Seravo.com: WordPress Security 101

42
WORDPRESS SECURITY 101 what is important – and what is not © Seravo 2017

Transcript of Seravo.com: WordPress Security 101

Page 1: Seravo.com: WordPress Security 101

WORDPRESS SECURITY 101what is important – and what is not

© Seravo 2017

Page 2: Seravo.com: WordPress Security 101

DEFINITION OF INFORMATION SECURITY

1. Confidentiality2. Integrity3. Availability

Page 3: Seravo.com: WordPress Security 101

You must keep your WordPress site secure.

Page 4: Seravo.com: WordPress Security 101

POTENTIAL CONSEQUENCES

● Corrupted orders database: webshop unable to ship anything or resolve payments

● Leaked customer database: angry customers, lawsuit for neglect of privacy laws

● Visitors get redirected to shady sites: lost reputation, marketing budget goes in vain

● Site spreads malware: Google might detect and ban from showing up in search results

● Site sends spam: could become blacklisted and legit email stops working

Page 5: Seravo.com: WordPress Security 101

“BUT MY SITE IS NOT IMPORTANT!”

Your site can be used to mount further attacks!

If you have clearly neglected the maintenance of your own site, you could be held partly liable for attacks on other sites.

Page 6: Seravo.com: WordPress Security 101

What is REALLY important in keeping your WordPress site secure?

Page 7: Seravo.com: WordPress Security 101

AVENUES OFUNAUTHORISED ACCESS:

1. Leaked passwords2. Software vulnerabilities

Page 8: Seravo.com: WordPress Security 101

LEAKED PASSWORDS

Page 9: Seravo.com: WordPress Security 101

Remember password hygieneseravo.fi/2014/password-hygiene-every-mans-responsibility

Page 10: Seravo.com: WordPress Security 101

HTTPS, SFTP, SSHNever submit passwords over an unencrypted connection!

Page 11: Seravo.com: WordPress Security 101

Enforce HTTPS in WordPress1. Your server needs to support HTTPS2. Enforce in wp-config.php with: define('FORCE_SSL_ADMIN', true);

Page 12: Seravo.com: WordPress Security 101

Use captcha to avoid robot usersGoogle reCaptcha recommended

Page 13: Seravo.com: WordPress Security 101

SOFTWARE VULNERABILITIES

Page 14: Seravo.com: WordPress Security 101

MINIMIZE VULNERABILITIES 1. Minimize the attack surface by minimizing the amount of

software you have2. For the software you really need, make sure you have

updated to latest releases

Page 15: Seravo.com: WordPress Security 101

HOW SECURE IS WORDPRESS CORE?

Security bugs per 1000 lines of code written

All time: 0,1(204 CVE entries per 2,1 million lines of code)

In 2015: 0,05 (11 CVE entries per 236 000 lines of code)

Page 16: Seravo.com: WordPress Security 101

WORDPRESS COREIS SECURE.

Page 17: Seravo.com: WordPress Security 101

THE PROBLEM IS THE PLUGINS.

Page 18: Seravo.com: WordPress Security 101

Combined core, plugin and theme vulnerability database:wpvulndb.com

Page 19: Seravo.com: WordPress Security 101

Example case: Mossack Fonseca aka Panama papers

● The site www.mossfon.com was running WordPress● Unauthorized access of WP lead to unauthorized access of MS Exchange

email server on internal network and other sites at *.mossfon.com● The intruders most likely came through an old and insecure version of the

Revolution Slider plugin.○ Well known vulnerability, WordPress.org even has a patch as a separate plugin

(https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not available at WordPress.org.

Page 21: Seravo.com: WordPress Security 101

WP PLUGIN REVIEW GUIDELINES FOR CAPITALISTS*

If the logo is red and name contains revolution, don’t install it on your system!

* a small dose of parody can’t hurt?

Page 22: Seravo.com: WordPress Security 101

PLUGIN SECURITY1. Minimize the attack surface by minimizing the amount of

plugins (and themes) you have2. For the plugins you really need, make sure you have

updated to latest releases

You will not minimize vulnerabilities by installing more plugins!

Page 23: Seravo.com: WordPress Security 101

WordPress is insecure!Quickly, install a security plugin!

Page 24: Seravo.com: WordPress Security 101

NO

Page 25: Seravo.com: WordPress Security 101
Page 26: Seravo.com: WordPress Security 101

DON’T WASTE TIME ON

● removing generator meta or hiding version numbers● hiding login errors● changing wp-admin location● disabling xmlrpc● removing readme.html or other files

Only for WP geeks who love to research the pros and cons. For normal users WordPress default settings are secure.

Page 27: Seravo.com: WordPress Security 101

FALSE SENSE OF SECURITY

Feels like a lot has been done when really very little has.

Page 28: Seravo.com: WordPress Security 101

Example: useless readme.html blocking = don’t!

Page 29: Seravo.com: WordPress Security 101

Example: useless readme.html blocking

Versions leak anyway

Page 30: Seravo.com: WordPress Security 101

Example: useless readme.html blocking

Disclaimer:WordFence was used just as an example. It still the best guy in town. Many other security plugins are much worse.

..and other WordPress integrity checks trigger

Page 31: Seravo.com: WordPress Security 101

SECURITY PLUGINS ARE NOT THE SOLUTION

Scan results require interpretation. Recommended only for professionals.

Page 32: Seravo.com: WordPress Security 101

The only recommended ones:WPScan and Google Webmaster ToolsAlmost no false positives and no business model based on spreading fear.

Page 33: Seravo.com: WordPress Security 101

IF YOU RUN YOUR OWN SERVER

Also remember to harden and keep updated

● operating system ● web server● database server● PHP environment

Page 34: Seravo.com: WordPress Security 101

INSTALL ONLY FROM TRUSTED SOURCES

Avoid random 3rd party repositories that don’t have any maintenance policy.

Page 35: Seravo.com: WordPress Security 101

PROTECTION AGAINST DDOS

What if the problem is not unauthorized access but the lack of authorized access?

Page 36: Seravo.com: WordPress Security 101

DENIAL OF SERVICE ATTACKS

Detect, withstand and block

● high performance servers and good caching

● detect repeated offenders and block at network level

○ e.g. failtoban + iptables

● detect and block at http level

○ e.g. Nginx rate limiting

● If you are trying to block at PHP/WordPress level, you’ve already lost

DDOS is a constant race of new techniques of attack and defence. Try to find a good hosting provider that takes care of DDOS at least on the network level.

Page 37: Seravo.com: WordPress Security 101

BACKUP AND RECOVERY

Because some day, sooner or later, everything else fails.

Page 38: Seravo.com: WordPress Security 101

BACKUP GUIDELINES 1/2

Make sure your backup system meets these requirements

● automatic: not dependant on human action

● complete: both files and database

● incremental with a history: at least 30 days

● frequent: daily is good

Page 39: Seravo.com: WordPress Security 101

BACKUP GUIDELINES 2/2

● offsite: in case access to the original site is lost

● pull, not push: original site should not have access to the backups, otherwise an attacker can delete both the original site and all backups

Personal favourite: mysqldump + rdiff-backup over SSH

Page 40: Seravo.com: WordPress Security 101

ONCE MORE WITH A FEELING

Page 41: Seravo.com: WordPress Security 101

WORDPRESS SECURITY 101

1. Always follow password hygiene.2. Use captchas to stall robot users.3. Use HTTPS (and SFTP and SSH) – never submit passwords in plain

text on any network connection.4. Remove unnecessary software to reduce attack surface.5. Keep WordPress plugins and all other software too updated to have

all known vulnerability fixes installed.6. Install software and update only from trusted sources.7. Have a good backups system in place.8. Choose a good service provider and trust them to take care of the

rest.

Page 42: Seravo.com: WordPress Security 101

THANK YOU!

[email protected]

Twitter: @Seravocom