Keep Your Wordpress Site Safe and Fast

(In a Dense Threat Environment)

Louis Judice, Founder, The Round Mountain Group, LLC

About Me

• Fifth TCF talk/workshop

• RCA/DEC/HP

• Founded RMG in 2004

• Wordpress development + hosting

• Manage several servers, 40+ client sites

• Sites range from small business to multimillion $$ enterprises to government

• Play all roles (user to WP developer + admin to sysadmin)

• Extensive experience with online security issues

C’mon…What’s the WORST That Can REALLY Happen to My Site?

CENSORED

About This Workshop

• Focus on Wordpress

• Security and Performance Inter-Related

• Examples in Centos Linux / cPanel / WHM environment

• Most concepts apply to other OS, Control Panels as well as to Joomla, Drupal, etc.

• Difficulty from easy to complex

• Relevant to bloggers, site admin, system admin

• Few comprehensive sources of information to protect the entire Wordpress ecosystem

Wordpress

• Started in 2003 as a blogging tool

• Millions of sites in operation

• Blogs to Fortune 500 Corporate Sites

• Most popular web platform on earth

• Free, Open Source

• Massive EcoSystem of Add-ons, Plug-ins, Themes, etc.

• 4/5 sites “managed” by inexperienced users

• 90% of sites not up to date

• Targeted by hackers, scammers and every disreputable bot in the galaxy

What My Site Log Looks Like:

A Dense Threat Environment

• Attacks specifically targeting you or your site (theft, credit cards, email, or true denial of service (DoS))

• Brute force attacks (hijack your site to commandeer its mail or compute capabilities; bot recruitment; a de facto denial of service from the login traffic alone)

• Directory scanners (probe your site for known vulnerable files and plug-ins)

• Bots Behaving Badly (web crawlers that ignore robots.txt or actively scrape your content)

• Distributed Denial of Service (DDoS)

• Idiot users (never attribute to malice what is better explained by stupidity)

• High chance of success given the abundance of poorly managed sites

• Even unsuccessful attacks impact performance

Paradox

It’s nearly impossible to tell the difference between a hacker and a really dumb user.

?

Who Are These People??

• Recreational hackers just havin’ fun

• Hacktivists (if they are after you, then you might have bigger problems…)

• Spam Mailbot Network Owners

• Criminal Gangs (extortion sites, porn sites, gambling sites)

• The other 9 million search engines you never heard of

• Russia, China, Ukraine, Vietnam and the US predominate in the logs, but compromised servers, open proxies and VPNs hide the true origin, so the country you see is rarely where the attacker sits

• Geo-restrictions are therefore of limited value (they cut noise, not determined attackers)

The Problem

• If they get in - you’re in trouble

• If they don’t get in - there is still a problem

• A web server treats one bot asking for 1000 nonexistent files exactly like 1000 users simultaneously asking for 1 nonexistent file each

• In other words, servers slow down, hang or crash

• Wordpress makes this worse: its rewrite rules send every URL that isn’t a real file through index.php, so each 404 starts PHP, opens the database and renders a full 404 template. Under a scan the PHP workers quickly run out of memory.

• The bot moves on, accomplishing nothing. And your server is hung.

• Welcome to the Internet!

Impact On Performance

Peaks Associated With DOS Attacks

Wordpress Popularity Makes It An Easy Target

“If 1% of 50 million sites have weak passwords, that’s 500,000 sites that can be cracked in seconds.”

Collective Security Is The Answer…

WORDPRESS USERS UNITE!

The Less Likely an Attack On Wordpress will Succeed…

The More Likely Attackers Will Move On to Another Target.

Security and performance are interrelated.

Since most unwanted visitors will likely do no real harm and can’t be blocked, it’s best to run fast sites and move them along.

Let’s Get Started

• Difficulty Level

• Access: WP Admin, cPanel (or equivalent), root or WHM

• Hosting Type: wordpress.com, shared, vps/dedicated, reseller

• Security + Performance: Inter-related

Passwords

• Strong passwords are the #1 prevention tool

• Password managers vs. writing it down?

• Set policies when possible, but be VERY firm in regard to any privileged account.

• Length first; then mix upper and lower case, numbers and symbols

• Fact is:

• For brute force there are other defenses (login limiting and whitelisting, below)

• If a password is “intercepted” there is little to stop someone, so never transmit passwords over insecure channels: HTTPS for the login page, SFTP instead of plain FTP

User Permissions

• Difficulty: Easy

• “Stinginess with privileges is kindness in disguise”

• Limit user roles and permissions strictly.

Admin Account Name

• Difficulty: Easy

• Don’t use “admin” - pick something else when the site is set up

• You can also change the admin account name after the fact (create a new administrator, delete “admin” and reassign its posts), but this is more work.

• Use strong passwords (or implement a password policy)

• 90% of brute force attacks assume the admin account is “admin”

• Caveat: Wordpress leaks real usernames through author archives (/?author=1 redirects to /author/username/), so a renamed account only defeats the lazy guessers unless author enumeration is blocked as well.

White Listing WP-Login

• Difficulty: Moderate, requires cPanel, .htaccess

• Exclude all but certain IP addresses from accessing the WP login screen.

• Caveat: Comcast, etc. may change your IP address, locking YOU out. Some hosts don’t allow .htaccess to be edited.

• .htaccess missing? Turn on hidden file (dotfile) display in the cPanel File Manager

• Tip: whitelist by network (CIDR notation). This blocks 99.9999% of the web from ever reaching your login screen

Added at the end of .htaccess

Get Network CIDR: http://countryipblocks.net

Robots.txt

• Easy, need cPanel

• Located in the public_html directory

• Tells bots where to look and where not to look

• Good bots like Google and Bing pay attention

• Bad bots say: “Take your robots.txt and shove it up your disk.”

• Critical to avoid having internal files indexed - but robots.txt is public and purely advisory, so a Disallow line naming a secret path is a map for scanners. Keep such files out of the web root or protect them in .htaccess instead.

• Google robots.txt generator

Disallow Directory Searches

• Difficulty: easy, cPanel, .htaccess

• Add this line to .htaccess

• Disables open access to directories

• Makes it harder for outsiders to scan for vulnerable files.

Options -Indexes

System Level Whitelisting

• Difficulty: expert

• Resources to block: cPanel, WHM, FTP, SSH

• WHM Host Access Control

• Check with your host - they may need some IP’s unblocked for maintenance

• Consider a Proxy or VPN with a FIXED IP address

Limit Plug-ins

• Difficulty: Easy

• Plug-ins vary in security impact

• Out dated plug-ins are a major vulnerability

• Disable/delete unused plug-ins

Stay Up to Date

• Difficulty: Easy to Tedious

• Keep Wordpress, Themes, Plug-ins Up to Date

• Many updates are security related

• Once a fix is published, attackers read the change and scan for every site that hasn’t applied it

• Wordpress 3.7+ applies minor/security releases automatically; many plug-ins and themes can be auto-updated as well (via a plug-in or the auto-update filters).

Comments

• Difficulty: Easy

• If comments are not part of your model TURN THEM OFF

• Delete the “HELLO WORLD” post (and its sample comment)

• Force users to register

• Use the approval (moderation) feature

• Use Akismet or another anti-spam comment plug-in

• Ignore at your peril

Comments are controlled under Settings → Discussion in the WP admin; some themes add their own switches on top of that.

Comments (continued)

General Observation:

Nothing makes a site look worse than being filled with those “I love your site but did you know you can make $9000/day while surfing the web in your pajamas…” comments.

Block XMLRPC.PHP

• Difficulty: Moderate

• Requires access to cPanel and .htaccess file

• xmlrpc.php is enabled by default and is abused two ways: system.multicall lets a single POST carry hundreds of password guesses (sidestepping per-request rate limits), and the pingback method turns your site into a DDoS reflector against other sites.

• So many bad actors look for it that it’s best to just block it and keep them away. Exception: Jetpack and the Wordpress mobile apps need it; whitelist their addresses rather than opening it to everyone.

Added at the end of .htaccess
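The two .htaccess additions the slides refer to (the wp-login whitelist from the “White Listing WP-Login” slide and the xmlrpc.php block above) are shown on screenshots that did not survive extraction. The script below is an added example, not the author’s own file: it generates both blocks, validating each CIDR first so a typo cannot lock you out or whitelist the whole Internet. Both Apache 2.2 (`Order`/`Allow`) and Apache 2.4 (`Require`) forms are emitted, because cPanel hosts run either. The networks 203.0.113.0/24 and 198.51.100.42/32 are documentation ranges used only to show the output; substitute your own.

```shell
#!/bin/sh
# Added example, not from the workshop slides: generate the .htaccess rules
# that restrict wp-login.php to a whitelist of networks and block xmlrpc.php.
# Assumes the CIDRs passed in are your own admin networks; the ones used at
# the bottom are documentation ranges, not real addresses.

# Accept only a well-formed IPv4 CIDR. A typo here either locks YOU out or,
# with /0, whitelists the whole Internet, so refuse anything suspicious.
valid_cidr() {
  case "$1" in
    */*) ip=${1%/*}; bits=${1#*/} ;;
    *)   return 1 ;;                       # require the /prefix explicitly
  esac
  case "$bits" in ''|*[!0-9]*) return 1 ;; esac
  [ "$bits" -ge 1 ] && [ "$bits" -le 32 ] || return 1   # /0 is never a whitelist
  set -- $(printf '%s' "$ip" | tr . ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
}

# <Files wp-login.php> block: only the given networks may reach the login page.
wp_login_whitelist() {
  [ $# -gt 0 ] || { echo "wp_login_whitelist: need at least one CIDR" >&2; return 1; }
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "wp_login_whitelist: bad CIDR '$cidr'" >&2; return 1; }
  done
  echo '<Files wp-login.php>'
  echo '  <IfModule mod_authz_core.c>'      # Apache 2.4: several Require lines are OR-ed
  for cidr in "$@"; do echo "    Require ip $cidr"; done
  echo '  </IfModule>'
  echo '  <IfModule !mod_authz_core.c>'     # Apache 2.2
  echo '    Order Deny,Allow'
  echo '    Deny from all'
  for cidr in "$@"; do echo "    Allow from $cidr"; done
  echo '  </IfModule>'
  echo '</Files>'
}

# <Files xmlrpc.php> block: nobody may reach XML-RPC. If Jetpack or the mobile
# apps must keep working, swap "deny all" for a whitelist built like the one above.
xmlrpc_deny() {
  echo '<Files xmlrpc.php>'
  echo '  <IfModule mod_authz_core.c>'
  echo '    Require all denied'
  echo '  </IfModule>'
  echo '  <IfModule !mod_authz_core.c>'
  echo '    Order Deny,Allow'
  echo '    Deny from all'
  echo '  </IfModule>'
  echo '</Files>'
}

# Both blocks together, ready to append to public_html/.htaccess.
hardening_fragment() {
  wp_login_whitelist "$@" || return 1
  echo
  xmlrpc_deny
}

hardening_fragment 203.0.113.0/24 198.51.100.42/32
```

Back up .htaccess first, then append the output (`hardening_fragment YOUR/CIDR ... >> public_html/.htaccess`). Check it from two places: your own network should still get the login form, and a phone on cellular data should get a 403 for both /wp-login.php and /xmlrpc.php. If your provider changes your address, the fastest recovery is editing the file through the cPanel File Manager, which the whitelist does not touch.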

Install Wordfence Plug-in

• Difficulty: Easy to Moderate

• Wordfence is a free, comprehensive security solution

• Firewall to block or throttle bad bots and stupid users (be careful until you know how it works)

• Login security, password policy

• Malware scanning (compares core, plug-in and theme files against known-good copies)

• Sends emails when it takes action

• Premium (paid) version supports geo restrictions

• Downside: stopping a flood of requests inside WP is too late - PHP has already started for each one. Block as early as you can, in Apache or the system firewall.

Wordfence (continued)

Wordfence (continued)

Limit Login Attempts

• Difficulty: Easy

• There are numerous plugins to limit login attempts

• If you are NOT running Wordfence (which has this built in) you should run one of them.

• Check reputations and pick the most widely used with the best feedback.

• We use Johan Eenfeldt’s “Limit Login Attempts” plugin

• Caveat: per-IP limits do little against a botnet that spreads its guesses over thousands of addresses; the whitelist and strong passwords still matter.

6G Firewall

• Difficulty: moderate, requires cPanel, .htaccess

• 6G is a set of code you insert in .htaccess

• It filters out many bad queries, bad requests, bad user agent, etc.

• Free

• http://perishablepress.com

• Caution if you use mod_userdir (tilde) or some other special characters.

• Comes as a plugin too, but see previous caveats.

Blackhole for Bad Bots

• Difficulty: expert - requires care or you may block users

• Essentially advertises a honeypot in robots.txt

• Then snags any bots that go there.

• http://perishablepress.com

Linux Firewall: CSF/LFD

• Difficulty: Expert, Linux Administrator

• Comprehensive firewall for Linux systems.

• Free, open source.

• Defends against many common attacks, including DDoS attacks.

• LFD (the Login Failure Daemon) watches the logs and temporarily blocks addresses that keep failing SSH, FTP, cPanel or mail logins

• Supports RBLs

• Alerts via email when it takes action

• Main limitation: it programs iptables, and a very long deny list slows every packet through the kernel. Newer versions can hold the lists in ipset instead, which scales far better.

• Hundreds of configuration options

• CSF/LFD or equivalent is an absolute must for any Linux web server.

CSF/LFD (continued)

Email from CSF after blocking DDOS attack

Logs

• Difficulty: Takes practice

• Almost everything is logged but few people take the time to read or understand the logs

• Logs reveal errors like broken links, as well as suspicious activity

• Wordfence, cPanel and Linux itself all generate logs

• cPanel “Latest Visitors” and “Error Log” are very useful

• Not all attacks are “Fast and Furious” - low and slow scans only stand out once you aggregate requests by IP

• Linux logs are for experts only
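The pattern described on “The Problem” slide (one bot asking for a thousand files that do not exist) and the aggregation this slide calls for can be done with awk over the Apache access log. The script below is an added example, not from the workshop: it reads combined-format log lines (the format cPanel writes to /usr/local/apache/domlogs/), counts 404s and POSTs to wp-login.php or xmlrpc.php per IP, and prints the CSF deny commands for review. The log lines are constructed with documentation addresses, and the thresholds are illustrative assumptions; tune them to your own traffic, and compare the result with your own addresses and csf.allow before pasting anything in.

```shell
#!/bin/sh
# Added example, not from the workshop slides: find 404 scanners and
# wp-login/xmlrpc hammerers in an Apache "combined" access log and print the
# CSF deny commands an admin would review. Thresholds are assumptions.

NOTFOUND_LIMIT=${NOTFOUND_LIMIT:-5}   # 404s from one IP in the window examined
LOGIN_LIMIT=${LOGIN_LIMIT:-5}         # POSTs to wp-login.php or xmlrpc.php per IP

# Constructed sample lines (documentation IPs, not real visitors). Field layout:
# ip - - [time] "METHOD path proto" status bytes "referer" "user-agent"
# Note the ~10 KB body on every 404: WordPress renders a full page for each one.
sample_log() {
  cat <<'EOF'
198.51.100.7 - - [10/Mar/2016:08:01:02 -0500] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:08:01:03 -0500] "GET /old-page/ HTTP/1.1" 404 9870 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2016:08:02:00 -0500] "GET /admin/config.php HTTP/1.1" 404 9870 "-" "python-requests/2.9"
203.0.113.9 - - [10/Mar/2016:08:02:00 -0500] "GET /phpmyadmin/ HTTP/1.1" 404 9870 "-" "python-requests/2.9"
203.0.113.9 - - [10/Mar/2016:08:02:01 -0500] "GET /wp-content/plugins/old-plugin/readme.txt HTTP/1.1" 404 9870 "-" "python-requests/2.9"
203.0.113.9 - - [10/Mar/2016:08:02:01 -0500] "GET /backup.zip HTTP/1.1" 404 9870 "-" "python-requests/2.9"
203.0.113.9 - - [10/Mar/2016:08:02:02 -0500] "GET /wp-config.php.bak HTTP/1.1" 404 9870 "-" "python-requests/2.9"
203.0.113.9 - - [10/Mar/2016:08:02:02 -0500] "GET /.env HTTP/1.1" 404 9870 "-" "python-requests/2.9"
198.51.100.23 - - [10/Mar/2016:08:03:10 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "https://example.com/wp-login.php" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:08:04:00 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:08:04:00 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:08:04:01 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:08:04:01 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:08:04:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:08:04:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2016:08:04:03 -0500] "POST /wp-login.php HTTP/1.1" 200 4210 "-" "Mozilla/5.0"
EOF
}

# "count ip" for every IP with at least $1 responses of status 404, biggest first.
scanners() {
  awk -v limit="$1" '$9 == 404 { n[$1]++ }
       END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# "count ip" for every IP POSTing to wp-login.php or xmlrpc.php at least $1 times.
login_floods() {
  awk -v limit="$1" '$6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
       END { for (ip in n) if (n[ip] >= limit) print n[ip], ip }' | sort -k1,1nr -k2,2
}

# Turn both reports into CSF deny commands ("csf -d IP comment"). Printed,
# not executed: check the list against your own addresses before running it.
deny_commands() {
  log=$(cat)
  printf '%s\n' "$log" | scanners "$NOTFOUND_LIMIT" | while read -r n ip; do
    printf 'csf -d %s "%s x 404: vulnerability scanner"\n' "$ip" "$n"
  done
  printf '%s\n' "$log" | login_floods "$LOGIN_LIMIT" | while read -r n ip; do
    printf 'csf -d %s "%s x POST wp-login/xmlrpc: brute force"\n' "$ip" "$n"
  done
}

sample_log | deny_commands
```

Run it against a real log with `deny_commands < /usr/local/apache/domlogs/example.com` (the function reads stdin). The one legitimate visitor with a single broken link (198.51.100.7) and the one real login (198.51.100.23) stay below both thresholds, which is the whole point of counting per IP rather than reacting to individual 404s.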

Logs (continued)

Logs (continued)

IP Deny Manager

• Difficulty: Easy

• cPanel Access Required

• CIDR format can be used but be careful!

• countryipblocks.net is a good resource for researching IP addresses

Caching

• Difficulty: Moderate

• Caching plug-ins keep a rendered copy of your most-requested pages on disk and serve it directly, so neither PHP nor a database lookup runs for those requests

• Speedup can be dramatic

• Saving CPU and memory while under attack will often prevent hangs and crashes.

• User education

• Several good caching plug-ins are available; we use W3 Total Cache. It is free and open source

Source: dashboardjunkie.com

Content Delivery Network (CDN)

• Difficulty: Moderate to Expert

• Takes caching a step further by storing your most used content on a network of servers positioned around the world to be close to users.

• A CDN greatly reduces server load under normal operations or under attack

• Push vs Pull

• In Wordpress, usually works in concert with a caching plug-in.

• Many options; the most popular and easiest is Cloudflare, which also offers geo restrictions.

• Our experience has been mixed with Cloudflare. Easy to set up, unpredictable performance.

• We use Amazon Web Services CloudFront. It is not free, though quite affordable - but it is complex to set up. However it delivers high performance.

• You need cache hit ratios better than 80% to be worthwhile

Source: labs.ripe.net

Minify/GZIP

• Moderate, but be careful

• Most caching plugins, as well as standalone minifiers, remove blank, wasted space from HTML, CSS, etc. This helps websites load faster.

• Minify can break some things in Wordpress (scripts that depend on load order, inline code), so test after enabling it.

• GZIP compression is usually less problematic and can be turned on in caching plugins.

• Remember that all of these trade more CPU on the host for faster transmission.

Performance Testing

• Difficulty: Easy

• http://tools.pingdom.com/fpt

• Provides overall stats and detailed timing information

• Reveals surprises like broken redirects, unoptimized images, etc.

• Also serves as a handy proxy for testing your site!

• Click DO NOT SAVE!!!!

• Free

Uptime Monitoring

• Difficulty: Easy to Moderate

• Numerous services will test your site and inform you if it’s down or has changed.

• Some are free with limitations; sophisticated features usually come at a price.

• Most have mobile apps

Monitis Response Time Measurement (ms)

Uptime / Performance Monitoring

• BinaryCanary

• Pingdom

• Monitis

• Site24x7

• Roll Your Own

• Many Others

Site24x7 Embedded Status Page

Monitoring

• Monitoring, Alerts, Status pages for users: should always be “transmitted out of band” and “never be hosted on your servers”

Some Notes On Email

• A whole other “ball of wax”; 90% of email is spam.

• On the server we run the Barracuda Reputation Block List (RBL) and SpamAssassin to catch about 80% of spam. CSF/LFD does a good job here as well.

• Forwarding issues, especially to Gmail

• Better to push users to hosted solutions with a mail exchanger like Google Apps for Business, Amazon Cloudmail, etc.

• Use authenticated SMTP for site-generated email when possible, so it leaves through a real mailbox rather than the web server’s local sendmail and is less likely to be junked

If all else fails…

• Lighten or cache 404 errors (serve a static 404 page for missing images, CSS and JS so Wordpress never loads for them)

• More CPU power (speed or cores)

• More memory

• Apache Keep Alive and other tuning parameters

Questions?

Hunterdon Based. Global Experience.

http://roundmountaingroup.com