@SITELOCK WordPress Security & Plugins: Introduction to Security With Logan Kipp

WordPress Security & Plugins - WPDistrict · WordPress “Hardening” Website Hosts WordPress security starts with selecting the appropriate web host for your site. Qualities of


Page 1

WordPress Security & Plugins

Introduction to Security
With Logan Kipp

Page 2

Welcome to WordPress (Security)
What to expect?

• We’re going to cover a lot of ground.
  o We will do a Q&A after the slides.

• Be a WordPress Security Communicator.
  o Share what you learn here with your peers.

• This session is for all audiences.
  o Super advanced questions? Let’s geek out after the session!

Find me outside or Tweet @SiteLock.

Page 3

Welcome to WordPress (Security)
Session Goals

FIND areas for improvement.

FIX misconfigurations.

PREVENT compromise.

ACCELERATE your learning curve.

COMPLY with best practices.

Page 4

Welcome to WordPress (Security)

It’s okay to be new.

Page 5

Welcome to WordPress (Security)
Jane was new to driving.

Image © State Farm Insurance. All rights reserved.

Page 6

Welcome to WordPress (Security)

The manual can’t help you if you don’t know it’s there, or where to find it.

Page 7

Welcome to WordPress (Security)

The WordPress Codex is your manual.

codex.wordpress.org

Page 8

Welcome to WordPress (Security)

• Don’t accept credit cards?
• Don’t have sensitive data?
• Your website isn’t that popular?
• You’ve avoided controversial topics?
• You only serve a local customer base?

You’re still a target.

Don’t establish a false sense of security.
Hackers may not be motivated by what you think.

Page 9

Welcome to WordPress (Security)

There is no magic bullet in security.

Page 10

WordPress “Hardening”

• Website Hosts
• Website Applications
• Vulnerabilities in Your Computer
• Vulnerabilities in WordPress
• Vulnerabilities in Your Web Server & Network
• Strong Passwords
• Database Security
• Securing areas of WP
• Permissions
• Logging & Monitoring
• Backups

Page 11

WordPress “Hardening”
Website Hosts

WordPress security starts with selecting the appropriate web host for your site.

Qualities of a trusted web host include:

• Readily discussing your security concerns and which security features and processes they offer with their hosting.
• Providing the most recent stable versions of all server software.
• Providing reliable methods for backup and recovery.

Page 12

WordPress “Hardening”
Website Applications

Your web host is not responsible for securing your web applications.

That includes WordPress.

Image © PetDoors.com. All Rights Reserved.

Page 13

WordPress “Hardening”
Vulnerabilities in Your Computer

Remember: No amount of website security will keep your environment safe if your computer is acting against you.

• Use trusted antivirus software and keep your virus definitions updated.
• Update your computer!! (seriously folks)

Page 16

WordPress “Hardening”
Vulnerabilities in WordPress

• New features are integrated regularly.
• New information becomes available.
• Update WordPress, including themes and plugins.
• Zero day vulnerabilities happen.*

* More on “Zero Days” to come.

Page 17

WordPress “Hardening”
Vulnerabilities in Server & Network

• Is your home/office network secure?
• Are you utilizing HTTPS with sensitive data? (this includes /wp-admin/)
• Scan your website’s network regularly.*

* Permission from network operator required.

Page 18

WordPress “Hardening”
Strong Passwords

• Unique passwords for every login
• Lengthy passwords without words
• Upper-cased and lower-cased letters
• Numbers and symbols
• Consider a service (LastPass, KeePass, etc.)
• Use two-step AKA two-factor authentication

Page 19

WordPress “Hardening”
Strong Passwords

Page 20

WordPress “Hardening”
Two-Factor Authentication (2FA)

Page 21

WordPress “Hardening”
Database & Environment Security

• Use separate databases and users for each site.
• Use separate hosting partitions for each site.

Image © Epitaph Records. All Rights Reserved.

Page 22

WordPress “Hardening”
Securing the WordPress Install

• Securing wp-admin
• Securing wp-includes
• Securing wp-config.php
• Disabling File Editing

kipp.ski/hardening (just a short URL for the WP codex’s hardening article)
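
The checklist on this slide, turned into an audit script as an added example (not code from the talk or the Codex). It assumes wp-config.php sits in the install root and checks the WordPress constants DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN; the permission policy (no group write or world access on wp-config.php, no world-writable files under wp-admin or wp-includes) and the sample install built in demo() are assumptions constructed for illustration.

```python
import os
import re
import stat
import tempfile

# define('NAME', value); with either quote style. PHP's define() is case-insensitive.
DEFINE_RE = re.compile(
    r"""(?i:define)\(\s*['"](?P<name>\w+)['"]\s*,\s*(?P<value>[^)]+?)\s*\)\s*;"""
)

# Constructed sample config: file editing is NOT disabled (the define is commented out).
SAMPLE_CONFIG = """<?php
// define('DISALLOW_FILE_EDIT', true);
define( 'DB_NAME', 'example_db' );
define('FORCE_SSL_ADMIN', true);
"""


def php_constants(src):
    """Return {NAME: raw_value} for each active define(); commented-out ones are ignored."""
    src = re.sub(r"/\*.*?\*/", "", src, flags=re.DOTALL)          # block comments
    src = re.sub(r"^\s*(//|#).*$", "", src, flags=re.MULTILINE)   # whole-line comments
    return {m.group("name"): m.group("value") for m in DEFINE_RE.finditer(src)}


def is_true(raw):
    """Only a bare true/1 literal counts; quoted or missing values are flagged for review."""
    return raw is not None and raw.lower() in ("true", "1")


def audit_install(root):
    """Return a list of findings for the WordPress install at `root` (empty list = clean)."""
    cfg = os.path.join(root, "wp-config.php")
    if not os.path.isfile(cfg):
        return ["wp-config.php not found in install root"]
    with open(cfg, encoding="utf-8", errors="replace") as fh:
        consts = php_constants(fh.read())
    findings = []
    if not is_true(consts.get("DISALLOW_FILE_EDIT")):
        findings.append("DISALLOW_FILE_EDIT is not true: dashboard file editor is enabled")
    if not is_true(consts.get("FORCE_SSL_ADMIN")):
        findings.append("FORCE_SSL_ADMIN is not true: wp-admin may be served over HTTP")
    mode = stat.S_IMODE(os.stat(cfg).st_mode)
    if mode & 0o027:  # assumed policy: no group write, no world access
        findings.append(f"wp-config.php mode {mode:o} is too permissive")
    for sub in ("wp-admin", "wp-includes"):
        for dirpath, _dirs, files in os.walk(os.path.join(root, sub)):
            for name in files:
                path = os.path.join(dirpath, name)
                if stat.S_IMODE(os.stat(path).st_mode) & stat.S_IWOTH:
                    findings.append(f"world-writable: {os.path.relpath(path, root)}")
    return findings


def demo():
    """Audit a constructed install, apply the fixes, and audit it again."""
    with tempfile.TemporaryDirectory() as root:
        cfg = os.path.join(root, "wp-config.php")
        with open(cfg, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_CONFIG)
        os.chmod(cfg, 0o644)
        os.makedirs(os.path.join(root, "wp-includes"))
        loose = os.path.join(root, "wp-includes", "load.php")
        open(loose, "w").close()
        os.chmod(loose, 0o666)
        before = audit_install(root)

        with open(cfg, "a", encoding="utf-8") as fh:
            fh.write("define('DISALLOW_FILE_EDIT', true);\n")
        os.chmod(cfg, 0o600)
        os.chmod(loose, 0o644)
        after = audit_install(root)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", after or "no findings")
```
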

Page 23

Plugins or Cloud-Based Solutions?

There are some awesome security plugins out there. You should try some.

Plugins I like:
• Wordfence
• WP Fail2Ban
• Google Authenticator (2FA)
• Jetpack Protect

Page 24

Plugins or Cloud-Based Solutions?
Plugin-Based WAF Offerings

Pros
• Acts as a local web application firewall
• Basic scanning for common malware and vulns
• Some support two-factor authentication
• Larger communities help with troubleshooting
• Free versions with limited features available

Cons
• Majority of processes run locally
• Support over email or tickets
• Database smaller than other paid providers’

Page 25

Plugins or Cloud-Based Solutions?
Plugin-Based Anti-Brute Force

Pros
• Lightweight and purpose-built
• Effective against typical brute force attempts
• Free

Cons
• No other security features
• Processes run locally

Page 26

Plugins or Cloud-Based Solutions?
Plugin-Based Two-Factor Authentication

Pros
• Lightweight & purpose-built
• Effective against login abuse
• Free

Cons
• Secret code potentially retrievable in WordPress

Page 27

Plugins or Cloud-Based Solutions?
Cloud-Based (e.g. SiteLock® TrueShield™, etc.)

Pros
• Cloud web application firewalls (WAFs) provide an off-site layer of security
• Cloud WAF faster (when coupled with a CDN)
• Virtual patching a common feature
• Processes run in cloud

Cons
• Often managed outside WordPress interface
• Typically limited security features in free versions

Page 28

Plugins or Cloud-Based Solutions?

• Plugins are software running on your web server. They are limited by this position.
• Plugins and cloud-based solutions are not mutually exclusive options. You can use both.

The question isn’t “plugins OR cloud?”

Page 29

WordPress Security: Child’s Play

Austin & Logan

Page 30

WordPress Security: Child’s Play

Austin
• Smart
• Older
• Experienced
• Responsible
• Trusted

Page 31

WordPress Security: Child’s Play

Logan
• “Smart”
• Younger
• Curious
• Mischievous
• Calamitous…

Page 32

WordPress Security: Child’s Play

Page 35

WordPress Security: Child’s Play
What did we learn?

Image © Paramount Pictures. All rights reserved.

Page 36

WordPress Security: Child’s Play
Influence

• Entities with same authority level
• Not as simple as “good” and “bad”
• Potentially ineffective demilitarized zone
• Trust levels should be re-evaluated

Page 37

Plugins & Cloud Solutions
Backups

• Perform backups DAILY
• Include both the Files & Databases
• Configuration backups (where applicable)
• Routinely check backup integrity (weekly)

Some plugin options:
• VaultPress
• BlogVault
• BackupBuddy
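
An added example (not from the talk) of the weekly integrity check on this slide: it verifies a backup archive against a recorded SHA-256 digest, reads every member so truncation or corruption surfaces, and confirms that both the files and a database dump are present. The tar.gz layout, the member names and the sample data are assumptions constructed for illustration.

```python
import hashlib
import io
import tarfile
import zlib

# Assumed layout of the "files" part of a backup; a trailing slash means "any path under".
REQUIRED = ("wp-config.php", "wp-content/")


def make_sample_backup(include_db=True):
    """Build a constructed .tar.gz backup in memory (sample data, not a real site)."""
    members = {
        "wp-config.php": b"<?php // constructed sample\n",
        "wp-content/themes/sample/style.css": b"/* sample */\n",
    }
    if include_db:
        members["db/site.sql"] = b"CREATE TABLE `wp_options` (option_id bigint);\n"
    buf = io.BytesIO()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        for name, data in members.items():
            info = tarfile.TarInfo(name)
            info.size = len(data)
            tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


def check_backup(blob, expected_sha256):
    """Return a list of problems; an empty list means the backup passed every check."""
    problems = []
    if hashlib.sha256(blob).hexdigest() != expected_sha256:
        problems.append("checksum mismatch: archive differs from the recorded digest")
    names, has_sql = [], False
    try:
        with tarfile.open(fileobj=io.BytesIO(blob), mode="r:gz") as tar:
            for member in tar:
                names.append(member.name)
                if member.isfile():
                    # Read each member fully so a damaged archive fails here, not at
                    # restore time. For large archives, stream in chunks instead.
                    data = tar.extractfile(member).read()
                    if member.name.endswith(".sql") and b"CREATE TABLE" in data:
                        has_sql = True
    except (tarfile.TarError, OSError, EOFError, zlib.error) as exc:
        problems.append(f"archive unreadable: {exc}")
        return problems
    for req in REQUIRED:
        present = any(
            (n.startswith(req) if req.endswith("/") else n == req) for n in names
        )
        if not present:
            problems.append(f"files backup is missing {req}")
    if not has_sql:
        problems.append("no SQL dump with CREATE TABLE statements found")
    return problems


def demo():
    """Check a good backup, one without the database, and a truncated copy."""
    good = make_sample_backup()
    digest = hashlib.sha256(good).hexdigest()   # recorded when the backup was written
    no_db = make_sample_backup(include_db=False)
    return {
        "good": check_backup(good, digest),
        "files_only": check_backup(no_db, hashlib.sha256(no_db).hexdigest()),
        "truncated": check_backup(good[: len(good) // 2], digest),
    }


if __name__ == "__main__":
    for label, problems in demo().items():
        print(label, "->", problems or "OK")
```
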

Page 38

WordPress Security: Balance
How much should I be spending?

Make a budget for security on your website, just like you do for hosting. The best security solutions are predominantly paid solutions. This is a part of operating a website. Don’t cut corners. Trust the professionals.

Great security doesn’t need to be expensive in terms of financial cost, but can become a full-time job. There is a trade-off between time and money in security. How is your time best spent?

Page 39

WordPress Security: Budget

Spend more time, less money.

OR

Higher budget, less time spent.

Page 40

SSL Certificates

• Stands for “Secure Sockets Layer”
• Enables use of HTTPS
• Encrypts data in transit, but not at rest
• Does not protect your website

Page 41

SSL Certificates

• BONUS: use of HTTP/2. Safer, faster, better!
• There is no downside to utilizing SSL Certificates.
• Encryption will become the standard in due time.

Page 42

SSL Certificates
Did you know?

• Most HTTPS connections are actually using TLS (Transport Layer Security) ciphers, not SSL ciphers. SSL is being phased-out in favor of newer TLS technology.
• SSL v1, 2, & 3 ciphers are considered obsolete. Even TLS 1.1 is being phased out at this time.
• PCI standards now require TLS v1.2 to be used.

Page 43

Hacking WordPress Websites

Q: How do hackers compromise websites?

A: Probably not the way you think they do.

Page 44

Hacking WordPress Websites

• Most hacks do not target your password.
• Injection was the #1 exploit utilized on WordPress websites in 2015.
• The vast majority performed exploratory operations via dork or dork-like methods.

Page 45

Hacking WordPress Websites
OWASP Top 10 (Open Web Application Security Project)

• Injection
• Broken Authentication and Session Management (XSS)
• Cross Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Missing Function Level Access Control
• Cross Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards

Page 46

Hacking WordPress Websites
Injection & XSS

In a nutshell: remotely executing arbitrary code on a website.

For example, exploiting input fields.

Page 47

Hacking WordPress Websites
Security Misconfiguration

Using web services like Apache without realizing you should pay closer attention to the settings you use.

Page 48

Hacking WordPress Websites
What is a ZERO DAY exploit?

A Zero Day Vulnerability is a vulnerability that is not yet known to the software’s developer; meaning no patch for the vulnerability yet exists, increasing the likelihood of exploitation. “Zero Day” is referencing today being day 0 of the exploit existing “in the wild.”

It happens.

Page 49

Hacking WordPress Websites
How can I defend against Zero days?

• Keeping your software up to date is your number one defense. Unless an exploit is massive-scale, you’re not likely to be impacted in the first wave (pre-patch).
• Deploying a Zero Day exploit exposes its existence to security researchers and patching becomes inevitable.

Page 50

Hacking WordPress Websites
How can I defend against Zero days?

Web Application Firewalls (WAFs) are the best active defense mechanisms concerning application-based Zero Day vulnerabilities. By utilizing a WAF that supports real-time threat updates, “virtual” patching acts as a shield until the software developer can deploy a firm patch.

Page 51

Hacking WordPress Websites
How can I defend against Zero days?

• Stay informed.
• Subscribe to WordPress security feeds.
• Trust the professionals.

Page 52

Hacking WordPress Websites

Page 61

Remember…

Page 62

Thank you!

Logan Kipp
Product Evangelist – WordPress
WPDistrict.SiteLock.com

@LoganKipp

• Used WordPress since 1.5 in ’05
• Eight years experience in hosting and security industry
• Previously worked at GoDaddy.com
• Most recently served as Lead Security Analyst for SiteLock
