Securing Your WordPress Website - WordCamp Sydney 2012

DESCRIPTION

Presentation slides from Vladimir Lasky's talk "Security for WordPress", presented on Sunday 22nd July at WordCamp Sydney 2012. This talk is the sequel to his WordCamp Gold Coast 2011 presentation “Securing Your WordPress Website” and covers:

* Tackling the biggest Internet and WordPress security threats of 2012
* An updated list of essential plugins to harden your WordPress site
* New WordPress management services that make it easier to back up and update your sites

Page 1: Securing Your WordPress Website - WordCamp Sydney 2012

Securing Your WordPress Website

Vladimir Lasky

http://wpexpert.com.au/

WordCamp Sydney 2012

Page 2: Securing Your WordPress Website - WordCamp Sydney 2012

What’s New In Today’s Talk?

1. The biggest security threats of 2012 and how to deal with them
2. An updated list of essential WordPress hardening steps for EVERY site
3. New WordPress management services that make your life easier

Page 3: Securing Your WordPress Website - WordCamp Sydney 2012

Big Events in Internet Security This Year

1. Yahoo, LinkedIn, eHarmony all experienced security incidents that resulted in users’ passwords/hashes being published
2. Lots of exploits targeting code using vulnerable PHP libraries including TimThumb and Uploadify
3. Wi-Fi Protected Setup (WPS) vulnerability in Wireless Routers revealed in December 2011

Page 4: Securing Your WordPress Website - WordCamp Sydney 2012


Page 5: Securing Your WordPress Website - WordCamp Sydney 2012


Page 6: Securing Your WordPress Website - WordCamp Sydney 2012

Lessons From Password Disclosure Incidents

1. You cannot assume any website will properly secure their databases.
2. Plenty of computational power exists for brute-force password cracking of password hashes – spare no effort to prevent these from being leaked.
3. People who reuse the same password across different sites are asking to get “p0wned” and become targets for identity theft.
4. Having a unique, secure password for every Internet account is mandatory.

Page 7: Securing Your WordPress Website - WordCamp Sydney 2012

Wi-Fi Protected Setup

Page 8: Securing Your WordPress Website - WordCamp Sydney 2012

Lessons from WPS Vulnerability

1. The WPS exploit provides a backdoor to wireless routers secured with WPA2
2. Technologies that overcome security burdens often introduce security holes
3. Disable WPS in every Wi-Fi Router that you control. In some cases, this will require a firmware upgrade or possibly even replacing the router

Page 9: Securing Your WordPress Website - WordCamp Sydney 2012

Example PHP Exploit Attempt

Page 10: Securing Your WordPress Website - WordCamp Sydney 2012

Lessons from PHP Exploits

1. Many programmers are lazy or ignorant of proper data validation practices
2. Obtaining plugins and themes from official sources reduces risk, but does not guarantee security
3. Application firewalls are a NECESSITY

Page 11: Securing Your WordPress Website - WordCamp Sydney 2012

Essential Steps to Harden Your WP Installation

Page 12: Securing Your WordPress Website - WordCamp Sydney 2012

Install WP Firewall 2

• This plugin analyses HTTP requests and checks for suspicious parameters that indicate PHP or SQL injection attempts
• It will protect you against the majority of zero-day exploits
• Set the configuration option ‘Suppress similar attack warning emails’ to ‘On’, to prevent being deluged with identical warnings.

Page 13: Securing Your WordPress Website - WordCamp Sydney 2012

Rename Your Admin Account

1. Use the plugin ‘Admin Renamer Extended’ to rename the ‘admin’ account to something unique.
2. From the WP Dashboard, go to Users->Your Profile. For the option set ‘Display Name Publicly as’, choose something that is not the same as your admin account name

Page 14: Securing Your WordPress Website - WordCamp Sydney 2012

Change the Default MySQL Table Prefix

1. The WordPress default MySQL table prefix is ‘wp_’.
2. By renaming this to something else, e.g. ‘tb132_’, we can foil the majority of blind SQL injection attempts
3. For an existing site, use the plugin “WordPress Table Rename” to make this easier.

Page 15: Securing Your WordPress Website - WordCamp Sydney 2012

Prevent Plaintext Password Transmission – Best Option

1. Have your site hosted with a provider that supports HTTPS and provides either:
   – Their own Shared SSL Certificate
   – The ability to install your own
   – The ability to obtain one for you and install it (usually for a fee)
2. Install the plugin “WP HTTPS (SSL)” and enable the option “Force SSL Administration”.
3. This will prevent your password and session cookies from being sniffed (captured) over the Network

Page 16: Securing Your WordPress Website - WordCamp Sydney 2012

Prevent Plaintext Password Transmission – Next Best

1. If you can’t use HTTPS, then install the plugin “Semisecure Login Reimagined”.
2. This uses Javascript to encrypt your password before sending it to the server
3. Make sure you log out from WordPress to prevent network eavesdroppers from sniffing (capturing) and re-using your session key.

Page 17: Securing Your WordPress Website - WordCamp Sydney 2012

Prevent Brute-Force Login Attempts

• Install one of the following plugins:

1. Login Security Solution
   – Slows down response time of your website after multiple failed attempts
   – Prevents users from choosing weak passwords

and

2. Limit Login Attempts
   – Locks out accounts for a set time period after multiple failed attempts
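To show what the two plugins do behind the scenes, here is an added example (not code from the talk or from either plugin) that combines both behaviours: a growing response delay after each failure and a timed lockout once a threshold is reached. The policy values, the per-account plus per-IP keys, and the injectable clock are assumptions for illustration.

```python
import time
from collections import defaultdict

# Constructed policy values; both plugins expose equivalents as settings.
MAX_FAILURES = 4            # failures allowed inside the window before lockout
LOCKOUT_SECONDS = 20 * 60   # lockout length (Limit Login Attempts style)
SLOWDOWN_BASE = 2.0         # response delay in seconds, doubled per failure (Login Security Solution style)

class LoginGuard:
    """Tracks failed logins per account and per client IP. Counting both means one
    source cannot spray many accounts, and guesses at one account from many
    sources still lock that account."""

    def __init__(self, clock=time.time):
        self.clock = clock                       # injectable so the behaviour can be tested
        self.failures = defaultdict(list)        # key -> timestamps of recent failures

    def _recent(self, key, now):
        self.failures[key] = [t for t in self.failures[key] if t > now - LOCKOUT_SECONDS]
        return self.failures[key]

    def is_locked(self, username, ip, now=None):
        now = self.clock() if now is None else now
        return any(len(self._recent(k, now)) >= MAX_FAILURES
                   for k in (f"user:{username}", f"ip:{ip}"))

    def delay_for(self, username, now=None):
        """Seconds the login handler should sleep before replying; it grows with each
        failure so a guessing script is throttled long before the hard lockout."""
        now = self.clock() if now is None else now
        n = len(self._recent(f"user:{username}", now))
        return 0.0 if n == 0 else SLOWDOWN_BASE * 2 ** (n - 1)

    def attempt(self, username, ip, password_ok, now=None):
        """Process one login attempt and return 'ok', 'failed' or 'locked'."""
        now = self.clock() if now is None else now
        if self.is_locked(username, ip, now):
            return "locked"                      # the password is not even evaluated
        keys = (f"user:{username}", f"ip:{ip}")
        if password_ok:
            for k in keys:
                self.failures.pop(k, None)       # a successful login clears the counters
            return "ok"
        for k in keys:
            self.failures[k].append(now)
        return "locked" if self.is_locked(username, ip, now) else "failed"
```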

Page 18: Securing Your WordPress Website - WordCamp Sydney 2012

Install WP File Monitor Plus

• This plugin monitors files under your WP installation for changes.
• When a change is detected, it displays a dashboard alert and can also send an email
• As an administrator, you can view the list of changes and spot anything unexpected or unusual
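The core of such a monitor is a hashed baseline of the install compared against a fresh scan. The following is an added example written for this page, not the plugin's own code; the skipped directories and the constructed WP-like tree in demo() are assumptions.

```python
import hashlib, json, os, tempfile
from pathlib import Path

NOISY_DIRS = ("wp-content/cache", "wp-content/uploads")  # constructed defaults: high-churn dirs to skip

def hash_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:                      # chunked read keeps large files cheap
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> sha256 for every file under root, skipping NOISY_DIRS."""
    root, snap = Path(root), {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = Path(dirpath).relative_to(root).as_posix()
        if any(rel_dir == d or rel_dir.startswith(d + "/") for d in NOISY_DIRS):
            dirnames[:] = []                         # do not descend into this directory
            continue
        for name in filenames:
            p = Path(dirpath) / name
            snap[p.relative_to(root).as_posix()] = hash_file(p)
    return snap

def compare(baseline, current):
    """Diff two snapshots into the three buckets an administrator reviews."""
    both = baseline.keys() & current.keys()
    return {"added": sorted(current.keys() - baseline.keys()),
            "removed": sorted(baseline.keys() - current.keys()),
            "modified": sorted(p for p in both if baseline[p] != current[p])}

def check(root, baseline_path):
    """One run. Keep the baseline OUTSIDE the web root so a compromised site cannot rewrite it."""
    return compare(json.loads(Path(baseline_path).read_text()), snapshot(root))

def demo():
    """Constructed WP-like tree: record a baseline, then tamper with the files."""
    with tempfile.TemporaryDirectory() as tmp:
        site, store = Path(tmp) / "site", Path(tmp) / "baseline.json"
        (site / "wp-content/plugins/x").mkdir(parents=True)
        (site / "wp-content/uploads").mkdir()
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "wp-content/plugins/x/x.php").write_text("<?php // plugin\n")
        store.write_text(json.dumps(snapshot(site)))
        (site / "wp-content/plugins/x/x.php").write_text("<?php // changed\n")
        (site / "wp-content/plugins/x/.h.php").write_text("<?php // new\n")
        (site / "wp-content/uploads/photo.jpg").write_bytes(b"\xff\xd8")  # ignored: noisy dir
        (site / "index.php").unlink()
        return check(site, store)
```

Run demo() to see the three buckets for the tampered tree; in production, schedule check() and raise the alert whenever any bucket is non-empty.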

Page 19: Securing Your WordPress Website - WordCamp Sydney 2012

Essential Security Habits

Page 20: Securing Your WordPress Website - WordCamp Sydney 2012

Regularly Update Your Site, Plugins and Themes

• The last talk stressed the importance of performing regular updates to WordPress, themes and plugins and performing regular remotely-initiated backups
• Several WordPress management services now exist to simplify and speed up these steps:
   – ManageWP (hosted)
   – InfiniteWP (self-hosted)
   – WP Remote (hosted)
   – Worpit (hosted)

Page 21: Securing Your WordPress Website - WordCamp Sydney 2012

Accessing Your Site From Untrusted PCs

• Two-Factor authentication is mandatory
• This is a combination of a password and a random number from a key fob, SMS message or a mobile phone app that you obtain each time you log in
• WordPress Two-Factor plugins include:

1. Second Factor
2. Google Authenticator
3. Duo Two-Factor Authentication

Page 22: Securing Your WordPress Website - WordCamp Sydney 2012

Accessing Your Site From Untrusted Networks

1. If you can, use your smart phone or laptop PC equipped with 3G, 4G or GPRS Mobile Internet
2. If you are forced to use a public WiFi access point or LAN, ensure that any sites requiring authentication are accessed via their HTTPS (secure) link.

Page 23: Securing Your WordPress Website - WordCamp Sydney 2012

Choosing a Password

• Twelve characters long as a minimum, but not a dictionary word
• Common number/letter substitutions provide little extra security – cracking tools almost always check for these

Page 24: Securing Your WordPress Website - WordCamp Sydney 2012

Password Memorisation Techniques

1. Come up with a memorable sentence, and use the first letters of each word to form the password e.g.
   – “Jack and Jill went up the hill to fetch a pail of water” could form a 13-character password “JaJwuthtfapow”
2. Three unrelated unconnected dictionary words one after the other, misspelt a certain way known to you

• On your own trusted PC, consider using an encrypted password manager like KeePass
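As an added example (not from the talk), the checker below applies the two rules from the previous slide, the 12-character minimum and "not a dictionary word even after common substitutions", and also derives the first-letter password from a sentence as in method 1 above. The small word list and the substitution table are constructed for illustration; a real check would load the same large word lists that cracking tools use.

```python
import re

# Constructed mini-dictionary; a real check loads the large word lists cracking tools use.
DICTIONARY = {"password", "sunshine", "wordpress", "dragon", "monkey", "welcome", "letmein"}

# Common number/symbol-for-letter swaps. Cracking rule sets try these (and the other
# readings of '1' and '!') automatically, so they add almost no strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                      "@": "a", "$": "s", "!": "i"})

def normalise(pw):
    """Undo the substitutions and case so 'P@ssw0rd' is judged as 'password'."""
    return pw.translate(LEET).lower()

def password_problems(pw, dictionary=DICTIONARY):
    """Return the reasons a password fails the talk's rules; an empty list means it passes."""
    problems = []
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    without_suffix = re.sub(r"\d+$", "", pw)          # 'Wordpress2012' -> 'Wordpress'
    if normalise(pw) in dictionary or normalise(without_suffix) in dictionary:
        problems.append("dictionary word (substitutions and trailing digits do not disguise it)")
    return problems

def passphrase_from_sentence(sentence):
    """Method 1 from the slide: first letter of each word, keeping the original capitalisation."""
    return "".join(w[0] for w in re.findall(r"[A-Za-z0-9']+", sentence))
```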

Page 25: Securing Your WordPress Website - WordCamp Sydney 2012

Conclusion

• Slides from Previous Talk at Wordcamp GC 2011:
   – http://slidesha.re/tr2XA5
   – Covers the “Three Pillars of Security”, the aims of attackers and other WordPress security plugins
• ManageWP - 30% discount on all plans for WordCamp Sydney Attendees:
   – http://managewp.com/wcsyd
• Questions and Comments:
   – http://wpexpert.com.au/contact-us/