Slides from a talk given on April 30, 2016 at WordCamp Vernon in Vernon, British Columbia, Canada. The talk was an overview of WordPress security solutions and best practices at a beginner/intermediate level. It presented practical techniques and advice for guarding against hackers and unauthorized access to your self-hosted WordPress installation. The topic was addressed from a fairly non-technical perspective.
3. How Sites are Hacked
● Exploiting code vulnerabilities in WordPress Core, themes, or plugins
● Gaining access to the WordPress admin via a user account
● Finding a way into the web server
5. Update, Update, Update
● Keep WordPress, themes, and plugins up-to-date
● Consider enabling automatic updates
  – Only enabled for minor core releases, translation files, critical plugin/theme updates by default
  – Can be expanded, e.g. using Advanced Automatic Updates plugin
7. Minimize the Attack Surface
● Less code = lower probability of vulnerabilities
● Deactivate all unused plugins
● Uninstall all plugins and themes that aren't needed
8. Choose Themes & Plugins Carefully
● Whenever possible, use products from reputable theme and plugin authors
● Paying for a theme/plugin does not guarantee quality
● Prefer older, more widely used themes/plugins
9. Choose Themes & Plugins Carefully
● Check most recent release date, update frequency
14. Avoid Brute Force Attacks
● Don't use default or easily guessed usernames
  – “admin”, “administrator”
  – Domain name
15. Avoid Brute Force Attacks
● Use strong passwords
  – Uppercase and lowercase letters, numbers, symbols
  – At least 8 characters, preferably more
  – No dictionary words
● Enforce strong passwords
  – e.g. Force Strong Passwords plugin
16. Avoid Brute Force Attacks
● Limit the number of failed login attempts
  – Block the user for a specified time after X failed login attempts
  – e.g. Limit Login Attempts plugin
[Screenshot: Limit Login Attempts lockout options]
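The lockout rule on this slide, written out as an added example (this is not the Limit Login Attempts plugin's code): after a number of failed attempts inside a time window, the client is refused for a lockout period, and during that period even a correct password is not checked, so a guesser learns nothing from the response. The limiter is keyed by client IP here; the policy numbers in the constants are constructed, not the plugin's defaults.

```python
"""Failed-login lockout logic (added example, not the Limit Login Attempts plugin)."""
from collections import defaultdict, deque

# Constructed policy: 4 failures within 12 hours => blocked for 20 minutes.
MAX_FAILURES = 4
WINDOW = 12 * 60 * 60      # seconds in which the failures must accumulate
LOCKOUT = 20 * 60          # seconds the client stays blocked


class LoginLimiter:
    def __init__(self, max_failures=MAX_FAILURES, window=WINDOW, lockout=LOCKOUT):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self._locked_until = {}               # ip -> time at which the lock expires

    def _prune(self, ip, now):
        """Forget failures older than the window so a slow trickle never locks anyone."""
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[ip]        # lock has expired, clear it
            return False
        return True

    def attempt(self, ip, password_ok, now):
        """Record one login attempt and return 'locked', 'ok' or 'failed'.

        `password_ok` is the result the caller would get from the real
        credential check; it is deliberately ignored while the IP is locked.
        """
        if self.is_locked(ip, now):
            return "locked"
        if password_ok:
            self._failures.pop(ip, None)      # success resets the counter
            return "ok"
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.max_failures:
            self._locked_until[ip] = now + self.lockout
            self._failures.pop(ip, None)
            return "locked"
        return "failed"


if __name__ == "__main__":
    # Constructed walk-through with small numbers: 3 failures in 100 s => 50 s lock.
    lim = LoginLimiter(max_failures=3, window=100, lockout=50)
    for t, ok in [(0, False), (10, False), (20, False), (30, True), (70, True)]:
        print(t, lim.attempt("203.0.113.7", ok, t))
```

A real deployment stores the failure queue and lock expiry somewhere shared (the database or an object cache), because a site served by several PHP workers cannot keep the counters in process memory.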
17. Two-Factor Authentication
● Add “what you have” to “what you know”
● Email, SMS, or mobile app based
● e.g. Clef, Duo, Rublon Two-Factor Authentication plugins
19. “Security By Obscurity”
● Change the paths to your WordPress admin directory and the wp-login.php script
  – e.g. Protect Your Admin plugin
20. Principle of Least Privilege
● Limit users' roles to what they actually need
● Customize roles and capabilities if necessary
  – e.g. Capability Manager Enhanced plugin
● Disable editing of plugins and themes from the admin
  – define('DISALLOW_FILE_EDIT', true);
21. Prevent Password Sniffing
● Don't log in to your WordPress admin on unsecured WiFi networks
● Consider installing an SSL certificate for admin access
23. FTP, Control Panel, SSH Access
● Use strong passwords
● Use public key authentication where possible
● Use two-factor authentication where possible
24. Database Server
● Use strong passwords for database users
● Apply principle of least privilege
● Block external access unless absolutely necessary
26. Backups
● Make backups of your database and website files often
● Store backups off-site
● Check/test backups!
● e.g. BackUpWordPress, Dropbox Backup & Restore, UpdraftPlus Backup and Restoration plugins
28. Recognize the Symptoms
● Unfamiliar files in your website's directories
● Unrecognized plugins
● New posts or other content that you didn't write
● Spammy links appearing in existing content
● New users added
● Successful admin logins from unrecognized IPs/locations
29. What Malicious Code (May) Look Like
● Prepended or appended to WordPress core, plugin, or theme PHP files
● New files with seemingly legitimate names
  – login.php, config.php, etc.
● PHP files in the uploads directory
● Calls to eval(), often with base64_decode() or gzinflate()
  – eval(base64_decode(ZnVuY3Rpb24gbXlSZWFsbHlCYWRGdW5jKCkgewplY2hvKCdIZWxsbyB3b3JsZCEnKTsKZGllKCk7Cn0...
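The indicators on this slide can be checked mechanically over a copy of the site's files. The scanner below is an added example, not tooling from the talk: it flags PHP files under wp-content/uploads, eval() calls fed by base64_decode(), gzinflate(), gzuncompress() or str_rot13(), and an unusually long first or last line (the usual shape of code prepended or appended to a file). An inline base64 argument is decoded so a reviewer can read it; it is never executed. The 300-character threshold, the file names and the sample tree that demo() writes into a temporary directory are all constructed for the example.

```python
"""Indicator scan for a WordPress file tree (added example, not the talk's tooling)."""
import base64
import binascii
import os
import re
import tempfile

UPLOADS_DIR = "wp-content/uploads"
LONG_LINE = 300   # constructed threshold: legitimate PHP rarely has a 300+ character line
EVAL_RE = re.compile(
    r'eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(\s*'
    r'(?:[\'"](?P<b64>[A-Za-z0-9+/=]+)[\'"])?',
    re.IGNORECASE,
)


def decode_payload(b64):
    """Decode an inline base64 literal for reading; None if it is not valid base64."""
    padded = b64 + "=" * (-len(b64) % 4)
    try:
        return base64.b64decode(padded, validate=True).decode("utf-8", "replace")
    except binascii.Error:
        return None


def scan_file(root, path):
    """Return (kind, relative path, decoded payload or None) tuples for one file."""
    rel = os.path.relpath(path, root).replace(os.sep, "/")
    findings = []
    if rel.startswith(UPLOADS_DIR + "/"):
        findings.append(("php-in-uploads", rel, None))
    with open(path, encoding="utf-8", errors="replace") as fh:
        text = fh.read()
    for m in EVAL_RE.finditer(text):
        payload = decode_payload(m.group("b64")) if m.group("b64") else None
        findings.append(("eval-decoder", rel, payload))
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if lines and len(lines[0]) > LONG_LINE:
        findings.append(("long-first-line", rel, None))
    if len(lines) > 1 and len(lines[-1]) > LONG_LINE:
        findings.append(("long-last-line", rel, None))
    return findings


def scan_tree(root):
    """Scan every PHP-like file below root; sorted so output is stable."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if name.lower().endswith((".php", ".phtml", ".php5")):
                findings.extend(scan_file(root, os.path.join(dirpath, name)))
    return sorted(findings, key=lambda f: (f[1], f[0]))


def build_sample_tree(root):
    """Write a constructed mini site: one clean file and two suspicious ones."""
    payload = base64.b64encode(b"echo 'constructed sample payload';").decode()
    files = {
        "wp-content/themes/sample-theme/functions.php":
            "<?php\nadd_theme_support('title-tag');\n",
        # a PHP file dropped into uploads that runs eval() on a base64 string
        "wp-content/uploads/2016/04/image.php":
            "<?php eval(base64_decode('" + payload + "')); ?>\n",
        # a core-looking file with a 400-character obfuscated line prepended
        "wp-includes/constructed-core-file.php":
            "<?php $_x='" + "Q" * 400 + "';\n\nfunction legitimate_code() { return 1; }\n",
    }
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Build the constructed tree in a temp dir, scan it, print and return the findings."""
    root = tempfile.mkdtemp(prefix="wp-scan-")
    build_sample_tree(root)
    findings = scan_tree(root)
    for kind, rel, payload in findings:
        print(f"{kind:16} {rel}" + (f"\n    decoded: {payload!r}" if payload else ""))
    return findings


if __name__ == "__main__":
    demo()
```

Run it against a copy of the site rather than the live tree, and treat the output as a list of files to read, not a verdict: a long first line can also be a minified or generated file, and a legitimate plugin may call base64_decode() without eval(). Comparing flagged core files against a freshly downloaded copy of the same WordPress version settles most cases quickly.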
30. First Steps
● “Quarantine” all website files
● Backup the database
● Restore website files and database from the most recent clean backup
● Immediately change all user passwords
● Install all updates
31. Identify the Attack Vector
● Determine when entry was first gained, and by whom (IP address)
  – WordPress login log
  – Website logs
  – Backups of database and files
● Trace the attacker's actions
  – Login via a compromised user account?
  – Web requests with a specific URI?
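The questions on this slide, and the "successful admin logins from unrecognized IPs" symptom on slide 28, can be answered from the web server's access log. The script below is an added example, not code from the talk. It assumes the common Apache/nginx "combined" log format and one heuristic that is an assumption of the example, not a statement from the deck: a POST to wp-login.php answered with a 302 redirect was a successful login, while one answered with 200 (the form served again) was a failure. The log lines, the IP addresses (documentation ranges) and the set of known admin IPs are all constructed.

```python
"""Access-log triage for a compromised WordPress site (added example, not the talk's code)."""
import re
from collections import Counter
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<uri>\S+) [^"]*" (?P<status>\d{3}) '
)
LOGIN_URI = "/wp-login.php"
KNOWN_ADMIN_IPS = {"198.51.100.20"}   # constructed: where the site owner normally logs in from

# Constructed sample: three failed guesses, then a success, then admin activity,
# from an unknown address; a day later the owner's normal login.
SAMPLE_LOG = """\
203.0.113.7 - - [28/Apr/2016:02:11:03 -0700] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2016:02:11:04 -0700] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2016:02:11:05 -0700] "POST /wp-login.php HTTP/1.1" 200 3124 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2016:02:11:06 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2016:02:11:09 -0700] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 41022 "-" "Mozilla/5.0"
203.0.113.7 - - [28/Apr/2016:02:13:00 -0700] "GET /wp-content/uploads/2016/04/image.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Apr/2016:09:00:00 -0700] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [29/Apr/2016:09:00:01 -0700] "GET /wp-admin/ HTTP/1.1" 200 60210 "-" "Mozilla/5.0"
"""


def parse_log(text):
    """Yield one dict per line that matches the combined format; skip the rest."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        e = m.groupdict()
        e["time"] = datetime.strptime(e["time"], "%d/%b/%Y:%H:%M:%S %z")
        e["status"] = int(e["status"])
        yield e


def triage(text, known_ips=KNOWN_ADMIN_IPS):
    """Answer: who logged in, when first, which IPs are unknown, what they did next."""
    entries = list(parse_log(text))
    failures = Counter()
    first_success = {}
    for e in entries:
        if e["method"] == "POST" and e["uri"].split("?")[0] == LOGIN_URI:
            if e["status"] == 302:                       # heuristic: redirect == login succeeded
                first_success.setdefault(e["ip"], e["time"])
            else:
                failures[e["ip"]] += 1
    unknown = sorted(ip for ip in first_success if ip not in known_ips)
    # Every non-login request an unknown IP made after its first success is the
    # "web requests with a specific URI" trail worth following.
    trail = [(e["ip"], e["time"].isoformat(), e["uri"]) for e in entries
             if e["ip"] in unknown and e["time"] >= first_success[e["ip"]]
             and e["uri"].split("?")[0] != LOGIN_URI]
    entry = min((first_success[ip] for ip in unknown), default=None)
    return {
        "failures": dict(failures),
        "first_success": {ip: t.isoformat() for ip, t in first_success.items()},
        "unknown_ips": unknown,
        "entry_time": entry.isoformat() if entry else None,
        "trail": trail,
    }


if __name__ == "__main__":
    report = triage(SAMPLE_LOG)
    print("failed logins per IP:", report["failures"])
    print("unknown IPs with a successful login:", report["unknown_ips"])
    print("earliest entry:", report["entry_time"])
    for ip, when, uri in report["trail"]:
        print(f"  {ip} {when} {uri}")
```

The entry time this produces is the earliest clean point for choosing a backup: anything taken after it may already contain the attacker's changes. If the site uses a login-logging plugin, its records give the username behind each successful POST, which the access log alone cannot.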