Robert Vidal is an information security professional who specializes in WordPress security. He outlines several recommendations for securing a WordPress site, including changing default usernames and passwords, removing WordPress version information, keeping software updated, using strong security plugins, limiting comments and user input, regularly backing up the site, and scanning for vulnerabilities, malware and unauthorized changes. Vidal emphasizes that there is no single solution and site owners must take an active, ongoing approach to security through multiple methods like plugins, backups and monitoring.
1. Robert Vidal, ABCP OSCP OSWP
robert.vidal@infotransec.com
http://www.infotransec.com
WordPress Security and
Best Practices
2. • Robert Vidal, ABCP OSCP OSWP Cert. IS-CF
• Associate Business Continuity Professional (ABCP)
• Certified Vulnerability and Penetration Testing Professional (OSCP)
• Certified Wireless Security Professional (OSWP)
• Certificate Information Security and Computer Forensics (Cert. IS-CF)
• Information Security Analyst – InfoTransec (Hamilton)
• Specializing in Network and Application Security
• Industry Compliance and Governance
• IT Industry since 2005
• Focused on Security since 2008
• Working with WordPress since 2011
About Me:
3. • Our focus is always on delivering high quality solutions to our clients
through current industry standards and recognized frameworks and
benchmarks.
• Services include:
• Network and Web Application Vulnerability Assessments and Penetration
Testing
• Information Security Services
• Managed IT
• Computer Forensics
• Data Recovery
• eDiscovery
• CyberStalking / CyberBullying
About InfoTransec:
4. • WordPress is an open-source application so anyone is able to download
the application and view the system defaults and file structure.
• Once a hacker has this knowledge or map of your site they can then plan
an attack in attempts to exploit the site.
• What this means:
• Default username is known
• File Structure is known
• Database structure is known
• Location of usernames and passwords and configuration files are known
• Location of plugins, themes, and file uploads is known
• WordPress version can be enumerated
WordPress Defaults
5. • Do not use ‘admin’ as default Administrator username
• Change to a complex username – similar to a complex password (Upper Case letter, lower case letter,
number, and special character i.e: R0b3rtV!d@l)
• Remove Author name from pages and posts
• Account names are exposed when content is published
• Plugin “WP Author, Date and Meta Remover” https://wordpress.org/plugins/wp-author-date-and-meta-
remover/
• Use non-default database table prefixes
• Upon installation – specify a unique table prefix (non wp_)
• Modify WP after installation
• Manually via PHP Admin & wp-config.php
• Plugins “Change DB Prefix” https://wordpress.org/plugins/db-prefix-change/
• Remove WordPress version from source code
• Add to functions.php “remove_action('wp_head', 'wp_generator');”
• Plugins “Remove Version” https://wordpress.org/plugins/remove-version-remver/
• Delete unused themes and plugins
• Hello Dolly / Akismit / Jet Pack, etc…..
Recommendations:
8. • Everyone from your competitors, to Black Hat SEO enthusiasts, to hackers and
script kiddies.
• Hackers use automated scanners and GoogleDork search techniques to locate
vulnerable WordPress installations, plugins or themes, which they can exploit.
• Google Dork : Search techniques used to locate websites or information that is not
intended to be indexed by google
• inurl:wp-content/”
• inurl:"/wp-content/plugins/wp-shopping-cart/”
• inurl:”wp-content/plugins/wp-dbmanager/”
• What this means:
• Malware can be injected into the site
• Brute force login attempts can be done over time
• Your site may become slow or unresponsive due to handling the excessive requests
• Tools can be used to scan your site and enumerate information about your site and what
is installed.
• WPScan
• Nmap (http-wordpress-enum - nmap plugin)
9. • Think Like a Hacker
• Limit search exposure and restrict access to foreign visitors
• If you are offering products and services to people or businesses in the Hamilton area
why do you need to allow visitors from Russia, Ukraine, China?
• via webmaster tools to set a preferred location
• Use IP Blocker plugins to restrict access
• Block information your visitors do not need to see
• Modify the robot.txt file of the webpage to prevent bots from accessing sensitive
information
• Modify the htaccess file to ensure secure file and folder permissions are set
• Take Pro-active measures:
• Installed lockout plugins to lock a user out after a number of failed attempts
• Scan site regularly for Malware
• Sucuri site check
• Use WPScan and nmap to identify what hackers can enumerate.
Recommendations
13. • Files can be added or modified without you knowing
• Google may flag your site as Hacked resulting in a lower Google ranking
• Your site may be filled with Spam links resulting in a lower Google ranking
• May unknowingly be infecting your visitors with virus’ or malicious code.
• Visitors may be immediately redirected off your site.
• Website can be defaced.
• Backdoors can be added which may lead to future problems.
• Users can be lock you out.
• Anything else they wish.
What does this mean?
14. • Backup your files and DataBase regularly!!!
Its easier to compare files or even revert to a known good build or even compare files
• Use plugins that detect file changes and alerts via email.
• https://wordpress.org/plugins/wordfence/ (WordFence)
• Limit the number of registered users on the site, and ensure accounts have appropriate permissions.
• Scan your site for malware regularly
• Securi Site Check https://sitecheck.sucuri.net/ (FREE)
• Google search the site regularly.
• FTP into your hosting account and look for:
• Files that end with xxxx_old.php
• Files with unexpected extensions (image files with a .php file extension)
• Look at the modification dates of your files. If all files in a directory have the same modified date and there
is 1 with a different modified date – Probaly Malware or a backdoor
• Look for unexpected files in your directories. (If there is a PHP files in an images directory)
• Install a Web Application Firewall plugin to prevent malicious activity.
• https://en-ca.wordpress.org/plugins/wp-simple-firewall/ (Simple Security Firewall)
What to do:
16. A: Good - Comments are great for
allowing interactivity with your
visitors.
But...
17. You are also allowing user input into your
site.
What does this mean?
• A visitor can instead of a text comment inject malicious script or links into
your site.
• <script type="text/javascript">alert("Hello");</script>
• I love your site I also found <a href=“http://badwebsite.com”> this link </a> for
more information.
• Visitors can promote their own site or links that may go against the
reputation of your site
• Online Pharmacy’s, Adult content, Profanity
• This can lower your Google Ranking and SEO Reputation
• This can also cause your site to be flagged by google as hacked
18. • Disable Comments on all pages and posts
• If you wish to allow comments on your site manually approve them or
only allow them on certain pages
• Modify functions.php to NOT allow HTML based comments.
• Review the front end of your site regularly
• Google search your site regularly to ensure Google has not flagged your
site due to malicious comments.
• Install plugins
• That allow users / visitors to report malicious or offensive comments
• Block all comments
• Do not allow HTML comments
What to do:
19. Q: What is the best method to
protect my site?
20. A1: Keep the WordPress Core,
Themes and Plugins up to date.
And…
22. • As components are updates Hackers are able to identify the weaknesses
of previous versions.
• Many hackers will intentionally target older versions of WordPress with
known security issues, so keep an eye on your Dashboard notification
area and don’t ignore those ‘Please update now’ messages.
• Hackers prey on those that are slow to update.
Code is always evolving, improved and
updated.
What does this mean?
23. • Regular backups at multiple layers
• MySQL
• Wordpress Pages and Posts
• FTP files
• Update the WordPress core when updates are available
• Use a Host that offers automatic updates
• Update plugins and themes regularly
• Delete unused plugins and themes
• Install plugins that manage updates
• Themes and plugins
• WordPress Core
What to do:
24. • There is no one-stop solution to secure your site.
• There is no single way to recover / restore a website.
• Use multiple tools and tactics to protect your site.
• Ensure you know what is going on in your site.
• “DON’T SET IT AND FORGET IT”
• Setup email alerts
• Visit and test your own site regularly
• Use Google regularly to search your own site
In Closing: