The document discusses security best practices for WordPress sites. It defines information security as confidentiality, integrity and availability. The biggest risks are from leaked passwords and software vulnerabilities. For passwords, it recommends strong unique passwords, HTTPS for all connections, and using captchas. For software, it advises minimizing plugins/themes, only installing from trusted sources, and keeping everything updated. It warns that plugins pose the largest risk and provides an example of a breach through an outdated plugin. Regular backups that are automated, complete, frequent and stored offsite are also important for recovery from failures or attacks. The key is following password hygiene, updating software, using HTTPS, installing from trusted sources, and having backups in place.

1. @ottokekalainen
WORDPRESS
SECURITY 101
what is important –
and what is not
WordCamp Finland 2016
Otto Kekäläinen

2. @ottokekalainen
Definition of
information security
1. Confidentiality
2. Integrity
3. Availability

3. @ottokekalainen
You must keep your
WordPress site
secure

4. @ottokekalainen
Potential consequences
● Corrupted orders database: webshop unable to
ship anything or resolve payments
● Leaked customer database: angry customers,
lawsuit for neglect of privacy laws
● Visitors get redirected to shady sites: lost
reputation, marketing budget goes in vain
● Site spreads malware: Google might detect and
ban from showing up in search results
● Site sends spam: could become blacklisted and
legit email stops working

5. @ottokekalainen
“But my site is not important!”
Your site can be used to mount further attacks!
If you have clearly neglected the maintenance
of your own site, you could be held partly liable
for attacks on other sites.

6. @ottokekalainen
What is really
important in
keeping your
WordPress site
secure?

7. @ottokekalainen
Avenues of unauthorized access:
1. Leaked passwords
2. Software vulnerabilities

8. @ottokekalainen
Leaked
passwords

9. @ottokekalainen
Remember password hygiene
seravo.fi/2014/password-hygiene-every-mans-responsibility

10. @ottokekalainen
HTTPS, SFTP, SSH
Never submit passwords over an unencrypted connection!

11. @ottokekalainen
1. Your server needs to support HTTPS
2. Enforce in wp-config.php with:
define('FORCE_SSL_ADMIN', true);
Enforce HTTPS in
WordPress

12. @ottokekalainen
Use captcha
to avoid robot users
Google reCaptcha recommended

13. @ottokekalainen
Software
vulnerabilities

14. @ottokekalainen
1. Minimize the attack surface by minimizing the
amount of software you have
2. For the software you really need, make sure you
have updated to latest releases
Minimize vulnerabilities

15. @ottokekalainen
How secure is the WordPress core?
Security bugs per 1000
lines of code written
All time: 0,1
(204 CVE entries per 2,1
million lines of code)
In 2015: 0,05
(11 CVE entries per 236
000 lines of code)

16. @ottokekalainen
WordPress core
is secure.

17. @ottokekalainen
The problem is the plugins.

18. @ottokekalainen
Combined
core, plugin
and theme
vulnerability
database:
wpvulndb.com

19. @ottokekalainen
Example case: Mossack Fonseca aka Panama papers
● The site www.mossfon.com was running WordPress
● Unauthorized access of WP lead to unauthorized access of MS Exchange
email server on internal network and other sites at *.mossfon.com
● The intruders most likely came through an old and insecure version of the
Revolution Slider plugin.
○ Well known vulnerability, WordPress.org even has a patch as a separate plugin (https:
//wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not
available at WordPress.org.

20. @ottokekalainen
Example case: Mossack Fonseca aka Panama papers
● Case analysis at https://www.wordfence.com/blog/2016/04/mossack-
fonseca-breach-vulnerable-slider-revolution/

21. @ottokekalainen
WP plugin review
guidelines for capitalists*
If the logo is red and
name contains revolution,
don’t install it on your system!
* a small dose of parody can’t hurt?

22. @ottokekalainen
If you run your own server
Also remember to harden and keep updated
● operating system
● web server
● database server
● PHP environment

23. @ottokekalainen
Install only from trusted
sources.
Avoid random 3rd party repositories that don’t have any maintenance policy.

24. @ottokekalainen
Don’t waste time on
● removing generator meta or hiding version numbers
● hiding login errors
● changing wp-admin location
● removing readme.html or other files
● disabling xmlrpc
Only for WP geeks who love to research the pros and cons.
For normal users WordPress default settings are secure.

25. @ottokekalainen
False sense of security:
feels like a lot has been done
when really very little has.

26. @ottokekalainen
Scan results require interpretation. Recommended only for professionals.
Security plugins are not the solution

27. @ottokekalainen
The only recommended ones:
WPScan and Google Webmaster Tools
Almost no false positives and no business model based on spreading fear.

28. @ottokekalainen
Protection against DDOS
What if the problem is not unauthorized access
but the lack of authorized access?

29. @ottokekalainen
Denial of service attacks
Detect, withstand and block
● high performance servers and good caching
● detect repeated offenders and block at network level
○ e.g. failtoban + iptables
DDOS is a constant race of new techniques of attack and defence.
Try to find a good hosting provider that takes care of DDOS at least
on the network level.

30. @ottokekalainen
Backup and recovery
Because some day,
sooner or later,
everything else fails.

31. @ottokekalainen
Backup guidelines1/2
Make sure your backup system meets these requirements
● automatic: not dependant on human action
● complete: both files and database
● incremental with a history: at least 30 days
● frequent: daily is good

32. @ottokekalainen
List continues..
● offsite: in case access to the original site is lost
● pull, not push: original site should not have access to the backups,
otherwise an attacker can delete both the original site and all backups
Personal favourite: mysqldump + rdiff-backup over SSH
Backup guidelines1/2

33. @ottokekalainen
Once more with
a feeling

34. @ottokekalainen
1. Always follow password hygiene.
2. Use captchas to stall robot users.
3. Use HTTPS (and SFTP and SSH) – never submit
passwords in plain text on any network connection.
4. Remove unnecessary software to reduce attack surface.
5. Keep WordPress plugins and all other software too
updated to have all known vulnerability fixes installed.
6. Install software and update only from trusted sources.
7. Have a good backups system in place.
8. Choose a good service provider and trust them to take
care of the rest.
WordPress security 101

35. @ottokekalainen
Thank You!
Visit https://wp-palvelu.
fi/blogi for more tips (in
Finnish)