3. .com or .org?
• wpisnotwp.com
• wordpress.com
• hosted service from Automattic
• Security covered by them
• no influence on the installation
4. • just a small private blog
• content which doesn't harm anyone
• not even much outreach
• negligible audience
• no financial interest
Is it about me?
6. Content is King
• computational power (CPU)
• disk space
• bandwidth
• sendmail for spam
nothing
7. Y U d0n't want 2 B h4cked
• you lose reputation
• your sales are affected
• you spend money on others' behalf
• you just feel bad!
10. CMS? No prob!
• CVE-Hitlist
• (32) Joomla: 382
• (37) WordPress: 342
• (39) Drupal: 300
• no entry ≠ secure, just not yet exposed
11. WordPress Security
• often referred to as "insecure"
• core vs. 3rd party vs. operation
• large community that takes care
• WordPress security team
[chart: share of WordPress vulnerabilities by origin: Core 11%, Plugins 52%, Themes 37%]
12. • Brute-Force Attacks
• "default" usernames
• weak passwords
• XSS - Cross Site Scripting / SQL Injections
• bad coding
• old and outdated installations
Attack Vectors
13. • »admin« default until v3.0
• part of the domain-name
• common: eMail-address like »info@…«
• best practice: 1 admin-, 1 user-account
• make sure user names are not accessible
User Name
15. • Anything that can be found in dictionaries
• social hacking
• keyboard runs and sequences
• recycled passwords
• PW-lists in Word/Excel/Evernote
Password NoGos!
18. Defense Strategy
➡ strong passwords
➡ disable/tweak login messages
➡ lockout after x malicious attempts for time y
➡ IP-blacklisting
➡ disable XML-RPC if not needed
➡ restrict REST-API access
➡ consider geoblocking where feasible
19. Update, Update, Update!
• autoupdate for minor core updates ✅
• update plugins and themes ASAP ⏰
• critical infrastructure: have a staging system 🎭
• check functionalities after update 🚀
• premium: renew your subscriptions 💸
20. wp.org Stuff Only!
• use themes and plugins from wp.org repo only
• avoid "premium" plugins and themes
• never ever use doubtful sources
21. Remove Unused Stuff
• uninstall themes and plugins not actively used
• keep the current default theme as a fallback
• disabled plugins are still accessible
22. Monitoring
• server up and running
• malicious login attempts
• 404's
• changed/added/deleted files
• user actions
• malware detection
• changes in UI after updates
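The "lockout after x malicious attempts for time y" rule from the Defense Strategy slide and the "malicious login attempts" item under Monitoring, worked through as an added example (not from the talk): a small detector that scans web-server access-log lines, counts failed credential attempts against wp-login.php and xmlrpc.php per source IP in a sliding window, and records when a lockout would start. The log lines, thresholds and the rule "a 200 on a wp-login.php POST is a failure, a 302 is a success" are assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
# Constructed access-log lines (Apache combined format, RFC 5737 test addresses), not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [10/Oct/2023:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [10/Oct/2023:13:55:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412
203.0.113.7 - - [10/Oct/2023:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
203.0.113.7 - - [10/Oct/2023:13:55:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
198.51.100.2 - - [10/Oct/2023:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [10/Oct/2023:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
192.0.2.9 - - [10/Oct/2023:13:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3521
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def failed_login(line):
    """Return (ip, timestamp) if the line looks like a failed credential attempt, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    path, status = m.group("path"), int(m.group("status"))
    # wp-login.php re-renders the form (200) on failure and redirects (302) on success;
    # xmlrpc.php also accepts credentials, so every POST to it is counted (assumption).
    if (path.startswith("/wp-login.php") and status == 200) or path.startswith("/xmlrpc.php"):
        return m.group("ip"), datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")

def find_lockouts(log_text, max_attempts=5, window=timedelta(minutes=5),
                  lockout=timedelta(minutes=15)):
    """Per source IP: lock out after max_attempts failures within window, for lockout. Returns {ip: [lockout start times]}."""
    recent = defaultdict(deque)   # per-IP timestamps of failures still inside the window
    locked_until = {}
    lockouts = defaultdict(list)
    for line in log_text.splitlines():
        if (hit := failed_login(line)) is None:
            continue
        ip, ts = hit
        if ts < locked_until.get(ip, ts):
            continue              # still locked out: a real filter would reject the request here
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:  # sliding window: slow, spread-out attempts never accumulate
            q.popleft()
        if len(q) >= max_attempts:
            locked_until[ip] = ts + lockout
            lockouts[ip].append(ts)
            q.clear()
    return dict(lockouts)
```

With the defaults only 203.0.113.7 trips the rule (five failures in seven seconds); 198.51.100.2 logged in successfully and 192.0.2.9's attempts are too far apart to count together.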
23. Raise the Barrier
• get a free SSL certificate with Let's Encrypt
• Multi-Factor Authentication (MFA)
• very simple via eMail
• more sophisticated: Google Authenticator, Duo, Rublon
• extra hardware: YubiKey, FIDO U2F
25. • randomize version number
• change db-prefix
• renaming of /wp-content folder
• hide login window
• hide WordPress altogether
Security Foo
26. Let's Get the Complete Picture
• how secure is your local client?
• keylogger
• Do you still use FTP?
• change to SFTP or FTPS (SSL/TLS)!
• PW submitted via eMail?
• unencrypted eMail = postcard
27. Backup
• you don't want to have a backup,
➡ you want to have a restore!
• timed & regular, automatic, off-site
• both database and files
• practice restore
28. Recommendations
🔒 harden your installation
✅ update, update, update
ⓦ use themes and plugins from wp.org repo only
🚫 remove unused plugins and themes
🔭 monitor your site(s)
🚨 have a backup
29. en detail
• Choose the right hoster
• Limit access rights
• Have an SSL certificate
• Disable FileEditor
32. Summary
• Security is not installing a plugin
• Security is a continuous process
• Security should become a habit!
• effort vs. benefits?
• make or buy