Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to WordPress Security 101 - Meetup Nairobi March 2020
Similar to WordPress Security 101 - Meetup Nairobi March 2020 (20)
More from stk_jj
More from stk_jj (11)
Recently uploaded
Recently uploaded (17)
WordPress Security 101 - Meetup Nairobi March 2020
- 1. WordPress Security 101 WordPress Meetup Nairobi March 2020
- 2. ! @stkjj ! stefan@adminpress.de https://profiles.w.org/stk_jj About Me • Stefan Kremer • 14 yrs WordPress experience • Contributor • freelance IT Consultant, mainly WordPress, Mac, CTI • Owner of AdminPress (de) and KeDe Digital LLP (ke)
- 3. .com or .org? • wpisnotwp.com • wordpress.com • hosted service from Automattic • Security covered by them • no influence on the installation
- 4. • just a small private blog • content which doesn't harm anyoine • even not much outreach • negligible audience • no financial interest Is it about me?
- 5. • just a small private blog • content which doesn't harm anyoine • even not much outreach • negligible audience • no financial interest Is it about me?
- 6. Content is King • computational power (CPU) • disk space • bandwidth • sendmail for spam nothing
- 7. Y U d0n't want 2 B h4cked • you lose reputation • your sales are affected • you spend money on others behalf • you just feel bad!
- 9. CMS? No prob! • CVE-Hitlist
- 10. CMS? No prob! • CVE-Hitlist • (32) Joomla: 382 • (37) WordPress: 342 • (39) Drupal: 300 • no entry ≠ secure, just not yet exposed
- 11. WordPress Security • often referred as "insecure" • core vs. 3rd party vs. operation • large community that takes care • WordPress security team 11% 52% 37% Core PlugIns Themes
- 12. • Brute-Force Attacs • „default“ usernames • weak passwords • XSS - Cross Site Scripting / SQL Injections • bad coding • old and outdated installations Attac Vectors
- 13. • »admin« default til v3.0 • part of the domain-name • common: eMail-address like »info@…« • best practice: 1 admin-, 1 user-account • make sure user names are not accessible User Name
- 15. • Anything that can be found in dictionaries • socialhacking • keyboard runs and sequences • recycled passwords • PW-lists in Word/Excel/Evernote Password NoGos!
- 17. Kopfschmerzen? Finger wund? ➡ Passwortmanager!
- 18. Defense Strategy ➡ strong passwords ➡ disable/tweak login messages ➡ lockout after x malicious attempts for time y ➡ IP-blacklisting ➡ disable XML-RPC if not needed ➡ restrict REST-API access ➡ consider geoblocking where feasible
- 19. Update, Update, Update! • autoupdate for minor core updates ✅ • update plugins and themes ASAP ⏰ • critical infrastructure: have a staging system 🎭 • check functionalities after update 🚀 • premium: renew your subscriptions 💸
- 20. wp.org Stuff Only! • use themes and plugins from wp.org repo only • avoid "premium" plugins and themes • never ever use doubtful sources
- 21. Remove Unused Stuff • uninstall themes and plugins not actively used • keep the recent default theme for fallback • disabled plugins are still accessible 🚫
- 22. Monitoring • server up and running • malicious login attempts • 404's • changed/added/deleted files • user actions • malware detection • changes in UI after updates
- 23. Raise the Barrier • get a free SSL certificate with Let's Encrypt • Multi-Factor Authentification (MFA) • very simple via eMail • more sophsticted: Google Authenticator, Duo, Rublon • extra hardware: UbiKey, Fido U2F
- 24. Security Foo
- 25. • randomize version number • change db-prefix • renaming of /wp-content folder • hide login window • hide WordPress at all Security Foo
- 26. Let's Get the Complete Picture • how secure is your local client? • keylogger • Do you still use FTP? • change to SFTP or FTPS (SSL/TLS)! • PW submitted via eMail? • eMail is without encryption = postcard
- 27. Backup • you don't want to have a backup, ➡ you want to have a restore! • timed & regular, automatic, off-site • both database and files • practice restore 🚒 🚨
- 28. Recommendations 🔒 harden your installation ✅ update, update, update ⓦ use themes and plugins from wp.org repo only 🚫 remove unused plugins and themes 🔭 monitor your site(s) 🚨 have a backup
- 29. en detail • Chose the right hoster • Limit access rights • Have a SSL Certificate • Disable FileEditor
- 30. various single solutions or All-in-one Suite ? • Limit Login Attempts • Login Lockdown • 2-Factor Authentification • Simple Firewall • Edit Author Slug • manuell .htaccess entries • iThemes Security • Sucuri • WordFence • Security Ninja • Cerber Security • Bulletproof Security
- 31. DEMO
- 32. Summary • Security is not installing a plugin • Security is a continuous process • Security should become a habit! • effort vs. benefits? • make or buy
- 34. Links Login LockDown https://wordpress.org/plugins/login-lockdown/ Limit Login Attempts https://de.wordpress.org/plugins/limit-login-attempts- reloaded/ Two Factor https://de.wordpress.org/plugins/two-factor/ 2-Step-Verification https://github.com/pluginkollektiv/2-Step-Verification .htaccess Entries https://gist.github.com/zottto/608a18d109bd22e76aa4 Edit Author Slug https://de.wordpress.org/plugins/edit-author-slug/ All In One WP Security & Firewall https://de.wordpress.org/plugins/all-in-one-wp- security-and-firewall/ Security Ninja: https://de.wordpress.org/plugins/security-ninja/ iThemes Security: https://de.wordpress.org/plugins/ better-wp-security/ Sucuri: https://de.wordpress.org/plugins/sucuri- scanner/ Wordfence: https://de.wordpress.org/plugins/wordfence/ Bulletproof Security https://wordpress.org/plugins/bulletproof-security/ Cerber Security, Antispam & Malware Scan https://de.wordpress.org/plugins/wp-cerber/ Shield Security https://de.wordpress.org/plugins/wp-simple-firewall/ Ninja Firewall https://de.wordpress.org/plugins/ninjafirewall/ Simple Firewall http://de.wordpress.org/plugins/wp-simple-firewall/
- 35. Q & A
- 36. Thank you!