3. .com or .org?
• wpisnotwp.com
• wordpress.com
• hosted service from Automattic
• Security covered by them
• no influence on the installation
4. • just a small private blog
• content which doesn't harm anyoine
• even not much outreach
• negligible audience
• no financial interest
Is it about me?
5. Content is King
• computational power (CPU)
• disk space
• bandwidth
• sendmail for spam
nothing
6. Y U d0n't want 2 B h4cked
• you lose reputation
• your sales are affected
• you spend money on others behalf
• you just feel bad!
7. CMS? No prob!
• CVE-Hitlist
• (32) Joomla: 382
• (37) WordPress: 342
• (39) Drupal: 300
• no entry ≠ secure, just not yet exposed
8. WordPress Security
• often referred as "insecure"
• core vs. 3rd party vs. operation
• large community that takes care
• WordPress security team
11 %
52 %
37 %
Core PlugIns Themes
9. • Brute-Force Attacs
• „default“ usernames
• weak passwords
• XSS - Cross Site Scripting / SQL Injections
• bad coding
• old and outdated installations
Attac Vectors
10. • »admin« default til v3.0
• part of the domain-name
• common: eMail-address like »info@…«
• best practice: 1 admin-, 1 user-account
• make sure user names are not accessible
User Name
11.
12. • Anything that can be found in dictionaries
• socialhacking
• keyboard runs and sequences
• recycled passwords
• PW-lists in Word/Excel/Evernote
Password NoGos!
15. Defense Strategy
➡ strong passwords
➡ disable/tweak login messages
➡ lockout after x malicious attempts for time y
➡ IP-blacklisting
➡ disable XML-RPC if not needed
➡ restrict REST-API access
➡ consider geoblocking where feasible
16. Update, Update, Update!
• autoupdate for minor core updates ✅
• update plugins and themes ASAP ⏰
• critical infrastructure: have a staging system #
• check functionalities after update $
• premium: renew your subscriptions %
17. wp.org Stuff Only!
• use themes and plugins from wp.org repo only
• avoid "premium" plugins and themes
• never ever use doubtful sources
18. Remove Unused Stuff
• uninstall themes and plugins not actively used
• keep the recent default theme for fallback
• disabled plugins are still accessible
&
19. Monitoring
• server up and running
• malicious login attempts
• 404's
• changed/added/deleted files
• user actions
• malware detection
• changes in UI after updates
20. Raise the Barrier
• get a free SSL certificate with Let's Encrypt
• Multi-Factor Authentification (MFA)
• very simple via eMail
• more sophsticted: Google Authenticator, Duo,
Rublon
• extra hardware: UbiKey, Fido U2F
21. • randomize version number
• change db-prefix
• renaming of /wp-content folder
• hide login window
• hide WordPress at all
Security Foo
22. Let's Get the
Complete Picture
• how secure is your local client?
• keylogger
• Do you still use FTP?
• change to SFTP or FTPS (SSL/TLS)!
• PW submitted via eMail?
• eMail is without encryption = postcard
23. Backup
• you don't want to have a backup,
➡ you want to have a restore!
• timed & regular, automatic, off-site
• both database and files
• practice restore
(
24. Recommendations
) harden your installation
✅ update, update, update
use themes and plugins from wp.org repo only
& remove unused plugins and themes
* monitor your site(s)
( have a backup
25. Summary
• Security is not installing a plugin
• Security is a continuous process
• Security should become a habit!
• effort vs. benefits?
• make or buy
