WordPress - Open Source Foundation for Application Security
![Page 1: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/1.jpg)
WordPress Security Implementation Guideline
Good practices and epic fails of WordPress implementations
![Page 2: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/2.jpg)
About Me
• Information Security Consultant
– Application Security
– Secure SDLC
Dan VASILE
http://www.pentest.ro
@DanCVasile
![Page 3: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/3.jpg)
Why do I talk about WordPress?
• I use WordPress
• Previous talk @OWASP Ro InfoSec Conf 2013
• Working with 3rd parties on secure WordPress implementation
• The project:
WordPress Security Implementation Guideline
![Page 4: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/4.jpg)
Why do I talk about WordPress?
WordPress Security Implementation Guideline
![Page 5: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/5.jpg)
Scope
• Not just WordPress but Open Source adoption
• Framework for secure implementation
• Large scale integration
![Page 6: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/6.jpg)
Scope
• General security
• Infrastructure security
• WordPress security
• Large-scale integration
![Page 7: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/7.jpg)
Scope
• General security
• Infrastructure security
• WordPress security
• Large-scale integration
![Page 8: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/8.jpg)
General & Infrastructure Security
General security
![Page 9: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/9.jpg)
Scope
• General security
• Infrastructure security
• WordPress security
• Large-scale integration
![Page 10: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/10.jpg)
General & Infrastructure Security
Infrastructure security
![Page 11: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/11.jpg)
Scope
• General security
• Infrastructure security
• WordPress security
• Large-scale integration
![Page 12: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/12.jpg)
WordPress security
WordPress Security Implementation Guideline
20 subjects
3 main components:
• Core
• Plugins
• Themes
Manual activities & plugin alternatives
![Page 13: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/13.jpg)
WordPress security
Updates
3 main types of updates:
• Core
• Minor
• Major
WordPress > v3.7 – automatic updates for Minor
![Page 14: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/14.jpg)
WordPress security
Updates
Turn on auto-updates for Major/Core
define( 'WP_AUTO_UPDATE_CORE', true );
For plugins and themes add a filter:
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
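The two filters above receive the update item as a second argument, which is what lets a deployment keep a few plugins on a manual, staging-tested track while everything else auto-updates. The following mu-plugin is an added example, not code from the guideline; the plugin slugs in the exclusion list and the use of error_log for reporting are assumptions.

```php
<?php
// Added illustration: selective auto-updates with a result log.
// Place in wp-content/mu-plugins/ so it loads before ordinary plugins.
// Core itself is controlled in wp-config.php: WP_AUTO_UPDATE_CORE = true | false | 'minor'.

// Plugins kept on the manual track because they are tested in staging first.
// These slugs are placeholders for the illustration.
const EXU_MANUAL_PLUGINS = array( 'example-payment-gateway', 'example-crm-bridge' );

// $item is the update object from the update API: ->slug for directory plugins,
// ->plugin (e.g. "akismet/akismet.php") is always present, so use it as a fallback.
function exu_auto_update_plugin( $update, $item ) {
    $slug = ! empty( $item->slug ) ? $item->slug : dirname( $item->plugin );
    if ( in_array( $slug, EXU_MANUAL_PLUGINS, true ) ) {
        return false; // leave on the manual track
    }
    return true;
}
add_filter( 'auto_update_plugin', 'exu_auto_update_plugin', 10, 2 );

// Themes follow the simple policy from the slide.
add_filter( 'auto_update_theme', '__return_true' );

// Record what the background updater actually did, including failures,
// so an unattended update that broke is visible in the server log.
function exu_log_results( $update_results ) {
    foreach ( $update_results as $type => $results ) {
        foreach ( $results as $r ) {
            $name   = isset( $r->name ) ? $r->name : $type;
            $status = is_wp_error( $r->result )
                ? 'FAILED: ' . $r->result->get_error_message()
                : 'ok';
            error_log( "[auto-update] {$type} {$name}: {$status}" );
        }
    }
}
add_action( 'automatic_updates_complete', 'exu_log_results' );
```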
![Page 15: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/15.jpg)
WordPress security
Choose plugins carefully
![Page 16: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/16.jpg)
WordPress security
Backup
What?
• Files: core installation, plugins, themes, images & files
• Database
How?
Manual vs Automatic
![Page 17: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/17.jpg)
WordPress security
Backup horror story 1
The good
• Daily backup, files & database, 365-day retention policy
The bad
• No geographical redundancy, no disaster recovery plan
The ugly
• HDD failure on the main machine, faulty HDD on the backup machine
• Missing data and database structure
![Page 18: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/18.jpg)
WordPress security
Backup horror story 2
The good
• Proper backup to the cloud
The bad
• Backup credentials stored in clear text
The ugly
• Attacker compromising site and deleting backups
![Page 19: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/19.jpg)
WordPress security
User roles
• Super Admin
• Administrator
• Editor
• Author
• Contributor
• Subscriber
![Page 20: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/20.jpg)
WordPress security
Restricting access
Sensitive areas of the application must be protected from unauthorized access.
.htaccess
# Apache 2.2 (mod_authz_host) syntax; Apache 2.4 expresses the same rule with "Require ip 127.0.0.1"
Order Deny,Allow
Deny from all
Allow from 127.0.0.1
![Page 21: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/21.jpg)
WordPress security
Prevent brute-forcing
• Add CAPTCHA
• Blacklist attackers
• Lock accounts
Write a plugin that will lock an account for a predefined period of time after a number of failed attempts.
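One way to build the lockout plugin described above, as an added example that is not the guideline's code: failures are counted per username in an auto-expiring transient, and the lock is enforced on the authenticate filter after core's own checks so that even a correct password is rejected while it is active. The threshold, lock duration and function names are assumptions; a per-username lock also lets anyone who knows a login name lock that account, which is the trade-off the "lock accounts" option carries.

```php
<?php
/*
Plugin Name: Login Lockout (illustration)
Description: Locks a username after repeated failed logins. Added example, not the guideline's code.
*/

// Policy values are assumptions for this illustration, not WordPress defaults.
define( 'LLO_MAX_FAILURES', 5 );
define( 'LLO_LOCK_SECONDS', 15 * MINUTE_IN_SECONDS );

function llo_key( $username ) {
    // Hash so arbitrary input never becomes part of a raw option name.
    return 'llo_fail_' . md5( strtolower( trim( $username ) ) );
}

// Fires on every failed attempt, including unknown usernames.
function llo_record_failure( $username ) {
    $key   = llo_key( $username );
    $count = (int) get_transient( $key ) + 1;
    // Re-arming the TTL on each failure also holds a slow, continuous attack in the lock.
    set_transient( $key, $count, LLO_LOCK_SECONDS );
}
add_action( 'wp_login_failed', 'llo_record_failure' );

// Priority 100 runs after core's username/password (20) and cookie (30) checks,
// so the lock overrides a successful password match rather than being bypassed by it.
function llo_enforce_lock( $user, $username ) {
    if ( '' === $username || (int) get_transient( llo_key( $username ) ) < LLO_MAX_FAILURES ) {
        return $user;
    }
    // Generic message: do not reveal whether the account exists.
    return new WP_Error( 'llo_locked', __( 'Too many failed login attempts. Try again later.' ) );
}
add_filter( 'authenticate', 'llo_enforce_lock', 100, 2 );

// A successful login clears the counter so stale state cannot lock a legitimate user.
function llo_clear( $user_login ) {
    delete_transient( llo_key( $user_login ) );
}
add_action( 'wp_login', 'llo_clear' );
```

Rejections by the lock are themselves reported through wp_login_failed, so repeated attempts against a locked account keep extending the lock; if users may log in with their e-mail address, key the counter on the resolved user_login as well.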
![Page 22: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/22.jpg)
WordPress security
Add blank index.php
This should be covered by Apache configuration, but it’s not always the case.
![Page 23: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/23.jpg)
WordPress security
Missing blank index.php
![Page 24: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/24.jpg)
WordPress security
Force encryption on data in transit
There are cases where both port 80 and 443 are used.
Sensitive operations must use SSL:
define('FORCE_SSL_LOGIN', true); // deprecated since WordPress 4.0; FORCE_SSL_ADMIN now covers the login page too
define('FORCE_SSL_ADMIN', true);
![Page 25: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/25.jpg)
Scope
• General security
• Infrastructure security
• WordPress security
• Large scale integration
![Page 26: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/26.jpg)
Large scale integration
Large scale integration
• Creating a standard image
• LDAP integration & Single Sign On
• Multisites
• Unified management of multiple installations
![Page 27: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/27.jpg)
Large scale integration
Creating a standard image
• Blank image (no data)
• All the updates
• All the basic shared plugins and themes (&data?)
Purpose:
• Testing ground for new stuff
• Create new instances, secure by default
![Page 28: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/28.jpg)
Large scale integration
LDAP integration & Single Sign On
• Integration with Active Directory
• Single Sign On (SSO)
Why?
• Centralized user management
• Use existing hierarchy
![Page 29: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/29.jpg)
Large scale integration
Multisites
• Built-in WordPress functionality
• End users can create their own sites on demand
Downside
• Shared components (plugins)
![Page 30: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/30.jpg)
Large scale integration
Unified management of multiple installations
• Self-hosted and cloud solutions
Why?
• Centralized login and management
• Push updates to all instances
![Page 31: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/31.jpg)
What’s next?
Next steps
• Contribute to the project
WordPress Security Implementation Guideline
• Share the knowledge
• Write secure code for WordPress
• Help others
![Page 32: WordPress - Open Source Foundation for Application Security](https://reader030.vdocument.in/reader030/viewer/2022012714/61ace97e2fd5ad512420a18f/html5/thumbnails/32.jpg)
Q&A