WordPress Security: Does your security plugin really secure your site?

Upload: wordpressbackup

Posted on 29-Jun-2015

Category: Services



DESCRIPTION

Most of us rely on security plugins to protect our WordPress sites. But do they really secure our site? Or do they just provide a false sense of security? For more details, read our article - https://blogvault.net/does-wordpress-security-plugin-secure-your-site/

TRANSCRIPT

Page 1: Wordpress Security

WordPress Security

Does your security plugin really secure your site?

Page 2: Wordpress Security

How often do we get hacked?

Page 3: Wordpress Security

Why do we get hacked?

Page 4: Wordpress Security

What is the solution?

• A tool that can analyze files, screen logins, check for version incompatibilities, and prevent suspicious scripts from being executed

• A security plugin is the obvious choice

Page 5: Wordpress Security

Top Ranked Security Plugins

•Based on the popularity in WordPress forums and ranking in the plugin repository, the following emerge on top –

– BulletProof Security

– Wordfence Security

– iThemes Security

– All In One WP Security

Page 6: Wordpress Security

The Ultimate Test

•We chose some of the major exploits in WordPress history and tested each security plugin against it

•The exploits are

– TimThumb Vulnerability

– Firestorm Real Estate Vulnerability

– Custom Contact Forms Vulnerability

– W3TC and WP Super Cache Vulnerability

Page 7: Wordpress Security

Setting Up the Plugins

• We went through the list of all features in each plugin

• We enabled all the top features and recommended settings listed on the plugin’s homepage

Page 8: Wordpress Security

BulletProof Security (BPS)

The plugin mainly focuses on .htaccess protection and login security.

• .htaccess protection

– Backed up the current .htaccess files using Backup & Restore

– Activated the .htaccess files in the root and admin folders

• Login security

– Went with the defaults; didn’t change any setting here.

Page 9: Wordpress Security

Wordfence Security

The plugin provides support for caching, cell-phone sign-in (two-factor authentication), malware scanning, IP/country blocking, and a host of firewall options.

• Caching - Enabled Wordfence Falcon Engine

• Two Factor Authentication - Enabled cell-phone sign-in

• Malware Scanning - Went with the default, i.e. Wordfence’s automatic scheduled scans

• Firewall Options - Went with the defaults, didn’t change any setting here.

Page 10: Wordpress Security

iThemes Security

Apart from the default options, we enabled the following in the Settings section –

– 404 detection

– File change detection

– Hide backend feature

– Malware scanning

– Protect system files

– Disable directory browsing

– Remove file writing permissions

– Disable PHP in uploads

– Display random WordPress version

– Completely disable XMLRPC

– Filter request methods

– Filter long URL strings

Page 11: Wordpress Security

All In One WP Security

The plugin classifies its features into different sections and each section has a score associated. We have enabled features such that the maximum score is hit for a given section.

– User Accounts

– User Login

– User Registration

– Filesystem Security

– Firewall

– SPAM Prevention

– Copy Protection

Page 12: Wordpress Security

Ready for Test

• We recreated the vulnerabilities and tested them with the security plugins

Page 13: Wordpress Security

TimThumb Vulnerability

• Allows an attacker to upload scripts remotely and execute them without authentication

• Your site can be used for phishing, sending spam, hosting malware, and infecting other customers on the same server

Plugin / Result

– BulletProof Security: The .htaccess file added by the plugin in the root folder includes a TimThumb-specific rule. However, we were still able to upload and execute the script remotely.

– Wordfence Security: Unable to prevent the vulnerability

– iThemes Security: The plugin provides an option to rename the wp-content folder. This way the attacker may not be able to execute the script remotely. However, this doesn’t solve the core problem involving permissions and only provides security through obscurity.

– All In One WP Security: Unable to prevent the vulnerability
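The defensive counterpart to a TimThumb-style remote image fetch, as an added example that is not part of the slide deck and is not TimThumb's or any of the tested plugins' code: a WordPress helper that fetches only from an explicit host allowlist, refuses redirects, decides the file type from the bytes it received rather than from the URL, re-encodes the image through GD, and stores it under a generated name. The allowlist, the destination directory argument and the function name are assumptions. The server-side setting the iThemes slide lists ("Disable PHP in uploads") remains the complementary layer: it stops a stored file from executing even when validation is wrong.

```php
<?php
// Added example, not TimThumb's or any tested plugin's code. The allowlist
// passed by the caller and the destination directory are assumptions.

function safe_fetch_remote_image( $url, array $allowed_hosts, $dest_dir ) {
    // 1. Only http(s) URLs, and only hosts on the allowlist, matched exactly:
    //    a substring or prefix match would also accept "example.com.evil.test".
    $parts = wp_parse_url( $url );
    if ( ! is_array( $parts ) || empty( $parts['host'] ) || empty( $parts['scheme'] )
        || ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return new WP_Error( 'bad_url', 'Unsupported URL' );
    }
    if ( ! in_array( strtolower( $parts['host'] ), array_map( 'strtolower', $allowed_hosts ), true ) ) {
        return new WP_Error( 'bad_host', 'Host not on the allowlist' );
    }

    // 2. Bounded fetch with redirects disabled, so a 302 from an allowed host
    //    cannot send the request on to a host that is not allowed.
    $resp = wp_remote_get( $url, array(
        'timeout'             => 10,
        'redirection'         => 0,
        'limit_response_size' => 5 * MB_IN_BYTES,
    ) );
    if ( is_wp_error( $resp ) || 200 !== (int) wp_remote_retrieve_response_code( $resp ) ) {
        return new WP_Error( 'fetch_failed', 'Could not fetch image' );
    }
    $body = wp_remote_retrieve_body( $resp );

    // 3. Decide the type from the bytes, never from the URL extension or the
    //    remote Content-Type header, and accept only formats we can re-encode.
    $types = array( 'image/jpeg' => 'jpg', 'image/png' => 'png', 'image/gif' => 'gif' );
    $info  = @getimagesizefromstring( $body );
    if ( ! is_array( $info ) || ! isset( $types[ $info['mime'] ] ) ) {
        return new WP_Error( 'not_image', 'Body is not a supported image' );
    }
    $ext = $types[ $info['mime'] ];

    // 4. Re-encode through GD: only decoded pixels are written, so nothing
    //    else that was in the downloaded file survives into the stored copy.
    $im = @imagecreatefromstring( $body );
    if ( false === $im ) {
        return new WP_Error( 'decode_failed', 'Image could not be decoded' );
    }

    // 5. Generated file name: the remote side never chooses the path or extension.
    $path = trailingslashit( $dest_dir ) . wp_generate_password( 16, false ) . '.' . $ext;
    switch ( $ext ) {
        case 'png': $ok = imagepng( $im, $path );      break;
        case 'gif': $ok = imagegif( $im, $path );      break;
        default:    $ok = imagejpeg( $im, $path, 90 );
    }
    imagedestroy( $im );
    return $ok ? $path : new WP_Error( 'write_failed', 'Could not write image' );
}
```

Each step addresses a different way the fetch can be abused: the allowlist limits where the server will connect, the redirect and size limits bound the request, the byte-level check and GD re-encode ensure that what lands on disk is pixels and nothing more, and the generated name means no request parameter ever influences the stored path.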

Page 14: Wordpress Security

WP Super Cache and W3TC Vulnerability

• Allows the attacker to execute any command on the target machine aka remote command execution

• Mainly exploited through comments

Plugin / Result

– BulletProof Security: Unable to prevent the vulnerability

– Wordfence Security: Unable to prevent the vulnerability

– iThemes Security: Unable to prevent the vulnerability

– All In One WP Security: Unable to prevent the vulnerability

Page 15: Wordpress Security

Firestorm Real Estate Vulnerability

• Malicious SQL statements are used to attack databases

• Users search for real estate based on a province or country

• ProvinceID and CountryID are retrieved directly from the GET parameter without any validation:

www.example.com/wp-content/plugins/fs-real-estate-plugin/xml/marker_listings.xml?id=[SQL]

Plugin / Result

– BulletProof Security: Prevents the hack by adding appropriate rules in the .htaccess file.

– Wordfence Security: Unable to prevent the vulnerability

– iThemes Security: Provides a Filter long URLs setting to prevent this attack. Unfortunately, it can be circumvented easily. By adding &infinity=scrolling&action=infinite_scroll to the end of the SQL query, the URL length check is skipped.

– All In One WP Security: Unable to prevent the vulnerability
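The unsafe pattern the slide describes (an id taken straight from the query string and placed into SQL) beside its hardened form, as an added example that is not from the slide deck and not the Firestorm plugin's own code. The point it makes is that the fix belongs in the plugin code, as type validation plus a bound parameter, which neither an .htaccess rule nor a URL-length gate can substitute for. The table and column names and the function names are assumptions.

```php
<?php
// Added example, not the plugin's own code. Table and column names are assumed.

// UNSAFE: the request parameter is concatenated straight into the query, so
// whatever the caller puts in ?id= becomes part of the SQL text.
function fs_marker_listings_unsafe() {
    global $wpdb;
    $id = $_GET['id'];
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}fs_listings WHERE province_id = $id" );
}

// Strict type check: the raw value must be a string made only of digits and
// denote a positive integer. Note that absint( '12abc' ) would quietly yield 12,
// so a digits-only test is applied before any cast.
function is_valid_listing_id( $raw ) {
    return is_string( $raw ) && ctype_digit( $raw ) && (int) $raw > 0;
}

// HARDENED: validate first, then let $wpdb->prepare() bind the value with a
// typed placeholder, so the id can never alter the structure of the statement.
function fs_marker_listings_safe() {
    global $wpdb;
    if ( ! isset( $_GET['id'] ) || ! is_valid_listing_id( $_GET['id'] ) ) {
        return array();                      // no valid id, no query at all
    }
    $id  = (int) $_GET['id'];
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}fs_listings WHERE province_id = %d",
        $id
    );
    return $wpdb->get_results( $sql );
}

// Why a URL-length filter is not validation: it measures size, not content.
// A short but malformed id passes it, a long but legitimate request is blocked,
// and, as the slide shows, it is only as good as the set of requests it is
// actually applied to. The type check above does not depend on length at all.
function url_length_gate_passes( $query_string, $max = 255 ) {
    return strlen( $query_string ) <= $max;
}
```

With the hardened version, `?id=7` returns listings for province 7, while `?id=7 OR 1=1`, `?id=abc` or an empty id all return an empty array before any SQL is built. The `%d` placeholder would coerce a stray value on its own, but rejecting bad input explicitly keeps the handler's behaviour obvious and easy to log.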

Page 16: Wordpress Security

Custom Contact Forms Vulnerability

• Allows attackers to execute arbitrary SQL statements remotely

• Hackers can add SQL statements in a file and then send it using an HTTP POST request

• The plugin runs the SQL file, thereby providing the hacker with unrestricted access to your database

Plugin / Result

– BulletProof Security: Unable to prevent the vulnerability

– Wordfence Security: Unable to prevent the vulnerability

– iThemes Security: Unable to prevent the vulnerability

– All In One WP Security: Unable to prevent the vulnerability
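How an import endpoint can be written so that the failure the slide describes (an uploaded file run as SQL) cannot occur, as an added example that is not the slide deck's and not the Custom Contact Forms plugin's own code: the endpoint is reachable only by logged-in administrators presenting a valid nonce, the upload is parsed as data and never executed, and every write goes through $wpdb->insert with typed formats. The hook name, nonce action, upload field, table name and JSON layout are assumptions.

```php
<?php
// Added example, not the plugin's own code. Hook, nonce, field and table names
// are assumptions; the import payload is JSON, never SQL.

// Only the logged-in variant of the hook is registered: there is no
// 'admin_post_nopriv_ccf_import', so anonymous POSTs never reach the handler.
add_action( 'admin_post_ccf_import', 'ccf_import_handler' );

function ccf_import_handler() {
    // 1. Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    // 2. Anti-CSRF: the form must carry a nonce for this exact action
    //    (emitted with wp_nonce_field( 'ccf_import', '_ccf_nonce' )).
    check_admin_referer( 'ccf_import', '_ccf_nonce' );

    // 3. The upload is data to be parsed, never code to be run.
    if ( empty( $_FILES['import']['tmp_name'] ) || ! is_uploaded_file( $_FILES['import']['tmp_name'] ) ) {
        wp_die( 'No file uploaded', '', array( 'response' => 400 ) );
    }
    $data = json_decode( file_get_contents( $_FILES['import']['tmp_name'] ), true );
    if ( ! is_array( $data ) || empty( $data['forms'] ) || ! is_array( $data['forms'] ) ) {
        wp_die( 'Invalid import format', '', array( 'response' => 400 ) );
    }

    $inserted = ccf_insert_forms( $data['forms'] );
    wp_safe_redirect( add_query_arg( 'ccf_imported', $inserted, admin_url( 'admin.php?page=ccf' ) ) );
    exit;
}

// 4. Each record is reduced to the fields the schema knows, sanitized, and
//    written with typed placeholders; the database never sees raw file content.
function ccf_insert_forms( array $forms ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ccf_forms';
    $count = 0;
    foreach ( $forms as $form ) {
        $title  = isset( $form['title'] ) ? sanitize_text_field( $form['title'] ) : '';
        $fields = ( isset( $form['fields'] ) && is_array( $form['fields'] ) ) ? $form['fields'] : array();
        if ( '' === $title ) {
            continue;
        }
        $ok = $wpdb->insert(
            $table,
            array( 'title' => $title, 'fields_json' => wp_json_encode( $fields ) ),
            array( '%s', '%s' )
        );
        if ( false !== $ok ) {
            $count++;
        }
    }
    return $count;
}
```

The three gates are independent and each one alone would have stopped an unauthenticated POST: the nopriv hook is absent, the capability check rejects non-administrators, and the nonce rejects requests that did not originate from the plugin's own admin form. The structural change, treating the upload as a document with a fixed schema rather than as statements to execute, is what removes the "unrestricted access to your database" outcome regardless of who sends the request.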

Page 17: Wordpress Security

Conclusion

• Most attacks seem to be slipping past the security plugins that we have in place

• The security plugins add a lot of value through the many features they support, but they are not sufficient

• If your site hasn’t been hacked so far, the credit doesn’t necessarily go to the security plugin

• A lot more work is required in this area to plug all the holes and keep the evil-doers at bay