WordPress Security & Plugins
Introduction to Security, with Logan Kipp
@SiteLock · WPDistrict
Welcome to WordPress (Security): What to expect?
• We're going to cover a lot of ground.
  o We will do a Q&A after the slides.
• Be a WordPress Security Communicator.
  o Share what you learn here with your peers.
• This session is for all audiences.
  o Super advanced questions? Let's geek out after the session! Find me outside or Tweet @SiteLock.
Welcome to WordPress (Security): Session Goals
FIND areas for improvement.
FIX misconfigurations.
PREVENT compromise.
ACCELERATE your learning curve.
COMPLY with best practices.
Welcome to WordPress (Security)
It’s okay to be new.
Welcome to WordPress (Security)
Jane was new to driving.
Image © State Farm Insurance. All rights reserved.
Welcome to WordPress (Security)
The manual can't help you if you don't know it's there, or where to find it.
Welcome to WordPress (Security)
The WordPress Codex is your manual.
codex.wordpress.org
Welcome to WordPress (Security)
• Don't accept credit cards?
• Don't have sensitive data?
• Your website isn't that popular?
• You've avoided controversial topics?
• You only serve a local customer base?
You're still a target.
Don't establish a false sense of security. Hackers may not be motivated by what you think: automated attacks pick targets by the software they run, not by who they are.
Welcome to WordPress (Security)
There is no magic bullet in security.
WordPress "Hardening"
• Website Hosts
• Website Applications
• Vulnerabilities in Your Computer
• Vulnerabilities in WordPress
• Vulnerabilities in Your Web Server & Network
• Strong Passwords
• Database Security
• Securing areas of WP
• Permissions
• Logging & Monitoring
• Backups
WordPress "Hardening": Website Hosts
WordPress security starts with selecting the appropriate web host for your site.
Qualities of a trusted web host include:
• Readily discussing your security concerns and which security features and processes they offer with their hosting.
• Providing the most recent stable versions of all server software.
• Providing reliable methods for backup and recovery.
WordPress "Hardening": Website Applications
Your web host is not responsible for securing your web applications. That includes WordPress.
Image © PetDoors.com. All Rights Reserved.
WordPress "Hardening": Vulnerabilities in Your Computer
Remember: no amount of website security will keep your environments safe if your computer is acting against you.
• Use trusted antivirus software and keep your virus definitions updated.
• Update your computer!! (seriously folks)
WordPress "Hardening": Vulnerabilities in WordPress
• New features are integrated regularly.
• New information becomes available.
• Update WordPress, including themes and plugins.
• Zero day vulnerabilities happen.*
* More on "Zero Days" to come.
WordPress "Hardening": Vulnerabilities in Server & Network
• Is your home/office network secure?
• Are you utilizing HTTPS with sensitive data? (This includes /wp-admin/.)
• Scan your website's network regularly.*
* Permission from network operator required.
WordPress "Hardening": Strong Passwords
• Unique passwords for every login
• Lengthy passwords without words
• Upper-cased and lower-cased letters
• Numbers and symbols
• Consider a service (LastPass, KeePass, etc.)
• Use two-step AKA two-factor authentication

WordPress "Hardening": Two-Factor Authentication (2FA)
WordPress "Hardening": Database & Environment Security
• Use separate databases and users for each site, so a compromise of one site cannot read or write another site's data.
• Use separate hosting partitions for each site.
Image © Epitaph Records. All Rights Reserved.
WordPress "Hardening": Securing the WordPress Install
• Securing wp-admin
• Securing wp-includes
• Securing wp-config.php
• Disabling File Editing
kipp.ski/hardening (just a short URL for the WP Codex's hardening article)
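As an added example (my code, not the talk's material and not the WordPress Codex article), here is a wp-config.php that implements the list above together with the per-site database separation from the Database & Environment Security slide. The database name, user, password, host and table prefix are placeholders, and the salt values must be replaced with a freshly generated set.

```php
<?php
// wp-config.php hardening (added example, not from the talk or the Codex).
// Every value below is a placeholder to replace with your own.

// -- Database: one database and one database user per site. A SQL
//    injection in site A then cannot read or alter site B's tables.
//    Grant that user rights on its own database only, nothing global.
define( 'DB_NAME',     'site_a' );
define( 'DB_USER',     'site_a_user' );
define( 'DB_PASSWORD', 'replace-with-a-long-random-password' );
define( 'DB_HOST',     'localhost' );

// -- Unique keys and salts. Generate a fresh set at
//    https://api.wordpress.org/secret-key/1.1/salt/ and paste it here.
//    Changing them invalidates every existing login cookie, which is
//    exactly what you want after an incident.
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

// -- Table prefix: a non-default prefix is a weak control on its own,
//    but it blunts copy-paste injection payloads that assume "wp_".
//    Set it at install time; changing it later means renaming tables.
$table_prefix = 'k7x_';

// -- Securing wp-admin: force HTTPS for the login page and the whole
//    dashboard so the password and the auth cookie never travel in
//    clear text. Needs a working certificate first.
define( 'FORCE_SSL_ADMIN', true );

// -- Disabling file editing: removes the Theme/Plugin editor from the
//    dashboard, so a stolen admin session cannot be turned into a PHP
//    shell by editing a theme file.
define( 'DISALLOW_FILE_EDIT', true );

// -- Stricter: also block plugin/theme installs and updates from the
//    dashboard. Only use this if you update from the command line or a
//    deploy pipeline, because it hides the update buttons too.
define( 'DISALLOW_FILE_MODS', true );

// -- Never leave debugging on in production: it prints file paths and
//    failing queries to whoever triggered the error.
define( 'WP_DEBUG', false );

// -- Standard tail of the file, as generated by the installer.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

Protect the file itself as well: make it readable by the web server user only (chmod 600) and, as the Codex hardening article suggests, move it one directory above the web root, where WordPress looks for it automatically. Securing wp-includes is a web server setting rather than a PHP one: the same article gives an Apache rewrite block that denies direct requests to .php files under wp-includes, so a script there can only be reached through WordPress, never by URL.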
Plugins or Cloud-Based Solutions?
There are some awesome security plugins out there. You should try some.
Plugins I like:
• Wordfence
• WP Fail2Ban
• Google Authenticator (2FA)
• Jetpack Protect
Plugins or Cloud-Based Solutions? Plugin-Based WAF Offerings
Pros
• Acts as a local web application firewall
• Basic scanning for common malware and vulns
• Some support two-factor authentication
• Larger communities help with troubleshooting
• Free versions with limited features available
Cons
• Majority of processes run locally
• Support over email or tickets
• Database smaller than other paid providers'
Plugins or Cloud-Based Solutions? Plugin-Based Anti-Brute Force
Pros
• Lightweight and purpose-built
• Effective against typical brute force attempts
• Free
Cons
• No other security features
• Processes run locally
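As an added example (my code, not the WP Fail2Ban plugin's), a must-use plugin that does what such anti-brute-force plugins do: it writes one syslog line per failed login in a fixed format that a fail2ban filter can match, and it locks an IP out after repeated failures within a window. The lfl_ prefix, the thresholds and the log line format are assumptions of this example.

```php
<?php
/**
 * Plugin Name: Login failure logging and lockout (added example)
 *
 * Added example, not the WP Fail2Ban plugin's code. Save as
 * wp-content/mu-plugins/login-failures.php. The "lfl_" prefix, the
 * thresholds and the log line format are assumptions of this example.
 */

define( 'LFL_MAX_ATTEMPTS',   5 );   // failures tolerated per window
define( 'LFL_WINDOW_SECONDS', 600 ); // counting/lockout window: 10 minutes

/**
 * Client address, taken from REMOTE_ADDR only. Reading X-Forwarded-For
 * here would let an attacker choose which address gets locked out. If a
 * proxy or CDN sits in front of the site, have the web server rewrite
 * REMOTE_ADDR from the proxy's header instead.
 */
function lfl_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lfl_counter_key( $ip ) {
    return 'lfl_fail_' . md5( $ip );
}

/**
 * wp_login_failed fires after a wrong password or an unknown user name.
 * Count the failure and emit one fail2ban-friendly syslog line.
 */
add_action( 'wp_login_failed', function ( $username ) {
    $ip  = lfl_client_ip();
    $key = lfl_counter_key( $ip );
    $n   = (int) get_transient( $key ) + 1;
    // Re-setting the transient restarts the window on every failure, so
    // a locked-out address that keeps hammering stays locked out.
    set_transient( $key, $n, LFL_WINDOW_SECONDS );

    // User name and Host header are attacker-controlled: squash anything
    // outside a safe set so they cannot inject a newline and forge a
    // second log record.
    $user = preg_replace( '/[^\w.@-]/', '_', (string) $username );
    $host = isset( $_SERVER['HTTP_HOST'] ) ? $_SERVER['HTTP_HOST'] : 'unknown';
    $host = preg_replace( '/[^\w.:-]/', '_', $host );

    openlog( 'wordpress(' . $host . ')', LOG_NDELAY | LOG_PID, LOG_AUTH );
    syslog( LOG_NOTICE, "Authentication failure for {$user} from {$ip}" );
    closelog();
} );

/**
 * Runs in the authenticate chain after core's password check (priority
 * 20) so it can override a successful result: while the address is
 * locked out every attempt gets the same error, right password or not,
 * which keeps the lockout from acting as a password oracle.
 */
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $n = (int) get_transient( lfl_counter_key( lfl_client_ip() ) );
    if ( $n >= LFL_MAX_ATTEMPTS ) {
        return new WP_Error(
            'lfl_locked_out',
            __( 'Too many failed login attempts. Try again later.' )
        );
    }
    return $user;
}, 30, 3 );

/** Reset the counter after a successful login so one earlier typo is forgotten. */
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lfl_counter_key( lfl_client_ip() ) );
}, 10, 2 );
```

A fail2ban filter for these lines is a single failregex, `Authentication failure for .* from <HOST>`, on the auth facility; fail2ban then blocks the address at the firewall, which is the part a plugin running inside PHP cannot do on its own (the "processes run locally" con above). The per-IP lockout is only a speed bump against a distributed attack that spreads attempts across many addresses, which is where strong passwords and two-factor authentication carry the load.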
Plugins or Cloud-Based Solutions? Plugin-Based Two-Factor Authentication
Pros
• Lightweight & purpose-built
• Effective against login abuse
• Free
Cons
• The shared secret (the TOTP seed) is stored inside WordPress, so anyone who compromises the site or its database can potentially retrieve it
Plugins or Cloud-Based Solutions? Cloud-Based (e.g. SiteLock® TrueShield™, etc.)
Pros
• Cloud web application firewalls (WAFs) provide an off-site layer of security
• Cloud WAF faster (when coupled with a CDN)
• Virtual patching a common feature
• Processes run in cloud
Cons
• Often managed outside WordPress interface
• Typically limited security features in free versions
Plugins or Cloud-Based Solutions?
• Plugins are software running on your web server. They are limited by this position: by the time a plugin sees a request it has already reached PHP on your server, and a plugin cannot defend a server that is already compromised.
• Plugins and cloud-based solutions are not mutually exclusive options. You can use both.
The question isn't "plugins OR cloud?"
WordPress Security: Child's Play
Austin & Logan
WordPress Security: Child's Play
Austin
• Smart
• Older
• Experienced
• Responsible
• Trusted

Logan
• "Smart"
• Younger
• Curious
• Mischievous
• Calamitous…
WordPress Security: Child's Play: What did we learn?
Image © Paramount Pictures. All rights reserved.
WordPress Security: Child's Play: Influence
• Entities with same authority level: every plugin runs with the same privileges as WordPress itself, so a "trusted" plugin cannot police a mischievous one sitting next to it
• Not as simple as "good" and "bad"
• Potentially ineffective demilitarized zone
• Trust levels should be re-evaluated
Plugins & Cloud Solutions: Backups
• Perform backups DAILY
• Include both the files & databases
• Configuration backups (where applicable)
• Routinely check backup integrity (weekly)
Some plugin options:
• VaultPress
• BlogVault
• BackupBuddy
WordPress Security: Balance. How much should I be spending?
Make a budget for security on your website, just like you do for hosting. The best security solutions are predominantly paid solutions. This is a part of operating a website. Don't cut corners. Trust the professionals.
Great security doesn't need to be expensive in terms of financial cost, but can become a full-time job. There is a trade-off between time and money in security. How is your time best spent?
WordPress Security: Budget
Spend more time, less money.
OR
Higher budget, less time spent.
SSL Certificates
• Stands for "Secure Sockets Layer"
• Enables use of HTTPS
• Encrypts data in transit, but not at rest
• Does not protect your website itself: a vulnerable site is just as vulnerable over HTTPS, it simply serves its pages (or its malware) over an encrypted connection
SSL Certificates
• BONUS: use of HTTP/2 (browsers only negotiate it over TLS). Safer, faster, better!
• There is no downside to utilizing SSL certificates.
• Encryption will become the standard in due time.
SSL Certificates: Did you know?
• Most HTTPS connections are actually using the TLS (Transport Layer Security) protocol, not SSL. SSL is being phased out in favor of newer TLS versions; "SSL certificate" is a legacy name for a certificate that works with both.
• SSL 2.0 and 3.0 are obsolete, TLS 1.0 is deprecated, and TLS 1.1 is being phased out as well.
• PCI DSS requires migrating off SSL and early TLS; TLS 1.2 or later is the expected baseline.
Hacking WordPress Websites
Q: How do hackers compromise websites?
A: Probably not the way you think they do.
Hacking WordPress Websites
• Most hacks do not target your password.
• Injection was the #1 exploit utilized on WordPress websites in 2015.
• The vast majority performed exploratory operations via dork or dork-like methods: crafted search-engine queries that find sites running a particular vulnerable plugin, theme or version. Targets are picked by what they run, not by who they are.
Hacking WordPress Websites: OWASP Top 10
(Open Web Application Security Project, 2013 list)
• Injection
• Broken Authentication and Session Management
• Cross-Site Scripting (XSS)
• Insecure Direct Object References
• Security Misconfiguration
• Sensitive Data Exposure
• Missing Function Level Access Control
• Cross-Site Request Forgery (CSRF)
• Using Components with Known Vulnerabilities
• Unvalidated Redirects and Forwards
Hacking WordPress Websites: Injection & XSS
In a nutshell: getting the site, or its visitors' browsers, to run code the attacker supplied. Injection (e.g. SQL injection) turns untrusted input into database commands executed on the server; XSS turns it into script executed in another user's browser.
For example, exploiting input fields whose values are passed to a query or echoed back to the page without validation and escaping.
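As an added example (my code, not from the talk), the same search handler written twice: the injectable version beside the hardened one. It assumes it runs inside a WordPress plugin, so $wpdb, sanitize_text_field(), wp_unslash() and esc_html() are available; the notes table and its title column are hypothetical.

```php
<?php
// Added example, not code from the talk. Assumes a WordPress plugin
// context; the "notes" table and its "title" column are hypothetical.

/**
 * VULNERABLE: the request parameter goes straight into the SQL string
 * and straight back into the HTML.
 */
function notes_search_vulnerable() {
    global $wpdb;
    $q = $_GET['q'];

    // SQL injection: a single quote in $q ends the string literal and
    // whatever follows it is executed as part of the query.
    $rows = $wpdb->get_results(
        "SELECT title FROM {$wpdb->prefix}notes WHERE title LIKE '%" . $q . "%'"
    );

    // Reflected XSS: markup in $q is sent back verbatim, so the browser
    // runs it in the context of this site (and its cookies).
    echo '<h2>Results for ' . $q . '</h2><ul>';
    foreach ( $rows as $row ) {
        // Stored XSS: a title that reached the database unescaped runs here.
        echo '<li>' . $row->title . '</li>';
    }
    echo '</ul>';
}

/**
 * HARDENED: validate on input, parameterize the query, escape on output.
 */
function notes_search_hardened() {
    global $wpdb;

    // 1. Input validation: undo WordPress's added slashes, strip tags and
    //    control characters, and cap the length.
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    $q = mb_substr( $q, 0, 100 );
    if ( '' === $q ) {
        return;
    }

    // 2. Parameterized query: prepare() binds the value as data, never as
    //    SQL, and esc_like() escapes % and _ so the user cannot widen the
    //    LIKE pattern to match every row.
    $sql = $wpdb->prepare(
        "SELECT title FROM {$wpdb->prefix}notes WHERE title LIKE %s LIMIT 50",
        '%' . $wpdb->esc_like( $q ) . '%'
    );
    $rows = $wpdb->get_results( $sql );

    // 3. Output encoding at the point of output, with the escaper that
    //    matches the context: esc_html() for text nodes (esc_attr() for
    //    attribute values, esc_url() for href/src). Escaping here covers
    //    stored payloads too, because every title passes through it.
    echo '<h2>Results for ' . esc_html( $q ) . '</h2><ul>';
    foreach ( $rows as $row ) {
        echo '<li>' . esc_html( $row->title ) . '</li>';
    }
    echo '</ul>';
}
```

The same three steps apply to any input a WordPress site accepts: validate with the sanitize_*() family, query through $wpdb->prepare() (or the WP_Query API), and escape with the esc_*() function for the context you are writing into.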
Hacking WordPress Websites: Security Misconfiguration
Using web services like Apache without realizing you should pay closer attention to the settings you use: default accounts, directory listings, verbose error pages and leftover sample or backup files all hand an attacker a foothold.
Hacking WordPress Websites: What is a ZERO DAY exploit?
A zero-day vulnerability is a vulnerability that is not yet known to the software's developer, meaning no patch for it yet exists, which increases the likelihood of exploitation. "Zero day" refers to the developer having had zero days to fix it by the time an exploit is seen "in the wild."
It happens.
Hacking WordPress Websites: How can I defend against Zero days?
• Keeping your software up to date is your number one defense. By definition nothing patches a zero day until the developer learns of it, but unless an exploit is used at massive scale you are not likely to be impacted in the first wave (pre-patch). What matters is applying the patch as soon as it ships, before the exploit is recycled against everyone who has not.
• Deploying a zero day exploit exposes its existence to security researchers, and patching becomes inevitable.
Hacking WordPress Websites: How can I defend against Zero days?
Web Application Firewalls (WAFs) are the best active defense mechanism concerning application-based zero day vulnerabilities. By utilizing a WAF that supports real-time threat updates, "virtual" patching (a rule that blocks the exploit's request pattern at the WAF) acts as a shield until the software developer can deploy a firm patch. It only covers attack patterns the WAF vendor has already written a rule for, so it shortens the exposure window rather than closing it: apply the real patch as soon as it is available.
Hacking WordPress Websites: How can I defend against Zero days?
• Stay informed.
• Subscribe to WordPress security feeds.
• Trust the professionals.
Remember…
Thank you!
Logan Kipp, Product Evangelist, WordPress, WPDistrict.SiteLock.com
@LoganKipp
• Used WordPress since 1.5 in '05
• Eight years experience in hosting and security industry
• Previously worked at GoDaddy.com
• Most recently served as Lead Security Analyst for SiteLock