WordPress Security 2014 - The Basics of Security


Published on March 15, 2014

Author: perezbox



WORDPRESS SECURITY
It's all about the Basics!!

WHOIS PEREZBOX
• Name: Tony Perez
• Twitter: @perezbox
• Company: Sucuri, Inc.
• Insight: Information Technology
• Passion: Brazilian Jiu Jitsu
3/15/2014 @PEREZBOX @SUCURI_SECURITY #WCATL 2

TODAY'S 5 CHALLENGES
• Knowledge / Awareness
• Administration
• Extensibility
• Credentials
• End-users

KNOWLEDGE
Check yourself before you wreck yourself
"The user's going to pick dancing pigs over security every time." - Bruce Schneier

IT'S ABOUT RISK REDUCTION!!!
• Forget the "Why"
  • Why is this happening to me?
• Focus on the "How"
  • How do I protect myself?
Your risk will never be 0%

DEFENSE IN DEPTH
• Layered Defenses
"…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…"

KNOW THE ENVIRONMENT: LAMP STACK
Linux, Apache, MySQL, PHP
• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• .org implementations, not .com

REALISTIC ENVIRONMENT
• Linux Operating System
• Apache
• WordPress
• cPanel
• Plesk
• MySQL
• myLittleAdmin
• PHPMyAdmin
• Etc..
• PHP Modules

ASK QUESTIONS…
• Host:
  • What happens if I get hacked and you detect it before I do?
  • What backup solution do you offer me?
  • What security protocols do you have in place to protect me?
• Designer / Developer:
  • Are you following all the appropriate coding best practice guidelines found in the codex?
  • Has your code ever been independently reviewed?
  • How will my website be maintained after the project completion?
  • Who will be responsible for updating my theme / plugin / core when the project is complete?
  • Are my files being backed up in the event of a catastrophe?

TODAY'S RELEVANT ATTACK VECTORS
• Access Control
  • Brute Force
• Software Vulnerabilities
  • Vulnerability Scanners
• Denial of Service (DoS)
  • Distributed / Non-Distributed

ACCESS CONTROL
Challenges:
• Access is King for attackers and website owners make it too easy
• Facilitated through Poor Passwords
• Little Attention to Access Controls
• Applies to all entry points – email, cpanel, FTP / SFTP, etc…
Solutions:
• Two factor / Multi-Factor Authentication
• IP White Listing
• Throttling Access Attempts

SOFTWARE VULNERABILITIES
Challenges:
• Very difficult for non technical people
• Users refuse to update, some cannot
• Soup Kitchen Servers
• Too many attackers with too much time
• Zero Days
Solutions:
• Website Firewall – SaaS based
• Stay current with the latest vulnerability releases
• Apply updates to entire stack when available
• Keep Only What you need on the server (production)

DENIAL OF SERVICE VS BRUTE FORCE
• Educational Post: brute-force-attacks-wordpress-joomla-drupal-vbulletin.html
• Differentiating Factor = Intent
  • Disruption of Services vs Gaining Access
• Both important in their own Right
Referenced headlines:
• "Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute"
• "More than 162,000 WordPress Sites Used for Distributed Denial of Service Attack (DDOS)"

CONNECTING
• If you don't need it, disable it
  • SFTP / SSH is preferred
  • FTP works fine – disable if you're not using, don't talk to me if you are
  • FTP/SFTP != WP-ADMIN
• Least Privileged
  • You don't have to log in FTP / SFTP with full root access
  • Everyone doesn't need to be an admin
  • You don't need to log in as admin
  • The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?


ATTACK TYPE
Targeted:
• Big enterprises with large followings
• Big Name
• Worth Investing time and energy to compromise, bigger return
Opportunistic:
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think "TimThumb"

BRAND REPUTATION
• Blacklisting
• Dirty Search Engine Result Pages (SERP)

THE HOW
Nothing fancy here.. The facts
"Own one, Own them All"

TOP SECURITY ISSUES TODAY
• Backdoors
• Injections
• Pharma Hack
• SEO SPAM
• Malicious Redirects
• Defacements
• Form Abuse
• SPAM Emails
• Compromised web servers

THINGS YOU CAN DO TO REDUCE RISK
The Bare Minimum:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – Yes, MACs need one
7. Verify your permissions - D 755 | F 644
8. Least Privileged
9. Kill generic accounts - Accountability
10. Backup your site – yes, Database too
Ideal implementations:
1. Employ Website Firewall
2. Don't let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers

KILL PHP EXECUTION
• The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice.
• Recommendation:
  • WP-INCLUDES
  • UPLOADS

    #PROTECT [Directory Name]
    <Files *.php>
    Deny from all
    </Files>

DISABLE PLUGIN/THEME EDITOR
• Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files.

    # Disable Plugin / Theme Editor
    define('DISALLOW_FILE_EDIT', true);
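As an added example (not from the deck or from Sucuri), a POSIX shell audit that checks a WordPress root against three of the "bare minimum" items above: PHP execution blocked in wp-includes/ and uploads/ by the .htaccess block shown on the slide, DISALLOW_FILE_EDIT set in wp-config.php, and the D 755 / F 644 permissions. The function names and the wp-content/uploads layout are assumptions; it also accepts the Apache 2.4 spelling "Require all denied" of the same rule.

```shell
#!/bin/sh
# Added audit script (hypothetical, not Sucuri's code): checks a WordPress
# root against three "bare minimum" items. Exit status 0 means all passed.

# 0 if $1/.htaccess carries the <Files *.php> block from the slide, in its
# Apache 2.2 form ("Deny from all") or the Apache 2.4 form ("Require all denied").
php_exec_blocked() {
    [ -f "$1/.htaccess" ] || return 1
    tr '\n' ' ' < "$1/.htaccess" |
        grep -Eqi '<Files \*\.php>[^<]*(Deny from all|Require all denied)[^<]*</Files>'
}

# 0 if wp-config.php defines DISALLOW_FILE_EDIT as true (case-insensitive,
# so the slide's "Define(...)" spelling is accepted as well).
file_edit_disabled() {
    grep -Eqi "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Lists every directory under $1 whose mode is not exactly 755 and every
# file whose mode is not exactly 644; returns 0 only if the list is empty.
bad_permissions() {
    bad=$( { find "$1" -type d ! -perm 755; find "$1" -type f ! -perm 644; } )
    [ -z "$bad" ] && return 0
    printf '%s\n' "$bad" | sed 's/^/FAIL bad mode: /'
    return 1
}

# Runs all checks on the WordPress root in $1 and reports each result.
audit() {
    rc=0
    for d in wp-includes wp-content/uploads; do
        if php_exec_blocked "$1/$d"; then echo "OK   PHP execution blocked in $d"
        else echo "FAIL PHP still executable in $d"; rc=1; fi
    done
    if file_edit_disabled "$1"; then echo "OK   theme/plugin editor disabled"
    else echo "FAIL DISALLOW_FILE_EDIT not set"; rc=1; fi
    bad_permissions "$1" && echo "OK   permissions are D 755 / F 644" || rc=1
    return $rc
}

# Usage: sh wp_audit.sh /path/to/wordpress
if [ $# -eq 1 ]; then audit "$1"; fi
```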

SECURITY CONFIGURATIONS
My Setup:
• Detection – Monitoring / Remediation
• Protection – Website Firewall
• Auditing – Sucuri Premium Plugin
• BackupBuddy
Read about how I set things up here: perez-of-sucuri-sets-up-his-own-security/
Alternatives:
• Limit Login Attempts
• BackupBuddy
• Akismet
• Better WP Security
• WP Security Audit Log
• Google Authenticator
• WordFence

IMPORTANT SERVICES (PAID)
• Managed Hosting
  • WPEngine -
  • WebSynthesis -
• Maintenance Services
  • Maintainn -
• Security
  • Sucuri –

KNOW WHERE TO GO
Online Resources:
• Sucuri Blog:
• SiteCheck Scanner:
• Unmask Parasites:
• Secunia Security Advisories: search/?search=wordpress
• WordPress Hardening: ng_WordPress
Support Forums:
• Hacked –
• Malware –
• BadwareBusters –

BLACKLIST SOURCES
• Google
  • Search Engine Results Page (SERP)
  • [your site]
• Bing
  • Internet Explorer | Yahoo
• Norton
  • SafeWeb Browsing | Facebook
• AVG
• Opera

Sucuri, Inc.
Tony Perez | @perezbox
