WordPress Security 2014 - The Basics of Security


Published on March 15, 2014

Author: perezbox

Source: slideshare.net

It's all about the Basics!! WORDPRESS SECURITY

WHOIS PEREZBOX
• Name: Tony Perez
• Twitter: @perezbox
• Company: Sucuri, Inc.
• Insight: Information Technology
• Passion: Brazilian Jiu Jitsu
3/15/2014@PEREZBOX @SUCURI_SECURITY #WCATL 2

TODAY'S 5 CHALLENGES
• Knowledge / Awareness
• Administration
• Extensibility
• Credentials
• End-users

KNOWLEDGE
Check yourself before you wreck yourself
“The user's going to pick dancing pigs over security every time.” - Bruce Schneier

IT'S ABOUT RISK REDUCTION!!!
• Forget the “Why”
  • Why is this happening to me?
• Focus on the “How”
  • How do I protect myself?
Your risk will never be 0%

DEFENSE IN DEPTH
• Layered Defenses
“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”

KNOW THE ENVIRONMENT
LAMP STACK: Linux | Apache | MySQL | PHP
• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• .org Implementations not .com

REALISTIC ENVIRONMENT
Linux Operating System
Apache | PHP (Modules) | MySQL
WordPress | cPanel | Plesk | myLittleAdmin | PHPMyAdmin | Etc..

ASK QUESTIONS…
• Host:
  • What happens if I get hacked and you detect it before I do?
  • What backup solution do you offer me?
  • What security protocols do you have in place to protect me?
• Designer / Developer:
  • Are you following all the appropriate coding best practice guidelines found in the codex?
  • Has your code ever been independently reviewed?
  • How will my website be maintained after the project completion?
  • Who will be responsible for updating my theme / plugin / core when the project is complete?
  • Are my files being backed up in the event of a catastrophe?

TODAY'S RELEVANT ATTACK VECTORS
• Access Control
  • Brute Force
• Software Vulnerabilities
  • Vulnerability Scanners
• Denial of Service (DoS)
  • Distributed / Non-Distributed

ACCESS CONTROL
Challenges:
• Access is King for attackers and website owners make it too easy
• Facilitated through Poor Passwords
• Little Attention to Access Controls
• Applies to all entry points – email, cpanel, FTP / SFTP, etc…
Solutions:
• Two factor / Multi-Factor Authentication
• IP White Listing
• Throttling Access Attempts

SOFTWARE VULNERABILITIES
Challenges:
• Very difficult for non technical people
• Users refuse to update, some cannot
• Soup Kitchen Servers
• Too many attackers with too much time
• Zero Days
Solutions:
• Website Firewall – SaaS based
• Stay current with the latest vulnerability releases
• Apply updates to entire stack when available
• Keep Only What you need on the server (production)

DENIAL OF SERVICE VS BRUTE FORCE
• Educational Post: http://blog.sucuri.net/2014/03/understanding-denial-of-service-and-brute-force-attacks-wordpress-joomla-drupal-vbulletin.html
• Differentiating Factor = Intent
  • Disruption of Services vs Gaining Access
• Both important in their own Right
Headlines:
• Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute
• More than 162,000 WordPress Sites Used for Distributed Denial of Service Attack (DDOS)

CONNECTING
• If you don't need it, disable it
  • SFTP / SSH is preferred
  • FTP works fine – disable if you're not using, don't talk to me if you are
  • FTP/SFTP != WP-ADMIN
• Least Privileged
  • You don't have to log in FTP / SFTP with full root access
  • Everyone doesn't need to be an admin
  • You don't need to log in as admin
  • The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?

ATTACK TYPE
Targeted:
• Big enterprises with large followings
• Big Name
• Worth Investing time and energy to compromise, bigger return
Opportunistic:
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think “TimThumb”

BRAND REPUTATION
• Blacklisting
• Dirty Search Engine Result Pages (SERP)

THE HOW
Nothing fancy here.. The facts
“Own one Own them All”

TOP SECURITY ISSUES TODAY
• Backdoors
• Injections
• Pharma Hack
• SEO SPAM
• Malicious Redirects
• Defacements
• Form Abuse
• SPAM Emails
• Compromised web servers

THINGS YOU CAN DO TO REDUCE RISK
The Bare Minimum:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – Yes, Macs need one
7. Verify your permissions - D 755 | F 644
8. Least Privileged
9. Kill generic accounts - Accountability
10. Backup your site – yes, Database too
Ideal implementations:
1. Employ Website Firewall
2. Don't let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers

KILL PHP EXECUTION
• The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice.
• Recommendation:
  • WP-INCLUDES
  • UPLOADS

    # PROTECT [Directory Name]
    <Files *.php>
    Deny from all
    </Files>

DISABLE PLUGIN/THEME EDITOR
• Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files.

    // Disable Plugin / Theme Editor
    define('DISALLOW_FILE_EDIT', true);
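As an added example (my own, not from the slides), a POSIX shell audit that checks a site tree for three of the items from the "reduce risk" list and the two slides that follow it: 755/644 permissions, DISALLOW_FILE_EDIT in wp-config.php, and an .htaccess denying *.php in wp-includes and uploads; it also accepts Apache 2.4's "Require all denied" alongside the 2.2 "Deny from all" the slides show. Function names and the sample tree it builds at the end are assumptions.

```shell
#!/bin/sh
# Added example (not from the slides): read-only audit of a WordPress tree for
# dirs 755 / files 644, DISALLOW_FILE_EDIT in wp-config.php, and .htaccess
# blocking *.php in wp-includes and uploads. Names are my own; the tree is constructed.
# Number of paths under $1 that are not directory 755 / regular file 644.
perm_violations() {
    bad_dirs=$(find "$1" -type d ! -perm 755 | wc -l)
    bad_files=$(find "$1" -type f ! -perm 644 | wc -l)
    echo $((bad_dirs + bad_files))
}
# True when wp-config.php under $1 defines DISALLOW_FILE_EDIT as true.
file_edit_disabled() {
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" \
        "$1/wp-config.php" 2>/dev/null
}
# True when directory $1 has an .htaccess denying *.php
# (Apache 2.2 "Deny from all" or Apache 2.4 "Require all denied").
php_exec_blocked() {
    [ -f "$1/.htaccess" ] && grep -q '<Files \*\.php>' "$1/.htaccess" &&
        grep -Eqi 'Deny from all|Require all denied' "$1/.htaccess"
}
# Print one line per finding; exit status is the number of findings (0 = clean).
audit_wordpress() {
    findings=0
    n=$(perm_violations "$1")
    [ "$n" -eq 0 ] || { echo "permissions: $n paths not 755/644"; findings=$((findings + 1)); }
    file_edit_disabled "$1" || { echo "wp-config.php: DISALLOW_FILE_EDIT not true"; findings=$((findings + 1)); }
    for sub in wp-includes wp-content/uploads; do
        php_exec_blocked "$1/$sub" || { echo "$sub: no .htaccess blocking *.php"; findings=$((findings + 1)); }
    done
    return "$findings"
}
# Constructed sample site with two deliberate findings: a world-writable file
# in uploads, and no .htaccess in uploads. Prints the temp path.
make_sample_site() {
    s=$(mktemp -d)
    mkdir -p "$s/wp-includes" "$s/wp-content/uploads"
    printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$s/wp-config.php"
    printf '# PROTECT wp-includes\n<Files *.php>\nDeny from all\n</Files>\n' > "$s/wp-includes/.htaccess"
    printf '<?php echo 1;\n' > "$s/wp-content/uploads/stray.php"
    find "$s" -type d -exec chmod 755 {} +
    find "$s" -type f -exec chmod 644 {} +
    chmod 777 "$s/wp-content/uploads/stray.php"
    echo "$s"
}
demo=$(make_sample_site)
audit_wordpress "$demo" || echo "$? finding(s)"
rm -rf "$demo"
```

Run it against a real install with `audit_wordpress /path/to/site`; a non-zero exit status is the number of items that still need attention.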

SECURITY CONFIGURATIONS
My Setup:
• Detection – Monitoring / Remediation
• Protection – Website Firewall
• Auditing – Sucuri Premium Plugin
• BackupBuddy
Read about how I set things up here: http://wpengine.com/2013/04/24/how-tony-perez-of-sucuri-sets-up-his-own-security/
Alternatives:
• Limit Login Attempts
• BackupBuddy
• Akismet
• Better WP Security
• WP Security Audit Log
• Google Authenticator
• WordFence

IMPORTANT SERVICES (PAID)
• Managed Hosting
  • WPEngine - http://wpengine.com/
  • Page.ly - http://page.ly/
  • WebSynthesis - http://websynthesis.com/
• Maintenance Services
  • Maintainn - http://maintainn.com/
• Security
  • Sucuri – http://sucuri.net

KNOW WHERE TO GO
Online Resources:
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
• WordPress Hardening: http://codex.wordpress.org/Hardening_WordPress
Support Forums:
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org

BLACKLIST SOURCES
• Google
  • Search Engine Results Page (SERP)
  • http://www.google.com/webmaster/tools
  • http://www.google.com/safebrowsing/diagnostic?site=[your site]
• Bing
  • Internet Explorer | Yahoo
  • http://www.bing.com/toolbox/webmaster/
• Norton
  • SafeWeb Browsing | Facebook
  • http://safeweb.norton.com/
• AVG
  • Opera
  • http://www.avgthreatlabs.com/sitereports/

Sucuri, Inc.
Tony Perez
http://sucuri.net | http://blog.sucuri.net | http://perezbox.com | @perezbox
