Ithemes presentation

Developer at Red8 Interactive à Red8 Interactive
29 Jul 2015

Contenu connexe


Ithemes presentation

  1. WordPress Security using iThemes Security Jason Yingling | Lead Developer Red8 Interactive | @jason_yingling |
  2. HHAM • Hosting • Hardening • Access • Maintenance
  3. WordPress Hosting • Support for latest software • Optimized for running WordPress • Malware scanning • Work with WordPress 24/7 • Backups
  4. Hardening • Protecting your site from common security risks – Don’t use the ‘admin’ username – Strong passwords – Hide the login area – Brute Force Protection – 404 Protection – Malware scanning
  5. Access • Minimize number of administrators • Remove file editing from dashboard • Two Factor Authentication
  6. Maintenance • Keep WordPress up to date • Keep plugins up to date • Remove unused themes and plugins
  7. iThemes Security
  8. iThemes Landing Page • Broken down into high priority, medium priority, and low priority
  9. Global Settings • Write to wp- config.php • Emails for lockout notifications, file change warnings, etc.
  10. Global Settings • Error messages to display to locked out users
  11. Global Settings • Enables blacklisting repeat offenders • Good idea to switch these up from the defaults
  12. Global Settings • Enables blacklisting repeat offenders • Good idea to switch these up from the defaults
  13. 404 Detection • Blocks attacker for scanning for known vulnerabilities
  14. Away Mode • Allows for disabling access to the dashboard between certain hours • Do you really need to be able to edit 24/7? • Taking a vacation
  15. Banned Users • Enable’s blacklist feature • Enable Ban Users • Permanently bans attackers IPs
  16. Brute Force Protection • Limit the number of bad login attempts before temporarily locking out the offending host
  17. Brute Force Protection • Switch it up from the default • 4 Max Login Attempts Per Host • 9 Max Login Attempts Per User • 6 Minutes to Remember Bad Login
  18. Database Backups • Sends a database backup via email or stores on server • Plugins – BackupBuddy – BackWPUp – WPmudev Snapshot – VaultPress
  19. File Change Detection • Allows you to include and exclude specific files that may change often • Helpful to see what files were changed if an attack happens
  20. Hide Login Area • Change login url from /wp-admin • Makes it more difficult for attacker to find login area • Avoid using iThemes default /wplogin
  21. SSL • Requires SSL setup on server • Allows you to force SSL for Dashboard
  22. Strong Passwords • Enables you to force strong passwords for users for certain user roles
  23. System Tweaks • Some of this may be performed by your host • Good idea to have on unless you know something conflicts on your site
  24. WordPress Tweaks
  25. WordPress Tweaks
  26. WordPress Tweaks
  27. Advanced Settings • Change name of ‘admin’ user • Change user with id of 1
  28. Advanced Settings • Change WordPress salts
  29. Advanced Settings • Change name of wp-content directory • Not necessary on most WP specific hosts
  30. Advanced Settings • Change database prefix to make your tables harder to find
  31. iThemes Security Pro • Allow you to temporarily bump a users access
  32. iThemes Security Pro • More password options • Password generator on user profile • Password expiration • Force password change
  33. iThemes Security Pro • Use Google’s reCAPTCHA for login, registration, and commenting
  34. iThemes Security Pro • Allow users to setup Two Factor Authentication using Google Authenticator app
  35. iThemes Security Pro • Log user activities at a certain role such as login, saving content, and more
  36. Locked yourself out? • Login to your database via phpMyAdmin or a program like Sequel Pro • Navigate to the itsec_lockouts table • Delete the row with your IP
  37. Locked yourself out? • Disable plugin via FTP • Navigate to /wp-content/plugins • Rename the ithemes-security plugin directory
  38. Questions? • Jason Yingling | Red8 Interactive • @jason_yingling •

Notes de l'éditeur

  1. 4 key components to WP security
  2. We use WP Engine. They keep daily backups for 30 days and have a partnership with Sucuri for scanning havked sites and fixing issues
  3. This gives attackers less avenues for gaining access.
  4. - Formerly BetterWPSecurity (believe the free version shows up as that still in the file directory) - Upon activating iThemes Security you’ll get the important first steps screen
  5. Good idea to take care of high priority items
  6. Need to allow for iThemes to write to wp-config.php file
  7. - Error messages to display to users / hosts for different lockout reasons
  8. - Allows users / hosts to be banned for hitting a certain limit of lockouts within a certain time period
  9. If you’re forgetful you may want to white list your IP. - Use this sparingly
  10. Detects hosts that are hitting an unusually high number of 404 pages This can occur when an attacker is scanning for known vulnerabilities in plugins and themes on your site if those files don’t exist
  11. Let’s you completely block access to the backend during certain periods Can set up daily or one-time limits
  12. -Allows you to use hackrepair.coms list of known bad hosts / bots -Enabling ban users let’s you permanently ban bad hosts
  13. - Brute Force Protection let’s you limit the number of bad login attempts before temporarily locking out the offending host
  14. Good idea to avoid the iThemes defaults because as it becomes more commonly used attackers will learn the defaults (not a big thing)
  15. Let’s you get a copy of the database emailed or stored on the server I’d suggest using other backup software that let’s you store backups at an external source such as Dropbox or Google Drive
  16. Can detect if files were changed and show which files Can be annoying with plugin / theme updates
  17. Makes it harder for an attacker to find your login area
  18. -Allows you to force SSL if you have it set up on your server -
  19. Allows you to force users at or above a certain role to use a strong password
  20. Probably good to have these on for most simple WordPress sites
  21. Removing the generator meta tag and displaying a random version make it more difficult for an attacker to zero in on known vulnerabilities with past versions Who doesn’t want to reduce comment spam?
  22. -Disable the file editor hides the edit function from plugins and the Apperance menu. If you edit your theme directly form the WP-Admin you’ll want to leave the file editor on. I always edit my code from a separate program as it is more secure to have the file editor hidden.
  23. -I don’t mess with replacing the jQuery version as it could cause issues with themes functionality if they were built for a specific version I generally leave the login error message enabled Forcing a unique nickname helps prevent users from displaying their username within a post.
  24. Allows you to change the admin username if ‘admin’ exists and change the user id if there is a user with id of 1. Both are good to do as an attacker usually knows that account has the most access
  25. -Salts are secret keys used by WordPress in the wp-config.php files to increase security. These can be updated from iThemes. -I generally don’t mess with this as I generate salts during the initial WordPress install
  26. - This one can be tricky. It’s probably unneccesary on WP specific hosts as they’ll have measures in to protect wp-content and may not even allow you to change the name of this directory
  27. -changing the database prefix to something other than wp_ is good to make it harder for an attacker to find your database tables
  28. -These are some of the pro features for the paid version - Privilege escalation let’s you temporarily increase a users privileges, say if you have a developer that needs admin access for a week
  29. Pro also gives you more password options such as: - adding a password generator to user profiles - setting password expirations - and forcing users to change their password on their next login
  30. You can also add a Google reCAPTCHA field to your login screen that will help to prevent people from brute forcing your site
  31. Pro also allows you to give users the option for Two Factor Authentication through the Google Authenticator app. This requires users to enter a specially generated 6 digit code from their phone when logging into the site A huge increase of security
  32. -User logging let’s you track actions of users at or above a certain role -Actions like logging in and saving content