WordPress is a powerful tool for presenting your information on the web, but with great power comes great responsibility – and a great target for people with criminal intent. This presentation illustrates some of the risks and ways to mitigate them.
1. Wild WordPress Workshop With @WPEngine 04-07-17
Understanding WordPress Security
Nick Batik
@nick_batik pleiadesservices.com
2. What You Will Learn
❖ WordPress plugins and themes have the potential for
security vulnerabilities.
❖ Why hackers want your WordPress website.
❖ How to manage potential vulnerabilities
❖ Harden your site against the most common security
threats.
3. Introduction to Hardening WordPress
❖ Do you lock your door when you leave your home?
❖ Have you ever left your car running while you ran into a convenience store?
5. Busy folks tend to think about managing personal risk AFTER
the theft or destruction of personal or digital property.
With just a little bit of planning and prevention,
there is a good chance you could have averted the entire situation.
6. What can you do to minimize potential vulnerabilities in your WordPress website?
7. Site security is all about
attitude.
❖ A Proactive attitude about
both prevention and
maintenance
❖ HOPE is Not a Viable
Security Strategy
8. A Site Hack is not an “IF”, it is a “WHEN”
It can range from a minor inconvenience to a devastating security breach that compromises sensitive information or takes down the site completely.
9. What You Really Need to Know About WordPress
Security
❖ WordPress has over 42,000 plugins — each one with potential vulnerabilities
❖ There are ongoing security issues with WordPress themes
10. WordPress is a secure
platform
❖ The WordPress Team has security experts who
manage potential vulnerabilities.
❖ WordPress works closely with outside security
professionals and hosting companies.
11. Why Would Hackers Search for Vulnerabilities
In Your WordPress Website?
13. Reason # 1 – SEO
❖ Once hackers gain control of your site, they can:
❖ Insert back-links to improve the
SEO of another site
❖ Insert affiliate links designed to sell
something
❖ Further their own nefarious agenda
by using your site’s good reputation
— until Google blacklists YOU —
and they move on
14. Reason # 2 – SPAM
❖ ‘SPAM FARMS’ get blacklisted.
❖ The hacker controls your site, trashes your hosting account, then moves on.
❖ You get to clean up the mess and explain to your users.
15. Reason # 3 – Theft
❖ What do YOU have stored on your computer:
❖ Passwords?
❖ Credit card information?
❖ Banking information?
❖ What else?
16. ❖ An exploit of your WordPress website can provide
access to not only your personal information — but from
your visitors’ computers as well.
17. Reason # 4 – a Base for Denial of
Service Attacks
❖ Denial of Service attacks render the targeted site
unavailable
❖ Hackers exploit a network of vulnerable “zombie” sites to power the sustained attack.
18. Reason # 5 – Malware
❖ Malware can spy on a user’s actions or inject computer
viruses, worms, trojan horses, ransomware, spyware,
adware.
❖ Hackers inject malware into vulnerable sites because you take the Google penalty while they go undetected.
19. Targeted vs Non-Targeted
Attacks
❖ Non-targeted
❖ automated attacks of a known vulnerability
❖ the hacker isn’t focused on you or your business
❖ opportunistic and efficient
❖ use automated tools to scan websites
❖ scan for a specific version of WordPress or a plugin with exploitable vulnerabilities.
20. Targeted vs Non-Targeted
Attacks
❖ Targeted Attacks
❖ a hacker consciously decides to target your website
❖ more visitors to your website attracts targeting by
hackers
❖ a targeted company loses its reputation and can face liability for damages.
❖ Some large-scale targeted attacks:
❖ Sony, Target, and Ashley Madison.
21. How Can You Prevent a Targeted
Attack?
❖ Harden Your WordPress Site to Encourage Hackers to
Move on to Easier Targets
22. The Open Web Application Security
Project
❖ The Open Web Application Security Project (OWASP) is a community project dedicated to improving the security of software around the world.
23. The Most Exploitable Website
Security Flaws
❖ 1. – Injection
❖ 2. – Broken Authentication and Session Management
❖ 3. – Cross-Site Scripting XSS
❖ 4. – Insecure Direct Object References
❖ 5. – Security Misconfiguration
❖ 6. – Sensitive Data Exposure
❖ 7. – Missing Function Level Access Control
❖ 8. – Cross-Site Request Forgery
❖ 9. – Using Components with Known Vulnerabilities
❖ 10. – Unvalidated Redirects and Forwards
24. Injection
❖ WordPress uses SQL to communicate with your
database which in turn makes it vulnerable to SQL
Injection Attacks.
❖ A malicious statement designed to extract sensitive
information from a database can be entered into a form
field.
25. Cross-Site Scripting (XSS)
❖ XSS vulnerabilities are both extremely common and complicated
❖ Taking advantage of an XSS Vulnerability requires two innocent parties — a
vulnerable WordPress website and an unwilling visitor
❖ Hackers find a vulnerable website
❖ they distribute links carrying a malicious script (via email, for example).
❖ a user clicks on the link containing the malicious script
❖ it directs them to the vulnerable website
❖ The website then reflects the script back to the visitor's browser, where it is executed because it came from what the browser believed to be a trusted website.
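The two flaws from slides 24 and 25 shown side by side in WordPress code, as an added example that is not part of the original presentation: each defective pattern is followed by its hardened form using the core APIs that do the right thing (`$wpdb->prepare()` binds values as data rather than SQL; `esc_html()` / `esc_attr()` encode output for the context it lands in). The `subscribers` table and its columns are an assumed, hypothetical plugin table.

```php
<?php
/**
 * Added example (not from the slides): the defects from slides 24 and 25 in a
 * hypothetical WordPress plugin, each beside its fixed form.
 * Assumes a "{prefix}subscribers" table created by that plugin; the column
 * names are made up for the example.
 */

// --- SQL injection (slide 24) ---

// Vulnerable: the request value is concatenated straight into the query, so
// whatever the user typed into the form field becomes part of the SQL text.
function subscriber_lookup_vulnerable( $email ) {
    global $wpdb;
    $sql = "SELECT id, email FROM {$wpdb->prefix}subscribers WHERE email = '$email'";
    return $wpdb->get_results( $sql );
}

// Hardened: reject malformed input early, then let $wpdb->prepare() bind the
// value as a parameter. The %s placeholder is quoted and escaped by WordPress.
function subscriber_lookup_hardened( $email ) {
    global $wpdb;
    $email = sanitize_email( $email );          // normalise and drop illegal characters
    if ( ! is_email( $email ) ) {
        return array();                          // nothing to look up
    }
    $sql = $wpdb->prepare(
        "SELECT id, email FROM {$wpdb->prefix}subscribers WHERE email = %s",
        $email
    );
    return $wpdb->get_results( $sql );
}

// --- Reflected XSS (slide 25) ---

// Vulnerable: the search term from the URL is echoed into the page unchanged,
// so markup or script in the parameter is "reflected" to the visitor's browser.
function search_heading_vulnerable() {
    $term = isset( $_GET['q'] ) ? $_GET['q'] : '';
    echo '<h2>Results for ' . $term . '</h2>';
}

// Hardened: sanitise on input (strip tags, trim) and escape on output.
function search_heading_hardened() {
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    echo '<h2>Results for ' . esc_html( $term ) . '</h2>';
}

// Hardened, attribute context: the escaping function must match where the
// value lands. Inside an HTML attribute, esc_attr() is the right call.
function search_input_hardened( $term ) {
    echo '<input type="text" name="q" value="' . esc_attr( $term ) . '">';
}
```

The pattern to take away is "sanitise early, escape late": validate and normalise what comes in, and encode every value at the point it is written into SQL, HTML, or an attribute, using the function that matches that destination.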
27. Access control
❖ Access control is a huge factor, and is often what is being exploited (i.e., attacked) when you hear of things like brute-force attacks.
❖ Software vulnerabilities, specifically the exploitation of said vulnerabilities, are and continue to be a big problem for WordPress users.
❖ Not because of the platform itself, but because of its extensibility, the plethora of plugins / themes available, and the shortage of skilled professionals relative to the adoption of the platform.
28. Access Control
❖ “…The attack vector for WordPress has been consistent
for the past two years, and revolves around two very
distinct vectors – Access Control and Software
Vulnerabilities.”
❖ — Tony Perez of Sucuri
29. How Do You Harden Your Site?
❖ Identify and Fix
Common
WordPress Security
Vulnerabilities
30. How To Harden Your
WordPress Site
❖ Top Security Mistakes Inexperienced WordPress Users
Make
❖ 1. Use weak usernames and passwords.
❖ 2. Fail to keep software up to date.
❖ 3. Install plugins and themes without doing any basic
research about them, or checking the source.
31. Best Site Hardening Practices for
Beginners
❖ Back Up Your Website
❖ The most important thing you can do is to back up your website on a regular basis.
❖ Some hosting companies provide automated backups
❖ You can use a plugin like BackupBuddy
❖ Or use a service like VaultPress
32. Pick a Solid WordPress Host
❖ Hosting companies need to take security seriously, but this is not to
say that you must rely on a managed WordPress hosting company.
❖ Some hosting companies will automatically block an IP address
after too many failed attempts to log in or access a hosting
account.
❖ You should also make sure that they are using a recent version of
MySQL and PHP, two of the components that are vital to
WordPress.
❖ Never hesitate to ask your hosting company for more information
on their security posture.
33. Use Reputable Themes and
Plugins
❖ Choosing reputable themes and plugins is an essential
step in reducing the overall surface area available to
potential hackers.
❖ Vulnerabilities can be present even in well-established
themes or plugins.
❖ It’s also a good idea to limit your total number of plugins
to as few as possible. More plugins mean a greater
potential risk.
34. Use a Strong User Name &
Password
❖ Use unique, difficult-to-guess usernames and passwords across all your accounts, not just your WordPress login.
❖ Consider the damage that a hacker could inflict if they
gained access to your domain registrar, hosting account
or cPanel.
35. Use a Security Plugin
❖ iThemes Security
❖ WordFence
❖ Sucuri
36. Monitor Your Site
❖ Keeping an eye on what’s happening with your website can provide
important clues that something might not be right.
❖ Your analytics can provide key information about your website traffic. Any sudden change, especially a sudden spike or drop, might indicate a problem.
❖ Perform a site search using site:http://yourdomain.com – Are there any
sudden or negative changes in the number of pages indexed? Are all
your meta descriptions appropriate?
❖ What are the other logged in users on your website up to, authorized or
not? You can use a plugin like WP Security Audit Log to track what’s
happening.
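A single must-use plugin that covers two points from the slides, as an added example that is not part of the original presentation and is not the code of any plugin named in it: the automatic blocking of an address after too many failed logins that slide 32 credits to good hosts, and the audit trail of logins and role changes that slide 36 recommends watching. It assumes a WordPress site with no reverse proxy in front of it (so `REMOTE_ADDR` is the client), and the threshold and window below are constructed values.

```php
<?php
/**
 * Plugin Name: Login Audit and Throttle (added example)
 *
 * Added example, not part of the slides or of any product they name.
 * Save as wp-content/mu-plugins/login-audit-throttle.php so it loads on every
 * request. It (1) writes login successes, failures, role changes and plugin
 * activations to the PHP error log, and (2) refuses further logins from an
 * address for a while after too many failures. Thresholds are constructed.
 */

const LAT_MAX_FAILURES   = 5;     // failures allowed per window (assumed value)
const LAT_WINDOW_SECONDS = 900;   // 15-minute window (assumed value)

// Client address. Assumption: no reverse proxy; behind one you would read the
// header your proxy sets instead, and only after confirming it overwrites it.
function lat_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

// One-line, grep-friendly audit record in the web server's PHP error log.
function lat_log( $event, $detail ) {
    error_log( sprintf( '[wp-audit] %s ip=%s %s', $event, lat_client_ip(), $detail ) );
}

// Per-address failure counter, stored as a transient that expires with the window.
function lat_transient_key() {
    return 'lat_fail_' . md5( lat_client_ip() );
}

// Fires after WordPress has rejected a username/password pair.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lat_transient_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LAT_WINDOW_SECONDS );   // refreshes the expiry too
    lat_log( 'login_failed', sprintf( 'user=%s failures=%d', $username, $count ) );
} );

// Refuse every attempt from an address that has used up its failures, even one
// with the correct password. Priority 30 runs after the core password check
// (priority 20), so core cannot overwrite the error we return here.
add_filter( 'authenticate', function ( $user, $username ) {
    if ( (int) get_transient( lat_transient_key() ) >= LAT_MAX_FAILURES ) {
        lat_log( 'login_blocked', 'user=' . $username );
        return new WP_Error( 'too_many_attempts', 'Too many failed logins; try again later.' );
    }
    return $user;
}, 30, 2 );

// A successful login clears the counter and is itself worth recording.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( lat_transient_key() );
    lat_log( 'login_ok', 'user=' . $user_login );
} );

// Privilege changes are exactly the "what are other users up to" signal slide 36 asks about.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    lat_log( 'role_changed', sprintf( 'user_id=%d new=%s old=%s', $user_id, $role, implode( ',', $old_roles ) ) );
}, 10, 3 );

add_action( 'activated_plugin', function ( $plugin ) {
    lat_log( 'plugin_activated', 'plugin=' . $plugin );
} );
```

Because a blocked attempt also passes through `wp_login_failed`, the counter keeps climbing and the expiry keeps being pushed out while the attempts continue, so the lockout only ends once the address has been quiet for the full window. Review the `[wp-audit]` lines in the error log the same way the slide suggests reviewing analytics: a burst of `login_failed` entries from one address, or a `role_changed` you did not make, is the early clue to act on.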
37. What to Do If Your Site is
Hacked
❖ In the unfortunate event that your WordPress website is
hacked, you’ll breathe a sigh of relief knowing that you
have a recent backup on hand.
1. Make a backup of what there is. This will come in
handy to analyze what has happened. Be sure you’re
not overwriting a previous, uncompromised version of
your website.
2. Restore a backup and change all passwords.
3. Show the backup to a security professional.
38. Final Thoughts
❖ Ignore at your own peril. WordPress is the target of
innumerable hackers.
❖ Even if you feel that your website or small business is
too small to be a target, you need to remember that a
large percentage of attacks are automated and not
specifically directed at your website.
❖ Despite what feels like doom and gloom, the best
decision you can make is to be proactive with your
WordPress security posture.
40. Final Thoughts
❖ Limit access to vital parts of your WordPress site
❖ Make it more difficult for a hacker to access specific parts of your site:
❖ Secure your wp-config.php file
❖ Make sure your directories and files have the correct permissions.
❖ Disable the File Editor in the WordPress Admin panel, which means a hacker will require FTP access to reach core and theme files.
❖ Limiting access also includes the use of appropriate user roles.
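A must-use plugin that checks the three items on this slide and reports any that fail as an admin notice, as an added example that is not part of the original presentation. It changes nothing itself; the messages name the fix (the `DISALLOW_FILE_EDIT` constant in wp-config.php, and the 0755 / 0644 / 0640 permission modes). The gate on `manage_options` also illustrates the slide's last point about roles: only administrators see the findings. The permission thresholds assume the common case where the PHP process runs as the file owner or as a member of its group; on a host where that is not true, the mode it expects for wp-config.php may need to be 0644.

```php
<?php
/**
 * Plugin Name: Hardening Checklist Notice (added example)
 *
 * Added example, not from the slides. Save as
 * wp-content/mu-plugins/hardening-checklist.php. On each admin page load it
 * checks the three items from slide 40 and prints a warning for any that fail.
 * It only reports; the remedies are the wp-config.php constant and the
 * permission changes named in the messages.
 */

function hcn_locate_wp_config() {
    // wp-config.php may live in the web root or one directory above it.
    foreach ( array( ABSPATH . 'wp-config.php', dirname( ABSPATH ) . '/wp-config.php' ) as $path ) {
        if ( file_exists( $path ) ) {
            return $path;
        }
    }
    return null;
}

function hcn_findings() {
    $findings = array();

    // 1. Secure wp-config.php: it holds database credentials and salts, so it
    //    must not be readable or writable by "other" (assumed expectation: 0640 or 0600).
    $config = hcn_locate_wp_config();
    if ( $config && ( fileperms( $config ) & 0007 ) ) {
        $findings[] = sprintf(
            'wp-config.php is accessible to other users (mode %o); use 0640 or 0600.',
            fileperms( $config ) & 0777
        );
    }

    // 2. Directory and file permissions: nothing under the install should be
    //    world-writable. A few high-value directories are checked rather than the
    //    whole tree, to keep the check cheap on every admin request.
    foreach ( array( ABSPATH, WP_CONTENT_DIR . '/uploads', WP_CONTENT_DIR . '/plugins' ) as $dir ) {
        if ( is_dir( $dir ) && ( fileperms( $dir ) & 0002 ) ) {
            $findings[] = sprintf( '%s is world-writable; directories should be 0755, files 0644.', $dir );
        }
    }

    // 3. Built-in theme/plugin editor: removed by DISALLOW_FILE_EDIT in wp-config.php,
    //    so that editing PHP on the server needs FTP/SFTP access, not just an admin login.
    if ( ! defined( 'DISALLOW_FILE_EDIT' ) || ! DISALLOW_FILE_EDIT ) {
        $findings[] = "The theme/plugin editor is enabled; add define( 'DISALLOW_FILE_EDIT', true ); to wp-config.php.";
    }

    return $findings;
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;   // role check: hardening findings are for administrators only
    }
    foreach ( hcn_findings() as $finding ) {
        echo '<div class="notice notice-warning"><p>' . esc_html( $finding ) . '</p></div>';
    }
} );
```

`DISALLOW_FILE_EDIT` removes only the editor; the related `DISALLOW_FILE_MODS` constant also blocks plugin and theme installation and updates from the dashboard, which is appropriate only when you deploy those through another channel, since it otherwise works against the "keep software up to date" advice from slide 30.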
41. Final Thoughts
❖ How to Disable Password Change Notifications in WordPress
❖ If you want to disable the email notifications for password changes of users on your WordPress site, just insert this piece of code into your theme’s functions.php file or create a custom functionality plugin and insert this code in there:
// wp_password_change_notification() is a pluggable function: defining it
// before core does replaces the core version, and an empty body means no
// e-mail is sent to the site admin when a user changes their password.
if ( ! function_exists( 'wp_password_change_notification' ) ) {
    function wp_password_change_notification( $user ) {}
}
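A variant of the override above that records the event instead of discarding it, as an added example that is not part of the original presentation. It also shows where such a file has to live: WordPress includes must-use and regular plugins before it loads wp-includes/pluggable.php, and loads the theme's functions.php after it, so a replacement for a pluggable function placed in functions.php finds the core function already defined and the `function_exists` guard skips it. The `[wp-audit]` log prefix is an assumed convention.

```php
<?php
/**
 * Plugin Name: Password Change Notice to Log (added example)
 *
 * Added example, not from the slides. Save as
 * wp-content/mu-plugins/password-change-log.php. Plugins load before
 * wp-includes/pluggable.php, so this definition wins; the same code in a
 * theme's functions.php would load after pluggable.php and be skipped.
 */
if ( ! function_exists( 'wp_password_change_notification' ) ) {
    // $user is the WP_User whose password changed. Instead of e-mailing the
    // site admin, keep a log line so the change still shows up in monitoring.
    function wp_password_change_notification( $user ) {
        error_log( sprintf(
            '[wp-audit] password changed for user_id=%d login=%s',
            $user->ID,
            $user->user_login
        ) );
    }
}
```

Silencing the notification removes a signal; logging it keeps the signal without the inbox noise, which fits the monitoring advice on slide 36.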
42. Presenter
Nick Batik
I started in web development in 1994 and have been a WordPress consultant and web developer since 2007. A WordPress evangelist, I’ve served as Austin WordPress Meetup co-organizer since 2010. With my partner, I co-founded Pleiades Publishing Services in 1992 and Hands-On WordPress Training in 2010.
Follow me @nick_batik / @WPATX
Contact me at: handsonwp.com
https://www.linkedin.com/in/nicholasbatik
Editor's notes
• The WordPress extensive ecosystem contains a plethora of plugins and themes — each having the potential for additional security vulnerabilities.
• Why hackers invest their time searching for exploitable vulnerabilities in your simple, low-traffic beginner’s WordPress website.
• How to develop a well-defined process for managing potential vulnerabilities
• The best approach to protect and harden your site against the largest and most common security threats.
LiveSlide Site
https://www.youtube.com/watch?v=S81diy9-d28
A hack can be anything from a minor inconvenience with an easy fix — to a devastating security breach that compromises sensitive information or takes down the site completely.
The WordPress Team has a couple dozen security experts, including both developers and researchers, who follow a well-defined process for managing potential vulnerabilities.
WordPress also works closely with outside security professionals and hosting companies.
If your site traffic just suddenly fell off the ledge — you’ve probably been hacked for the purpose of sending SPAM email.
Sites that have become unknowing ‘SPAM FARMS’ get blacklisted.
The opportunistic hacker who controlled your site and trashed your hosting account simply moves on to the next target of opportunity.
You get to clean up the mess and explain to your users why they are getting the “Warning: Visiting this site may harm your computer!” message.
BTW, the cleanup steps are detailed at https://blog.sucuri.net/2011/01/what-to-do-when-your-site-gets-blacklisted.html
Malware (various forms of hostile or intrusive software) can spy on a user’s actions, such as key-logging, and/or inject computer viruses, worms, trojan horses, ransomware, spyware, adware.
Malware can take the form of executable code, scripts, active content, and other software.
Hackers inject malware into vulnerable sites because — you take the Google hit — they go undetected as the original source.
There are two types of attacks that affect WordPress websites.
Non-targeted — automated attacks that take advantage of a known vulnerability — It's not personal — the hacker isn’t specifically focused on your business or you personally.
Hackers are opportunistic and efficient. They use automated tools to scan a wide range of IP addresses — like websites located on a specific shared hosting server.
Hackers scan for a specific version of WordPress or a plugin with exploitable vulnerabilities.
WordPress uses SQL to communicate with your database which in turn makes it vulnerable to SQL Injection Attacks.
SQL injection attacks are one of the top vulnerabilities facing the WordPress ecosystem
A malicious statement designed to extract sensitive information from a database can be entered into a form field.
This process might be handled manually, but a hacker can also automate the process using a tool like Burp Suite.
A small vulnerability can lead to the release of sensitive information.
Pick a Solid WordPress Host
Picking a solid, reliable hosting company for your WordPress website can go a long way towards relieving some of your security worries.
Hosting companies need to take security seriously, but this is not to say that you must rely on a managed WordPress hosting company. There are lots of great hosting companies to pick from with a wide variety of price points.
As an example of proactive security practices, some hosting companies will automatically block an IP address after too many failed attempts to log in or access a hosting account.
You should also make sure that they are using a recent version of MySQL and PHP, two of the components that are vital to WordPress.
Never hesitate to ask your hosting company for more information on their security posture.
3. USE REPUTABLE THEMES AND PLUGINS
Choosing reputable themes and plugins is an essential step in reducing the overall surface area available to potential hackers. Many of the top WordPress plugin or theme developers request a third-party audit from a company like Sucuri prior to release.
If you look back to the section where we discussed XSS vulnerabilities, it’s clear that vulnerabilities can be present even in well-established themes or plugins. The difference being that reputable or well-established theme companies or plugin developers are more likely to be proactive in their approach to security.
On the topic of plugins, it’s also a good idea to limit your total number of plugins to as few as possible. More plugins, by default, mean you are providing a greater potential attack surface.
Not only is this one of the issues brought up by Robert from WP White Security, it goes without saying that you need to make access to all of your accounts as difficult as possible. Use unique, difficult-to-guess usernames and passwords across all your accounts, not just your WordPress login. You should also implement two-factor authentication on any account that provides the option, using a plugin like Clef Two-Factor Authentication for your WordPress site.
Consider for a second the damage that a hacker could inflict if they gained access to your domain registrar, hosting account or cPanel. Despite these risks, many people insist on using the same login credentials across multiple accounts. A sign of a strong password is one that you can’t remember, but services like LastPass or 1Password are designed to manage that for you.
Here is some handy advice for creating strong passwords:
Many users find it easier to rely on a one-stop security solution. If that sounds like you, one of the available WordPress security plugins might be suitable. Here are some of the popular options:
iThemes Security – available in both a free and premium version, iThemes provides over 30 different ways to improve the security of your website.
WordFence – is another security plugin that offers both a free and premium version. With just over 11 million downloads, WordFence has a strong user base who depend on this plugin for their security needs.
Sucuri – While Sucuri maintains a free plugin in the WordPress repository, they also provide a more comprehensive service that includes: malware and blacklist scanning, DDoS protection, malware cleanup, firewall protection and more. One of the great features of the Sucuri service is that it includes cleanup in the event that your site is compromised.
Here is a list of other malware tools for WordPress
The point here is that you should be vigilant. You can potentially avert untold damage by catching a security breach as early as possible.
FINAL THOUGHTS ON HARDENING YOUR WORDPRESS SECURITY
WordPress security and more specifically the hardening of your website is something you can choose to ignore at your own peril. As the most popular CMS in the World, WordPress is the target of innumerable hackers.
Even if you feel that your website or small business is too small to be a target, you need to remember that a large percentage of attacks are automated and not specifically directed at your website. If you are interested in digging into some hard numbers, Imperva produces an annual Web Application Attack Report that contains some frightening statistics.
Despite what feels like doom and gloom, the best decision you can make is to be proactive with your WordPress security posture. Too many WordPress administrators do too little, too late. Even though no WordPress website can ever be 100% secure, any action you take today to harden your security can pay instant dividends.
Additional information — for the article, read the following Evernotes:
New Guide on How to Fix Hacked WordPress Sites
Sucuri Security
Hire WordPress Security Specialists for a WordPress Security Audit
Data Manipulation: An Imminent Threat
Advanced Tips & Tricks for Better Online Privacy and Security
Source Documentation: http://makeawebsitehub.com/wordpress-security/
https://www.owasp.org/index.php/Main_Page