WordPress is a powerful tool for presenting your information on the web, but with great power comes great responsibility – and great targets for people intending various criminal intent. This presentation illustrates some of the risks and ways to mitigate them.

1. Wild WordPress Workshop With @WPEngine 04-
07-17
Understanding
WordPress
Security
Nick Batik
@nick_batik pleiadesservices
.com

2. What You Will Learn
❖ WordPress plugins and themes have the potential for
security vulnerabilities.
❖ Why hackers want your WordPress website.
❖ How to manage potential vulnerabilities
❖ Harden your site against the most common security
threats.

3. Introduction to
Hardening
WordPress
❖ Do you lock your door when you leave
your home?
❖ Have you ever left your car running
while you ran into to a convenience
store?

4. Lorem Ipsum Dolor

5. Busy folks tend to think about managing personal risk AFTER
the theft or destruction of personal or digital property.
With just a little bit of planning and prevention,
there is a good chance you could have averted the entire situation.

6. What you can do to minimize potential vulnerabilities
in your WordPress website?

7. Site security is all about
attitude.
❖ A Proactive attitude about
both prevention and
maintenance
❖ HOPE is Not a Viable
Security Strategy

8. A Site Hack is not an “IF” it is a
“WHEN”
from a minor inconvenience to a devastating security breach that
compromises sensitive information or takes down the site completely

9. What You Really Need to Know About WordPress
Security
❖ The WordPress has over
42,000 plugins —
each one with potential
vulnerabilities
❖ There are the ongoing
security issues with
WordPress themes

10. WordPress is a secure
platform
❖ The WordPress Team has security experts who
manage potential vulnerabilities.
❖ WordPress works closely with outside security
professionals and hosting companies.

11. Why Would Hackers Search for Vulnerabilities
In Your WordPress Website?

12. WHY????
❖ Why Little Ol’ YOU?
❖ Let us count the WHYs

13. Reason # 1 – SEO
❖ Once Hackers is gain control of your
site they can:
❖ Insert back-links to improve the
SEO of another site
❖ Insert affiliate links designed to sell
something
❖ Further their own nefarious agenda
by using your site’s good reputation
— until Google blacklists YOU —
and they move on

14. Reason # 2 – SPAM
❖ ‘SPAM FARMS’ get blacklisted.
❖ Hacker controls your site and trashed your account,
then moves on.
❖ You get to clean up the mess and explain to your users

15. Reason # 3 – Theft
❖ What do YOU have stored on your computer:
❖ Passwords?
❖ Credit card information?
❖ Banking information?
❖ What else?

16. ❖ An exploit of your WordPress website can provide
access to not only your personal information — but from
your visitors’ computers as well.

17. Reason # 4 – a Base for Denial of
Service Attacks
❖ Denial of Service attacks render the targeted site
unavailable
❖ Hackers exploit a network of “vulnerable, zombie- sites”
to power the sustained attack.

18. Reason # 5 – Malware
❖ Malware can spy on a user’s actions or inject computer
viruses, worms, trojan horses, ransomware, spyware,
adware.
❖ Hackers inject malware into vulnerable sites because
you get penalized by Google and they go undetected.

19. Targeted vs Non-Targeted
Attacks
❖ Non-targeted
❖ automated attacks of a known vulnerability
❖ the hacker isn’t focused on you or your business
❖ opportunistic and efficient
❖ use automated tools to scan websites
❖ scan for a specific version or WordPress or a plugin
with exploitable vulnerabilities.

20. Targeted vs Non-Targeted
Attacks
❖ Targeted Attacks
❖ a hacker consciously decides to target your website
❖ more visitors to your website attracts targeting by
hackers
❖ targeted company loses its reputation, and can face for
damages.
❖ Some large-scale targeted attacks:
❖ Sony, Target, and Ashley Madison.

21. How Can You Prevent a Targeted
Attack?
❖ Harden Your WordPress Site to Encourage Hackers to
Move on to Easier Targets

22. The Open Web Application Security
Project
❖ The Open Web Application Security Project is
responsible for improving software security around the
world.

23. The Most Exploitable Website
Security Flaws
❖ 1. – Injection
❖ 2. – Broken Authentication and Session Management
❖ 3. – Cross-Site Scripting XSS
❖ 4. – Insecure Direct Object References
❖ 5. – Security Misconfiguration
❖ 6. – Sensitive Data Exposure
❖ 7. – Missing Function Level Access Control
❖ 8. – Cross-Site Request Forgery
❖ 9. – Using Components with Known Vulnerabilities
❖ 10. – Unvalidated Redirects and Forwards

24. Injection
❖ WordPress uses SQL to communicate with your
database which in turn makes it vulnerable to SQL
Injection Attacks.
❖ A malicious statement designed to extract sensitive
information from a database can be entered into a form
field.

25. Cross-Site Scripting (XSS)
❖ XSS vulnerabilities are both extremely common and complicated
❖ Taking advantage of an XSS Vulnerability requires two innocent parties — a
vulnerable WordPress website and an unwilling visitor
❖ Hackers find a vulnerable website
❖ they distribute malicious scripts (via email for example).
❖ user clicks on the link containing the malicious script
❖ it directs them to the vulnerable website
❖ The website then reflects the script back to the visitors browser where it is
executed willingly because it came from what was believed to be a safe
website.

26. Access control
❖ Logging into wp-admin in WordPress
❖ Access to servers and hosting accounts

27. Access control
❖ Access is a huge factor, and often what we hear being
exploited (i.e., attacked) when you hear of things like Brute
Force attacks.
❖ Software vulnerabilities, specifically the exploitation of said
vulnerabilities, is and continues to be a big problem for
WordPress users.
❖ Not because of the platform itself, but because of its
extensibility and the plethora of plugins / themes available, and
the shortage of skilled professionals, relative to the adoption of
the platform.

28. Access Control
❖ “…The attack vector for WordPress has been consistent
for the past two years, and revolves around two very
distinct vectors – Access Control and Software
Vulnerabilities.”
❖ — Tony Perez of Sucuri

29. How Do You Harden Your Your
Site?
❖ Identify and Fix
Common
WordPress Security
Vulnerabilities

30. How To Harden Your
WordPress Site
❖ Top Security Mistakes Inexperienced WordPress Users
Make
❖ 1. Use weak usernames and passwords.
❖ 2. Fail to keep software up to date.
❖ 3. Install plugins and themes without doing any basic
research about them, or checking the source.

31. Best Site Hardening Practices for
Beginners
❖ Back-Up Your Website
❖ The most important thing you can do is to backup
your website on a regular basis.
❖ Some hosting companies provide automated backups
❖ You can use a plugin like Backup Buddy
❖ Or you use a service like VaultPress

32. Pick a Solid WordPress Host
❖ Hosting companies need to take security seriously, but this is not to
say that you must rely on a managed WordPress hosting company.
❖ Some hosting companies will automatically block an IP address
after too many failed attempts to log in or access a hosting
account.
❖ You should also make sure that they are using a recent version of
MySQL and PHP, two of the components that are vital to
WordPress.
❖ Never hesitate to ask your hosting company for more information
on their security posture.

33. Use Reputable Themes and
Plugins
❖ Choosing reputable themes and plugins is an essential
step in reducing the overall surface area available to
potential hackers.
❖ Vulnerabilities can be present even in well-established
themes or plugins.
❖ It’s also a good idea to limit your total number of plugins
to as few as possible. More plugins mean a greater
potential risk.

34. Use a Strong User Name &
Password
❖ Use unique, and difficult to guess usernames and
passwords across all your accounts, not just your
WordPress login.
❖ Consider the damage that a hacker could inflict if they
gained access to your domain registrar, hosting account
or cPanel.

35. Use a Security Plugin
❖ iThemes Security
❖ WordFence
❖ Sucuri

36. Monitor Your Site
❖ Keeping an eye on what’s happening with your website can provide
important clues that something might not be right.
❖ Your analytics can provide key information about your website traffic.
Any sudden change, especially a sudden spike or drop might indicate a
problem
❖ Perform a site search using site:http://yourdomain.com – Are there any
sudden or negative changes in the number of pages indexed? Are all
your meta descriptions appropriate?
❖ What are the other logged in users on your website up to, authorized or
not? You can use a plugin like WP Security Audit Log to track what’s
happening.

37. What to Do If Your Site is
Hacked
❖ In the unfortunate event that your WordPress website is
hacked, you’ll breathe a sigh of relief knowing that you
have a recent backup on hand.
1. Make a backup of what there is. This will come in
handy to analyze what has happened. Be sure you’re
not overwriting a previous, uncompromised version of
your website.
2. Restore a backup and change all passwords.
3. Show the backup to a security professional.

38. Final Thoughts
❖ Ignore at your own peril. WordPress is the target of
innumerable hackers.
❖ Even if you feel that your website or small business is
too small to be a target, you need to remember that a
large percentage of attacks are automated and not
specifically directed at your website.
❖ Despite what feels like doom and gloom, the best
decision you can make is to be proactive with your
WordPress security posture.

39. Final Thoughts
❖ OWASP Wordpress Security Implementation Guideline
❖ https://www.owasp.org/index.php/OWASP_Wordpress_
Security_Implementation_Guideline

40. Final Thoughts
❖ Limit access to vital parts of your WordPress site
❖ Making it more difficult for a hacker to access specific parts or your
site:
❖ • Secure your wp-config.php file
❖ • Make sure your directories and files have the correct permissions.
❖ • Disable the File Editor in the WordPress Admin panel which
means a hacker will require FTP access to access core and theme
files.
❖ Limiting access also includes the use of appropriate user roles.

41. Final Thoughts
❖ How to Disable Password Change Notifications in WordPress
❖ If you want to disable the email notifications for password changes of
users on your WordPress site, just insert this piece of code into your
theme’s functions.php file or create a custom functionality plugin and
insert this code in there:
if ( !function_exists( 'wp_password_change_notification'
) ) {
function wp_password_change_notification() {}
}

42. Presenter
Nick Batik
Started in web development in 1994 and
have been a WordPress consultant,
and web developer since 2007. A
WordPress evangelist, I’ve served as
Austin WordPress Meetup co-organizer
since 2010. With my partner, co-founded
Pleiades Publishing Services in 1992
and Hands-On WordPress Training in
2010.
Follow me @nick_batik / @WPATX
Contact me at: handsonwp.com
https://www.linkedin.com/in/nicholasbati
k