The document discusses WordPress security beyond just using security plugins. It emphasizes that WordPress security is often neglected but important, especially for business sites. While security plugins are helpful, a defense-in-depth approach with additional layers of security is recommended. The presentation provides practical advice on prevention, detection of compromises, and steps users can take including regular backups, choosing quality plugins, strong passwords, monitoring, and maintenance. WordPress is a common target because of its popularity and past vulnerabilities. The impacts of breaches on businesses can be significant.
2. About This Presentation
• WordPress security is an often neglected topic, and with WordPress being used for more complex and business-critical sites, it needs to be treated far more seriously.
• It’s not uncommon to hear comments like “just install a security plugin and it’ll be right!”. Security plugins and services are a step in the right direction, but there are many other steps you can take to keep your site secure.
• In this presentation, Chris will provide some practical advice on how you can add additional layers of security to your WordPress website.
3. Overview
• Who Is This Guy?
• Why Should I Care?
• How Sites Are Compromised
• Prevention
• Practical Detection
• What Can You Do?
• Further Resources
4. Who Is This Guy?
• Chris Burgess
• Passionate about web development, security and digital marketing
• Passionate about keeping up-to-date with the latest web technologies
7. Not Everyone Loves Security But Everyone Should Care About It.
• Are you a WordPress developer?
• Do you have your own WordPress site?
• Do you manage WordPress sites for your clients?
If you answered “Yes” to any of the above questions, then you should factor WordPress security practices into your workflow.
8. Security Is Not Absolute. It’s About Risks And Managing The Risks.
It’s all about context…
9. “Security is not a product, security is a process”
Bruce Schneier
11. Don’t Wait Until You See Something Like This Before You Care.
https://www.google.com/webmasters/hacked/
12. Be Proactive. Not Just Reactive.
http://www.dailymail.co.uk/news/article-1388660/Mississippi-River-flooding-Residents-build-homemade-dams-saves-houses.html
13. There Is No Such Thing As Absolute Security But You Can Reduce Risks
15. Common Myths And Misconceptions
“WordPress sites always get hacked.”
“No one is interested in attacking my site.”
“I’ve got nothing valuable for anyone to steal.”
“Security is not my problem, my host/developer/plugin takes care of security for me.”
17. Attackers
• A person or group who’s trying to attack your site
• It may be personal, but the majority of the time you’re just a victim of opportunity
• Typically, your website is just one faceless entity on a massive list of sites/addresses being scanned and probed.
• Mostly motivated by economic gain
18. They Can Do It Via…
OUT OF DATE OR VULNERABLE THEMES
OUT OF DATE OR VULNERABLE PLUGINS
OUT OF DATE VERSION OF WORDPRESS
INTEGRATIONS
POOR PROCESSES
BAD PASSWORDS AND PASSWORD MANAGEMENT
MISCONFIGURATION
HUMAN ERROR
41. “Most successful WordPress hack attacks are typically the result of human error, be it a configuration error or failing to maintain WordPress, such as keeping core and all plugins up to date, or installing insecure plugins etc.”
- Robert Abela (@robertabela)
42. What Are The Impacts On Businesses?
IMPACTS BOTTOM LINE
• Loss in revenue and customers
• Cost of professional help, your time & resources
• Potential legal and compliance issues
DAMAGE TO REPUTATION
• Affects brand reputation
• Compromise to your visitors
• Loss of trust and confidence amongst clients
STRESS ON TEAM
• Causes you unnecessary stress dealing with it
• Causes stress to your team
• Causes stress to colleagues and clients
TECHNICAL ISSUES
• Domain & IP reputation, website blacklisting & email deliverability
• SEO and SEM impacts
• Downtime and outages
46. “Is Penetration Testing Worth it? There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You’re vulnerable. Now, go do something useful about it.”
-- Bruce Schneier
http://www.schneier.com/blog/archives/2007/05/is_penetration.html
48. Defense In Depth
“While we boast the idea of employing a defense in depth strategy in the design of our offering, we can’t say it’s the only defense in depth strategy an organization will need. The strategy involves much more than our tools. Instead, we say that we are a complementary solution to your existing security posture and we encourage you to use any other tools you require to round out your defensive position.”
Sucuri
52. Defense In Depth
• We can't talk about WordPress security without talking about the other layers.
• While more layers help secure our assets, they also introduce other issues such as complacency and a false sense of security.
• UX: additional security measures can be cumbersome to manage (that said, I'd rather manage these issues than deal with a security incident).
54. Tools
• You can’t rely only on tools; they won’t always detect a compromise.
• Most WordPress security tools work by using signatures.
• Scanning your site with online tools works only if your site has active malware, is defaced or blacklisted.
• If a site has been compromised, it cannot be trusted.
58. 1500+ Files In A Default WordPress Installation – Excluding Themes & Plugins.
• WordPress relies on many popular Open Source libraries (as does most software).
• Here are a few of the most common ones:
• jQuery
• jQuery Masonry
• jQuery Hotkeys
• jQuery Suggest
• jQuery Form
• jQuery Color
• jQuery Migrate
• jQuery Schedule
• jQuery UI
• Backbone
• colorpicker
• hoverIntent
• SWFObject
• TinyMCE
• Atom Lib
• Text Diff
• SimplePie
• Pomo
• ID3
• Snoopy
• PHPMailer
• POP3 Class
• PHPass
• PemFTP
59. Isolation
• Look out for a shared web root, “addon” domains in cPanel, other web apps in subfolders.
64. A Word On Staging/Test Environments
• While it’s never been easier to clone, copy or spin up a new instance of an environment, it’s also never been easier to lose track of and fail to manage these environments.
• In many respects, these are softer targets than your production sites, so make sure they’re protected.
65. Checking Content
• You can check your site from both a back end and a front end perspective. This is particularly useful since malware will use measures to hide its existence (for example, serving clean content to logged-in users and injected content to anonymous visitors or search engine crawlers).
• Grep for server side (the PHP files on disk)
• ScreamingFrog for crawling Internet-facing (rendered) content
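The server-side check from the slide above, written out as an added example (not from the presentation): a hash manifest taken while the site was known-good is compared with the live web root, and PHP files are grepped for the eval/obfuscation idioms that injected code tends to use. The demo tree, file names and the harmless "payload" strings are all constructed for the example; it assumes POSIX sh with `sha256sum`, `find` and `join` available.

```sh
# Added example, not part of the slides. Part 1: manifest diff (added/changed/
# removed files against a known-good baseline). Part 2: grep PHP files for
# constructs common in injected code. A grep hit is a lead to inspect, not a
# verdict; a core file whose hash changed is the stronger signal.

# Print "relative-path sha256" for every file under $1, sorted for join(1).
# (Paths containing whitespace are not handled; default WordPress has none.)
make_manifest() {
  ( cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
      printf '%s %s\n' "$f" "$(sha256sum "$f" | cut -d' ' -f1)"
    done )
}

# Compare saved manifest $1 against web root $2; one line per difference.
integrity_diff() {
  cur=$(mktemp)
  make_manifest "$2" > "$cur"
  LC_ALL=C join -v1 "$1" "$cur" | awk '{print "REMOVED " $1}'   # gone from disk
  LC_ALL=C join -v2 "$1" "$cur" | awk '{print "ADDED   " $1}'   # not in baseline
  LC_ALL=C join "$1" "$cur"     | awk '$2 != $3 {print "CHANGED " $1}'
  rm -f "$cur"
}

# Report "file:line:text" for PHP under $1 matching eval/obfuscation idioms.
# /dev/null forces the filename prefix even when only one file is checked.
suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -nE \
    'eval[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|preg_replace[[:space:]]*\([^)]*/e' \
    /dev/null {} +
}

# Constructed demo tree: a tiny known-good copy and its baseline, then a live
# copy with a core file appended to, a PHP file dropped in uploads, one removed.
demo() {
  w=$(mktemp -d)
  mkdir -p "$w/good/wp-includes" "$w/good/wp-content/uploads"
  printf '<?php\nfunction wp_demo() { return 1; }\n' > "$w/good/wp-includes/functions.php"
  printf '<?php\nrequire "wp-blog-header.php";\n' > "$w/good/index.php"
  make_manifest "$w/good" > "$w/baseline.txt"
  cp -R "$w/good" "$w/live"
  printf 'eval(base64_decode("c3R1Yg=="));\n' >> "$w/live/wp-includes/functions.php"
  printf '<?php echo str_rot13("qrzb");\n' > "$w/live/wp-content/uploads/cache.php"
  rm "$w/live/index.php"
  integrity_diff "$w/baseline.txt" "$w/live"
  suspicious_php "$w/live"
  rm -rf "$w"
}

demo
```

In practice the baseline manifest is taken right after a clean install or upgrade and stored off the server, since a manifest kept in the web root can be rewritten by whoever modified the files.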
66. If The Server Has Been Compromised, It Cannot Be Trusted.
75. Security issues typically occur because of certain patterns. Cleaning, restoring or rebuilding doesn’t address that. Compromised sites are much more likely to become compromised again. Get everyone on board to take security seriously.
76. What Can You Do?
• Establish basic processes
• Practice the principle of least privilege (POLP)
• Take backups seriously
• Be ruthless with your Plugin choices
• Maintain
• Monitor
• Choose a good host
90. Just Because…
• We don’t rely ONLY on security plugins doesn’t mean we shouldn’t use them…
• Sucuri, Wordfence, iThemes Security etc. are all excellent choices. Learn to use them effectively.
• For high value assets, I’d highly recommend paying for a premium licence.
95. Places to Learn about General Web App Security
• OWASP (global): https://www.owasp.org/index.php/Main_Page
• OWASP Melbourne: https://www.meetup.com/Application-Security-OWASP-Melbourne/
98. Chris Burgess ∙ @chrisburgess ∙ https://chrisburgess.com.au/
Thanks/Questions?
Editor's notes
Malware Family
Backdoor - Files used to reinfect and retain access.
Malware - Generic term used for browser-side code used to create drive-by downloads.
SPAM-SEO - Compromise that targets a website’s SEO.
HackTool - Exploit or DDoS tools used to attack other sites.
Defaced - Hacks that leave a website’s homepage unusable and promoting an unrelated subject (i.e., hacktivism).
Phishing - Used in phishing lures in which attackers attempt to trick users into sharing sensitive information (i.e., login information, credit card data, etc.).