The document discusses WordPress security beyond just using security plugins. It emphasizes that WordPress security is often neglected but important, especially for business sites. While security plugins are helpful, a defense-in-depth approach with additional layers of security is recommended. The presentation provides practical advice on prevention, detection of compromises, and steps users can take including regular backups, choosing quality plugins, strong passwords, monitoring, and maintenance. WordPress is a common target because of its popularity and past vulnerabilities. The impacts of breaches on businesses can be significant.

1. Professional WordPress Security: Beyond
Security Plugins
Chris Burgess ∙ @chrisburgess ∙ https://chrisburgess.com.au/

2. About This Presentation
• WordPress security is an often neglected topic, and with WordPress being
used for more complex and business-critical sites, it needs to be treated far
more seriously.
• It’s not uncommon to hear comments like “just install a security plugin and it’ll
be right!“. Security plugins and services are a step in the right direction, but
there are many other steps you can take to keep your site secure.
• In this presentation, Chris will provide some practical advice on how you can
add additional layers of security to your WordPress website.
About This Presentation
• WordPress security is an often neglected topic, and with
WordPress being used for more complex and business-
critical sites, it needs to be treated far more seriously.
• It’s not uncommon to hear comments like “just install a
security plugin and it’ll be right!“. Security plugins and
services are a step in the right direction, but there are many
other steps you can take to keep your site secure.
• In this presentation, Chris will provide some practical advice
on how you can add additional layers of security to your
WordPress website.

3. Overview
• Who Is This Guy?
• Why Should I Care?
• How Sites Are Compromised
• Prevention
• Practical Detection
• What Can You Do?
• Further Resources

4. Who Is This Guy?
• Chris Burgess
• Passionate about web development, security and digital
marketing
• Passionate about keeping up-to-date with the latest web
technologies

5. Why Should I Care?

6. Is This How You Feel About The Topic?

7. Not Everyone Loves Security But Everyone Should
Care About It.
• Are you a WordPress developer?
• Do you have your own WordPress site?
• Do you manage WordPress sites for your clients?
If you answered ”Yes” to any of the above questions, then you should factor
WordPress security practices into your workflow.

8. Security Is Not Absolute. It’s About
Risks And Managing The Risks.
It’s all about context…

9. “Security is not a product, security is a
process"
Bruce Schneier

10. Probability vs Severity

11. Don’t Wait Until You See Something Like This Before
You Care.
https://www.google.com/webmasters/hacked/

12. Be Proactive. Not Just Reactive.
http://www.dailymail.co.uk/news/article-1388660/Mississippi-River-flooding-Residents-build-homemade-dams-saves-houses.html

13. There Is No Such Thing As Absolute
Security But You Can Reduce Risks

14. How Sites Are Compromised

15. Common Myths And Misconceptions
“WordPress sites always get hacked.”
“No one is interested in attacking my site.”
“I’ve got nothing valuable for anyone to steal.”
“Security is not my problem, my host/developer/plugin takes care
of security for me.”

17. Attackers
• A person or group who’s trying to attack your site
• It may personal, but the majority of the time, you’re just a victim of opportunity
• Typically, your website is just one faceless entity on a massive list of
sites/addresses being scanned and probed.
• Mostly motivated by economic gain

18. They Can Do It Via…
OUT OF DATE OR VULNERABLE THEMES
OUT OF DATE OR VULNERABLE PLUGINS
OUT OF DATE VERSION OF WORDPRESS
INTEGRATIONS
POOR PROCESSES
BAD PASSWORDS AND
PASSWORD MANAGEMENT
MISCONFIGURATION
HUMAN ERROR

19. Sucuri Website Hacked Trend Report 2018
https://sucuri.net/reports/2018-hacked-website-report/

20. What Sites Are Mostly Affected?
https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf

21. https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf

22. https://www.google.com/webmasters/hacked/

23. Real example of a compromised site in Google search results

24. Real example of a compromised site in Google search results

25. Real Example of a DoS attack

26. Google Search Console

27. Netregistry email about compromised site

28. Real example of a malicious plugin

29. Real example of a malicious file

30. Google Search Console

31. Ahrefs and Google Search Console

32. Real example of black hat SEO

33. Real example of anchor text from ahrefs.

34. Real example of links in Google Search Console

36. Real example of a malicious plugin.

37. Real example of a malicious plugin.

38. Real example of black hat SEO.

39. Why WordPress Is A Popular Target?
https://trends.builtwith.com/cms/country/Australiahttps://trends.builtwith.com/cms

40. Example Of WordPress Vulnerabilities
Source: http://wptavern.com

41. “Most successful WordPress hack attacks
are typically the result of human error, be
human error, be it a configuration error or
configuration error or failing to maintain
maintain WordPress, such as keeping
keeping core and all plugins up to date, or
to date, or installing insecure plugins etc.”
plugins etc.”
- Robert Abela (@robertabela)

42. What Are The Impacts On Businesses?
• Loss in revenue and customers
• Cost of professional help, your time & resources
• Potential legal and compliance issues
• Affects brand reputation
• Compromise to your visitors
• Loss of trust and confidence amongst clients
IMPACTS BOTTOM LINE
DAMAGE TO REPUTATION
STRESS ON TEAM
TECHNICAL ISSUES
• Causes you unnecessary stress dealing with it
• Causes stress to your team
• Causes stress to colleagues and clients
• Domain & IP reputation, website blacklisting & email deliverability
• SEO and SEM impacts
• Downtime and outages

43. Prevention

44. Security Plugins
https://www.wordfence.com/
https://sucuri.net/
https://ithemes.com/security/

45. Defense in depth
https://technet.microsoft.com/en-us/library/cc512681.aspx

46. "Is Penetration Testing Worth it? There are two reasons
why you might want to conduct a penetration test. One,
you want to know whether a certain vulnerability is
present because you're going to fix it if it is. And two,
you need a big, scary report to persuade your boss to
spend more money. If neither is true, I'm going to save
you a lot of money by giving you this free penetration
test: You’re vulnerable. Now, go do something useful
about it."
-- Bruce Schneier
http://www.schneier.com/blog/archives/2007/05/is_penetration.htm
l

47. https://www.edureka.co/blog/what-is-cybersecurity/

48. Defense In Depth
“While we boast the idea of employing a defense in depth strategy in the design
of our offering, we can’t say it’s the only defense in depth strategy an
organization will need. The strategy involves much more than our tools. Instead,
we say that we are a complementary solution to your existing security posture
and we encourage you to use any other tools you require to round out your
defensive position.”
Sucuri

49. https://bigideatech.com/how-a-defense-in-depth-strategy-protects-businesses-from-ransomware-and-other-cyberattacks/

50. https://www.slideshare.net/helhum/typo3-develop

51. https://newsroom.fb.com/news/2019/01/designing-security-for-billions/

52. Defense In Depth
• We can't talk about WordPress security without talking about the other layers.
• While more layers help secure our assets, they also introduce other issues
such as complacency and a false sense of security.
• UX, additional security measures can be cumbersome to manage. (that said,
I'd rather manage these issues than deal with a security incident)

53. Practical Detection

54. Tools
• You can’t rely only on tools, they won’t always detect a compromise.
• Most WordPress security tools work by using signatures.
• Scanning your site with online tools work only if your site has active malware,
is defaced or blacklisted.
• If a site has been compromised, it cannot be trusted.

55. WPScan

56. Example of WPScan

58. 1500+ Files In A Default WordPress Installation –
Excluding Themes & Plugins.
• WordPress relies on a many popular Open Source libraries (as does most
software).
• Here are a few of the most common ones:
• jQuery
• jQuery Masonry
• jQuery Hotkeys
• jQuery Suggest
• jQuery Form
• jQuery Color
• jQuery Migrate
• jQuery Schedule
• jQuery UI
• Backbone
• colorpicker
• hoverIntent
• SWFObject
• TinyMCE
• Atom Lib
• Text Diff
• SimplePie
• Pomo
• ID3
• Snoopy
• PHPMailer
• POP3 Class
• PHPass
• PemFTP

59. Isolation
• Look out for a shared web root, “addon” domains in cPanel, other web apps in
subfolders.

60. example.com/index.php

61. example.com/otherapp/

62. example.com/*

63. example.com/*

64. A Word On Staging/Test Environments
• While it’s never been easier to clone, copy, spin-up a new instance of an
environment, it’s also never been easier to lose track and manage these
environments.
• In many respects, these are softer targets than your production sites, so make
sure they’re protected.

65. Checking Content
• You can check your site from both a back end and front end perspective, this
is particularly useful since malware will use measures to hide its existence
• Grep for server side
• ScreamingFrog for crawling Internet facing (rendered) content

66. If The Server Has Been Compromised,
It Cannot Be Trusted.

67. System Monitoring
• Resources (Bandwidth/CPU/RAM/IO)
• Logins
• Processes

68. Integrity Monitoring
• Tripwire
• git
• wp-cli
• Any diff tools
• Plugins

69. Firewalls
• Network Firewalls
• Web Application Firewalls
• Security Services
• Proxies

70. IDS/IPS
• Typically at the host level
• OSSEC

71. Logging
• /var/log (access, error, php)
• Centralised Logging or Log Shipping
• Audit trails

72. Places To Check…
• Content/files
• Running processes
• Running scripts, open files (look at full paths in processes)
• Memory
• Cron jobs
• Database
• Date and timestamps
• Suspicious plugins
• Suspicious directories/files
• Sitemaps/SERPs
• WordPress Admin Users
• Other users in GSC
• Code audit

73. What Can You Do?

74. Image Source: https://twitter.com/sittingduckdev

75. Security issues typically occur because of certain
patterns. Cleaning, restoring or rebuilding doesn’t
address that. Compromised sites are much more likely
to become compromised again. Get everyone on board
to take security seriously.

76. What Can You Do?
• Establish basic processes
• Practice the principle of least privilege (POLP)
• Take backups seriously
• Be ruthless with your Plugin choices
• Maintain
• Monitor
• Choose a good host

77. Be Practically Paranoid
http://favoritememes.com/_nw/37/42148895.jpg

78. Practice Principle Of Least Privilege

79. Regular Backups & Offsite Storage
• Server Level Backups - cPanel/Plesk, Replication, Snapshots
• Backup Services
• Backup Plugins - Updraft Plus, WordPress Backup to Dropbox, VaultPress,
Backup Buddy, Duplicator etc.
• Manual Backups
• Exports
IMPORTANT: Don’t have publicly accessible backups (e.g /backup.zip) or config files
(wp-config.php.old)

80. Choose Only Quality Plugins

82. Regular Website Maintenance
“Patch early and patch often”

83. Use Isolation
• Separate Users/Servers/Instances
• Keeps attacks isolated
• Far more advantages than disadvantages

84. Use SSL
• SSL is now free on most good hosts
• Make sure it’s configured correctly (or use Really Simple SSL)

85. Use Strong Encryption Everywhere
• SFTP/SCP
• SSH
• HTTPS
• Avoid ”Less Secure” options

86. Use Google Search Console

87. Use Password/Key Management
• LastPass
• Dashlane
• 1Password
• Browser Password Manager
• Native OS
• KeePass
• Passwordsafe

88. Use Two Factor Authentication

89. Maintain Server Security
• Monitoring
• Integrity Monitoring
• Firewalls
• IDS/IPS
• Logging

90. Just Because…
• We don’t rely ONLY on security plugins doesn’t mean we shouldn’t use
them…
• Sucuri, Wordfence, iThemes Security etc. are all excellent choices. Learn to
use them effectively.
• For high value assets, I’d highly recommend paying for a premium licence.

91. Further Resources

92. Reading
• WordPress Docs/Codex
• OWASP
• OS/Platform Specific Resources (AWS, Ubuntu, Docker etc.)
• Host Management Specific Resources (Plesk, cPanel etc.)
• Stay Updated

93. Other Resources
• WordPress.org
• https://wordpress.org/about/security/
• https://wordpress.org/news/category/security/
• Google Safe Browsing -
https://www.google.com/transparencyreport/safebrowsing/diagnostic/
• OWASP WordPress Security -
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementati
on_Guideline

94. • https://wpvulndb.com/
• https://www.wpsecuritybloggers.com
• https://www.wpwhitesecurity.com
• https://sucuri.net/
• https://wpscan.org/

95. Places to Learn about General Web App Security
• OWASP (global): https://www.owasp.org/index.php/Main_Page
• OWASP Melbourne: https://www.meetup.com/Application-Security-OWASP-
Melbourne/

96. https://www.owasp.org/index.php/Main_Page

97. https://wpaustralia.org/

98. Chris Burgess ∙ @chrisburgess ∙ https://chrisburgess.com.au/
Thanks/Questions?