WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläinen (extended edition)


Page 1: WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläinen (extended edition)

@ottokekalainen

WORDPRESS SECURITY 101
what is important – and what is not

WordCamp Finland 2016
Otto Kekäläinen

Page 2

Definition of information security

1. Confidentiality
2. Integrity
3. Availability

Page 3

You must keep your WordPress site secure

Page 4

Potential consequences

● Corrupted orders database: webshop unable to ship anything or resolve payments
● Leaked customer database: angry customers, lawsuit for neglect of privacy laws
● Visitors get redirected to shady sites: lost reputation, marketing budget goes in vain
● Site spreads malware: Google might detect and ban from showing up in search results
● Site sends spam: could become blacklisted and legit email stops working

Page 5

“But my site is not important!”

Your site can be used to mount further attacks!

If you have clearly neglected the maintenance of your own site, you could be held partly liable for attacks on other sites.

Page 6

What is really important in keeping your WordPress site secure?

Page 7

Avenues of unauthorized access:

1. Leaked passwords
2. Software vulnerabilities

Page 8

Leaked passwords

Page 9

Remember password hygiene
seravo.fi/2014/password-hygiene-every-mans-responsibility

Page 10

HTTPS, SFTP, SSH
Never submit passwords over an unencrypted connection!

Page 11

Enforce HTTPS in WordPress

1. Your server needs to support HTTPS
2. Enforce in wp-config.php with: define('FORCE_SSL_ADMIN', true);

Page 12

Use captcha to avoid robot users
Google reCaptcha recommended

Page 13

Software vulnerabilities

Page 14

Minimize vulnerabilities

1. Minimize the attack surface by minimizing the amount of software you have
2. For the software you really need, make sure you have updated to the latest releases
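A way to check both rules on a running site, added here as an example that is not part of the talk: a WP-CLI plugin audit that flags deactivated plugins for removal (their files are still on disk and can still be requested directly, so deactivating is not the same as removing) and plugins with a pending update. It assumes WP-CLI is installed, that the script runs in the site root, and that the first three columns of `wp plugin list --format=csv` are name,status,update.

```shell
#!/bin/sh
# Added example, not from the talk: audit a site's plugins from WP-CLI output.
# Assumes WP-CLI is installed, the script runs in the site's root, and the
# first three CSV columns of "wp plugin list --format=csv" are
# name,status,update (true of current WP-CLI releases).
#
# The two slide rules as findings:
#   REMOVE  inactive plugins: deactivated code is still on disk and can still
#           be requested directly, so deactivating is not removing
#   UPDATE  plugins for which an update is available

# Reads the CSV on stdin, prints one "<ACTION> <plugin>" line per finding.
audit_plugins() {
    awk -F, 'NR > 1 {
        name = $1; status = $2; update = $3
        if (status == "inactive")       print "REMOVE " name
        else if (update == "available") print "UPDATE " name
    }'
}

# Runs the audit on the live site; exits 1 when there is work to do, so a
# cron job or CI step notices.
audit_site() {
    findings=$(wp plugin list --format=csv | audit_plugins)
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    echo "plugins OK"
}

if [ "${1:-}" = "run" ]; then audit_site; fi
```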

Page 15

How secure is the WordPress core?

Security bugs per 1000 lines of code written

All time: 0,1 (204 CVE entries per 2,1 million lines of code)

In 2015: 0,05 (11 CVE entries per 236 000 lines of code)

Page 16

WordPress core is secure.

Page 17

The problem is the plugins.

Page 18

Combined core, plugin and theme vulnerability database:
wpvulndb.com

Page 19

Example case: Mossack Fonseca aka Panama papers

● The site www.mossfon.com was running WordPress
● Unauthorized access of WP led to unauthorized access of the MS Exchange email server on the internal network and other sites at *.mossfon.com
● The intruders most likely came through an old and insecure version of the Revolution Slider plugin.
  ○ Well known vulnerability, WordPress.org even has a patch as a separate plugin (https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not available at WordPress.org.

Page 20

Example case: Mossack Fonseca aka Panama papers

● Case analysis at https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

Page 21

WP plugin review guidelines for capitalists*

If the logo is red and name contains revolution, don’t install it on your system!

* a small dose of parody can’t hurt?

Page 22

If you run your own server

Also remember to harden and keep updated

● operating system
● web server
● database server
● PHP environment

Page 23

Install only from trusted sources.

Avoid random 3rd party repositories that don’t have any maintenance policy.

Page 24

Don’t waste time on

● removing generator meta or hiding version numbers
● hiding login errors
● changing wp-admin location
● removing readme.html or other files
● disabling xmlrpc

Only for WP geeks who love to research the pros and cons. For normal users WordPress default settings are secure.

Page 25

False sense of security: feels like a lot has been done when really very little has.

Page 26

Security plugins are not the solution

Scan results require interpretation. Recommended only for professionals.

Page 27

The only recommended ones: WPScan and Google Webmaster Tools
Almost no false positives and no business model based on spreading fear.

Page 28

Protection against DDOS

What if the problem is not unauthorized access but the lack of authorized access?

Page 29

Denial of service attacks
Detect, withstand and block

● high performance servers and good caching

● detect repeated offenders and block at network level

○ e.g. fail2ban + iptables

DDOS is a constant race of new techniques of attack and defence. Try to find a good hosting provider that takes care of DDOS at least on the network level.
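The "detect repeated offenders" step in miniature, added here as an example that is not part of the talk: a script that counts failed wp-login.php POSTs per client address in a web server access log and prints the iptables block a fail2ban action would apply. It assumes Apache/nginx combined log format and relies on the fact that WordPress answers a failed login POST with 200 (the form is re-rendered) and a successful one with a 302 redirect; the log lines are constructed samples.

```shell
#!/bin/sh
# Added example, not from the talk: find addresses hammering wp-login.php in a
# web server access log. This is the signal a fail2ban filter matches before
# fail2ban tells iptables to drop the address; here it is a one-shot script
# over constructed sample lines.
# Assumes Apache/nginx combined log format: client IP is field 1, the request
# is quoted ("POST /wp-login.php HTTP/1.1"), the status code follows it.
# WordPress answers a failed login POST with 200 (it re-renders the form) and
# a successful one with a 302 redirect, so only POST + 200 counts as failure.

# usage: wp_login_offenders THRESHOLD < access.log  -> "<failures> <ip>" lines
wp_login_offenders() {
    awk -v limit="$1" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fail[$1]++ }
        END { for (ip in fail) if (fail[ip] >= limit) print fail[ip], ip }
    ' | sort -rn
}

# Constructed sample: one address fails three times, one user logs in (302).
sample_log() {
    cat <<'EOF'
203.0.113.7 - - [14/May/2016:10:00:01 +0300] "POST /wp-login.php HTTP/1.1" 200 2843 "-" "curl/7.47"
203.0.113.7 - - [14/May/2016:10:00:02 +0300] "POST /wp-login.php HTTP/1.1" 200 2843 "-" "curl/7.47"
203.0.113.7 - - [14/May/2016:10:00:03 +0300] "POST /wp-login.php HTTP/1.1" 200 2843 "-" "curl/7.47"
198.51.100.2 - - [14/May/2016:10:01:00 +0300] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [14/May/2016:10:01:01 +0300] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

# What a fail2ban action would run for each offender (printed, not executed).
block_commands() {
    wp_login_offenders "$1" | while read -r count ip; do
        echo "iptables -I INPUT -s $ip -j DROP   # $count failed logins"
    done
}

if [ "${1:-}" = "demo" ]; then sample_log | block_commands 3; fi
```

fail2ban does the same thing continuously and also lifts the block after a ban time, which a hand-rolled iptables rule never does.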

Page 30

Backup and recovery

Because some day, sooner or later, everything else fails.

Page 31

Backup guidelines 1/2

Make sure your backup system meets these requirements

● automatic: not dependent on human action

● complete: both files and database

● incremental with a history: at least 30 days

● frequent: daily is good

Page 32

Backup guidelines 2/2

List continues...

● offsite: in case access to the original site is lost
● pull, not push: the original site should not have access to the backups, otherwise an attacker can delete both the original site and all backups

Personal favourite: mysqldump + rdiff-backup over SSH
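The favourite named on the slide as a pull-style script, added here as an example that is not from the talk: it runs on the backup host, which holds an SSH key for the site, while the site holds no credentials for the backup host. Host names, paths and the database name are placeholders; it assumes a ~/.my.cnf with read-only database credentials on the site and rdiff-backup's classic host::path syntax.

```shell
#!/bin/sh
# Added example, not from the talk: pull backup of a WordPress site with
# mysqldump + rdiff-backup over SSH, run on the backup host. The backup host
# holds an SSH key for the site; the site holds nothing for the backup host,
# which is what makes it "pull, not push".
# Assumptions: placeholder host/paths below; a ~/.my.cnf with read-only DB
# credentials on the site so mysqldump needs no password on the command line;
# rdiff-backup's classic "host::path" syntax.
set -u

SITE=backup@www.example.org         # site host (placeholder)
SITE_ROOT=/var/www/html             # WordPress files on the site
DB=wordpress                        # database name (placeholder)
DEST=/srv/backups/example.org       # local store on the backup host
KEEP=30D                            # slide: keep at least 30 days of history

# A pipeline's exit status is gzip's, so a dropped SSH session or a mysqldump
# error would still leave a "successful" file behind. mysqldump ends a complete
# dump with a "-- Dump completed" trailer; require it.
check_dump() {
    gzip -dc "$1" | tail -n 3 | grep -q '^-- Dump completed'
}

pull_db() {
    out="$DEST/db/$(date +%F).sql.gz"
    mkdir -p "$DEST/db"
    ssh "$SITE" "mysqldump --single-transaction --quick $DB" | gzip > "$out"
    check_dump "$out" || { echo "incomplete dump: $out" >&2; return 1; }
}

# rdiff-backup keeps a current mirror plus reverse increments, i.e. a history.
pull_files() {
    rdiff-backup "$SITE::$SITE_ROOT" "$DEST/files" &&
    rdiff-backup --force --remove-older-than "$KEEP" "$DEST/files"
}

prune_db() {
    find "$DEST/db" -name '*.sql.gz' -mtime +30 -delete
}

main() { pull_db && pull_files && prune_db; }

if [ "${1:-}" = "run" ]; then main; fi
```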

Page 33

Once more with a feeling

Page 34

WordPress security 101

1. Always follow password hygiene.
2. Use captchas to stall robot users.
3. Use HTTPS (and SFTP and SSH) – never submit passwords in plain text on any network connection.
4. Remove unnecessary software to reduce attack surface.
5. Keep WordPress plugins, and all other software too, updated to have all known vulnerability fixes installed.
6. Install software and update only from trusted sources.
7. Have a good backup system in place.
8. Choose a good service provider and trust them to take care of the rest.

Page 35

Thank You!

Visit https://wp-palvelu.fi/blogi for more tips (in Finnish)