WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WORDPRESS SECURITY 101
What is important – and what is not
WordPress Jyväskylä Meetup 21.3.2017
Otto Kekäläinen
@ottokekalainen
DEFINITION OF INFORMATION SECURITY
1. Confidentiality
2. Integrity
3. Availability
You must keep your WordPress site secure.
POTENTIAL CONSEQUENCES
● Corrupted orders database: webshop unable to ship anything or resolve payments
● Leaked customer database: angry customers, lawsuit for neglect of privacy laws
● Visitors get redirected to shady sites: lost reputation, marketing budget goes in vain
● Site spreads malware: Google might detect and ban from showing up in search results
● Site sends spam: could become blacklisted and legit email stops working
“BUT MY SITE IS NOT IMPORTANT!”
Your site can be used to mount further attacks!
If you have clearly neglected the maintenance of your own site, you could be held partly liable for attacks on other sites.
What is REALLY important in keeping your WordPress site secure?
AVENUES OF UNAUTHORISED ACCESS:
1. Leaked passwords
2. Software vulnerabilities
LEAKED PASSWORDS
Remember password hygiene
wp-palvelu.fi/blogi/salasanahygienia/
HTTPS, SFTP, SSH
Never submit passwords over an unencrypted connection!
Enforce HTTPS in WordPress
1. Your server needs to support HTTPS
2. Enforce in wp-config.php with: define('FORCE_SSL_ADMIN', true);
Use captcha to avoid robot users
Google reCaptcha recommended
SOFTWARE VULNERABILITIES
MINIMIZE VULNERABILITIES
1. Minimize the attack surface by minimizing the amount of software you have
2. For the software you really need, make sure you have updated to latest releases
HOW SECURE IS WORDPRESS CORE?
Security bugs per 1000 lines of code written
All time: 0,1 (204 CVE entries per 2,1 million lines of code)
In 2015: 0,05 (11 CVE entries per 236 000 lines of code)
WORDPRESS CORE IS SECURE.
THE PROBLEM IS THE PLUGINS.
Combined core, plugin and theme vulnerability database: wpvulndb.com
Example case: Mossack Fonseca aka Panama papers
● The site www.mossfon.com was running WordPress
● Unauthorized access of WP led to unauthorized access of the MS Exchange email server on the internal network and of other sites at *.mossfon.com
● The intruders most likely came through an old and insecure version of the Revolution Slider plugin.
○ Well known vulnerability; WordPress.org even has a patch as a separate plugin (https://wordpress.org/plugins/patch-for-revolution-slider/), as Revolution Slider itself is not available at WordPress.org.
Example case: Mossack Fonseca aka Panama papers
● Case analysis at https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
WP PLUGIN REVIEW GUIDELINES FOR CAPITALISTS*
If the logo is red and name contains revolution, don’t install it on your system!
* a small dose of parody can’t hurt?
PLUGIN SECURITY
1. Minimize the attack surface by minimizing the amount of plugins (and themes) you have
2. For the plugins you really need, make sure you have updated to latest releases
You will not minimize vulnerabilities by installing more plugins!
WordPress is insecure! Quickly, install a security plugin!
NO
DON’T WASTE TIME ON
● removing generator meta or hiding version numbers
● hiding login errors
● changing wp-admin location
● removing readme.html or other files
Only for WP geeks who love to research the pros and cons. For normal users WordPress default settings are secure.
FALSE SENSE OF SECURITY
Feels like a lot has been done when really very little has.
Example: useless readme.html blocking = don’t!
Example: useless readme.html blocking
Versions leak anyway
Example: useless readme.html blocking
...and other WordPress integrity checks trigger
Disclaimer: WordFence was used just as an example. It is still the best guy in town. Many other security plugins are much worse.
SECURITY PLUGINS ARE NOT THE SOLUTION
Scan results require interpretation. Recommended only for professionals.
The only recommended ones: WPScan and Google Webmaster Tools
Almost no false positives and no business model based on spreading fear.
IF YOU RUN YOUR OWN SERVER
Also remember to harden and keep updated
● operating system
● web server
● database server
● PHP environment
● HTTPS hardening
● SSH hardening
INSTALL ONLY FROM TRUSTED SOURCES
Avoid random 3rd party repositories that don’t have any maintenance policy.
PROTECTION AGAINST DDOS
What if the problem is not unauthorized access but the lack of authorized access?
DENIAL OF SERVICE ATTACKS
Detect, withstand and block
● high performance servers and good caching
● detect repeated offenders and block at network level
○ e.g. fail2ban + iptables
● detect and block at http level
○ e.g. Nginx rate limiting
● If you are trying to block at PHP/WordPress level, you’ve already lost
DDOS is a constant race of new techniques of attack and defence. Try to find a good hosting provider that takes care of DDOS at least on the network level.
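The "detect repeated offenders and block at network level" step above, as an added shell example that is not from the talk: a hand-rolled version of what fail2ban + iptables do, counting repeated POSTs to wp-login.php and xmlrpc.php per client over a constructed access-log sample and printing (not executing) the blocking rule for offenders. The sample addresses, the xmlrpc.php endpoint and the threshold of 5 are my assumptions.

```shell
#!/bin/sh
# Added example, not from the slides: a hand-rolled version of what fail2ban +
# iptables do for a WordPress site. It counts POSTs to wp-login.php and
# xmlrpc.php per client IP in a combined-format access log and reports the
# clients over a threshold; the iptables rule is printed, not executed.

# Constructed sample log (not real traffic): 203.0.113.7 hammers the login
# form and XML-RPC, 198.51.100.20 is an ordinary visitor who logs in once.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [21/Mar/2017:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2017:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2017:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2017:10:00:03 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
203.0.113.7 - - [21/Mar/2017:10:00:03 +0200] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Mar/2017:10:00:05 +0200] "GET / HTTP/1.1" 200 15230 "-" "Mozilla/5.0"
198.51.100.20 - - [21/Mar/2017:10:00:09 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# repeat_offenders LOG THRESHOLD: print "IP COUNT" (sorted) for every client
# with at least THRESHOLD POSTs to the login or XML-RPC endpoints.
# In the combined format $1 is the client IP, $6 the quoted method, $7 the path.
repeat_offenders() {
    awk -v limit="$2" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) print ip, hits[ip] }
    ' "$1" | sort
}

# block_rule IP: the network-level rule fail2ban would insert (and later expire)
# for a repeat offender. Returned as text so this script is safe to run anywhere.
block_rule() {
    printf 'iptables -I INPUT -s %s -j DROP\n' "$1"
}

# Real deployments tail the live log and use a time window (fail2ban's
# "findtime"); here the whole sample log is the window and 5 hits is the limit.
repeat_offenders "$SAMPLE_LOG" 5 | while read -r ip count; do
    echo "# $ip: $count login/XML-RPC POSTs"
    block_rule "$ip"
done
```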
BACKUP AND RECOVERY
Because some day, sooner or later, everything else fails.
BACKUP GUIDELINES 1/2
Make sure your backup system meets these requirements
● automatic: not dependent on human action
● complete: both files and database
● incremental with a history: at least 30 days
● frequent: daily is good
BACKUP GUIDELINES 2/2
● offsite: in case access to the original site is lost
● pull, not push: original site should not have access to the backups, otherwise an attacker can delete both the original site and all backups
Personal favourite: mysqldump + rdiff-backup over SSH
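The backup guidelines above and the "mysqldump + rdiff-backup over SSH" favourite, as an added shell example that is not the speaker's own script: a pull job that runs on the backup host and connects out to the web server, so the site never holds credentials for the backup store. The host name web.example.org, the wpbackup SSH account, the /srv/backups/example store and the dry-run switch are my assumptions, and the rdiff-backup invocations use the 1.x/2.0 command syntax.

```shell
#!/bin/sh
# Added example, not from the slides: the "mysqldump + rdiff-backup over SSH"
# favourite done as a PULL job. It runs on the backup host, which connects
# out to the web server; the web server holds no credentials for the backup
# store, so a compromised site cannot reach (or delete) the backups.
# Assumed names: web.example.org, its "wpbackup" SSH account, and
# /srv/backups/example as the local store. rdiff-backup 1.x/2.0 syntax.
set -eu

REMOTE="wpbackup@web.example.org"
SITE_DIR="/var/www/example"      # WordPress files on the web server
DB_NAME="wordpress"
STORE="/srv/backups/example"     # on the backup host
KEEP="30D"                       # history length required by the guidelines
DRY_RUN="${DRY_RUN:-1}"          # 1 = only print the commands

# Each step returns its exact command line, so the job can be reviewed (and
# tested) without touching a server.
db_dump_cmd() {
    # mysqldump runs on the web server; only the compressed dump crosses the wire.
    echo "ssh $REMOTE 'mysqldump --single-transaction --quick $DB_NAME | gzip' > $STORE/db-staging/$DB_NAME.sql.gz"
}
db_history_cmd() {
    # Put the dump under rdiff-backup too, so old database states are kept.
    echo "rdiff-backup $STORE/db-staging $STORE/db"
}
files_pull_cmd() {
    # Incremental pull of the site files; caches are not worth keeping.
    echo "rdiff-backup --exclude '**/wp-content/cache' $REMOTE::$SITE_DIR $STORE/files"
}
prune_cmd() {
    # Drop increments older than KEEP (--force: several may go at once).
    echo "rdiff-backup --force --remove-older-than $KEEP $STORE/$1"
}

run() {
    if [ "$DRY_RUN" = "1" ]; then echo "+ $1"; else eval "$1"; fi
}

# Run from cron on the backup host (daily, as the guidelines recommend).
run "mkdir -p $STORE/db-staging"
run "$(db_dump_cmd)"
run "$(db_history_cmd)"
run "$(files_pull_cmd)"
run "$(prune_cmd db)"
run "$(prune_cmd files)"
```

The wpbackup account on the web server needs only read access to the site files and the database plus an SSH key that the backup host uses; restricting what that key may run in authorized_keys is worth the effort.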
ONCE MORE WITH A FEELING
WORDPRESS SECURITY 101
1. Always follow password hygiene.
2. Use captchas to stall robot users.
3. Use HTTPS (and SFTP and SSH) – never submit passwords in plain text on any network connection.
4. Remove unnecessary software to reduce attack surface.
5. Keep WordPress plugins, and all other software too, updated so that all known vulnerability fixes are installed.
6. Install software and update only from trusted sources.
7. Have a good backup system in place.
8. Choose a good service provider and trust them to take care of the rest.
Extra
Recommendation in 2016: don’t disable
Recommendation 2017: disable and use REST API instead
Extra
Blog: Getting malicious code under control, or how a site break-in is investigated
wp-palvelu.fi/blogi/wordpress-sivustomurto-haittakoodi/
THANK YOU!
WP-palvelu.fi
@SeravoFi
@ottokekalainen