Hardening WordPress @ WordCamp Frankfurt 2016

A security-focused talk about WordPress. This session will teach you how to prevent your WordPress installations from being compromised, which actions are required in order to clean up a compromised WordPress installation, and ways of hardening your WordPress installation.

George Gkouvousis

September 03, 2016

Transcript

  1. George Gkouvousis
    03.09.2016
    SESSION: Hardening WordPress

  2. GEORGE GKOUVOUSIS
    • Technical Analyst (Computer Engineering degree)
    • Frontend Developer for over 8 years
    • WordPress related work since 2010
    • Web Development Coordinator at 8web Interactive ( 8web.gr )
    • Scaling & securing 100+ WordPress installations per year
    Twitter: @ggloveswp
    Email: [email protected]
    Website: www.8web.gr

  3. 1. ABOUT SESSION
    Main topics explained:
    1. Prevent your WordPress websites from being hacked
    Facts about your hosting (hardware) protection layer, i.e. the webhost, and simple ways
    to protect your WordPress websites as a webmaster.
    2. Compromised website. Now what?
    Scenarios explained, and the easiest clean-up techniques for a
    compromised WordPress website.

  4. TOPIC 1
    Prevent your WordPress websites from being hacked

  5. 1. Prevent your WordPress websites from being hacked
    Managed versus unmanaged WordPress hosting package
    Hosting choice is critical.
    WEB HOSTING PLAN: WP UNMANAGED vs. WP MANAGED (managed is the best choice, if possible)
    CHANCE OF GETTING HACKED (speaker's rough estimate):
    UNMANAGED: 0 to 100%
    MANAGED: 0 to 10%
    IMPORTANT FACTORS when choosing: time loss, management skills, cost (managed is the expensive option).

  6. 1. Prevent your WordPress websites from being hacked
    Managed WordPress hosting package
    WordPress Managed Hosting Plan PROS
    Blazing Fast – Servers configured for WordPress
    Security – Hardened and patched by the host (no site is literally hacker-proof, but this is far above the defaults)
    Expert Support – Beyond the levels of basic support
    Daily Backups – Included
    Automatic Updates – The host takes care of them, at both the software and the hardware (infrastructure) layer
    No downtime – Even with heavy traffic
    Development Tools – Make development easier

  7. 1. Prevent your WordPress websites from being hacked
    Managed WordPress hosting package
    WordPress Managed Hosting Plan CONS
    Cost – Usually expensive
    Limits – You can only run WordPress websites
    New service – Not really a con
    Less control – In case you are a control freak

  8. 1. Prevent your WordPress websites from being hacked
    Managing a WordPress website on your own
    So you finally decided to go with a WordPress unmanaged hosting package.
    Not a problem at all. Just don’t forget the golden rule:
    UPDATE

  9. 1. Prevent your WordPress websites from being hacked
    Why do I need to be an update-maniac?
    Because there are many (5000+) publicly catalogued vulnerabilities in WordPress core, plugins and themes.
    You have to avoid:
    • Outdated core
    • Outdated plugins
    • Outdated themes
    • Poorly written code

  10. 1. Prevent your WordPress websites from being hacked
    Extra steps to take in order to maximize the security level of WordPress (brute-force related)
    STRONG PASSWORDS – Pick strong passwords (long, with numbers, capital letters and symbols) and avoid logging in from public internet spots (untrusted Wi-Fi).
    ADMIN USERNAME – Don’t use “admin” as your administrator username; it is the first username brute-force tools try.
    TWO FACTOR AUTHENTICATION LOGIN – Use one of the many available two-factor authentication plugins for login.
    SERVER-SIDE IP BLOCK – Restrict wp-admin access by IP.
    SERVER-SIDE PASSWORD – Add another layer of security, like BasicAuth, in front of wp-admin.
    ENABLE ACCESS LOGGING – If possible. This will help you understand failed attack attempts and potential risks.
    Caveat: wp-login.php sits in the site root, not under wp-admin/, and xmlrpc.php also accepts credentials (and can batch many login attempts into a single request via system.multicall). The IP and BasicAuth restrictions have to cover those files as well, or the brute-force door stays open.

  11. 1. Prevent your WordPress websites from being hacked
    Extra steps to take in order to maximize the security level of WordPress (vulnerabilities related)
    PLUGINS UPDATE – Vulnerable plugins are what attackers use to gain access to the WordPress database and files.
    CORE UPDATE – Always keep your WordPress core up to date. Even if the current version seems safe enough, you don’t need it outdated.
    THEMES’ UPDATE – Update every theme, even if it is not in use: an inactive theme's PHP files are still reachable on disk and can be exploited. Better still, delete what you don't use.
    POORLY CODED PLUGINS – Do not use poorly coded plugins.
    FOLDERS’ PERMISSIONS – Do not change the default permissions of WordPress folders (755 for directories, 644 for files); in particular, never "fix" a plugin problem with 777.
    DON’T USE NULLED THINGS – It's ridiculous, but it happens. Why have your website hacked for a few bucks?! Nulled (pirated) themes and plugins routinely ship with backdoors.
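
A permission audit for the FOLDERS’ PERMISSIONS point above, added here as an example and not part of the talk: it walks a WordPress tree with POSIX find, reports anything world-writable, directories that are not 755 and files that are not 644, and (one step beyond the slide) flags a wp-config.php that everyone on the box can read. The site path, the `--fix` option and the 755/644 baseline are assumptions; the baseline is the one WordPress documents as its default.

```shell
#!/bin/sh
# Added example (not from the talk): audit a WordPress tree for permission drift.
# Baseline assumed here: directories 755, files 644, wp-config.php at most 640,
# nothing world-writable. Usage: sh wp-perms.sh /var/www/html [--fix]

# Print one "REASON path" line per deviation, sorted. Returns 0 when the tree
# matches the baseline and 1 when anything was reported.
audit_wp_permissions() {
    root=$1
    findings=$(
        # The classic "chmod -R 777 so the plugin can write" mistake: any other
        # tenant or process on the server can now drop a PHP file into the site.
        find "$root" ! -type l -perm -o+w -print | sed 's#^#WORLD_WRITABLE #'
        # Directories that drifted from 755
        find "$root" -type d ! -perm 755 -print | sed 's#^#DIR_NOT_755 #'
        # Files that drifted from 644 (nothing in a WordPress tree needs the execute bit)
        find "$root" -type f ! -perm 644 ! -name wp-config.php -print | sed 's#^#FILE_NOT_644 #'
        # wp-config.php holds the database password and the salts: only the owner
        # (and the web server's group) should be able to read it.
        find "$root" -maxdepth 1 -name wp-config.php -perm -o+r -print | sed 's#^#CONFIG_WORLD_READABLE #'
    )
    [ -z "$findings" ] && return 0
    printf '%s\n' "$findings" | sort
    return 1
}

# Put the tree back on the baseline. Assumes the files are owned by the account
# PHP runs as, or that the web server is in the owner's group, which is the usual
# layout on shared and control-panel hosting.
reset_wp_permissions() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    return 0
}

if [ "$#" -gt 0 ]; then
    if [ "$2" = "--fix" ]; then reset_wp_permissions "$1"; fi
    audit_wp_permissions "$1" && echo "OK: $1 matches the baseline"
fi
```

Run it from cron or after every plugin install; a non-zero exit means something drifted, and the path in the output tells you which plugin or upload handler did it.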

  12. 1. Prevent your WordPress websites from being hacked
    Synopsis of hardening process’ theory
    You might think: I am not a security expert.
    True. But you can make your website stronger with simple steps, on three layers:
    HOSTING PROVIDER – ADD EXTRA SECURITY IN THE SERVER LAYER. Important against “neighbor-based” attacks, i.e. attacks that come from another compromised site on the same shared server.
    SOFTWARE – ADD EXTRA SOFTWARE SECURITY. Staying on the default security level is a risk. BE UP TO DATE: update everything in order to avoid exploits.
    HUMAN FACTOR – Easily explained in the next slides.

  13. 1. Prevent your WordPress websites from being hacked
    Critical, yet simple steps for having a healthy WordPress website
    General steps you need to take in order to set the software protection layer to a higher level:
    STEP 1: Scan your website using an online vulnerability scanner and take any suggested action.
    STEP 2: Install a real-time scanning plugin. It will let you know immediately about risks and compromised data.
    STEP 3: Install a firewall plugin. It will prevent abusive behaviors.

  14. 1. Prevent your WordPress websites from being hacked
    Hardening, the easiest way.
    Not the most effective methods, but the best for beginners.
    SUGGESTED PLUGIN 1) ALL IN ONE WP SECURITY & FIREWALL
    • Disables WordPress meta information (version disclosure)
    • Prevents brute-force login attacks
    • Enables moderation in approving new user registrations
    • Allows you to manage the database prefix
    • Adds blacklisting rules (based on IP, or range)
    • Protects you with basic firewall rules
    • Permits changing the login page URL
    • Notifies you regarding file modifications

  15. 1. Prevent your WordPress websites from being hacked
    Hardening, the easiest way.
    SUGGESTED PLUGIN 2) SUCURI SECURITY
    • Protects the wp-content/uploads directory from browsing and from PHP execution
    • Restricts direct access to the wp-content and wp-includes folders
    • Restricts access to the file editor
    (all of it configured from wp-admin)
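
The two server-side controls behind the SERVER-SIDE IP BLOCK and SERVER-SIDE PASSWORD items of slide 10, plus the uploads protection listed for Sucuri above, written out as Apache 2.4 .htaccess rules generated by a small POSIX shell script. This is an added example, not the talk's or any plugin's code; the site root, the allowlisted addresses and the password-file path are placeholders. The same RequireAll gate is applied to wp-login.php and xmlrpc.php in the root and to everything under wp-admin/ except admin-ajax.php, and the uploads directory refuses to serve anything PHP-like.

```shell
#!/bin/sh
# Added example (not from the talk or any plugin): generate Apache 2.4 .htaccess
# rules that put a source-IP allowlist AND HTTP Basic auth in front of the
# WordPress login surface, and refuse to execute PHP from the uploads tree.
# Usage: sh wp-htaccess-harden.sh /var/www/html /etc/apache2/wp.htpasswd 203.0.113.0/24 198.51.100.7
# (paths and addresses are placeholders; create the password file once, outside
#  the document root, with:  htpasswd -Bc /etc/apache2/wp.htpasswd <user>)

# Accept IPv4, IPv4/CIDR, or an IPv6 literal/CIDR; reject anything else so a typo
# cannot silently turn "Require ip" into a rule that locks out everyone or nobody.
valid_ip_spec() {
    printf '%s' "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$' ||
    printf '%s' "$1" | grep -Eq '^[0-9a-fA-F:]+(/[0-9]{1,3})?$'
}

check_ips() {
    [ "$#" -gt 0 ] || { echo "at least one allowed address is required" >&2; return 2; }
    for ip in "$@"; do
        valid_ip_spec "$ip" || { echo "invalid address spec: $ip" >&2; return 2; }
    done
}

# Shared authorization block. RequireAll = both conditions must hold: the
# client comes from an allowlisted address AND presents a valid Basic-auth login.
auth_block() {
    htpasswd=$1; shift
    cat <<EOF
    AuthType Basic
    AuthName "WordPress administration"
    AuthUserFile $htpasswd
    <RequireAll>
        Require valid-user
        Require ip $*
    </RequireAll>
EOF
}

# wp-login.php (and xmlrpc.php, which also takes credentials) live in the site
# root, not under wp-admin/, so they need their own stanza in the root .htaccess.
# Idempotent: the marker keeps repeated runs from appending duplicates.
protect_wp_login() {
    root=$1; htpasswd=$2; shift 2
    check_ips "$@" || return 2
    ht="$root/.htaccess"
    if [ -f "$ht" ] && grep -q '^# BEGIN wp-login hardening' "$ht"; then return 0; fi
    {
        printf '%s\n' '# BEGIN wp-login hardening'
        printf '%s\n' '<FilesMatch "^(wp-login|xmlrpc)\.php$">'
        auth_block "$htpasswd" "$@"
        printf '%s\n' '</FilesMatch>'
        printf '%s\n' '# END wp-login hardening'
    } >> "$ht"
}

# Everything under wp-admin/ gets the same gate, except admin-ajax.php, which
# front-end plugins call on behalf of anonymous visitors (forms, "load more", ...).
protect_wp_admin() {
    root=$1; htpasswd=$2; shift 2
    check_ips "$@" || return 2
    {
        auth_block "$htpasswd" "$@"
        cat <<'EOF'
<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
    } > "$root/wp-admin/.htaccess"
}

# Uploads are data, never code: deny anything PHP-like, including the renamed
# variants attackers try, and stop directory listing while we are here.
deny_php_in_uploads() {
    root=$1
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "(?i)\.(php|phtml|phar|php[0-9])$">
    Require all denied
</FilesMatch>
Options -Indexes
EOF
}

main() {
    root=$1; htpasswd=$2; shift 2
    [ -d "$root/wp-admin" ] || { echo "not a WordPress root: $root" >&2; return 2; }
    protect_wp_login "$root" "$htpasswd" "$@" &&
    protect_wp_admin "$root" "$htpasswd" "$@" &&
    deny_php_in_uploads "$root"
}

if [ "$#" -gt 0 ]; then main "$@"; fi
```

The vhost must allow these overrides (AllowOverride All, or at least AuthConfig, Limit, FileInfo and Options) or the files are silently ignored. The uploads rule only bites when Apache itself dispatches PHP (mod_php or a per-directory SetHandler); with a vhost-level ProxyPassMatch to PHP-FPM the request is proxied before .htaccess is read, so the equivalent deny belongs in the vhost, and on nginx in a location block that returns 403. Verify with a request for a harmless test file under wp-content/uploads and expect 403, not 200.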

  16. 1. Prevent your WordPress websites from being hacked
    Hardening, the easiest way.
    SUGGESTED PLUGIN 3) BULLETPROOF SECURITY
    • Offers an easy, one-click setup
    • Adds .htaccess rules that block requests carrying XSS, RFI, CSRF, base64 and SQL-injection patterns and other hacking attempts
    • Monitors max login attempts, and adds a lockout time in case of failures
    • Offers wp-admin based database backups
    • Alerts you via email for a variety of user actions that you choose

  17. TOPIC 2
    Compromised WordPress website, now what?

  18. 2. Compromised WordPress website, now what?
    Worst scenarios explained
    My website is compromised. Now, WHAT?!
    Remember:
    • Knowing your enemy is not a must
    • Knowing your weakness IS!
    • If in doubt, hire an expert

  19. 2. Compromised WordPress website, now what?
    Worst scenarios explained
    Pick a situation:
    • Are any previous backups available?
    • Can I restore my website files to an earlier point?
    • Can I restore my database to an earlier point?
    • Is wiping the files an option?

  20. 2. Compromised WordPress website, now what?
    Worst scenarios explained
    Common post-infection scenarios
    Possible scenario #1
    My website got hacked and I have no backups.
    BAD.
    The situation may not be recoverable unless an expert is hired.

  21. 2. Compromised WordPress website, now what?
    Worst scenarios explained
    Common post-infection scenarios
    Possible scenario #2
    My website got hacked and my only backup file is also infected,
    because I noticed the compromise too late: the backup was taken after the infection.
    BAD, exactly like #1.
    The situation may not be recoverable unless an expert is hired.

  22. 2. Compromised WordPress website, now what?
    Worst scenarios explained
    Common post-infection scenarios
    Possible scenario #3
    My website got hacked and my backup file is fine.
    GOOD.
    The situation is recoverable, but actions are needed after restoring to a clean-state point. Restoring only rewinds the clock; the hole the attacker used is still there. Update the component that was exploited, change every password (WordPress users, database, FTP/SSH, hosting panel), regenerate the salts in wp-config.php, and then watch the logs. Otherwise expect to be re-infected.

  23. 2. Compromised WordPress website, now what?
    Key points of hack
    Where do hackers store their data? Everywhere!
    • Plugins folder
    • wp-content/uploads folder
    • Inside the root directory of WordPress
    What do those files look like? Anything executable!
    • Files with a PHP extension (or PHP code hidden inside a file named like an image)
    • Malicious code (base64 encoded, eval() etc.) appended to legitimate files
    • Suspicious database strings/values (injected scripts or links in posts and options)
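
A triage script for the three kinds of artefact listed above, added here as an example and not part of the talk: PHP where only media belongs (including a PHP open tag hidden inside something named like an image), the obfuscation and remote-input execution idioms that nearly every web shell or injected dropper uses, and files changed in the last N days. The site path and the day count are assumptions. It lists suspects; it does not pronounce verdicts, because legitimate plugins also call base64_decode(), so every hit is compared against a clean copy of the same plugin or theme.

```shell
#!/bin/sh
# Added example (not from the talk): triage a WordPress tree for the artefacts
# attackers leave behind. Output is "REASON path", one per line, sorted.
# Usage: sh wp-triage.sh /var/www/html [days]

# Idioms that almost every PHP web shell or injected dropper relies on:
# code execution from a string, layered decoding, or calling whatever function
# name arrives in the request, e.g. $_POST['f']($_POST['a']).
SUSPECT_RE='eval\(|base64_decode\(|gzinflate\(|gzuncompress\(|str_rot13\(|create_function\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]+\] *\('

scan_wp_tree() {
    root=$1
    days=${2:-0}
    up="$root/wp-content/uploads"
    {
        if [ -d "$up" ]; then
            # 1. Executable extensions under uploads (the folder should hold media only)
            find "$up" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.phar' -o -iname '*.php[0-9]' \) -print \
                | sed 's#^#PHP_IN_UPLOADS #'
            # 2. A PHP open tag inside a file named like an image or icon: it runs as
            #    soon as a rewrite rule or a misconfigured handler feeds it to PHP
            find "$up" -type f ! -iname '*.php*' -exec grep -lF '<?php' {} + 2>/dev/null \
                | sed 's#^#PHP_TAG_IN_UPLOAD #'
        fi
        # 3. Obfuscation / remote-input execution idioms anywhere in the tree
        find "$root" -type f -iname '*.php' -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null \
            | sed 's#^#SUSPECT_CODE #'
        # 4. Files touched in the last N days: compare with the date of your last deploy
        if [ "$days" -gt 0 ]; then
            find "$root" -type f -mtime -"$days" -print | sed 's#^#RECENT #'
        fi
    } | sort
}

if [ "$#" -gt 0 ]; then scan_wp_tree "$@"; fi
```

For the database column of the slide the same idea is a query, with the default wp_ prefix assumed: `SELECT ID, post_title FROM wp_posts WHERE post_content LIKE '%<script%' OR post_content LIKE '%eval(%'`, the same LIKE conditions on option_value in wp_options, and a look at wp_users for administrator accounts you did not create.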

  24. 2. Compromised WordPress website, now what?
    Cleaning ways
    The not-so-easy part: cleaning practices
    Manual Cleanup
    • Skills are needed
    • Can be easier if you use software locally (pull a copy of the site and scan it on your own machine)
    Wipe and reinstall (or recover a backup)
    • Make sure that you wipe everything first: one leftover file is enough for the attacker to come back
    • Can be easier if you are on control-panel based hosting that uses a commercial backup/restore application
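
Wiping and reinstalling is the reliable route because it also removes the files you never found. When that is not an option, the next best thing is to diff the core directories against a known-good copy of the same WordPress version. Added example, not the talk's method: a POSIX shell script that builds a checksum manifest from a clean download and reports MODIFIED, MISSING and EXTRA files under wp-admin/ and wp-includes/. Extra files matter most, since that is where droppers hide, and it is the case WP-CLI's `wp core verify-checksums` does not report. Paths are assumptions; wp-content is deliberately out of scope because it holds site-specific code.

```shell
#!/bin/sh
# Added example (not from the talk): compare the WordPress core directories of a
# site with a clean copy of the same version and list what changed.
# Usage:  sh wp-core-diff.sh manifest /path/to/clean-wordpress > core.manifest
#         sh wp-core-diff.sh verify   /var/www/html core.manifest
# Manifest format: "<md5> <relative path>", one per line. The official checksums
# (https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=en_US)
# carry the same information if you prefer not to download a clean copy.

file_md5() {
    if command -v md5sum >/dev/null 2>&1; then md5sum "$1" | cut -d' ' -f1
    elif command -v md5 >/dev/null 2>&1; then md5 -q "$1"
    else openssl dgst -md5 "$1" | sed 's/.*= //'
    fi
}

# Core = wp-admin/, wp-includes/ and the PHP files in the root, minus
# wp-config.php, which is site-specific and never matches a release.
core_files() {
    ( cd "$1" && find wp-admin wp-includes index.php wp-*.php -type f ! -name wp-config.php 2>/dev/null ) | sort
}

make_manifest() {
    clean=$1
    core_files "$clean" | while read -r f; do
        printf '%s %s\n' "$(file_md5 "$clean/$f")" "$f"
    done
}

# Prints MODIFIED / MISSING / EXTRA lines; returns 0 only when there are none.
verify_core() {
    root=$1; manifest=$2
    report=$(
        # Every file the release ships must be present with the release's hash
        while read -r sum f; do
            if [ ! -f "$root/$f" ]; then
                echo "MISSING $f"
            elif [ "$(file_md5 "$root/$f")" != "$sum" ]; then
                echo "MODIFIED $f"
            fi
        done < "$manifest"
        # Anything under the core directories that the release did not ship
        ( cd "$root" && find wp-admin wp-includes -type f ) | sort | while read -r f; do
            cut -d' ' -f2- "$manifest" | grep -qxF -- "$f" || echo "EXTRA $f"
        done
    )
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

case "$1" in
    manifest) make_manifest "$2" ;;
    verify)   verify_core "$2" "$3" ;;
esac
```

A MODIFIED core file is replaced from the clean copy (or the whole core is reinstalled with `wp core download --force`), an EXTRA one is removed after you have kept a copy for analysis, and both are a strong hint about where to look in wp-content next.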

  25. 2. Compromised WordPress website, now what?
    Success?
    100% success? Never.
    Make sure that you sleep with one eye open and keep everything up to date.

  26. Synopsis of session
    Facts
    So, what makes WordPress vulnerable? Simply:
    old version of WordPress core
    + outdated themes / plugins
    + popularity of WordPress
    + end user actions.

  27. QUESTIONS?
    THANK YOU!
