
Hardening WordPress @ WordCamp Frankfurt 2016

A security-focused talk about WordPress. This session will teach you how to prevent your WordPress installations from being compromised, which actions are required in order to clean up a compromised WordPress installation, and ways of hardening your WordPress installation.

George Gkouvousis

September 03, 2016


Transcript

  1. GEORGE GKOUVOUSIS
     • Technical Analyst (Computer Engineering degree)
     • Frontend Developer for over 8 years
     • WordPress related stuff since 2010
     • Web Development Coordinator at 8web Interactive (8web.gr)
     • Scaling & securing 100+ WordPress installations per year
     Twitter: @ggloveswp / Email: [email protected] / Website: www.8web.gr
  2. ABOUT SESSION: Main topics explained
     1. Prevent your WordPress websites from being hacked: facts about your hardware protection layer (webhost) and simple ways to protect your WordPress websites as a webmaster
     2. Compromised website. Now what?: scenarios explained, the easiest cleaning-up techniques for a compromised WordPress website
  3. Managed versus unmanaged WordPress hosting package
     Section: 1. Prevent your WordPress websites from being hacked
     Hosting choice is critical.
     • WP UNMANAGED WEB HOSTING PLAN
     • WP MANAGED: best choice, if possible
     CHANCE OF GETTING HACKED: UNMANAGED 0 - 100%, MANAGED 0 - 10%
     IMPORTANT FACTORS: TIME LOSS, MANAGEMENT SKILLS, BIG COST
  4. Managed WordPress hosting package: WordPress Managed Hosting Plan PROS
     Section: 1. Prevent your WordPress websites from being hacked
     • Blazing Fast – Servers configured for WordPress
     • Security – Practically hacker-proof
     • Expert Support – Beyond levels of basic support
     • Daily Backups – Included
     • Automatic Updates – They take care of them in the software & hardware layer
     • No downtime – Even with heavy traffic
     • Development Tools – Make development easier
  5. Managed WordPress hosting package: WordPress Managed Hosting Plan CONS
     Section: 1. Prevent your WordPress websites from being hacked
     • Cost – Usually expensive
     • Limits – You can only run WordPress websites
     • New service – Not really a con
     • Less control – In case you are a control freak
  6. Managing a WordPress website on your own
     Section: 1. Prevent your WordPress websites from being hacked
     So you finally decided to go with a WordPress unmanaged hosting package. Not a problem at all. Just don’t forget the golden rule: U P D A T E
  7. Why do I need to be an update-maniac?
     Section: 1. Prevent your WordPress websites from being hacked
     Because there are maaaany (5000+) WordPress vulnerabilities officially listed. You have to avoid:
     • Outdated core
     • Outdated plugins
     • Outdated themes
     • Poorly written code
  8. Extra steps to take in order to maximize the security level of WordPress (brute force related)
     Section: 1. Prevent your WordPress websites from being hacked
     • STRONG PASSWORDS – Pick strong passwords (long, with numbers, capital letters and symbols) & avoid public internet spots
     • ADMIN USERNAME – Don’t use “Admin” as your administrator username
     • TWO FACTOR AUTHENTICATION LOG IN – Use one of the so-many available 2 factor authentication plugins for login
     • SERVER-SIDE IP BLOCK – Restrict wp-admin access by IP
     • SERVER-SIDE PASSWORD – Add another layer of security, like BasicAuth, to wp-admin
     • ENABLE ACCESS LOGGING – If possible. This will help you understand failed attack tries and potential risks
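The two server-side steps on this slide, as an added example that is not part of the deck: a generator for a wp-admin/.htaccess that restricts access by IP and adds BasicAuth (Apache 2.4 syntax assumed), and a small report that reads a combined-format access log for failed login attempts. The addresses, file paths and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: IP restriction plus BasicAuth on
# wp-admin, and reading the access log for failed logins, on a typical
# Apache 2.4 host.  Paths, addresses and log lines are constructed.

# Emit the contents of wp-admin/.htaccess: only $1 may reach wp-admin, and
# even then a second (BasicAuth) password is required.  admin-ajax.php is
# exempted because front-end features of many themes and plugins call it
# anonymously; locking it down breaks the public site instead of hardening
# it.  The login form itself is /wp-login.php in the site root, so give it
# the same treatment in the root .htaccess inside <Files "wp-login.php">.
wp_admin_htaccess() {
    allowed_ip=$1      # e.g. your office or VPN address
    htpasswd_file=$2   # created once with: htpasswd -c /path/to/.htpasswd <user>
    cat <<EOF
# Public AJAX endpoint stays reachable
<Files "admin-ajax.php">
    Require all granted
</Files>

# Everything else in wp-admin: allowed source address AND a second password
AuthType Basic
AuthName "Restricted area"
AuthUserFile $htpasswd_file
<RequireAll>
    Require ip $allowed_ip
    Require valid-user
</RequireAll>
EOF
}

# Summarise failed logins per client from a combined-format access log read
# on stdin.  WordPress answers a failed POST to wp-login.php with HTTP 200
# (it re-renders the form) and a successful one with a 302 redirect, so
# "POST /wp-login.php -> 200" is a cheap failed-attempt signal.  Prints
# "<ip> <count>" for every client at or above the threshold in $1.
failed_login_report() {
    threshold=$1
    awk -v limit="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= limit) printf "%s %d\n", ip, fails[ip] }
    ' | sort
}

# Constructed sample log: one client repeatedly failing, one normal login
# (GET the form, POST -> 302, land in wp-admin).
SAMPLE_LOG='203.0.113.77 - - [03/Sep/2016:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "curl/7.47.0"
203.0.113.77 - - [03/Sep/2016:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "curl/7.47.0"
203.0.113.77 - - [03/Sep/2016:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3452 "-" "curl/7.47.0"
198.51.100.5 - - [03/Sep/2016:10:05:00 +0200] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
198.51.100.5 - - [03/Sep/2016:10:05:09 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.5 - - [03/Sep/2016:10:05:10 +0200] "GET /wp-admin/ HTTP/1.1" 200 51000 "-" "Mozilla/5.0"'

# Usage on a real host (typical paths, adjust to yours):
#   failed_login_report 20 < /var/log/apache2/access.log
#   wp_admin_htaccess 203.0.113.10 /etc/apache2/.htpasswd > /var/www/html/wp-admin/.htaccess
printf '%s\n' "$SAMPLE_LOG" | failed_login_report 3
```

The report only counts a client once it crosses the threshold, so legitimate users who mistype a password once do not show up; the constructed log yields a single flagged client with three attempts.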
  9. Extra steps to take in order to maximize the security level of WordPress (vulnerabilities related)
     Section: 1. Prevent your WordPress websites from being hacked
     • PLUGINS UPDATE – Plugins are being used by hackers in order to gain access to the WordPress database and files
     • CORE UPDATE – Always keep your WordPress core up to date. Even if it’s safe enough, you don’t need it outdated
     • THEMES’ UPDATE – Update every theme, even if it’s not in use. They can be used by hackers even if they are not active
     • POORLY CODED PLUGINS – Do not use poorly coded plugins
     • FOLDERS’ PERMISSIONS – Do not change the default permissions of WordPress folders
     • DON’T USE NULLED THINGS – It’s ridiculous, but it happens. Why get your website hacked for a few bucks?!
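The folder-permissions point above, as an added example that is not part of the deck: a check that reports every path in a WordPress tree deviating from the default scheme (directories 755, files 644, wp-config.php not readable by others), plus the corrective action. The demo tree it builds is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: audit a WordPress tree against the
# default permissions the slide says to leave alone (directories 755, files
# 644, wp-config.php unreadable by "others").  World-writable entries are
# the usual result of a "chmod -R 777 fixed my upload error" moment and are
# the main thing this check is after.  The demo tree below is constructed.

# Print, one per line, every path under $1 that deviates from the scheme.
wp_permission_audit() {
    root=$1
    {
        # world-writable anything: always a finding
        find "$root" -perm -002 -print
        # directories not exactly 755
        find "$root" -type d ! -perm 755 -print
        # regular files not exactly 644 (wp-config.php has its own rule)
        find "$root" -type f ! -name wp-config.php ! -perm 644 -print
        # wp-config.php holds database credentials: flag it if "others" can read it
        find "$root" -type f -name wp-config.php -perm -004 -print
    } | sort -u
}

# Apply the default scheme to a tree (the corrective action for the findings
# above).  wp-config.php is tightened to 640 as a common hardening choice.
wp_permission_fix() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    [ -f "$root/wp-config.php" ] && chmod 640 "$root/wp-config.php"
    return 0
}

# Build a small constructed WordPress-like tree with one deliberate mistake
# (a 777 uploads directory) and print its path.
wp_demo_tree() {
    demo=$(mktemp -d)
    mkdir -p "$demo/wp-content/uploads" "$demo/wp-content/plugins/some-plugin"
    : > "$demo/index.php"
    : > "$demo/wp-config.php"
    : > "$demo/wp-content/plugins/some-plugin/some-plugin.php"
    chmod 755 "$demo" "$demo/wp-content" "$demo/wp-content/plugins" "$demo/wp-content/plugins/some-plugin"
    chmod 644 "$demo/index.php" "$demo/wp-content/plugins/some-plugin/some-plugin.php"
    chmod 640 "$demo/wp-config.php"        # fine: not readable by others
    chmod 777 "$demo/wp-content/uploads"   # the classic mistake
    printf '%s\n' "$demo"
}

# Usage on a real host: wp_permission_audit /var/www/html
demo=$(wp_demo_tree)
echo "Findings before fix:"; wp_permission_audit "$demo"
wp_permission_fix "$demo"
echo "Findings after fix:";  wp_permission_audit "$demo"
rm -rf "$demo"
```

Run the audit before reaching for a fix: on shared hosting the web server and your FTP/SFTP user may differ, and a 777 upload directory is often the symptom of that mismatch rather than the cure, so the owner of the tree is worth checking at the same time.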
  10. Synopsis of the hardening process’ theory
      Section: 1. Prevent your WordPress websites from being hacked
      You might think: I am not a security expert. True. But you can make your website stronger with simple steps.
      • ADD EXTRA SOFTWARE SECURITY – Staying on the default security level is a risk
      • BE UP TO DATE – Update everything in order to avoid exploits
      • ADD EXTRA SECURITY IN SERVER LAYER – Important for “neighbor-based” attacks
      HUMAN FACTOR / EASILY EXPLAINED IN NEXT SLIDES / HOSTING PROVIDER
  11. Critical, yet simple steps for having a healthy WordPress website
      Section: 1. Prevent your WordPress websites from being hacked
      General steps you need to take in order to set the software protection layer on a higher level:
      • STEP 1: Scan your website using an online vulnerabilities scanner and take any suggested action
      • STEP 2: Install a real-time scanning plugin. It will let you immediately know about risks and compromised data
      • STEP 3: Install a firewall plugin. It will prevent abusive behaviors
  12. SUGGESTED PLUGIN 1) ALL IN ONE WP SECURITY & FIREWALL
      Section: 1. Prevent your WordPress websites from being hacked
      Hardening, the easiest way. Not the most effective methods, but the best for beginners.
      • Disables WordPress meta information
      • Prevents brute force login attacks
      • Enables moderation in approving new user registrations
      • Allows you to manage the database prefix
      • Adds blacklisting rules (based on IP, or range)
      • Protects you with basic firewall rules
      • Permits change of the login page URL
      • Notifies you regarding files’ modifications
  13. SUGGESTED PLUGIN 2) SUCURI SECURITY
      Section: 1. Prevent your WordPress websites from being hacked
      Hardening, the easiest way.
      • Protects the wp-uploads directory from browsing and PHP execution
      • Restricts access to wp-content and wp-includes folders via wp-admin
      • Restricts access to the file editor via wp-admin
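Two of the measures on this slide, done by hand as an added example (not from the deck and not the Sucuri plugin's code): an .htaccess that denies PHP execution inside wp-content/uploads (Apache 2.4 syntax assumed), a listing of PHP files already present there, and a check that the wp-admin file editor is disabled via the WordPress constant DISALLOW_FILE_EDIT in wp-config.php. The demo files are constructed.

```shell
#!/bin/sh
# Added example, not from the slides and not the Sucuri plugin's code: the
# measures this slide lists, done by hand so their substance is visible.
# Apache 2.4 syntax for the .htaccess; paths and sample files are
# constructed for illustration.

# 1) Stop PHP from executing inside wp-content/uploads.  The uploads
#    directory has to be writable by the web server, so whatever lands there
#    must never be runnable.  (On nginx the equivalent is a location block
#    that returns 403 for \.php$ under /wp-content/uploads/.)
uploads_deny_php() {
    uploads_dir=$1
    cat >"$uploads_dir/.htaccess" <<'EOF'
# Deny any PHP-like file that ends up in uploads, whatever its extension variant
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# 2) List PHP files already present in uploads.  Legitimate uploads are
#    images and documents, so every hit needs a human look.
uploads_php_files() {
    find "$1" -type f \( -name '*.php' -o -name '*.php[0-9]' -o -name '*.phtml' -o -name '*.phar' \) -print | sort
}

# 3) Check that the wp-admin theme/plugin editor is disabled.  WordPress
#    honours DISALLOW_FILE_EDIT in wp-config.php; with it set to true the
#    editor disappears from the admin menu, so a stolen admin session cannot
#    be turned into arbitrary PHP by editing a theme file in the browser.
#    Prints "yes" or "no".
file_edit_disabled() {
    if grep -Eq "define\([[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"; then
        echo yes
    else
        echo no
    fi
}

# Constructed demo tree: a stray PHP file among uploads and a wp-config.php
# without the constant.
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads/2016/09"
: > "$demo/wp-content/uploads/2016/09/photo.jpg"
printf '%s\n' '<?php // constructed inert sample, never executed' > "$demo/wp-content/uploads/2016/09/stray.php"
printf '%s\n' '<?php' "define('WP_DEBUG', false);" > "$demo/wp-config.php"

# Usage on a real host:
#   uploads_deny_php /var/www/html/wp-content/uploads
#   uploads_php_files /var/www/html/wp-content/uploads
#   file_edit_disabled /var/www/html/wp-config.php
uploads_deny_php "$demo/wp-content/uploads"
echo "PHP files in uploads:"; uploads_php_files "$demo/wp-content/uploads"
echo "File editor disabled: $(file_edit_disabled "$demo/wp-config.php")"
rm -rf "$demo"
```

The .htaccess only takes effect if the server honours per-directory overrides (AllowOverride) for that path; where it does not, the same FilesMatch block belongs in the virtual host configuration.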
  14. SUGGESTED PLUGIN 3) BULLETPROOF SECURITY
      Section: 1. Prevent your WordPress websites from being hacked
      Hardening, the easiest way.
      • Offers an easy, one-click setup
      • Protects .htaccess against XSS, RFI, CSRF, Base64, SQL injection and other hacking attempts
      • Monitors max login attempts, and adds lockout time in case of failures
      • Offers wp-admin based database backups
      • Alerts you via email for a variety of user actions that you will choose
  15. Worst scenarios explained
      Section: 2. Compromised WordPress website, now what?
      Remember: My website is compromised. Now, WHAT?!
      • Knowing your enemy is not a must
      • Knowing your weakness IS!
      • If in doubt, hire an expert
  16. Worst scenarios explained
      Section: 2. Compromised WordPress website, now what?
      Pick a situation:
      • Any previous backups available?
      • Can I restore my website files to an earlier point?
      • Can I restore my database to an earlier point?
      • Is wiping files an option?
  17. Common post-infection scenarios: Possible scenario #1
      Section: 2. Compromised WordPress website, now what?
      My website got hacked and I have no backups. BAD. The situation may not be recoverable unless an expert is hired.
  18. Common post-infection scenarios: Possible scenario #2
      Section: 2. Compromised WordPress website, now what?
      My website got hacked and my only backup file is also infected; I noticed that my website was compromised too late. BAD, exactly like #1. The situation may not be recoverable unless an expert is hired.
  19. Common post-infection scenarios: Possible scenario #3
      Section: 2. Compromised WordPress website, now what?
      My website got hacked and my backup file is fine. GOOD. The situation is recoverable, but actions are needed after restoration (to a clean-state point).
  20. Key points of hack
      Section: 2. Compromised WordPress website, now what?
      Where do hackers store their data? Everywhere!
      • Plugins folder
      • wp-uploads folder
      • Inside the root dir of WordPress
      What do those files look like? Everything (executable)!
      • PHP extension files
      • Malicious code (base64 etc.) added
      • Suspicious database strings/values
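The file-side points on this slide, as an added example that is not part of the deck: a first-pass indicator scan that lists PHP files whose contents match common obfuscation shapes (a decode step fed into eval, request input fed into eval or a system call, very long base64-looking literals) together with a listing of recently modified PHP files. The indicator patterns are a practitioner's starting set, not a complete signature list, and the demo files are constructed and inert.

```shell
#!/bin/sh
# Added example, not from the slides: a first-pass indicator scan for the
# places and shapes of injected code this slide lists (PHP where it does not
# belong, obfuscated "base64 etc." code).  A hit is a lead for a human to
# read, not proof: some legitimate plugins also call base64_decode().
# The demo files are constructed and inert.

# Shapes typical of injected PHP, as extended regular expressions:
#  - a decode step fed straight into eval()
#  - eval/assert/system-style calls fed straight from request input
#  - a very long base64-looking literal (packed payloads hide this way)
INDICATORS='eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)[[:space:]]*\(
(eval|assert|system|passthru|shell_exec)[[:space:]]*\([[:space:]]*\$_(GET|POST|REQUEST|COOKIE)
[A-Za-z0-9+/=]{200,}'

# Print every *.php under $1 that matches at least one indicator.
scan_php_indicators() {
    root=$1
    printf '%s\n' "$INDICATORS" | while IFS= read -r pattern; do
        # find returns non-zero when grep finds nothing; that is not an error here
        find "$root" -type f -name '*.php' -exec grep -lE -- "$pattern" {} + || true
    done | sort -u
}

# Print every *.php under $1 modified within the last $2 days.  After a
# restore from a clean backup, anything that changes outside your own
# deployments deserves the same scrutiny as a scanner hit.
recent_php_changes() {
    find "$1" -type f -name '*.php' -mtime "-$2" -print | sort
}

# Constructed demo tree: one clean plugin file and one file with the
# decode-then-eval shape (the literal is just base64 for "hello"; the file
# is never executed).
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/plugins/some-plugin" "$demo/wp-content/uploads"
printf '%s\n' '<?php' 'echo "constructed clean sample";' > "$demo/wp-content/plugins/some-plugin/some-plugin.php"
printf '%s\n' '<?php' 'eval(base64_decode("aGVsbG8="));' > "$demo/wp-content/uploads/stray.php"

# Usage on a real host:
#   scan_php_indicators /var/www/html
#   recent_php_changes /var/www/html 7
echo "Indicator hits:";  scan_php_indicators "$demo"
echo "Changed in last day:"; recent_php_changes "$demo" 1
rm -rf "$demo"
```

Treat the output as a reading list: open each flagged file, compare it with the same file from a fresh copy of the plugin or theme, and remember that a clean scan says nothing about the database values the slide also mentions.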
  21. Cleaning ways: The not-so-easy part
      Section: 2. Compromised WordPress website, now what?
      Cleaning practices
      Manual cleanup
      • Skills are needed
      • Can be easier if you use software locally
      Wipe and reinstall (or recover a backup)
      • Make sure that you wipe everything first
      • Can be easier if you are under a control panel based hosting and it uses a commercial backup/restore application.
  22. Success?
      Section: 2. Compromised WordPress website, now what?
      100% success? Never. Make sure that you sleep with one eye open and keep everything up to date.
  23. Synopsis of session: Facts
      So, what makes WordPress vulnerable? Simply: old version of WordPress core + outdated themes / plugins + popularity of WordPress + end user actions.