
Keep your site safe

Jeremy Herve
November 03, 2015

A few important WordPress security principles

http://jeremy.hu/wpbudapest-security/

Transcript

  1. KEEP YOUR SITE SAFE
    A few important WordPress security principles

  2. WHO?
    • Jeremy Herve
    • jeremy.hu
    • @jeherve
    • Jetpack Mechanic at Automattic

  3. WHAT IS SECURITY?

  4. SECU-WHAT?
    • Scary
    • Seems complicated
    • Yet super important
    Take the time to learn and understand.

  5. SECU-WHAT?
    • Link injections
    • Defacement of your whole site
    • Information gathering
    Take the time to learn and understand.

  6. HACKERS’ GOALS
    Why do people want to get into my site?

  7. WHY?
    • Money
    • Hack other sites through your site
    • Information gathering
    • Hacktivism
    • For the lulz
    What makes hackers tick

  8. ATTACKS
    How do hackers try to get in?

  9. HOW?
    • Targeted
    • Automated
    Different types of attacks
    MOST ATTACKS ARE NOT PERSONAL

  10. MISCONCEPTIONS

  11. WRONG!
    • “I’m not a target”
    • “I’m safe, I use X security plugin”
    • “I’m safe, I hide my WP version / log in page”
    • “WordPress is not secure”
    Common WP security misconceptions

  12. GOOD PRACTICES

  13. GOOD PRACTICES
    • PHP version
    • Specialized in WordPress
    • Update policy
    • Brute Force prevention measures
    • SSH access
    Pick a good host

  14. GOOD PRACTICES
    • Lock down registrations
    • List of admins
    • List of plugins & themes
    • Update policy
    • Edit code from your dashboard
    • Pingbacks
    • Lock down some options
    • Lock down dashboard access
    • XML-RPC access
    Audit of your WordPress use

  15. GOOD PRACTICES
    // Can't enable user registrations.
    // pre_option_* filters run before the database read, so the stored value is never used.
    function jeherve_option_users_can_register( $value ) {
        return '0';
    }
    add_filter( 'pre_option_users_can_register', 'jeherve_option_users_can_register' );

    // Default role to subscriber.
    function jeherve_option_default_role( $value ) {
        return 'subscriber';
    }
    add_filter( 'pre_option_default_role', 'jeherve_option_default_role' );
    Lock down registrations

  16. GOOD PRACTICES
    • Lock down registrations
    • List of admins
    • List of plugins & themes
    • Update policy
    • Edit code from your dashboard
    • Pingbacks
    • Lock down some options
    • Lock down dashboard access
    • XML-RPC access
    Audit of your WordPress use

  17. GOOD PRACTICES
    • Don’t keep deactivated plugins
    • Is the plugin maintained?
    • Who’s the maintainer?
    • How popular is it?
    Pick the right plugin / theme

  18. INSTALL FROM TRUSTED SOURCES ONLY

  19. GOOD PRACTICES
    • Lock down registrations
    • List of admins
    • List of plugins & themes
    • Update policy
    • Edit code from your dashboard
    • Pingbacks
    • Lock down some options
    • Lock down dashboard access
    • XML-RPC access
    Audit of your WordPress use

  20. GOOD PRACTICES
    // Don’t use the dashboard to edit code. Really.
    // Add this to wp-config.php; it removes the plugin and theme editors from wp-admin.
    define( 'DISALLOW_FILE_EDIT', true );
    Don’t edit code via wp-admin

  21. GOOD PRACTICES
    • Lock down registrations
    • List of admins
    • List of plugins & themes
    • Update policy
    • Edit code from your dashboard
    • Pingbacks
    • Lock down some options
    • Lock down dashboard access
    • XML-RPC access
    Audit of your WordPress use

  22. GOOD PRACTICES
    // Force deactivate pingbacks by removing the method from the XML-RPC server.
    function jeherve_deactivate_pings( $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    }
    add_filter( 'xmlrpc_methods', 'jeherve_deactivate_pings' );
    Disable pingbacks

  23. GOOD PRACTICES
    • Lock down registrations
    • List of admins
    • List of plugins & themes
    • Update policy
    • Edit code from your dashboard
    • Pingbacks
    • Lock down some options
    • Lock down dashboard access
    • XML-RPC access
    Audit of your WordPress use

  24. GOOD PRACTICES
    // No one should be able to change the admin email address.
    // Whatever is stored in the database, get_option( 'admin_email' ) returns this value.
    function jeherve_option_admin_email( $value ) {
        return '[email protected]'; // placeholder: put the real admin address here
    }
    add_filter( 'option_admin_email', 'jeherve_option_admin_email' );
    Lock down some options
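
    Slides 15 and 24 pin one option per filter. The mu-plugin below is an added example, not code from the deck: it pins several options in one loop, and additionally refuses writes to them and logs the attempt so it shows up when you monitor the site. The file location (wp-content/mu-plugins/) and the admin address are assumptions.

```php
<?php
/**
 * Plugin Name: Locked options (added example; assumed to live in wp-content/mu-plugins/)
 */

// Option name => value it must always have. The admin address is a placeholder.
$locked_options = array(
    'users_can_register' => '0',
    'default_role'       => 'subscriber',
    'admin_email'        => 'admin@example.com',
);

foreach ( $locked_options as $option => $locked_value ) {
    // pre_option_{$option} runs before the database read, so get_option()
    // returns the pinned value whatever is stored in wp_options.
    add_filter(
        "pre_option_{$option}",
        function () use ( $locked_value ) {
            return $locked_value;
        }
    );

    // pre_update_option_{$option} runs before the write. Returning the old
    // value turns update_option() into a no-op; the attempt is logged so a
    // compromised admin account or rogue plugin leaves a trace.
    add_filter(
        "pre_update_option_{$option}",
        function ( $new_value, $old_value ) use ( $option, $locked_value ) {
            if ( (string) $new_value !== (string) $locked_value ) {
                error_log( sprintf(
                    'Blocked attempt to change locked option "%s" (user ID %d)',
                    $option,
                    get_current_user_id()
                ) );
            }
            return $old_value;
        },
        10,
        2
    );
}
```

    Because the file sits in mu-plugins it cannot be deactivated from the dashboard, which is the point: the locks stay in place even if an admin account is taken over.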

  25. GOOD PRACTICES
    • Lock down registrations
    • List of admins
    • List of plugins & themes
    • Update policy
    • Edit code from your dashboard
    • Pingbacks
    • Lock down some options
    • Lock down dashboard access
    • XML-RPC access
    Audit of your WordPress use

  26. GOOD PRACTICES
    # Save as .htaccess and upload to the wp-admin/ folder.
    # Apache 2.2 access-control syntax (on Apache 2.4 it needs mod_access_compat).
    # Block access to wp-admin, except from your own IP address.
    Order deny,allow
    Allow from x.x.x.x
    Deny from all
    # Allow access to wp-admin/admin-ajax.php, which themes and plugins call from the front end.
    <Files admin-ajax.php>
        Order allow,deny
        Allow from all
        Satisfy any
    </Files>
    Lock down dashboard access

  27. GOOD PRACTICES
    • Lock down registrations
    • List of admins
    • List of plugins & themes
    • Update policy
    • Edit code from your dashboard
    • Pingbacks
    • Lock down some options
    • Lock down dashboard access
    • XML-RPC access
    Audit of your WordPress use

  28. GOOD PRACTICES
    // In a plugin: tells WordPress to refuse every XML-RPC request.
    add_filter( 'xmlrpc_enabled', '__return_false' );

    # In .htaccess: block the endpoint before PHP even runs.
    <Files xmlrpc.php>
        Order deny,allow
        Deny from all
    </Files>
    Disable XML-RPC

  29. BLOCK XML-RPC — IF YOU DON’T USE IT!

  30. LET’S TALK P@$$WORDS

  31. P@$$WORDS
    • Use a password manager
    • 1Password
    • Keepass
    A strong, unique password
    IF YOU CAN REMEMBER IT, IT’S NOT STRONG ENOUGH

  32. P@$$WORDS
    • SFTP instead of FTP
    • SSH Key pair instead of password
    • cPanel, phpMyAdmin
    • Domain registrar
    Make it hard everywhere

  33. P@$$WORDS
    • Use 2FA everywhere
    • In your WordPress dashboard
    • Authy
    • Google Authenticator
    • Clef
    • Jetpack
    Use 2 factor authentication

  34. P@$$WORDS
    • Free SSL with CloudFlare
    • letsencrypt.org
    Use HTTPS in the admin

  35. FIREWALLS
    Knock them down before they can get you

  36. FIREWALLS
    • WAF (Web Application Firewall)
    • Sucuri, CloudFlare, Incapsula, SiteLock
    • fail2ban, ModSecurity
    • Jetpack Protect
    • Your host, again
    Detect hackers before they get to your site

  37. PLUGINS
    Plenty of choice, your pick

  38. PLUGINS
    • iThemes Security
    • All In One WP Security
    • WordFence
    • Sucuri Security
    • Bulletproof Security
    Many good security plugins in the repo

  39. ALL SET!
    But don’t forget…

  40. MONITORING
    • Educate your clients: updating is important
    • Change passwords often
    • Monitor activity on the site
    • Use a backup service
    • Use a security scanning service
    Because you’re never done

  41. KEEP IN MIND

  42. 3 TIPS TO HELP YOU DODGE SOME BULLETS

  43. YOU ARE A TARGET

  44. AUDIT AND MONITOR

  45. Questions?
    Jeremy Herve | jeremy.hu | @jeherve
    jeremy.hu/wpbudapest-security/
