Keep your site safe

KEEP YOUR SITE SAFE A few important WordPress security principles

WHO? • Jeremy Herve • jeremy.hu • @jeherve • Jetpack
Mechanic at Automattic

WHAT IS SECURITY?

SECU-WHAT? • Scary • Seems complicated • Yet super important
Take the time to learn and understand.

SECU-WHAT? • Link injections • Defacement of your whole site
• Information gathering Take the time to learn and understand.

HACKERS’ GOALS Why do people want to get into my
site?

WHY? • Money • Hack other sites through your site
• Information gathering • Hacktivism • For the lulz What makes hackers tick

ATTACKS How do hackers try to get in?

HOW? • Targeted • Automated Different types of attacks MOST
ATTACKS ARE NOT PERSONAL

MISCONCEPTIONS

WRONG! • “I’m not a target” • “I’m safe, I
use X security plugin” • “I’m safe, I hide my WP version / log in page” • “WordPress is not secure” Common WP security misconceptions

GOOD PRACTICES

GOOD PRACTICES • PHP version • Specialized in WordPress •
Update policy • Brute Force prevention measures • SSH access Pick a good host

GOOD PRACTICES • Lock down registrations • List of admins
• List of plugins & themes • Update policy • Edit code from your dashboard • Pingbacks • Lock down some options • Lock down dashboard access • XML-RPC access Audit of your WordPress use

GOOD PRACTICES // Can't enable user registrations function jeherve_option_users_can_register( $value
) { return '0'; } add_filter( 'pre_option_users_can_register', 'jeherve_option_users_can_register' ); // Default role to subscriber function jeherve_option_default_role( $value ) { return 'subscriber'; } add_filter( 'pre_option_default_role', 'jeherve_option_default_role' ); Lock down registrations

GOOD PRACTICES • Don’t keep deactivated plugins • Is the
plugin maintained? • Who’s the maintainer? • How popular is it? Pick the right plugin / theme

INSTALL FROM TRUSTED SOURCES ONLY

GOOD PRACTICES // Don’t use the dashboard to edit code.
Really. define('DISALLOW_FILE_EDIT', true); Don’t edit code via wp-admin

GOOD PRACTICES // Force deactivate pingbacks function jeherve_deactivate_pings( $methods )
{ unset( $methods['pingback.ping'] ); return $methods; } add_filter( 'xmlrpc_methods', 'jeherve_deactivate_pings' ); Disable ping backs

GOOD PRACTICES // No one should be able to change
the admin email address function jeherve_option_admin_email( $value ) { return '[email protected]’; } add_filter( 'option_admin_email', 'jeherve_option_admin_email' ); Lock down some options

GOOD PRACTICES // save as .htaccess and upload to the
wp-admin/ folder # Block access to wp-admin. order deny,allow allow from x.x.x.x deny from all # Allow access to wp-admin/admin-ajax.php <Files admin-ajax.php> Order allow,deny Allow from all Satisfy any </Files> Lock down dashboard access

GOOD PRACTICES // In a plugin add_filter( ‘xmlrpc_enabled', ‘__return_false' );
// In .htaccess <Files xmlrpc.php> order deny,allow deny from all </Files> Disable XML-RPC

BLOCK XML-RPC — IF YOU DON’T USE IT!

LET’S TALK P@$$WORDS

P@$$WORDS • Use a password manager • 1Password • Keepass
A strong, unique password IF YOU CAN REMEMBER IT, IT’S NOT STRONG ENOUGH

P@$$WORDS • SFTP instead of FTP • SSH Key pair
instead of password • cPanel, PHPMyadmin • Domain registrar Make it hard everywhere

P@$$WORDS • Use 2FA everywhere • In your WordPress dashboard
• Authy • Google Authenticator • Clef • Jetpack Use 2 factor authentication

P@$$WORDS • Free SSL with CloudFlare • letsencrypt.org Use HTTPS
in the admin

FIREWALLS Knock them down before they can get you

FIREWALLS • WAF (Web Application Firewall) • Sucuri, CloudFlare, Incapsula,
SiteLock • fail2ban, ModSecurity • Jetpack Protect • Your host, again Detect hackers before they get to your site

PLUGINS Plenty of choice, your pick

PLUGINS • iThemes Security • All In One WP Security
• WordFence • Sucuri Security • Bulletproof Security Many good security plugins in the repo

ALL SET! But don’t forget…

MONITORING • Educate your clients: updating is important • Change
passwords often • Monitor activity on the site • Use a backup service • Use a security scanning service Because you’re never done

KEEP IN MIND

3 TIPS TO HELP YOU DODGE SOME BULLETS

YOU ARE A TARGET

AUDIT AND MONITOR

UPDATE

Questions? Jeremy Herve | jeremy.hu | @jeherve jeremy.hu/wpbudapest-security/

Keep your site safe

Keep your site safe

More Decks by Jeremy Herve

Other Decks in Technology

Featured

Transcript