KEEP YOUR SITE SAFE
A few important WordPress security principles
Slide 2
WHO?
• Jeremy Herve
• jeremy.hu
• @jeherve
• Jetpack Mechanic at Automattic
Slide 3
WHAT IS SECURITY?
Slide 5
SECU-WHAT?
• Scary
• Seems complicated
• Yet super important
Take the time to learn and understand.
Slide 6
SECU-WHAT?
• Link injections
• Defacement of your whole site
• Information gathering
Take the time to learn and understand.
Slide 7
HACKERS’ GOALS
Why do people want to get into my site?
Slide 9
WHY?
• Money
• Hack other sites through your site
• Information gathering
• Hacktivism
• For the lulz
What makes hackers tick
Slide 10
ATTACKS
How do hackers try to get in?
Slide 12
HOW?
• Targeted
• Automated
Different types of attacks
MOST ATTACKS ARE NOT PERSONAL
Slide 13
MISCONCEPTIONS
Slide 14
WRONG!
• “I’m not a target”
• “I’m safe, I use X security plugin”
• “I’m safe, I hide my WP version / login page”
• “WordPress is not secure”
Common WP security misconceptions
Slide 15
GOOD PRACTICES
Slide 17
GOOD PRACTICES
• PHP version
• Specialized in WordPress
• Update policy
• Brute Force prevention measures
• SSH access
Pick a good host
Slide 18
GOOD PRACTICES
• Lock down registrations
• List of admins
• List of plugins & themes
• Update policy
• Edit code from your dashboard
• Pingbacks
• Lock down some options
• Lock down dashboard access
• XML-RPC access
Audit of your WordPress use
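The audit slide above lists what to review but not how to pull it out of a site. The following must-use plugin is an added example written for this page (it is not the speaker's code): once a day it writes the current administrators, whether registration is open, whether the dashboard code editor is still enabled, and every inactive plugin and theme to the PHP error log, so the audit becomes a log line you can read or ship to a monitoring tool instead of a manual click-through. The plugin and cron hook names are assumptions.

```php
<?php
/**
 * Plugin Name: Site audit report (added example, not from the original slides)
 *
 * Drop into wp-content/mu-plugins/. Every day it logs the items the
 * "Audit of your WordPress use" slide asks you to review.
 */

// Gather the audit data. Plugin helpers live in wp-admin, so load them
// explicitly: WP-Cron runs on the front end where they are not included.
function example_collect_audit() {
	if ( ! function_exists( 'get_plugins' ) ) {
		require_once ABSPATH . 'wp-admin/includes/plugin.php';
	}

	// Who holds the keys: every account with the administrator role.
	$admins = array();
	foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
		$admins[] = $user->user_login;
	}

	// Deactivated plugins still ship code an attacker can reach; list them.
	$inactive_plugins = array();
	foreach ( get_plugins() as $plugin_file => $plugin_data ) {
		if ( ! is_plugin_active( $plugin_file ) ) {
			$inactive_plugins[] = $plugin_data['Name'];
		}
	}

	// Same for themes: keep the active theme and its parent, flag the rest.
	$inactive_themes = array();
	$current         = wp_get_theme();
	foreach ( wp_get_themes() as $theme ) {
		$slug = $theme->get_stylesheet();
		if ( $slug !== $current->get_stylesheet() && $slug !== $current->get_template() ) {
			$inactive_themes[] = $theme->get( 'Name' );
		}
	}

	return array(
		'administrators'     => $admins,
		'users_can_register' => (bool) get_option( 'users_can_register' ),
		'default_role'       => get_option( 'default_role' ),
		'file_edit_allowed'  => ! ( defined( 'DISALLOW_FILE_EDIT' ) && DISALLOW_FILE_EDIT ),
		'inactive_plugins'   => $inactive_plugins,
		'inactive_themes'    => $inactive_themes,
	);
}

// One log line per item, prefixed so it is easy to grep or alert on.
function example_write_audit() {
	foreach ( example_collect_audit() as $key => $value ) {
		error_log( sprintf( 'site-audit %s: %s', $key, wp_json_encode( $value ) ) );
	}
}
add_action( 'example_daily_audit', 'example_write_audit' );

// Schedule the daily run once; the check avoids stacking duplicate events.
if ( ! wp_next_scheduled( 'example_daily_audit' ) ) {
	wp_schedule_event( time(), 'daily', 'example_daily_audit' );
}
```

Anything that shows up in the `inactive_plugins` or `inactive_themes` lines is a candidate for deletion rather than deactivation, and a change in the `administrators` line between two days is the first thing to investigate.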
Slide 19
GOOD PRACTICES
// Can't enable user registrations
function jeherve_option_users_can_register( $value ) {
	return '0';
}
add_filter( 'pre_option_users_can_register', 'jeherve_option_users_can_register' );

// Default role to subscriber
function jeherve_option_default_role( $value ) {
	return 'subscriber';
}
add_filter( 'pre_option_default_role', 'jeherve_option_default_role' );
Lock down registrations
Slide 21
GOOD PRACTICES
• Don’t keep deactivated plugins
• Is the plugin maintained?
• Who’s the maintainer?
• How popular is it?
Pick the right plugin / theme
Slide 22
INSTALL FROM TRUSTED SOURCES ONLY
Slide 24
GOOD PRACTICES
// Don’t use the dashboard to edit code. Really.
// Add to wp-config.php: removes the theme and plugin editors from wp-admin.
define( 'DISALLOW_FILE_EDIT', true );
Don’t edit code via wp-admin
Slide 26
GOOD PRACTICES
// Force deactivate pingbacks by removing the method from the XML-RPC server
function jeherve_deactivate_pings( $methods ) {
	unset( $methods['pingback.ping'] );
	return $methods;
}
add_filter( 'xmlrpc_methods', 'jeherve_deactivate_pings' );
Disable pingbacks
Slide 28
GOOD PRACTICES
// No one should be able to change the admin email address
function jeherve_option_admin_email( $value ) {
	// The address shown on the slide was redacted; use the one that should own the site.
	return '[email protected]';
}
add_filter( 'option_admin_email', 'jeherve_option_admin_email' );
Lock down some options
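The registration slide and the admin-email slide each pin one option with its own `pre_option_` filter. As an added example that is not the speaker's code, the plugin below generalises both into a single table of locked options and also refuses writes, so that neither the settings screen nor a plugin calling `update_option()` can change them. It assumes WordPress 4.4 or later (the filters receive the option name as an extra argument from that version on); the plugin name and the placeholder address are assumptions.

```php
<?php
/**
 * Plugin Name: Locked options (added example, not from the original slides)
 *
 * Pins a set of options to fixed values. Reads always return the pinned
 * value and writes are silently discarded. Requires WordPress 4.4+.
 */

// Option name => the value it must always have. Adjust to your site.
function example_locked_options() {
	return array(
		'users_can_register' => '0',
		'default_role'       => 'subscriber',
		'admin_email'        => 'owner@example.com', // placeholder, not a real address
	);
}

// pre_option_{$option} runs before the database is read: returning anything
// other than false short-circuits the lookup, so even a tampered row in
// wp_options is never seen by the rest of WordPress.
function example_pin_option_value( $pre, $option ) {
	$locked = example_locked_options();
	return isset( $locked[ $option ] ) ? $locked[ $option ] : $pre;
}

// pre_update_option_{$option} receives the incoming value and the current one.
// Handing back the current value makes update_option() conclude that nothing
// changed, so it writes nothing and the settings form simply has no effect.
function example_refuse_option_update( $value, $old_value, $option ) {
	return $old_value;
}

foreach ( array_keys( example_locked_options() ) as $option ) {
	add_filter( 'pre_option_' . $option, 'example_pin_option_value', 10, 2 );
	add_filter( 'pre_update_option_' . $option, 'example_refuse_option_update', 10, 3 );
}
```

Because both hooks are registered from the same table, adding a line to `example_locked_options()` is all it takes to freeze another setting; keep the file in `wp-content/mu-plugins/` so it cannot be deactivated from the dashboard.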
Slide 30
GOOD PRACTICES
# Save as .htaccess and upload to the wp-admin/ folder.
# Block access to wp-admin: replace x.x.x.x with your own IP address.
order deny,allow
allow from x.x.x.x
deny from all

# Allow access to wp-admin/admin-ajax.php, which themes and plugins call from the front end.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>

# These are Apache 2.2 style directives; on Apache 2.4 they need mod_access_compat,
# or rewrite them with "Require ip x.x.x.x" and "Require all granted".
Lock down dashboard access
Slide 32
GOOD PRACTICES
// In a plugin
add_filter( 'xmlrpc_enabled', '__return_false' );

# In .htaccess, in the WordPress root folder
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>
Disable XML-RPC
Slide 33
BLOCK XML-RPC — IF YOU DON’T USE IT!
Slide 34
LET’S TALK P@$$WORDS
Slide 35
P@$$WORDS
• Use a password manager
• 1Password
• Keepass
A strong, unique password
IF YOU CAN REMEMBER IT, IT’S NOT STRONG ENOUGH
Slide 36
P@$$WORDS
• SFTP instead of FTP
• SSH Key pair instead of password
• cPanel, phpMyAdmin
• Domain registrar
Make it hard everywhere
Slide 37
P@$$WORDS
• Use 2FA everywhere
• In your WordPress dashboard
• Authy
• Google Authenticator
• Clef
• Jetpack
Use 2 factor authentication
Slide 38
P@$$WORDS
• Free SSL with CloudFlare
• letsencrypt.org
Use HTTPS in the admin
Slide 39
FIREWALLS
Knock them down before they can get you
Slide 41
FIREWALLS
• WAF (Web Application Firewall)
• Sucuri, CloudFlare, Incapsula, SiteLock
• fail2ban, ModSecurity
• Jetpack Protect
• Your host, again
Detect hackers before they get to your site
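fail2ban, listed on the slide above, only works if WordPress tells it about failed logins in a form it can parse. The plugin below is an added example written for this page (not the speaker's code and not the wp-fail2ban plugin): it hooks `wp_login_failed` and writes one syslog line per failure, so a fail2ban jail can count attempts per address and block repeat offenders at the firewall before their next request reaches PHP. The log line format, the `$trusted_proxy` switch and the plugin name are assumptions.

```php
<?php
/**
 * Plugin Name: Failed-login logger for fail2ban (added example, not from the original slides)
 *
 * Logs every failed WordPress login to the auth syslog facility in a fixed,
 * attacker-proof format that a fail2ban filter can match on.
 */

// Work out the client address. Only trust X-Forwarded-For when a proxy or CDN
// in front of the site is known to set it; otherwise anyone can send the
// header themselves and make the ban land on an address of their choosing.
function example_client_ip() {
	$trusted_proxy = false; // set to true only behind a CDN/WAF that overwrites this header
	$candidate     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';

	if ( $trusted_proxy && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
		$forwarded = explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] );
		$candidate = trim( $forwarded[0] );
	}

	// Never log an unvalidated string: the fail2ban regex expects a clean address.
	return filter_var( $candidate, FILTER_VALIDATE_IP ) ? $candidate : '0.0.0.0';
}

// Build the log line. The username is attacker controlled, so anything that
// could break the line format or forge a fake "from" field is replaced.
function example_failed_login_line( $username, $ip ) {
	$safe_user = preg_replace( '/[^A-Za-z0-9_.@-]/', '_', (string) $username );
	$safe_user = substr( $safe_user, 0, 60 );
	return sprintf( 'Authentication failure for %s from %s', $safe_user, $ip );
}

// wp_login_failed fires for every wrong username/password pair, including
// XML-RPC requests, so this also covers the brute force path many bots use.
function example_log_failed_login( $username ) {
	openlog( 'wordpress', LOG_NDELAY | LOG_PID, LOG_AUTH );
	syslog( LOG_NOTICE, example_failed_login_line( $username, example_client_ip() ) );
	closelog();
}
add_action( 'wp_login_failed', 'example_log_failed_login' );
```

On the fail2ban side, a filter whose `failregex` is `Authentication failure for .* from <HOST>` pointed at the auth log (the path and the matching jail settings depend on the distribution and are left to you) turns these lines into temporary firewall blocks after the configured number of attempts.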
Slide 42
PLUGINS
Plenty of choice, your pick
Slide 44
PLUGINS
• iThemes Security
• All In One WP Security
• WordFence
• Sucuri Security
• Bulletproof Security
Many good security plugins in the repo
Slide 45
ALL SET!
But don’t forget…
Slide 46
MONITORING
• Educate your clients: updating is important
• Change passwords often
• Monitor activity on the site
• Use a backup service
• Use a security scanning service
Because you’re never done
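"Monitor activity on the site" is easiest to act on when the site reports the few events that matter by itself. As an added example that is not the speaker's code, the plugin below emails the site owner whenever a new account is created or an existing account is promoted to administrator, which is how most takeovers of a WordPress site become persistent. The plugin name, the subject prefix and the message wording are assumptions.

```php
<?php
/**
 * Plugin Name: Privilege change alerts (added example, not from the original slides)
 *
 * Emails the owner when a user is created or gains the administrator role.
 */

// All alerts go to admin_email, the address the "lock down some options"
// slide pins so that an intruder cannot redirect these notifications.
function example_notify_owner( $subject, $body ) {
	return wp_mail( get_option( 'admin_email' ), '[security] ' . $subject, $body );
}

// Describe who performed the change: a logged-in user, or code running
// without a session (WP-CLI, cron, or a compromised plugin).
function example_describe_actor() {
	$actor = wp_get_current_user();
	$ip    = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'no remote address';
	if ( $actor->exists() ) {
		return sprintf( '%s (ID %d) from %s', $actor->user_login, $actor->ID, $ip );
	}
	return 'unauthenticated code from ' . $ip;
}

// set_user_role fires after WP_User::set_role() and passes the previous roles,
// so a real promotion can be told apart from a re-save of an existing admin.
function example_alert_on_admin_grant( $user_id, $role, $old_roles ) {
	if ( 'administrator' !== $role || in_array( 'administrator', (array) $old_roles, true ) ) {
		return;
	}
	$user = get_userdata( $user_id );
	example_notify_owner(
		'New administrator: ' . $user->user_login,
		sprintf(
			"Account %s (ID %d) was given the administrator role by %s.\nIf you did not do this, revert it and rotate every password on the site.",
			$user->user_login,
			$user_id,
			example_describe_actor()
		)
	);
}
add_action( 'set_user_role', 'example_alert_on_admin_grant', 10, 3 );

// user_register fires once the new account and its role exist in the database.
function example_alert_on_user_created( $user_id ) {
	$user = get_userdata( $user_id );
	example_notify_owner(
		'User created: ' . $user->user_login,
		sprintf(
			'Account %s (ID %d) was created with role(s) "%s" by %s.',
			$user->user_login,
			$user_id,
			implode( ', ', $user->roles ),
			example_describe_actor()
		)
	);
}
add_action( 'user_register', 'example_alert_on_user_created' );
```

Creating an administrator from the dashboard triggers both alerts, which is the intended redundancy: an alert you did not expect, from an actor you do not recognise, is the signal to act on.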
Slide 47
KEEP IN MIND
Slide 48
3 TIPS TO HELP YOU DODGE SOME BULLETS
Slide 49
YOU ARE A TARGET
Slide 50
AUDIT AND MONITOR
Slide 51
UPDATE
Slide 52
Questions?
Jeremy Herve | jeremy.hu | @jeherve
jeremy.hu/wpbudapest-security/