Slide 1

KEEP YOUR SITE SAFE
A few important WordPress security principles

Slide 2

WHO?
• Jeremy Herve
• jeremy.hu
• @jeherve
• Jetpack Mechanic at Automattic

Slide 3

WHAT IS SECURITY?

Slide 5

SECU-WHAT?
Take the time to learn and understand.
• Scary
• Seems complicated
• Yet super important

Slide 6

SECU-WHAT?
Take the time to learn and understand.
• Link injections
• Defacement of your whole site
• Information gathering

Slide 7

HACKERS’ GOALS Why do people want to get into my site?

Slide 9

WHY?
What makes hackers tick
• Money
• Hack other sites through your site
• Information gathering
• Hacktivism
• For the lulz

Slide 10

ATTACKS How do hackers try to get in?

Slide 12

HOW?
Different types of attacks
• Targeted
• Automated
MOST ATTACKS ARE NOT PERSONAL

Slide 13

MISCONCEPTIONS

Slide 14

WRONG!
Common WP security misconceptions
• “I’m not a target”
• “I’m safe, I use X security plugin”
• “I’m safe, I hide my WP version / login page”
• “WordPress is not secure”

Slide 15

GOOD PRACTICES

Slide 17

GOOD PRACTICES
Pick a good host
• PHP version
• Specialized in WordPress
• Update policy
• Brute Force prevention measures
• SSH access

Slide 18

GOOD PRACTICES
Audit of your WordPress use
• Lock down registrations
• List of admins
• List of plugins & themes
• Update policy
• Edit code from your dashboard
• Pingbacks
• Lock down some options
• Lock down dashboard access
• XML-RPC access

Slide 19

GOOD PRACTICES
Lock down registrations

    // Can't enable user registrations.
    // pre_option_* short-circuits get_option(), so the value stored in the
    // database (and anything saved from Settings > General) is never used.
    function jeherve_option_users_can_register( $value ) {
        return '0';
    }
    add_filter( 'pre_option_users_can_register', 'jeherve_option_users_can_register' );

    // Default role to subscriber, so a new account never starts with more rights.
    function jeherve_option_default_role( $value ) {
        return 'subscriber';
    }
    add_filter( 'pre_option_default_role', 'jeherve_option_default_role' );

Slide 21

GOOD PRACTICES
Pick the right plugin / theme
• Don’t keep deactivated plugins
• Is the plugin maintained?
• Who’s the maintainer?
• How popular is it?
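The checklist above, together with the audit items on slide 18 (list of admins, list of plugins and themes, update policy), can be produced automatically instead of by hand. The following must-use plugin is an added example written for this page, not code from the deck or from Jetpack; the jeherve_example_ names are hypothetical, and it assumes a standard single-site install where wp_mail() can deliver mail.

```php
<?php
/**
 * Plugin Name: Daily WordPress audit (added example, not from the deck)
 *
 * Save in wp-content/mu-plugins/. Once a day it mails the site owner the
 * items a manual audit would check: administrator accounts, deactivated
 * plugins still on disk, and plugin/theme updates not yet applied.
 */

function jeherve_example_audit_report() {
    require_once ABSPATH . 'wp-admin/includes/plugin.php'; // get_plugins(), is_plugin_active()
    require_once ABSPATH . 'wp-admin/includes/update.php'; // get_plugin_updates(), get_theme_updates()
    $lines = array();

    // Every administrator is a full-control login: each one must be known and needed.
    $lines[] = 'Administrator accounts:';
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $admin ) {
        $lines[] = sprintf( '  %s <%s>', $admin->user_login, $admin->user_email );
    }

    // A deactivated plugin is still code on disk and still reachable over HTTP: delete it.
    $lines[] = 'Deactivated plugins (delete or re-enable):';
    foreach ( get_plugins() as $file => $plugin ) {
        if ( ! is_plugin_active( $file ) ) {
            $lines[] = sprintf( '  %s %s (%s)', $plugin['Name'], $plugin['Version'], $file );
        }
    }

    // Anything with a pending update is running code with a known, already fixed problem.
    $lines[] = 'Pending updates:';
    foreach ( get_plugin_updates() as $file => $plugin ) {
        $lines[] = sprintf( '  plugin %s %s -> %s', $plugin->Name, $plugin->Version, $plugin->update->new_version );
    }
    foreach ( get_theme_updates() as $slug => $theme ) {
        $lines[] = sprintf( '  theme %s -> %s', $slug, $theme->update['new_version'] );
    }
    return implode( "\n", $lines );
}

function jeherve_example_mail_audit() {
    wp_mail( get_option( 'admin_email' ), 'Daily WordPress audit', jeherve_example_audit_report() );
}
add_action( 'jeherve_example_daily_audit', 'jeherve_example_mail_audit' );

// WP-Cron: schedule the event once; it fires on the first request after it is due.
if ( ! wp_next_scheduled( 'jeherve_example_daily_audit' ) ) {
    wp_schedule_event( time(), 'daily', 'jeherve_example_daily_audit' );
}
```

The update lists come from the transients WordPress already refreshes in the background, so the report costs nothing extra; a site with no traffic should trigger WP-Cron from a real cron job instead.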

Slide 22

INSTALL FROM TRUSTED SOURCES ONLY

Slide 24

GOOD PRACTICES
Don’t edit code via wp-admin

    // Don’t use the dashboard to edit code. Really.
    // Add to wp-config.php: removes the plugin and theme file editors from wp-admin,
    // so a stolen admin login cannot turn into arbitrary PHP on the server.
    define( 'DISALLOW_FILE_EDIT', true );

Slide 26

GOOD PRACTICES
Disable pingbacks

    // Force deactivate pingbacks: remove the pingback.ping method from the
    // list of XML-RPC methods the server is willing to answer.
    function jeherve_deactivate_pings( $methods ) {
        unset( $methods['pingback.ping'] );
        return $methods;
    }
    add_filter( 'xmlrpc_methods', 'jeherve_deactivate_pings' );

Slide 28

GOOD PRACTICES
Lock down some options

    // No one should be able to change the admin email address.
    // option_admin_email filters the value every time it is read,
    // so what is stored in the database no longer matters.
    function jeherve_option_admin_email( $value ) {
        return '[email protected]'; // your own address goes here
    }
    add_filter( 'option_admin_email', 'jeherve_option_admin_email' );
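Slides 19 and 28 pin an option on the read side only: a change submitted through the dashboard (or by a compromised plugin) is still written to the database, and nobody is told. The following must-use plugin is an added example that is not code from the deck or from Jetpack; it pins several options at once, refuses writes that would change them, and records each attempt in the PHP error log. The jeherve_example_ names and admin@example.com are placeholders.

```php
<?php
/**
 * Plugin Name: Lock sensitive options (added example, not from the deck)
 *
 * Save in wp-content/mu-plugins/ so it loads on every request and cannot be
 * deactivated from the dashboard. Values below are placeholders.
 */

// The options to pin, with the value each must always have.
function jeherve_example_locked_options() {
    return array(
        'users_can_register' => '0',                 // no self-registration
        'default_role'       => 'subscriber',        // never default to a higher role
        'admin_email'        => 'admin@example.com', // placeholder: use your own address
    );
}

// Read side: pre_option_* short-circuits get_option(), so the database value
// (and anything typed into Settings) is never used.
foreach ( array_keys( jeherve_example_locked_options() ) as $option ) {
    add_filter( 'pre_option_' . $option, function ( $pre ) use ( $option ) {
        $locked = jeherve_example_locked_options();
        return $locked[ $option ];
    } );
}

// Write side: pre_update_option runs before a value is saved. Returning the
// pinned value makes update_option() see "no change" and skip the write, and
// the attempt is recorded in the PHP error log for later review.
add_filter( 'pre_update_option', function ( $value, $option, $old_value ) {
    $locked = jeherve_example_locked_options();
    if ( ! isset( $locked[ $option ] ) ) {
        return $value; // not one of ours, let it through untouched
    }
    if ( $value !== $locked[ $option ] ) {
        $user = is_user_logged_in() ? wp_get_current_user()->user_login : 'anonymous';
        error_log( sprintf( 'Blocked attempt to set option "%s" to "%s" (user: %s)',
            $option, is_scalar( $value ) ? $value : gettype( $value ), $user ) );
    }
    return $locked[ $option ];
}, 10, 3 );
```

A blocked attempt in the error log is worth treating as an incident: legitimate administrators know the option is pinned, so the request came from someone or something else.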

Slide 30

GOOD PRACTICES
Lock down dashboard access

    # Save as .htaccess and upload to the wp-admin/ folder.
    # Block access to wp-admin from every address except your own (replace x.x.x.x).
    order deny,allow
    allow from x.x.x.x
    deny from all

    # Allow access to wp-admin/admin-ajax.php, which themes and plugins call
    # from the front end for anonymous visitors too. The <Files> container
    # limits the exception to that single file.
    <Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
    </Files>

Slide 32

GOOD PRACTICES
Disable XML-RPC

    // In a plugin: rejects XML-RPC logins, so no authenticated method works.
    add_filter( 'xmlrpc_enabled', '__return_false' );

    # In .htaccess: stops requests to xmlrpc.php at the web server, before PHP runs.
    <Files xmlrpc.php>
    order deny,allow
    deny from all
    </Files>

Slide 33

BLOCK XML-RPC — IF YOU DON’T USE IT!

Slide 34

LET’S TALK P@$$WORDS

Slide 35

P@$$WORDS
A strong, unique password
• Use a password manager
  • 1Password
  • Keepass
IF YOU CAN REMEMBER IT, IT’S NOT STRONG ENOUGH

Slide 36

P@$$WORDS
Make it hard everywhere
• SFTP instead of FTP
• SSH key pair instead of password
• cPanel, phpMyAdmin
• Domain registrar

Slide 37

P@$$WORDS
Use two-factor authentication
• Use 2FA everywhere
• In your WordPress dashboard
  • Authy
  • Google Authenticator
  • Clef
  • Jetpack

Slide 38

P@$$WORDS
Use HTTPS in the admin
• Free SSL with CloudFlare
• letsencrypt.org

Slide 39

FIREWALLS
Knock them down before they can get you

Slide 41

FIREWALLS
Detect hackers before they get to your site
• WAF (Web Application Firewall)
  • Sucuri, CloudFlare, Incapsula, SiteLock
• fail2ban, ModSecurity
• Jetpack Protect
• Your host, again

Slide 42

PLUGINS
Plenty of choice, your pick

Slide 44

PLUGINS
Many good security plugins in the repo
• iThemes Security
• All In One WP Security
• WordFence
• Sucuri Security
• Bulletproof Security

Slide 45

ALL SET!
But don’t forget…

Slide 46

MONITORING
Because you’re never done
• Educate your clients: updating is important
• Change passwords often
• Monitor activity on the site
• Use a backup service
• Use a security scanning service

Slide 47

KEEP IN MIND

Slide 48

3 TIPS TO HELP YOU DODGE SOME BULLETS

Slide 49

YOU ARE A TARGET

Slide 50

AUDIT AND MONITOR

Slide 51

UPDATE

Slide 52

Questions?
Jeremy Herve | jeremy.hu | @jeherve
jeremy.hu/wpbudapest-security/