Securing Your WordPress Site
Shawn Hooper
Rochester WordPress Meetup, January 2024
Slide 2
Hello!
Director of Engineering & Security at Actionable.co.
Freelance Developer, Code Reviewer & Web Host
WordPress Core Contributor & Plugin Author
Organizer of WordCamp Ottawa & WordCamp Canada. Spoken at WordPress events in Canada, the United States and Australia
Blog & Email Newsletter at ShawnHooper.ca
Mastodon @[email protected]
Slide 3
What we’ll cover
What do we mean by security?
Is WordPress secure?
Recommendations for Users
Recommendations for Developers
Slide 4
What do we mean when we talk about Security?
Slide 5
CIA
Slide 6
CIA
Confidentiality
Slide 7
CIA
Confidentiality
Integrity
Slide 8
CIA
Confidentiality
Integrity
Availability
Slide 9
What kinds of attacks are there?
Backdoors
Brute Force
Redirects
Cross Site Scripting (XSS)
Denial of Service
Slide 10
WordPress Core is secure
Slide 11
The risk usually lies in:
Server Configuration
Plugins
Themes
Bad User Practices
Slide 12
But with 62% of the CMS market share, it’s a huge target for hackers!
Slide 13
So What Can We Do ?
Slide 14
So What Can We Do ?
Let’s look at how to secure WordPress as:
A User
A System/Server Administrator
A Developer
An Information Security Professional
Slide 15
A User’s Perspective
Slide 16
Choose Wisely
The largest source of problems in WordPress security comes from the theme & plugin ecosystem.
Choose your themes & plugins wisely!
Slide 17
Choose Wisely
Are they regularly maintained?
Do the authors respond to support questions promptly?
Are they popular?
Backups
WordPress Core
WordPress Plugins
WordPress Themes
Media Library (“Uploads”)
MySQL Database
Slide 22
Backups
I like:
UpdraftPlus (Freemium)
Slide 23
Admin Login
Older versions of WordPress came with an “admin” login by default.
This became a default target for attacks. Use a different username if you’d like. It doesn’t provide much added security, though.
Slide 24
Passwords
Of course, please use secure passwords.
password123 is not secure.
Slide 25
2 Factor Auth
Slide 26
Use Email As Login
WordPress defaults to a username login
Usernames are fairly discoverable in WordPress
The Email Login plugin forces login using an
email address instead.
https://wordpress.org/plugins/wp-email-login/
Slide 27
Least Privilege
Only give users the permissions they need to do their jobs.
Subscriber - Can Read
Contributor - Can Write, but not publish
Author - Can Publish their own Posts
Editor - Can Publish Anyone’s Posts & Pages
Administrator - Can modify site configuration
Slide 28
Security Plugins
Install one security suite. These plugins provide
many security improvements to your site.
I like WordFence.
Server Configuration
Some of these recommendations can be done by users too, but they’re not things you do IN WordPress.
Slide 32
Enable HTTPS
There’s no reason these days for your website not to be secured by SSL. LetsEncrypt offers free certificates, and many web hosts have this as a one-click install option.
Slide 33
Enable SFTP
Secure File Transfer Protocol (SFTP) is file transfer over an SSH connection.
If you’re going to give users FTP access to their sites, this is the best way to do it.
Block Some PHP Execution
No PHP Execution in Uploads Folder:
No Execution of Config File:
Slide 36
Disable File Editor
Slide 37
Disable File Editor
Add to wp-config.php:
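The slide's own snippet did not survive extraction. As an added example (not the deck's code), this is the wp-config.php constant WordPress reads to disable the file editor; DISALLOW_FILE_EDIT and DISALLOW_FILE_MODS are the real constant names, and the placement above the "stop editing" line is what wp-config.php expects.

```php
<?php
// Added example, not the slide's own snippet. DISALLOW_FILE_EDIT and
// DISALLOW_FILE_MODS are the real WordPress constants; everything else here
// is illustrative placement inside wp-config.php.

// Removes Appearance > Theme File Editor and Plugins > Plugin File Editor
// from the dashboard, so an attacker who obtains an admin session cannot use
// the editor to write arbitrary PHP into the site.
define( 'DISALLOW_FILE_EDIT', true );

// Stricter, optional: also blocks installing and updating plugins, themes and
// core from within WordPress (including background updates). Only use it when
// deployments go through version control or WP-CLI instead of the dashboard.
// define( 'DISALLOW_FILE_MODS', true );

// Both defines must sit above this line, which wp-config.php already contains.
/* That's all, stop editing! Happy publishing. */
```

Check it took effect by reloading the dashboard as an administrator: the two editor menu entries disappear, and `wp config get DISALLOW_FILE_EDIT` (WP-CLI) reports `1`.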
Slide 38
Disable XML-RPC
There are also plugins to do this,
but doing so at the server side is recommended.
Slide 39
Keep Sites Isolated
If you’re running multiple sites on the same server, keep them in separate home directories, running as separate users.
This helps prevent cross-contamination of sites in the event of a hack.
Slide 40
Checksum Validation
Using WP-CLI, see if files have been modified:
wp core verify-checksums
wp plugin verify-checksums --all
Slide 41
Developer’s Perspective
Slide 42
Sanitization & Validation
Slide 43
Sanitization & Validation
There are many functions to do input sanitization:
sanitize_title()
sanitize_user()
balance_tags()
tag_escape()
is_email()
sanitize_html_class()
array_map()
sanitize_email()
sanitize_file_name()
sanitize_term()
sanitize_term_field()
sanitize_key()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_text_field()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_meta()
Slide 44
Validation
Are values of the correct type? Do they have the expected values?
$quantity = intval( $_POST['quantity'] );
or
$quantity = absint( $_POST['quantity'] );
if ( $quantity > 10 ) {
    die( 'Quantity Out of Range' );
}
Escaping HTML
wp_rel_nofollow( $html );
Adds rel=“nofollow” to every link in the HTML fragment.
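The deck treats sanitization, validation and escaping as three separate slides. The following added example (not the deck's code, and not from any named plugin) shows them in one request handler, using functions from the list above plus the escaping functions WordPress provides for output. The `myplugin_` names, the option name, the nonce action and the form fields are assumptions made for illustration.

```php
<?php
// Added example, not from the slides. Hypothetical plugin code: the
// 'myplugin_' function names, the option name, the nonce action and the
// form field names are assumptions made for illustration.

// Handles a POSTed order form: sanitize, then validate, then store.
function myplugin_handle_order_form() {
    // Least privilege: require a capability, not merely a logged-in user.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // Nonce check (assumed action name): rejects forms not issued by this site.
    check_admin_referer( 'myplugin_order' );

    // 1. Sanitize: coerce every field to the shape it is supposed to have.
    //    wp_unslash() undoes the slashes WordPress adds to superglobals.
    $quantity = isset( $_POST['quantity'] ) ? absint( wp_unslash( $_POST['quantity'] ) ) : 0;
    $email    = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $note     = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
    // array_map() is how a sanitizer is applied to every element of an array field.
    $tags = ( isset( $_POST['tags'] ) && is_array( $_POST['tags'] ) )
        ? array_map( 'sanitize_key', wp_unslash( $_POST['tags'] ) )
        : array();

    // 2. Validate: sanitized input can still be the wrong value.
    if ( $quantity < 1 || $quantity > 10 ) {
        wp_die( 'Quantity out of range' );
    }
    if ( '' === $email || ! is_email( $email ) ) {
        wp_die( 'Invalid email address' );
    }

    // 3. Store the cleaned values; escaping is deferred to output time.
    update_option( 'myplugin_last_order', compact( 'quantity', 'email', 'note', 'tags' ) );
    wp_safe_redirect( admin_url( 'admin.php?page=myplugin&saved=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_order', 'myplugin_handle_order_form' );

// Renders the stored order. Escaping happens here, with the function that
// matches the HTML context each value lands in.
function myplugin_render_last_order() {
    $order = get_option( 'myplugin_last_order', array() );
    if ( empty( $order ) ) {
        return;
    }
    // Text node inside an element.
    echo '<p>Quantity: ' . esc_html( $order['quantity'] ) . '</p>';
    // Attribute value.
    echo '<input type="text" name="note" value="' . esc_attr( $order['note'] ) . '">';
    // URL in an href (mailto: is an allowed protocol), then the same value as text.
    echo '<a href="' . esc_url( 'mailto:' . $order['email'] ) . '">'
        . esc_html( $order['email'] ) . '</a>';
    // Each array element escaped individually before joining.
    echo '<p>Tags: ' . implode( ', ', array_map( 'esc_html', $order['tags'] ) ) . '</p>';
}
```

The split matters: sanitizing on the way in keeps bad data out of the database, but only escaping on the way out, chosen per context (text, attribute, URL), stops stored values from being rendered as markup or script. A `<script>` tag submitted in the note field is reduced to its text by `sanitize_text_field()` and, even if it had survived, `esc_attr()` would render it inert.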
Slide 49
Sanitization & Escaping
For the official documentation on WordPress’ Validation & Sanitization Functions, see:
https://developer.wordpress.org/apis/security/data-validation/
https://developer.wordpress.org/apis/security/sanitizing/
https://developer.wordpress.org/apis/security/escaping/
Slide 50
Working with the Database
Use $wpdb
Slide 51
Working with the Database
$wpdb->insert(
    'table_name',
    array(
        'column1' => 'value1',
        'column2' => 123
    ),
    array(
        '%s',
        '%d'
    )
);
Custom queries should be written using the $wpdb->prepare() function. Placeholders are not wrapped in quotes: $wpdb->prepare() quotes and escapes %s itself.
$safeSQL = $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}tablename WHERE col1 = %s AND col2 = %d", $sParam, $iParam );
$wpdb->query( $safeSQL );
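As an added example that is not from the slides, here is a fuller version of the $wpdb pattern above: a read with a LIKE clause and a caller-chosen sort column, and a write through $wpdb->insert() with its format array. The `{$wpdb->prefix}orders` table, its columns and the `myplugin_` function names are assumptions.

```php
<?php
// Added example, not from the slides. Hypothetical: the {$wpdb->prefix}orders
// table and its columns (id, customer_email, status, total) are assumptions.

function myplugin_find_orders( $email_fragment, $status, $min_total, $orderby = 'id' ) {
    global $wpdb;
    $table = $wpdb->prefix . 'orders';

    // Unsafe pattern, shown only for contrast: input concatenated into SQL.
    // $sql = "SELECT * FROM $table WHERE customer_email LIKE '%$email_fragment%'";

    // Placeholders cannot stand in for identifiers, so ORDER BY is allow-listed.
    // sanitize_sql_orderby() (from the list of sanitizers) only checks the
    // "col ASC, col2 DESC" syntax, not that the column exists, so an explicit
    // list is still required.
    $allowed_orderby = array( 'id', 'total', 'status' );
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }

    // esc_like() escapes % and _ inside the value so they match literally;
    // the wildcards we actually want are added afterwards.
    $like = '%' . $wpdb->esc_like( $email_fragment ) . '%';

    // prepare(): %s, %d and %f are quoted/cast by WordPress, so never wrap
    // them in quotes yourself. The table name comes from $wpdb->prefix, not
    // from user input, which is why it may be interpolated.
    $sql = $wpdb->prepare(
        "SELECT id, customer_email, status, total
           FROM {$table}
          WHERE customer_email LIKE %s
            AND status = %s
            AND total >= %f
          ORDER BY {$orderby} DESC
          LIMIT %d",
        $like,
        $status,
        (float) $min_total,
        50
    );

    return $wpdb->get_results( $sql, ARRAY_A );
}

// Writes go through insert() with a format array: every value is forced to
// the declared type ('%s', '%d', '%f') before it reaches MySQL.
function myplugin_record_order( $email, $status, $total ) {
    global $wpdb;
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'orders',
        array(
            'customer_email' => sanitize_email( $email ),
            'status'         => sanitize_key( $status ),
            'total'          => (float) $total,
        ),
        array( '%s', '%s', '%f' )
    );
    // insert() returns false on failure; otherwise expose the new row id.
    return ( false === $inserted ) ? 0 : (int) $wpdb->insert_id;
}
```

With the unsafe line, a fragment such as `x' OR '1'='1` would change the query's meaning; with prepare() it is passed as one quoted string and matches nothing, and a sort column outside the allow-list silently falls back to `id`.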
Slide 54
WP Coding Standards
WordPress has documented coding standards that apply to its PHP,
JavaScript, HTML, CSS and Accessibility components.
https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/
https://developer.wordpress.org/coding-standards/wordpress-coding-standards/html/
https://developer.wordpress.org/coding-standards/wordpress-coding-standards/css/
https://developer.wordpress.org/coding-standards/wordpress-coding-standards/javascript/
Slide 55
IT Security Professional’s Perspective
Slide 56
Responsible Disclosure
Don’t bring more attention to security vulnerabilities in public forums, blog posts, chats, or issue trackers without giving developers a reasonable chance to patch it first.
Slide 57
Responsible Disclosure
Automattic participates in HackerOne, a platform for securely reporting vulnerabilities. And yes, they offer bounties!
WordPress.com Hosted Sites:
https://hackerone.com/automattic
Slide 58
Responsible Disclosure
WordPress participates in HackerOne, a platform for securely reporting vulnerabilities. And yes, they offer bounties!
The WordPress Open-Source Core Code
https://hackerone.com/wordpress/
Slide 59
Responsible Disclosure
WordFence runs a bug bounty program for all themes and
plugins with at least 50,000 active installs.
WordFence Bug Bounty Program
https://www.wordfence.com/threat-intel/bug-bounty-program/
Slide 60
Responsible Disclosure
Find a problem with a theme or plugin? Try contacting the authors directly. If you can’t, email:
Plugins & Themes
[email protected]
Slide 61
Blog & Email Newsletter at ShawnHooper.ca
Mastodon @[email protected]
THANK YOU!