Slide 1

Slide 1 text

Securing Your WordPress Site Shawn Hooper Rochester WordPress Meetup January 2024

Slide 2

Slide 2 text

Hello! Director of Engineering & Security at Actionable.co. Freelance Developer, Code Reviewer & Web Host. WordPress Core Contributor & Plugin Author. Organizer of WordCamp Ottawa & WordCamp Canada. Spoken at WordPress events in Canada, the United States and Australia. Blog & Email Newsletter at ShawnHooper.ca. Mastodon @[email protected]

Slide 3

Slide 3 text

What we’ll cover
What do we mean by security?
Is WordPress secure?
Recommendations for Users
Recommendations for Developers

Slide 4

Slide 4 text

What do we mean when we talk about Security?

Slide 5

Slide 5 text

CIA

Slide 6

Slide 6 text

CIA: Confidentiality

Slide 7

Slide 7 text

CIA: Confidentiality, Integrity

Slide 8

Slide 8 text

CIA: Confidentiality, Integrity, Availability

Slide 9

Slide 9 text

What kinds of attacks are there?
Backdoors
Brute Force
Redirects
Cross Site Scripting (XSS)
Denial of Service

Slide 10

Slide 10 text

WordPress Core is secure

Slide 11

Slide 11 text

The risk usually lies in:
Server Configuration
Plugins
Themes
Bad User Practices

Slide 12

Slide 12 text

But with 62% of the CMS market share, it’s a huge target for hackers!

Slide 13

Slide 13 text

So What Can We Do?

Slide 14

Slide 14 text

So What Can We Do? Let’s look at how to secure WordPress as:
A User
A System/Server Administrator
A Developer
An Information Security Professional

Slide 15

Slide 15 text

A User’s Perspective

Slide 16

Slide 16 text

Choose Wisely
The largest source of problems in WordPress security is the Theme & Plugin Ecosystem. Choose your themes & plugins wisely!

Slide 17

Slide 17 text

Choose Wisely
Are they regularly maintained?
Do the author(s) respond to support questions promptly?
Are they popular?

Slide 18

Slide 18 text

No content

Slide 19

Slide 19 text

Keep It Updated!
WordPress Core (w/ Automatic Updates!)
WordPress Plugins (w/ Automatic Updates)
WordPress Themes

Slide 20

Slide 20 text

No content

Slide 21

Slide 21 text

Backups
WordPress Core
WordPress Plugins
WordPress Themes
Media Library (“Uploads”)
MySQL Database

Slide 22

Slide 22 text

Backups I like: UpdraftPlus (Freemium)

Slide 23

Slide 23 text

Admin Login
Older versions of WordPress came with an “admin” login by default. This became a default target for attacks. Use a different username if you’d like. It doesn’t provide much added security, though.

Slide 24

Slide 24 text

Passwords
Of course, please use secure passwords. password123 is not secure.

Slide 25

Slide 25 text

2 Factor Auth

Slide 26

Slide 26 text

Use Email As Login
WordPress defaults to a username login. Usernames are fairly discoverable in WordPress. The Email Login plugin forces login using an email address instead.
https://wordpress.org/plugins/wp-email-login/

Slide 27

Slide 27 text

Least Privilege
Only give users the permissions they need to do their jobs.
Subscriber - Can Read
Contributor - Can Write, but not publish
Author - Can Publish their own Posts
Editor - Can Publish Anyone’s Posts & Pages
Administrator - Can modify site configuration

Slide 28

Slide 28 text

Security Plugins Install one security suite. These plugins provide many security improvements to your site. I like WordFence.

Slide 29

Slide 29 text

Security Plugins do:
Limit Login Attempts
File Monitoring
Security Auditing
Malware Scanning
Change Default URLs
404 Detection
Strong Password Enforcement
Temporary Site Lockout (“Away Mode”)
Permissions Monitoring
WordPress Version Hiding

Slide 30

Slide 30 text

System/Server Administrator’s Perspective

Slide 31

Slide 31 text

Server Configuration
Some of these recommendations can be done by users too. But they’re not things you do IN WordPress.

Slide 32

Slide 32 text

Enable HTTPS
There’s no reason these days for your website not to be secured by SSL. LetsEncrypt offers free certificates, and many web hosts have this as a one-click install option.

Slide 33

Slide 33 text

Enable SFTP Secure File Transfer Protocol (SFTP) is FTP over SSH. If you’re going to give users FTP access to their sites, this is the best way to do it.

Slide 34

Slide 34 text

File & Folder Permissions
Directories - 755
Files - 644
Slide 35

Slide 35 text

Block Some PHP Execution
No PHP Execution in Uploads Folder:
No Execution of Config File:

Slide 36

Slide 36 text

Disable File Editor

Slide 37

Slide 37 text

Disable File Editor
Add to wp-config.php:
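The constant this slide refers to, shown here as an added example rather than the deck’s own snippet; DISALLOW_FILE_EDIT is the constant WordPress documents for turning off the dashboard file editors:

```php
<?php
// Added example (not from the slides). Place this in wp-config.php above the
// "That's all, stop editing!" line so it is defined before WordPress loads.
//
// DISALLOW_FILE_EDIT removes Appearance > Theme File Editor and
// Plugins > Plugin File Editor from the dashboard, so a stolen or
// phished administrator session can no longer use the admin UI to
// write PHP into the site's theme or plugin files.
define( 'DISALLOW_FILE_EDIT', true );
```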

Slide 38

Slide 38 text

Disable XML-RPC
There are also plugins to do this, but doing so at the server side is recommended.

Slide 39

Slide 39 text

Keep Sites Isolated
If you’re running multiple sites on the same server, keep them in separate home directories running as separate users. This helps prevent cross-contamination of sites in the event of a hack.

Slide 40

Slide 40 text

Checksum Validation
Using WP-CLI, see if files have been modified:

    wp core verify-checksums
    wp plugin verify-checksums --all

Slide 41

Slide 41 text

Developer’s Perspective

Slide 42

Slide 42 text

Sanitization & Validation

Slide 43

Slide 43 text

Sanitization & Validation
There is a pile of functions to do input sanitization:
sanitize_title()
sanitize_user()
balance_tags()
tag_escape()
is_email()
sanitize_html_class()
array_map()
sanitize_email()
sanitize_file_name()
sanitize_term()
sanitize_term_field()
sanitize_key()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_text_field()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_meta()

Slide 44

Slide 44 text

Validation
Are values of the correct type? Do they have the expected values?

    $quantity = intval( $_POST['quantity'] );

or

    $quantity = absint( $_POST['quantity'] ); // absint() also rejects negatives

    if ( $quantity > 10 ) {
        die( 'Quantity Out of Range' );
    }

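A complete request handler that applies the validation and sanitization functions from the last two slides together, written as an added example (not code from the deck); the field names, the option name and the `meetup_order` action are assumptions made for the illustration:

```php
<?php
// Added example (not from the slides): an admin-post.php handler that applies
// the validation and sanitization steps described above. The field names
// (quantity, note, contact_email, tags) and the action name "meetup_order"
// are assumptions made for this illustration.

add_action( 'admin_post_meetup_order', 'meetup_handle_order' );

function meetup_handle_order() {
	// Authorization first: a valid nonce, and a capability the caller must hold
	// (least privilege: check the capability, not the role name).
	check_admin_referer( 'meetup_order_nonce' );
	if ( ! current_user_can( 'edit_posts' ) ) {
		wp_die( 'You are not allowed to do that.', 403 );
	}

	// Validation: coerce to the expected type, then check the expected range.
	// absint() turns "-5" into 5 and "abc" into 0; the range check below
	// rejects both instead of letting them through as a quantity.
	$quantity = isset( $_POST['quantity'] ) ? absint( $_POST['quantity'] ) : 0;
	if ( $quantity < 1 || $quantity > 10 ) {
		wp_die( 'Quantity Out of Range' );
	}

	// Sanitization: sanitize_text_field() strips tags and line breaks from
	// free text; sanitize_email() removes illegal characters and is_email()
	// then confirms that what is left is actually an address.
	$note  = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';
	$email = isset( $_POST['contact_email'] ) ? sanitize_email( wp_unslash( $_POST['contact_email'] ) ) : '';
	if ( ! is_email( $email ) ) {
		wp_die( 'Please supply a valid e-mail address.' );
	}

	// array_map() applies one sanitizer to every element of an array input,
	// which is why it appears in the list of sanitization helpers above.
	$tags = ( isset( $_POST['tags'] ) && is_array( $_POST['tags'] ) )
		? array_map( 'sanitize_key', wp_unslash( $_POST['tags'] ) )
		: array();

	update_option( 'meetup_last_order', array(
		'quantity' => $quantity,
		'note'     => $note,
		'email'    => $email,
		'tags'     => $tags,
	), false );

	wp_safe_redirect( add_query_arg( 'saved', '1', admin_url() ) );
	exit;
}
```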

Slide 45

Slide 45 text

Escaping Text
esc_html( $string );
esc_html__( $string, $domain );

Slide 46

Slide 46 text

Escaping Text
esc_attr( $text );
esc_attr__( $text, $domain );
Escaping a string for use in an HTML attribute tag.

Slide 47

Slide 47 text

Escaping Text

    $allowed_html = array(
        'a' => array(
            'href'  => array(),
            'title' => array()
        ),
        'br'     => array(),
        'em'     => array(),
        'strong' => array()
    );
    wp_kses( $fragment, $allowed_html, $protocols );

Slide 48

Slide 48 text

Escaping HTML
wp_rel_nofollow( $html );
Adds rel="nofollow" to every link in the HTML fragment.
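One template fragment that puts each escaping function from the last four slides in the context it is meant for, as an added example (not from the deck); the four input variables are constructed, untrusted-looking values:

```php
<?php
// Added example (not from the slides). $author, $url, $title and $bio stand
// for untrusted input such as user profile fields; the values are constructed.
$author = 'Shawn <script>alert(1)</script>';
$url    = 'javascript:alert(1)';
$title  = 'Say "hi" to me';
$bio    = '<strong>Dev</strong> <a href="https://example.com" onclick="steal()">site</a> <img src=x onerror=steal()>';

// Text between tags: esc_html() converts < > & " ' to entities, so the
// <script> element in $author is displayed as text, not executed.
echo '<h1>Hello ' . esc_html( $author ) . '!</h1>';

// Attribute values: esc_attr() encodes the double quote so the value cannot
// close the attribute early; esc_url() rejects schemes that are not in the
// allowed protocol list (javascript: here) and returns an empty string.
printf(
	'<a href="%s" title="%s">Profile</a>',
	esc_url( $url ),
	esc_attr( $title )
);

// Rich text: wp_kses() keeps only the allowed tags and attributes. The
// onclick handler is dropped from <a> and the <img> is removed entirely,
// while <strong> and the href survive. Using the same allowlist as the
// wp_kses() slide; wp_rel_nofollow() then marks the remaining link.
$allowed_html = array(
	'a'      => array( 'href' => array(), 'title' => array() ),
	'br'     => array(),
	'em'     => array(),
	'strong' => array(),
);
echo wp_rel_nofollow( wp_kses( $bio, $allowed_html ) );
```

Escape at output time, in the function that matches the context (HTML text, attribute, URL), rather than once at input time; the same stored value is usually emitted in more than one context.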

Slide 49

Slide 49 text

Sanitization & Escaping
For the official documentation on WordPress’ Validation & Sanitization Functions, see:
https://developer.wordpress.org/apis/security/data-validation/
https://developer.wordpress.org/apis/security/sanitizing/
https://developer.wordpress.org/apis/security/escaping/

Slide 50

Slide 50 text

Working with the Database Use $wpdb

Slide 51

Slide 51 text

Working with the Database

    $wpdb->insert(
        'table_name',
        array(
            'column1' => 'value1',
            'column2' => 123
        ),
        array( '%s', '%d' )
    );

Slide 52

Slide 52 text

Working with the Database

    $wpdb->update(
        'table',
        array(
            'column1' => 'value1',
            'column2' => 'value2'
        ),
        array( 'ID' => 1 ),
        array(
            '%s', // value1
            '%d'  // value2
        ),
        array( '%d' )
    );

Slide 53

Slide 53 text

Working with the Database
Custom queries should be written using the $wpdb->prepare() function.

    // Placeholders are written bare (%s, not '%s'); prepare() adds the quoting itself.
    $safeSQL = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}tablename WHERE col1 = %s AND col2 = %d",
        $sParam,
        $iParam
    );
    $wpdb->query( $safeSQL );
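Two cases the basic prepare() call does not cover, LIKE patterns and IN lists, as an added example (not code from the deck); the table `meetup_orders` and its columns are assumptions:

```php
<?php
// Added example (not from the slides): two helpers that keep user-controlled
// values out of the SQL string with $wpdb->prepare(). The table name
// "meetup_orders" and its columns are assumptions.

/**
 * Orders whose note contains $needle, newest first.
 *
 * LIKE needs two steps: esc_like() neutralizes % and _ in the user's text
 * (otherwise a bare "%" would match every row), then prepare() quotes the
 * result. Placeholders stay bare (%s, not '%s'); prepare() adds the quotes.
 */
function meetup_search_orders( $needle, $limit = 20 ) {
	global $wpdb;
	$table = $wpdb->prefix . 'meetup_orders';
	$like  = '%' . $wpdb->esc_like( $needle ) . '%';
	$sql   = $wpdb->prepare(
		"SELECT id, note, quantity FROM {$table} WHERE note LIKE %s ORDER BY id DESC LIMIT %d",
		$like,
		absint( $limit )
	);
	return $wpdb->get_results( $sql );
}

/**
 * Orders matching a list of ids, e.g. from a multi-select form field.
 *
 * prepare() has no placeholder for a list, so build one %d per element;
 * the ids themselves are still passed as arguments, never concatenated.
 */
function meetup_orders_by_id( array $ids ) {
	global $wpdb;
	$ids = array_map( 'absint', $ids );
	$ids = array_filter( $ids ); // drop the zeros left by non-numeric input
	if ( empty( $ids ) ) {
		return array();
	}
	$table        = $wpdb->prefix . 'meetup_orders';
	$placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
	$sql          = $wpdb->prepare(
		"SELECT id, note, quantity FROM {$table} WHERE id IN ({$placeholders})",
		$ids
	);
	return $wpdb->get_results( $sql );
}
```

Column and table names cannot be passed as placeholders; keep them as literals in code, or run user-supplied sort columns through sanitize_sql_orderby() from the function list above.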

Slide 54

Slide 54 text

WP Coding Standards
WordPress has documented coding standards that apply to its PHP, JavaScript, HTML, CSS and Accessibility components.
https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/
https://developer.wordpress.org/coding-standards/wordpress-coding-standards/html/
https://developer.wordpress.org/coding-standards/wordpress-coding-standards/css/
https://developer.wordpress.org/coding-standards/wordpress-coding-standards/javascript/

Slide 55

Slide 55 text

IT Security Professional’s Perspective

Slide 56

Slide 56 text

Responsible Disclosure
Don’t bring more attention to security vulnerabilities in public forums, blog posts, chats, or issue trackers without giving developers a reasonable chance to patch them first.

Slide 57

Slide 57 text

Responsible Disclosure
Automattic participates in HackerOne, a platform for securely reporting vulnerabilities. And yes, they offer bounties!
WordPress.com Hosted Sites: https://hackerone.com/automattic

Slide 58

Slide 58 text

Responsible Disclosure
WordPress participates in HackerOne, a platform for securely reporting vulnerabilities. And yes, they offer bounties!
The WordPress Open-Source Core Code: https://hackerone.com/wordpress/

Slide 59

Slide 59 text

Responsible Disclosure
WordFence runs a bug bounty program for all themes and plugins with at least 50,000 active installs.
WordFence Bug Bounty Program: https://www.wordfence.com/threat-intel/bug-bounty-program/

Slide 60

Slide 60 text

Responsible Disclosure
Find a problem with a theme or plugin? Try contacting the authors directly. If you can’t, email:
Plugins & Themes: [email protected]

Slide 61

Slide 61 text

Blog & Email Newsletter at ShawnHooper.ca Mastodon @[email protected] THANK YOU!