
Securing Your WordPress Site

Shawn Hooper
February 15, 2018

An introduction to securing WordPress websites.

- Originally delivered to the Ottawa OWASP Meetup in February 2018.
- Last Updated January 2024 for the Rochester WordPress meetup


Transcript

  1. Hello!
    Director of Engineering & Security at Actionable.co. Freelance developer, code reviewer & web host. WordPress Core contributor & plugin author. Organizer of WordCamp Ottawa & WordCamp Canada. Spoken at WordPress events in Canada, the United States and Australia. Blog & email newsletter at ShawnHooper.ca. Mastodon: @[email protected]
  2. What we'll cover
    What do we mean by security?
    Is WordPress secure?
    Recommendations for users
    Recommendations for developers
  3. CIA
    Confidentiality, Integrity, Availability: the three properties "security" protects.

  4. What kinds of attacks are there?
    Backdoors
    Brute force
    Redirects
    Cross-Site Scripting (XSS)
    Denial of Service
  5. So What Can We Do?
    Let's look at how to secure WordPress as:
    A user
    A system/server administrator
    A developer
    An information security professional
  6. Choose Wisely
    The largest source of problems in WordPress security comes from the theme & plugin ecosystem. Choose your themes & plugins wisely!
  7. Choose Wisely
    Are they regularly maintained? Do the authors respond to support questions promptly? Are they popular?
  8. Keep It Updated!
    WordPress Core (with automatic updates!)
    WordPress plugins (with automatic updates)
    WordPress themes
  9. Admin Login
    Older versions of WordPress came with an "admin" login by default. This became a default target for attacks. Use a different username if you'd like. It doesn't provide much added security though, because usernames are easy to discover (see the next slide).
  10. Use Email As Login
    WordPress defaults to a username login. Usernames are fairly discoverable in WordPress. The Email Login plugin forces login using an email address instead.
    https://wordpress.org/plugins/wp-email-login/
  11. Least Privilege
    Only give users the permissions they need to do their jobs.
    Subscriber - can read
    Contributor - can write, but not publish
    Author - can publish their own posts
    Editor - can publish anyone's posts & pages
    Administrator - can modify site configuration
  12. Security Plugins
    Install one security suite (two will fight each other over the same hooks and files). These plugins provide many security improvements to your site. I like WordFence.
  13. Security Plugins do:
    Limit login attempts
    File monitoring
    Security auditing
    Malware scanning
    Change default URLs
    404 detection
    Strong password enforcement
    Temporary site lockout ("Away Mode")
    Permissions monitoring
    WordPress version hiding

  14. Server Configuration
    Some of these recommendations can be done by users too. But they're not things you do IN WordPress.
  15. Enable HTTPS
    There's no reason these days for your website not to be served over HTTPS (TLS). Let's Encrypt offers free certificates, and many web hosts have this as a one-click install option. Once it is on, set WordPress's Site Address and Home URL to https:// so logins and cookies never go over plain HTTP.
  16. Enable SFTP
    SFTP (SSH File Transfer Protocol) transfers files over an SSH connection, so credentials and file contents are encrypted. It is a different protocol from plain FTP (and from FTPS, which is FTP over TLS). If you're going to give users file access to their sites, this is the best way to do it; disable plain FTP entirely.
  17. Disable XML-RPC
    xmlrpc.php is WordPress's legacy remote API. It is a favourite target for credential brute forcing (system.multicall lets one request test many passwords) and for pingback abuse. There are plugins to disable it, but blocking xmlrpc.php at the server side (web server or firewall) is recommended, since that keeps the request from reaching PHP at all. Check first that nothing you rely on still needs it; Jetpack, for example, talks to the site over XML-RPC.
  18. Keep Sites Isolated
    If you're running multiple sites on the same server, keep them in separate home directories running as separate users (separate PHP-FPM pools or the equivalent). This helps prevent cross-contamination of sites in the event of a hack: a web shell dropped into one site cannot read or write the files of another.
  19. Checksum Validation
    Using WP-CLI, see if files have been modified:

        wp core verify-checksums
        wp plugin verify-checksums --all

    The reference checksums come from WordPress.org, so only core and plugins distributed through the wordpress.org directory can be verified, and the core check does not cover wp-content (themes, uploads, mu-plugins). Files it cannot verify still deserve a look.
  20. Sanitization & Validation
    There are a pile of functions to do input sanitization:
    sanitize_title(), sanitize_title_for_query(), sanitize_title_with_dashes(), sanitize_user(), sanitize_email(), is_email(), sanitize_file_name(), sanitize_html_class(), sanitize_key(), sanitize_mime_type(), sanitize_option(), sanitize_sql_orderby(), sanitize_text_field(), sanitize_term(), sanitize_term_field(), sanitize_meta(), balance_tags(), tag_escape()
    array_map() is not a sanitizer itself; use it to apply one of the above to every element of an array.
  21. Validation
    Are values of the correct type? Do they have the expected values?

        $quantity = intval( $_POST['quantity'] );
    or
        $quantity = absint( $_POST['quantity'] );

        if ( $quantity > 10 ) {
            die( 'Quantity Out of Range' );
        }

    absint() is abs( intval() ), so it also rules out negative quantities; check the lower bound too if zero is not a valid order.

  22. Escaping Text
    esc_html( $string );
    esc_html__( $string, $domain );
    Example:

        Hello <?php echo esc_html( $string ); ?>!
  23. Escaping Text
    esc_attr( $text );
    esc_attr__( $text, $domain );
    Escaping a string for use in an HTML attribute.

        <div data-value="<?php echo esc_attr( $value ); ?>">
  24. Escaping Text
    Allowing a limited set of HTML through with wp_kses():

        $allowed_html = array(
            'a'      => array(
                'href'  => array(),
                'title' => array(),
            ),
            'br'     => array(),
            'em'     => array(),
            'strong' => array(),
        );
        wp_kses( $fragment, $allowed_html, $protocols );

    $protocols is optional; when omitted, href values are checked against wp_allowed_protocols().
  25. Sanitization & Escaping
    For the official documentation on WordPress' validation, sanitization & escaping functions, see:
    https://developer.wordpress.org/apis/security/data-validation/
    https://developer.wordpress.org/apis/security/sanitizing/
    https://developer.wordpress.org/apis/security/escaping/
  26. Working with the Database

        $wpdb->update(
            'table',
            array(
                'column1' => 'value1',
                'column2' => 'value2',
            ),
            array( 'ID' => 1 ),
            array(
                '%s', // value1
                '%d', // value2
            ),
            array( '%d' ) // format of the WHERE value
        );
  27. Working with the Database
    Custom queries should be written using the $wpdb->prepare() function:

        $safeSQL = $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}tablename WHERE col1 = %s AND col2 = %d",
            $sParam,
            $iParam
        );
        $wpdb->query( $safeSQL );

    Placeholders are not quoted: prepare() adds the quotes around %s values itself and casts %d arguments to integers. Interpolating $wpdb->prefix is fine because it comes from wp-config.php, not from the request.
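As an added example (not from the slides), here is an injectable custom query next to its prepared form, a LIKE search, and an insert using format arrays as on slide 26. It runs inside WordPress, where $wpdb is the global database object; the "orders" table and its columns are assumptions for illustration.

```php
<?php
/**
 * Added example, not from the slides: reading and writing a hypothetical
 * orders table through $wpdb without building SQL from raw strings.
 * Requires WordPress (global $wpdb). Table and column names are assumed.
 */
function example_find_orders( $status, $min_total, $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'orders'; // prefix comes from wp-config.php, not the request

    // VULNERABLE: request data interpolated straight into SQL. A status of
    //   x' OR '1'='1
    // rewrites the WHERE clause and returns every row.
    // $sql = "SELECT * FROM {$table} WHERE status = '{$status}' AND total >= {$min_total}";

    // HARDENED: unquoted placeholders. prepare() escapes and quotes %s
    // values itself; %d casts, so a non-numeric $min_total becomes 0
    // instead of becoming SQL.
    $sql = $wpdb->prepare(
        "SELECT id, status, total FROM {$table} WHERE status = %s AND total >= %d",
        $status,
        $min_total
    );

    // A LIKE pattern needs two steps: esc_like() neutralises the user's own
    // % and _ wildcards, then prepare() quotes the finished pattern.
    if ( '' !== $search ) {
        $like = '%' . $wpdb->esc_like( $search ) . '%';
        $sql .= $wpdb->prepare( ' AND customer_name LIKE %s', $like );
    }

    return $wpdb->get_results( $sql, ARRAY_A );
}

/**
 * Writes never need hand-built SQL: insert() and update() take the values
 * plus a matching list of formats (%s string, %d integer, %f float).
 * Returns the new row id, or 0 if the insert failed.
 */
function example_create_order( $customer_name, $total ) {
    global $wpdb;
    $inserted = $wpdb->insert(
        $wpdb->prefix . 'orders',
        array(
            'customer_name' => $customer_name,
            'status'        => 'new',
            'total'         => $total,
        ),
        array( '%s', '%s', '%f' )
    );
    return ( false === $inserted ) ? 0 : (int) $wpdb->insert_id;
}

// Usage, with request values passed through untouched to show that the
// protection lives in prepare()/insert(), not in any prior sanitizing:
// $rows = example_find_orders( $_GET['status'], $_GET['min_total'], $_GET['q'] );
// $id   = example_create_order( sanitize_text_field( $_POST['name'] ), (float) $_POST['total'] );
```

The only part of the query that is still interpolated is the table name, and it is built from $wpdb->prefix rather than from input; column and table names must never come from the request, because placeholders quote values, not identifiers.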
  28. WP Coding Standards
    WordPress has documented coding standards that apply to its PHP, JavaScript, HTML, CSS and accessibility components.
    https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/
    https://developer.wordpress.org/coding-standards/wordpress-coding-standards/html/
    https://developer.wordpress.org/coding-standards/wordpress-coding-standards/css/
    https://developer.wordpress.org/coding-standards/wordpress-coding-standards/javascript/
  29. Responsible Disclosure
    Don't bring more attention to security vulnerabilities in public forums, blog posts, chats, or issue trackers without giving the developers a reasonable chance to patch them first.
  30. Responsible Disclosure
    Automattic participates in HackerOne, a platform for reporting vulnerabilities securely. And yes, they offer bounties!
    WordPress.com hosted sites: https://hackerone.com/automattic
  31. Responsible Disclosure
    WordPress participates in HackerOne, a platform for reporting vulnerabilities securely. And yes, they offer bounties!
    The WordPress open-source core code: https://hackerone.com/wordpress/
  32. Responsible Disclosure
    WordFence runs a bug bounty program for all themes and plugins with at least 50,000 active installs.
    WordFence Bug Bounty Program: https://www.wordfence.com/threat-intel/bug-bounty-program/
  33. Responsible Disclosure
    Find a problem with a theme or plugin? Try contacting the authors directly. If you can't, email the Plugins & Themes team: [email protected]