Securing Your WordPress Site

Transcript

1. Securing Your WordPress Site Shawn Hooper Rochester WordPress Meetup January

   2024

2. Director of Engineering & Security at Actionable.co. Freelance Developer, Code

   Reviewer & Web Host WordPress Core Contributor & Plugin Author Organizer of WordCamp Ottawa & WordCamp Canada. Spoken at WordPress events in Canada, the United States and Australia Blog & Email Newsletter at ShawnHooper.ca Mastodon @[email protected] Hello!

3. What we’ll cover What do we mean by security? Is

   WordPress secure? Recommendations for Users Recommendations for Developers

4. What do we mean when we talk about Security?

5. CIA

6. CIA Con fi dentiality

7. CIA Con fi dentiality Integrity

8. CIA Con fi dentiality Integrity Availability

9. What kinds of attacks are there? Backdoors Brute Force Redirects

   Cross Site Scripting (XSS) Denial of Service

10. WordPress Core is secure

11. The risk usually lies in: Server Con fi guration Plugins

    Themes Bad User Practices

12. But with 62% of the CMS market share It’s a

    huge target for hackers!

13. So What Can We Do ?

14. So What Can We Do ? Let’s look at how

    to secure WordPress as: A User A System/Server Administrator A Developer An Information Security Professional

15. A User’s Perspective

16. Choose Wisely The largest source of problems in WordPress security

    come from the Theme & Plugin Ecosystem. Choose your themes & plugins wisely!

17. Choose Wisely Are they regularly maintained? Does the author(s) respond

    to support questions promptly? Are they popular?
18. None

19. Keep It Updated! WordPress Core ( w/ Automatic Updates!) WordPress

    Plugins (w/ Automatic Updates) 
 WordPress Themes
20. None

21. Backups WordPress Core WordPress Plugins 
 WordPress Themes Media Library

    (“Uploads”) MySQL Database

22. Backups I like: UpdraftPlus (Freemium)

23. Admin Login Older versions of WordPress came with an “admin”

    login by default. This became a default target for attacks. Use a different username if you’d like. It’s doesn’t provide much added security though.

24. Passwords Of course, please use secure passwords. 
 password123 is

    not secure.

25. 2 Factor Auth

26. Use Email As Login WordPress defaults to a username login

    Usernames are fairly discoverable in WordPress The Email Login plugin forces login using an email address instead. 
 
 https://wordpress.org/plugins/wp-email-login/

27. Least Privilege Only gives users the permissions they need to

    do their jobs. Subscriber - Can Read Contributor - Can Write, but not publish Author - Can Publish their own Posts 
 Editor - Can Publish Anyone’s Posts & Pages 
 Administrator - Can modify site con fi guration

28. Security Plugins Install one security suite. These plugins provide many

    security improvements to your site. I like WordFence.

29. Security Plugins do: Limit Login Attempts 
 File Monitoring 


    Security Auditing 
 Malware Scanning Change Default URLs 
 404 Detection 
 Strong Password Enforcement 
 Temporary Site Lockout (“Away Mode”) 
 Permissions Monitoring 
 WordPress Version Hiding 


30. System/Server Administrator’s Perspective

31. Server Con fi guration Some of these recommendations can be

    done by users too. But they’re not things you do IN WordPress.

32. Enable HTTPS There’s no reason these days for your website

    not to be secured by SSL. LetsEncrypt offers free certi fi cates, and many web hosts have this as a one-click install option.

33. Enable SFTP Secure File Transfer Protocol (SFTP) is FTP over

    SSH. If you’re going to give users FTP access to their sites, this is the best way to do it.

34. File & Folder Permissions Directories - 755 Files - 644

    
 


35. Block Some PHP Execution No PHP Execution in Uploads Folder:

    No Execution of Con fi g File:

36. Disable File Editor

37. Disable File Editor Add to wp-con fi g.php:

38. Disable XML-RPC There are also plugins to do this, 


    but doing so at the server side is recommended.

39. Keep Sites Isolated If you’re running multiple sites on the

    same server, keep them in separate home directories running as separate users This helps prevent cross-contamination of sites in the event of a hack.

40. Checksum Validation Using WP-CLI, see if fi les have been

    modi fi ed: wp core verify-checksums
 
 wp plugin verify-checksums --all

41. Developer’s Perspective

42. Sanitization & Validation

43. Sanitization & Validation There are a pile of functions to

    do input sanitization: sanitize_title() sanitize_user() balance_tags() tag_escape() is_email() sanitize_html_class() array_map() sanitize_email() sanitize_ fi le_name() sanitize_term() sanitize_term_ fi eld() sanitize_html_class() sanitize_key() sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_text_ fi eld() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user() sanitize_meta()

44. Validation Are values of the correct type? Do they have

    the expected values? 
 
 $quantity = intval( $_POST[‘quantity’] ); 
 or 
 $quantity = absint( $_POST[‘quantity’] ); 
 
 if ( $quantity > 10 ) { 
 die(‘Quantity Out of Range’); 
 } 
 


45. Escaping Text esc_html( $string ); esc_html__( $string, $domain ); ex:

    
 
 Hello <?php echo esc_html( $string ); ?> !

46. Escaping Text esc_attr( $text ); esc_attr__( $text, $domain ); 


    
 Escaping a string for use in an HTML attribute tag. 
 
 <div data-value=“<?php echo esc_attr( $value ); ?>”>

47. Escaping Text $allowed_html = array( 
 'a' => array( 


    'href' => array(), 
 'title' => array() 
 ), 'br' => array(), 
 'em' => array(), 
 'strong' => array() 
 ); wp_kses( $fragment, $allowed_html, $protocols);

48. Escaping HTML wp_rel_nofollow( $html ); 
 
 Adds rel=“nofollow” to

    every link in the HTML fragment.

49. Sanitization & Escaping For the of fi cial documentation on

    WordPress’ Validation & Sanitization Functions, see: 
 
 https://developer.wordpress.org/apis/security/data-validation/ https://developer.wordpress.org/apis/security/sanitizing/ https://developer.wordpress.org/apis/security/escaping/

50. Working with the Database Use $wpdb

51. Working with the Database $wpdb->insert( ‘table_name’, array( 'column1' => 'value1',

    'column2' => 123 ), array( '%s', '%d' ) );

52. Working with the Database $wpdb->update( 'table', array( 'column1' => 'value1',

    
 
 
 'column2' => 'value2' ), array( 'ID' => 1 ), array( '%s', // value1 '%d' // value2 ), array( '%d' ) );

53. Custom Queries should be written using the $wpdb->prepare() function. $safeSQL

    = $wpdb->prepare(“SELECT * FROM {$wpdb->pre fi x}tablename 
 
 
 
 WHERE col1 = ‘%s’ AND col2 = %d”, $sParam, $iParam); $wpdb->query($safeSQL); Working with the Database

54. WP Coding Standards WordPress has documented coding standards that apply

    to its PHP, JavaScript, HTML, CSS and Accessibility components. https://developer.wordpress.org/coding-standards/wordpress-coding-standards/php/ https://developer.wordpress.org/coding-standards/wordpress-coding-standards/html/ https://developer.wordpress.org/coding-standards/wordpress-coding-standards/css/ https://developer.wordpress.org/coding-standards/wordpress-coding-standards/javascript/

55. IT Security Professional’s Perspective

56. Responsible Disclosure Don’t bring more attention to security vulnerabilities in

    public forums, blog posts, chats, or issue trackers without giving developers a reasonable chance to patch it fi rst.

57. Responsible Disclosure Automattic participates in HackerOne, a platform for secure

    reporting vulnerabilities. And yes, they offer bounties! WordPress.com Hosted Sites: https://hackerone.com/automattic

58. Responsible Disclosure WordPress participates in HackerOne, a platform for secure

    reporting vulnerabilities. And yes, they offer bounties! The WordPress Open-Source Core Code https://hackerone.com/wordpress/

59. Responsible Disclosure WordFence runs a bug bounty program for all

    themes and plugins with at least 50,000 active installs. WordFence Bug Bounty Program https://www.wordfence.com/threat-intel/bug-bounty-program/

60. Responsible Disclosure Find a problem with a theme or plugin?

    Try contacting the authors directory. If you can’t, email: Plugins & Themes [email protected]

61. Blog & Email Newsletter at ShawnHooper.ca Mastodon @[email protected] THANK YOU!