Understanding WordPress Security

Fa4da3fe79ba23c483bcb977b0a340ca?s=47 Shawn Hooper
February 15, 2018

Understanding WordPress Security

An introduction to securing WordPress websites. Delivered to the Ottawa OWASP Meetup in February 2018.

Fa4da3fe79ba23c483bcb977b0a340ca?s=128

Shawn Hooper

February 15, 2018
Tweet

Transcript

  1. Understanding WordPress Security Yes, WordPress is Secure Shawn Hooper, Director

    of IT 
 Actionable.co Blog - shawnhooper.ca
 Twitter - @shawnhooper
  2. Director of IT at Actionable.
 WordPress Developer. WordPress Core Contributor

    & Plugin Author WordCamp Ottawa Lead Organizer Spoken at WordPress events in Canada, the United States and Australia Web Developer Since mid-1990s Hello! Blog - shawnhooper.ca
 Twitter - @shawnhooper
  3. What is WordPress? Blog - shawnhooper.ca
 Twitter - @shawnhooper

  4. What is WordPress? Blog - shawnhooper.ca
 Twitter - @shawnhooper WordPress

    is the world’s most popular Content Management System (CMS) It’s Open Source.
  5. What is WordPress? Blog - shawnhooper.ca
 Twitter - @shawnhooper WordPress

    started out as a blogging platform. It is now a Content Management System and an Application Framework with a full REST API.
  6. What is WordPress? Blog - shawnhooper.ca
 Twitter - @shawnhooper WordPress

    (the software) should not be confused with WordPress.com, a WordPress web hosting service run by Automattic. Automattic was founded by WordPress 
 co-founder Matt Mullenweg. The open source project can be found at WordPress.org
  7. What is WordPress? Blog - shawnhooper.ca
 Twitter - @shawnhooper WordPress

    is developed primarily in PHP Although JavaScript is becoming a larger part of the front-end codebase with every release. It’s database is a MySQL relational database.
  8. Extensibility Blog - shawnhooper.ca
 Twitter - @shawnhooper WordPress’ real power

    is in its extensibility. It’s API allows for the development of third party themes and plugins. 5,389 Themes 54,218 Plugins * Only in the free repo. (Feb 2018)
  9. Market Share Blog - shawnhooper.ca
 Twitter - @shawnhooper https://w3techs.com/technologies/overview/content_management/all

  10. WordPress’ Core is Secure Blog - shawnhooper.ca
 Twitter - @shawnhooper

  11. Blog - shawnhooper.ca
 Twitter - @shawnhooper but…. This market share

    makes it a huge target for hackers!
  12. So What Can We Do ? Blog - shawnhooper.ca
 Twitter

    - @shawnhooper
  13. So What Can We Do ? Blog - shawnhooper.ca
 Twitter

    - @shawnhooper Let’s look at how to secure WordPress as: A User A System/Server Administrator A Developer An Information Security Professional
  14. A User’s Perspective Blog - shawnhooper.ca
 Twitter - @shawnhooper

  15. Choose Wisely Blog - shawnhooper.ca
 Twitter - @shawnhooper The largest

    source of problems in WordPress Security come from the Plugin Ecosystem. Choose your themes & plugins wisely!
  16. Choose Wisely Blog - shawnhooper.ca
 Twitter - @shawnhooper Are they

    regularly maintained? Does the author(s) respond to support questions promptly? Are they popular?
  17. None
  18. Keep It Updated! Blog - shawnhooper.ca
 Twitter - @shawnhooper WordPress

    Core ( w/ Automatic Updates!) WordPress Plugins 
 WordPress Themes
  19. None
  20. Backups Blog - shawnhooper.ca
 Twitter - @shawnhooper WordPress Core WordPress

    Plugins 
 WordPress Themes Media Library (“Uploads”) MySQL Database
  21. Backups Blog - shawnhooper.ca
 Twitter - @shawnhooper Backup Buddy by

    iThemes (Paid) UpdraftPlus (Freemium) VaultPress (starting @ $39 a year)
  22. Backups Blog - shawnhooper.ca
 Twitter - @shawnhooper Some Managed Hosts

    include daily backups. My favourites include: 
 
 WP Engine Pantheon
  23. Admin Login Blog - shawnhooper.ca
 Twitter - @shawnhooper Older versions

    of WordPress came with an “admin” login by default. This became a default target for attacks. Use a different username.
  24. Passwords Blog - shawnhooper.ca
 Twitter - @shawnhooper Of course, please

    use secure passwords. 
 password123 is not secure.
  25. 2 Factor Auth Blog - shawnhooper.ca
 Twitter - @shawnhooper

  26. Use Email As Login Blog - shawnhooper.ca
 Twitter - @shawnhooper

    WordPress defaults to a username login Usernames are fairly discoverable in WordPress The Email Login plugin forces login using an email address instead.
 
 https://wordpress.org/plugins/wp-email-login/
  27. Least Privilege Blog - shawnhooper.ca
 Twitter - @shawnhooper Only gives

    users the permissions they need to do their jobs. Subscriber - Can Read Contributor - Can Write, but not publish Author - Can Publish their own Posts
 Editor - Can Publish Anyone’s Posts & Pages
 Administrator - Can modify site configuration
  28. Security Plugins Blog - shawnhooper.ca
 Twitter - @shawnhooper SiteLock iThemes

    Security
 
 WordFence
 
 Sucuri Security

  29. Security Plugins Blog - shawnhooper.ca
 Twitter - @shawnhooper Limit Login

    Attempts
 File Monitoring
 Security Auditing
 Malware Scanning Change Default URLs
 404 Detection
 Strong Password Enforcement
 Temporary Site Lockout (“Away Mode”)
 Permissions Monitoring
 WordPress Version Hiding

  30. System/Server Administrator’s Perspective Blog - shawnhooper.ca
 Twitter - @shawnhooper

  31. Server Configuration Blog - shawnhooper.ca
 Twitter - @shawnhooper Some of

    these recommendations can be done by users too. But they’re not things you do IN WordPress.
  32. Enable HTTPS Blog - shawnhooper.ca
 Twitter - @shawnhooper There’s no

    reason these days for your website not to be secured by SSL. LetsEncrypt offers free certificates, and many web hosts have this as a one-click install option.
  33. Enable SFTP Blog - shawnhooper.ca
 Twitter - @shawnhooper Secure File

    Transfer Protocol (SFTP) is FTP over SSH. If you’re going to give users FTP access to their sites, this is the best way to do it.
  34. File & Folder Permissions Blog - shawnhooper.ca
 Twitter - @shawnhooper

    Directories - 755 Files - 644
 

  35. Block Some PHP Execution Blog - shawnhooper.ca
 Twitter - @shawnhooper

    No PHP Execution in Uploads Folder: No Execution of Config File:
  36. Disable File Editor Blog - shawnhooper.ca
 Twitter - @shawnhooper

  37. Disable File Editor Blog - shawnhooper.ca
 Twitter - @shawnhooper Add

    to wp-config.php:
  38. Disable XML-RPC Blog - shawnhooper.ca
 Twitter - @shawnhooper There are

    also plugins to do this, 
 but doing so at the server side is recommended.
  39. Keep Sites Isolated Blog - shawnhooper.ca
 Twitter - @shawnhooper If

    you’re running multiple sites on the same server, keep them in separate home directories running as separate users This helps prevent cross-contamination of sites in the event of a hack.
  40. Checksum Validation Blog - shawnhooper.ca
 Twitter - @shawnhooper Using WP-CLI,

    see if files have been modified: wp core verify-checksums
 
 wp plugin verify-checksums --all
  41. Developer’s Perspective Blog - shawnhooper.ca
 Twitter - @shawnhooper

  42. Sanitization & Validation Blog - shawnhooper.ca
 Twitter - @shawnhooper

  43. Sanitization & Validation Blog - shawnhooper.ca
 Twitter - @shawnhooper There

    are a pile of functions to do input sanitization: sanitize_title() sanitize_user() balance_tags() tag_escape() is_email() sanitize_html_class() array_map() sanitize_email() sanitize_file_name() sanitize_term() sanitize_term_field() sanitize_html_class() sanitize_key() sanitize_mime_type() sanitize_option() sanitize_sql_orderby() sanitize_text_field() sanitize_title_for_query() sanitize_title_with_dashes() sanitize_user() sanitize_meta()
  44. Validation Blog - shawnhooper.ca
 Twitter - @shawnhooper Are values of

    the correct type? Do they have the expected values? 
 
 $quantity = intval( $_POST[‘quantity’] );
 or
 $quantity = absint( $_POST[‘quantity’] ); 
 
 if ( $quantity > 10 ) {
 die(‘Quantity Out of Range’);
 } 
 

  45. Escaping Text Blog - shawnhooper.ca
 Twitter - @shawnhooper esc_html( $string

    ); esc_html__( $string, $domain ); ex:
 
 Hello <?php echo esc_html( $string ); ?> !
  46. Escaping Text Blog - shawnhooper.ca
 Twitter - @shawnhooper esc_attr( $text

    ); esc_attr__( $text, $domain );
 
 Escaping a string for use in an HTML attribute tag.
 
 <div data-value=“<?php echo esc_attr( $value ); ?>”>
  47. Escaping Text Blog - shawnhooper.ca
 Twitter - @shawnhooper $allowed_html =

    array(
 'a' => array(
 'href' => array(),
 'title' => array() 
 ), 'br' => array(),
 'em' => array(),
 'strong' => array()
 ); wp_kses( $fragment, $allowed_html, $protocols);
  48. Escaping HTML Blog - shawnhooper.ca
 Twitter - @shawnhooper wp_rel_nofollow( $html

    );
 
 Adds rel=“nofollow” to every link in the HTML fragment.
  49. Sanitization & Escaping Blog - shawnhooper.ca
 Twitter - @shawnhooper For

    the official documentation on WordPress’ Validation & Sanitization Functions, see:
 
 https://codex.wordpress.org/ Validating_Sanitizing_and_Escaping_User_Data
  50. Working with the Database Blog - shawnhooper.ca
 Twitter - @shawnhooper

    Use $wpdb
  51. Working with the Database Blog - shawnhooper.ca
 Twitter - @shawnhooper

    $wpdb->insert( ‘table_name’, array( 'column1' => 'value1', 'column2' => 123 ), array( '%s', '%d' ) );
  52. Working with the Database Blog - shawnhooper.ca
 Twitter - @shawnhooper

    $wpdb->update( 'table', array( 'column1' => 'value1', 
 

 'column2' => 'value2' ), array( 'ID' => 1 ), array( '%s', // value1 '%d' // value2 ), array( '%d' ) );
  53. Working with the Database Blog - shawnhooper.ca
 Twitter - @shawnhooper

    Custom Queries should be written using the $wpdb->prepare() function. $safeSQL = $wpdb->prepare(“SELECT * FROM {$wpdb->prefix}tablename 
 


WHERE col1 = ‘%s’ AND col2 = %d”, $sParam, $iParam); $wpdb->query($safeSQL);
  54. WordPress Coding Standards Blog - shawnhooper.ca
 Twitter - @shawnhooper WordPress

    has documented coding standards that apply to its PHP, JavaScript, HTML, CSS and Accessibility components. 
 
 Although on it’s own this doesn’t necessarily improve security, it will make code more readable, and more testable, which minimizes the chance for errors! https://codex.wordpress.org/WordPress_Coding_Standards
  55. IT Security Professional’s Perspective Blog - shawnhooper.ca
 Twitter - @shawnhooper

  56. Responsible Disclosure Blog - shawnhooper.ca
 Twitter - @shawnhooper Don’t bring

    more attention to security vulnerabilities in public forums, blog posts, chats, or issue trackers without giving developers a reasonable chance to patch it first.
  57. Responsible Disclosure Blog - shawnhooper.ca
 Twitter - @shawnhooper Automattic participates

    in HackerOne, a platform for secure reporting vulnerabilities. And yes, they offer bounties! WordPress.com Hosted Sites: https://hackerone.com/automattic
  58. Responsible Disclosure Blog - shawnhooper.ca
 Twitter - @shawnhooper WordPress participates

    in HackerOne, a platform for secure reporting vulnerabilities. And yes, they offer bounties! The WordPress Open-Source Core Code https://hackerone.com/wordpress/
  59. Responsible Disclosure Blog - shawnhooper.ca
 Twitter - @shawnhooper Find a

    problem with a theme or plugin? Try contacting the authors directory. If you can’t, email: Plugins & Themes plugins@wordpress.org
  60. Responsible Disclosure Blog - shawnhooper.ca
 Twitter - @shawnhooper Since it’s

    launch with HackerOne in May 2017 52 WordPress bugs have have been resolved through reporting by 46 hacked on the platform. December 2017 (State of the Word Keynote)
  61. What do Hacked WordPress Sites Look Like? Blog - shawnhooper.ca


    Twitter - @shawnhooper
  62. What If I Get Hacked? Blog - shawnhooper.ca
 Twitter -

    @shawnhooper
  63. Shameless Promo: WordCamp Ottawa 2018 Blog - shawnhooper.ca
 Twitter -

    @shawnhooper
  64. ShawnHooper.ca 
 Twitter: @ShawnHooper THANK YOU! Blog - shawnhooper.ca
 Twitter

    - @shawnhooper