WordPress Security
•
1 like•535 views
A presentation on the security vulnerabilities of WordPress environments, along with information on how to recover from a hack and tips for securing your site.
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to WordPress Security
Similar to WordPress Security (20)
More from Jennifer Riehle McFarland
More from Jennifer Riehle McFarland (20)
Recently uploaded
Recently uploaded (20)
WordPress Security
- 1. WORDPRESS SECURITY Jen Riehle McFarland, NC State University
- 4. NEFARIOUS PURPOSES… ▸ Improve SEO for their own sites or advertisements ▸ To distribute malicious software ▸ Help attack/hack other sites ▸ As an “in” to hack the server, then use that in any number of ways, most commonly for widespread spamming
- 6. YES AND NO. (OF COURSE) Out-of-the-box, WordPress Core is basically secure as long as it’s kept up-to-date, and is hosted in a well- managed environment. Once you start adding plugins, themes, users, etc., vulnerabilities creep in…
- 8. 8% 22% 29% 41% HOW WE GET HACKED Weak user password Hosting vulnerability WordPress theme vulnerability WordPress plugin vulnerability
- 9. WORDPRESS VULNERABILITIES (51%) ▸ Wordpress Themes (29%) ▸ WordPress Plugins (22%) ▸ WordPress Core CAUSES: ▸ WP Core, themes, plugins out-of-date ▸ Poorly-written (or maliciously-written) themes or plugins ▸ Popularity and consistency of the software
- 10. HOSTING VULNERABILITIES (41%) ▸ SQL injections ▸ Poor server security ▸ Lack of understanding of WordPress CHECK FOR: ▸ Recent versions of PHP and MySQL ▸ Malware scanning and other security tools present ▸ Account isolation ▸ WordPress experience
- 11. USER VULNERABILITIES (8%) ▸ Bad habits ▸ Minimal default password requirements COMMON PROBLEMS: ▸ The “admin” username ▸ The crummy passwords (12345) ▸ User access levels
- 13. THE BASICS: START SMART ▸ Pick a solid hosting company ▸ Evaluate your themes and plugins carefully ▸ Go with those that have been vetted by WordPress ▸ Choose only those that are actively developed and/or supported ▸ Only install what you NEED ▸ Be thoughtful about who/how many should get admin- level access
- 14. THE BASICS: BACKUPS ▸ Backup all the things ▸ Your site (or sites with multisite) ▸ Your settings (what themes and plugins you’re using) ▸ Your files ▸ Your database ▸ And then back them up again somewhere off your main server ▸ Aim to save at least 6 months back
- 15. UPDATES ARE VERY EASY TO DO AND RARELY CAUSE PROBLEMS IN A WELL-MAINTAINED SITE, YET THE MAJORITY OF WORDPRESS SITES ARE OUT OF DATE. Stéfan Flickr
- 16. THE BASICS: UPDATES ▸ WordPress can be set to do updates automatically ▸ Added after version 3.7 ▸ Can be set for core, theme, plugin, and translation updates ▸ Core updates can be applied by update “types” ▸ Configure auto updates with wp-config
- 17. THE BASICS: MAINTENANCE ▸ Routine review of environments every 6-12 months: ▸ Themes and plugins not in use ▸ Anything that hasn’t been updated in the last 18-24 months (or more!) ▸ Sites (in a multisite environment) that are no longer active ▸ Checking your backups ▸ Reviewing the configuration of security plugins
- 18. THE TOOLS: SERVER/HOSTING ▸ Well-managed hosting ▸ Malware scanners ▸ ModSecurity setup ▸ htaccess limitations ▸ File permissions ▸ Account separation ▸ Server logs ▸ Good communication and working relationship
- 19. THE TOOLS: WORDPRESS ▸ wp-config options ▸ disable PHP error reporting ▸ disallow file editing ▸ disallow updating/installing themes and plugins ▸ remove commenting functionality ▸ Many other configuration options that can “harden” your installation of WordPress
- 20. THE TOOLS: WORDPRESS ▸ Security Plugins: iThemes Security, Sucuri ($), Wordfence ▸ Scanning tools: AntiVirus, WP Antivirus Site Protection ▸ Logging and tracking tools: CodeGuard ($), wp_debug_log in wp-config ▸ Theme and plugin evaluators: Theme-Check, Plugin- Check
- 22. [WORDPRESS USERS] HAVE A TENDENCY TO BE THE SORT OF PEOPLE THAT, WITHOUT REALIZING IT, LEAVE THAT BACK DOOR WIDE OPEN WITH A SIGN SAYING “WELCOME, HACKERS” AND A PLATE OF BISCUITS. Stéfan Flickr
- 23. THE TOOLS: USERS ▸ Plugins to improve default password requirements ▸ Two-step authentication ▸ Forced password standards ▸ Limit logins (attempts, locations) ▸ Don’t display usernames on the front-end ▸ Hide backend login page ▸ Use stronger password encryption
- 24. THE TOOLS: USERS ▸ Give users the minimum access level they need to get things done ▸ May need to edit user roles to achieve appropriate access levels ▸ Encourage (or force) logins from secure locations only ▸ Encourage security on local machines
- 25. THE TOOLS: USERS ▸ Use outside authentication integration: Google, OpenID, OAuth, Shibboleth ▸ Essentially outsourcing authentication to a service ▸ Allows users to re-use an id/password combination that should aid in retention
- 27. MANY PEOPLE DON’T REALIZE THEY’VE BEEN HACKED. Stéfan Flickr
- 28. AFTER THE HACK… 1. Stay calm. 2. Get your site back. 3. Clean up the hack. 4. Identify the source of the hack. 5. Address all three points of vulnerability: hosting, WordPress, and users.
- 30. GET YOUR SITE BACK ▸ If you can’t get into your site you may need to try a password reset or database edit ▸ Take a backup of what’s there - files, database, uploads - for later ▸ Lock out the hackers ▸ Remove unknown users and reset all passwords ▸ Change your keys and salts in wp-config ▸ Restore to a known good version of the site (if you have one)
- 32. CLEAN UP THE HACK ▸ Review your files and database for suspicious elements ▸ When in doubt, reinstall. ▸ New directory, WP install, reinstall all themes and plugins ▸ User accounts with new passwords ▸ Import the content from a clean backup ▸ Check your hosting for other potential damage
- 33. IDENTIFY THE SOURCE ▸ Go back through your backup after the hack ▸ Use version control to compare file changes ▸ Get help from your hosting ▸ Check logs ▸ Scan your hosting environment for malware ▸ Scan your personal machine(s) for viruses and malware
- 34. ADDRESS VULNERABILITIES ▸ Change your password again. All of them, including hosting account passwords. ▸ Start over and review all elements of the site for potential security weaknesses ▸ Scan the new site ▸ Use this experience to plan for the next hack
- 36. TWO CHOICES 1. Start over ▸ Copy and paste your old content wherever you can get it 2. Clean it up manually ▸ Where to look… ▸ Probably won’t be in WordPress core files ▸ Will probably be named innocently ▸ Will probably be your database content
- 38. AVOID COMMON MISTAKES ▸ Not updating ▸ Not cleaning out old themes and plugins ▸ Using popular plugins because they’re popular ▸ Using “admin” accounts ▸ Weak passwords ▸ Bad hosting ▸ Assuming you will never be hacked
- 39. TIPS ▸ Try to keep informed of WP Core and other updates ▸ Schedule reminders to review sites on a routine basis ▸ Check on your hosting company, especially if you’ve had them awhile ▸ Get help! Share security tips with others who edit or manage your site ▸ Consider outsourcing some of your security/support
- 40. MAKE SURE YOU HAVE BACKUPS! Stéfan Flickr