Hardening Your WordPress Website

Post on 08-May-2015


DESCRIPTION

Hardening Your WordPress Website To Attacks

Transcript

TriLink Technologies Group Inc.

HARDENING YOUR WEBSITE TO ATTACKS

Making It Easier to Hack Into Someone Else’s Website

AGENDA

• Introduction
• WordPress Security Myths
• Blacklisting
• Security Flaws With Default Installation
• Threats and Counter-Threats
• Backup
• Additional Security
• Conclusions

INTRODUCTION

• 40 Years Experience in Aerospace
  – Most of it in marketing
• Independent Since 2009
• Added Website Creation Using WordPress in 2011
  – Main selling feature is self-maintenance
• Became Concerned With Security in 2012
  – Client’s site was hacked

WORDPRESS SECURITY MYTHS

• My Site Is Too Small or Insignificant
  – Any site is a target
  – Link building
  – Spam distribution
• WordPress Is Already Secure
  – Yes, but you can’t leave the front door unlocked
• The “White Screen of Death” Is The Worst That You Can See

THE WORST THAT YOU CAN SEE

BLACKLISTING

• Problem
  – Google blocks access to your site
  – Removed from search engine listing
• Resolution
  – Fix the hack
  – Report the fix to Google
  – Wait for Google to lift the ban

SECURING A WORDPRESS SITE

• Starts With The Installation
• Easiest To Do Before Content Is Added

SECURITY FLAWS WITH DEFAULT INSTALL

• Most Attacks Are Based On The Assumption That Defaults Were Accepted
• Threats and Counters Examples Based On:
  – Manual install with all defaults
  – One user: “admin”, password: “admin123”
  – “Pretty” permalinks turned on
  – Counters manually applied
• Automated “1-Click” Installers Are Starting To Allow Customization

DEFAULT TABLE PREFIX

• Default WordPress Table Prefix is “wp_”
  – Exploited by advanced “SQL Injection” attacks
  – WP internal hardening improving
  – .htaccess techniques help (beyond today’s scope)
• Change It By Editing The “wp-config.php” File
  – Must be done before any content is added
  – Use “phpMyAdmin” to delete old tables
  – Use iThemes Security to change the prefix after content has been added

DEFAULT CONTENT FOLDER

• Default of “wp-content” Can Be Exploited
• iThemes Security Can Change It
• Breaks Lots and Lots of Plugins
  – “wp-content” hard coded
  – Should use “content_url()”
• Not Worth the Trouble

DEFAULT ADMIN NAME

• “admin” Is The Default Username For Administrator
  – Hacker only needs to guess the password
  – Automated tools make guessing easy
• Changing The Administrator Username Doesn’t Help
  – WordPress can easily expose the admin’s username
    • Click on a post author name and check the URL
    • www.site.com/?author=1 (or 2 or 3, etc.)
    • Confirm by trying to log in

DEFAULT ADMIN NAME (CONT’D)

• Accept The Default Name But Use A Secondary Email
• User Table Is Auto Indexed
  – 1, 2, 3, etc.
• Set The Next Index To, Say, 145
  – phpMyAdmin
    • ALTER TABLE `wp_users` AUTO_INCREMENT = 145;
  – SQL Executioner
    • ALTER TABLE $users AUTO_INCREMENT = 145;
• Create A New, Real, User
• Log In As The Real User
  – Delete the first user

DEFAULT ADMIN NAME (CONT’D)

• WordPress Still Exposes Usernames
• phpMyAdmin
  – UPDATE `wp_users` SET `user_nicename`='Mike' WHERE `user_login`='mikevens';
• SQL Executioner
  – UPDATE $users SET `user_nicename`='Mike' WHERE `user_login`='mikevens';

DISABLE FILE EDITING FROM DASHBOARD

• Bad Practice For Anyone To Edit Files From The Dashboard
  – No undo
  – No configuration control
• Edit wp-config.php
• Add
  – define('DISALLOW_FILE_EDIT', true);
  – Semicolon important
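The two wp-config.php counters covered above (a non-default table prefix, and DISALLOW_FILE_EDIT with its trailing semicolon) can be checked mechanically. The following is an added example, not code from the presentation or from WordPress; the two config fragments are constructed and the hypothetical prefix `k7q_` is just a placeholder.

```python
import re

# Constructed sample wp-config.php fragments (not from any real site). The first
# keeps both defaults the talk warns about; the second applies the counters.
DEFAULT_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""
HARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'k7q_';
define('DISALLOW_FILE_EDIT', true);
define('WP_DEBUG', false);
"""

PREFIX_RE = re.compile(r"""^\s*\$table_prefix\s*=\s*['"]([^'"]*)['"]\s*;""", re.M)
# The trailing ';' is captured optionally so a forgotten semicolon (a PHP parse
# error that takes the whole site down) is reported rather than read as "absent".
EDIT_RE = re.compile(
    r"""^\s*define\s*\(\s*['"]DISALLOW_FILE_EDIT['"]\s*,\s*(true|false)\s*\)[ \t]*(;?)""",
    re.M | re.I,
)

def audit_wp_config(text):
    """Return {check: (ok, detail)} for the wp-config counters in the talk."""
    findings = {}
    m = PREFIX_RE.search(text)
    if m is None:
        findings["table_prefix"] = (False, "no $table_prefix assignment found")
    else:
        findings["table_prefix"] = (m.group(1) != "wp_", "prefix is %r" % m.group(1))
    d = EDIT_RE.search(text)
    if d is None:
        findings["disallow_file_edit"] = (False, "DISALLOW_FILE_EDIT not defined")
    elif d.group(2) != ";":
        findings["disallow_file_edit"] = (False, "define() is missing its semicolon")
    else:
        on = d.group(1).lower() == "true"
        findings["disallow_file_edit"] = (on, "DISALLOW_FILE_EDIT is %s" % d.group(1))
    return findings

def is_hardened(text):
    """True only when every check passes."""
    return all(ok for ok, _ in audit_wp_config(text).values())

if __name__ == "__main__":
    for name, cfg in (("default", DEFAULT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_wp_config(cfg))
```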

WORDFENCE

• Over 1,700,000 Downloads
• Masks Username On Login
• Enforces Strong Passwords
• Alerts For Core, Theme and Plugin Updates
• Scans Files For Unauthorized Changes
• Locks Out Repeated Failed Login Attempts
• Monitors DNS Settings
• Etc.
• Has Performance-Enhancing Cache Built In

BACKWPUP

• Over 1,260,000 Downloads
• Fully Configurable
  – Schedule multiple jobs
• Different Backup Locations
  – Email, folder (not within the WP folder), FTP, Dropbox, etc.
• Requires FTP and phpMyAdmin Access For Restoral
• Vaultpress.com (Paid) Provides 1-Click Restorals

ADDITIONAL SECURITY

• Restrict Logins To One IP
  – Effective, but limits flexibility
• Two-Factor Authentication
  – Duo Security (free plugin)
  – Links to an account at duosecurity.com
  – Free for <= 10 users, otherwise $1/user/month

WHITE LABEL CMS

• Rebrand WordPress
  – Dashboard
  – Logos
  – Login logo
• Control Access To “Advanced” Functions
  – Dependent on user’s level

TIDY UP

• Delete All Themes Except:
  – The one in use (and its parent, if it’s a child theme)
  – The default theme (currently twenty-fourteen)
• Delete Unneeded Plugins
  – Especially SQL Executioner

ONGOING SECURITY

• Keep Your Installation Up To Date
  – WP core
  – Themes
  – Plugins
• WordFence Can Send Alerts
  – Updates
  – Modified files
  – Repeated failed login attempts

TOOLS USED

• Editor
  – Komodo
• Plugins
  – WordFence
  – BackWPup
  – SQL Executioner
  – iThemes Security
  – Duo Security
  – White Label CMS

CONCLUSIONS

• Risk Is Low But Real
• Risk Reduction Is Easy
  – 80% of the protection for 20% of the work
• Strong Passwords
• Backup
• Backup
• Backup
