How to Secure your WordPress Website
Mike Pead, WordCamp UK 2014, 13/07/2014 (PDF document)


About Me!
• Mike Pead
• Web design for 15 years
• Based in Essex & London
• Founded Primary Image in 2010
• Mainly work with small/medium sized businesses
• www.primaryimage.com

About Me!
• Manage WordPress hosting for clients
• 100% WordPress
• Handle all their security, including WordPress updates

Today’s Talk
• Why worry about WordPress security?
• Steps you can take to secure your site…

% of WordPress Usage
• All Websites: 23% = WordPress
• CMS Websites: 60% = WordPress

So why did I get interested in WordPress security?

Why is WordPress vulnerable?
1. That’s over 70 million websites in the world!
2. Half are self-hosted.
3. Only a fraction of sites change from the default configuration.
WordPress is an attractive target to hackers due to its popularity – a victim of its own success!


Most attacks are automated! (i.e. bots)

Bot URL requests
Analysis by Wordfence: looked at 26 million "page not found" reports from 30,000 websites.
• 4th place: 102,800 requests: /wp-login.php
• 7th place: 31,800 requests: /wp-login.php?action=register
• 10th place: 24,000 requests: /wp-comments-post.php
• 11th place: 22,300 requests: /administrator/
• 23rd place: 14,200 requests: /wp-content/themes/GeoPlaces/monetize/
• 45th place: 8,500 requests: /author=1
Source: http://www.wordfence.com/blog/2014/05/top-100-page-not-found-errors-for-wordpress/

Bot URL requests (slide image)

So what does a botnet attack look like? (slide image)

Consequences of an attack…
• Website becomes inaccessible
• Lose brand reputation
• Lose SEO / become blacklisted

So is WordPress Secure?
• YES IT IS!
• WordPress is extremely good (& quick) at rolling out security fixes when issues are found.
• And trusted by some of the biggest names in the world.

Are you sure it’s secure?
• Most vulnerabilities are found in plugins and hosting environment, not the WordPress core.
• Many techniques used to attack WordPress could be applied to other types of CMS too.

But there are precautions you can take to secure your site… And the WordPress Codex itself gives some tips: http://codex.wordpress.org/Hardening_WordPress

What simple steps can I take to secure my site?

01 Keep WordPress updated
• WHY? WordPress is open-source – means anyone can see what vulnerabilities have been fixed between versions.
• HOW?
  - One-click upgrades are easy, quick & reliable.
• Today you should all be using WordPress 3.9.1.

01 Keep WordPress updated
• Survey of 350+ NHS WordPress websites (slide image)
  Source: Terence Eden http://shkspr.mobi/blog/2014/03/2000-nhs-security/vulnerabilities-disclosed/

01 Keep WordPress updated
• I alerted the Trade & Investment (UKTI) Government department in March they were using WP 3.4.2 for their blog:
  – released in 2012
  – 9 security updates had been issued

02 Keep plugins updated
• WHY? Can be a big hole for allowing attacks.
• HOW?
  - If running multiple sites, use a service such as WP Remote (free) to check and install plugin updates in one dashboard.
  – How often do you check & install plugin updates?

03 Only use trusted plugins
• WHY? Not all plugins can be trusted!
• HOW?
  - Get the plugin from wordpress.org or a trusted source.
  - How many downloads / reviews has it got?
  - When was it last updated?

04 Only use trusted themes
• WHY? Themes can have poorly written code, or worse – purposely malicious code included.
• HOW?
  - Get the theme from a trusted source.
  - Examine the code yourself.
  - Be aware of Base64 code: TWFuIGlzIGRpc3Rpbmd1aXNoZWQsIG5vdCBvbmx5IGJ5IGhpcyByZWFzb24sIGJ1dCBieSB0aGlzmd1aXNoZWQsIG5vdCft

05 Choose a secure password
• WHY? Brute force attacks mainly rely on using dictionary words.
• HOW?
  - Use characters, numbers, capitals, etc.
  - Use a unique password, don’t use the same for every login on the internet!
  - Change it regularly, at least every 3 months.
  - Make sure other users also have strong passwords.
  - This includes your FTP, cPanel & other passwords too!

06 No “admin” usernames
• WHY? Any element of predictability gives hackers an edge. Bots will try this first!
• HOW?
  - Setup a new admin account with a unique username.
  - Delete the existing admin account.

07 You need decent hosting
• WHY? Attacks can exploit vulnerabilities at a server-level. Don’t let your hosting account be the weak link.
• HOW?
  - Choose a reputable host, perhaps those that specialise in WordPress.
  - Budget hosts may not always have their focus on security.

08 Keep regular backups!
• WHY? If the worst comes to the worst, have a clean backup you can restore to!
• HOW?
  - Download a copy to your computer.
  - Use an external service, e.g. myRepono.
  - Frequency to depend on how often your site is updated!

Want more powerful steps to secure your WordPress site…?

09 Restrict login attempts
• WHY? Detect and block brute force attacks.
• HOW?
  - Install a plugin such as iThemes Security.
• Setup differently depending on whether it’s just you or members of the public logging-in!
• BUT THERE ARE FLAWS IN THIS METHOD: Botnet attacks can come from 1000s of IP addresses.
• How about BruteProtect? It logs every failed attempt community-wide.
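The per-IP counting that a limit-login plugin does, and the botnet flaw the slide points out, can both be seen on a small access log. This is an added example, not code from the talk or from iThemes Security; the log lines are constructed, and it assumes WordPress re-serves the login form with HTTP 200 on a failed login and redirects (302) on success.

```python
import re
from collections import Counter

# Constructed sample of Apache combined-log lines (not from the talk).
# 203.0.113.7 hammers the login form alone; 198.51.100.0/24 is a
# botnet-style spread where every IP stays under the per-IP limit.
# 192.0.2.5 logs in successfully (302 redirect), so it is not a failure.
SAMPLE_LOG = "\n".join(
    ['203.0.113.7 - - [13/Jul/2014:10:00:%02d +0100] '
     '"POST /wp-login.php HTTP/1.1" 200 3000' % i for i in range(6)]
    + ['198.51.100.%d - - [13/Jul/2014:10:01:%02d +0100] '
       '"POST /wp-login.php HTTP/1.1" 200 3000' % (i, i) for i in range(1, 41)]
    + ['192.0.2.5 - - [13/Jul/2014:10:02:00 +0100] '
       '"POST /wp-login.php HTTP/1.1" 302 0']
)

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def failed_logins(log_text):
    """Count failed wp-login.php POSTs per IP.
    Assumption: a failed login re-serves the form (HTTP 200),
    a successful one answers with a redirect (HTTP 302)."""
    fails = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        is_login = m['method'] == 'POST' and m['path'].split('?')[0] == '/wp-login.php'
        if is_login and m['status'] == '200':
            fails[m['ip']] += 1
    return fails

def analyse(log_text, per_ip_limit=5, distributed_limit=20):
    """Per-IP blocking as a limit-login plugin would do it, plus the
    site-wide total that a per-IP rule alone cannot see."""
    fails = failed_logins(log_text)
    noisy = sorted(ip for ip, n in fails.items() if n >= per_ip_limit)
    under_limit = sum(n for n in fails.values() if n < per_ip_limit)
    return {
        "per_ip_blocked": noisy,                                 # what the plugin catches
        "total_failures": sum(fails.values()),
        "distributed_attack": under_limit >= distributed_limit,  # what it misses
    }

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

Only the single noisy IP is blocked per-IP; the 40 spread-out failures never trip that rule, which is why a community-wide view of failures (the BruteProtect idea) helps.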

10 Switch on SSL encryption
• WHY? Secures the traffic between the server and your computer, inc. your password.
• HOW?
  - Buy an SSL certificate from your host.
  - Force WP-Admin SSL in iThemes Security.

11 Obscurity
• WHY? Make it harder for bots to scan for your WordPress version.
• HOW? (slide image)

12 Change your database prefix
• WHY? Default MySQL tables easy to guess.
• HOW? Use iThemes Security or Change Database Prefix

Things I don’t recommend:
  - 404 detection blocking
  - “Away mode”
  - Set “allow” IP addresses
  - Changing directory URLs as they can break plugins
  - Automatic edits to key files
  - Enforcing strong passwords for subscribers
  - Blocking whole countries

13 Two-Factor Authentication
• WHY? Provides another hurdle for unauthorised users trying to login.
• HOW?
  - Google Authenticator

14 Monitor what’s happening
• WHY? If you have a multi-author site, check what they’re doing!
• HOW? Plainview Activity Monitor

15 Block access to system files
• WHY? You don’t want prying eyes looking at these sensitive files!
• HOW?
  - Add some rules to your .htaccess file. (.htaccess file image)

15 Block access to system files

    # protect files
    <files license.txt>
    Order allow,deny
    Deny from all
    </files>
    <files wp-config.php>
    Order allow,deny
    Deny from all
    </files>
    <files install.php>
    Order allow,deny
    Deny from all
    </files>
    <files readme.html>
    Order allow,deny
    Deny from all
    </files>
    <files error_log>
    Order allow,deny
    Deny from all
    </files>

15 Block access to system files
Recommended on the WordPress Codex:

    # Block the include-only files.
    <IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
    </IfModule>

16 Build your own firewall
• WHY? Stop dodgy requests from even reaching your WordPress installation – block them at server level.
• HOW?
  - Again, add some rules to the .htaccess file.
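To see what the Codex rewrite rules above actually refuse before putting them live, here is an added example (not from the talk or the Codex) that models the five RewriteRule lines in Python; it assumes Apache matches each rule against the path relative to the site root, in order, with [F,L] refusing the request and the negated [S=3] rule skipping the next three rules whenever the path does not start with wp-includes/.

```python
import re

# Model of the Codex rules (assumption: evaluated in order against the
# request path with the leading slash and any query string removed).
RULES = [
    (r"^wp-admin/includes/", "deny"),            # RewriteRule ^wp-admin/includes/ - [F,L]
    (r"^wp-includes/", "skip3_unless_match"),    # RewriteRule !^wp-includes/ - [S=3]
    (r"^wp-includes/[^/]+\.php$", "deny"),       # RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    (r"^wp-includes/js/tinymce/langs/.+\.php", "deny"),
    (r"^wp-includes/theme-compat/", "deny"),
]

def is_blocked(request_path):
    """True if the Codex rules would answer 403 Forbidden for this path."""
    path = request_path.lstrip("/").split("?", 1)[0]
    i = 0
    while i < len(RULES):
        pattern, action = RULES[i]
        matched = re.search(pattern, path) is not None
        if action == "deny" and matched:
            return True
        if action == "skip3_unless_match" and not matched:
            i += 3      # not under wp-includes/: the three wp-includes rules are skipped
        i += 1
    return False

# Constructed paths worth understanding: PHP files directly under
# wp-includes are refused, but PHP in other subdirectories and the
# normal admin/ajax endpoints still work.
CHECKS = {
    "/wp-admin/includes/file.php": True,
    "/wp-admin/admin-ajax.php": False,
    "/wp-includes/wp-db.php": True,
    "/wp-includes/js/jquery/jquery.js": False,
    "/wp-includes/js/tinymce/langs/en.php": True,
    "/wp-includes/theme-compat/header.php": True,
    "/index.php": False,
}

def verify_rules():
    """Return the paths whose result differs from CHECKS (empty means all as expected)."""
    return [p for p, expected in CHECKS.items() if is_blocked(p) != expected]

if __name__ == "__main__":
    for p in CHECKS:
        print(f"{p:45} {'403' if is_blocked(p) else 'allowed'}")
```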
