Slides from a talk given on April 30, 2016 at WordCamp Vernon in Vernon, British Columbia, Canada. The talk was an overview of WordPress security solutions and best practices at a beginner/intermediate level. It presented practical techniques and advice for guarding against hackers and unauthorized access to your self-hosted WordPress installation. The topic was addressed from a fairly non-technical perspective.

1. WordPress Security 101
Practical Techniques & Best Practices
Jonathan Hall, BCIS

2. Introduction

3. How Sites are Hacked
●
Exploiting code vulnerabilities in WordPress
Core, themes, or plugins
●
Gaining access to the WordPress admin via a
user account
●
Finding a way into the web server

4. Avoiding Code Vulnerabilities

5. Update, Update, Update
●
Keep WordPress, themes, and plugins up-to-
date
●
Consider enabling automatic updates
– Only enabled for minor core releases, translation
files, critical plugin/theme updates by default
– Can be expanded, e.g. using Advanced Automatic
Updates plugin

6. Update, Update, Update
WordPress 0.7.1
Source: http://planetozh.com/blog/2008/12/a-journey-through-five-years-of-wordpress-interface/

7. Minimize the Attack Surface
●
Less code = lower probability of vulnerabilities
●
Deactivate all unused plugins
●
Uninstall all plugins and themes that aren't
needed

8. Choose Themes & Plugins Carefully
●
Whenever possible, use products from reputable
theme and plugin authors
●
Paying for a theme/plugin does not guarantee
quality
●
Prefer older, more widely used themes/plugins

9. Choose Themes & Plugins Carefully
●
Check most recent release date, update
frequency

10. Use Security Scanners
●
Wordfence
●
Sucuri, iThemes Security, etc.

11. Don't Give Useful Info to Attackers
●
Disable error reporting
– PHP configuration: display_errors directive
– WordPress configuration: WP_DEBUG and
WP_DEBUG_DISPLAY constants

12. Don't Give Useful Info to Attackers
●
Disable WordPress version output
– e.g. “Meta Generator and Version Info Remover”
plugin

13. User Account Security

14. Avoid Brute Force Attacks
●
Don't use default or easily guessed usernames
– “admin”, “administrator”
– Domain name

15. Avoid Brute Force Attacks
●
Use strong passwords
– Uppercase and lowercase letters, numbers, symbols
– At least 8 characters, preferably more
– No dictionary words
●
Enforce strong passwords
– e.g. Force Strong Passwords plugin

16. Avoid Brute Force Attacks
●
Limit the number of failed login attempts
– Block the user for a specified time after X failed login
attempts
– e.g. Limit Login Attempts plugin
Limit Login Attempts lockout options

17. Two-Factor Authentication
●
Add “what you have” to “what you know”
●
Email, SMS, or mobile app based
●
e.g. Clef, Duo, Rublon Two-Factor Authentication
plugins

18. Two-Factor Authentication
Duo Two-Factor Authentication
Source: https://en-ca.wordpress.org/plugins/duo-wordpress/screenshots/

19. “Security By Obscurity”
●
Change the paths to your WordPress admin
directory and the wp-login.php script
– e.g. Protect Your Admin plugin

20. Principle of Least Privilege
●
Limit users' roles to what they actually need
●
Customize roles and capabilities if necessary
– e.g. Capability Manager Enhanced plugin
●
Disable editing of plugins and themes from the
admin
– define('DISALLOW_FILE_EDIT', true);

21. Prevent Password Sniffing
●
Don't log in to your WordPress admin on
unsecured WiFi networks
●
Consider installing an SSL certificate for admin
access

22. Web Server Security

23. FTP, Control Panel, SSH Access
●
Use strong passwords
●
Use public key authentication where possible
●
Use two-factor authentication where possible

24. Database Server
●
Use strong passwords for database users
●
Apply principle of least privilege
●
Block external access unless absolutely
necessary

25. Backups

26. Backups
●
Make backups of your database and website files
often
●
Store backups off-site
●
Check/test backups!
●
e.g. BackUpWordPress, Dropbox Backup &
Restore, UpdraftPlus Backup and Restoration
plugins

27. I've Been Hacked, Now What?

28. Recognize the Symptoms
●
Unfamiliar files in your website's directories
●
Unrecognized plugins
●
New posts or other content that you didn't write
●
Spammy links appearing in existing content
●
New users added
●
Successful admin logins from unrecognized
IPs/locations

29. What Malicious Code (May) Look Like
●
Prepended or appended to WordPress core,
plugin, or theme PHP files
●
New files with seemingly legitimate names
– login.php, config.php, etc.
●
PHP files in the uploads directory
●
Calls to eval(), often with base64_decode() or
gzinflate()
– eval(base64_decode(ZnVuY3Rpb24gbXlSZWF
sbHlCYWRGdW5jKCkgewplY2hvKCdIZWxsbyB3b
3JsZCEnKTsKZGllKCk7Cn0...

30. First Steps
●
“Quarantine” all website files
●
Backup the database
●
Restore website files and database from the
most recent clean backup
●
Immediately change all user passwords
●
Install all updates

31. Identify the Attack Vector
●
Determine when entry was first gained, and by
whom (IP address)
– WordPress login log
– Website logs
– Backups of database and files
●
Trace the attacker's actions
– Login via a compromised user account?
– Web requests with a specific URI?

32. Questions?