WordPress Security — WPBudapest meetup

in WordPress

Another month, another #wpbudapest meetup! If you live in Budapest and like WordPress, you should join us next time!

This month, we talked about security and I volunteered to give a talk to outline some basic WordPress security principles. You’ll find my slides below, as well as an outline of my talk with some links, and a small screencast of me going through my talk. Our meetup location is quite dark so I opted to record myself at home instead; it’s a good way to practice! :)

  • Credits to Warner for all the Matrix images. Sorry for the spoilers, if you haven’t seen that movie you should! :)
  • Color palette: Confidential

Here is a quick outline of my slides. It’s pretty raw, but should help you understand most of my points.

Keep your site safe — A few important WordPress security principles

What is Security

  • That’s scary.
  • That can seem complicated.
  • That’s super super important. You should take the time to understand these things.

What kinds of attacks will you see happening?

The most common kind of attack is link injection: hackers will inject spam links everywhere, or sometimes only where you don’t see them, like in a hidden container in your footer. That kind of stuff can get your site kicked out of Google, so it should be taken seriously.

Other attackers choose to take your site down, or deface the whole website.

And a few hacked sites won’t show any public sign of injection, because the hacker only got in to gather information about you, your organization…

Why do they do it?

  • For money, of course!
  • To hack other sites through your site
  • To gather information
  • Hacktivism
  • Kids playing around for the lulz

How do they do it?


There are essentially 2 different kinds of attacks:

  • Targeted attacks, where the hacker targets only your site, for a specific purpose.
  • Automated attacks are more common.

Automated attacks can be very simple: they often try to exploit known vulnerabilities, things that were fixed in past versions of WordPress. That’s why it’s important to stay up to date.
For a hacker trying to get into a million sites a day, getting into 50 can still be valuable.

Misconceptions

WordPress suffers from a few misconceptions that I’d like to clarify:

  • It happens to others, I’m not a target.

As we’ve seen earlier, that’s not true. Since most attacks are automated, anyone with a WordPress site is a target, regardless of how popular your site is.

  • I’m safe, I use x security plugin

Don’t rely on just one plugin that you may or may not have configured. It’s best to think it through, as we will do together in a minute.

  • I’m safe, I hide my WP version / my log in page

Automated attacks don’t care about your WP version. And some attackers don’t use your log in form to get into your site. So in a lot of cases, that is not enough.

  • WordPress is not secure

We see mentions of vulnerabilities multiple times every year, so it’s easy to blame WordPress. However, the fault doesn’t lie with the tool, it lies with you, the webmaster. Most vulnerabilities are never exploited in the wild before they’re patched by WordPress’ dedicated security team, so as long as your site is up to date, WordPress is secure.

Good practices before you start thinking about plugins

Choose a good host

I’d recommend avoiding hosts that are not open about the things below. If you keep getting transferred from one support person to the next, or have to wait ages to get answers to basic setup questions, pick another host.
All of these can be good pre-sale questions, or you can use Google to find answers.

  • Version of PHP
  • Do they know about WordPress? Hosts that specialize in WordPress, or have a WordPress offering, will be familiar with the most common attacks related to WP.
  • How do they update things? Some hosts won’t accept old versions of WordPress, and will update it for you.
  • Brute Force prevention measures. Do they just block without thinking about it? Go somewhere else. You need to pick a host who knows what they’re doing.
  • What kind of access do they offer? Only FTP? Go somewhere else. SFTP? Better. SSH key pairs? Good.

Make an audit of how you use WordPress

Pre-made plugins and services don’t know your situation or your needs. You know best. Before you install things, think about how you use WordPress.

  • Do you need your visitors to be able to register? No? Close it down for good! You can use an mu-plugin (a PHP file dropped into wp-content/mu-plugins/, which WordPress loads automatically and which can’t be deactivated from the dashboard) to add some of these security oriented snippets (kudos Julio Potier):
<?php
// Can't enable user registrations: short-circuit the option before it is read from the database
function jeherve_option_users_can_register( $value ) {
	return '0';
}
add_filter( 'pre_option_users_can_register', 'jeherve_option_users_can_register' );

// Default role to subscriber, whatever the setting in the dashboard says
function jeherve_option_default_role( $value ) {
	return 'subscriber';
}
add_filter( 'pre_option_default_role', 'jeherve_option_default_role' );
  • Audit all the users appearing under the Users menu. Do they need to be there? Do they need an admin account, or would an editor account be enough?

  • What are the plugins you use?

Do you still use them? If a plugin is there but deactivated, remove it.
How old is the plugin? Is it updated often? Who is the maintainer? Do they know something about code security? What’s their reputation? All of these questions can help you tell a good plugin from a bad one.

Same goes for themes. Only install from trusted sources, and never install a theme you got from a simple Google Search.


  • How do you update WordPress, themes, plugins? Make sure you have a policy in place. Someone has to be in charge of updating things on the site. If you can’t do it yourself, you can enable auto updates. You could also use a managed service like Jetpack or ManageWP to manage things for you.

  • Do you edit plugins and themes from the dashboard?

Don’t. Really. Add this to your wp-config.php file. Some hosts actually do it for you.

define( 'DISALLOW_FILE_EDIT', true );

// Force deactivate pingbacks: remove the pingback method from XML-RPC
// (this goes in the mu-plugin above, not in wp-config.php)
function jeherve_deactivate_pings( $methods ) {
	unset( $methods['pingback.ping'] );
	return $methods;
}
add_filter( 'xmlrpc_methods', 'jeherve_deactivate_pings' );
  • If an option will never change and shouldn’t be changed by anyone, make it impossible to change it. Here is an example with the admin email address:
// Lock down admin email address
function jeherve_option_admin_email( $value ) {
	return '[email protected]';
}
add_filter( 'option_admin_email', 'jeherve_option_admin_email' );
  • Do you always access your dashboard from the same location, are you the only admin? Then only allow admin access to a specific IP range (see the codex for more). Just make sure you don’t lock wp-admin/admin-ajax, that’s used for Ajax in plugins :)
# save as .htaccess and upload to the wp-admin/ folder
# Block access to wp-admin.
# (Apache 2.2 syntax; on Apache 2.4 this needs mod_access_compat, or use the "Require ip" directive instead)
order deny,allow
allow from x.x.x.x
deny from all
# Allow access to wp-admin/admin-ajax.php
<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>
  • Do you use a mobile app, a desktop app, a service like IFTTT, or a plugin like Jetpack?
    If you don’t, lock XML-RPC down, for good:
// In a plugin (or the mu-plugin above).
// This filter disables the XML-RPC methods that require authentication;
// the .htaccess rule below blocks the endpoint entirely.
add_filter( 'xmlrpc_enabled', '__return_false' );

# In .htaccess
<Files xmlrpc.php>
order deny,allow
deny from all
</Files>


That is a lot of steps. Luckily, plugins like WP Security Scan can help you with that audit. They help you check basic things like the database prefix, the admin account, …

Let’s talk passwords

Pick a strong, unique password

Use a Password Manager:
– They even allow you to set completely random usernames, not just passwords. That makes things even more difficult for hackers.
– 1Password is multi-platform, and that’s important nowadays as you want to be able to log in to Facebook on your mobile as well. :)
– KeePass is open source and free

Let’s make it hard everywhere

  • Use SFTP, or even an SSH key pair instead of a password.
  • Pick strong passwords for other control panels, like cPanel or PHPMyAdmin.
  • Don’t forget your domain registrar. Hackers don’t have to get into your site if they can just redirect your domain to their own server.

2FA everywhere

Use 2 factor authentication everywhere. Most services offer that option nowadays. Each one of your accounts is important. If one gets hacked, the others can, too. See this story to make things a bit scarier.

In the space of one hour, my entire digital life was destroyed.

You can use 2FA with WordPress as well. Check these plugins:
– Authy
– Clef
– Google Authenticator
– Jetpack (redirect to WordPress.com with SSO, and require 2FA)

HTTPS in the admin

If you don’t use HTTPS when logging in to WordPress, your username and password can be intercepted by just about anyone on your network. If you’re on a shared network, like a coworking space, or worse, an open network like a McDonald’s or a Starbucks, you don’t know who’s listening. Anyone could grab your credentials with a simple Firefox add-on like Firesheep.

Luckily, you can get free SSL certificates with services like CloudFlare. I would also recommend that you keep an eye on letsencrypt.org. This organization will start issuing free SSL certificates for everyone starting this month.

If you don’t do that, at least use a VPN when you’re not at home. Cloak is a good example, but there are many others available.

Block hackers before they can even hit your site

WAF

If you run a business, consider investing in a WAF (Web Application Firewall). They allow you to detect certain patterns, and block hackers before they can even hit your site.
Sucuri offers one of the most popular WAFs for WordPress users. CloudFlare also offers that option. You can also check Incapsula, or SiteLock.
– There are open source alternatives as well, if you have control over your server. fail2ban and ModSecurity are 2 of the most popular solutions out there. Many hosts actually use ModSecurity to mitigate attacks on their servers.

Jetpack’s Protect module can also act as a firewall and protect your log in page as well as XML-RPC.
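What a fail2ban-style rule actually does, as an added example that is not code from the talk or from any of the products named above: parse web server access logs and flag IPs that hammer the login form or XML-RPC within a short window. The log lines are constructed, and the watched endpoints, threshold and window are assumptions you would tune for your own site.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format; we only need client IP, timestamp, method and path.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
WATCHED = {"/wp-login.php", "/xmlrpc.php"}  # endpoints that automated login attacks hammer

def parse_line(line):
    """Return (ip, timestamp, path) for a POST to a watched endpoint, else None."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return None
    path = m.group("path").split("?", 1)[0]
    if path not in WATCHED:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, path

def find_bruteforcers(lines, max_attempts=5, window_seconds=600):
    """IPs that POST to a watched endpoint more than max_attempts times within window_seconds."""
    recent = defaultdict(deque)  # ip -> timestamps of its recent POSTs
    flagged = {}                 # ip -> the moment it crossed the threshold
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, _ = parsed
        q = recent[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > window_seconds:  # expire attempts outside the window
            q.popleft()
        if len(q) > max_attempts and ip not in flagged:
            flagged[ip] = ts
    return flagged

def _line(ip, ts, method, path, status):
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

# Constructed sample log: one normal visitor, one bot hammering XML-RPC, one slow poster.
SAMPLE_LOG = [
    _line("203.0.113.5", "10/Nov/2015:10:00:01 +0000", "GET", "/wp-login.php", 200),
    _line("203.0.113.5", "10/Nov/2015:10:00:09 +0000", "POST", "/wp-login.php", 302),
] + [
    _line("198.51.100.7", f"10/Nov/2015:10:01:{s:02d} +0000", "POST", "/xmlrpc.php", 200)
    for s in range(0, 60, 5)   # 12 POSTs inside one minute
] + [
    _line("192.0.2.9", f"10/Nov/2015:{h:02d}:00:00 +0000", "POST", "/wp-login.php", 200)
    for h in range(8, 14)      # 6 POSTs spread over six hours: not brute force
]
```

Running find_bruteforcers(SAMPLE_LOG) flags only 198.51.100.7; the slow poster stays under the threshold until you widen the window, which is exactly the tuning trade-off a host or WAF makes for you.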

Alright, now let’s talk plugins

Pick a plugin

There are many security plugins, I won’t cover them all. I’d suggest checking their feature pages, and see which one fits your needs the best.

You’re all set. How do you keep it that way?

It’s not a “set it and forget it” kind of thing.

  • If you develop sites for clients, make sure they can, and will, update WordPress. They should understand how important it is.
  • Make sure you change passwords often. Some plugins can help you do that, like this one.
  • Receive notifications for all activity on your site, with plugins like Stream.

I would also recommend that you use a backup service like VaultPress, UpdraftPlus, or BackupBuddy. It’s best if your backups are stored on a separate server, so if your host is compromised, your backup won’t be. I would also recommend looking for a service that allows you to do one-click restores so you can quickly get back to a working site if you ever get compromised.


A good addition to that is a security scanning service like Sucuri, again, or VaultPress, again. Services like these will warn you when something malicious is added to your site, and will help you fix the problem or roll back to a safe version.


As a cheaper solution, you could use version control, and create a repo for your site’s directory. If a file gets changed and is not committed, you’ll see it when reviewing your repository.
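A cheap integrity check along the lines of the version-control idea, added here as an example and not code from the talk: hash every file under the site directory, keep that as a baseline, and later report what was added, removed or modified. The tiny site layout in demo() is constructed, and the directory skip list is an assumption; a real baseline would be stored off the server, since anything on a compromised host can be tampered with.

```python
import hashlib
import os
import tempfile

def sha256_file(path):
    """Hash a file in chunks so large files are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def snapshot(root, skip_dirs=("wp-content/cache",)):
    """Map every file under root (relative path -> sha256), pruning noisy directories."""
    result = {}
    for dirpath, dirnames, filenames in os.walk(root):
        rel_dir = os.path.relpath(dirpath, root).replace(os.sep, "/")
        rel_dir = "" if rel_dir == "." else rel_dir
        dirnames[:] = [d for d in dirnames if f"{rel_dir}/{d}".lstrip("/") not in skip_dirs]
        for name in filenames:
            result[f"{rel_dir}/{name}".lstrip("/")] = sha256_file(os.path.join(dirpath, name))
    return result

def diff_snapshots(baseline, current):
    """What changed since the baseline: the same view a git status would give you."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys() if baseline[p] != current[p]),
    }

def demo():
    """Constructed scenario: baseline a tiny site, then simulate a hidden spam link and a dropped file."""
    with tempfile.TemporaryDirectory() as root:
        theme = os.path.join(root, "wp-content", "themes", "mytheme")
        os.makedirs(theme)
        with open(os.path.join(theme, "footer.php"), "w") as f:
            f.write("<footer>clean</footer>\n")
        with open(os.path.join(root, "index.php"), "w") as f:
            f.write("<?php require 'wp-blog-header.php';\n")
        baseline = snapshot(root)
        # the kind of change described earlier: a hidden container with spam links in the footer
        with open(os.path.join(theme, "footer.php"), "a") as f:
            f.write('<div style="display:none"><a href="#">spam</a></div>\n')
        with open(os.path.join(theme, "drop.php"), "w") as f:
            f.write("<?php // constructed placeholder, stands in for any unexpected new file\n")
        return diff_snapshots(baseline, snapshot(root))
```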

That’s it. Want more?

Check the Codex, or watch the video below :) If you have questions, let me know in the comments!

Until then, remember:

  • You are a target.
  • Audit and monitor.
  • Update!