SlideShare a Scribd company logo

WordPress Security Implementation Guideline - Presentation for OWASP Romania Infosec Conference 2014

Download as PPTX, PDF
Dan Vasile
Dan Vasile

This project aims for a unified approach on WordPress security design and implementation. It is definitely more than a checklist, it's a guide for secure implementation and an invitation to consider and to analyze each individual case. There is a long list of recommended resources for securing aspects of the WordPress implementation. The project is aimed to offer open source or free resources instead of commercial ones. Some plugins have a free version and a paid one that offers extra functionality. In such cases, the focus of the project was on the free version.

Internet
1 of 32
WordPress Security Implementation Guideline Good practices and epic fails of WordPress implementations
About Me • Information Security Consultant – Application Security – Secure SDLC Dan VASILE http://www.pentest.ro dan@pentest.ro @DanCVasile
Why do I talk about WordPress? • I use WordPress • Previous talk @OWASP Ro InfoSec Conf 2013 • Working with 3rd parties on secure WordPress implementation • The project: WordPress Security Implementation Guideline
Why do I talk about WordPress? WordPress Security Implementation Guideline
Scope • Not just WordPress but Open Source adoption • Framework for secure implementation • Large scale integration
Scope • General security • Infrastructure security • WordPress security • Large-scale integration
Scope • General security • Infrastructure security • WordPress security • Large-scale integration
General & Infrastructure Security General security
Scope • General security • Infrastructure security • WordPress security • Large-scale integration
General & Infrastructure Security Infrastructure security
Scope • General security • Infrastructure security • WordPress security • Large-scale integration
WordPress security WordPress Security Implementation Guideline 20 subjects 3 main components: • Core • Plugins • Themes Manual activities & plugin alternatives
WordPress security Updates 3 main types of updates: • Core • Minor • Major WordPress > v3.7 – automatic updates for Minor
WordPress security Updates Turn on auto-updates for Major/Core define( 'WP_AUTO_UPDATE_CORE', true ); For plugins and themes add a filter add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' );
WordPress security Choose plugins carefully
WordPress security Backup What? • Files • Core installation, plugins, themes, images & files • Database How? Manual vs Automatic
WordPress security Backup horror story 1 The good • Daily backup, files & database, 365 days retention policy The bad • No geographical redundancy, no disaster recovery plan The ugly • HDD fail on main machine, faulty HDD on the backup machine • Missing data and database structure
WordPress security Backup horror story 2 The good • Proper backup to the cloud The bad • Backup credentials stored in clear text The ugly • Attacker compromising site and deleting backups
WordPress security User roles • Super Admin • Administrator • Editor • Author • Contributor • Subscriber
WordPress security Restricting access Sensitive areas of the application must be protected from unauthorized access. .htaccess Order Deny,Allow Deny from all Allow from 127.0.0.1
WordPress security Prevent brute-forcing • Add CAPTCHA • Blacklist attackers • Lock accounts Write a plugin that will lock an account for a predefined period of time after a number of failed attempts.
WordPress security Add blank index.php This should be covered by Apache configuration, but it’s not always the case.
WordPress security Missing blank index.php
WordPress security Force encryption on data in transit There are cases where both port 80 and 443 are used. Sensitive operations must use SSL: define('FORCE_SSL_LOGIN', true); define('FORCE_SSL_ADMIN', true);
Scope • General security • Infrastructure security • WordPress security • Large scale integration
Large scale integration Large scale integration • Creating a standard image • LDAP integration & Single Sign On • Multisites • Unified management of multiple installations
Large scale integration Creating a standard image • Blank image (no data) • All the updates • All the basic shared plugins and themes (&data?) Purpose: • Testing ground for new stuff • Create new instances, secure by default
Large scale integration LDAP integration & Single Sign On • Integration with Active Directory • Single Sign On (SSO) Why? • Centralized user management • Use existing hierarchy
Large scale integration Multisites • Built-in WordPress functionality • End users can create their own sites on demand Downside • Shared components (plugins)
Large scale integration Unified management of multiple installations • Self-hosted and cloud solutions Why? • Centralized login and management • Push updates to all instances
What’s next? Next steps • Contribute to the project Wordpress Security Implementation Guideline • Share the knowledge • Write secure code for WordPress • Help others
Q&A

Recommended

Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Vasile
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security BasicsRyan Plas
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyAnton Dedov
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites Catch Themes
 
10 Ways to Secure WordPress
10 Ways to Secure WordPress10 Ways to Secure WordPress
10 Ways to Secure WordPressJeremy Green
 

Recommended

Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hacker
Dan Catalin Vasile - Defcamp2013 - Does it pay to be a blackhat hackerDan Vasile
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security BasicsRyan Plas
 
Web & Cloud Security in the real world
Web & Cloud Security in the real worldWeb & Cloud Security in the real world
Web & Cloud Security in the real worldMadhu Akula
 
SANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedSANS @Night Talk: SQL Injection Exploited
SANS @Night Talk: SQL Injection ExploitedMicah Hoffman
 
ZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyZeroNights2013 testing of password policy
ZeroNights2013 testing of password policyAnton Dedov
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites Catch Themes
 
10 Ways to Secure WordPress
10 Ways to Secure WordPress10 Ways to Secure WordPress
10 Ways to Secure WordPressJeremy Green
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guideMickey Mellen
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality DevelopmentGareth Davies
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
Securing your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesSecuring your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesKevin Koehler
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wildrebelpixel
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityMicah Hoffman
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wildrebelpixel
 
The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hackedMarko Heijnen
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser AliHackIT Ukraine
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte SecureMichele Butcher-Jones
 
Web Security Programming I I
Web Security Programming I IWeb Security Programming I I
Web Security Programming I IPavu Jas
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security TipsLalit Nama
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Nigel Harding
 
Ignite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricksIgnite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricksevilzenscientist
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkWilliam Earnhardt
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteReliqusConsulting
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014The Toolbox, Inc.
 

More Related Content

What's hot

WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guideMickey Mellen
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014Anant Shrivastava
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality DevelopmentGareth Davies
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
Securing your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesSecuring your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesKevin Koehler
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wildrebelpixel
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityMicah Hoffman
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wildrebelpixel
 
The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hackedMarko Heijnen
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser AliHackIT Ukraine
 
Web Security Programming I I
Web Security Programming I IWeb Security Programming I I
Web Security Programming I IPavu Jas
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security TipsLalit Nama
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyoneVladimír Smitka
 
Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Nigel Harding
 
Ignite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricksIgnite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricksevilzenscientist
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Rahul
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015NetSPI
 

What's hot (18)

WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
 
When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014When the internet bleeded : RootConf 2014
When the internet bleeded : RootConf 2014
 
Continuous Integration and Quality Development
Continuous Integration and Quality DevelopmentContinuous Integration and Quality Development
Continuous Integration and Quality Development
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
 
Securing your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy piecesSecuring your WordPress site in 5 easy pieces
Securing your WordPress site in 5 easy pieces
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
 
IIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration VulnerabilityIIS Tilde Enumeration Vulnerability
IIS Tilde Enumeration Vulnerability
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
 
The moment my site got hacked
The moment my site got hackedThe moment my site got hacked
The moment my site got hacked
 
"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali"Introduction to Bug Hunting", Yasser Ali
"Introduction to Bug Hunting", Yasser Ali
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte Secure
 
Web Security Programming I I
Web Security Programming I IWeb Security Programming I I
Web Security Programming I I
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
 
WordPress security for everyone
WordPress security for everyoneWordPress security for everyone
WordPress security for everyone
 
Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?Should you be using WordPress as your web platform?
Should you be using WordPress as your web platform?
 
Ignite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricksIgnite - selfhosting WordPress - tips and tricks
Ignite - selfhosting WordPress - tips and tricks
 
Introduction to Mod security session April 2016
Introduction to Mod security session April 2016Introduction to Mod security session April 2016
Introduction to Mod security session April 2016
 
All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015All You Need is One - A ClickOnce Love Story - Secure360 2015
All You Need is One - A ClickOnce Love Story - Secure360 2015
 

Similar to WordPress Security Implementation Guideline - Presentation for OWASP Romania Infosec Conference 2014

WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkWilliam Earnhardt
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteReliqusConsulting
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014The Toolbox, Inc.
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Akash Mahajan
 
Improving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerImproving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerBrett Palmer
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程Duran Hsieh
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudAlert Logic
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...Amazon Web Services
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB DeploymentMongoDB
 
Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12gameaxt
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?Nathan Van Gheem
 
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress MultisiteWPMU DEV
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterEqual Experts
 
Cloud Security at Netflix
Cloud Security at NetflixCloud Security at Netflix
Cloud Security at NetflixJason Chan
 
Professional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security PluginsProfessional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security PluginsChris Burgess
 

Similar to WordPress Security Implementation Guideline - Presentation for OWASP Romania Infosec Conference 2014 (20)

WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your Website
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014
 
Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014Security in the cloud Workshop HSTC 2014
Security in the cloud Workshop HSTC 2014
 
Past, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps InfrastructurePast, Present and Future of DevOps Infrastructure
Past, Present and Future of DevOps Infrastructure
 
Improving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with DockerImproving WordPress Development and Deployments with Docker
Improving WordPress Development and Deployments with Docker
 
W982 05092004
W982 05092004W982 05092004
W982 05092004
 
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
DevSecOps 實踐與 GitHub 進階安全: 建立安全的開發流程
 
Shared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure CloudShared Security Responsibility for the Azure Cloud
Shared Security Responsibility for the Azure Cloud
 
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
AWS Summit 2013 | India - Extend your Datacenter in the Cloud and achieve Hig...
 
Securing Your MongoDB Deployment
Securing Your MongoDB DeploymentSecuring Your MongoDB Deployment
Securing Your MongoDB Deployment
 
Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12Microsoft Offical Course 20410C_12
Microsoft Offical Course 20410C_12
 
Do you lose sleep at night?
Do you lose sleep at night?Do you lose sleep at night?
Do you lose sleep at night?
 
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
 
Datacenter 2014: Trend Micro - Bill MCGee
Datacenter 2014: Trend Micro - Bill MCGeeDatacenter 2014: Trend Micro - Bill MCGee
Datacenter 2014: Trend Micro - Bill MCGee
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
Cloud Security at Netflix
Cloud Security at NetflixCloud Security at Netflix
Cloud Security at Netflix
 
Professional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security PluginsProfessional WordPress Security: Beyond Security Plugins
Professional WordPress Security: Beyond Security Plugins
 
Azure Web Apps Advanced Security
Azure Web Apps Advanced SecurityAzure Web Apps Advanced Security
Azure Web Apps Advanced Security
 

Recently uploaded

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 

Recently uploaded (20)

定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Git and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMGit and Github workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 

WordPress Security Implementation Guideline - Presentation for OWASP Romania Infosec Conference 2014

  • 1. WordPress Security Implementation Guideline Good practices and epic fails of WordPress implementations
  • 2. About Me • Information Security Consultant – Application Security – Secure SDLC Dan VASILE http://www.pentest.ro dan@pentest.ro @DanCVasile
  • 3. Why do I talk about WordPress? • I use WordPress • Previous talk @OWASP Ro InfoSec Conf 2013 • Working with 3rd parties on secure WordPress implementation • The project: WordPress Security Implementation Guideline
  • 4. Why do I talk about WordPress? WordPress Security Implementation Guideline
  • 5. Scope • Not just WordPress but Open Source adoption • Framework for secure implementation • Large scale integration
  • 6. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  • 7. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  • 8. General & Infrastructure Security General security
  • 9. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  • 10. General & Infrastructure Security Infrastructure security
  • 11. Scope • General security • Infrastructure security • WordPress security • Large-scale integration
  • 12. WordPress security WordPress Security Implementation Guideline 20 subjects 3 main components: • Core • Plugins • Themes Manual activities & plugin alternatives
  • 13. WordPress security Updates 3 main types of updates: • Core • Minor • Major WordPress > v3.7 – automatic updates for Minor
  • 14. WordPress security Updates Turn on auto-updates for Major/Core define( 'WP_AUTO_UPDATE_CORE', true ); For plugins and themes add a filter add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' );
  • 15. WordPress security Choose plugins carefully
  • 16. WordPress security Backup What? • Files • Core installation, plugins, themes, images & files • Database How? Manual vs Automatic
  • 17. WordPress security Backup horror story 1 The good • Daily backup, files & database, 365 days retention policy The bad • No geographical redundancy, no disaster recovery plan The ugly • HDD fail on main machine, faulty HDD on the backup machine • Missing data and database structure
  • 18. WordPress security Backup horror story 2 The good • Proper backup to the cloud The bad • Backup credentials stored in clear text The ugly • Attacker compromising site and deleting backups
  • 19. WordPress security User roles • Super Admin • Administrator • Editor • Author • Contributor • Subscriber
  • 20. WordPress security Restricting access Sensitive areas of the application must be protected from unauthorized access. .htaccess Order Deny,Allow Deny from all Allow from 127.0.0.1
  • 21. WordPress security Prevent brute-forcing • Add CAPTCHA • Blacklist attackers • Lock accounts Write a plugin that will lock an account for a predefined period of time after a number of failed attempts.
  • 22. WordPress security Add blank index.php This should be covered by Apache configuration, but it’s not always the case.
  • 23. WordPress security Missing blank index.php
  • 24. WordPress security Force encryption on data in transit There are cases where both port 80 and 443 are used. Sensitive operations must use SSL: define('FORCE_SSL_LOGIN', true); define('FORCE_SSL_ADMIN', true);
  • 25. Scope • General security • Infrastructure security • WordPress security • Large scale integration
  • 26. Large scale integration Large scale integration • Creating a standard image • LDAP integration & Single Sign On • Multisites • Unified management of multiple installations
  • 27. Large scale integration Creating a standard image • Blank image (no data) • All the updates • All the basic shared plugins and themes (&data?) Purpose: • Testing ground for new stuff • Create new instances, secure by default
  • 28. Large scale integration LDAP integration & Single Sign On • Integration with Active Directory • Single Sign On (SSO) Why? • Centralized user management • Use existing hierarchy
  • 29. Large scale integration Multisites • Built-in WordPress functionality • End users can create their own sites on demand Downside • Shared components (plugins)
  • 30. Large scale integration Unified management of multiple installations • Self-hosted and cloud solutions Why? • Centralized login and management • Push updates to all instances
  • 31. What’s next? Next steps • Contribute to the project Wordpress Security Implementation Guideline • Share the knowledge • Write secure code for WordPress • Help others
  • 32. Q&A