WordPress Security Best Practices 2019 Update

zeropointdevelopment.com for WordPress Sydney
WordPress
Security
Best Practices
2019 Update

• Use complex usernames & passwords
• Check file permissions have minimum access
• Update software often & regularly
• Use security firewalls & scan regularly
• Consider using 2-factor authentication
• Stick to reputable theme providers
• Uninstall unused code/themes/plugins
• Lock all doors, windows & switch off Internet!
@DeveloperWil #wpsyd
TL;DR

• Chinese General
• Military Strategist
• Philosopher
• Born ~512BC
Book: The Art of War
http://www.classicly.com/read-the-art-of-war-online-free/page/1
Introducing Sun Tzu

“Victorious warriors win first and then
go to war, while defeated warriors go to
war first and then seek to win.”
Don’t wait until your site gets hacked
first. Lock it down today and get
ready to defend it!
Sun Tzu Says…

“To know your Enemy, you
must become your Enemy”
Learn how hackers try to get into your
site so you can pre-emptively fix it
and be ready for what is to come.
Sun Tzu Says…

“Even the finest sword plunged into
salt water will eventually rust.”
Just because your site is secure today,
doesn’t mean it can’t get hacked
tomorrow, next month or next year.
Review & update regularly.
Sun Tzu Says…

YOU ARE AT WAR
WITH MULTIPLE
UNKNOWN
ENEMIES

There is always a current threat
The worst type of threats are those you
don’t know about
You need to understand your weaknesses
You need to build a solid defence
You need to have a plan of attack
SO BE PREPARED
Security Is Cyclic

Locked in a deep dark basement
No internet connection
No user interaction
Switched off!
= Pretty useless website
= There is a balance to be had
Ultimate Secure Site

Everything is Hackable
Best we can do is make our site
less attractive than others to hack
into.
Would you attempt to break into
this car?
https://www.youtube.com/watch?v=aLhWzMOccTg
Before We Start

The most vulnerable part of your
website is…
YOU
Buy this book!
Before We Start

Do not leave new WordPress sites in “setup
mode”. Complete the entire setup process.
Hackers can find WordPress setup pages and
install their own site – aka “WPSetup Attack”
Ref: https://www.wordfence.com/blog/2017/07/wpsetup-attack/
New WP Installations
Fundamentals

Beware when ordering a new SSL certificate
for a brand new WordPress website.
Hackers monitor SSL certificate transparency
report +30mins after new certificate being
issued.
They can take over your new site before you
complete the installation process.
Ref: https://www.wordfence.com/blog/2017/07/hackers-find-wordpress-within-30-mins/
New Sites & SSLs
Fundamentals

Not just WordPress
cPanel, email, FTP, SSH, MySQL, WordPress
Avoid typical “Administrator” usernames
admin, administrator, root, manager, debug, user,
system, default, netman, superuser, guest, backup,
sys, sysadmin, siteadmin, test, …
Usernames & Passwords
Fundamentals

Don’t replace letters with numbers or symbols.
Simple character substitution is weak.
butterfly → 8utt3rfly
This no longer works and takes
just a few days to crack!
Ref: https://pages.nist.gov/800-63-3/sp800-63b.html
Fundamentals

Avoid personal / social information
• Name and memorable bates: DoB, Marriage
• Fav footie club name, car rego, house
number
Examples of Bad Passwords
Bob1976 Swans2017 !2Nancy
The Password Paradox And Why Our
Personalities Will Get Us Hacked
Fundamentals

1) Use a random 16 (at least) character password
UPPER, lower, d1g1ts, punctuat!on
b9G#Z4YVemTN^X6S
2) Use 4 random words stringed together:
correct horse battery staple
correcthorsebatterystaple
Fundamentals

Random character & multi-word passwords
= difficult for you to remember 
= difficult for hackers to guess ☺
Try to avoid reusing the same password on
multiple sites.
Read The Real Life Risks Of Re Using The Same
Passwords
Fundamentals

Use a password service such as LastPass
Local 256-bit encryption, SSL data
transfer, 2-factor authentication
Free 14-day Last Pass Trial
Fundamentals

Consider forcing users to have a strong
password
Force Strong Passwords plugin.
http://wordpress.org/plugins/force-strong-
passwords/
Gives more flexibility than built-in WordPress
Fundamentals

Only allow one login per device.
Restrict logins under same username on
multiple devices (i.e. username/pass sharing)
WordPress Bouncer plugin
http://wordpress.org/plugins/wp-bouncer/
Fundamentals

Change the default WordPress salt keys in wp-
config.php
WordPress uses cookies to store session
information. These are hashed with MD5 +
salt keys in the wp-config.php file
https://api.wordpress.org/secret-key/1.1/salt/
Session Safety: Salk Keys
Fundamentals

Restrict the number of users with the
Administrator role.
You do need at least 1 Admin user to
administer the site – do you need any more
than that?
Editor role is sufficient for somebody to manage
90% of all the site’s day-to-day content.
Admin & Editor Users
Fundamentals

Understanding Linux file permissions is key
Linux File Permissions
Files & Perms

Each file and directory has three user based
permission groups:
• u – the user who owns the file or directory (owner)
• g - the group to which the user belongs
• o - all other users on the system (not owner or
user’s group), this is the permission group that you
want to watch the most.
Permission Groups
Files & Perms

Each file or directory has three basic
permission types:
• r - a user's capability to read the contents of the file
• w - a user's capability to write or modify a file or
directory
• x - a user's capability to execute (run) a file or view
the contents of a directory.
Permission Types
Files & Perms

In general…
WordPress folders/directories = 755
WordPress files = 644
Some hosting companies may insist you set
/wp-content/uploads to 777
Move to another hosting company!
Files, Folders & Permissions
Files & Perms

Probably your three most important sys files are:
.htaccess (Apache Web Server)
= permalinks, redirects, error files, directory pswds, etc
This should be locked down to CHMOD 444
php.ini
= PHP version, extensions, remote opens, file uploads, etc
wp-config.php
= WordPress DB username & password, Salts
These should be locked down to CHMOD 440
Config Files & Permissions
Files & Perms

Malware can be hidden in Themes, Plugins &
other server scripts
Sucuri detects and cleans malware on servers
De-blacklists your server/site
Notify by SMS, Email, Private Twitter etc
http://sucuri.net/ USD $199.99 per site per
year
Malware Clean Server
Files & Perms

Update WordPress Core, Themes and Plugins
regularly = at least weekly
ManageWP service good for multiple sites
https://managewp.com
Update Regularly
WordPress

Automatic Updates are in WordPress core for
point releases only by default.
For more control, in wp-config.php
define( 'WP_AUTO_UPDATE_CORE', true );
• true - Development, minor, and major updates are all
enabled
• false - Development, minor, and major updates are all
disabled
• 'minor’ - Minor updates are enabled, development, and
major updates are disabled
Update Regularly
WordPress

In your theme’s functions.php
add_filter( 'auto_update_plugin', '__return_true’ );
add_filter( 'auto_update_theme', '__return_true’ );
For specific plugin & theme updates see:
https://codex.wordpress.org/Configuring_Automatic_Background_Updates
Update Plugins & Themes
WordPress

Especially “free” themes and torrents
– Likely to contain spam links & malware
– Malware can read your wp-config.php file and
email it to the hacker = you’re screwed
– Don’t use themes or plugins from torrent sites!
– Always try to download from original source
Read: http://premium.wpmudev.org/blog/free-wordpress-
themes-ultimate-guide/
Beware “Free” Premium Downloads

Search through files for:
Base64_decode edoced_46esaB and eval
Decode at: http://www.base64decode.org/
Use Theme Authenticity Checker
http://wordpress.org/plugins/tac/
Exploit Scanner
http://wordpress.org/plugins/exploit-scanner/
Beware “Free” Premium Downloads

Not all Base64_decode function calls are evil!
WordPress uses the function extensively
throughout the core.
Should be easy to decode and work out if good
or bad in plugins or themes.
What is Base64?

In general
• Not being maintained
• No security issues being fixed
• Uses outdated/flawed functions/practices
• Known exploit vectors available on Interwebs
Avoid Old Plugins
WordPress

Popular image/thumbnail resizing script
Bundled in many older themes and plugins
Responsible for many many WordPress
security breaches
“The ability for a site visitor to load content from a
remote website and to make the web server write that
remote content to a web accessible directory is the cause
of the vulnerability in timthumb.php.”
Ref: http://markmaunder.com/2011/08/02/technical-details-and-scripts-of-the-wordpress-timthumb-php-hack/
Beware of TimThumb
WordPress

Script was “fixed” of exploits however old
versions still lurk out there.
Search for TimThumb and check you are using
the “fixed” version 2.8.14
https://code.google.com/p/timthumb/
Beware of TimThumb
WordPress

The nature of TimThumb still makes it
potentially very dangerous to have on your
site.
TimThumb is no longer supported or
maintained as of Sept 2014
http://www.binarymoon.co.uk/2014/09/timthumb-end-life/
Read this:
https://zeropointdevelopment.com/timthumb-is-evil/
Beware of TimThumb
WordPress

Won’t make your site “secure” from hacks
Will encrypt the data transmitted between
computer and server
More on SSL certificates at
https://letsencrypt.org/docs/faq/
SSL Certificates

If you have an SSL certificate..
Force all Dashboard and Logins to use HTTPS
In wp-config.php
define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true);
HTTPS Dashboard
WordPress

Gives additional level of security.
WordFence plugin is recommended:
http://www.wordfence.com/
Scans for…
malware, TimThumb, differences in core/plugin/theme files from
repository, new available updates, login limiter, force strong
passwords, trojans, SQL injection, DNS changes, files outside
WordPress folder, hide login errors, prevent creating ‘admin’
user, country blocking*, cell phone sign-in*, advanced scheduled
scans*, Cryptocurrency miners
*premium functions
Software Firewalls
WordPress

New breed of malware (ref: The rise of cryptocurrency miners as
malware).
JS cryptocurrency miner (mostly Coinhive).
Runs in browser when visitor opens infected
page.
Uses 100% of your computer’s CPU power.
Grey area between legit use & as malware:
• Some firewall & malware scanners look past
mining code
• Wordfence detects known miner scripts
Cryptocurrency Miners
New Threat

Brute force attacks try to repeatedly guess
username & password.
Block IP address after X number of
unsuccessful login attempts within a time
period.
Limit Login Attempts Reloaded plugin
https://wordpress.org/plugins/limit-login-attempts-reloaded/
Prevent Login Attempts
WordPress

Don’t give the hackers a
helping hand
Remove that info!
Add this to functions.php
add_filter(‘login_errors', '__return_null');
Don’t Show Login Errors
WordPress

There is NO EXCUSE not to back up your
entire site frequently (real-time, hourly, daily,
weekly).
Back up to email https://wordpress.org/plugins/updraftplus/
Back up to Dropbox http://wordpress.org/plugins/wordpress-backup-to-dropbox/
Back up to Amazon S3 http://wordpress.org/plugins/xcloner-backup-and-restore/
Backup Buddy https://ithemes.com/purchase/backupbuddy/
VaultPress http://vaultpress.com/
Set your retention frequency.
Can you restore from an issue that’s been happening for 2
months?
Check your backup files – do a test restore!
Back Your Site Up
WordPress

Security for the Paranoid

Using another device to generate an
authentication code e.g. Mobile phone app
WP Login Details + Authenticator Code = 2FA
Google Authenticator
Two Factor/Two Step Authentication

WordPress stores user passwords in the database as
salted MD5 hashes using Portable PHP password
hashing framework
e.g. $P$BdJlqDtx7PsXLuUAUcuiRRd9NebMKP.
Passwords themselves are not stored in the DB
Password can be replaced in DB with MD5 hash.
After login it’s replaced by a salted MD5 hash.
PASSWORD TYPE
PASSWORD HASH
WordPress Password Storage

MD5 hash designed for high volume, not security.
“collision resistance” ~264 MD5 has been broken
but not resistance to preimages or second-
preimages.
MD5 + salts still poor choice as it’s designed to be
fast. Modern GPUs generate billions of candidate
passwords per second i.e. brute force
Ref: https://en.wikipedia.org/wiki/MD5
Ref: https://en.wikipedia.org/wiki/Collision_attack
Ref: http://security.stackexchange.com/questions/15790/why-do-people-still-use-recommend-md5-if-it-is-cracked-since-
1996
Is MD5 Insecure?

Bcrypt is an adaptive hashing algorithm.
Bcrypt intentionally takes a relatively long time
to be calculated; over time, the iteration count
can be increased to make it even slower.
This is done intentionally to resist brute force
attacks as computational power increases.
Ref: https://en.wikipedia.org/wiki/Bcrypt
Bcrypt Alternative

Plugin: https://roots.io/plugins/bcrypt-
password/
Note: requires PHP >= 5.5.0
Bcrypt Plugin

Is two factor authentication
not enough for you?
Biometric authentication uses part of our own
body as the second verification part.
This is going to be the normal way of
authenticating with systems in the not-so-
distant future.
Biometric Authentication

Fingerprint via mobile phone
https://wordpress.org/plugins/rapid-secure-login/
Fingerprint and facial recognition via mobile phone
https://wordpress.org/plugins/launchkey/
Biometric Authentication

Move the wp-content folder to a new location.
Add the following into wp-config.php before
the line: /* That's all, stop editing! Happy blogging. */
define ('WP_CONTENT_DIR','/full/path/to/your/content/dir');
define ('WP_CONTENT_URL','http://example.com/full/path/to/your/content/dirs/url');
Warning: badly developed plugins & themes
may have hard-coded wp-content location.
Move wp-content Folder

Use .htaccess to protect your wp-config.php
file
<files wp-config.php>
order allow,deny
deny from all
</files>
Nobody can access the wp-config.php file now
except for the web server owner.
Protect wp-config.php

Use .htaccess to stop SQL injection attacks on
form fields and URLs.
Options +FollowSymLinks
RewriteEngine On
RewriteCond %{QUERY_STRING} (<|%3C).*script.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|[|%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|[|%[0-9A-Z]{0,2})
RewriteRule ^(.*)$ index.php [F,L]
Any requests or changes to global variables
containing <script> gets blocked.
SQL Injection Protection

Many hosts allow directories to be browsed.
Use .htaccess to stop directory browsing
Options –Indexes
Prevent Directory Browsing

Password protect wp-admin folder using
cPanel and .htaccess + .htpasswd
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-
wordpress-admin-wp-admin-directory/
Secure wp-admin Folder

Open the .htaccess file located in your /wp-
admin/ folder (NOT the main .htaccess in root).
In the wp-admin .htaccess file, paste the
following code:
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Allow Admin Ajax

Remove the WordPress dashboard Editor
for themes and plugins
Add to wp-config.php
define('DISALLOW_FILE_EDIT', true);
Disable User File Editor

Default MySQL DB table prefix is wp_
Change before installing new WordPress
sites.
Add to wp-config.php
$table_prefix = ‘mynewprefix_';
Existing websites – use WP Prefix Changer
https://wordpress.org/plugins/wp-prefix-changer/
Change Default Table Prefix

Does nothing to enhance security.
Once an attacker has access to your DB they
can easily find the table prefix.
SELECT DISTINCT SUBSTRING(`TABLE_NAME`
FROM 1 FOR ( LENGTH(`TABLE_NAME`)-8 ) )
FROM information_schema.TABLES
WHERE `TABLE_NAME` LIKE '%postmeta';
Output: wp_
Ref: Changing WordPress' default table prefix does nothing to enhance
security
Change Default Table Prefix

Monitor who does what on your WordPress
site.
Stream: http://wp-stream.com/
Be “Big Brother”

Using .htaccess
RewriteRule ^login$ http://www.mywebsite.com/wp-login.php [NC,L]
Now login to your site using:
http://www.mywebsite.com/login
Change wp-login.php

Add to wp-config.php:
define('WP_ADMIN_DIR', 'secret-folder');
define( 'ADMIN_COOKIE_PATH', SITECOOKIEPATH . WP_ADMIN_DIR);
Add to functions.php:
add_filter(‘site_url’, ‘zpd_wpadmin_filter', 10, 3);
function zpd_wpadmin_filter( $url, $path, $orig_scheme ) {
$old = array( "/(wp-admin)/");
$admin_dir = WP_ADMIN_DIR;
$new = array($admin_dir);
return preg_replace( $old, $new, $url, 1);
}
Change /wp-admin/ - Step 1

Add to .htaccess:
RewriteRule ^secret-folder/(.*) wp-admin/$1?%{QUERY_STRING} [L]
Now login to your site using:
http://www.mysite.com/secret-folder/
Change /wp-admin/ - Step 2

Add to .htaccess
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
Replace 123.123.123.123 with your own computer’s
IP if you use the WordPress mobile app. Remove line
5 to completely block all XML-RCP requests to your
site.
Note: this will stop Jetpack, official WP mobile app,
trackbacks and pingbacks from working.
Disable XML-RPC

Known as DoS or DDoS (distributed).
Consider using Cloudflare.
Attack Without Cloudflare Attack With Cloudflare
Denial of Service Attacks

Stay up to date with these additional security
resources.
National Vulnerability Database (WordPress)
Wordfence Blog and Free Security Scan
Sucuri Blog
Hardening WordPress from wordpress.org
WPScan Vulnerability Database
Zero Point Development Blog
More Resources

Get my free eBook.
Yours to keep
forever.
Get My eBook
goo.gl/k5brQE
Free Ebook

Did I miss anything?
Tweet to @DeveloperWil
All Done!

[Cover] zeropointdevelopment.com
[3] jamesclear.com/sun-tzu-habits
[9] activerain.com
[10] mybroadband.co.za
[11] amazon.com
[18] lastpass.com
[23] zeropointdevelopment.com
[29] managewp.com
[33] wordpress.org
[35] wordpress.org
[39] promptwebhosting.com.au
[48] mobyware.ru
[52] roots.io
[53] ibmsystemsmag.com
[54] wordpress.org
[55] wordpress.org
[58] gobalakrishnan.com
[59] trickytechs.com/wpbeginner.com
[63] wp-stream.com
[69] cloudflare.com
[Back Cover] zeropointdevelopment.com
Note: This presentation may contain affiliate
links.
Image Credits

▪ WordPress 2008+
▪ Consultant & Developer
▪ Event Organiser
@DeveloperWil
Who Am I?
zeropointdevelopment.com
wp-wingman.com

WordPress Security Best Practices 2019 Update

Recomendados

Recomendados

Más contenido relacionado

La actualidad más candente

La actualidad más candente (20)

Similar a WordPress Security Best Practices 2019 Update

Similar a WordPress Security Best Practices 2019 Update (20)

Último

Último (20)

WordPress Security Best Practices 2019 Update