Slide for WordPress Meetup Tokyo #23, 23 May 2015.

1. 1 0 W O R D P R E S S S E C U R I T Y M E A S U R E S
Y O U C A N I M P L E M E N T T O D AY !
Wo rd P re s s M e e t u p To k y o # 2 3 — M a y 2 0 1 5
Toru Miki

2. A s s i s t a n t We b m a s t e r a t Te m p l e
U n i v e r s i t y, J a p a n C a m p u s
Wo rd P re s s e x p e r i e n c e : 9 y e a r s
h t t p s : / / p ro f i l e s . w o rd p re s s . o rg /
t o r u
To r u M i k i

3. # 1 S e c u re y o u r l o c a l e n v i ro n m e n t
• Use good internet security software
• Antivirus
• Firewall
• Antispam
• etc

4. # 2 S e c u re f i l e t r a n s f e r
• Use
• SSH
• FTPS
• SFTP
• Stop using
• FTP
• Does your hosting server only allows FTP?
• Move!
C o m m a n d - l i n e
C l i e n t s o f t w a re
• W i n S C P
• F i l e Z i l l a
• C y b e rd u c k
• Tr a n s m i t
…

5. # 3 U p d a t e , u p d a t e , u p d a t e !
• Core
• Minor updates (E.g. 4.1.x, 4.2.x, 4.3.x, etc) are security fixes
• Major updates (e.g. 3.x, 4.x, 5.x, etc) includes lots of bug fixes too
• Themes
• Plugins
• If you are a developer — libraries/scripts you have used
• E.g. TimThumb script
http://wptavern.com/wordpress-security-alert-new-zero-day-
vulnerability-discovered-in-timthumb-script

6. # 4 S t ro n g p a s s w o rd
• Stronger password =
• harder for others to guess
• harder for brute force attack to succeed
• At least 8 characters, include uppercase letter(s),
include special character(s), include number(s), and not
found in the dictionary
• E.g. K#5r!g3y

7. # 4 S t ro n g p a s s w o rd
English alphabet (uppercase not distinguished)
English alphabet (lower & upper) + number
English alphabet (lower & upper) + number + special character
Type of letters used Available number of letters
Max. time needed to decrypt
No. characters
Ref: IPA 独立行政法人 情報処理推進機構：コンピュータウイルス・不正アクセスの届出状況[2008年9月分および第3四半期]について
http://www.ipa.go.jp/security/txt/2008/10outline.html
3 sec.
2 min.
9 min. 54 days
5 days
37 min. 17 days
50 yrs.
32 yrs.
0.2m yrs.
1000 yrs. 10m yrs.

8. # 4 S t ro n g p a s s w o rd
• WordPress’ password strength meter
• Password manager softwares
• 1 Password - https://agilebits.com/onepassword
• LastPass - https://lastpass.com/

9. # 5 Tw o - s t e p a u t h e n t i c a t i o n
• = Two-factor authentication/verification
• 2nd layer of secure login
• Plugins (e.g.)
• Google Authenticator - https://wordpress.org/plugins/google-authenticator/
• Rublon - https://wordpress.org/plugins/rublon/
• Jetpack - https://wordpress.org/plugins/jetpack/
• Use “sign in using your WordPress.com account” feature, and utilize its “Two Step
Authentification” feature
• E.g. Using Google Two-Factor Authentication With WordPress - Tuts+ Code Tutorial
http://code.tutsplus.com/tutorials/using-google-two-factor-authentication-with-
wordpress--cms-22263

10. # 6 L i m i t a c c e s s t o / w p - a d m i n /
• Limit by password protection (e.g. BasicAuth)
• http://codex.wordpress.org/Brute_Force_Attacks#Password_Protect_wp-login.php
• create .htpassword
• edit .htaccess
• Limit by IP address
• http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-
admin_by_IP
• For both methods, watch out for plugin which uses admin-ajax.php
• http://codex.wordpress.org/Brute_Force_Attacks#Limit_Access_to_wp-
admin_by_IP

11. # 7 S e t t h e f i l e p e r m i s s i o n s r i g h t
• WordPress Codex’s recommendations are…
• All directories should be 755 or 750
find . -type d -print -exec chmod 755 {} ;
• No directories should ever given 777
• All files should be 644 or 640
find . -type f -print -exec chmod 644 {} ;
• Except, wp-config.php should be 440 or 400
chmod 644 wp-config.php;
Changing File Permissions « WordPress Codex
https://codex.wordpress.org/Changing_File_Permissions

12. # 8 D i s a b l e f i l e e d i t i n g
• By default, administrators can edit Theme and Plugin
files from the dashboard. This feature can be used by
an attacker to insert malicious code…
• To disable editing files in dashboard, add this to wp-
config.php
define('DISALLOW_FILE_EDIT', true);
• http://codex.wordpress.org/
Hardening_WordPress#Disable_File_Editing

13. # 1 0 G e t T h e m e s a n d P l u g i n s f ro m
t r u s t e d s o u rc e s , a n d d e l e t e i f n o t u s e d
• The official repository at WordPress.org
• Frequently updated, and still in continuous
development
• Delete any Themes and Plugins you are not using any
more

14. E x t r a — a n o t e o n “ a d m i n ” u s e r
• Username “admin” is often targeted by brute-force attack
• But even if you don’t use “admin”, attacker can find out the username
by http://example.com/?author=1
• So not using “admin” does not mean it is safe
• However, it is still a good practice because:
• We know “admin” is targeted, so it is better not use it than using it
• High number of login attempts uses so much of your server
resources, and can bring the server down

15. E x t r a — h i d e y o u r Wo rd P re s s v e r s i o n ?
• Hide you WordPress version, so the attacker won’t know which version you
are using — Not True
remove_action('wp_head', ‘wp_generator');
• There are other ways of attackers to find the version:
• http://example.com/readme.html
• Query string appended to style sheet and scripts, such as style.css?
ver=4.1.0
• And many more…
The WordPress Meta “generator” Tag Paranoia
http://codeseekah.com/2012/02/20/the-wordpress-meta-generator-tag-
paranoia/

16. E x t r a — s o m e p l u g i n s
• Wordfence Security
https://wordpress.org/plugins/wordfence/
• Login Security Solution
https://wordpress.org/plugins/login-security-solution/
• Crazy Bone
https://wordpress.org/plugins/crazy-bone/

17. E x t r a — s o m e l i n k s
• Hardening WordPress « WordPress Codex
http://codex.wordpress.org/Hardening_WordPress
• Brute Force Attacks « WordPress Codex
http://codex.wordpress.org/Brute_Force_Attacks
• WordPress Tavern
http://wptavern.com/
• Sucuri Blog | Website Security News
https://blog.sucuri.net/