WordPress
Security 101
By Shady Sharaf
Senior Engineer at Human Made Global, a WordPress VIP
Partner. WordPress Core Contributor, and Arabic Polyglot
team member.
@shadyvb - linkedin.com/in/shadyvb - github.com/shadyvb
Agenda - What are the pillars of InfoSec systems
- What are the concerns of site security ?
- How can my site be hacked ?
- How can I secure my site ?
- How to know when my site is hacked ?
- What to do when my site is hacked ?
- What to do before my site is hacked ?
Information Security ( InfoSec ) pillars
Infosec programs are built around the following core objectives:
maintaining the confidentiality, integrity and availability of IT
systems and business data.
These objectives ensure that sensitive information is only disclosed to
authorized parties (confidentiality), prevent unauthorized
modification of data (integrity) and guarantee the data can be
accessed by authorized parties when requested (availability).
Site security revolves around four main stages:
- Prevention
- Detection
- Auditing
- Recovery
Information Security ( InfoSec ) preps
a. Prevention
How can my site be hacked ?
- Leaked credentials, Brute-forcing
- XSS / Cross Site Scripting, Phishing attacks
- Security vulnerabilities in code
- In 3rd party code
- or yours!
- Security vulnerabilities in servers
How can I secure my site against ..
Leaked access and Brute-force
- Enforce HTTPS. ( It's free now, you know! )
- Enforce strong passwords
- Use 2FA ( you should use it everywhere, i.e. Facebook, Google, etc.. )
- Use (re)captcha for login
- Change the default admin user
- Limit login attempts
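The last bullet, "Limit login attempts", is the one on this slide that plugin code can implement directly. The must-use plugin below is an added example written for this page, not a published plugin: after five failed logins for the same username from the same client address it refuses that pair for fifteen minutes, using WordPress transients as the counter store. The prefix `slt_`, the thresholds, and the assumption that the site is not behind a reverse proxy (so `REMOTE_ADDR` is the real client) are all choices made here.

```php
<?php
/**
 * Plugin Name: Simple Login Throttle (added example for this page)
 *
 * Drop into wp-content/mu-plugins/. Locks a username + client-IP pair out
 * for SLT_LOCKOUT_SECONDS once SLT_MAX_ATTEMPTS logins have failed.
 * Thresholds are assumptions; tune them to your site.
 */
define( 'SLT_MAX_ATTEMPTS', 5 );
define( 'SLT_LOCKOUT_SECONDS', 900 ); // 15 minutes

/** Transient key for this IP + username pair, hashed to keep it short. */
function slt_key( $username ) {
    // Assumption: no reverse proxy in front of PHP. Behind one, read the
    // client address from the header your proxy sets instead of REMOTE_ADDR,
    // otherwise every visitor shares the proxy's address and one counter.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'slt_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

/** Count a failed attempt. Once locked, keep the original expiry so that
 *  further attempts cannot extend the lockout indefinitely. */
function slt_record_failure( $username ) {
    $key      = slt_key( $username );
    $attempts = (int) get_transient( $key );
    if ( $attempts >= SLT_MAX_ATTEMPTS ) {
        return;
    }
    set_transient( $key, $attempts + 1, SLT_LOCKOUT_SECONDS );
}
add_action( 'wp_login_failed', 'slt_record_failure' );

/** Refuse authentication while the pair is locked out. Priority 30 runs
 *  after core's username/password check (priority 20), so a correct
 *  password during the lockout is still rejected. */
function slt_check_lockout( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    if ( (int) get_transient( slt_key( $username ) ) >= SLT_MAX_ATTEMPTS ) {
        return new WP_Error(
            'slt_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'slt_check_lockout', 30, 3 );

/** A successful login clears the counter for that pair. */
function slt_clear_counter( $user_login, $user ) {
    delete_transient( slt_key( $user_login ) );
}
add_action( 'wp_login', 'slt_clear_counter', 10, 2 );
```

Keying on IP and username together means one attacker cannot lock a legitimate user out from a different address, while a single address hammering many usernames still gets each pair throttled. The transient store is the options table (or the object cache when one is configured), so the counter is shared across PHP workers without any extra infrastructure.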
How can I secure my site against ..
XSS, and Phishing attacks
- Use Akismet to prevent spam comments
- Properly sanitize ALL user input EVERYWHERE from EVERYONE
- Properly escape ALL user-generated output, in case the above didn't work
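The two rules above, sanitize on the way in and escape on the way out, look like this in WordPress code. The plugin below is an added example written for this page, not the deck's own code: a small guestbook shortcode that stores visitor entries and prints them back. The unsafe function at the top is the pattern the slide warns against and is never hooked; the `egd_` prefix, option name and form field names are choices made here. It assumes a normal WordPress install.

```php
<?php
/**
 * Plugin Name: Escaping Demo (added example for this page)
 *
 * Sanitize every input by its type; escape every output for the context
 * it lands in (text node, attribute, URL). Not a published plugin.
 */

// UNSAFE (for contrast only, never hooked): request data printed raw
// becomes HTML and script in every visitor's browser.
function egd_unsafe_render() {
    return '<p>Hello ' . $_GET['name'] . '</p>';
}

/** Handle the form: verify the nonce, then sanitize each field by type. */
function egd_handle_submit() {
    if ( ! isset( $_POST['egd_submit'] ) ) {
        return;
    }
    // The nonce ties the request to the visitor's own session (blocks CSRF).
    if ( ! isset( $_POST['egd_nonce'] ) || ! wp_verify_nonce( $_POST['egd_nonce'], 'egd_submit' ) ) {
        return;
    }
    $entry = array(
        // wp_unslash first: WordPress adds magic-quote style slashes to $_POST.
        'name'    => sanitize_text_field( wp_unslash( $_POST['egd_name'] ?? '' ) ),
        // Only http/https URLs survive; javascript: and data: are dropped.
        'site'    => esc_url_raw( wp_unslash( $_POST['egd_site'] ?? '' ), array( 'http', 'https' ) ),
        'message' => sanitize_textarea_field( wp_unslash( $_POST['egd_message'] ?? '' ) ),
    );
    if ( '' === $entry['name'] || '' === $entry['message'] ) {
        return;
    }
    $entries   = get_option( 'egd_entries', array() );
    $entries[] = $entry;
    update_option( 'egd_entries', array_slice( $entries, -50 ) ); // keep the last 50
}
add_action( 'init', 'egd_handle_submit' );

/** Render: stored data is escaped again at output, even though it was
 *  sanitized on input ("in case the above didn't work"). */
function egd_render_shortcode() {
    $out  = '<form method="post">';
    $out .= wp_nonce_field( 'egd_submit', 'egd_nonce', true, false );
    $out .= '<p><input name="egd_name" placeholder="Name" required></p>';
    $out .= '<p><input name="egd_site" placeholder="https://example.com"></p>';
    $out .= '<p><textarea name="egd_message" required></textarea></p>';
    $out .= '<p><button name="egd_submit" value="1">Sign</button></p></form>';

    foreach ( get_option( 'egd_entries', array() ) as $entry ) {
        $name = esc_html( $entry['name'] );                 // text node
        if ( '' !== $entry['site'] ) {
            $name = '<a href="' . esc_url( $entry['site'] ) // href attribute
                  . '" rel="nofollow">' . $name . '</a>';
        }
        $out .= '<blockquote>' . esc_html( $entry['message'] )
              . '<footer>' . $name . '</footer></blockquote>';
    }
    return $out;
}
add_shortcode( 'guestbook', 'egd_render_shortcode' );
```

Put `[guestbook]` on a page to use it. The point to take from the render function is that the escaping function is chosen by where the value lands, not by where it came from: `esc_html()` for text between tags, `esc_attr()` for attribute values, `esc_url()` for `href`/`src`.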
How can I secure my site against ..
Security vulnerabilities /Code
- Update WordPress!
- Minimize the number of plugins you use
- Update those plugins!
- Subscribe to WP Security mailing lists
- WPScan @ https://wpvulndb.com/
- WordFence @ https://www.wordfence.com/
- Scan your site using WPScan / Sucuri Security
- Install a security plugin
- WordFence
- Sucuri Security
- iThemes Security
- Check plugin reviews, and their Tide score (soon)
- UPDATE ALL THE THINGS!
How can I secure my site against ..
Security vulnerabilities /Code
- Learn about WordPress Coding Standards
- Integrate PHP CodeSniffer ( and WPCS ) in your code editor
- Write proper unit-tests
- Use version control, Git
- Use pre-commit scripts / Continuous Integration to notify you of WPCS violations and to
run unit-tests automatically on each commit
- Hack yourself first! Develop with the mindset of a hacker.
- UPDATE ALL THE THINGS!
- And yeah, salt up your config!
How can I secure my site against ..
Security vulnerabilities /Server
- Disable filesystem changes by WordPress
- Stay away from shared servers!
- Use WordPress managed hosting, or set up your own VPS
- Hack yourself first! Scan your server using online tools.
- Use SSH / SCP in place of FTP.
- Disable SSH root login, create a user with minimum control for frequent tasks.
- Disable password login, use private keys instead.
- ..
- UPDATE ALL THE THINGS!
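"Salt up your config" from the previous slide and "Disable filesystem changes by WordPress" (and "Enforce HTTPS" earlier) are all wp-config.php settings. The excerpt below is an added example for this page, not a file from the deck or from WordPress itself; the placeholder salt strings must be replaced with output from the URL named in the comment, and the constant names are WordPress's own.

```php
<?php
// wp-config.php excerpt (added example). Only the security-related
// constants are shown; database settings etc. are unchanged.

// 1. Unique keys and salts. Paste the block generated at
//    https://api.wordpress.org/secret-key/1.1/salt/ in place of these
//    placeholders. Rotating them invalidates every existing login cookie,
//    which is exactly what you want during recovery after a compromise.
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );

// 2. Disable filesystem changes by WordPress: no plugin or theme installs,
//    no updates from the dashboard, no in-dashboard file editor. A hijacked
//    administrator session can then no longer write PHP to disk through
//    the admin UI. Code and updates must then ship through your deploy
//    pipeline (Git / CI, as the previous slide recommends).
define( 'DISALLOW_FILE_MODS', true );
define( 'DISALLOW_FILE_EDIT', true );  // covered by the line above; explicit for clarity

// 3. Enforce HTTPS for the dashboard and for the login cookies.
define( 'FORCE_SSL_ADMIN', true );
```

Because `DISALLOW_FILE_MODS` also stops the dashboard from applying updates, pair it with a deployment step that keeps core and plugins current; "UPDATE ALL THE THINGS!" still applies, it just has to happen from your pipeline instead of the admin screen.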
b/c. Detection and Auditing
How do I know when my site is hacked ?
- Integrity checks
- Audit Logs
- Uptime monitoring
- User feedback
Integrity checks
- Use security plugins to perform periodic integrity checks for file modifications
- iThemes Security
- Sucuri Security
- They email you once they detect that any of the site files have changed unexpectedly.
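What those plugins do under the hood is compare a hash of every file against a stored baseline. The script below is an added example written for this page, not code from iThemes Security or Sucuri: run once it writes a baseline manifest, on later runs it reports files that were added, modified or removed and exits non-zero so a cron job can mail the output. The skipped directory names and the manifest format are choices made here.

```php
<?php
/**
 * integrity-check.php (added example for this page)
 *
 * Usage: php integrity-check.php /var/www/html /root/wp-manifest.json
 * Keep the manifest outside the web root so an intruder cannot
 * rewrite it to match the modified files.
 */

/** Map of relative path => sha256 for every file under $root. */
function ic_hash_tree( string $root, array $skip_dirs ): array {
    $root = realpath( $root );
    if ( false === $root ) {
        throw new RuntimeException( "No such directory: $root" );
    }
    $root  = rtrim( $root, '/' );
    $files = array();
    $it    = new RecursiveIteratorIterator(
        new RecursiveCallbackFilterIterator(
            new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
            function ( SplFileInfo $f ) use ( $skip_dirs ) {
                // Prune whole directories whose contents change legitimately.
                return ! ( $f->isDir() && in_array( $f->getFilename(), $skip_dirs, true ) );
            }
        )
    );
    foreach ( $it as $f ) {
        if ( $f->isFile() ) {
            $rel           = substr( $f->getPathname(), strlen( $root ) + 1 );
            $files[ $rel ] = hash_file( 'sha256', $f->getPathname() );
        }
    }
    ksort( $files );
    return $files;
}

/** Compare baseline and current manifests. */
function ic_diff( array $old, array $new ): array {
    $diff = array( 'added' => array(), 'modified' => array(), 'removed' => array() );
    foreach ( $new as $path => $hash ) {
        if ( ! isset( $old[ $path ] ) ) {
            $diff['added'][] = $path;
        } elseif ( $old[ $path ] !== $hash ) {
            $diff['modified'][] = $path;
        }
    }
    foreach ( array_keys( array_diff_key( $old, $new ) ) as $path ) {
        $diff['removed'][] = $path;
    }
    return $diff;
}

if ( PHP_SAPI === 'cli' && isset( $argv[2] ) ) {
    list( $root, $manifest ) = array( $argv[1], $argv[2] );
    // 'uploads' and 'cache' change all the time; '.git' is deploy metadata.
    $current = ic_hash_tree( $root, array( 'uploads', 'cache', '.git' ) );

    if ( ! file_exists( $manifest ) ) {
        file_put_contents( $manifest, json_encode( $current, JSON_PRETTY_PRINT ) );
        echo "Baseline written to $manifest (" . count( $current ) . " files)\n";
        exit( 0 );
    }

    $diff    = ic_diff( json_decode( file_get_contents( $manifest ), true ), $current );
    $changed = 0;
    foreach ( $diff as $kind => $paths ) {
        foreach ( $paths as $p ) {
            echo strtoupper( $kind ) . "\t$p\n";
            $changed++;
        }
    }
    echo $changed ? "$changed change(s) since baseline\n" : "OK: no changes\n";
    exit( $changed ? 1 : 0 );
}
```

Refresh the baseline deliberately after every update you made yourself (delete the manifest and run again), otherwise the next report drowns the one change you did not make in hundreds you did. The uploads directory is excluded here because it changes legitimately; a separate, narrower check for any `.php` file appearing under it is worth its own cron entry.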
Audit Logs
- Use auditing plugins to store and keep track of actions around your site
- Stream
- Audit Trail
- They keep track of different actions, like:
- Content updates ( posts, terms, etc )
- User login, creation, deletion
- Some have the ability to notify you via email when a specific action happens.
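The events listed above map directly onto WordPress action hooks. The must-use plugin below is an added example for this page, not Stream or Audit Trail: it writes one JSON line per event (logins, failed logins, user creation, deletion and role changes, content updates, plugin activation) to a file outside the web root, and emails the site administrator when someone is given the administrator role. The `mal_` prefix and the log path are assumptions; the directory must exist and be writable by the PHP user.

```php
<?php
/**
 * Plugin Name: Minimal Audit Log (added example for this page)
 *
 * Drop into wp-content/mu-plugins/. Appends newline-delimited JSON to a
 * file outside the web root, so an intruder with only web access cannot
 * serve or easily tamper with it. Path is an assumption; adjust it.
 */
define( 'MAL_LOG_FILE', '/var/log/wordpress/audit.log' );

/** Write one event record. Every record carries time, actor and client IP. */
function mal_log( string $event, array $data = array() ) {
    $record = array(
        'time'  => gmdate( 'c' ),
        'event' => $event,
        'actor' => get_current_user_id(),            // 0 when not logged in
        'ip'    => $_SERVER['REMOTE_ADDR'] ?? 'cli', // see proxy caveat elsewhere
    ) + $data;
    file_put_contents( MAL_LOG_FILE, wp_json_encode( $record ) . "\n", FILE_APPEND | LOCK_EX );
}

// User login, creation, deletion
add_action( 'wp_login', function ( $login, $user ) {
    mal_log( 'login', array( 'user' => $login, 'user_id' => $user->ID ) );
}, 10, 2 );
add_action( 'wp_login_failed', function ( $login ) {
    mal_log( 'login_failed', array( 'user' => $login ) );
} );
add_action( 'user_register', function ( $user_id ) {
    $u = get_userdata( $user_id );
    mal_log( 'user_created', array( 'user_id' => $user_id, 'roles' => $u ? $u->roles : array() ) );
} );
add_action( 'deleted_user', function ( $user_id ) {
    mal_log( 'user_deleted', array( 'user_id' => $user_id ) );
} );
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    mal_log( 'role_changed', array( 'user_id' => $user_id, 'role' => $role, 'old_roles' => $old_roles ) );
    // Notify on the change that matters most: a new administrator.
    if ( 'administrator' === $role ) {
        wp_mail(
            get_option( 'admin_email' ),
            'New administrator on ' . home_url(),
            "User #$user_id was given the administrator role by user #" . get_current_user_id() . '.'
        );
    }
}, 10, 3 );

// Content updates
add_action( 'save_post', function ( $post_id, $post, $update ) {
    if ( wp_is_post_revision( $post_id ) || 'auto-draft' === $post->post_status ) {
        return;
    }
    mal_log( $update ? 'post_updated' : 'post_created', array(
        'post_id' => $post_id,
        'type'    => $post->post_type,
        'status'  => $post->post_status,
    ) );
}, 10, 3 );

// Plugin activation is a common step in a takeover; worth a line of its own.
add_action( 'activated_plugin', function ( $plugin ) {
    mal_log( 'plugin_activated', array( 'plugin' => $plugin ) );
} );
```

Newline-delimited JSON is deliberate: it greps cleanly during the recovery steps later in this deck and ships unchanged into any log collector. Rotate the file with logrotate like any other log, and keep the rotated copies with your backups so an incident can be reconstructed after the fact.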
Uptime monitoring
- Use online services to notify you when your site is down
- Check if your host has a way to notify you when your site/server is down
User feedback
- Users are your friends, keep a feedback channel open to report any unexpected behavior.
- Register your site in Google Webmasters to receive critical updates on the state of your
site and possible important updates that you need to do.
- Ask Google if your site is hacked
http://www.google.com/safebrowsing/diagnostic?site=your domain name
d. Recovery
What do I do when my site is hacked ?
- BACKUP all files and databases, or snapshot your server. For later auditing.
- Scan your site using online services, while it is still infected
- Restore files and database from the nearest backup, or your last server snapshot
- Review any plugins you recently installed, disable those you don't require
- Reset all access, SSH, cPanel, FTP, MySQL, WordPress Users, etc.
- Monitor your audit logger for any suspicious behavior
- Once that's all done, start digging into what happened: bring up another isolated instance
of your site/server, go through the audit logs from WordPress and the access/error logs of
PHP and Nginx/Apache/etc., and compare files to the nearest backup you have. Or just
hire a security consultant to do that for you!
What to do before my site is hacked ?
- BACKUP everything
- BACKUP periodically
- BACKUP automatically
- .. refer to Prevention
Further reading
- Hardening WordPress
https://codex.wordpress.org/Hardening_WordPress
- WordPress Security whitepaper from Sucuri
https://sucuri.net/guides/wordpress-security
- WordPress: What to do when my site is hacked
https://codex.wordpress.org/FAQ_My_site_was_hacked
Questions ?
