Introduction to WordPress Security

Understanding
WordPress Security
Yes, WordPress is Secure
Shawn Hooper, Director of IT  
Actionable.co
Blog - shawnhooper.ca 
Twitter - @shawnhooper

Director of IT at Actionable. 
WordPress Developer.
WordPress Core Contributor & Plugin
Author
WordCamp Ottawa Lead Organizer
Spoken at WordPress events in Canada,
the United States and Australia
Web Developer Since mid-1990s
Hello!

What is WordPress?

What is WordPress?
WordPress is the world’s most popular
Content Management System (CMS)
It’s Open Source.

What is WordPress?
WordPress started out as a blogging platform.
It is now a Content Management System
and an Application Framework
with a full REST API.

What is WordPress?
WordPress (the software) should not be confused
with WordPress.com, a WordPress web hosting
service run by Automattic.
Automattic was founded by WordPress  
co-founder Matt Mullenweg.
The open source project can be found at
WordPress.org

What is WordPress?
WordPress is developed primarily in PHP
Although JavaScript is becoming a larger part of
the front-end codebase with every release.
It’s database is a MySQL relational database.

Extensibility
WordPress’ real power is in its extensibility. It’s API
allows for the development of third party themes
and plugins.
5,389 Themes
54,218 Plugins
* Only in the free repo. (Feb 2018)

Market Share
https://w3techs.com/technologies/overview/content_management/all

WordPress’ Core is
Secure

but….
This market share makes it a huge target for hackers!

So What Can We Do ?

So What Can We Do ?
Let’s look at how to secure WordPress as:
A User
A System/Server Administrator
A Developer
An Information Security Professional

A User’s Perspective

Choose Wisely
The largest source of problems in WordPress
Security come from the Plugin Ecosystem.
Choose your themes & plugins wisely!

Choose Wisely
Are they regularly maintained?
Does the author(s) respond to support questions
promptly?
Are they popular?

Introduction to WordPress Security

Keep It Updated!
WordPress Core ( w/ Automatic Updates!)
WordPress Plugins
 
WordPress Themes

Backups
WordPress Core
WordPress Plugins
 
WordPress Themes
Media Library (“Uploads”)
MySQL Database

Backups
Backup Buddy by iThemes (Paid)
UpdraftPlus (Freemium)
VaultPress (starting @ $39 a year)

Backups
Some Managed Hosts include daily backups. My
favourites include:
 
 
WP Engine
Pantheon

Admin Login
Older versions of WordPress came with an
“admin” login by default.
This became a default target for attacks. Use a
different username.

Passwords
Of course, please use secure passwords.
 
password123 is not secure.

2 Factor Auth

Use Email As Login
WordPress defaults to a username login
Usernames are fairly discoverable in WordPress
The Email Login plugin forces login using an
email address instead. 
 
https://wordpress.org/plugins/wp-email-login/

Least Privilege
Only gives users the permissions they need to do
their jobs.
Subscriber - Can Read
Contributor - Can Write, but not publish
Author - Can Publish their own Posts 
Editor - Can Publish Anyone’s Posts & Pages 
Administrator - Can modify site conﬁguration

Security Plugins
SiteLock
iThemes Security 
 
WordFence 
 
Sucuri Security

Security Plugins
Limit Login Attempts 
File Monitoring 
Security Auditing 
Malware Scanning
Change Default URLs 
404 Detection 
Strong Password Enforcement 
Temporary Site Lockout (“Away Mode”) 
Permissions Monitoring 
WordPress Version Hiding

System/Server
Administrator’s
Perspective

Server Conﬁguration
Some of these recommendations can be done by
users too. But they’re not things you do IN
WordPress.

Enable HTTPS
There’s no reason these days for your website not
to be secured by SSL. LetsEncrypt offers free
certiﬁcates, and many web hosts have this as a
one-click install option.

Enable SFTP
Secure File Transfer Protocol (SFTP) is FTP over
SSH.
If you’re going to give users FTP access to their
sites, this is the best way to do it.

File & Folder Permissions
Directories - 755
Files - 644

Block Some PHP Execution
No PHP Execution in Uploads Folder:
No Execution of Conﬁg File:

Disable File Editor

Disable File Editor
Add to wp-conﬁg.php:

Disable XML-RPC
There are also plugins to do this,  
but doing so at the server side is recommended.

Keep Sites Isolated
If you’re running multiple sites on the same server,
keep them in separate home directories
running as separate users
This helps prevent cross-contamination of sites
in the event of a hack.

Checksum Validation
Using WP-CLI, see if ﬁles have been modiﬁed:
wp core verify-checksums 
 
wp plugin verify-checksums --all

Developer’s
Perspective

Sanitization & Validation

Sanitization & Validation
There are a pile of functions to do input sanitization:
sanitize_title()
sanitize_user()
balance_tags()
tag_escape()
is_email()
sanitize_html_class()
array_map()
sanitize_email()
sanitize_file_name()
sanitize_term()
sanitize_term_field()
sanitize_html_class()
sanitize_key()
sanitize_mime_type()
sanitize_option()
sanitize_sql_orderby()
sanitize_text_field()
sanitize_title_for_query()
sanitize_title_with_dashes()
sanitize_user()
sanitize_meta()

Validation
Are values of the correct type? Do they have the expected
values?  
 
$quantity = intval( $_POST[‘quantity’] ); 
or 
$quantity = absint( $_POST[‘quantity’] );  
 
if ( $quantity > 10 ) { 
die(‘Quantity Out of Range’); 
}

Escaping Text
esc_html( $string );
esc_html__( $string, $domain );
ex: 
 
Hello <?php echo esc_html( $string ); ?> !

Escaping Text
esc_attr( $text );
esc_attr__( $text, $domain ); 
 
Escaping a string for use in an HTML attribute tag. 
 
<div data-value=“<?php echo esc_attr( $value ); ?>”>

Escaping Text
$allowed_html = array( 
'a' => array( 
'href' => array(), 
'title' => array()  
),
'br' => array(), 
'em' => array(), 
'strong' => array() 
);
wp_kses( $fragment, $allowed_html, $protocols);

Escaping HTML
wp_rel_nofollow( $html ); 
 
Adds rel=“nofollow” to every link in the HTML fragment.

Sanitization & Escaping
For the ofﬁcial documentation on WordPress’ Validation &
Sanitization Functions, see: 
 
https://codex.wordpress.org/
Validating_Sanitizing_and_Escaping_User_Data

Working with the Database
Use $wpdb

$wpdb->insert(
‘table_name’,
array(
'column1' => 'value1',
'column2' => 123
),
array(
'%s',
'%d'
)
);

$wpdb->update(
'table',
array(
'column1' => 'value1',     'column2' => 'value2'
),
array( 'ID' => 1 ),
array(
'%s', // value1
'%d' // value2
),
array( '%d' )
);

Custom Queries should be written using the $wpdb->prepare() function.
$safeSQL = $wpdb->prepare(“SELECT * FROM {$wpdb->preﬁx}tablename     WHERE col1 = ‘%s’AND col2 = %d”, $sParam, $iParam);
$wpdb->query($safeSQL);

WordPress Coding
Standards
WordPress has documented coding standards that apply to its PHP,
JavaScript, HTML, CSS and Accessibility components.  
 
Although on it’s own this doesn’t necessarily improve security, it will
make code more readable, and more testable, which minimizes the
chance for errors!
https://codex.wordpress.org/WordPress_Coding_Standards

IT Security
Professional’s
Perspective

Responsible Disclosure
Don’t bring more attention to security vulnerabilities in public
forums, blog posts, chats, or issue trackers without giving
developers a reasonable chance to patch it ﬁrst.

Automattic participates in HackerOne, a platform for secure
reporting vulnerabilities. And yes, they offer bounties!
WordPress.com Hosted Sites:
https://hackerone.com/automattic

WordPress participates in HackerOne, a platform for secure
reporting vulnerabilities. And yes, they offer bounties!
The WordPress Open-Source Core Code
https://hackerone.com/wordpress/

Find a problem with a theme or plugin? Try contacting the
authors directory. If you can’t, email:
Plugins & Themes
plugins@wordpress.org

Since it’s launch with HackerOne in May 2017
52
WordPress bugs have have been resolved through
reporting by 46 hacked on the platform.
December 2017 (State of the Word Keynote)

What do Hacked
WordPress Sites Look
Like?

What If I Get Hacked?

Shameless Promo:
WordCamp Ottawa
2018

ShawnHooper.ca
 
Twitter:
@ShawnHooper
THANK YOU!

Introduction to WordPress Security

More Related Content

What's hot (20)

Similar to Introduction to WordPress Security (20)

More from Shawn Hooper (15)

Recently uploaded (20)

Introduction to WordPress Security