@SiteLock
WordPress Security for Beginners
Simple Steps to Build Your Master Plan
WordCamp Louisville 2016

Did You Know?
• There are 3.26 billion internet users as of December 2015; that’s over 40% of the world population.
• Only 44% of web traffic is from humans; 56% of web traffic is from bots, impersonators, hacking tools, scrapers and spammers.

What We’ll Cover Today
• Why and How Websites Get Hacked
• What We All Should Be Doing
• Going Above and Beyond
• After the Hack

Adam W. Warner
• WordPress Evangelist at SiteLock
• Co-Founder at FooPlugins
• Discovered WordPress in 2005
• WordPress Community Addict
• Fan of Fractals
• Lover of Meatballs
• Proud Dad!

Hacking Techniques
• Vulnerability scanning
• Server disruption
• Monetary loss
• Information leaks
• Vandalism (defacement)

Why Websites Get Hacked
• Drive-by-downloads
• Redirections
• System resources
• Because they don’t like you

Why MY Site!?

Opportunity
• It’s not you, it’s them
• Because it’s possible
• Because we give them an opening

Automation
• Most hacking attempts are automated

How Websites Get Hacked
• 41% get hacked through vulnerabilities in their hosting platform
• 29% by means of an insecure theme
• 22% via a vulnerable plugin
• 8% because of weak passwords

Two Categories of Security

Access Controls

Software Vulnerabilities
• Anywhere there is a system, there’s a potential software vulnerability waiting to be exploited

What Do Hacks Look Like?

Where Do You Start?
• With yourself of course

Simple Steps for Everyone

Strong Passwords: Everywhere

Reusing Passwords

Even More About Passwords

Password Managers
• LastPass
• Dashlane
• Roboform
• TrueKey

Your Computer

Public Networks
Use a VPN. Please!

Don’t Change Core

Backup. Backup. Backup.

Update. Update. Update.

Remove Inactive Software

Install Software Only from Official Sources

Choose a Secure Host
https://wordpress.org/hosting/

Latest Version of PHP

Admin Usernames and Nicenames

Security Plugins and Services

SSL

Kick It Up a Notch

Limit Login Attempts
• Limit Login Attempts
• Login Lockdown

2FA (Two-Factor Authentication)

Clef

File Permissions

Default Table Prefix

.htaccess and wp-config.php

Authentication Keys and Salts

Disable PHP Execution

Disable File Editing

Secure wp-config.php

Disable XML-RPC?

Learn More
https://codex.wordpress.org/Hardening_WordPress

Install a Firewall

(CDN) Content Delivery Network

How to Detect a Hacked Site
• Visit your site often
• Search for your site
• Unexplained spikes in traffic
• Investigate customer/visitor reports
• Google Search Console (email alerts)
• Remote scanner
• Malware scanner
• Source code scanner
• Service that detects site changes

What To Do If You’re Hacked

Clean It Yourself

Use a Service
• Security is their core business
• Cleans files, databases, backdoors, etc.
• Remove malware warnings
• Remove from blacklists
• Helps services learn for the benefit of all

What To Do After Cleanup
• Change ALL passwords
• Change WP secret keys and salts
• Read this again: https://codex.wordpress.org/Hardening_WordPress

Now What?
Thank You – Questions?
• Follow at:
• @SiteLock
• @wpmodder
• SlideShare
• http://www.slideshare.net/wpprobusiness
• My Blog Posts:
• http://wpdistrict.sitelock.com
• http://adamwwarner.com

Editor's Notes

  • #2: Security can seem intimidating and complex for many of us, but we shouldn’t (can’t) let that stop us from making sure we’re doing everything we can to secure our WordPress sites. After all, our websites are often part of our livelihood. In this session Adam will discuss the “big picture” of website security and break down the fundamental tasks needed for a strong security plan, in order of importance. Adam will provide an actionable checklist on what you can start doing today to better secure your WordPress websites. After attending this session, audience members will have a better understanding of website security as a whole and what steps they can take to mitigate risk. Attendees will be able to start building their WordPress security master plan immediately.
  • #5: WP Evangelist means that I attend WordCamps and other events and listen to the community.
  • #6: Vulnerability Scanning – a technique used to identify security weaknesses in a computer system and its code. Used by network administrators for obvious security purposes. However, hackers can also use the same technique to gain unauthorized access, which can open the door to other infiltration tactics and motivations. Vulnerability scanning is essentially the gateway to additional attacks.
    Server Disruption – Usually one goal: shut down or render a particular website useless. Known as Distributed Denial of Service or DDoS. In layman’s terms, DDoS attacks are when a hacker seizes control over a network of zombie computers called a botnet. The botnet is then deployed to ping a certain web server to overload a website and ultimately shut it down.
    Monetary Loss – This type of motivation for hackers is what everyone is most fearful about. Credit card data, etc. Not just websites: ATM skimmer story.
    Information Leakage – Hackers accessing your personal and private information for various reasons. Identity theft, Social Security Numbers, usernames/passwords. The Ashley Madison hack that occurred in the summer of 2015: once hackers were able to infiltrate its customer database, they essentially had the entire company (and its fearful users) at their mercy. When hackers finally posted the Ashley Madison data, it sent earth-rattling shock waves throughout the internet and society.
    Website Vandalism – Vandalism-inspired attacks are often done more for a shock factor and to grab people’s attention. Politically driven, such as to deface a certain candidate’s website, or could simply be used just as a source of fun.
    Unauthorized Code Execution – The hacker typically wants to infect a user with malware in order to ultimately take control of said user’s computer through the execution of commands or code. This is a powerful form of hacking that allows hackers to take complete control of the victim’s computer. When hackers run unauthorized code, this can be one of the first steps of turning a user’s computer into a zombie or bot, as mentioned under Server Disruption above. Having this kind of unprecedented access can lead to a limitless number of suspicious activities that a hacker can perform without even a trace of being caught.
  • #7: What’s In It for Them? Still, the question remains: Why would anyone put in that effort? What do they get out of it? If your site does not contain any government secrets or other people’s banking info, why would they be interested in your site? Well, even in those cases, hacking your site could benefit individuals with bad intentions in different ways:
    Drive-by-downloads — Hackers can use your site to infect your visitors’ computers with malware like back doors, key trackers, ransomware, viruses, or other malicious software in order to capture information they can use for their own gain.
    Redirections — Sometimes hackers will redirect visitors from your site to other websites that generate affiliate income for them.
    System resources — Another possibility is that they take over your server and use the hardware for sending out spam emails, performing denial of service or brute force attacks and more. Of course, this will easily get your server — and your site — put on a blacklist or jack up your hosting cost if it is based on usage.
    Don’t like you — The most uncommon motive.
  • #8: Don’t accept credit cards? Sensitive data? Website traffic is low? Avoided controversial topics? Only serve a local customer base? Especially owners of smaller websites often think themselves an unlikely target for hackers. After all, why would anyone care about your tiny blog? What could hackers possibly have to gain from compromising it? Traffic size, or popularity are not the deciding factors.
  • #9: Hacking Attempts Are A Matter Of Opportunity The first thing you need to understand is that it’s not about your site in particular or you personally. Most sites get hacked merely because it’s possible. It’s rare that hackers have a specific reason to go for a particular site. Most of the time hackers go for our sites because we give them an opening, unknowingly. Therefore, it’s not about logic or whether it makes sense to hack your site. No matter how small or insignificant your traffic, you are always a viable target.
  • #10: Most Hacking Attacks Are Automated. One of the main reasons hackers don’t differentiate between the sites of different sizes is that attacks are almost always done automatically. If you think someone typed your site address into a browser bar and had a good snoop around until they found something, you’d be dead wrong. Hackers use bots to crawl the net. Bots sniff out known vulnerabilities. Automating the process allows hackers to attack many sites at once and thus increase their odds of success dramatically. If your site gets hacked, it’s probably because it popped up on the radar of an automated script, not because someone consciously decided to target you.
  • #11: As you can see, the first point of entry is most often the hosting provider. This doesn’t mean your site has been targeted directly. It is likely that another site in a shared hosting environment got hacked and took the others down in the process. More than half of all successful hacks come through WordPress themes and plugins. The rest of the sites suffer from insufficient password protection, making them vulnerable to brute force attacks. 8 percent doesn’t seem like a lot, but be aware that we are talking about hundreds of thousands of websites here.
  • #12: Really comes down to two categories of security.
  • #13: Access control speaks specifically to the process of authentication and authorization; simply put, how you log in. When I say log in, I mean more than just your website. Here are a few areas to think about when assessing access control:
    How do you log into your hosting panel?
    How do you log into your server? (i.e., FTP, SFTP, SSH)
    How do you log into your website? (i.e., WordPress, Dreamweaver, Joomla!)
    How do you log into your computer?
    How do you log into your social media forums?
  • #14: Not just applications like WordPress, plugins, themes or other software you might be running on your server. But also your local computer, browsers, etc. Even the most experienced developers can’t always account for the threats their own code might introduce. The problem is the way we think about security from beginning to end. Most of us use things as they are designed.
  • #15: Trump – Defacement. Real Estate to Adult Site – Redirection. Google does a good job of letting people know. You don’t want your potential visitors/customers to see this.
  • #16: Be security-minded daily. Be vigilant. It’s not paranoia, it’s best practice for life.
    Talk about the Vienna ATM skimmer: https://www.youtube.com/watch?v=ll4f0Wim4pM
    Gas station readers, etc.
    The IoT hack that took down the East Coast: https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
  • #17: Fortunately, we can all do a lot to mitigate our chances of being hacked. It starts with closing those openings we’ve been leaving.
  • #18: Home Wi-Fi. Computer login. At every step of the website creation process! Remember the Access Control I talked about? Hosting account. FTP, SFTP, SSH. Website login. Social media accounts. 3rd-party services you might use: Dropbox, Amazon, Instagram, Google, and others. Even IoT devices (refrigerators, TVs, etc.).
  • #19: Don’t!
  • #20: Plain-text transmission. Has anyone sent a username/password combo in an email? Don’t send passwords over email, chat, social networks or other unencrypted forms of transmission. Of course, passwords should not be shared between users or stored in plain text anywhere, no matter how convenient this may be. The practice of sharing logins and passwords flies in the face of security and accountability.
  • #22: Local Anti-virus
  • #23: How many of you are on the open network right now? Airports, coffee shops, even your neighbors (I just noticed my wife was on a neighbor’s open network yesterday!). True story: Betsy Davis, 7 years old, watched a YouTube video on how to set up a fake Wi-Fi access point. It only took her 11 minutes to set it up and start getting access to computers. Virtual private network (VPN): A VPN is a way of using the public internet like a secure private network. It encrypts data and routes it through remote servers, keeping the activity and location private and secure.
  • #24: There was a time when plugins didn't exist. If you wanted to change something, you edited core files. Joe talked about Hooks and Filters. This is what those are for and why plugins exist for changing functionality. Can get the desired functionality you need without actually changing the core. If any developer you work with suggests making any such changes, run a mile.
  • #25: Explain what a backup is. Search the plugin repo for “backup”
  • #26: Core, plugins, themes. You hear of people who disable WordPress core updates because “an update might break one of my plugins.” If you had to choose between a hacked site and a temporarily broken plugin, which would you choose? Plugins that are incompatible with the latest version of WordPress are only going to stay that way for a very short time. A hacked site, on the other hand, is a far bigger problem.
  • #27: Plugins, themes and anything else. Sometimes we install plugins to test their functionality and then forget to remove them from our site. If a vulnerability is discovered in these plugins, your site becomes a sitting duck (especially if you don’t follow the advice above and always update the plugins). Your website is still vulnerable even if that plugin is installed on your website and not being used. The safest way to minimize the risks is to completely uninstall any plugins you are not using. There is a very easy way to know which plugins are not being used: they are marked as Inactive in the Plugins section of the WordPress admin. Delete them.
  • #28: Some people might get tempted to “bypass” the payment of a good theme or plugin, by getting it from *cough* less than reputable sites. Or maybe they don’t know that it’s not the official site. The pirated themes and plugins you download for free have been maliciously tweaked. Most times a back door has been installed in the script. This allows the site where the theme or plugin is used to be remotely controlled by hackers for nefarious reasons. Would you trust your money to a known scam artist? I wouldn’t think so. Same thing for your website. Don’t trust “free” WordPress scripts coming from people whose business is stealing other people’s work.
  • #29: Security conscious hosting services will have a dedicated security team who monitor the latest vulnerabilities (even 0-day hacks, i.e. those for which there is no remedy yet) and preemptively apply rules on their network firewalls to mitigate any hack attacks on your site. WordPress hosting is a bit of a hot topic, so I won’t be making recommendations here, but the WordPress hosting page does make a few suggestions. These are by no means the only security conscious hosting companies out there. 
  • #30: What is PHP? PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML. Code is executed on the server, generating HTML which is then sent to the client (the browser). Pie Chart: Only 3.5% of WordPress installations run on the latest version of PHP (7.0), whilst about 26.9% run version 5.6, which is still supported. The rest of the WordPress installations (close to 80%) run on versions that are no longer supported or updated for security patches.
  • #31: Up until WordPress 3.0, the default user name of the administrator login was “admin.” This created a bit of a bonanza for hackers as there was no need for them to guess the administrator username. This “sort of” still matters. Older installs or people who specifically use admin as username. If your username is currently admin, you should create a new administrator user with a username that is less obvious to guess and delete the old admin user. You can also rename the user using phpMyAdmin, or choose to run a SQL script on your database to rename the admin user:
  • #32: I recommend using a mix of security plugins AND cloud-based security and malware scanner options. Many decent solutions can be found by searching the Security tag in the plugin repository.
  • #33: SSL (Secure Sockets Layer): encrypted links between a web server and a browser. This link ensures that all data passed between the web server and browsers remains encrypted. Many certificates are free with Let’s Encrypt and many hosts are including this option. Google is (or will be) using this as a ranking factor.
  • #35: By default, WordPress allows users to enter passwords as many times as they want. To prevent this, you can limit the number of failed login attempts per user, which helps prevent brute force attacks on your login page. For example, you can say that after 5 failed attempts, the user is locked out temporarily. If someone has more than 5 failed attempts, then your site blocks their IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, or even longer.
  • #36: One way of quickly and very easily securing your WordPress logins is by enabling Two-Factor Authentication, also known as 2FA. With 2FA, to log in to your WordPress backend you will need, besides your regular password, a time-based security token that is unique to each user. This token also expires after a period of time, usually 60 seconds. The security token is typically generated by an app such as Google Authenticator. Because there is a security token unique to each single user that expires, even if somebody knows your login credentials, they will still not be able to log in, because they will not have the current security token. This drastically increases the strength of your login and also helps mitigate brute force attacks on your login details. There are a number of plugins that can help you set up WordPress Two-Factor Authentication. Check out 6 Best WordPress Security Authentication Plugins for some of our favorites.
  • #37: No password or codes sent. Pattern matching.
  • #38: This is a bit of a technical thing. PHP and WordPress in general use a set of permissions associated with files and folders. Without going into too much detail, there are different types of permissions: (1) publicly writable files and directories, (2) files writable by the web server only, and (3) read-only files. In general, your web server typically needs to be able to write files for WordPress to work correctly, whilst the public internet NEVER needs to have write access to your files. As a general rule, folders should have 755 permissions and files should have 644 permissions. The wp-config.php file should have 400 or 440 permissions.
  • #39: This is another remnant of old versions of WordPress. Previously, the names of WordPress tables in the database used to start with the prefix wp_. Although this is no longer the default behavior, some people might revert to this (unsafe) practice, whilst older versions of course still have to live with it. This is WordPress security through obscurity; it may still block some attempted SQL injection attacks. Renaming existing wp_ tables should be done only by your trusted WordPress developer.
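An added example (not from the talk) that turns the 755/644/400-or-440 rule into something you can run against a WordPress directory: an audit that lists every path breaking the rule, a repair function, and a constructed throw-away tree with typical mistakes to try it on. It assumes POSIX find and chmod.

```shell
#!/bin/sh
# Added example: audit and repair a WordPress tree against the rule above:
# directories 755, files 644, wp-config.php 400 or 440. Assumes POSIX find/chmod.

# Print one line per path that breaks the rule (empty output means clean).
wp_perm_audit() {
  root=$1
  find "$root" -type d ! -perm 0755 | sed 's/^/dir  /'
  find "$root" -type f ! -name wp-config.php ! -perm 0644 | sed 's/^/file /'
  find "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 0400 ! -perm 0440 \
    | sed 's/^/cfg  /'
}

# Apply the rule. 440 rather than 400 so a web-server group can still read the config.
wp_perm_fix() {
  root=$1
  find "$root" -type d -exec chmod 0755 {} +
  find "$root" -type f ! -name wp-config.php -exec chmod 0644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 0440 "$root/wp-config.php"; fi
}

# Constructed throw-away tree with typical mistakes (sample input, not a real site).
wp_perm_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-includes"
  : > "$d/index.php"; : > "$d/wp-content/uploads/photo.jpg"; : > "$d/wp-config.php"
  chmod 0755 "$d" "$d/wp-content" "$d/wp-includes"; chmod 0644 "$d/index.php"
  chmod 0777 "$d/wp-content/uploads"            # world-writable upload folder
  chmod 0666 "$d/wp-content/uploads/photo.jpg"  # world-writable file
  chmod 0644 "$d/wp-config.php"                 # readable by everyone on the host
  printf '%s\n' "$d"
}

# Usage: sh wp-perms.sh /path/to/wordpress   (audit only; call wp_perm_fix to repair)
if [ "$#" -gt 0 ]; then wp_perm_audit "$1"; fi
```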
  • #40: Explain what these are and that I’ll be referencing them. .htaccess is a configuration file for use on web servers running the Apache Web Server software. When a .htaccess file is placed in a directory which is in turn loaded via the Apache Web Server, the .htaccess file is detected and its directives are applied by Apache before anything else runs. wp-config.php is one of the core WordPress files. It contains information about the database, including the name, host (typically localhost), username, and password. This information allows WordPress to communicate with the database to store and retrieve data (e.g. posts, users, settings, etc.). The file is also used to define advanced options for WordPress.
  • #41: You might have come across these eight WordPress security and authentication keys in your wp-config.php file and wondered what they are. You may also have never seen or heard about them. They look something like this: These are random variables that are used to make it harder to guess or crack your WordPress passwords. They add an element of randomness to the way that your passwords are stored and make them much harder to crack by brute force. Although most self-hosted sites do not have these in place, you should actually implement them. This is a relatively easy procedure: (1) generate a set of keys using the WordPress random generator; (2) edit your wp-config.php file, and in the Authentication Unique Keys section you should find the place to add the unique keys generated in step 1. Do not share or make these keys publicly available; it defeats their purpose.
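As an added example (not from the talk), the two-step procedure done locally: one function generates the eight define() lines from /dev/urandom instead of fetching them, and another checks an existing wp-config.php for keys that are missing or still set to the sample file's placeholder. The constant names are the real ones from wp-config-sample.php; the 64-character length and the character set are this example's choices.

```shell
#!/bin/sh
# Added example: generate the eight unique keys/salts locally and check a
# wp-config.php for keys left at the sample placeholder. Assumes /dev/urandom.
WP_KEY_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# One 64-character key from characters that are safe inside a PHP single-quoted string.
wp_random_key() {
  LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=.,;:<>?~' < /dev/urandom | head -c 64
}

# The define() lines to paste into the "Authentication Unique Keys and Salts" section.
wp_salts_block() {
  for name in $WP_KEY_NAMES; do
    printf "define('%s', '%s');\n" "$name" "$(wp_random_key)"
  done
}

# wp_salts_check WP_CONFIG: report keys that are missing, still the sample
# placeholder, or shorter than 64 characters; succeeds only if all eight are fine.
wp_salts_check() {
  cfg=$1; bad=0
  for name in $WP_KEY_NAMES; do
    val=$(sed -n "s/^define( *'$name', *'\(.*\)' *);.*/\1/p" "$cfg" | head -n 1)
    if [ -z "$val" ] || [ "$val" = "put your unique phrase here" ] || [ "${#val}" -lt 64 ]; then
      printf 'weak or missing: %s\n' "$name"; bad=$(( bad + 1 ))
    fi
  done
  [ "$bad" -eq 0 ]
}

# Usage: sh wp-salts.sh                -> prints fresh define() lines
#        sh wp-salts.sh wp-config.php  -> checks an existing file
if [ "$#" -gt 0 ]; then wp_salts_check "$1"; else wp_salts_block; fi
```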
  • #42: Remember htaccess? One of the first things a hacker would do if they got some kind of access to your site would be to execute PHP from within a directory. Blocking that is quite a strong WordPress security step. Warning! It may break some themes and plugins that might require it, but you should implement this at least in the most vulnerable directories: STAGING SITE /wp-includes/ /uploads/ This protection needs to be implemented via your .htaccess files. Add the below code to the .htaccess file in the root directory of your WordPress installation:
<Files *.php>
Order Allow,Deny
Deny from all
</Files>
  (On Apache 2.4 without mod_access_compat, the equivalent of the last two lines is Require all denied.)
  • #43: When you are in the initial phases of creating a website, you’ll probably need to tinker around with theme and plugin files. By default, WordPress administrators have the rights to edit PHP files. Once your website has been developed and is live, you’ll have much less need to edit these files. However, allowing administrators to edit files is a security issue, because if a hacker manages to log in to your site, they’ll immediately have edit privileges and they’ll be able to change files to suit their malicious needs. You can (and should) disable file editing for WordPress administrators after your website goes live through the following line in the wp-config.php file: define('DISALLOW_FILE_EDIT', true);
  • #44: If your WordPress files were the human body, the wp-config.php file would be the heart. I won’t go into too much detail about wp-config.php here. But the fact that it stores such important stuff such as the login details for the database used with your WordPress installation, hashing password salts and other important configuration settings, suffice to say this file is very important. Clearly, you don’t want anybody poking around this file. I strongly recommend implementing specific security measures to safeguard this critical WordPress configuration file. You can add the following to your .htaccess files:
  • #45: XML: eXtensible Markup Language. RPC: Remote Procedure Call. WordPress provides the ability for an application to access it remotely via what is known as an Application Programming Interface (or API). This means that applications can access your site (for benign reasons). A typical example of XML-RPC usage is a mobile or desktop application that updates your site. There are also some plugins which use XML-RPC; for example, Jetpack uses XML-RPC functionality. However, XML-RPC can also be used to perform hack attempts on your website. Many believe that XML-RPC is as secure as the rest of the WordPress core, but you can rest assured that XML-RPC is something that hacking scripts are going to be probing. You’ll probably find plenty of hits to XML-RPC if you have enabled logging on your site. If you are sure that no third-party applications or WordPress plugins are using your WordPress website via XML-RPC, you can choose to disable it using a WordPress plugin.
  • #47: There are two main types of firewalls, or uses for firewalls. Network firewalls are used to segregate different types of networks, either keeping things from getting in or keeping things from getting out. A Web Application Firewall (WAF) is used to secure the WordPress application itself: hardware or software that “learns” and accepts rules. Example: an intranet that only allows traffic from a certain IP range (only from the company network). There are a number of WAF products, some with free plans.
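An added example (not from the talk) that covers both the failed-login limit in #35 and the XML-RPC probing described here, from the logging side: a shell function that reads an Apache combined-format access log and lists the client IPs repeatedly POSTing to wp-login.php without getting past it, or POSTing to xmlrpc.php, over a constructed sample log. It assumes awk, the standard combined log layout, and WordPress's behaviour of answering a failed login with HTTP 200 and a successful one with a 302 redirect.

```shell
#!/bin/sh
# Added example: spot clients hammering wp-login.php or xmlrpc.php in an Apache
# combined-format access log. Assumes awk; the log lines below are constructed.

# Print one constructed access-log line: IP, method, path, status.
wp_log_line() {
  printf '%s - - [10/Oct/2016:13:55:36 +0000] "%s %s HTTP/1.1" %s 512 "-" "Mozilla/5.0"\n' \
    "$1" "$2" "$3" "$4"
}

# Constructed sample log: one login guesser, one XML-RPC hammer, normal users.
wp_sample_log() {
  i=0; while [ "$i" -lt 8 ]; do wp_log_line 203.0.113.7 POST /wp-login.php 200; i=$((i+1)); done
  i=0; while [ "$i" -lt 12 ]; do wp_log_line 203.0.113.9 POST /xmlrpc.php 200; i=$((i+1)); done
  wp_log_line 198.51.100.2 POST /wp-login.php 200   # one typo ...
  wp_log_line 198.51.100.2 POST /wp-login.php 302   # ... then a successful login
  wp_log_line 198.51.100.2 GET /wp-admin/ 200
  wp_log_line 198.51.100.5 GET /xmlrpc.php 405
}

# wp_login_abuse_report LOGFILE LIMIT
# A failed wp-login.php attempt re-renders the form with HTTP 200 (a success
# redirects with 302), so only POST+200 counts there; every POST to xmlrpc.php counts.
wp_login_abuse_report() {
  awk -v limit="$2" '
    $6 != "\"POST" { next }
    { split($7, p, "?"); path = p[1] }
    path == "/wp-login.php" && $9 == 200 { hits[$1 " " path]++ }
    path == "/xmlrpc.php"               { hits[$1 " " path]++ }
    END { for (k in hits) if (hits[k] >= limit) print hits[k], k }
  ' "$1" | sort -rn
}

# Usage: sh wp-abuse.sh /var/log/apache2/access.log [limit]
if [ "$#" -gt 0 ]; then wp_login_abuse_report "$1" "${2:-5}"; fi
```

The flagged IPs are what a login-limiter or WAF rule would block; the report itself only reads the log.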
  • #48: A Content Delivery Network’s primary use is typically to optimize the performance of your site by serving heavy resources fast. CDNs, however, provide another secondary feature: most CDNs are able to protect against a number of WordPress security issues. If you are using a CDN (and you should), make sure you are also enabling the security rules provided to improve the protection of your WordPress website.
  • #49: Summary of this image https://www.wordfence.com/wp-content/uploads/2015/12/TipsforDetectingHackedWebsiteEarly_1340px.png
  • #52: Tinkerer Wasted time
  • #53: It is in their best interest to keep your site as safe as possible.
  • #54: Local machine password, WP users, hosting account, FTP/SFTP. If you categorize all these in LastPass, it will be easy to know what needs to be changed and where.
  • #55: Just do it Shia Labeuf