WORDPRESS SECURITY 101 – HACKERS, SCOUNDRELS, AND VILLAINS, OH MY. PRESENTED BY: GARRY MCNEILLY, KOJAC CONSULTING

Page 1: Word press security 101

WORDPRESS SECURITY 101

HACKERS, SCOUNDRELS, AND VILLAINS, OH MY.

PRESENTED BY: GARRY MCNEILLY KOJAC CONSULTING

Page 2: Word press security 101

PRESENTATION OVERVIEW

You will learn how to:

• Secure your desktops & servers

• Secure WordPress websites

• Basics of themes & plugins

• Develop and test in a local environment

• Basics of MySQL and XAMPP

• Best practices for securing your email using Sender Policy Framework (SPF)

Page 3: Word press security 101

SECURE YOUR LOCAL WORKING ENVIRONMENT

• Keep your software up to date – run Windows Update on a regular basis

• Install antivirus on all computers & servers and keep it up to date

• Implement a hardware or software firewall solution whenever possible

Page 4: Word press security 101

ANTI VIRUS, FIREWALLS, MALWARE

Free solutions:

• www.comodo.com – firewall and internet security (remove the GeekBuddy 24/7 upsell)

• www.zonealarm.com – free firewall

• http://www.avast.com – basic antivirus

• http://www.avg.com – basic free antivirus

Page 5: Word press security 101

ANTI VIRUS, FIREWALLS, MALWARE

Malware is the collective term for:

• Viruses

• Trojan horses

• Rootkits

• Backdoors

Malwarebytes – http://www.malwarebytes.org

What is it…

“Today, malware is used primarily to steal sensitive information of personal, financial, or business importance by black hat hackers with harmful intentions”

Page 6: Word press security 101

SECURE YOUR LOCAL WORKING ENVIRONMENT

Lock Down your Browser

HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure. https://www.eff.org/https-everywhere-node

No Mention of IE…

Keep your Browsers up to date

Page 7: Word press security 101

SECURE YOUR LOCAL WORKING ENVIRONMENT

Firefox add-on – NoScript Security Suite 2.6.8.5

The best security you can get in a web browser!

Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks.

https://addons.mozilla.org/en-US/firefox/addon/noscript/

Note: it takes a little while to configure your trusted sites

Page 8: Word press security 101

WHAT HAS MY ISP DONE FOR ME LATELY

Does my ISP notify me of server / database upgrades?

Do they lock me out if there are too many login attempts – and if so, do they let you know?

Are you on a shared server or a dedicated server? (cross-contamination)

Page 9: Word press security 101

WHAT HAS MY ISP DONE FOR ME LATELY

Are your sites segmented?

Do you have one master account for access to all accounts?

Own one, own all

Page 10: Word press security 101

WHAT HAS MY ISP DONE FOR ME LATELY

Do you have a limitation on your MySQL database (how many records can you have, how big can your database be)?

Do they offer Sender Policy Framework (SPF) for email?

What's technical support like – phone | email | 24/7 or whenever we decide to get back to you?

Page 11: Word press security 101

WHAT HAS MY ISP DONE FOR ME LATELY

What's their Service Level Agreement (SLA) like?

Do they offer backup services?

What's their data retention policy like?

Page 12: Word press security 101

TWO STEP AUTHENTICATION 3RD PARTY APPS

Page 13: Word press security 101

TWO STEP AUTHENTICATION – DROPBOX, 3RD PARTY APPS

1. Sign in to the Dropbox website.

2. Click on your name from the upper-right of any page to open your account menu.

3. Click Settings from the account menu and select the Security tab.

4. Under the Account sign in section, next to Two-step verification, click Enable.

Page 14: Word press security 101

TWO STEP AUTHENTICATION 3RD PARTY APPS

Just a few more accounts that have two-step authentication:

LinkedIn – new after they were hacked and nearly 6.5 million users were affected

Microsoft Accounts

Wordpress.com

Godaddy.com

Page 15: Word press security 101

FTP – DON’T GET ME STARTED !!!

File Transfer Protocol – FTP. It's not secure and has no encryption of data.

Stop using it right now.

The SSH File Transfer Protocol (also known as Secure FTP and SFTP) is a better solution.

Page 16: Word press security 101

FTP – DON’T GET ME STARTED !!!

You may need to contact your ISP / hosting provider to activate or install it. You may also need to use a different port number: 21 for FTP, 22 for SFTP.

Secure FTP also gives you root access to the directories and subdirectories of all accounts – so be careful when transferring files or accessing accounts.

Page 17: Word press security 101

PASSWORD MANAGEMENT – PASSWORDS VS. PASSPHRASES

Passwords

Passwords tend to be really common dictionary words.

Easy to guess / crack.

“Password” is a bad password.

Passphrases

Passphrases tend to be much longer and harder to guess / crack.

Longer character set with special characters.

Page 18: Word press security 101

PASSWORD MANAGEMENT

Password Example

Your wife's name is Tonya; change the O to a zero: T0nya

Passphrase example: MyWifeT0nyaCant_Cook (still common, but a little harder to crack)

Page 19: Word press security 101

PASSWORD MANAGEMENT

Add Upper and lower case as well as special characters

MyW1feT0nyaCant_Cook#@!

And if for some reason your wife needs your password… change it QUICK

MyW1fe_T0nyaIs_A_GrateC00k

Page 20: Word press security 101

PASSWORD MANAGEMENT

www.lastpass.com – can be used on all devices

Auto-fills user names & passwords

Page 21: Word press security 101

PASSWORD MANAGEMENT

www.RoboForm.com

https://www.passpack.com

http://keepass.info/

These programs can generate complex passwords that are hard to remember unless you are using a password manager.

Page 22: Word press security 101

WORDPRESS SECURITY

• Themes

• Plugins

• WordPress install

• Internet Service Providers

• Users / Privileges

• Databases

Page 23: Word press security 101

WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!

$$$ Financial gain $$$

Hackers make money in a few ways:

Affiliate marketing referrals – pay per click

Zero-day exploitation

Page 24: Word press security 101

WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!

Pharma hacks (Viagra, counterfeit drugs)

Change the DB | insert spam | add a backdoor | redirect URLs

Page 25: Word press security 101

WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!

Site redirections

SEO poisoning of your keywords

Access to membership lists

E-commerce theft – such as Infusionsoft and PayPal

Credit card information

Page 26: Word press security 101

WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!

Defacement of site – script kiddies just #being shit heads

Install backdoor software – own one, own all

Malicious redirects – they make money from pay per click

Injections – iframes specifically

Identity theft #juststeelingyourshit

Page 27: Word press security 101

WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!

• Email compromise allowing for Phishing attacks

• CryptoLocker ransomware attacks

‘The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment’

Page 28: Word press security 101

HOW DOES THIS AFFECT ME & MY BUSINESS

• Loss of trust with clients

• Loss of business

• Loss of time, effort and lots of money to fix your website

• Tarnishes your online reputation

Page 29: Word press security 101

THIS THREAT IS NOT REAL, IS IT?

Just a few stats to scare the crap out of you

• 12,000 to 14,000 sites per day are blacklisted

• Google documents and issues 5 million warnings per week

Page 30: Word press security 101

DOMAIN NAME MANAGEMENT

Make sure you or your clients own their domain name

Set up auto-renewal

Add privacy to your domain if possible – making it harder to steal

*Domain name extortion

Example: www.sitedudes.com – No long term contracts my ass !!!

They did offer a complimentary ass kicking… though

Page 31: Word press security 101

WORDPRESS SECURITY INSTALL REVIEW

Most WP setups out of the box are configured with:

- admin (username)

- password (you create)

You have just helped a hacker with ½ the answers to your login by using admin as a user name.

Page 32: Word press security 101

WORDPRESS SECURITY

Install the Google Authenticator plugin for WordPress.

Hackers now need:

- Your long user name

- Your long, complex password

- The TXT sent to your phone

Page 33: Word press security 101

WORDPRESS SECURITY

Create a user name that is at least 15 characters, including upper and lower case and special characters.

Password: use a program such as LastPass to create a long and complex password.

Page 34: Word press security 101

WORDPRESS SECURITY

Limit Login Attempts plugins will help stop brute force attacks by locking your site after a specific number of failed attempts.
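To show how such a lockout works underneath, here is the core of a limit-login-attempts plugin written against WordPress's own hooks (an added example, not the Limit Login Attempts plugin or any code from the presentation); the threshold, time window, transient prefix and the use of REMOTE_ADDR are assumptions.

```php
<?php
/*
Plugin Name: Login Lockout Example
Description: Locks out a client IP after too many failed logins (added example).
*/

// Policy values are assumptions for this example: 5 failures within 15 minutes.
define( 'LLE_MAX_ATTEMPTS', 5 );
define( 'LLE_WINDOW', 15 * MINUTE_IN_SECONDS );

// Key the failure counter by client IP. Behind a reverse proxy REMOTE_ADDR is
// the proxy's address, so a real deployment would take the client address
// from a header the proxy is trusted to set instead.
function lle_counter_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lle_failures_' . md5( $ip );
}

// WordPress fires wp_login_failed for every bad username/password pair.
// The transient expires after the window, so the counter resets by itself.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lle_counter_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LLE_WINDOW );
} );

// Run after WordPress's own username/password check (priority 20) so that a
// correct password cannot bypass the lockout: a locked client gets an error
// whether or not the credentials were right.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lle_counter_key() ) >= LLE_MAX_ATTEMPTS ) {
        return new WP_Error(
            'lle_locked_out',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lle_counter_key() );
}, 10, 2 );
```

Because WordPress also fires wp_login_failed for the lockout error itself, every attempt made during a lockout refreshes the window, so a client that keeps guessing stays locked out until it stops.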

Page 35: Word press security 101

WORDPRESS SECURITY

Example – Brute Force Attack

Page 36: Word press security 101

SO WHAT CAN I DO TO REDUCE MY RISK

• Remove all unused Themes & Plugins

• Monitor your website on a regular basis

• Keep your site up to date

• Change file permissions from the standard defaults

• Remove users and roles if they are not being used

• Keep your production server tidy – it's not a backup server or file server

Page 37: Word press security 101

WP USERS & THEIR ROLES

Administrator

Editor

Author

Contributor

Subscriber

Page 38: Word press security 101

SO IS YOUR SITE UP TO DATE? MAJOR RELEASE VS. POINT RELEASE

WP 3.6 – 3.7 Major release:

• Old calls & functions

• Core security flaws

• Performance issues

• Core related issues

Page 39: Word press security 101

SO IS YOUR SITE UP TO DATE? WP 3.7.1 POINT RELEASE

WP 3.7.1 Point release:

• Bug fixes

• Security updates

• Images with captions fixed

• Visual editor fixed

NOTE:

Major and Minor updates still have the ability to bring your site down or cause issues.

This is why you should always backup your production site.

Replicate your site in a test environment and make sure that there are no errors and issues.

Page 40: Word press security 101

TOOLS TO TEST YOUR SITE

http://sucuri.net/ – checks for:

• Software version

• Blacklisting

• Malware

• Malicious JavaScript

• Malicious iframes

• Drive-by downloads

• Anomaly detection

• IE-only attacks

• Suspicious redirects

• Spam

Page 41: Word press security 101

WORDPRESS SECURITY

So what's a theme???

Themes define the look and feel of your site. A child theme is a theme that inherits the functionality of another theme, called the parent theme. A child theme allows you to modify, or add to, the functionality of that parent theme.

Page 42: Word press security 101

WORDPRESS SECURITY

A child theme is the safest and easiest way to modify an existing theme, whether you want to make a few tiny changes or extensive changes. Instead of modifying the theme files directly, you create a child theme and make your overrides inside it, so updates to the parent theme never wipe out your changes.
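The functions.php of a minimal child theme, as an added example (not code from the presentation); the parent folder name "twentythirteen", the child theme name and the excerpt length are assumptions.

```php
<?php
/*
 * functions.php of a child theme (added example). The child lives in its own
 * folder whose style.css must begin with a header like:
 *
 *   Theme Name: Twenty Thirteen Child
 *   Template:   twentythirteen
 *
 * The "Template" line names the parent theme's folder and is what makes
 * WordPress treat this folder as a child theme. Any template file placed in
 * the child folder (header.php, single.php, ...) replaces the parent's copy;
 * functions.php is the exception: it is loaded IN ADDITION to the parent's,
 * and before it, so only what is written here changes.
 */

// Load the parent stylesheet first and the child stylesheet on top of it, so
// rules in the child's style.css override the parent's without touching the
// parent theme's files (they stay pristine for the next theme update).
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_style(
        'parent-style',
        get_template_directory_uri() . '/style.css'     // parent theme folder
    );
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',  // child theme folder
        array( 'parent-style' ),                        // load after the parent
        wp_get_theme()->get( 'Version' )
    );
} );

// Overriding behaviour the same way: hook a filter here instead of editing the
// parent's code. Because the child's functions.php loads before the parent's,
// use a later priority than the default (10) so the child's filter runs last.
add_filter( 'excerpt_length', function ( $length ) {
    return 30; // excerpt length in words (assumed value for this example)
}, 20 );
```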

Page 43: Word press security 101

WORDPRESS SECURITY

Responsive design – will resize the look and feel for mobile devices such as smart phones, tablets and netbooks.

Note: when purchasing themes, look at the developer's upgrade status. If the theme has not been updated in a while, keep looking.

Page 44: Word press security 101

TIMTHUMB COMMERCIAL THEMES EXPLOITATION

An image resizing utility called timthumb.php

Bundled in some commercial /free Themes

Remote Code Execution

Page 45: Word press security 101

TIMTHUMB COMMERCIAL THEMES EXPLOITATION

SQL Injection Vulnerability

Google shows over 39 million results for the script name

If you find it, fix it right away

This script is still active and a huge problem in the WP community

Page 46: Word press security 101

CREATE A TEST ENVIRONMENT

Used to develop or replicate a website in a local environment

Test themes / plugins / applications before they go live

Use a staging environment to test for viruses / defects

Page 47: Word press security 101

PLUGINS EXPLAINED

What's a WP plugin??? WP plugins are used to add functionality to your site,

including: security, performance, calendars, social media,

fonts, custom features, site backups.

Before installing a plugin, make sure it's compatible with your version of WP; review the author and make sure they keep up to date with current WP versions, standards and best practices.

Page 48: Word press security 101

SOME KICK ASS PLUGINS

Limit Login Attempts

WP Security

Google Authenticator

DEVELOPMENT TOOLS

Notepad++

Asana.com – used for project management

Page 49: Word press security 101

CREATE A TEST ENVIRONMENT

Microsoft WebMatrix

BitNami WordPress local install

Page 50: Word press security 101

CREATE A TEST ENVIRONMENT – TOOLS FOR CREATING A LOCAL TEST ENVIRONMENT

Microsoft Webmatrix

http://www.microsoft.com/web/webmatrix/ – Installing WebMatrix may not work correctly if you have Skype installed, which also uses port 80, or any other program that uses port 80.

It also requires some file modification to move a site from the test environment to production.

Page 51: Word press security 101

CREATE A TEST ENVIRONMENT

Bitnami.com

Simple application deployment from development to production

Bitnami supports Windows, Mac OS X and Linux operating systems, and VMware virtualized environments

You can also use a subdirectory on your production website

Page 52: Word press security 101

CREATE A TEST ENVIRONMENT

Local development also requires software to run the local database.

XAMPP – http://www.apachefriends.org/en/xampp.html

WAMP – http://sourceforge.net/projects/wampserver/

These two packages use localhost for development. The package includes the Apache web server, MySQL, SQLite, PHP, Perl and an FTP server.

Page 53: Word press security 101

CONCLUSION TO THE PRESENTATION

Questions & Answers – Contact Info

Garry McNeilly

Kojac Consulting

www.kojac-consulting.com

[email protected]

Phone: 416-898-9084
