Quick Reference Guide
Who is this person?
I am Chloe, a Threat Analyst for Wordfence. I have the following security certifications: C|EH (Certified Ethical Hacker) SSCP (System Security Certified Practitioner) Security+ CySA+ (Cybersecurity Analyst+) PenTest+ When I am not working (or while I am?), I enjoy traveling the world and exploring new places.
Google Hacking. AKA: Google Dorking
In my own terms, a methodology that uses Google Search functions to discover vulnerabilities and confidential information on sites that can be used to “break in.”
Not the most “common” or “practical” method used to discover vulnerabilities, however, it has the potential to lead to serious information disclosure and is fun & exciting for demonstration purposes.
Security Basics
CIA Triad.
Core security responsibilities include the protection of:
Confidentiality: The protection of confidential data and ensuring information isn’t disclosed to unauthorized eyes.
Integrity: Ensuring data does not become modified at rest, in transit, or just at all, period.
Availability: Ensuring resources remain available, with minimal downtime.
How does the protection of confidentiality apply to WordPress?
- Ensuring customer data isn’t exposed.
- Ensuring passwords are not exposed.
- Ensuring directories aren’t exposed, or content of sensitive file types.
- Ensuring there is no unauthorized access to the dashboard.
Common Attack Methods to Compromise Confidentiality: Authentication Bypass, credential compromise
How does the protection of integrity apply to WordPress?
- Ensuring posts/content aren’t modified to contain spam.
- Ensuring data isn’t modified.
- Ensuring files aren’t modified to contain backdoors or redirects.
Common Attack Methods to Compromise Integrity: SQL Injections, Credential Compromise, Arbitrary options updates
How does the protection of availability apply to WordPress?
- Protection against DDoS attacks.
- Protection against Brute Force Attacks (which can sometimes exhaust resources)
Common Attack Methods to Compromise Availability: DDoS, xmlrpc.php overload
Defense in depth
A security concept where security is applied in multiple layers so that if one security measure fails you/your site is protected by the next measure put in place.
Risk Tolerance
Important to determine what security controls you would like to implement.
Hardening (.htaccess)
- Disable /xmlprc.php if not needed by your site to help protect against brute force and DDoS attacks.
# Block WordPress xmlrpc.php requests
<Files xmlrpc.php>
order deny,allow
deny from all
allow from 123.123.123.123
</Files>
- Disable directory listing.
Options -Indexes
- Enable .htpasswd protection
AuthType Basic
AuthName "Password Protected Area"
AuthUserFile /path/to/.htpasswd
Require valid-user
https://www.htaccesstools.com/htpasswd-generator/
Hardening (wp-config.php)
- Disable file editing in the WordPress Dashboard
/** Disable file editing in the WordPress dashboard */
define( 'DISALLOW_FILE_EDIT', true );
- Enable WordPress auto-updates for themes/plugins and core.
/** Auto updates for all plugins, themes, and core */
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_core', '__return_true' );
- Force the use of SSL over /wp-admin (we will talk more about SSL later)
define('FORCE_SSL_ADMIN', true);
- Generate Secret Keys/Salts
https://api.wordpress.org/secret-key/1.1/salt/
More Hardening…
- Change default ‘Admin’ username.
- Make sure your new username is strong and unique.
- You can do this with a plugin, through your sites database, or by creating a new user and deleting the old user.
- Haven’t used that plugin in a year? Delete unnecessary plugins and themes.
- Making sure plugins/themes/core remain up to date.
- Maybe an auto-update failed?
- Disable PHP execution in folders where it isn’t required. (Uploads directory)
- Create an .htaccess file, upload it to the directory you want to disable PHP execution and add the following to the file:
<Files *.php>
Order allow,deny
Deny from all
</Files>
- Install an SSL certificate.
Login Security
Password Strength
- Complex: Contains at least 1 special character (@,#,$,%,^,&,*, etc…)
- Length: At least 7-14 characters.
- Unique/Diverse: Contain a combination of several unique characters (1,2,3,4,5,6,7,8,9) (!,@,#,$,%,^) (ABCDEabcde)
Never Reuse Passwords
Use a good password manager:
- LastPass (https://lastpass.com)
- 1Password (https://1password.com)
- KeePassX (https://www.keepassx.org)
Alternative to password manager? Create strong unique phrases you can remember.
Two-Factor Authentication
The use of two-factors to authenticate:
- Something you know: Password, pin, security questions, etc…
- Somewhere you are: Geolocation (You’ve signed in from a new location), etc..
- Something you have: Token, authenticator app on your phone, etc…
- Something you are: Biometics, fingerprint, iris scan, etc…
Limiting Login Attempts
This limits the amount of times a user can attempt to log into your site and can block requests by a specific set of rules. Helps protect against login security attacks.
Several Plugins Available To Help Protect your Login Security
To name a few:
- Wordfence Login Security OR Wordfence (https://wordpress.org/plugins/wordfence-login-security/)
- iThemes Security (https://wordpress.org/plugins/better-wp-security/)
- WP Limit Login Attempts (https://wordpress.org/plugins/wp-limit-login-attempts/)
- Limit Login Attempts (https://wordpress.org/plugins/miniorange-limit-login-attempts/)
Continuous Monitoring and Updates
Security Audits
Typically an inspection that goes through various points to determine if everything is up to date and there are no security holes in your system.
Checks things like:
- Is your software up to date? (MySQL, WordPress, Plugins, Themes?)
- Is there any valuable information being disclosed that shouldn’t be?
Malware/Vulnerability Scanning
Malware Scanner:
- Helps discover unwanted malware that may be present on your system that you didn’t know about.
Vulnerability Scanner:
- Helps detect unknown vulnerabilities.
A few recommendations:
- Wordfence (Plugin) (https://wordpress.org/plugins/wordfence/)
- Sucuri (Plugin) (https://wordpress.org/plugins/sucuri-scanner/)
- Nikto (Installation guide: https://github.com/sullo/nikto)
- WPScan (Installation guide: https://wpscan.org/)
Logging
Enable logging.
- Access Logs (Apache logs)
If your site ever gets compromised, you will have a nice set of logs to help you (or a forensic remediator you hire) with the information needed to determine the intrusion source and infection date.
Logs will help tell you a lot about what is happening with your sites.
Backups
Important to keep backups so if you ever are compromised you have a way to restore. (Or simply if something breaks.)
You can use built in hosting backups or a plugin like:
- Updraft+ (https://wordpress.org/plugins/updraftplus/)
- VaultPress (https://wordpress.org/plugins/vaultpress/)
- Jetpack (https://wordpress.org/plugins/jetpack/)
Install a Web Application Firewall.
WordPress has a wide attack surface and powers a lot of the internet’s websites. Plugins/Themes/Core code in general is just susceptible to vulnerabilities. Everybody makes mistakes, even if they don’t want to!
This can help block malicious attacks/users and protects against things like:
- SQL injections
- XSS vulnerabilities
- CSRF
- And more…
A few recommendations…
- Wordfence (https://www.wordfence.com/)
- Sucuri (https://sucuri.net)
- Sitelock (https://www.sitelock.com/)
- Cloudflare (https://www.cloudflare.com/waf/)
- NinjaFirewall (https://nintechnet.com/ninjafirewall/)
- AWS WAF (https://aws.amazon.com/waf/)
Install a Security Plugin
Provides several additional security features adding additional layers of protection
Usually a friendly user interface that makes it easier to secure your site.
- Some security plugin features:
- WAF
- Login Security (Brute Force, Limit Login Attempts, 2FA)
- Traffic logging.
- Malware scanners
A few popular security plugins…
- Wordfence (https://wordpress.org/plugins/wordfence/)
- BulletProof Security (https://wordpress.org/plugins/bulletproof-security/)
- Sucuri Security (https://wordpress.org/plugins/sucuri-scanner/)
- iThemes Security (formerly Better WP Security) (https://wordpress.org/plugins/better-wp-security/)
- Cerber Security, Antispam & Malware Scan (https://wordpress.org/plugins/wp-cerber/)
- All In One WP Security & Firewall (https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/)
- Ninja Firewall (https://wordpress.org/plugins/ninjafirewall/)
- Defender Security (https://wordpress.org/plugins/defender-security/)