"I know what the security team said, but the marketing department need creative freedom. do your best!"
I use Wordpress for my other blog The Gentleman Hackers Club and with a few key considerations you can protect your Wordpress project just as much as any other online application*
Things to do before you get that penetration tester in to make you feel bad.
We will cover very basic tick boxes on the bullets below and it will ensure you increased security on your Wordpress site ( you could also apply this to Joomla,Drupal,whatever CMS etc...)
- Automation Defence
Do not use shared hosting platforms. There, that was easy...
The truth is shared hosting platforms are cheaper but they are one of the highest points of compromise and leave you with problems out of your control, consider this... consider your site is secure... it's tight aint' no party like a yourwordpresshostedsecurely party.
You've won, but Sloppyjoe's website is riddled with security issues, it's like OWASP's WebGoat only he hasn't noticed, the problem is you and bob share the same server, so if an attacker comes in via Bobs website they may just well beable to hop into your folders where your site is hosted or into the database you both share... and attackers can see if you are on a shared host ... here is one example using Bing, let's pick a website (i'll search for Tooting Graphic Design - I live near Tooting and designers usually use shared hosting...
think about that when your design company offers to host a project for you
Okay, first results (this is purely for example and nothing illegal is happening here)
Okay, we have a domain name, let's Ping it and get it's IP Address...
Alright, we have an IP Address, now let's use Bing to fetch all websites that share that IP (as far as Bing is aware)
using the search query
IP: 188.8.131.52 we can see the following results:
Loads to work with, so if you where an attacker targeting one of those sites consider this... if you have read my last post on how many possible opportunities there are per link, consider how more likely success would be for an attacker if they have more than one site to work with, most of the time all you need is one flaw in one parameter.
Get yourself a Virtual Private Server (VPS) for your site, you will have full control over it, root access and it's all yours, you should only have ports open that are necessary to the project if it's a website you want port 80,443 and 22 open 80 for pain text http web 443 for secure web HTTPS and 22 for SSH SFTP Secure Shell Login and Secure File Transport)
Use nMap to make sure there are no other ports open, do this monthly and if it changes, investigate.
nmap -p- mywebsite.com -oX mywebsitescan.date.xml
I would love to tell you more about nMap, but it's bigger than this post, a lot bigger. Scan those ports!
Dead simple, keep it up-to date...
not just your Wordpress not just your plugins, but your operating system the server that is powering the site, if you work in a corporate environment then it's up-to the IT Team to look after the operating systems 'patching' check that that is their responsibility if so you can focus on being responsible for the web element - that's Wordpress and Plugins if you have a team of people champion someone to do this across your sites, lot's of people think 'hey, I have a website... cool - the end' you might, your clients might ... the truth is they sites like this (CMS's) need a bit of admin love, so log in once a week and update it if it asks, log in once a week just to see if there is any updates. UPDATE.
TLS / 'SSL'
TSL all the things.
You want those green HTTPS Bars, You want that padlock for your Wordpress Administrators security and your visitors, again if you have a IT team this can be their problem tell them that you basically want at least an A on This website SSL Labs ...
Uh on,I know what I'm dong after I publish this blog
Yea' Lets keep our connections as private as possible, it's important and it builds confidence in our visitors and reflects how we view their privacy
If you want to get your hands dirty, or you don't want a third party scanning your site yet check out this tool SSLScan I Highly recommend it.
Remember when people say SSL, they mean TLS - SSL is DEAD, do not use it.
Make sure the right people are allowed, not just those with a username and a password.
Wicked, so far you have an up-to date server on it's own hosting environment and a secure connection to it, let's get some 2 Form Authentication in place here, you might not think it's that important but maybe audit does... or maybe you do think it's important ! - good for you. there are two services I recommend DuoSec and Google Authenticator Both will do Wordpress logins and both will do SSH logins too and that's cool.
Do not use FTP,SFTP or FTPS without TLS - if that sounds confusing, Disable FTP and use SSH.
The reason we use two form authentication is so that if someone does compromise that text file on your desktop with all the account information in it, they cannot use it to access the site without having your device (smart phone, with the 2FA application running)
Do it, be cool. if you need inspiration to do it please click this link.
Threat No.1 for web hackers
Plugins are necessary most of the time, we use them because we need a function for the site in a hurry or even because we cannot afford the development time and cost of writing something that ...well is already available.
Usually on a Wordpress specific penetration test it is 90% of the time a plugin that will let the bad guys in, the plugin works fine functionally, it does that thing you need and thats why you installed it! but it doesn't do it securely. never assume a plugin is safe to use, there are some steps you can take to get confidence around installing them, The first thing you can do is have your site penetration tested by a security professional, they can throw everything and the kitchen sink at your site and see how it fairs up, you could have the plugins code reviewed by a security focused developer, make sure they have security credentials tho and haven't just watched swordfish and hackers a dozen times.
if you have no time or no more money left to do any of those things, get your hands dirty with some of the tools listed at the bottom of the article
Stop teh sCr1ptz (stop the script)
This isn't a huge topic but worth mentioning if you are welcoming input from THE INTERNET. get this on your site Google's ReCapcha It will basically drop the submission of any data (attacks?) that do not appear to be human, it's quite good, I'm not sure if it's 100% but would you rather deal with 100% or 1% right ?
Cleans thy traffic ...
Send all your traffic through cloud flare.
the benefits are, optimised content delivery but more importantly for me, it's a pretty good web application firewall, they have a free version, a business version, and a enterprise version, consider what fits best for you, also... hold back on buying your SSL/TLS certificate until you know what service you are using as they give you a 'free ssl' on some of the services, With cloudflare your traffic will be cleansed of any malicious submissions, they have seen it all before and can make it very difficult to attack sites going via them.
If you are having a penetration test done, do it before you migrate to cloud flare for more value in issues found
Tools & Resources
- WPScan Vulnerability Database
- SSL Scan
- Google Authenticator
- SSL Labs
When you see things like 'One Click Install' it makes all the things we covered look excessive and having to do ALL THAT STUFF is a drag, but look at all the things getting hacked, no one will challenge you for caring about company reputation, customer security and good security practice... what you need to be clear about is the time it takes to get this in place, you don't want the project manager saying hey we did this in 3 weeks last time what the hell, explain why you are doing it, and why as a company you should... it's a good thing, let's not be that site that got hacked and are mocked for $deity know's how long, lets not have to send an email out saying 'we care about security... and some bad dude on Darknet has your password,email address preferences and communications - be cool, be secure. it takes longer but that's only because we have been doing it wrong.