Upload File

wordpress - open source foundation for application security

  • Home
  • Documents
  • WordPress - Open Source Foundation for Application Security
32
WordPress Security Implementation Guideline Good practices and epic fails of WordPress implementations

Upload: others

Post on 05-Dec-2021

1 views

Category:

Documents


0 download

Report

TRANSCRIPT

Page 1: WordPress - Open Source Foundation for Application Security

WordPress Security Implementation Guideline

Good practices and

epic fails of WordPress implementations

Page 2: WordPress - Open Source Foundation for Application Security

About Me

• Information Security Consultant

– Application Security

– Secure SDLC

Dan VASILE

http://www.pentest.ro

[email protected]

@DanCVasile

http://nl.linkedin.com/in/dancatalinvasile
http://nl.linkedin.com/in/dancatalinvasile
http://nl.linkedin.com/in/dancatalinvasile
http://www.pentest.ro/
mailto:[email protected]
https://twitter.com/DanCVASILE
https://twitter.com/DanCVASILE
https://twitter.com/DanCVASILE
Page 3: WordPress - Open Source Foundation for Application Security

Why do I talk about WordPress?

• I use WordPress

• Previous talk @OWASP Ro InfoSec Conf 2013

• Working with 3rd parties on secure WordPress

implementation

• The project:

WordPress Security Implementation Guideline

https://www.owasp.org/images/9/9a/Dan_Catalin_VASILE_-_Hacking_the_Wordpress_EcoSystem.pdf
https://www.owasp.org/images/9/9a/Dan_Catalin_VASILE_-_Hacking_the_Wordpress_EcoSystem.pdf
https://www.owasp.org/images/9/9a/Dan_Catalin_VASILE_-_Hacking_the_Wordpress_EcoSystem.pdf
https://www.owasp.org/images/9/9a/Dan_Catalin_VASILE_-_Hacking_the_Wordpress_EcoSystem.pdf
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
Page 4: WordPress - Open Source Foundation for Application Security

Why do I talk about WordPress?

WordPress Security Implementation Guideline

https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
Page 5: WordPress - Open Source Foundation for Application Security

Scope

• Not just WordPress but Open Source adoption

• Framework for secure implementation

• Large scale integration

Page 6: WordPress - Open Source Foundation for Application Security

Scope

• General security

• Infrastructure security

• WordPress security

• Large-scale integration

Page 7: WordPress - Open Source Foundation for Application Security

Scope

• General security

• Infrastructure security

• WordPress security

• Large-scale integration

Page 8: WordPress - Open Source Foundation for Application Security

General & Infrastructure Security

General security

Page 9: WordPress - Open Source Foundation for Application Security

Scope

• General security

• Infrastructure security

• WordPress security

• Large-scale integration

Page 10: WordPress - Open Source Foundation for Application Security

General & Infrastructure Security

Infrastructure security

Page 11: WordPress - Open Source Foundation for Application Security

Scope

• General security

• Infrastructure security

• WordPress security

• Large-scale integration

Page 12: WordPress - Open Source Foundation for Application Security

WordPress security

WordPress Security Implementation Guideline

20 subjects

3 main components:

• Core

• Plugins

• Themes

Manual activities & plugin alternatives

https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
Page 13: WordPress - Open Source Foundation for Application Security

WordPress security

Updates

3 main types of updates:

• Core

• Minor

• Major

WordPress > v3.7 – automatic updates for Minor

Page 14: WordPress - Open Source Foundation for Application Security

WordPress security

Updates

Turn on auto-updates for Major/Core

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins and themes add a filter add_filter( 'auto_update_plugin', '__return_true' );

add_filter( 'auto_update_theme', '__return_true' );

Page 15: WordPress - Open Source Foundation for Application Security

WordPress security

Choose plugins carefully

Page 16: WordPress - Open Source Foundation for Application Security

WordPress security

Backup

What?

• Files • Core installation, plugins, themes, images & files

• Database

How?

Manual vs Automatic

Page 17: WordPress - Open Source Foundation for Application Security

WordPress security

Backup horror story 1

The good • Daily backup, files & database, 365 days retention

policy

The bad • No geographical redundancy, no disaster recovery plan

The ugly • HDD fail on main machine, faulty HDD on the backup

machine

• Missing data and database structure

Page 18: WordPress - Open Source Foundation for Application Security

WordPress security

Backup horror story 2

The good

• Proper backup to the cloud

The bad

• Backup credentials stored in clear text

The ugly

• Attacker compromising site and deleting backups

Page 19: WordPress - Open Source Foundation for Application Security

WordPress security

User roles

• Super Admin

• Administrator

• Editor

• Author

• Contributor

• Subscriber

Page 20: WordPress - Open Source Foundation for Application Security

WordPress security

Restricting access

Sensitive areas of the application must be protected from unauthorized access.

.htaccess

Order Deny,Allow

Deny from all

Allow from 127.0.0.1

Page 21: WordPress - Open Source Foundation for Application Security

WordPress security

Prevent brute-forcing

• Add CAPTCHA

• Blacklist attackers

• Lock accounts

Write a plugin that will lock an account

for a predefined period of time after a

number of failed attempts.

Page 22: WordPress - Open Source Foundation for Application Security

WordPress security

Add blank index.php

This should be covered by Apache configuration,

but it’s not always the case.

Page 23: WordPress - Open Source Foundation for Application Security

WordPress security

Missing blank index.php

Page 24: WordPress - Open Source Foundation for Application Security

WordPress security

Force encryption on data in transit

There are cases where both port 80 and 443 are

used.

Sensitive operations must use SSL:

define('FORCE_SSL_LOGIN', true);

define('FORCE_SSL_ADMIN', true);

Page 25: WordPress - Open Source Foundation for Application Security

Scope

• General security

• Infrastructure security

• WordPress security

• Large scale integration

Page 26: WordPress - Open Source Foundation for Application Security

Large scale integration

Large scale integration

• Creating a standard image

• LDAP integration & Single Sign On

• Multisites

• Unified management of multiple installations

Page 27: WordPress - Open Source Foundation for Application Security

Large scale integration

Creating a standard image

• Blank image (no data)

• All the updates

• All the basic shared plugins and themes (&data?)

Purpose:

• Testing ground for new stuff

• Create new instances, secure by default

Page 28: WordPress - Open Source Foundation for Application Security

Large scale integration

LDAP integration & Single Sign On

• Integration with Active Directory

• Single Sign On (SSO)

Why?

• Centralized user management

• Use existing hierarchy

Page 29: WordPress - Open Source Foundation for Application Security

Large scale integration

Multisites

• Built-in WordPress functionality

• End users can create their own sites on

demand

Downside

• Shared components (plugins)

Page 30: WordPress - Open Source Foundation for Application Security

Large scale integration

Unified management of multiple installations

• Self-hosted and cloud solutions

Why?

• Centralized login and management

• Push updates to all instances

Page 31: WordPress - Open Source Foundation for Application Security

What’s next?

Next steps

• Contribute to the project

Wordpress Security Implementation Guideline

• Share the knowledge

• Write secure code for WordPress

• Help others

https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
Page 32: WordPress - Open Source Foundation for Application Security

Q&A


2016 GE Foundation Contributions Above $10,000 Source …dsg.files.app.content.prod.s3.amazonaws.com/ge... · 2017-03-16 · 2016 GE Foundation Contributions Above $10,000 Source

Tom Jazwinski. What Is WordPress? WordPress is a free open-source content management system. Open-source means that the code can be modified by anyone

Open Source Software: WordPress LI815 Dawn Brumbley

WordPress + Joomla! + Mautic, An Open Source Hat Trick

Introduction to WordPress - mtholyoke.eduIntroduction to WordPress I. Introduction: What is WordPress? WordPress is a free, online and open-source content management tool that allows

Build a Responsive WordPress Theme With ZURBs Foundation 5 Framework

Build a Responsive WordPress Theme with Zurbs Foundation Framework

jQuery Open Source Process (Knight Foundation 2011)

Team foundation server - more than source control

Idealware - Comparing Open Source CMS: Wordpress, Joomla, Drupal & Plone

Wordpress - Verdens bedste open source system til hjemmesider

Open Source Academy Presentation on Open Source and Wordpress

Priming Your WordPress Canvas – Essentials for a Solid Foundation

Create website using open source CMS WordPress by swapnil chafale

iThemes: Premium WordPress Plugins & Tools - …...WordPress: The Perfect Platform WordPress is the perfect platform for building recurring revenue. WordPress is open source, and the

Team Foundation Server - Source Control

WordPress Development Company - Best Source for the Development

WordPress€¦ · WordPress i About the Tutorial WordPress is an open source Content Management System (CMS), which allows the users to build dynamic websites and blog. WordPress

Figuring Out WordPress - MayeCreate · Figuring Out WordPress A beginner’s guide to the awesome Open Source software that is WordPress. Presented By:

INTRODUCTION WordPress is an open source Content ... · WordPress was announced as open source in October 2009. Features User Management: It allows managing the user information such

5 Days Open Source Workshop Joomla – Wordpress – Zen Cart

Managing Open Source Better Together - Linux Foundation

Source: Foundation for Defense of Democracies The

Open Source Geospatial and the OSGeo Foundation

Make Cash. Using Open Source. And WordPress

WordPress Foundation

Umgang mit Frustration im Open-Source-Projekt WordPress

Wordpress. Wordpress… Open Source – GNU General Public License Wordpress…

WordPress, an Open Source CMS Technologies

Linux Foundation Networking Harmonizing Open Source and

Intro to the Open Source Geospatial Foundation

Open Source Geospatial Foundation: Growing Communities

Open Source CMS - Wordpress - IRLOGI · Open Source CMS - Wordpress Maps - OpenLayers 3, ... IPPC EPA IPPC facilties ... SIRBD Morphological supplementary measures

WordPressテーマ Foundation for WordPress の紹介

Build a Responsive Theme in WordPress with ZURBs Foundation 5 Framework