WordPress Security Best Practices and Penetration Testing.
Back in July 19, I went to a WordPress gathering hosted by a WordPress group via Meetup.com. This was the first event of this group I had been to and I went specifically because this meeting was a presentation about the Security and Penetration Testing of WordPress sites.
The speaker at the gathering was Tim Nash @tnash and I learnt the following –
- Confirmation that I know my subject matter, because Tim and I both had the same thoughts and attitudes towards website security best practices.
- I learnt something new, because I accept that no one person knows it all and improvement comes through education and networking at events such as these.
Tim gave a very witty and charming presentation and below are some key points that you could apply to your own WordPress website application.
So here we go…
- The majority of attacks against your website are not hardcore hackers sitting in darkened rooms wearing balaclavas, nor are they Advanced Persistent Threats (the “spooks” of dubious foreign governments). The most likely attacker of your company’s WordPress installation is not human at all: it is automated software, a “bot”, scanning the Internet 24/7/365 for the next easy target to exploit.
- You may well be thinking to yourself, “why would anyone attack my company website? We only do X”, but a bot doesn’t care what your company does; it just wants to find vulnerable targets it can exploit for its own malicious purposes.
- WordPress security plugins seem like a logical idea, but they can create resource availability issues, e.g. performance degradation of your website, leading frustrated potential clients to leave your site because of page load times.
- “Wordfence” is a good example of a plugin that you think is there to help but can actually create a site degradation and performance issue.
Some of the many genuine best practices recommended for your WordPress website include –
- Turn on “Automatic Update” for WordPress core, plugins, themes and basically anything else that supports the option.
- Use Multi Factor Authentication on your WordPress accounts.
- Audit and monitor for privilege creep, who has Admin level access to your site? Do they really need that level of access just to make a blog post?
- Most users can perform all their required job functions with an Editor level account.
- Buy themes from reputable sources, for two reasons: 1) the theme is less likely to be a Trojan horse (malicious software) and 2) you will get reliable future software updates.
- Monitor your site’s uptime and availability with software such as “updown.io”.
- At the minimum you should be monitoring for changes to your Home page headers and footers and for changes to your Login page.
- “Stream” is a plugin that can be used to Audit Users.
- Whatever logging system you adopt, the best practice is to store log files on a separate remote server.
- The minimum you need to be logging is error and access log activity.
- Disaster Recovery plans are a fundamental part of your business.
- Have backups, but also test the backups to confirm that they will serve their purpose if and when you need them.
- You should be actively testing the security of your WordPress site. Read on…
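The change-monitoring point above (home page headers and footers, and the login page) is easy to automate. The script below is an added example, not something from Tim’s talk or OIC Solutions’ own tooling: it fingerprints the `<header>` and `<footer>` regions of the home page and the whole of `wp-login.php`, stores a baseline on first run and reports `CHANGED` (non-zero exit, so cron can alert) on later runs. It assumes `curl` plus `sha256sum` (or `shasum`) are installed and that your theme wraps those regions in `<header>`/`<footer>` tags, which most current themes do; the baseline directory and the function names are this example’s own choices.

```shell
#!/bin/sh
# Added example: detect changes to a WordPress home page's header/footer and to wp-login.php.
# Assumes curl and sha256sum (or shasum) are installed, and that the theme wraps its header and
# footer in <header>...</header> / <footer>...</footer> (an assumption: check your own theme).
# Baseline directory and function names are this example's own choices.

# Hex SHA-256 of stdin, using whichever tool the host has.
_sha() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum | cut -d' ' -f1
  else shasum -a 256 | cut -d' ' -f1; fi
}

# Read HTML on stdin, keep only the <header>...</header> and <footer>...</footer> regions and
# hash them, so ordinary new posts do not raise alerts but a tampered footer does.
region_fingerprint() {
  awk '
    { buf = buf $0 "\n" }
    END {
      n = split("header footer", tags, " ")
      for (i = 1; i <= n; i++) {
        s = index(buf, "<" tags[i]); e = index(buf, "</" tags[i] ">")
        if (s > 0 && e > s) out = out substr(buf, s, e - s) "\n"
      }
      printf "%s", out
    }' | _sha
}

# Compare a fingerprint with the stored baseline: the first run records it, later runs print
# OK or CHANGED. Returns 1 on a change so a cron job can alert on non-zero exit.
check_fingerprint() {
  name=$1; current=$2; dir=$3; base="$dir/$name.sha256"
  if [ ! -f "$base" ]; then
    printf '%s\n' "$current" > "$base"
    echo "BASELINE $name $current"; return 0
  fi
  stored=$(cat "$base")
  if [ "$stored" = "$current" ]; then echo "OK $name"; return 0; fi
  echo "CHANGED $name stored=$stored now=$current"; return 1
}

# Fetch the live pages and run both checks; returns 2 if a fetch fails, 1 if anything changed.
# Example cron line:  */15 * * * *  /usr/local/bin/wp-monitor.sh https://www.example.org
monitor_site() {
  site=$1; dir=${2:-$HOME/.wp-monitor}; tmp=$(mktemp); rc=0
  mkdir -p "$dir"
  curl -fsS -o "$tmp" "$site/" || { rm -f "$tmp"; return 2; }
  check_fingerprint home_header_footer "$(region_fingerprint < "$tmp")" "$dir" || rc=1
  curl -fsS -o "$tmp" "$site/wp-login.php" || { rm -f "$tmp"; return 2; }
  check_fingerprint login_page "$(_sha < "$tmp")" "$dir" || rc=1
  rm -f "$tmp"
  return $rc
}

# Run directly: ./wp-monitor.sh https://www.example.org [baseline-dir]
if [ -n "${1:-}" ]; then monitor_site "$@"; fi
```

A legitimate theme or core update will also trip the check (the login page, for example, carries version numbers in its stylesheet links), so re-record the baseline after an update you made yourself: every other `CHANGED` deserves a look.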
OIC Solutions appreciates that many people don’t understand hacking techniques and, to be honest, don’t want to: their business is their business and IT security is our business.
OIC Solutions offers clients a reasonably priced security assessment of your WordPress application that will identify issues and provide tangible solutions.
Further specific information about this testing service is available here.
Maybe you want to go it alone… That’s fair enough. The following are some of the tools we recommend.
- Kali Linux is an open source operating system crammed full of tools and is available here. It is the weapon of choice for Malicious Hackers and IT Security Professionals alike. You always have to remember that the Tool is not inherently bad. It is the intention of the user of the tool that makes the difference, but I digress into Ethics and Philosophy.
- Next, establish which ports are open and accessible to the rest of the world on your web server. The more open ports there are, the more attack vectors exist. You can establish your public footprint using a tool such as Nmap. A guide to using Nmap is available here and the most basic scan command is below:
- nmap -Pn <website address>
- As a Security Tester I routinely discover port 3306 (Database), port 22 (Remote Connections) and port 21 (File Transfer) open on web servers. Unless there is a serious business justification for these ports being open to the whole world, these ports should be closed.
- The next recommended action is to run a scan with a piece of software such as Nikto, which will assess the overall health and security of your web server. The tool is part of the Kali operating system and a guide is available here, but the most basic scan command is below:
- nikto -h <website address> -p <port number>
- WPScan is a tool specifically designed to assess the security of WordPress applications. Again, this tool comes free as part of the Kali Linux operating system. Information about this application is available here, but the most basic scan command is below:
- wpscan --url <website address>
- WPScan can take some tweaking to get the best out of it. Further research on your part may be required.
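The three scans above produce a lot of output, and the question that follows is how to read it. As an added example (not from the post, Tim’s talk or any of the tools’ own documentation), the script below runs the three scans against the web server hosting your own WordPress site, keeps the raw output for review and then interprets the Nmap result automatically: it reads Nmap’s “grepable” output and warns about the three ports the post calls out (21, 22 and 3306) when they are reachable from the whole Internet. It assumes Kali or any host with `nmap`, `nikto` and `wpscan` installed; `flag_exposed_ports` itself only needs `awk`, so it can also be fed a saved `nmap -oG` file. Output paths, the risky-port list and the function names are this example’s own.

```shell
#!/bin/sh
# Added example: run the post's three scans against the web server hosting your own WordPress
# site and interpret the Nmap result. Assumes nmap, nikto and wpscan are installed (Kali has all
# three); flag_exposed_ports only needs awk. Paths and function names are this example's own.

# Ports the post says are routinely found open on web servers but rarely need to be public.
RISKY_PORTS="21 22 3306"

# Read nmap "grepable" output (-oG) on stdin and print one line per open port, prefixed with
# WARN when the port is on the risky list. Returns 1 if any risky port is open, else 0.
flag_exposed_ports() {
  awk -v risky="$RISKY_PORTS" '
    BEGIN { n = split(risky, r, " "); for (i = 1; i <= n; i++) bad[r[i]] = 1; found = 0 }
    /^Host:/ && /Ports:/ {
      s = index($0, "Ports:"); ports = substr($0, s + 6)
      t = index(ports, "\t"); if (t > 0) ports = substr(ports, 1, t - 1)   # drop "Ignored State:" tail
      m = split(ports, list, ",")
      for (i = 1; i <= m; i++) {
        sub(/^ +/, "", list[i]); split(list[i], f, "/")   # f: port/state/proto//service///
        if (f[2] != "open") continue
        if (f[1] in bad) {
          print "WARN port " f[1] "/" f[3] " (" f[5] ") reachable from the Internet: restrict with a firewall or close it"
          found = 1
        } else {
          print "open port " f[1] "/" f[3] " (" f[5] ")"
        }
      }
    }
    END { exit found }'
}

# Run all three tools against one host and keep the raw output for later review.
scan_own_site() {
  host=$1; out=${2:-./scan-$host}
  mkdir -p "$out"
  nmap -Pn -oG "$out/nmap.gnmap" "$host" > "$out/nmap.txt"
  flag_exposed_ports < "$out/nmap.gnmap" | tee "$out/ports-summary.txt"
  nikto -h "$host" -p 443 -o "$out/nikto.txt"
  wpscan --url "https://$host" --enumerate vp,vt -o "$out/wpscan.txt"
}

# Run directly: ./scan-site.sh www.example.org [output-dir]
if [ -n "${1:-}" ]; then scan_own_site "$@"; fi
```

The fix for a `WARN` line is the one the post gives: close the port, or limit it at the firewall to the addresses that genuinely need it (your office or a VPN for SSH, the application server only for MySQL). The Nikto and WPScan reports still need reading by hand; `--enumerate vp,vt` asks WPScan to list plugins and themes with known vulnerabilities, which is the part of its output most worth acting on first.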
These are the three tools you should be using and the three scans you should be performing.
But the next problem is “Do you know how to interpret the results?” and then “OK, I have interpreted the results, how do I fix them?”
OIC Solutions can help you with all of these questions and tasks.
You can contact us here or at firstname.lastname@example.org or on +44 (0) 207 993 2239