Best of “It’s not paranoid if they’re actually out to get you. And they are out to get you.”
In his fast-paced and engaging #DPA8 session, “Access Denied: Keeping Yourself off an Attacker’s Radar,” Paul Gilzow from the University of Missouri shared universal concepts and WordPress-specific examples for preventing exploits of your site and infrastructure through common vulnerabilities.
Why WordPress and higher education are attractive targets
WordPress has the blessing and the curse of having massive market share — over 25% of the entire web is powered by WordPress — and being open source. Open source, of course, is not bad in itself, but everyone can view the source code. Additionally, anyone can create and submit a theme or plugin, whether they know how to properly handle security or not. Finally, WordPress is famously easy to install, but not easy to secure. Many vulnerabilities occur because of weak passwords, poorly written plugins and themes, and out of date versions of the core software.
Education is an attractive target due to its sizable network capacity and availability, rich hardware infrastructure, SEO reputation, and lack of (enough) human resources to stay on top of security risks. If someone is able to gain access to the right systems, a treasure trove of personally identifiable information, confidential research data, proprietary intellectual property, and other resources are freely available. But even if they’re not attacking you or your data, they could be after the resources that you have access to.
So What Do We Do? Part 1: Use available tools to know where your vulnerabilities are.
Paul provided a rich list of available tools to scan and monitor your site for risks and vulnerabilities and gave a live-demo of one: WPScan. Using WPScan, Paul was able to quickly scan a site and learn a variety of things about the site including installed plugins and their known issues, the authors and usernames on the site. Using that information, he demonstrated how easy it was to exploit the site. (Spoiler alert: crazy easy.)
So What Do We Do? Part 2: Take counter measures to protect your site.
In general, do everything you can eliminate or limit the information that the bad guys can use to target your site.
For WordPress specifically, there are number of simple ways to hide, obfuscate, or lock down access.
- Protect wp-content
- Protect wp-includes
- Protect wp-admin
- Protect the root
Additionally, secure various areas of account enumeration.
- Prevent ?author=2
- Disable account name as permalink
- Remove author account from classes
- Remove default login error messages
- Use your school’s SSOID system
Be paranoid and be skeptical. Uninstall any plugins and themes that aren’t in use. And practice “defense in depth” — adding layer after layer of defense makes it ever-harder for someone to find a way in.
MUCH more information and specific code examples are available at: https://github.com/gilzow/access-denied
via a Creative Commons License