Download to read offline
Uploaded byJason Yingling
Ithemes presentation
The document provides a comprehensive overview of WordPress security measures using iThemes Security, emphasizing hardening techniques, access controls, and maintenance practices to protect a website from common security threats. Key features include brute force protection, two-factor authentication, login area customization, and regular backups. Additionally, it discusses advanced settings and features available in iThemes Security Pro for enhanced protection and password management.
More Related Content
Ithemes presentation
- 1. WordPress Security using iThemesSecurity Jason Yingling | Lead Developer Red8 Interactive | red8interactive.com @jason_yingling | jasonyingling.me
- 2. HHAM • Hosting • Hardening •Access • Maintenance
- 3. WordPress Hosting • Supportfor latest software • Optimized for running WordPress • Malware scanning • Work with WordPress 24/7 • Backups
- 4. Hardening • Protecting yoursite from common security risks – Don’t use the ‘admin’ username – Strong passwords – Hide the login area – Brute Force Protection – 404 Protection – Malware scanning
- 5. Access • Minimize numberof administrators • Remove file editing from dashboard • Two Factor Authentication
- 6. Maintenance • Keep WordPressup to date • Keep plugins up to date • Remove unused themes and plugins
- 7.
- 8. iThemes Landing Page •Broken down into high priority, medium priority, and low priority
- 9. Global Settings • Writeto wp- config.php • Emails for lockout notifications, file change warnings, etc.
- 10. Global Settings • Errormessages to display to locked out users
- 11. Global Settings • Enablesblacklisting repeat offenders • Good idea to switch these up from the defaults
- 12. Global Settings • Enablesblacklisting repeat offenders • Good idea to switch these up from the defaults
- 13. 404 Detection • Blocksattacker for scanning for known vulnerabilities
- 14. Away Mode • Allowsfor disabling access to the dashboard between certain hours • Do you really need to be able to edit 24/7? • Taking a vacation
- 15. Banned Users • Enable HackRepair.com’s blacklistfeature • Enable Ban Users • Permanently bans attackers IPs
- 16. Brute Force Protection •Limit the number of bad login attempts before temporarily locking out the offending host
- 17. Brute Force Protection •Switch it up from the default • 4 Max Login Attempts Per Host • 9 Max Login Attempts Per User • 6 Minutes to Remember Bad Login
- 18. Database Backups • Sendsa database backup via email or stores on server • Plugins – BackupBuddy – BackWPUp – WPmudev Snapshot – VaultPress
- 19. File Change Detection •Allows you to include and exclude specific files that may change often • Helpful to see what files were changed if an attack happens
- 20. Hide Login Area •Change login url from /wp-admin • Makes it more difficult for attacker to find login area • Avoid using iThemes default /wplogin
- 21. SSL • Requires SSLsetup on server • Allows you to force SSL for Dashboard
- 22. Strong Passwords • Enablesyou to force strong passwords for users for certain user roles
- 23. System Tweaks • Someof this may be performed by your host • Good idea to have on unless you know something conflicts on your site
- 24.
- 25.
- 26.
- 27. Advanced Settings • Changename of ‘admin’ user • Change user with id of 1
- 28. Advanced Settings • ChangeWordPress salts
- 29. Advanced Settings • Changename of wp-content directory • Not necessary on most WP specific hosts
- 30. Advanced Settings • Changedatabase prefix to make your tables harder to find
- 31. iThemes Security Pro •Allow you to temporarily bump a users access
- 32. iThemes Security Pro •More password options • Password generator on user profile • Password expiration • Force password change
- 33. iThemes Security Pro •Use Google’s reCAPTCHA for login, registration, and commenting
- 34. iThemes Security Pro •Allow users to setup Two Factor Authentication using Google Authenticator app
- 35. iThemes Security Pro •Log user activities at a certain role such as login, saving content, and more
- 36. Locked yourself out? •Login to your database via phpMyAdmin or a program like Sequel Pro • Navigate to the itsec_lockouts table • Delete the row with your IP
- 37. Locked yourself out? •Disable plugin via FTP • Navigate to /wp-content/plugins • Rename the ithemes-security plugin directory
- 38. Questions? • Jason Yingling| Red8 Interactive • @jason_yingling • http://jasonyingling.me
Editor's Notes
- #3 4 key components to WP security
- #4 We use WP Engine. They keep daily backups for 30 days and have a partnership with Sucuri for scanning havked sites and fixing issues
- #6 This gives attackers less avenues for gaining access.
- #8 - Formerly BetterWPSecurity (believe the free version shows up as that still in the file directory) - Upon activating iThemes Security you’ll get the important first steps screen
- #9 Good idea to take care of high priority items
- #10 Need to allow for iThemes to write to wp-config.php file
- #11 - Error messages to display to users / hosts for different lockout reasons
- #12 - Allows users / hosts to be banned for hitting a certain limit of lockouts within a certain time period
- #13 If you’re forgetful you may want to white list your IP. - Use this sparingly
- #14 Detects hosts that are hitting an unusually high number of 404 pages This can occur when an attacker is scanning for known vulnerabilities in plugins and themes on your site if those files don’t exist
- #15 Let’s you completely block access to the backend during certain periods Can set up daily or one-time limits
- #16 -Allows you to use hackrepair.coms list of known bad hosts / bots -Enabling ban users let’s you permanently ban bad hosts
- #17 - Brute Force Protection let’s you limit the number of bad login attempts before temporarily locking out the offending host
- #18 Good idea to avoid the iThemes defaults because as it becomes more commonly used attackers will learn the defaults (not a big thing)
- #19 Let’s you get a copy of the database emailed or stored on the server I’d suggest using other backup software that let’s you store backups at an external source such as Dropbox or Google Drive
- #20 Can detect if files were changed and show which files Can be annoying with plugin / theme updates
- #21 Makes it harder for an attacker to find your login area
- #22 -Allows you to force SSL if you have it set up on your server -
- #23 Allows you to force users at or above a certain role to use a strong password
- #24 Probably good to have these on for most simple WordPress sites
- #25 Removing the generator meta tag and displaying a random version make it more difficult for an attacker to zero in on known vulnerabilities with past versions Who doesn’t want to reduce comment spam?
- #26 -Disable the file editor hides the edit function from plugins and the Apperance menu. If you edit your theme directly form the WP-Admin you’ll want to leave the file editor on. I always edit my code from a separate program as it is more secure to have the file editor hidden.
- #27 -I don’t mess with replacing the jQuery version as it could cause issues with themes functionality if they were built for a specific version I generally leave the login error message enabled Forcing a unique nickname helps prevent users from displaying their username within a post.
- #28 Allows you to change the admin username if ‘admin’ exists and change the user id if there is a user with id of 1. Both are good to do as an attacker usually knows that account has the most access
- #29 -Salts are secret keys used by WordPress in the wp-config.php files to increase security. These can be updated from iThemes. -I generally don’t mess with this as I generate salts during the initial WordPress install
- #30 - This one can be tricky. It’s probably unneccesary on WP specific hosts as they’ll have measures in to protect wp-content and may not even allow you to change the name of this directory
- #31 -changing the database prefix to something other than wp_ is good to make it harder for an attacker to find your database tables
- #32 -These are some of the pro features for the paid version - Privilege escalation let’s you temporarily increase a users privileges, say if you have a developer that needs admin access for a week
- #33 Pro also gives you more password options such as: - adding a password generator to user profiles - setting password expirations - and forcing users to change their password on their next login
- #34 You can also add a Google reCAPTCHA field to your login screen that will help to prevent people from brute forcing your site
- #35 Pro also allows you to give users the option for Two Factor Authentication through the Google Authenticator app. This requires users to enter a specially generated 6 digit code from their phone when logging into the site A huge increase of security
- #36 -User logging let’s you track actions of users at or above a certain role -Actions like logging in and saving content