• First off I applaud the recent updates to WordPress that have implemented automatic updates, stronger passwords and the raft of recent security patches. Thank you.

    Sadly I feel WordPress is increasingly becoming a victim of its own success; maintaining a secure site (especially multiple) is becoming a burden. Sites I monitor see a ridiculous amount of malicious traffic; the internet is a seemingly more hostile place.

    I can’t help but think there will always be bugs, flaws and new attack vectors. I wonder if a good strategy would be to lock down some of the code base / attack vectors.

    A security step during the installation could offer options to:

    – Remove user roles that are not required. (why do subscribers see the admin area?!)
    – Disable comments (how many people now use WordPress as a CMS rather than blog, or use external comment providers).
    – Disable Appearance > Editor.
    – Disable XML-RPC
    – Along with a few other best practices as outlined in http://codex.wordpress.org/Hardening_WordPress

    Yes, most of this can be handled by plugins, functions.php or wp-config.php, but it would be great to have some sensible defaults and reduce the risk by reducing the scope of default functionality.

    ps. Very interested to hear if other site owners are experiencing similar levels of malicious activity.
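One way to apply the lockdown options listed in the post above, as an added example that is not from the original poster or from WordPress core, is a must-use plugin built only on WordPress's own constants and hooks; the file name and the list of roles to drop are assumptions for this example.

```php
<?php
/**
 * Plugin Name: Security lockdown defaults
 * Description: Added example (not WordPress core code). Save as
 *              wp-content/mu-plugins/lockdown.php so it loads on every request.
 */

// 1. Appearance > Editor and Plugins > Editor. Core checks this constant when
//    mapping the edit_themes / edit_plugins capabilities, so defining it here
//    (or in wp-config.php) removes both editors from the admin menus.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 2. XML-RPC. The xmlrpc_enabled filter only disables the authenticated
//    methods, so the unauthenticated pingback.ping method and the X-Pingback
//    response header are removed separately.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Comments and trackbacks, for a site used as a CMS rather than a blog.
add_action( 'init', function () {
    foreach ( get_post_types() as $type ) {
        remove_post_type_support( $type, 'comments' );
        remove_post_type_support( $type, 'trackbacks' );
    }
} );
add_filter( 'comments_open', '__return_false', 20, 2 );
add_filter( 'pings_open', '__return_false', 20, 2 );

// 4. Users who cannot edit content are sent to the home page instead of
//    wp-admin; adjust the capability if they must still reach their profile.
//    Roles to drop are an assumption; remove_role() writes to the database,
//    so it is permanent and must never remove the configured default_role.
add_action( 'admin_init', function () {
    if ( ! current_user_can( 'edit_posts' ) && ! wp_doing_ajax() ) {
        wp_safe_redirect( home_url( '/' ) );
        exit;
    }
} );
foreach ( array( 'subscriber', 'contributor' ) as $role ) {
    if ( get_role( $role ) && get_option( 'default_role' ) !== $role ) {
        remove_role( $role );
    }
}
```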

Viewing 7 replies - 1 through 7 (of 7 total)
  • – Remove user roles that are not required. (why do subscribers see the admin area?!)

    Users need to have (and should have) access to their profile information. Access to additional dashboard or administration features is determined by the additional roles, and granted only through user trust established by a site administrator.

    All current user roles each fulfill a need for assigning a specific level of user access, based on those well thought-out roles. The access levels and permissions granted to each of the roles can already be pretty easily re-defined on a granular level (plugin) but not everyone needs or wants to do that.

    – Disable comments (how many people now use WordPress as a CMS rather than blog, or use external comment providers).

    That capability is already present by default, and in more than one level of control.

    – Disable Appearance > Editor.

    Why? (Honest question..)

    – Disable XML-RPC

    It used to be disabled by default, and user configurable without the aid of a plugin. There’s an interesting discussion about that here: https://core.trac.wordpress.org/ticket/21509 Many more are pretty easy to find – and more recent 🙂

    Yes, most of this can be handled by plugins, functions.php or wp-config.php, but it would be great to have some sensible defaults and reduce the risk by reducing the scope of default functionality.

    I think WordPress does a remarkable job in regard to sensible defaults. You’ll never be able to please everyone, but the fact that WordPress relies on plugins to extend its functionality allows it to appeal to a wider audience of users – each with their own unique ideas, needs, and interests.

    Very interested to hear if other site owners are experiencing similar levels of malicious activity.

    Constantly. It’s an internet thing. 🙂

    Sites I monitor see a ridiculous amount of malicious traffic; the internet is a seemingly more hostile place.

    I can’t agree more. The higher the software (any software) profile and popularity, the bigger the target it becomes.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    the internet is a seemingly more hostile place

    Not really. It’s always been this hostile. Trust me on that.

    While it’s true that success makes you a target, what’s the solution? Less success? Madness.

    Best way forward is to secure yourself (use strong passwords and a password manager), and secure your systems (use a good host, don’t run insecure other things), and for the most part, that’s it. Not complicated.

    It’s a trust issue, ultimately. Place your trust well. And backup things extensively, just in case. So that you always have a fix.

    Thread Starter ianatkins

    (@ianatkins)

    @claytonjames re ‘Disabling Appearance > Editor’ – in a few blog posts on Sucuri I’ve read about the editor being used to install backdoors once access to the admin area has been gained.

    @otto in the last 10 years of building sites, this year has seen the most malicious activity; my personal experience is different. I’m not suggesting making WordPress less successful – I’m suggesting having options to lock down functionality which a user doesn’t require that can be a security risk. Whilst I do put my trust in WordPress, I don’t think it’s stupid to minimise the risk!

    The best way we’ve found to secure / maintain our sites has been dedicated hardware, putting the sites behind a WAF, a regular update routine, daily backup routines, regular uptime monitoring and strong passwords. This is quite the service overhead for smaller clients – but so be it.

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    this year has seen most malicious activity

    Just to chime in briefly: that activity doesn’t mean anything. It’s log data, and whether you are connected to the Internet using WordPress or not, you will see those probes. You’ll see probes for the Windows 95 “Ping of DEATH” or even Code Red II.

    Edit: No, not in your access_log file, on your… you get what I mean.

    *Drinks more coffee*

    They don’t mean anything. It’s when you use weak passwords that you should be worried and that’s the problem. It’s the reason that I do not use “security” plugins on my site.

    (Yes, I use Jetpack BruteProtect but that’s a quirk in my character. I don’t expect it to do anything for me. I just like data collection to help others.)

    If your site is up to date, patched and you selected good passwords, then you’re fine. If the volume of those probes hits DoS levels, then don’t worry about those settings above. They don’t do anything for a DoS attack and you have a different problem on your hands.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    The best way we’ve found to secure / maintain our sites has been dedicated hardware, putting the sites behind a WAF, regular update routine, daily backup routines and regular uptime monitoring and strong passwords

    All of these have been best practices for many years. Regardless of whether you use WordPress or not.

    Thread Starter ianatkins

    (@ianatkins)

    @otto Yes I don’t doubt that.

    Any thoughts on my original point? I still think it’s a sensible idea to lock down functionality that is not needed for that specific install, even if that’s an endeavour I undertake myself on a site-by-site basis.

    @jan Dembowski, ha, maybe lay off the coffee for a bit.

    Moderator Samuel Wood (Otto)

    (@otto42)

    WordPress.org Admin

    Any thoughts on my original point?

    Sure. None of your original points are security related in any way, as ClaytonJames pointed out earlier. That’s not how people “hack” sites. WordPress is secure by default. We always aim to keep it that way. Additional “hardening” measures are mostly for your own peace of mind, nothing more. I don’t bother with them, myself.

The topic ‘Security Lockdown’ is closed to new replies.