We Hack Purple Podcast

We Hack Purple Podcast Episode 34 - WordPress Security Best Practices

April 21, 2021 Tanya Janca Season 1 Episode 34

After a scheduling snafu with our guest, host Tanya Janca decided to do a deep dive on WordPress security best practices, and how she performed a security assessment on the brand-new We Hack Purple website. Plus (of course) a sneak peek at the site! Check it out!

Thank you to our sponsor ThreadFix!

Buy Tanya's new book on #ApplicationSecurity: Alice and Bob learn Application Security.

Don’t forget to check out #WeHackPurple Academy’s NEW courses, #AppSec Foundations taught by Tanya Janca! https://academy.wehackpurple.com/

Join our Cyber Security community: https://community.wehackpurple.com/
A fun and safe place to learn and share your knowledge with other professionals in the field. 

Subscribe to our newsletter! Sponsorship info: [email protected]

#TanyaJanca #SheHacksPurple #DevSecOps #CyberTraining

Find us on Apple Podcast, Overcast + Pod 

[Music] Hey hey, welcome to the We Hack Purple podcast, where usually each week we meet a different member of the information security industry to talk to them about their super cool jobs. We had a really big miscommunication with our guest this week and they can't make it, and so if you were really hoping to talk to that person, I'm sorry, but sometimes that's luck. But I wanted to share a couple extra things with you and then hold an ask-me-anything session, so if any of you have some application security questions or cyber security questions, if you want to put them in the chat, I'm just going to answer them until we run out.

But first I want to make fun of my website. So if we could bring the website up on the screen, there we go. So I have commissioned a company to make me a new website, and point blank, it's beautiful. It is way better than our current website, wehackpurple.com, which I made myself over a weekend when I was in a bad mood after firing a contractor who I had hired and not had good luck with. Our project had been five months behind and I was just like, forget it, I'm just gonna throw something together, and that is what wehackpurple.com is. I kid you not, I just found an HTML5 template and I was like, good enough, let's give her. And because HTML5 is dumb, I didn't need to do any security testing. I didn't take advantage of any of the fancy HTML5-like things that it can do, all the features, etc. I just made a dumb flat website that does nothing and then linked out to a bunch of super cool SaaS products that We Hack Purple uses to provide our academy, our community, our newsletter and also our swag shop.

But as you can see now, this website is smart. So this website is built in WordPress, and I immediately was like, I don't know, WordPress, it has such a bad rep in the security industry. But that's old WordPress, not new WordPress. So back in the day, yes, on average people would have tons and tons and tons of different plugins, and some of the plugins that they would choose were not updated, not very secure, etc., and so a lot of web pages got broken into through the plugins, and I was aware of that. Also, previously lots of people just didn't ever update WordPress, so a vulnerability would be found, the WordPress team would work really hard to fix it, but then no one would update. So now you can have it auto-update and all sorts of fancy-pants stuff. There's also now all sorts of companies making cool WordPress plugins to help you with your security. Yes, so obviously I wanted to get one of those.

So let me give you a tour, a sneak peek, of the soon-to-be-live We Hack Purple website, and then I'm going to tell you things that are wrong with it, which is why it's not live yet. And so don't go to it, because I realize that the URL is in the video; however, this is just a copy, it's just a demo. This is the demo for me, the QA, as the user. So you land on the We Hack Purple web page and the first thing that you see is this sliding bar. It's beautiful. So you see the academy, and then you see the community, you see the podcast, that's us, then you see the swag store, and lastly the newsletter.

Oh, you know what, I forgot something really important. I wanted to thank our sponsor ThreadFix. Thank you ThreadFix for sponsoring us, thank you to Denim Group. They have been 24/7 awesome with We Hack Purple, and you may not be aware, but they just sponsored yet another diversity scholarship. Yes, thank you. Okay, but back to the matter of making fun of my own website.

So if we scroll down a bit more you can see "Join the purple revolution." I had a bunch of characters all designed; I've had like a graphic designer doing fancy stuff, a web designer, all sorts of fancy things. I am awful at this; visual displays of things is not my jam, so I hired professionals that know what the heck they're doing, and this looks really great. So then we have the academy, where you can see a bunch of our courses. As you know, we are currently working on a brand new course, Secure Coding. We just finished all the videos for "talking head," as I like to call it, so that's where I'm standing or walking and then speaking directly to the screen, where I break the third wall or whatever it's called in television. And then I'm about to start doing all of the exercises, and kind of like the me-in-the-small-corner-with-just-lots-of-code-and-stuff video, and I am super excited about that.

So then we scroll more; there's the We Hack Purple community. I love these, look at the little heroes, again see how they come out. Anyway, they're already up, but I really liked that. I like the idea that security people are kind of like superheroes; we are protecting the internet and I think that's great. So you can join the community, and then there's the podcast. There's V, she's my friend; there's Sasha, that's my friend; there's me being a dweeb in the middle. So at the bottom it says join our newsletter, you won't regret it. I really hope that's true. I have an intern, she's amazing, she's totally amazing, and she's been working so hard to make our newsletter awesome. Personally I think she's done a fantastic job, she's just been out-of-this-world awesome. If you're listening, Lillian, A plus.

And then there's a blog, and I am going to start blogging here instead of medium.com, which charges people and I don't really like that, and also dev.to. I think the dev.to people are actually really awesome; I actually had a chance to meet some of the core team and they were great, they're super concerned about security, which I have to tell you I quite like. But I kind of want to have my own blog on my own site instead of off on someone else's site, so that's part of why we chose WordPress as our technology. So then at the bottom you have this fancy thing, we have like a copyright. In Canada you can just say copyright and then it's yours; I enjoy that. You might not be aware that We Hack Purple is the common name of our company; the legal name is Janca Enterprises Incorporated, which I have to say is really dull. That wouldn't be good for marketing, but it does make it clear that it's probably me, because there aren't very many Jancas.

I'm gonna see if there's questions in the chat. Oh, thank you Nancy, oh, thank you Kellen, and then yes, the cheese question is important and I will answer the cheese question at some point.

So I want to show you a few more things. So if we click on the academy, it just brings us over to our current academy. So we transferred over to this months ago because of the pandemic; a whole bunch of things got delayed with this project. We're working with a company from India, because quite frankly, like the head of that company is like besties with one of my friends that I really like, and he's like, this dude's awesome, and like, it's beautiful, like clearly he did a great job. But COVID has made a lot of things complex and delayed a lot of stuff. So then there's our beautiful community, which you can see all sorts of parts of. So you might not have been in the community before. I probably shouldn't show you people's messages, but basically there's all sorts of events and topics. So we have like a really nice event calendar, lots of cool stuff. I'm gonna be going to this on Sunday with Clint, yeah. We have different topics, we have different professions, we have different channels. Anyway, this is the academy; I'm super biased, I think it's awesome. The community, it is my favorite place on the internet.

So then we have the podcast page, which I think is awesome. So this is our guest that we're currently rescheduling, Ayodele. She's a data scientist, she's so cool. We actually had Swathi on already and we had Annie on already and both of them were totally amazing. I don't know if you remember their episodes, but both of them were totally awesome, and this is the episode we're supposed to be doing right now, but again, some miscommunications, and sometimes that's life. And then you can see every single past episode that we've ever had with all these incredible human beings; like, it just goes on and on of awesome, and then you click "more podcasts" and you can see even more. So that's cool.

You can see our Shopify shop where you can buy super cute swag. So I'm actually wearing this t-shirt right now, I'm wearing the She Hacks Purple t-shirt right now. We have socks now, but you know the actual thing that we're selling the most of is the femme hoodie; we've sold by far the most of that of anything on here, the femme hoodie. Also the She Hacks Purple t-shirts have sold the best, not We but She, yes. I have to say I'm loving it. So yeah, so there's a lot of cool stuff.

And then there are the blogs. I am the most excited for the blog section. There's going to be a whole bunch of blogs here because I am slowly going to transfer over old blogs to here and then get rid of my original blog. And also, like, I've been dying to release new content, but I've been waiting specifically so that we could do this, and then the pandemic, and then people aren't allowed going here and there, and it's just been, there's been problems. We've added this cute part called testimonials. So we actually have so many testimonials, like we have tons and tons, like we have pages and pages. So we're starting with this; I'm just gonna keep adding them and adding them. People keep giving us reviews and stuff. Thank you. Every time you review my book, every time you review our course, every time you review our podcast, it helps me so much. It helps me find amazing sponsors like ThreadFix. We have a bunch of cool new sponsors coming up that are different and new. So we've had a long-term relationship with ThreadFix and we plan to continue that in many ways, but they're like, why don't you try getting even more sponsors and charge more money? Well, that is friendship; if I tell you anything, that's friendship. Okay, so we have tons and tons and tons of testimonials.

Then we have an about section where I talked about us, and then I had to talk about me, and I was just like, I'm a giant nerd on the internet, what do you want from me? And then, so this is the page that I'm sort of the most excited about for you and everyone else, and this is the frequently asked questions page. So you might be thinking like, oh, like FAQs are boring. I made a special video for every, almost every single question. I totally am enjoying the still of my face here; I look very silly. I am really good at making fun of myself, I'm better at it than most people. And so we actually go through a whole ton of stuff. So like, some of the things that I just get such common questions about: so what is Cyber Mentoring Monday, how can I be involved, how can I be a good mentor. So I just detail everything about it for you, so you no longer have to kind of search on the internet and figure it out yourself. I was just like, why don't I just tell everyone about WoSEC, why don't I just tell everyone about Alice and Bob, like why make them search all over the internet, why not just make it, you know, easy.

So the last one is one that I have wanted to tell people for a long time: are you willing to volunteer or just answer a few questions, or like review a blog post, or have a Zoom call, or just perform some unpaid work for me, Tanya? I just want some free consulting, that's it. No. I have like politely been fielding this question several times per week for like years, and so like I really look forward to being like, direct yourself to the last question on this page. Like, no, that qualifies under me working for free for a stranger on the internet. Like, sometimes I like to volunteer at stuff, but yeah, I get asked, can I just pick your brain for like an hour, like so many times per week that I wouldn't be able to hold a job. I'm just like, I don't know where these come from. But anyway, so I have like all sorts of different videos. This is a really great face I've got going on here. But yeah, I'm really excited about that.

And then the contact page, as you might imagine, super boring. It's just like, you can email us about the academy, you can email us about the community if you're having a problem, there's support, training, info, and then you can like follow us in various places, newsletter, etc. It's not like super... I feel like it's what you would imagine a corporate website to look like, I hope. I feel like it's a huge upgrade from our previous one. I don't know, can you hear the Slack sounds? Because someone has been like Slacking me a lot and I think I'm just gonna quit Slack.

Okay, so how did we want to secure WordPress? Because I feel like even though our guest can't make it, I still want to share a bunch of stuff. Okay, good, you can't hear my Slack, thank you for letting me know. Okay, so the first thing with WordPress is you want to use the absolute newest version. That's the number one most important thing: use the newest version, and for every single plugin you use... you want to use the least number of plugins you can. So one of the plugins that they gave me the list for was dummy data, and they had been using dummy data to show it to me. Well, I like came up with the data that they needed, and so I was like, so I told them, now that we don't need dummy data, could we remove this and remove some of our attack surface. Like minimizing your attack surface, removing every single plugin that you are not using, that is a good thing. Then the next thing is, are we using the latest version of every single one of them? And we went through and some of them we weren't, so I asked them to update them to the absolute newest version, and we're going to retest, make sure it's okay. Great.

Oh, I'm seeing a comment in the chat. James Newton-King said he thinks about FAQs as automating his responses to people with questions, and I love that parallel. Yeah, well, that's just it: these are the questions I get all the time. People are like, how do I start in infosec? So I just made a really nice video to give them all the best advice that I could, that I type out a lot, and I feel like it's like a better quality answer for the person receiving the answer, and it also saves me time, so I have more time to do stuff like this. So I'm gonna actually write all of this up in a blog post to make sure that, you know, anyone that's doing WordPress can get their, hopefully, security feet wet.

So the next thing, so I'm just going to go through, because I made them a list. So the next thing is I wanted to disable the account called admin. So every WordPress has a login page for the administrator and everyone knows where it is; it's not hard to find. What I want to do is have a user not be named admin, because that means they have to guess my username but they also have to guess the password, and I want to make it as difficult as possible. And so I made up a funky name for my admin user. On top of that, I'm gonna have the longest password I can, I'm not gonna reuse it anywhere else, it's gonna be a unique password for the site, which you should all do for every site, and I'm gonna save it in my password manager. And on top of that, I am installing a plugin so that I can use multi-factor authentication. For those who follow me on Twitter: so I bank with like a whole bunch of different banks in Canada because I enjoy distributing my risk, but anyway, Tangerine is one of my banks, who I have been hassling for over like three years now about getting multi-factor. Got multi-factor today, and so obviously I set that up immediately. I'm so happy for them, thank you Tangerine Bank. But I want it for WordPress, obviously. So we installed something called Wordfence. So Wordfence is a plugin, it's 100 a year, it's kind of got a WAF to it, like a basic web app firewall, but it also has the ability to do multi-factor authentication, and I'm like, yes. I'm just not okay having a login that's live on the internet for one of my crown jewels, just like open to anyone. And so that is like a pretty decent lockdown on the admin page: by changing the admin user's name to a different word than admin, having a long unique password that's only used on the site, and then also enabling multi-factor authentication. So that is a pretty sweet deal, but I felt there was like more that we could do. Oh, also we turned on auto-updates for WordPress.

So then I went through and looked through every single one of the various... how do I explain? I went through every single one of the plugins and looked them up to see if there were any known problems, and some of them had known problems in older versions, so it's like we must use the latest version. But none of them actually looked super scary, which was great, because that's terrifying. So then I whipped out OWASP ZAP and like scanned a bunch of stuff, and I was like, I'm gonna scan all the things, and I found out there were a few things that I wasn't in love with. So one, the cookie settings weren't that great, so I wanted to turn on SameSite, HttpOnly and the Secure flag, because if it's managing my session while I'm logged in as the admin, I don't want anyone taking a look at those cookies. Also forcing HTTPS only, only secure connections to the wehackpurple.com website. So I said I'd like some security headers, specifically I want HSTS, so that is strict transport policy, you know, the Strict-Transport-Security header, and what that does is it forces HTTPS every time; it redirects HTTP requests to the S. So then I also want a Content-Security-Policy header. I want us to list out the resources that are external that we're using, and we are using one external resource, like for some of the framing and prettiness factor, and so I was like, I want us to list that and I want us to block every other potential group from calling out for scripts, etc. And then I decided that because my website is basically dumb and doesn't really do anything, that is okay with the rest, like if someone frames my website, it's fine. It's not a government website. If someone comes to my website, they're usually either just checking it out because they're like, oh, Tanya's doing a thing, I wonder what's up with that.

Oh, there's something in the private chat: we are seeing the swag store only. Okay, let me see what's going on with... oh, okay. So let me re-share my screen so that you can see a bit more. I am going to, oh, stop screen, I'm going to stop screen and then I'm going to reshare, share screen, share a window, I want to share this window and I'm going to share. There we go. How's that? How is that, my anonymous sound technician? I'm gonna hope that it's okay.

So I wanted to make sure that the website stays up. Availability is very important to me, and integrity, so I don't want anyone logging in as the admin user and changing some of the values. Like they could say Tanya's a big jerk and she smells bad. I would not like that on my company's website; that seems less than ideal for sure. And then confidentiality: there's nothing that needs to remain confidential on the site. It's literally public, like there's no secret information. I don't want people to be able to log in and change things, but there's no confidentiality on the site, there's nothing private or whatever. If I'm working on a blog post, it's something I'm going to publish in a few minutes anyway; like all my blog posts pretty much become public unless they're boring. And so I'm not worried about that, but I really want my website to be up often. I don't need 99.999, but I would like 99; I would like it to be up most of the time, and ideally no one is able to change its contents except me or another employee of We Hack Purple. So that's cool.

So then I started looking at more stuff in my scanner, and so I did a bunch of spidering and such, and it found a ton of pages that I felt could be removed. There's a hello world page; I do not need a hello world page. There's some sort of academy banner page, like, nope. Other than the pages that I specifically asked to be developed, I want all the rest of them removed. So risk or threat surface reduction, okay, so that's the thing we always want to do. Also there's tons of tags and other things that I thought were unnecessary that are specifically for the blog functionality. So if we go over to the blog over here... if anyone has any questions and they want to put them in the chat, just, I'd let you know that it's cool. So let's look at my secure design article that I wrote. So if we look at the very bottom, it's a long article, I'm obsessed with design. Anyway, we're letting people leave comments, and I don't know about you, but as a woman on the internet, I tend to prefer that there's, less is more when it comes to letting strangers anonymously comment on my work. It tends to lead to less than positive outcomes. So I said, do we need this part or can we just like turn it off altogether? Because then we don't have to have any user input at all. There's no parameters in the URL address and there's no other inputs. We don't have a search; just tough, you can't find the thing, tough, that's the answer on my webpage, tough. And so we're really limiting stuff if we remove this comment section. And I don't want other... I mean, like getting feedback is good; I do enjoy constructive feedback or positive feedback or even constructive negative feedback, but that's not always what you get when you allow people to comment, uniquely, let's say.

Oh, "is that where you host your course content? How are you protecting your paid course content?" Oh, that's an excellent question, thank you, great question. Okay, so let me show you. So my paid course content is here on the academy, and this is a SaaS product, this is software as a service, and it's run by a Canadian company called Thinkific, and I'm actually on Vancouver Island and they're on the mainland in Vancouver, so it's actually kind of fun because we're neighbors. And they handle all the security for me, which is awesome. They also handle the credit cards, so I actually have no need to be PCI compliant, because I never handle credit cards at my company; I third-party all of that. I'm totally uninterested in having to do PCI compliance, even though I'm well versed in it because I teach it. So yeah, they do all the protecting for me. You log in and... so you can see, look at this, one of the employees made it, sent a thing to Fiverr of me. I'm like, that's so weird. So we have a bit of FAQs, we have live training, etc., but mostly it's just, you can see all of our courses, you can learn about our certificate of completion. So we're about to have another course on here, hopefully, and we also have a scholarship, a diversity scholarship, which I feel like I should probably put a link to, so you can sponsor people to go through the scholarship.

Or, yes, risk transfer, yes. So dedicated credit card people always seem like a great idea. Risk transfer, 100 percent, yeah. So like I advise lots of my clients, unless you have to for your business model, transfer risk to experts who are good at that, just like people. So while my clients will transfer their risk to me and I will help them build their AppSec program, or I will, you know, do some incident response, etc., I transfer my risk to Stripe, to PayPal, to Mighty Networks, to all of my third-party companies that are doing my stuff. Oh, why can't we see... just a second, let me see here. Oh, okay, so I can see it and you can't see it. There we go, so I have pasted that. Oh, it's so weird that you can't see what I am seeing unless I'm looking at it. Okay, well anyway, that's fine, I'm just gonna hide this and go back here.

So I have a whole bunch of SaaS products, so software as a service. So this is me, and this is our community. community.wehackpurple.com is actually just a skin over top of Mighty Networks, which is a really cool online community platform, which, quite frankly, I'm a huge fan. It's a huge, like, giant update, it's that forward compared to our previous community platform that we were using. This swag shop is built on Shopify, another Canadian company, and they started, I believe, in Ottawa, and I have spent many, many hours in that building because they kindly host the OWASP meetup there, and often their AppSec team would come and hang out and I'm like, yeah, this is awesome. And so that's cool, and they handle all the payments for us. I don't want to handle any payments; I want someone else to do that.

Okay, are there any more questions about this? So my scanner found some results, actually. So besides reducing our risk, how do I say this, besides transferring risk and reducing our threat surface, ensuring everything is updated, having multi-factor authentication, you know, changing the admin name and then also, what was the last one, oh, and using a unique password, which you should do for everything ever. I did some scanning and my scan said that there was potentially some path traversal, there's potentially some injection. It said it was SQL injection, and honestly I'm not sure that WordPress, that its database is SQL, in which case I'm not concerned, and also it was in a URL parameter to a page that is not behind authentication, so I'm pretty sure that's a false positive. There is a vulnerable JavaScript library, so it's jQuery. What is it? Let me just check. It's jQuery 3.3.1 and I want 3.3.2, which is the latest one. It's like a medium risk, it's not the end of the world, but I don't want it there. It also saw that like my cookies had crappy weak settings, it also saw I was missing HSTS and I was missing the Content-Security-Policy header, and then that was it. Everything else, the scanner was really happy. I didn't want to do too much punching in the face of the site, though, because quite frankly it's just in dev and I want it to be kind of gentle until they fix all of this. And so I'm not sure how much more security testing I'm going to do. I'm going to make sure that I do a backup that is in the cloud, that is not in the same place as my live production server, because that's useless. And other than that, I'm like, I think I'm pretty good, I think all my stuff is going well. So I'm pleased about securing my WordPress.

So I looked up all of my plugins, I made sure that none of them had outstanding security issues, I made sure that they are all up to date, and then ran a scanner to see if there's anything flagrantly wrong. Ideally, because the WordPress, like the administrative module of WordPress, has been pen tested like wow, because WordPress itself, the core, if it is kept up to date and properly hardened, should be quite good. So the next steps are for them to fix all the stuff I found, and then I will be logging in and verifying that we followed the hardening guide. I'm going to check the configuration on Wordfence, and then I think I'm probably going to be awesome. Does anyone have any things that they would like to add to that, or any questions? Because otherwise then I'm going to answer the cheese question.

For people who watch this podcast regularly, I'm going to stop sharing. So, stop sharing, there we go. Hi, people who listen to this regularly. We talk a lot about careers, about how much people make, and we want to know what it's like to be able to get certain types of work, what our career progression is going to be like. So I want to talk about working in application security. If you get a junior role in application security, it usually makes, in Canada, either eighty thousand to a hundred thousand easily in a junior position. You could be walking into a six-figure job to start. There are very, very few people that are qualified to work in application security, which is a problem We Hack Purple is working really, really hard at attempting to solve, or make better, ameliorate, let's say. I found my job by being a dev first, finding a professional mentor, having him guide me into penetration testing, learning on my own, watching tons of videos, attending OWASP conferences and meetups, and then figuring out that what I actually loved was application security, not pen testing. I still do security testing, but I wouldn't call myself a pen tester. I focus on enabling software developers to do an amazing job of creating hard, tough, rugged, secure applications. AppSec pays well, it pays well. I have not made under six figures in a very long time. Last year, though, as a startup founder, I did make under six figures for the first time in over a decade, and I mean, I did reinvest money into my company over and over again, and that's why. I actually, when I looked at the numbers, how much money my startup made and how much I made personally, like on the side just doing consulting and stuff, I actually made almost as much as I had made at Microsoft the year I left, and the year I left I cashed out all of my stocks, so I actually made more than I made at Microsoft my first year starting my company, and I didn't start my company until three months in. So it turns out that's pretty good. A lot of people don't share information like this. Like, I am just constantly reinvesting into my company, and I'm doing this because I feel that, one, creating more application security engineers is really important. I really, really believe this. I also want to make just security knowledge more accessible by making on-demand courses. What I'm trying to do is lower the price and make it so that anyone can take it by adding closed captioning, not an application available. This is again another format where I am trying to make this information affordable and accessible to as many human beings as possible. Previously lots of people would fly around the world teaching this stuff in person; we're keeping all of this information really close to our chest. I don't think we're gonna win this way, and by win I mean be able to surf the internet and be safe.

I was watching this television show called The Expanse. So I am obsessed with The Expanse book series, and obviously the TV show can never be as good as the book, but they have their hand terminals, which are like our cell phones now, and they do all these things, and there's this thing that they do where someone will be reading an article and they do this motion and it sends it to another person's screen. Now, I was watching it with someone who is not a computer scientist, and they're like, why can't we do that? And I said, because we literally can't do the most basic things securely, reliably. The more advanced the technology becomes, if we still can't even get the basics right when we're doing big things like this, it becomes very, very scary, and I want everyone to know the basics. I want us to teach this in university, I want this to be accessible to as many human beings as possible. This is another reason, actually, why we started the We Hack Purple sponsorship, like diversity sponsorship. I did that specifically because I want as many human beings as possible to be able to join our field, but also because I don't want tech to be exclusive to white males that could afford to go to university. I don't want it to just be mostly men or mostly white people or mostly people that can afford to go to advanced education, etc. I grew up poor, I grew up a girl, and I'm lucky because I came from a family where all the women are engineers and computer scientists. Both my aunts are computer scientists, my mom's a mathematician-chemist. This is super unusual, so when I was young and I was like, I think I want to be a programmer, they're like, yeah, of course you do. But the average little girl does not get that exposure, does not get that approval, does not get those gentle influences to say you can do that. And so this is the thing that's important to me. I know I'm ranting, but I want every single person to be able to work in security if they want to. And by making things on demand on my website, I know that it's not free; I can't afford to give it away for free. I am losing, I am not making money on the company, oh my, money just goes back in, back in, but it's because this is important to me and it matters to me, and I believe it matters to our industry and I believe it matters to our world that we protect the people that need protecting.

Okay, so I have talked enough, I feel like that's lots. I want to thank our sponsor ThreadFix. They make, honestly, I love their vulnerability management tool. I'm not going to say that about every single sponsor that we have, but I've used it, it's beautiful, it does the things I desire. I want to manage vulnerabilities; I don't want us to hire a pentester or have them come in, see some problems, and then not fix them. And so they let you see what's going on, they let you see patterns, they let you see trends, and help you do a better security program overall. I want to thank the We Hack Purple team, I want to thank my sound tech, I want to thank all of you. I want to thank every single member of the We Hack Purple community, every person that's attended our academy, even the free courses. This is you giving me your time and attention right now. With the pandemic, there's so much crap going on, there are so few people who want to tune into a computer screen for another minute, and you thinking that I am worth it, and worth your time and effort, I really, really appreciate that. And so with that, I'm going to wrap up. Thank you for attending the We Hack Purple podcast. Next week we have my friend Zenobia on, and she's going to talk about, yes, she's so amazing, we're going to talk about all sorts of things that she has learned by like starting her own company. So she does marketing, but in cyber specifically, so I could actually stand to learn a lot from her. She is an amazing human being. We have a lot of amazing guests coming up. We are currently planning for season two, and I think it's going to be "Teach Me Something Security," where I'm going to ask guests to teach me a specific thing, and I always have 10,000 questions, so prepare for me being inquisitive, me turning things on their head, me being annoying about things that I have questions about. We are going to continue with more sponsors, we're going to continue releasing more courses, we're going to continue having cute lady hoodies and other adorable swag. Thank you so much for being a part of We Hack Purple. Please go forth and secure all the things.
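The checks the episode lists after the OWASP ZAP scan (cookie Secure/HttpOnly/SameSite flags, a Strict-Transport-Security header, a Content-Security-Policy header, and forcing HTTPS) as an added example in Python. This is not code from the episode or from the We Hack Purple site: the three HTTP responses are constructed for the example, the one-year HSTS max-age threshold and the `https://cdn.example` CSP origin are the example's own assumptions, and it runs offline against those strings rather than against a live site.

```python
"""Header and cookie audit for a WordPress front end.

Added example, not code from the episode or the We Hack Purple site. It
re-checks, offline, what the episode asks the developers to fix after the
OWASP ZAP scan. Every response below is constructed, not captured.
"""
from __future__ import annotations

import re
from typing import Dict, List, Tuple

# One year in seconds. Assumption of this example: the episode does not name a
# max-age, so the threshold is the example's own choice.
HSTS_MIN_MAX_AGE = 31_536_000

# Constructed "before" response: an admin page whose cookies carry no
# Secure/HttpOnly/SameSite attributes and which sends no security headers.
WEAK_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Set-Cookie: wordpress_logged_in_1a2b=admin%7C1619000000%7Cabc; path=/\r\n"
    "Set-Cookie: wp-settings-time-1=1619000000; path=/\r\n"
    "\r\n"
    "<html><body>wp-admin</body></html>"
)

# Constructed "after" response with the fixes the episode asks for
# (the CDN origin in the CSP is a placeholder, not a real dependency).
HARDENED_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html; charset=UTF-8\r\n"
    "Strict-Transport-Security: max-age=31536000; includeSubDomains\r\n"
    "Content-Security-Policy: default-src 'self'; script-src 'self' https://cdn.example\r\n"
    "Set-Cookie: wordpress_logged_in_1a2b=admin%7C1619000000%7Cabc; Path=/; "
    "Secure; HttpOnly; SameSite=Lax\r\n"
    "Set-Cookie: wp-settings-time-1=1619000000; Path=/; Secure; HttpOnly; SameSite=Lax\r\n"
    "\r\n"
    "<html><body>wp-admin</body></html>"
)

# Constructed response to a plain http:// request once HTTPS is forced.
HTTP_REDIRECT_RESPONSE = (
    "HTTP/1.1 301 Moved Permanently\r\n"
    "Location: https://wehackpurple.com/\r\n"
    "\r\n"
)


def parse_response(raw: str) -> Tuple[int, List[Tuple[str, str]]]:
    """Split a raw HTTP/1.1 response into (status code, [(lower-case name, value)])."""
    head, _, _body = raw.partition("\r\n\r\n")
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split()[1])
    headers = []
    for line in header_lines:
        name, _, value = line.partition(":")
        headers.append((name.strip().lower(), value.strip()))
    return status, headers


def cookie_findings(set_cookie: str) -> List[str]:
    """Flag a Set-Cookie value lacking Secure, HttpOnly, or a SameSite of Lax/Strict."""
    name_value, *attr_parts = [p.strip() for p in set_cookie.split(";")]
    name = name_value.split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in attr_parts:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    findings = []
    if "secure" not in attrs:
        findings.append(f"cookie {name}: missing Secure")
    if "httponly" not in attrs:
        findings.append(f"cookie {name}: missing HttpOnly")
    samesite = attrs.get("samesite", "").lower()
    if samesite not in ("lax", "strict"):
        findings.append(f"cookie {name}: SameSite is {samesite or 'unset'}, want Lax or Strict")
    return findings


def audit(raw: str) -> List[str]:
    """Return the problems the episode's checklist would flag; an empty list means clean."""
    _status, headers = parse_response(raw)
    by_name: Dict[str, List[str]] = {}
    for name, value in headers:
        by_name.setdefault(name, []).append(value)

    findings = []
    hsts = by_name.get("strict-transport-security")
    if not hsts:
        findings.append("missing Strict-Transport-Security")
    else:
        match = re.search(r"max-age=(\d+)", hsts[0], re.IGNORECASE)
        if not match or int(match.group(1)) < HSTS_MIN_MAX_AGE:
            findings.append("Strict-Transport-Security max-age is below one year")
    if "content-security-policy" not in by_name:
        findings.append("missing Content-Security-Policy")
    for cookie in by_name.get("set-cookie", []):
        findings.extend(cookie_findings(cookie))
    return findings


def redirects_to_https(raw: str) -> bool:
    """True when a response to an http:// request is a redirect to an https:// URL."""
    status, headers = parse_response(raw)
    location = dict(headers).get("location", "")
    return status in (301, 302, 307, 308) and location.lower().startswith("https://")


if __name__ == "__main__":
    for label, response in (("weak", WEAK_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(f"{label}: {audit(response) or ['no findings']}")
    print("http redirect ok:", redirects_to_https(HTTP_REDIRECT_RESPONSE))
```

To re-run this against a real site, paste the raw response text your scanner or browser shows for the login page into `audit()` and the response to a plain `http://` request into `redirects_to_https()`; the cookie check is deliberately strict about SameSite because a session cookie set to `SameSite=None` or left unset is exactly what the episode wants fixed on the admin login.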