When we get to WordPress, we realise there are many things we can do to stop hackers from exploiting vulnerabilities and holes and so endangering our business and our site. The last thing you want is to wake up and find that the site is gone, so we will go through the strategies and techniques that keep a WordPress site safe and protected.

WordPress – its main weak points when it comes to protection, and where it is vulnerable…

Because of irregular updating of the core script, plugins and themes, poor administration, and sites left to themselves with nobody supervising them, updating them and following the changes (both in security and in new features such as the AMP standard for faster display on mobile phones and smart devices), WordPress GOT A BAD REPUTATION AS AN INSECURE CMS PLATFORM. Things are changing, though, compared with, say, 2012, when WordPress really was at the bottom of the security ratings, and the biggest cause of that was the ALREADY MENTIONED FAILURE TO UPDATE WORDPRESS AND ITS PLUGINS… NOBODY MADE BACKUPS, NOT EVEN THE HOSTING PROVIDERS (today providers run a daily backup, and updates can be set to run automatically, but the admin still has to act as supervisor and check everything a couple of times a year, and preferably a couple of times a month…)

Even today, however, it is impossible to say that vulnerabilities and weak points no longer exist. According to the Q2 2016 study by Sucuri (a developer of security plugins), WordPress continues to lead the list of the most infected sites today (74% of them, so it is highly advisable to have a main ADMIN who can restore the site to a working state at any hour of the day or night, whether you pay them monthly or yearly… specifically, we maintain sites for 50-100 euros a year, and if your site is not on the list of sites we maintain, univerzalsoft.com charges 10-50 euros per intervention… so it is better to arrange this in advance and sleep soundly…). There is a list of plugins that have proven to be the most vulnerable, and we steer well clear of them; examples are Gravity Forms, TimThumb, and RevSlider.

[Image: WordPress vulnerabilities]

WordPress powers over 26% of all sites in the world, with thousands of plugins, themes and combinations of them, so it is no surprise that the WordPress development team has brought in 25 experts who respond ASAP (as soon as possible, i.e. immediately). The WordPress security team makes up almost half of the staff, because this platform is advancing and growing so fast that the day is not far off when the figure of 26% of sites running WordPress will be higher.

So let us look at the different types of vulnerabilities and so-called holes in WordPress.

Backdoors

Simply put, hackers find hidden entrances and bypass the protection. They do not go the classic way, through the places everybody knows, such as the ADMIN area, FTP, cPanel and the other password-protected and secured places… They do not enter where they are expected, but pick hidden, secret spots that are not being watched. According to some studies, attacks of this kind make up as much as 71% of all attack methods. So the vulnerability is exactly where we least expect it and protect it least, and the percentage is no surprise.

[Image: WordPress security backdoors]

Backdoors are often encoded and formatted to look like a legitimate WordPress system file, and they work their way towards the MySQL database, mostly, as we already mentioned, through outdated versions of WordPress itself and of plugins (free or paid…). The TimThumb fiasco is an obvious example of a backdoor vulnerability that, because of unpatched scripts, put millions of sites at risk.

Fortunately, preventing and protecting against these weaknesses is very simple. Just scan the site with tools such as SiteCheck and they will find the most common backdoor locations. Two-factor authentication, IP blocking, restricting and limiting admin rights, and blocking unauthorised execution of PHP files are often good weapons against the backdoor threat. Canton Becker also has an excellent article on cleaning up and removing backdoors from your WordPress installation.

Pharma Hack

The Pharma Hack exploits vulnerable code in outdated versions of WordPress sites or plugins, causing search engines to return ads for PHARMACEUTICAL PRODUCTS when the compromised site comes up in search results. Search engines then remove that piece of code as spam, but this leaves a hole.

That hole gets filled by malware and suspicious malicious scripts, and that is the secret hole. It happens as an injection into the MySQL database and requires a clean-up, so sometimes the only cure is updating WordPress, the plugins and the database.

Brute-force Login Attempts

Brute-force login attempts use automated scripts to exploit weak passwords and so gain access to the site. Two-step authentication, limiting login attempts, monitoring unauthorised logins, blocking IPs, or using strong passwords are the only cure for this. Unfortunately, a large number of WordPress site owners miss the chance to set strong passwords, and so every day 30,000 websites fall victim to brute-force login attempts and attacks.
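Monitoring for these attempts does not need a plugin; the web server's access log already records them. The script below is an added example (not code from the original article, nor from Kinsta or univerzalsoft) that counts POST requests to wp-login.php and xmlrpc.php per source address inside a sliding window and flags bursts. It assumes the standard "combined" log format, treats a POST to wp-login.php that returns 200 as a failed login (WordPress re-renders the form on failure and redirects with 302 on success), and the thresholds and the sample log lines are constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in the Apache/nginx "combined" log format; this is not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Jun/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.9"
203.0.113.7 - - [12/Jun/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.9"
203.0.113.7 - - [12/Jun/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.9"
203.0.113.7 - - [12/Jun/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.9"
203.0.113.7 - - [12/Jun/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "python-requests/2.9"
198.51.100.4 - - [12/Jun/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [12/Jun/2016:10:00:08 +0000] "GET /wp-admin/ HTTP/1.1" 200 9821 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Jun/2016:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
192.0.2.9 - - [12/Jun/2016:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
192.0.2.9 - - [12/Jun/2016:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
192.0.2.9 - - [12/Jun/2016:10:20:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/4.0"
"""

# ip, timestamp, method, path, status from a "combined" log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

# Assumed thresholds: this many attempts from one address inside WINDOW counts as a brute-force burst.
WINDOW = timedelta(minutes=10)
THRESHOLDS = {"/wp-login.php": 5, "/xmlrpc.php": 3}


def parse_line(line):
    """Return (ip, datetime, method, path, status) or None for lines that do not parse."""
    match = LOG_RE.match(line)
    if not match:
        return None
    ip, stamp, method, path, status = match.groups()
    when = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
    return ip, when, method, path.split("?", 1)[0], int(status)


def is_login_attempt(method, path, status):
    """Failed form logins answer 200 (the form again); a success is a 302 redirect."""
    if method != "POST":
        return False
    if path == "/wp-login.php":
        return status == 200
    return path == "/xmlrpc.php"  # every POST here may carry credential guesses


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bruteforce(log_text, window=WINDOW, thresholds=THRESHOLDS):
    """Map each flagged source IP to (endpoint, size of its worst burst)."""
    attempts = defaultdict(list)
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None:
            continue
        ip, when, method, path, status = record
        if is_login_attempt(method, path, status):
            attempts[(ip, path)].append(when)
    flagged = {}
    for (ip, path), times in attempts.items():
        burst = max_in_window(times, window)
        if burst >= thresholds[path]:
            flagged[ip] = (path, burst)
    return flagged


if __name__ == "__main__":
    for ip, (path, burst) in find_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {burst} attempts on {path} within {WINDOW}")
```

Run it against a real log with `find_bruteforce(open("access.log").read())`; the flagged addresses are candidates for the IP blocks the text recommends, and the xmlrpc.php counter matters because one request there can carry many guesses.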

Malicious Redirects

Malicious redirects create backdoors in WordPress installations, using FTP, SFTP, wp-admin and other protocols to inject redirection code. It is usually inserted into the .htaccess file or some other core WordPress file in the root. WordPress users can use free scanners that effectively detect malicious redirects, such as SiteCheck and Bots vs. Browsers, and should also listen to user comments.
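The two symptoms described in the backdoor and redirect sections above can be checked for with a few heuristics. The scanner below is an added example, not code from the article or from any of the scanners it names: it flags PHP files sitting in the uploads directory, `eval()` wrapped around a decoder, and `RewriteRule`/`Redirect` lines in .htaccess that point at a host other than the site's own. The sample files and the `OWN_HOSTS` list are constructed assumptions for the demonstration.

```python
import os
import re

# Constructed sample files (none are from a real site); the first two contain the patterns the text describes.
SAMPLE_FILES = {
    "wp-content/uploads/2016/06/image.php": "<?php eval(base64_decode('ZWNobyAxOw==')); ?>\n",
    ".htaccess": (
        "RewriteEngine On\n"
        "RewriteRule ^(.*)$ http://203.0.113.50/landing.php [R=302,L]\n"
    ),
    "wp-includes/version.php": "<?php\n$wp_version = '4.5.3';\n",
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wordpress');\n",
}

# Assumption: the site's own hostnames; a redirect to anything else is reported.
OWN_HOSTS = {"example.com", "www.example.com"}

# eval() wrapped around a decoder is the classic shape of an encoded backdoor.
EVAL_DECODE = re.compile(
    r"\beval\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I
)
# RewriteRule / Redirect / RedirectMatch whose target is an absolute URL; group 3 is the host.
REDIRECT_TARGET = re.compile(
    r"^\s*(RewriteRule|Redirect(?:Match)?)\b.*?\s(https?://([^/\s]+)\S*)", re.I | re.M
)


def scan_file(path, content, own_hosts=OWN_HOSTS):
    """Return the list of reasons a file looks suspicious (empty list means nothing found)."""
    reasons = []
    if path.endswith(".php"):
        if path.startswith("wp-content/uploads/"):
            reasons.append("PHP file inside the uploads directory")
        if EVAL_DECODE.search(content):
            reasons.append("eval() of a decoded payload")
    if os.path.basename(path) == ".htaccess":
        for match in REDIRECT_TARGET.finditer(content):
            host = match.group(3).lower()
            if host not in own_hosts:
                reasons.append(f"{match.group(1)} to external host {host}")
    return reasons


def scan_tree(files, own_hosts=OWN_HOSTS):
    """Map every path that raised at least one reason to its reasons; clean files are omitted."""
    report = {}
    for path, content in files.items():
        reasons = scan_file(path, content, own_hosts)
        if reasons:
            report[path] = reasons
    return report


if __name__ == "__main__":
    for path, reasons in scan_tree(SAMPLE_FILES).items():
        print(path, "->", "; ".join(reasons))
```

To run it over a real installation, build the `files` dictionary by walking the document root and reading .php and .htaccess files; hits are leads for a manual look, not proof of compromise, since legitimate plugins occasionally decode data at runtime.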

Denial of Service (DoS attacks)

Probably the most dangerous of all is the Denial of Service (DoS) vulnerability, which hits the code itself through, let us say, BUGS; hackers have compromised millions of websites this way and stolen millions of dollars, using outdated and buggy installations of the WordPress software through the DoS attacks just mentioned. The attacks came in chains, and roughly speaking the best protection, in our opinion, is first of all the latest version of WordPress, then a firewall (at the hosting provider if possible, otherwise a plugin), and of course a backup of the site.

WordPress Security Guide for 2016

According to live internet statistics, over 60,000 websites are hacked every day. That is why it is very important to set aside some time and go through recommendations that help reduce the danger to a minimum and bring protection to a maximum.

[Image: WordPress sites hacked]


1. Investing in good, secure web hosting

A good provider is certainly an investment beyond price, but it is not a bad idea to rent a VPS server either, if you have the technical knowledge around Linux, and to introduce the SSL protocol; as the saying goes, you are your own best guardian. We will not advertise any particular provider here, but we have several (a few unlimited hosting packages; VPS packages with SSL protection and the HTTPS protocol are fine, and of course backups and more backups…)

[Image: secure WordPress hosting]

Server hardening is the key to maintaining a thoroughly secure WordPress environment. It takes multiple layers of hardware- and software-level security measures to ensure the IT infrastructure hosting WordPress sites is capable of defending against sophisticated threats, both physical and virtual. For this reason, servers hosting WordPress should be updated with the latest operating system and (security) software, as well as thoroughly tested and scanned for vulnerabilities and malware. A recent example of this took place when we had to patch NGINX for OpenSSL security vulnerabilities that were discovered.

The server should be configured to use secure networking and file-transfer encryption protocols (such as SFTP instead of FTP) so that sensitive content is hidden from malicious intrusions and attacks.

2. Choosing good passwords and usernames

You will not believe it, but the smartest and most useful method is the use of smart, strong passwords. It sounds simple, but is it? Look at SplashData's 2015 annual list of the most commonly stolen passwords… it is really a bit funny, but people are careless… I KNOW SOME WHO EVEN USE THEIR PHONE NUMBERS OR DATE OF BIRTH, WHICH IS A BIG MISTAKE…

  • 123456
  • password
  • 12345
  • 12345678
  • qwerty
  • 123456789
  • 1234
  • baseball
  • dragon
  • football

THAT'S RIGHT! THE MOST POPULAR PASSWORD IS "123456", closely followed by the word password itself. That is one of the reasons why Kinsta forces the use of strong passwords for the wp-admin login on a new WordPress install (as you can see below in the one-click install option). This is optional…

[Image: forcing a secure WordPress password]

The basics of protection begin with the basics. Google has excellent recommendations on how to choose a strong password. Or you can use an online tool such as Strong Password Generator.

It is a good idea for every website to have a different password, so we leave it to clients to change them themselves later. There are many tools that store them locally; LastPass is one such tool, or KeePass. In our opinion the best is the online manager LastPass or TeamPassword.
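The advice above (stay off the common-password list, do not use a phone number or birthday, use a generator) can be turned into a small check. This is an added example, not code from the article or from any of the tools it names: it rejects the ten SplashData entries quoted above, estimates entropy from length and the character classes used, and generates passwords with Python's `secrets` module. The minimum length of 12 and the 60-bit entropy floor are assumptions chosen for the demonstration.

```python
import math
import secrets
import string

# The ten entries from the SplashData list quoted above.
COMMON_PASSWORDS = {
    "123456", "password", "12345", "12345678", "qwerty",
    "123456789", "1234", "baseball", "dragon", "football",
}


def estimate_entropy_bits(password):
    """Rough entropy: length times log2 of the size of the character classes actually used."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password, min_length=12, min_bits=60):
    """Return the list of reasons a password is weak; an empty list means it passes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if estimate_entropy_bits(password) < min_bits:
        problems.append(f"below {min_bits} bits of estimated entropy")
    return problems


def generate_password(length=20):
    """Generate a random password with the secrets module (not random.random) and confirm it passes the check."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(candidate):
            return candidate


if __name__ == "__main__":
    for sample in ("123456", "0641234567", "Summer2016!"):
        print(repr(sample), "->", check_password(sample) or "ok")
    print("generated:", generate_password())
```

A ten-digit phone number scores only about 33 bits here, which is why the entropy floor catches it even though it is not on any list; a 20-character generated password from the full alphabet lands above 130 bits.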

And of course never use the WordPress default username "admin". Create a unique username and delete admin as a user… Adding a new user is shown in the picture below.

[Image: add new admin user]

After you have created the new user, be sure to delete the "admin" user. Make sure you attribute the content created under that username to another user, otherwise all the content admin created will be lost, and that is not the goal, is it?

[Image: delete admin and attribute all content to another user]

3. Always run the latest versions of WordPress and its plugins

We have already mentioned that it is very important to always have the latest versions of WordPress, plugins and themes.

[Image: keep WordPress up to date]

Unfortunately, millions use old versions of both the WordPress software and plugins, believing they are on the right path to success… Their excuses vary, along the lines of "the site will break" or "some new plugin or the new version won't work after the update"; we are slowly winding down the translation here, so if the topic interests you we also have our own tutorials, and all our clients will in any case have a backup first of all, then security plugins, and updates run automatically via code in wp-config.php, etc.

The fact that over half of all attacks go through bugs in old versions of plugins, themes and the WordPress installation itself is reason enough to make updating a must.

By updating plugins and WordPress you avoid the risk of becoming a victim.

[Image: hacked WordPress websites by plugin]

How to update the WordPress CORE

There are several ways to update a WordPress installation: with various plugins, or manually, which is the most common practice. Go into the admin area and click Update…

[Image: update WordPress core]

All this is also possible over plain FTP with a program such as FileZilla, but if you have no experience with this, do not do it, because copying the wrong files into the wrong folder can have catastrophic consequences, in the sense that the site stops working; so leave it to someone who has done it before and pay someone to maintain your site!

If you want to do it yourself, here are the steps for updating the installation; we leave the text in English:

  • Delete the old wp-includes and wp-admin directories.
  • Upload the new wp-includes and wp-admin directories.
  • Upload the individual files from the new wp-content folder to your existing wp-content folder, overwriting existing files. Do NOT delete your existing wp-content folder. Do NOT delete any files or folders in your existing wp-content directory (except for the ones being overwritten by new files).
  • Upload all new loose files from the root directory of the new version to your existing WordPress root directory.

How to update WordPress plugins

Updating your WordPress plugins is a very similar process to updating WordPress core. Click into “Updates” in your WordPress dashboard, select the plugins you want to update, and click on “Update Plugins.”

[Image: update WordPress plugins]

So the latest versions of plugins contain patches and protect us from hackers…

[Image: WordPress plugins not updated]

4. Changing the admin path

There is also the strategy of hiding the WordPress version and hiding the admin login path. But if a hacker has decided to attack and bring down the site, this will only slow him down a little and cost him a bit more time. Locking down your WordPress admin is therefore not a bad idea, but there are also plugins that limit login attempts, captcha plugins, etc… Everything should be done, this included, to make life hard for hackers.

HOW to change the admin path

The default login URL is domain.com/wp-admin. Everybody knows that, and changing that path is a solid way to protect yourself. To change your WordPress login URL we suggest the WPS Hide Login plugin, which is free.

It adds itself to the General settings menu and is not hard to set up.

[Image: changing your WordPress login URL]

How to limit login attempts – Limit Login Attempts

There are several plugins that do this, and one is even called Limit Login Attempts; it locks out the IP and the user who, say, types the login details wrong 5 times… It can send log data by e-mail, block that IP for 48 hours, etc… You can create a blacklist of IP addresses, and it is also a great way to allow only your own IP address to log in, if it is static.

[Image: Limit Login Attempts for WordPress]

There is also an even simpler plugin that is free, the Login LockDown plugin. Login LockDown records addresses and logs those who tried to force their way in… So limiting login attempts and changing the login URL path with the WPS Hide Login plugin are solid ways to protect yourself.

[Image: Login LockDown for WordPress]

5. The advantages of Two-Factor Authentication

And of course, we can’t forget two-factor authentication! No matter how secure your password is there is always a risk of someone discovering it. Two-factor authentication involves a 2 step process in which you need not only your password to login but a second method. It is generally a text (SMS), phone call, or time-based one-time password (TOTP). In most cases, this is 100% effective in preventing brute force attacks to your WordPress site. Why? Because it is almost impossible that the attacker will have both your password and your cellphone.

There are really two parts when it comes to two-factor authentication. The first is your account and/or dashboard that you have with your web hosting provider. If someone gets access to this they could change your passwords, delete your websites, change DNS records, and all sorts of horrible things. We here at Kinsta partnered up with Authy and have two-factor authentication available for your My Kinsta dashboard.

The second part of two-factor authentication pertains to your actual WordPress installation. Authy has an official WordPress plugin which you can download and use. Their free plan is limited to 100 authorizations per month, but their paid plans start at a very reasonable $0.09/auth with unlimited users and authorizations.

If you are looking for a completely free option, then the Google Authenticator plugin is a great alternative. It also allows an unlimited number of users. Once installed you can click into your user profile, mark it active and create a new secret key or scan the QR code.

[Image: WordPress two-factor authentication setup]

You can use three apps on your phone:

All of them are compatible with the plugins mentioned above that change the login path and limit login attempts.

[Image: Google Authenticator WordPress login]
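The six-digit codes that apps such as Google Authenticator and Authy display are time-based one-time passwords (TOTP, RFC 6238): both the phone and the site hold the same secret, hash the current 30-second time step with HMAC, and compare. The code below is an added example, not code from the article or from any of the plugins it names; it is a stand-alone implementation of that computation with a verifier that tolerates one step of clock drift, checked against the published RFC 6238 test vectors. The `new_secret()` helper and the tolerance window are this example's own choices.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time

# RFC 6238 reference secret ("12345678901234567890" in base32); used only for the worked values.
RFC_TEST_SECRET = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def new_secret(nbytes=20):
    """Fresh base32 secret of the kind a 2FA plugin shows as text or as a QR code at enrolment."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def totp(secret_b32, for_time=None, step=30, digits=6, algo=hashlib.sha1):
    """TOTP (RFC 6238): HMAC over the time-step counter, dynamic truncation, then modulo 10^digits."""
    clean = secret_b32.upper().replace(" ", "")
    key = base64.b32decode(clean + "=" * (-len(clean) % 8))  # restore base32 padding if it was stripped
    now = time.time() if for_time is None else for_time
    counter = struct.pack(">Q", int(now // step))  # 8-byte big-endian step number
    digest = hmac.new(key, counter, algo).digest()
    offset = digest[-1] & 0x0F  # low nibble of the last byte picks the 4 bytes to keep
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32, submitted, for_time=None, step=30, digits=6, window=1):
    """Accept the code for the current step and `window` steps either side, comparing in constant time."""
    now = time.time() if for_time is None else for_time
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    print("RFC vector T=59 ->", totp(RFC_TEST_SECRET, for_time=59, digits=8))  # 94287082
    print("code right now  ->", totp(RFC_TEST_SECRET))
```

Two practical notes: a real login handler must also remember the last step it accepted for a user, so the same code cannot be replayed inside the window, and the secret must be stored with the same care as a password hash, because anyone who reads it can produce valid codes.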

6. Use HTTPS for an encrypted connection – SSL certificate

Ever cheaper SSL certificates, which providers install for free (Comodo offers one free for 90 days), are a good opportunity to introduce HTTPS yourself. HTTPS (Hyper Text Transfer Protocol Secure) is a mechanism that is getting ever closer to everyday use, because prices have fallen and providers offer free installation.

[Image: HTTPS encrypted connections]

1. Security

2. SEO

Google has officially announced that HTTPS is a ranking factor. Get ahead of the competition.

3. Trust and Credibility

4. Referral Data

Many people avoid HTTPS because of referral data and the warnings some browsers show.

5. Chrome Warnings

6. Performance

These are some of the reasons FOR and AGAINST an SSL certificate.

7. Harden Your wp-config.php file

Your wp-config.php file is like the heart and soul of your WordPress installation. It is by far the most important file on your WordPress site. It contains your database login information and security keys which handle the encryption of information in cookies. Below are a couple things you can do to better protect this important file.

1. MOVING THE wp-config.php FILE

By default your wp-config.php file resides in the root directory of your WordPress installation (your /public HTML folder). But you can move this to a non-www accessible directory. Aaron Adams wrote up a great explanation of why this is beneficial.

To move your wp-config.php file simply copy everything out of it into a different file. Then in your wp-config.php file you can place the following snippet to simply include your other file. Note: the directory path might be different based on your web host and setup. Typically though it is simply one directory above.

<?php include('/home/yourname/wp-config.php');

2. Update WordPress Security Keys

WordPress security keys are a set of random variables that improve encryption of information stored in the user's cookies. Since WordPress 2.7 there have been 4 different keys: AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, and NONCE_KEY. When you install WordPress these are generated randomly for you. However, if you have gone through multiple migrations or purchased a site from someone else, it can be good to create fresh WordPress keys.

WordPress actually has a free tool which you can use to generate random keys. You can update your current keys which are stored in your wp-config.php file.

[Image: WordPress security keys]

Read more about WordPress security keys.
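Rotating the keys is a text edit of wp-config.php: each `define('AUTH_KEY', '...')` line gets a new 64-character random value, after which every existing login cookie stops validating. The script below is an added example, not code from the article or from WordPress itself: it finds the four defines named above in a wp-config.php excerpt, reports which still carry the stock placeholder, and rewrites them with values drawn from Python's `secrets` module. The character set (printable ASCII minus quotes and backslash, so the value is safe inside a single-quoted PHP string) and the sample excerpt are assumptions for the demonstration.

```python
import re
import secrets
import string

# The four keys named in the text (the matching *_SALT defines in a modern wp-config.php follow the same pattern).
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY")
PLACEHOLDER = "put your unique phrase here"
# Assumption: printable ASCII without quotes/backslash, so no PHP escaping is needed.
KEY_ALPHABET = "".join(c for c in string.printable if not c.isspace() and c not in "'\"\\")
KEY_LENGTH = 64

# Constructed wp-config.php excerpt with the placeholder values a fresh download ships with.
SAMPLE_WP_CONFIG = """\
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
"""


def _define_pattern(name):
    """Regex for one define('NAME', 'value'); line, tolerant of the alignment spaces WordPress uses."""
    return re.compile(r"define\(\s*'" + re.escape(name) + r"'\s*,\s*'([^']*)'\s*\);")


def placeholder_keys(config_text, names=KEY_NAMES):
    """Names whose value is still the stock placeholder, or which are missing entirely."""
    stale = []
    for name in names:
        match = _define_pattern(name).search(config_text)
        if match is None or match.group(1) == PLACEHOLDER:
            stale.append(name)
    return stale


def generate_key(length=KEY_LENGTH):
    return "".join(secrets.choice(KEY_ALPHABET) for _ in range(length))


def rotate_keys(config_text, names=KEY_NAMES):
    """Return (new_config_text, {name: new_value}); defines that are not found are left untouched."""
    new_text = config_text
    rotated = {}
    for name in names:
        pattern = _define_pattern(name)
        if pattern.search(new_text) is None:
            continue  # unfamiliar layout: do not guess, leave it for a manual edit
        value = generate_key()
        # A function replacement avoids backslash/group processing on the random value.
        new_text = pattern.sub(lambda _m, n=name, v=value: f"define('{n}', '{v}');", new_text, count=1)
        rotated[name] = value
    return new_text, rotated


if __name__ == "__main__":
    print("still at placeholder:", placeholder_keys(SAMPLE_WP_CONFIG))
    updated, changed = rotate_keys(SAMPLE_WP_CONFIG)
    print(updated)
    print("rotated:", sorted(changed))
```

Apply it to a real file only after taking a backup copy, and expect every user (yourself included) to be logged out once the new file is in place, which is exactly the effect you want after a migration or a change of ownership.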

3. Change Permissions

Typically files in the root directory of a WordPress site will be set to 644, which means that files are readable and writeable by the owner of the file and readable by users in the group owner of that file and readable by everyone else. According to the WordPress documentation, the permissions on the wp-config.php file should be set to 440 or 400 to prevent other users on the server from reading it. You can easily change this with your FTP client.

[Image: wp-config.php permissions]

8. Disable XML-RPC

In the past years XML-RPC has become an increasingly large target for brute force attacks. As Sucuri mentioned, one of the hidden features of XML-RPC is that you can use the system.multicall method to execute multiple methods inside a single request. That's very useful as it allows an application to pass multiple commands within one HTTP request. But what also happens is that it is used for malicious intent.

There are a few WordPress plugins like Jetpack that rely on XML-RPC, but a majority of people out there won’t need this and it can be beneficial to simply disable access to it. Not sure if XML-RPC is currently running on your website? Danilo Ercoli, from the Automattic team, wrote a little tool called the XML-RPC Validator. You can run your WordPress site through that to see if it has XML-RPC enabled. If it isn’t, you will see a failure message such as shown in the image below on the Kinsta blog.

[Image: checking WordPress XML-RPC]

To disable this completely you can install the free Disable XML-RPC plugin. If you are a customer here at Kinsta this is not needed because when an attack through XML-RPC is detected a little snippet of code is added into the NGINX config file to stop them in their tracks – producing a 403 error.

location ~* ^/xmlrpc.php$ { return 403; }

9. Hiding the WordPress version is also a form of protection

[Image: WordPress version in the page source]

Here is how to do it manually, by adding the following function (to your theme's functions.php or a small plugin):

function wpversion_remove_version() { return ''; } // return an empty generator tag instead of the version
add_filter('the_generator', 'wpversion_remove_version');

It is also a good idea to remove the readme.html file; simply delete it over FTP.

11. USING SECURITY PLUGINS

We list some of them here; some companies offer truly great solutions.

They do the following things:
  • Generate and force strong passwords when creating user profiles
  • Force passwords to expire and be reset on a regular basis
  • User action logging
  • Easy updates of WordPress security keys
  • Malware Scanning
  • Two-factor authentication
  • reCAPTCHAs
  • Firewalls
  • IP whitelisting
  • IP blacklisting
  • File change logs
  • Monitor DNS changes
  • Block malicious networks
  • View WHOIS information on visitors

Also use ExpressVPN to encrypt your traffic and hide your IP.

14. Check file and server permissions

File Permissions

  • Read permissions are assigned if the user has rights to read the file.
  • Write permissions are assigned if the user has rights to write or modify the file.
  • Execute permissions are assigned if the user has the rights to run the file and/or execute it as a script.

Directory Permissions

  • Read permissions are assigned if the user has the rights to access the contents of the identified folder/directory.
  • Write  permissions are assigned if the user has the rights to add or delete files that are contained inside the folder/directory.
  • Execute permissions are assigned if the user has the rights to access the actual directory and perform functions and commands, including the ability to delete the data within the folder/directory.

You can use a free plugin like iThemes Security to scan the permissions on your WordPress site.

[Image: WordPress file permissions]

  • All files should be 644 or 640. The exception is wp-config.php, which should be 440 or 400 to stop that file being read.
  • All folders should be 755 or 750.
  • No folder should ever be 777.
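The three rules above, together with the 440/400 rule for wp-config.php from section 7, can be checked mechanically instead of file by file in an FTP client. The audit below is an added example, not code from the article or from the iThemes Security plugin: it walks an installation, reports every entry whose mode is outside the allowed set, and can apply the standard values (755, 644, 440 for wp-config.php). The `make_sample_tree()` helper builds a throwaway constructed directory with the two mistakes the text warns about; the audit deliberately skips symlinks and the root directory itself.

```python
import os
import stat
import tempfile

# Allowed modes from the text: regular files 644/640, directories 755/750, wp-config.php 440/400.
FILE_OK = {0o644, 0o640}
DIR_OK = {0o755, 0o750}
WP_CONFIG_OK = {0o440, 0o400}


def allowed_modes(name, is_dir):
    if is_dir:
        return DIR_OK
    return WP_CONFIG_OK if name == "wp-config.php" else FILE_OK


def audit_permissions(root):
    """Sorted (relative_path, mode) pairs for every entry below root whose mode is not allowed."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # judge the link target where it lives, not the link
            mode = stat.S_IMODE(st.st_mode)
            if mode not in allowed_modes(name, is_dir):
                findings.append((os.path.relpath(full, root), mode))
    return sorted(findings)


def fix_permissions(root):
    """Set 755 on offending directories, 440 on wp-config.php, 644 on other files; returns the count changed."""
    changed = 0
    for relpath, _mode in audit_permissions(root):
        full = os.path.join(root, relpath)
        if os.path.isdir(full):
            target = 0o755
        elif os.path.basename(full) == "wp-config.php":
            target = 0o440
        else:
            target = 0o644
        os.chmod(full, target)
        changed += 1
    return changed


def make_sample_tree():
    """Constructed throwaway tree (not a real site) containing the mistakes the text warns about."""
    root = tempfile.mkdtemp(prefix="wp-perm-audit-")
    layout = [  # (relative path, is_dir, mode)
        ("wp-content", True, 0o755),
        ("wp-content/uploads", True, 0o777),  # world-writable: never acceptable
        ("index.php", False, 0o644),
        ("wp-config.php", False, 0o644),  # readable by other server users: should be 440/400
        ("wp-content/uploads/logo.png", False, 0o640),
    ]
    for rel, is_dir, mode in layout:
        full = os.path.join(root, rel)
        if is_dir:
            os.mkdir(full)
        else:
            with open(full, "w") as fh:
                fh.write("placeholder\n")
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    sample = make_sample_tree()
    for relpath, mode in audit_permissions(sample):
        print(f"{relpath}: {oct(mode)}")
    print("fixed:", fix_permissions(sample), "entries; remaining:", audit_permissions(sample))
```

Run `audit_permissions("/path/to/wordpress")` first and read the list before calling `fix_permissions`; on hosts where PHP runs as a different user from the file owner, 440 on wp-config.php can stop the site reading its own configuration, which is why the text gives 400/440 as the target but a hosting-specific check is still needed.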

15. DISABLE FILE EDITING FROM THE DASHBOARD

[Image: WordPress Appearance editor]

Add this line of code to wp-config.php as well:

define('DISALLOW_FILE_EDIT', true);

17. ALWAYS HAVE A BACKUP

That is the best protection against attacks and site failures… End of story.

WordPress Backup Services

WordPress backup services usually have a low monthly fee and store your backups for you in the cloud.

WordPress Backup Plugins – UpdraftPlus or Duplicator are enough

WordPress backup plugins allow you to grab your backups via FTP or integrate with an external storage source such as Amazon S3, Google Drive, or Dropbox.

Note: We don't allow backup plugins on Kinsta servers due to performance issues. But this is because we handle all this for you at the server level, so it doesn't slow down your WordPress site.

18. DDoS Protection

DDoS is a type of DOS attack where multiple systems are used to target a single system causing a Denial of Service (DoS) attack. DDoS attacks are nothing new – according to Britannica the first documented case dates back to early 2000. Unlike someone hacking your site, these types of attacks don’t normally harm your site but rather will simply take your site down for a few hours or days. What can you do to protect yourself? One of the best recommendations is to use a reputable 3rd party security service like Cloudflare. If you are running a business it can make sense to invest in their premium plans.

[Image: Cloudflare DDoS protection]

Cloudflare is one of the largest DDoS protection networks in the world.  Their advanced DDoS protection can be used to mitigate DDoS attacks of all forms and sizes including those that target the UDP and ICMP protocols, as well as SYN/ACK, DNS amplification and Layer 7 attacks. Other benefits include putting you behind a proxy which helps to hide your origin IP address, although it is not bulletproof. Many customers here at Kinsta use Cloudflare.

CONCLUSION

IF YOU HAVE NO TIME TO FENCE WITH SECURITY, UPDATING PLUGINS AND THEMES, BACKING UP, HIDING FILES, CHANGING PATHS, REMEMBERING STRONG, COMPLICATED PASSWORDS AND SO ON, CONTACT US AND WE WILL DO THE JOB FOR YOU… SINCE HOSTING IS AN IMPORTANT FACTOR, IF YOU TAKE IT THROUGH US ALL OF THIS SECURITY WORK IS INCLUDED… IF YOU BUY HOSTING YOURSELF, THEN PAY US AN ADDITIONAL YEARLY FEE OF 50-100 EUROS AND YOU CAN REST EASY.

Have any important WordPress security tips that we missed? If so feel free to let us know below in the comments.