WordPress Security for Beginners


@SiteLock

WordPress Security for Beginners
Simple Steps to Build Your Master Plan
WordCamp Louisville 2016

Did You Know?
• There are 3.26 billion internet users as of December 2015; that's over 40% of the world population.
• Only 44% of web traffic is from humans; 56% of web traffic is from bots, impersonators, hacking tools, scrapers and spammers.

What We'll Cover Today
• Why and How Websites Get Hacked
• What We All Should Be Doing
• Going Above and Beyond
• After the Hack

Adam W. Warner
• WordPress Evangelist at SiteLock
• Co-Founder at FooPlugins
• Discovered WordPress in 2005
• WordPress Community Addict
• Fan of Fractals
• Lover of Meatballs
• Proud Dad!

Hacking Techniques
• Vulnerability scanning
• Server disruption
• Monetary loss
• Information leaks
• Vandalism (defacement)

Why Websites Get Hacked
• Drive-by downloads
• Redirections
• System resources
• Because they don't like you

Why MY Site!?

Opportunity
• It's not you, it's them
• Because it's possible
• Because we give them an opening

Automation
• Most hacking attempts are automated

How Websites Get Hacked
• 41% get hacked through vulnerabilities in their hosting platform
• 29% by means of an insecure theme
• 22% via a vulnerable plugin
• 8% because of weak passwords

Two Categories of Security

Access Controls

Software Vulnerabilities
• Anywhere there is a system, there's a potential software vulnerability waiting to be exploited

What Do Hacks Look Like?

Where Do You Start?
• With yourself, of course

Simple Steps for Everyone

Strong Passwords: Everywhere

Reusing Passwords

Even More About Passwords

Password Managers
• LastPass
• Dashlane
• Roboform
• TrueKey

Your Computer

Public Networks
Use a VPN. Please!

Don’t Change Core

Backup. Backup. Backup.

Update. Update. Update.

Remove Inactive Software

Install Software Only from Official Sources

Choose a Secure Host

https://wordpress.org/hosting/

Latest Version of PHP

Admin Usernames and Nicenames

Security Plugins and Services

SSL

Kick It Up a Notch

Limit Login Attempts
• Limit Login Attempts (plugin)
• Login Lockdown (plugin)

2FA (Two-Factor Authentication)

Clef

File Permissions

Default Table Prefix

.htaccess and wp-config.php

Authentication Keys and Salts

Disable PHP Execution

Disable File Editing

Secure wp-config.php

Disable XML-RPC?
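The hardening slides above (File Permissions, .htaccess and wp-config.php, Authentication Keys and Salts, Disable PHP Execution, Disable File Editing, Secure wp-config.php, and the optional XML-RPC block) are steps of one procedure, so here is a script that carries them out on a document root. It is added as an example and is not from the talk or from WordPress itself. It assumes a standard layout (wp-config.php in the web root, media under wp-content/uploads) on an Apache 2.4 host that honours .htaccess; the script name, the document-root argument and the `yes` flag for xmlrpc.php are illustration choices. Back up first and run it as the user that owns the files.

```shell
#!/usr/bin/env bash
# Added example, not from the talk or from WordPress: apply the hardening
# slides to one WordPress document root.
# Assumptions: wp-config.php sits in the web root, uploads live in
# wp-content/uploads, and the host is Apache 2.4 honouring .htaccess.
set -eu

# Directories 755, files 644, wp-config.php readable by its owner only.
# If PHP runs as a different user than the file owner, use 640 with the
# web server's group instead of 600, or the site will not load.
harden_permissions() {
    local root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Insert constants once, before the "That's all, stop editing" marker so they
# are defined before wp-settings.php loads. DISALLOW_FILE_EDIT removes the
# theme/plugin editor from the dashboard; FORCE_SSL_ADMIN keeps logins and
# wp-admin on HTTPS. DISALLOW_FILE_MODS would also block dashboard updates,
# so only add it if you update from the command line or a deploy pipeline.
add_wp_config_constants() {
    local cfg="$1" name line
    for name in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
        grep -q "$name" "$cfg" && continue
        line="define('$name', true);"
        if grep -q "stop editing" "$cfg"; then
            awk -v l="$line" '/stop editing/ && !done { print l; done = 1 } { print }' \
                "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
        else
            printf '%s\n' "$line" >> "$cfg"
        fi
    done
}

# Replace the eight keys/salts with fresh 64-character random values.
# Doing this after a compromise invalidates every existing login cookie,
# which is why the "after cleanup" slide lists it.
replace_salts() {
    local cfg="$1" key value
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        value=$(head -c 48 /dev/urandom | base64 | tr -d '\n')
        # matches both define('KEY', ...) and the newer define( 'KEY', ... ) style
        sed "s|^define( *'$key',.*|define('$key', '$value');|" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    done
}

# Uploads hold media, never code: refuse to serve any PHP file from there.
# (A plugin that writes PHP into uploads is itself a red flag.)
block_php_in_uploads() {
    local uploads="$1/wp-content/uploads"
    mkdir -p "$uploads"
    cat > "$uploads/.htaccess" <<'EOF'
# Added by hardening script: no script execution inside uploads
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Deny direct web access to wp-config.php, and to xmlrpc.php when asked.
# xmlrpc.php is a favourite target for brute force, but the Jetpack plugin
# and the WordPress mobile apps need it, hence the opt-in flag.
deny_direct_access() {
    local root="$1" block_xmlrpc="${2:-no}" files="wp-config.php" f
    if [ "$block_xmlrpc" = yes ]; then
        files="$files xmlrpc.php"
    fi
    for f in $files; do
        if ! grep -qF "<Files $f>" "$root/.htaccess" 2>/dev/null; then
            printf '<Files %s>\n    Require all denied\n</Files>\n' "$f" >> "$root/.htaccess"
        fi
    done
}

harden_wordpress() {
    local root="$1" block_xmlrpc="${2:-no}"
    add_wp_config_constants "$root/wp-config.php"
    replace_salts "$root/wp-config.php"
    block_php_in_uploads "$root"
    deny_direct_access "$root" "$block_xmlrpc"
    harden_permissions "$root"    # last, so the files written above get the right mode
}

# Usage: ./harden-wp.sh /var/www/html [yes]   (second argument blocks xmlrpc.php)
if [ "$#" -gt 0 ]; then
    harden_wordpress "$@"
fi
```

The one slide the script leaves alone is the table prefix: `$table_prefix` in wp-config.php can only be changed freely on a fresh install, because existing tables and the prefixed option and usermeta keys (wp_user_roles, wp_capabilities) would all have to be renamed to match. Everything else is safe to re-run; the script checks before adding a line, so a second pass changes only the salts.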

Learn More

https://codex.wordpress.org/Hardening_WordPress

Install a Firewall

CDN (Content Delivery Network)

How to Detect a Hacked Site
• Visit your site often
• Search for your site
• Unexplained spikes in traffic
• Investigate customer/visitor reports
• Google Search Console (email alerts)
• Remote scanner
• Malware scanner
• Source code scanner
• Service that detects site changes
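The last two items above, a source code scanner and a service that detects site changes, are something you can run yourself. The script below is an added example and not from the talk: it records a hash baseline of the WordPress tree, reports files added, modified or removed since, and greps for the obfuscation idioms common in commodity PHP malware. It assumes GNU coreutils (sha256sum, grep -r) and illustrative paths.

```shell
#!/usr/bin/env bash
# Added example, not from the talk: a do-it-yourself "service that detects
# site changes" plus a quick source-code triage for a WordPress tree.
# Assumes GNU coreutils (sha256sum, grep -r); all paths are illustrative.
set -eu

# Write a sorted "sha256  ./path" manifest of every file under $1 to $2.
# Take the baseline right after a clean install or update, keep it off the
# server, and refresh it every time you deliberately change the site.
wp_baseline() {
    local root="$1" manifest="$2"
    ( cd "$root" && find . -type f ! -path './wp-content/cache/*' -exec sha256sum {} + ) \
        | sort -k 2 > "$manifest"
}

# Compare the tree against a baseline. Prints one line per difference and
# returns 1 if anything changed, 0 if the tree is unchanged:
#   ADDED    ./path   a file that was not there (dropped web shell, backdoor)
#   MODIFIED ./path   content changed (injected code in core, theme or plugin)
#   REMOVED  ./path
# Paths containing whitespace are not handled by the field split below.
wp_verify() {
    local root="$1" manifest="$2" current changes
    current=$(mktemp)
    wp_baseline "$root" "$current"
    changes=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: the baseline
        !($2 in base)       { print "ADDED    " $2; next }
        base[$2] != $1      { print "MODIFIED " $2 }
                            { delete base[$2] }
        END { for (p in base) print "REMOVED  " p }
    ' "$manifest" "$current" | sort)
    rm -f "$current"
    if [ -n "$changes" ]; then
        printf '%s\n' "$changes"
        return 1
    fi
}

# Triage for the obfuscation idioms commodity PHP malware leans on, and for
# any PHP file at all inside uploads (a hardened site has none). Expect some
# false positives: a few legitimate plugins decode base64 at runtime.
wp_scan_suspicious() {
    local root="$1"
    {
        grep -rlE --include='*.php' \
            'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|gzuncompress|str_rot13)' \
            "$root" || true
        find "$root/wp-content/uploads" -type f -name '*.php' 2>/dev/null || true
    } | sort -u
}

# Usage: ./wp-integrity.sh baseline|verify /var/www/html /var/backups/wp.sha256
#        ./wp-integrity.sh scan /var/www/html
if [ "$#" -ge 2 ]; then
    case "$1" in
        baseline) wp_baseline "$2" "$3" ;;
        verify)   wp_verify "$2" "$3" ;;
        scan)     wp_scan_suspicious "$2" ;;
    esac
fi
```

Store the manifest away from the web root: an attacker who can write files can also rewrite a manifest sitting next to them. Run the verify step from cron after each deliberate update has been re-baselined, and treat any ADDED .php under wp-content/uploads, or any MODIFIED file under wp-includes, as an incident rather than noise.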

What To Do If You’re Hacked

Clean It Yourself

Use a Service
• Security is their core business
• Cleans files, databases, backdoors, etc.
• Removes malware warnings
• Removes your site from blacklists
• Helps services learn for the benefit of all

What To Do After Cleanup
• Change ALL passwords
• Change WP secret keys and salts
• Read this again: https://codex.wordpress.org/Hardening_WordPress

Now What?

Thank You – Questions?
• Follow at: @SiteLock, @wpmodder
• SlideShare: http://www.slideshare.net/wpprobusiness
• My Blog Posts: http://wpdistrict.sitelock.com, http://adamwwarner.com