Page 1: WordPress Security for Beginners

@SITELOCK

WordPress Security for Beginners
Simple Steps to Build Your Master Plan

WordCamp Louisville 2016

Page 2: Did You Know?

• There are 3.26 billion internet users as of December 2015; that’s over 40% of the world population.
• Only 44% of web traffic is from humans; 56% of web traffic is from bots, impersonators, hacking tools, scrapers and spammers.

Page 3: What We’ll Cover Today

• Why and How Websites Get Hacked
• What We All Should Be Doing
• Going Above and Beyond
• After the Hack

Page 4: Adam W. Warner

• WordPress Evangelist at SiteLock
• Co-Founder at FooPlugins
• Discovered WordPress in 2005
• WordPress Community Addict
• Fan of Fractals
• Lover of Meatballs
• Proud Dad!

Page 5: Hacking Techniques

• Vulnerability scanning
• Server disruption
• Monetary loss
• Information leaks
• Vandalism (defacement)

Page 6: Why Websites Get Hacked

• Drive-by downloads
• Redirections
• System resources
• Because they don’t like you

Page 7: Why MY Site!?

Page 8: Opportunity

• It’s not you, it’s them
• Because it’s possible
• Because we give them an opening

Page 9: Automation

• Most hacking attempts are automated

Page 10: How Websites Get Hacked

• 41% get hacked through vulnerabilities in their hosting platform
• 29% by means of an insecure theme
• 22% via a vulnerable plugin
• 8% because of weak passwords

Page 11: Two Categories of Security

Page 12: Access Controls

Page 13: Software Vulnerabilities

• Anywhere there is a system, there’s a potential software vulnerability waiting to be exploited

Page 14: What Do Hacks Look Like?

Page 15: Where Do You Start?

• With yourself, of course

Page 16: Simple Steps for Everyone

Page 17: Strong Passwords: Everywhere

Page 18: Reusing Passwords

Page 19: Even More About Passwords

Page 20: Password Managers

• LastPass
• Dashlane
• Roboform
• TrueKey

Page 21: Your Computer

Page 22: Public Networks

Use a VPN. Please!

Page 23: Don’t Change Core

Page 24: Backup. Backup. Backup.

Page 25: Update. Update. Update.

Page 26: Remove Inactive Software

Page 27: Install Software Only from Official Sources

Page 28: Choose a Secure Host

https://wordpress.org/hosting/

Page 29: Latest Version of PHP

Page 30: Admin Usernames and Nicenames

Page 31: Security Plugins and Services

Page 32: SSL

Page 33: Kick It Up a Notch

Page 34: Limit Login Attempts

• Limit Login Attempts
• Login Lockdown

Page 35: 2FA (Two-Factor Authentication)

Page 36: Clef

Page 37: File Permissions

Page 38: Default Table Prefix

Page 39: .htaccess and wp-config.php

Page 40: Authentication Keys and Salts

Page 41: Disable PHP Execution

Page 42: Disable File Editing

Page 43: Secure wp-config.php

Page 44: Disable XML-RPC?
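The hardening slides above (File Permissions, Disable PHP Execution, Disable File Editing, Secure wp-config.php, and the optional XML-RPC block) are titles only. As an added example that is not part of the deck, the POSIX shell script below applies each of those steps to an install root. It assumes an Apache 2.4 host that honours .htaccess files (the "Require all denied" syntax), that PHP runs as the file owner so 0755 directories, 0644 files and a 0600 wp-config.php still let WordPress run, and a wp-config.php that still carries the standard "stop editing" marker; the function names, modes and the --no-xmlrpc switch are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the deck: applies the Page 37-44 hardening steps
# to a WordPress install root. Assumptions: Apache 2.4 reading .htaccess
# ("Require all denied"), and PHP running as the file owner, so directories
# 0755, files 0644 and wp-config.php 0600 still let WordPress run.
set -u

WP_PERM_DIR=0755      # assumed directory mode
WP_PERM_FILE=0644     # assumed file mode
WP_PERM_CONFIG=0600   # wp-config.php holds DB credentials and salts: owner only

# Page 37: File Permissions.
wp_fix_permissions() {
  dir=$1
  find "$dir" -type d -exec chmod "$WP_PERM_DIR" {} +
  find "$dir" -type f -exec chmod "$WP_PERM_FILE" {} +
  [ -f "$dir/wp-config.php" ] && chmod "$WP_PERM_CONFIG" "$dir/wp-config.php"
  return 0
}

# Append an Apache stanza to an .htaccess file unless its marker is already there.
_htaccess_add() {
  file=$1; marker=$2; block=$3
  [ -f "$file" ] && grep -qF "$marker" "$file" && return 0
  printf '%s\n' "$block" >> "$file"
}

# Page 41: Disable PHP Execution under uploads/, where an uploaded "image"
# that is really PHP would otherwise run as code.
wp_block_php_in_uploads() {
  up=$1/wp-content/uploads
  mkdir -p "$up"
  _htaccess_add "$up/.htaccess" '<FilesMatch "\.(php' \
'# Never execute PHP stored under uploads/
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
  Require all denied
</FilesMatch>'
}

# Page 42: Disable File Editing: removes the theme/plugin editor from
# wp-admin so a hijacked admin session cannot write PHP through the UI.
# The define goes before the "stop editing" marker; if the marker is gone,
# it is appended at the end as a fallback.
wp_disable_file_edit() {
  cfg=$1/wp-config.php
  [ -f "$cfg" ] || return 1
  grep -qF 'DISALLOW_FILE_EDIT' "$cfg" && return 0
  awk -v line="define('DISALLOW_FILE_EDIT', true);" '
    /stop editing/ && !done { print line; done = 1 }
    { print }
    END { if (!done) print line }
  ' "$cfg" > "$cfg.tmp" && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
}

# Page 43: Secure wp-config.php: deny direct HTTP requests to it, on top of
# the 0600 mode set above.
wp_protect_wp_config() {
  _htaccess_add "$1/.htaccess" '<Files wp-config.php>' \
'<Files wp-config.php>
  Require all denied
</Files>'
}

# Page 44: Disable XML-RPC? Optional: stops brute force and pingback abuse
# through xmlrpc.php, but also breaks Jetpack and the mobile apps.
wp_block_xmlrpc() {
  _htaccess_add "$1/.htaccess" '<Files xmlrpc.php>' \
'<Files xmlrpc.php>
  Require all denied
</Files>'
}

# Run every step; permissions last so the files written above are covered too.
wp_harden() {
  dir=$1
  wp_block_php_in_uploads "$dir"
  wp_disable_file_edit "$dir"
  wp_protect_wp_config "$dir"
  [ "${2:-}" = "--no-xmlrpc" ] && wp_block_xmlrpc "$dir"
  wp_fix_permissions "$dir"
}

# Usage: sh wp_harden.sh /path/to/wordpress [--no-xmlrpc]
if [ $# -ge 1 ]; then wp_harden "$1" "${2:-}"; fi
```

Every step is idempotent, so the script can run from a cron job or after each update without stacking duplicate stanzas. On nginx the .htaccess parts do nothing; the equivalent is a `location` block that returns 403 for those paths, which this example does not write.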

Page 45: Learn More

https://codex.wordpress.org/Hardening_WordPress

Page 46: Install a Firewall

Page 47: CDN (Content Delivery Network)

Page 48: How to Detect a Hacked Site

• Visit your site often
• Search for your site
• Unexplained spikes in traffic
• Investigate customer/visitor reports

Page 49: Detect a Hacked Site (cont’d)

• Google Search Console (email alerts)
• Remote scanner
• Malware scanner
• Source code scanner
• Service that detects site changes
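Two of the detection methods listed above, a source code scanner and a service that detects site changes, come down to the same mechanism: hash the code files once while the site is known clean, then re-hash and compare. As an added example that is not part of the deck, the POSIX shell script below implements that baseline-and-verify check and also searches for PHP files under wp-content/uploads, which a clean install never contains. It assumes sha256sum (GNU coreutils) or shasum (BSD/macOS) is installed; the watched file patterns, report format and function names are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the deck: a minimal "source code scanner" and
# "site change" detector for the Page 48-49 list. It hashes every PHP, JS
# and .htaccess file once while the site is known clean, then reports what
# was added, removed or modified since, and flags PHP under wp-content/uploads.
# Assumes sha256sum (GNU coreutils) or shasum (BSD/macOS) is installed.
set -u

_sha256() {
  if command -v sha256sum >/dev/null 2>&1; then sha256sum "$1"; else shasum -a 256 "$1"; fi
}

# Files worth watching: code and server config, not media.
_wp_code_files() {
  ( cd "$1" && find . -type f \( -name '*.php' -o -name '*.js' -o -name '.htaccess' \) | sort )
}

# Write "<sha256>  <relative path>" for every watched file into the manifest.
# Keep the manifest outside the web root: an attacker who can edit it can hide.
wp_baseline() {
  ( cd "$1" && _wp_code_files . | while IFS= read -r f; do _sha256 "$f"; done ) > "$2"
}

# Compare the install against a manifest. Prints one line per difference
# (added:, changed:, removed:) and returns 1 if anything differs, 0 if clean.
wp_verify() {
  dir=$1; manifest=$2
  now=$(mktemp)
  wp_baseline "$dir" "$now"
  report=$(awk -F'  ' -v base="$manifest" '
      FILENAME == base { old[$2] = $1; next }
      { seen[$2] = 1
        if (!($2 in old))       print "added:   " $2
        else if (old[$2] != $1) print "changed: " $2 }
      END { for (p in old) if (!(p in seen)) print "removed: " p }
    ' "$manifest" "$now" | sort)
  rm -f "$now"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Page 48 red flag: a PHP file under uploads/ is almost always a dropped web shell.
wp_find_uploads_php() {
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null
}

# Usage: sh wp_integrity.sh baseline /path/to/wordpress manifest.sha256
#        sh wp_integrity.sh verify   /path/to/wordpress manifest.sha256
case "${1:-}" in
  baseline) wp_baseline "$2" "$3" ;;
  verify)
    wp_find_uploads_php "$2" | sed 's/^/php-in-uploads: /'
    if wp_verify "$2" "$3"; then echo "clean"; else exit 1; fi ;;
esac
```

Re-run `baseline` right after every legitimate core, theme or plugin update, otherwise the next `verify` reports the update as a compromise. A scheduled `verify` that emails its output is the do-it-yourself version of the "service that detects site changes" on the slide.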

Page 50: What To Do If You’re Hacked

Page 51: Clean It Yourself

Page 52: Use a Service

• Security is their core business
• Cleans files, databases, backdoors, etc.
• Remove malware warnings
• Remove from blacklists
• Helps services learn for the benefit of all

Page 53: What To Do After Cleanup

• Change ALL passwords
• Change WP secret keys and salts
• Read this again: https://codex.wordpress.org/Hardening_WordPress
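Changing the keys and salts is the step above that is easiest to get wrong by hand: there are eight constants, all of them must change, and the file must keep its restrictive mode. As an added example that is not part of the deck, the POSIX shell script below rotates all eight in wp-config.php using values from /dev/urandom. It assumes the define('NAME', '...'); layout written by the wordpress.org secret-key generator, with or without the spaces inside the parentheses that newer wp-config-sample.php files use; the function names and the 64-hex-character value format are this example's own choices.

```shell
#!/bin/sh
# Added example, not from the deck: rotates the eight authentication keys and
# salts in wp-config.php (Page 53, "Change WP secret keys and salts"). Fresh
# values come from /dev/urandom; every existing login cookie stops validating,
# which is the point after a cleanup. Assumes the define('NAME', '...');
# layout written by the wordpress.org secret-key generator.
set -u

WP_SALT_NAMES="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 hex characters (256 bits) from the kernel CSPRNG. Hex keeps the value
# free of quotes, backslashes and sed metacharacters, so it is safe to splice
# into both PHP source and the sed replacement below.
wp_random_secret() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
}

# Current value of one constant, or empty if its define line is missing.
wp_get_secret() {
  sed -n "s/^define( *'$2', *'\([^']*\)' *);.*/\1/p" "$1"
}

# Replace every key and salt. Refuses (returns 1, file untouched) if any of
# the eight is missing, so a hand-edited config is never left half rotated.
# Writing through "cat >" keeps the file's owner and its 0600 mode.
wp_rotate_salts() {
  cfg=$1
  for name in $WP_SALT_NAMES; do
    [ -n "$(wp_get_secret "$cfg" "$name")" ] || { echo "missing $name in $cfg" >&2; return 1; }
  done
  for name in $WP_SALT_NAMES; do
    new=$(wp_random_secret)
    sed "s|^define( *'$name', *'[^']*' *);|define('$name', '$new');|" "$cfg" > "$cfg.tmp" \
      && cat "$cfg.tmp" > "$cfg" && rm -f "$cfg.tmp"
  done
}

# Usage: sh wp_rotate_salts.sh /path/to/wordpress/wp-config.php
if [ $# -ge 1 ]; then wp_rotate_salts "$1"; fi
```

Rotating the salts logs every user out, attacker included; do it after the database passwords have been changed and the backdoors removed, or the attacker simply logs back in with the credentials they still hold.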

Page 54: Now What?

Page 55: Thank You – Questions?

Follow at:
• @SiteLock
• @wpmodder

SlideShare:
• http://www.slideshare.net/wpprobusiness

My Blog Posts:
• http://wpdistrict.sitelock.com
• http://adamwwarner.com