#pubcon @schachin

WordPress Security Audits – Kristine Schachinger (@schachin), [email protected]

Pubcon Vegas Session - WordPress Site Security Audits



Page 2

WordPress is used by between 25-30% of sites.


Page 4

State of Security

• As of March 2016, Google reports that over 50 million website users have been greeted with some form of warning that websites visited were either trying to steal information or install malicious software. In March 2015, that number was 17 million.

Google currently blacklists close to 20,000 websites a week for malware and another 50,000 a week for phishing. PhishTank alone flags over 2,000 websites a week for phishing.

https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf

Page 5

WordPress is used by between 25-30% of sites (or 10 million sites if Gary Illyes is correct; either way, it is a lot!)

Page 6

“Over a third of the websites online are powered by four key platforms: WordPress, Joomla!, Drupal, and Magento. WordPress is leading the CMS market with over 60% market share. This explosion and dominance by WordPress is facilitated by global-user adoption, a highly extensible platform and focus on end users. Other platform technologies have experienced growth in more niche markets, like Magento in the online commerce domain with large and enterprise organizations, and Drupal in large, enterprise, and federal organizations.”

https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf

WordPress is King!


Page 9

https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf

Page 10

https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf

Page 12

https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf

#1 REASON for Getting Hacked on WordPress – SEO SPAM!

Approximately 31% of all infection cases are misused for SEO spam campaigns (either through PHP, database injections or .htaccess redirections) where the site was infected with spam content or redirected visitors to spam-specific pages.

The content used is often in the form of pharmaceutical ad placements (i.e., erectile dysfunction, Viagra, Cialis, etc.) and includes other injections for industries like fashion and entertainment (i.e., casino, porn).

Page 14

Low Hanging Fruit

Page 15

Most Hackers Are Not Human

Page 16

WordPress Has A Lot Of Low Hanging Fruit

Page 17

Why Would Anyone Want to Hack Your WordPress Website?

• SEO – multiple uses here including DDOS
• SPAM – site used to send SPAM emails
• MALWARE – hides the origin of the malware
• THEFT – passwords, credit card information, banking information, etc.
• ATTACKING OTHER SITES – sometimes a hacker’s objective is to make a website unavailable to users.

Page 18

http://www.wptemplate.com/wp-content/uploads/2013/07/Safety-and-Security-of-WordPress-Blog-Infographic.jpg

Page 19

How Do WordPress Sites Get Hacked?

• 41% by hosting platform vulnerabilities
• 29% by means of an insecure theme
• 22% via a vulnerable plugin
• 8% because of weak passwords

http://www.wptemplate.com/wp-content/uploads/2013/07/Safety-and-Security-of-WordPress-Blog-Infographic.jpg

Page 20

Low Hanging Fruit – Gets Picked

Page 21

Don’t Be Low Hanging Fruit

Page 22

Fortifying Your Site

Page 23

Analysis = Audit

Need to review:
• Access
• Security (Walls)
• Hosting
• Logins
• Plugins

Page 24

Access – Has it been limited?

• Secure wp-config. Makes accessing specific parts of your WordPress installation more difficult. Secure your wp-config.php file by moving it one directory above your WordPress installation.

• File Editor. Disable the File Editor in the WordPress admin panel, which means a hacker will require FTP access to modify core and theme files.

• Limit Roles. Limiting access also includes the use of appropriate user roles. Don’t assign an administrator role unless a person actually requires admin functionality.

Page 25

State of Security

“… out of the 11,000+ infected websites analyzed, 75% of them were on the WordPress platform and over 50% of those websites were out of date. Compare that to other similar platforms that placed less emphasis on backwards compatibility, like Joomla! and Drupal, the percentage of out-of-date software was above 80%.”

~ Sucuri

https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf

Page 26

Update. Update. Update.

Typically the biggest hole in a WordPress site. Update not only WordPress, but …
- Inactive themes and plugins (better to delete)
- Plugins
- Check that all plugins have updates
- If a plugin has not been updated in some time, take it off the site.

Good example is W3Cache

Security

Page 27

Two Most Popular Security Tools

• WordFence – one of the most popular security plug-ins.
• Sucuri – a step above just a security plug-in: with their paid service you get 24/7 server-side monitoring, including databases and file changes.
• Here is a list of other malware tools for WordPress.

Security Plug-Ins

Page 28

BE VERY CAREFUL TO NEVER use the ONLY WHITE LIST IPs setting in any security plug-in.

Search engine crawlers come from IPs you do not know, so an IP-only whitelist can block them.

Security Plug-Ins

Page 29

Hosting

Page 30

Hosting is one of the most important ways to prevent hacking attempts. What should I look for in a good host?

• Database Support. Besides supporting the latest versions of PHP and MySQL.
• Security & Malware Scanning. They should perform regular scans for malware.
• Backups. The company should perform daily backups.
• Site Support. Helpful to have support to chat with if your site does get hacked.
• WordPress Hosting Specific. WordPress has a unique set of issues not only with security, but with how it loads. WordPress providers have specialized in addressing these issues.

Review of hosting providers: https://fancythemes.com/best-wordpress-hosting-providers/

Hosting

Page 31

Hosting + SSL

Page 32

• SSL (HTTPS) is an added layer of security on your site and provides a slight ranking boost in Google.

• Don’t get FREE certificates. Go to a reputable hosting company and purchase one.

• SEO Caveat. There are many SEO issues related to moving from http to https, so make sure you have checked off those.
– Aleyda Solis has created an excellent checklist:

https://docs.google.com/spreadsheets/d/1XB26X_wFoBBlQEqecj7HB79hQ7DTLIPo97SS5irwsK8/edit#gid=1975121463

Hosting + SSL

Page 33

Logins

Page 34

Securing your Logins.
• Frequently change your passwords
• Avoid using the admin username
• Create a strong password
• Force users to use strong passwords with Force Strong Passwords
• Store passwords in a secure place like LastPass

You can take it one step further and …

• Limit login attempts. Plugins like Wordfence, Sucuri, Login LockDown and Login Security Solution enable you to constrain the number of login attempts from a single IP address within a certain amount of time. Perfect for keeping brute force attacks at bay.

• Employ two-step authentication. Adds a second layer of security that can only be passed by means of your cell phone, social network account or similar. Options include Duo Two-Factor Authentication, OpenID, and Clef.

• Hide your login page. Moving wp-admin and wp-login to non-standard addresses makes it harder for hackers to attack them. You can do so via Rename wp-login.php, HideLogin+ or Lockdown WP Admin.

http://torquemag.io/2016/03/wordpress-sites-hacked/

Logins
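What the "limit login attempts" plugins above are checking for, as an added Python example (not from the slides): it reads constructed Apache-style access log lines and flags any IP with more than five failed wp-login.php POSTs inside a five-minute window. The log lines, addresses and thresholds are assumptions; WordPress re-renders the form with a 200 on a failed login and redirects with a 302 on success.

```python
"""Count failed wp-login.php POSTs per source IP over a sliding window, the check
'limit login attempts' plugins perform. Added example; sample data is constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 fails eight logins in under a minute, while
# 198.51.100.4 fails once (200) and then logs in successfully (302).
SAMPLE_LOG = [
    f'203.0.113.7 - - [10/Oct/2016:13:55:{s:02d} +0000] '
    f'"POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"'
    for s in range(0, 60, 8)
] + [
    '198.51.100.4 - - [10/Oct/2016:13:50:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [10/Oct/2016:13:50:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [10/Oct/2016:13:54:50 +0000] "GET /wp-login.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"',
    'garbage line that should be skipped',
]

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None   # not a combined-format line; caller skips it
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}

def find_bruteforce(lines, max_attempts=5, window=timedelta(minutes=5)):
    """Map IP -> total failed attempts for IPs exceeding max_attempts in any window."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if (rec and rec["method"] == "POST" and rec["status"] == 200
                and rec["path"].split("?")[0] == "/wp-login.php"):
            failures[rec["ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1          # slide the window forward
            if end - start + 1 > max_attempts:
                flagged[ip] = len(times)
                break
    return flagged
```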

Page 35

Plugins

Page 36

Plugins. These were the top three out-of-date, vulnerable plugins at the point at which a website engaged Sucuri for incident response services:

https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf

Page 37

Plugins

• Get it from a known source like Yoast, Sucuri, Wordfence
– Hackers, SEOs, affiliate marketers and others create seemingly legitimate plugins to get backdoor access to your site
• Check last update by developer
– If it has not been updated recently, it is likely vulnerable.
• Check reviews; sometimes good plugins go bad
• Check number of installations

Plugins

Page 38

Advanced

Page 39

Add SALTs To wp-config.php
• WordPress security keys were introduced in WordPress 2.6.
• SALTs encrypt user cookies and make it more difficult to access this data.

The keys go into your wp-config.php file here

http://torquemag.io/2016/03/wordpress-sites-hacked/

Advanced

Page 40

Add SALTs To wp-config.php (cont.) Replace them with code from the WordPress SALT generator and you get something like this …

http://torquemag.io/2016/03/wordpress-sites-hacked/

Advanced
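An audit check for the two wp-config.php items on these slides (the SALT keys on Pages 39-40 and the disabled File Editor on Page 24), as an added Python example rather than the slides' own code: it parses a wp-config.php, reports keys still set to the sample file's placeholder, checks that DISALLOW_FILE_EDIT is true, and generates replacement define() lines. The eight constant names and the placeholder text are WordPress's; the 64-character minimum and the sample config are assumptions.

```python
"""Audit wp-config.php for the eight security keys/salts and DISALLOW_FILE_EDIT,
and generate replacement keys. Added example, not the slides' own code."""
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_PLACEHOLDER = "put your unique phrase here"   # value in wp-config-sample.php
MIN_LEN = 64                                           # assumed minimum key length
DEFINE_RE = re.compile(r"define\(\s*'(\w+)'\s*,\s*(?:'([^']*)'|(true|false))\s*\)")

# Constructed sample: a config copied from wp-config-sample.php and never edited.
SAMPLE_CONFIG = "<?php\n" + "\n".join(
    f"define('{n}', '{DEFAULT_PLACEHOLDER}');" for n in KEY_NAMES) + "\n"

def parse_defines(config_text):
    """Map constant name -> string value, or bool for true/false literals."""
    out = {}
    for name, text, literal in DEFINE_RE.findall(config_text):
        out[name] = (literal == "true") if literal else text
    return out

def audit_wp_config(config_text):
    """Return a list of findings; an empty list means every checked item passes."""
    defs = parse_defines(config_text)
    findings = []
    for name in KEY_NAMES:
        value = defs.get(name)
        if value is None:
            findings.append(f"{name}: missing")
        elif value == DEFAULT_PLACEHOLDER:
            findings.append(f"{name}: still the sample placeholder")
        elif len(value) < MIN_LEN:
            findings.append(f"{name}: shorter than {MIN_LEN} characters")
    if defs.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT: not true, the theme/plugin editor is enabled")
    return findings

def generate_salt_block(length=64):
    """Build fresh define() lines in the form the slide shows, from a CSPRNG."""
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_[]{}<>~+=,.;:/?|"
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(alphabet) for _ in range(length))
        lines.append(f"define('{name}', '{value}');")
    return "\n".join(lines)
```

The alphabet deliberately excludes the single quote and backslash so the generated values drop into a PHP single-quoted string unescaped.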

Page 41

Hide Your WP Version Number

• WordPress adds a meta tag to your site’s head section that shows off which version of the CMS you are running. Knowing what version you are using helps hackers know what vulnerabilities are in your site.

Below is a useful piece of code that stops WordPress from doing so. Just add it to your functions.php file and you are done with it:

remove_action('wp_head', 'wp_generator');

http://torquemag.io/2016/03/wordpress-sites-hacked/

Advanced
