WORDPRESS SECURITY 101
HACKERS, SCOUNDRELS, AND VILLAINS, OH MY

PRESENTED BY: GARRY MCNEILLY
KOJAC CONSULTING

SLIDE 2 – PRESENTATION OVERVIEW
You will learn how to secure your desktops & servers
Secure WordPress websites
Basics of themes & plugins
Develop and test in a local environment
Basics of MySQL and XAMPP
Best practices for securing your email using Sender Policy Framework

SLIDE 3 – SECURE YOUR LOCAL WORKING ENVIRONMENT
Keep your software up to date – run Windows Update on a regular basis
Install antivirus on all computers & servers; keep antivirus up to date
Implement a hardware or software firewall solution whenever possible

SLIDE 4 – ANTI VIRUS, FIREWALLS, MALWARE
Free solutions
www.comodo.com – Firewall and internet security (remove the GeekBuddy 24/7 upsell)
www.zonealarm.com – Free firewall
http://www.avast.com – Basic antivirus
http://www.avg.com – Basic free antivirus

SLIDE 5 – ANTI VIRUS, FIREWALLS, MALWARE
What is it… "Today, malware is used primarily to steal sensitive information of personal, financial, or business importance by black hat hackers with harmful intentions"
Malware includes:
Viruses
Trojan horses
Rootkits
Backdoors
Malwarebytes – http://www.malwarebytes.org

SLIDE 6 – SECURE YOUR LOCAL WORKING ENVIRONMENT
Lock down your browser
HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure. https://www.eff.org/https-everywhere-node
No mention of IE…
Keep your browsers up to date

SLIDE 7 – SECURE YOUR LOCAL WORKING ENVIRONMENT
Firefox add-on – NoScript Security Suite 2.6.8.5
"The best security you can get in a web browser! Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks." https://addons.mozilla.org/en-US/firefox/addon/noscript/
Note: it takes a little while to configure your sites

SLIDE 8 – WHAT HAS MY ISP DONE FOR ME LATELY
Does my ISP notify me of server / database upgrades?
Do they lock me out if there are too many login attempts, and do they let you know?
Are you on a shared server or a dedicated server (cross contamination) – and if so

SLIDE 9 – WHAT HAS MY ISP DONE FOR ME LATELY
Are your sites segmented?
Do you have one master account for access to all accounts? Own one, own all.

SLIDE 10 – WHAT HAS MY ISP DONE FOR ME LATELY
Do you have a limitation on your MySQL database (how many records can you have, how big can your database be)!!!
Do they offer a Sender Policy Framework for email?
What's technical support like: phone | email | 24/7, or whenever we decide to get back to you?

SLIDE 11 – WHAT HAS MY ISP DONE FOR ME LATELY
What's their Service Level Agreement (SLA) like?
Do they offer backup services?
What's their data retention policy like?

SLIDE 12 – TWO STEP AUTHENTICATION – 3RD PARTY APPS

SLIDE 13 – TWO STEP AUTHENTICATION – DROPBOX – 3RD PARTY APPS
1. Sign in to the Dropbox website.
2. Click on your name at the upper right of any page to open your account menu.
3. Click Settings from the account menu and select the Security tab.
4. Under the Account sign in section, next to Two-step verification, click Enable.

SLIDE 14 – TWO STEP AUTHENTICATION – 3RD PARTY APPS
Just a few more accounts that have two step authentication:
LinkedIn – new after they were hacked, nearly 6.5 million users
Microsoft Accounts
Wordpress.com
Godaddy.com

SLIDE 15 – FTP – DON'T GET ME STARTED !!!
File Transfer Protocol – FTP
It's not secure and has no encryption of data
Stop using it right now
The SSH File Transfer Protocol (also known as Secure FTP and SFTP) is a better solution.

SLIDE 16 – FTP – DON'T GET ME STARTED !!!
You may need to contact your ISP / hosting provider to activate or install it. You may also need to use different port numbers: 21 or 22.
Secure FTP also gives you root access to directories and subdirectories for all accounts – so be careful when transferring files or accessing accounts.

SLIDE 17 – PASSWORDS MANAGEMENT – PASSWORDS VS. PASS PHRASES
Passwords:
Tend to be really common dictionary words
Easy to guess / crack
"Password" is a bad password
Pass phrases:
Tend to be much longer and harder to guess / crack
Longer character set with special characters

SLIDE 18 – PASSWORDS MANAGEMENT
Password example
Your wife's name is: Tonya
Change O to zero: T0nya
Passphrase example
MyWifeT0nyaCant_Cook (still common but a little harder to crack)

SLIDE 19 – PASSWORDS MANAGEMENT
Add upper and lower case as well as special characters
MyW1feT0nyaCant_Cook#@!
And if for some reason your wife needs your password….. change it QUICK
MyW1fe_T0nyaIs_A_GrateC00k
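As an added example (not part of the deck), a small Python check that scores the deck's own password examples the way a defender would: it undoes the usual letter-for-digit substitutions before looking for dictionary words, so "T0nya" is seen for the name it is, while the longer passphrases keep most of their search space. The word list, the bit-estimate penalty and the 40-bit "weak" threshold are constructed assumptions, not figures from the presentation.

```python
import math
import string

# Constructed stand-in for a cracker's word list (real lists hold millions
# of names and words); "tonya" and "wife" are here because the deck uses them.
COMMON_WORDS = {"tonya", "password", "admin", "letmein", "welcome", "wife"}

# Substitutions that cracking tools undo automatically, so "T0nya" is
# tried as "tonya" at almost no extra cost.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def pool_size(pw: str) -> int:
    """Size of the character set an attacker must search, by the classes used."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)  # the 32 printable ASCII symbols
    return pool


def dictionary_hits(pw: str) -> list:
    """Words from the list that appear once leet substitutions are undone."""
    plain = pw.translate(LEET).lower()
    return sorted(w for w in COMMON_WORDS if w in plain)


def assess(pw: str) -> dict:
    pool = pool_size(pw)
    # Upper bound: bits of work if every character were an independent random pick.
    naive_bits = len(pw) * math.log2(pool)
    hits = dictionary_hits(pw)
    # Crude penalty (assumption): a recognised word costs the attacker about
    # log2(word-list size) bits instead of len(word) * log2(pool).
    effective = naive_bits
    for w in hits:
        effective -= len(w) * math.log2(pool)
        effective += math.log2(len(COMMON_WORDS))
    verdict = "weak" if effective < 40 else "ok"
    return {"length": len(pw), "pool": pool, "naive_bits": round(naive_bits, 1),
            "effective_bits": round(effective, 1), "dictionary_hits": hits,
            "verdict": verdict}


if __name__ == "__main__":
    for pw in ("T0nya", "MyWifeT0nyaCant_Cook", "MyW1feT0nyaCant_Cook#@!"):
        print(pw, assess(pw))
```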
SLIDE 20 – PASSWORDS MANAGEMENT
www.lastpass.com
Can be used on all devices
Auto fills user names & passwords

SLIDE 21 – PASSWORDS MANAGEMENT
www.RoboForm.com
https://www.passpack.com
http://keepass.info/
These programs have the ability to generate complex passwords that are hard to remember unless you are using a password manager

SLIDE 22 – WORDPRESS SECURITY

SLIDE 23 – WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
$$$ Financial gain $$$
Hackers make money in a few ways:
Affiliate marketing referrals – pay per click
Zero day exploitations

SLIDE 24 – WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
Pharma hacks (Viagra), counterfeit drugs
Change DB | insert spam | add a backdoor
Redirect URL

SLIDE 25 – WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
Site redirections
SEO poisoning of your keywords
Access to membership lists
Ecommerce theft – such as Infusionsoft and PayPal
Credit card information

SLIDE 26 – WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
Defacement of site – script kids just #being shit heads
Install backdoor software – own one, own all
Malicious redirect – they make money from pay per click
Injections – iframe specifically
Identity theft #juststealingyourshit

SLIDE 27 – WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
• Email compromise allowing for phishing attacks
• CryptoLocker ransomware attacks: "The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment"

SLIDE 28 – HOW DOES THIS AFFECT ME & MY BUSINESS
• Loss of trust with clients
• Loss of business
• Loss of time, effort and lots of money to fix your website
• Tarnished online reputation

SLIDE 29 – THIS THREAT IS NOT REAL, IS IT?
Just a few stats to scare the crap out of you
• 12,000 to 14,000 sites per day are blacklisted
• Google documents and issues 5 million warnings per week

SLIDE 30 – DOMAIN NAME MANAGEMENT
Make sure you or your clients own their domain name
Set up auto renewal
Add privacy to your domain if possible – making it harder to steal
*Domain Name Extortion
Example: www.sitedudes.com – No long term contracts my ass !!! They did offer a complementary ass kicking…though

SLIDE 31 – WORDPRESS SECURITY – INSTALL REVIEW
Most WP setups out of the box are configured with:
- admin (username)
- password (you create)
You have just helped a hacker with ½ the answers to your login by using admin as a user name

SLIDE 32 – WORDPRESS SECURITY
Install the Google Authenticator plugin for WordPress.
Hackers now need:
- Your long user name
- Long complex password
- TXT sent to your phone

SLIDE 33 – WORDPRESS SECURITY
Create a user name that is at least 15 characters including upper and lower case and special characters
Password: use a program such as LastPass to create a long and complex password

SLIDE 34 – WORDPRESS SECURITY
Limit login attempts plugins will help to stop brute force attacks by locking your site after a specific number of attempts.

SLIDE 35 – WORDPRESS SECURITY
Example – Brute Force Attack
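The brute force attack on slides 34 and 35 is what a login-limiting plugin blocks at the application layer; as an added example (not from the deck or any plugin), here is the same signal read from the web server log, which also works after the fact on a host where no plugin was installed. The log lines are constructed, and the code assumes the usual WordPress behaviour that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful login redirects with HTTP 302.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache-style access log lines (not real traffic).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Nov/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [10/Nov/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [10/Nov/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [10/Nov/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [10/Nov/2013:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.7 - - [10/Nov/2013:10:00:11 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [10/Nov/2013:10:05:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3301
198.51.100.2 - - [10/Nov/2013:10:05:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')


def parse_line(line: str):
    """Return the fields we need from one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%d/%b/%Y:%H:%M:%S %z")
    ev["status"] = int(ev["status"])
    return ev


def find_bruteforce(lines, threshold=5, window_s=60):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside any window_s window."""
    by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and ev["method"] == "POST" and ev["path"].split("?")[0] == "/wp-login.php":
            by_ip[ev["ip"]].append(ev)
    findings = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        fails = [e["ts"] for e in evs if e["status"] == 200]   # assumed: 200 = failed login
        peak, start = 0, 0
        for i, ts in enumerate(fails):          # sliding window over failure times
            while (ts - fails[start]).total_seconds() > window_s:
                start += 1
            peak = max(peak, i - start + 1)
        if peak >= threshold:
            # A redirect after the burst means the guessing probably worked:
            # treat the account as compromised, not just attacked.
            success_after = any(e["status"] == 302 and e["ts"] > fails[-1] for e in evs)
            findings[ip] = {"failed": len(fails), "peak_per_window": peak,
                            "success_after": success_after}
    return findings


if __name__ == "__main__":
    for ip, info in find_bruteforce(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Lowering the threshold or the window to match the plugin's lockout settings lets the log check confirm that the plugin is actually firing.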
SLIDE 36 – SO WHAT CAN I DO TO REDUCE MY RISK
• Remove all unused themes & plugins
• Monitor your website on a regular basis
• Keep your site up to date
• Change file permissions from the standard defaults
• Remove users and roles if they are not being used
• Keep your production server tidy – it's not a backup server or file server

SLIDE 37 – WP USERS & THEIR ROLES
Administrator
Editor
Author
Contributor
Subscriber

SLIDE 38 – SO IS YOUR SITE UP TO DATE – MAJOR RELEASE VS. POINT RELEASE
WP 3.6 – 3.7 Major Release
Old calls & functions
Core security flaws
Performance issues
Core related issues

SLIDE 39 – SO IS YOUR SITE UP TO DATE – WP 3.7.1 POINT RELEASE
Bug fixes
Security updates
Images with caption fixed
Visual editor fixed
NOTE: Major and minor updates still have the ability to bring your site down or cause issues. This is why you should always back up your production site. Replicate your site in a test environment and make sure that there are no errors or issues.

SLIDE 40 – TOOLS TO TEST YOUR SITE
http://sucuri.net/ checks for:
Software version
Blacklisted
Malware
Malicious JavaScript
Malicious iframes
Drive by downloads
Anomaly detection
IE-only attacks
Suspicious redirects
Spam

SLIDE 41 – WORDPRESS SECURITY
So what's a Theme ???
Themes will define the look and feel of your site
A child theme is a theme that inherits the functionality of another theme, called the parent theme. A child theme allows you to modify, or add to, the functionality of that parent theme.

SLIDE 42 – WORDPRESS SECURITY
A child theme is the safest and easiest way to modify an existing theme, whether you want to make a few tiny changes or extensive changes. Instead of modifying the theme files directly, you can create a child theme and override within it.

SLIDE 43 – WORDPRESS SECURITY
Responsive design – will resize the look and feel for mobile devices such as smart phones, tablets, netbooks
Note: when purchasing themes, look at the developer's upgrade status. If the theme has not been updated in a while, keep looking.

SLIDE 44 – TIMTHUMB – COMMERCIAL THEMES EXPLOITATION
An image resizing utility called timthumb.php
Bundled in some commercial / free themes
Remote code execution

SLIDE 45 – TIMTHUMB – COMMERCIAL THEMES EXPLOITATION
SQL injection vulnerability
Google shows over 39 million results for the script name
If you find it, fix it right away
This is still active and a huge problem in the WP community

SLIDE 46 – CREATE A TEST ENVIRONMENT
Used to develop or replicate a website in a local environment
Test themes / plugins / applications before they go live
Use a staging environment for testing for viruses / defects

SLIDE 47 – PLUGINS EXPLAINED
What's a WP plugin ???
WP plugins are used to add additional functionality to your site, including: security, performance, calendars, social media, fonts, custom features, site backups.
Before installing a plugin make sure it's compatible with your version of WP; review the author and make sure they keep up to date with current WP versions, standards and best practices.

SLIDE 48 – SOME KICK ASS PLUGINS
Limit Login Attempts
WP Security
Google Authenticator
DEVELOPMENT TOOLS
Notepad++
Asana.com – used for project management

SLIDE 49 – CREATE A TEST ENVIRONMENT
Microsoft WebMatrix
BitNami
WordPress local install

SLIDE 50 – CREATE A TEST ENVIRONMENT – TOOLS FOR CREATING A LOCAL TEST ENVIRONMENT
Microsoft WebMatrix – http://www.microsoft.com/web/webmatrix/
Installing WebMatrix may not work correctly if you have Skype installed, which also uses port 80, or any other program that uses port 80.
It also requires some file modification to move it from the test environment to production.

SLIDE 51 – CREATE A TEST ENVIRONMENT
Bitnami.com
Simple application deployment from development to production
Bitnami supports Windows, Mac OS X and Linux operating systems, and VMware virtualized environments
You can also use a subdirectory on your production website

SLIDE 52 – CREATE A TEST ENVIRONMENT
Local development also requires software to run the local database.
XAMPP – http://www.apachefriends.org/en/xampp.html
WAMP – http://sourceforge.net/projects/wampserver/
These two packages use localhost for development.
The package includes the Apache web server, MySQL, SQLite, PHP, Perl, an FTP

SLIDE 53 – CONCLUSION TO THE PRESENTATION
Questions & Answers
Contact info
Garry McNeilly
Kojac Consulting
www.kojac-consulting.com
garry@kojac-consulting.com
Phone: 416-898-9084
WordPress Security 101 – Hackers, Scoundrels, and Villains, Oh My