Tips on how to improve the security of your WordPress site and develop better security posture. I’ll explore the motivations behind why WordPress sites get attacked and how to protect, detect and respond to these threats.

1. https://www.sucuri.net https://blog.sucuri.net

2. Who are we?
● Globally distributed website security
team
● Website Antivirus + Firewall
● Clean hundreds of websites per day
● Protect against countless attacks
● Platform agnostic

3. Who am I?
● Ben Martin @rngdmstrben
● Remediation Lead and malware slaya' at Sucuri
● Hails from Victoria BC
● ~2 years at the company cleaning websites
● Security / online privacy geek
● Music Producer & cat enthusiest

4. Building a Better Security Posture
● Security matters: All websites get
attacked!
● Responsibility & safety
● Attackers go after low hanging fruit
● Peace of Mind
Security can be complicated but the principles are actually very simple :)

6. What is 'Security Posture'?
● Security is not just a service or
software that can be
purchased
● Security is an attitude
● Development of good habits
● Critical thinking + wee bit of
healthy paranoia
There are NO silver bullet security solutions!

7. Be Proactive Not Reactive
● “We are intuitive. We drink water before we become
dehydrated. We sleep before we become overtired.
Most of the time, we automatically defend ourselves
from germs and viruses, because we have
consciously (and unconsciously) focused on
preventative maintenance for our bodies and
minds...Spend more time preventing problems
and less time fixing issues that result from a
compromise”
David L. Prowse

8. Common Myth!
● “Bob must have gone to some website
that he shouldn't have!”
● All types of websites get
attacked/compromised regardless of
content
● You don't have to go to “sketchy”
websites to find malware

9. Popular CMS = Targeted CMS
● WP is more than 20% of the Internet!
● Common targets for attackers
● Vulnerable plugins + themes are a big
problem

10. Why would someone want to hack ME!?
● Automation – targeted attacks are
usually reserved for big companies
● Same thing that motivates most bad
behaviour: Money! $$$
● Phishing, malicious redirects, drive
by downloads, blackhat SEO
● Defacements / Hacktivism

11. Security is a Priority
● We all want our websites to have excellent content, look
nice and be easy to use. Add security to that list!
● You are responsible as a site owner
● Check up on your site security every time you log in –
familiarize yourself with your environment
● Learn to recognize when something
is out of place

12. What is POOR Security Posture?
● Avoiding plugin, theme & core
updates
● Using “freemium” (pirated) plugins,
themes or other software
● Lumping multiple
websites/subdomains into the
same hosting account
● Relying on the assumption that
you won't be hacked because it is
unlikely (?)

13. Responsibility
● Responsibility to protect your
site visitors & yourself
● Protect your reputation & hard
work! “Is this site safe?”
● Consider security a priority
from day one
● Your visitors trust you & your
website

14. Plugins
● Out of date / vulnerable software is leading
cause of website infection
● Less is more
● Decrease the attack surface
● Avoid old plugins and update update update!!!
● Also helps speed/memory of site

15. Passwords
● Other leading cause of infection
● Pass123 = no bueno
● Automated password attacks
● Reusing passwords = no buneo
● Use secure, encrypted protocols
like SFTP or FTPS

16. Backups
● Backup your website. Always. ALWAYS.
● Your best friend on a rainy day
● Store them offline in a safe place
● Learn how to restore via FTP & database –
this goes a long way

17. Practical Steps to Take
● UPDATE UPDATE UPDATE!!!
● Don't keep old software on your server
● Use a security plugin (Sucuri Scanner,
Wordfence, iThemes, etc)
● Consider a firewall – paid & free options
available

18. Practical Steps to Take pt. 2
● Default settings are inherantly
unsafe for all software/hardware!
● Exercise least privilege
● define( 'DISALLOW_FILE_EDIT',
true );
● Verify your file permissions and
ownership ( 644, 755 )

19. Lock Down /wp-admin
● Don't use admin name 'admin'
● Employ the use of a CAPTCHA
● Restrict access by IP address
● Don't forget to monitor who's
logging in

20. Sucuri Scanner WP Plugin (free)
● Security activity auditing
● File integrity monitoring
● Remote malware scanning
● Website hardening

21. What if I get HACKED!?!?1
● This is when you really
appreciate being proactive
● Website compromises are
stressful but don't panic!
● Every problem has a
solution
● Not a bad idea to disclose
to your visitors

22. Protect Yourself Online
● All this talk about malware, how do I stay safe!?
● Antivirus obviously (yes even if you have a Mac)
● Practice good / responsible browsing habits
● Security browser extensions – NoScript, AdBlock, HTTPS Everywhere
● Web browser security is can be annoying & inconvenient but is very
important

23. visitorTracker_isMob( ){
● Very aggressive campaign
targeting multiple vulnerabilities
● Ultimate goal is to redirect users to
Nuclear Exploit Kit (Ransomeware,
Cryptolocker, other exploits)
● Many thousands of websites
infected + blacklisted