Real WordPress Security - Kill the Noise

A WordPress presentation that focuses on security principles rather than the false sense of security that comes from adding 20 plugins. Let's stick to the basics, folks!

This presentation was given at WordCamp Miami #wcmia

Published in: Technology, News & Politics

Transcript

  • 1. Real Security for WordPress – Dre Armeda @dremeda – Sucuri.net @sucuri_security
    Real WordPress Security: Kill the noise!
  • 2. Dre Armeda
    Co-Founder of Sucuri Inc. – Sucuri.net
    Co-Host of DradCast – DradCast.com
    @dremeda | dremeda.com | drejitsu.com
    • Softball Dad
    • Proud Navy Veteran
    • Brazilian Jiu-Jitsu Player
    • Chargers & Angels Fan
    • Harley Enthusiast
    • Taco Lover
  • 4. The Internet Rocks
    With adoption and growth comes innovation!
    • Over 2 billion internet users today (Internet World Stats)
    • 566% growth in the last 12 years (Internet World Stats)
    • 861,379,000 registered hostnames as of Jan 2014 (Tech Made Easy)
    • 180,000,000 active websites (Tech Made Easy)
  • 6. It's Not All Peachy
    Innovative thinking sparks risk:
    • Malware (short for malicious software)
    • DoS/DDoS (denial of service)
    • Brute force
    • SPAM links
    • SEO poisoning
    • XSS
    • SQL injection
    • Blacklisting
    • DNS poisoning
  • 7. Malware Type Distribution (SiteCheck numbers don't lie!)
    • Remote iFrame includes: 26%
    • Remote JavaScript includes: 19%
    • SPAM injections: 16%
    • Obfuscated / encoded JavaScript: 14%
    • Conditional redirects: 11%
    • Defacements: 4%
    • Other: 10%
  • 8. Trends
  • 9. How Bad Is It? An explosion in malicious web links! (chart: malicious links, 2011 vs. 2012)
  • 10. What Are Malicious Links? Oh, you've seen them. You've seen them everywhere!
  • 11. Increase in Phishing: all is not what it seems!
  • 12. Search Engine Poisoning (SEP): "Get Payday Loans" or "Cheap Pills".
  • 13. Brute Force
  • 14. Denial of Service (DoS)
  • 16. Why Is This Happening? Awesome spawns not-so-awesome situations!
  • 17. Almost always for the $$$
  • 18. How Does This Happen? A new type of webmaster!
  • 19. The World's Biggest Weakness
  • 20. Am I At Risk? The percentage of risk will never be zero! Ever see a dodo bird?
  • 21. Everyone is a Target! Even you!
  • 22. What Can We Do? Be smart. Be consistent. Cut out the noise!
  • 23. Things You May See if your site is infected:
    • Your users say they are being redirected
    • Spam links in your HTML, sometimes even visible on the page
    • Google's SERP shows Viagra for your keywords
    • Google blacklists you
    • Sharp traffic decreases for no apparent reason
  • 24. Quick Steps if you think your site is infected:
    • Scan for malware: http://sitecheck.sucuri.net
    • Kill all WordPress sessions by resetting the keys and salts in wp-config.php; every login cookie is signed with them, so changing them logs everyone out, attacker included: http://wordpress.org/support/topic/set-up-a-secret-key-in-wordpress-25
    • Reset ALL passwords (WP, FTP, SSH)
    • Replace WordPress core with a fresh copy
    • Update ALL software
    • Look for out-of-place files
    • Hire someone to audit the site and perform a full server-side scan and cleanup
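Two of those quick steps in runnable form, as an added example that is not part of the talk: rotating the wp-config.php keys and salts (which invalidates every login cookie) and checking a core directory against a checksum manifest to find modified, missing and out-of-place files. The wp-config.php contents, the core file and the manifest are constructed stand-ins built by the script itself; on a live site the manifest would be the official checksums for the installed core version (what `wp core verify-checksums` compares against) and the functions would be pointed at the real document root.

```shell
#!/bin/sh
# Added example, not from the talk: "reset salts" and "look for out of place
# files" against a throw-away WordPress layout that this script constructs.
# Paths, the placeholder wp-config.php and the manifest are stand-ins.
set -u

hash_file() {   # first SHA-256 field, from coreutils or Perl shasum
    ( sha256sum "$1" 2>/dev/null || shasum -a 256 "$1" ) | cut -d' ' -f1
}

# 64 random characters from the kernel RNG, same character class as the
# WordPress secret-key service ('-' placed last so tr does not read a range).
new_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_=+-' < /dev/urandom | head -c 64
}

# Rewrite all eight keys and salts in wp-config.php. Every login cookie is
# signed with the old values, so this logs out every session (the attacker's
# included) without touching the database.
rotate_salts() {   # $1 = path to wp-config.php
    cfg=$1
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        export "NEW_$k=$(new_salt)"            # handed to awk through ENVIRON
    done
    awk 'BEGIN { q = sprintf("%c", 39) }        # q is a single-quote character
         /^define\(/ && match($0, /[A-Z_]+(_KEY|_SALT)/) {
             name = substr($0, RSTART, RLENGTH)
             if (("NEW_" name) in ENVIRON) {
                 print "define(" q name q ", " q ENVIRON["NEW_" name] q ");"
                 next
             }
         }
         { print }' "$cfg" > "$cfg.tmp" && mv "$cfg.tmp" "$cfg"
}

current_value() {   # $1 = wp-config.php, $2 = constant name -> its define() line
    grep "^define('$2'" "$1" | head -n 1
}

# "sha256  relative/path" for every file under a directory (manifest format).
build_manifest() {   # $1 = directory
    (cd "$1" && find . -type f | sed 's#^\./##' | LC_ALL=C sort) |
        while IFS= read -r f; do
            printf '%s  %s\n' "$(hash_file "$1/$f")" "$f"
        done
}

# Compare a tree against its manifest and report changed, missing and
# never-shipped files. A core directory such as wp-includes/ should be silent.
check_tree() {   # $1 = directory, $2 = manifest
    dir=$1 manifest=$2
    while read -r expected path; do
        if [ ! -f "$dir/$path" ]; then
            echo "MISSING $path"
        elif [ "$(hash_file "$dir/$path")" != "$expected" ]; then
            echo "MODIFIED $path"
        fi
    done < "$manifest"
    (cd "$dir" && find . -type f | sed 's#^\./##' | LC_ALL=C sort) |
        while IFS= read -r f; do
            awk -v p="$f" '$2 == p { found = 1 } END { exit !found }' "$manifest" ||
                echo "UNEXPECTED $f"
        done
}

# Constructed stand-in for a real install (placeholder salts, one core file);
# prints the directory it created.
make_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes"
    cat > "$root/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
    echo '<?php // shipped core file' > "$root/wp-includes/version.php"
    build_manifest "$root/wp-includes" > "$root/manifest.txt"
    echo "$root"
}

# Stand-alone run: rotate, then plant a tampered and a foreign file and report.
demo() {
    root=$(make_fixture)
    rotate_salts "$root/wp-config.php"
    current_value "$root/wp-config.php" AUTH_KEY
    echo '// tampered' >> "$root/wp-includes/version.php"
    echo '<?php // not in any release' > "$root/wp-includes/wp-cache.php"
    check_tree "$root/wp-includes" "$root/manifest.txt"
    rm -rf "$root"
}
demo
```

Rotate the salts after the passwords have been reset, otherwise the attacker logs straight back in with the stolen one. A clean core check says nothing about wp-content/ (themes, plugins, uploads); that tree needs per-package checksums or a manual review.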
  • 25. Proactive Defenses!
  • 26. Keep Software Updated
    Outdated software, along with weak passwords, is the leading cause of infection.
    • Scared to upgrade because stuff breaks? Know the difference between a major and a point release.
    • Run upgrade tests
    • Do your homework
    • Information security is everyone's responsibility
  • 27. Use Trusted Sources!
  • 28. No Soup Kitchen Servers
    • WordPressers act like they forgot about DEV
    • Cross-contamination is a big deal: one compromised site on a shared account can infect every other site on it
    • Segment by user and account
    • "Not active" is not good enough: if it's not in use, get rid of it
    • Production is not your archive server!
  • 29. Reduce Access
    Least privilege to some, no privilege for most. Give people enough access to do their job, nothing more, and remove that access when the job is done!
    • Use proper roles; this goes for WordPress, FTP, databases, etc.
    • Limit failed logins to thwart brute force
    • Use two-factor authentication and a layered login
    • Disable PHP execution! Do it in directories that should never run code (the uploads tree, for example); dropped at the site root this would take the whole site down:
        <Files *.php>
        Deny from all
        </Files>
      That is the Apache 2.2 syntax; on Apache 2.4 without mod_access_compat the equivalent is "Require all denied".
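The two controls on that slide that have mechanics behind them, as an added example not from the talk: spotting a brute-force run in the access log (credential POSTs to wp-login.php or xmlrpc.php from one source inside one clock minute) and the "no PHP execution" .htaccess written so it works on both Apache 2.2 and 2.4. The log lines are constructed with RFC 5737 documentation addresses; the threshold and the one-minute window are assumptions of this script, to be tuned to the site's real login traffic.

```shell
#!/bin/sh
# Added example, not from the talk: brute-force detection over a constructed
# access log, and an uploads-directory .htaccess that refuses to serve PHP.
set -u

# Constructed combined-format log: one host hammering wp-login.php, one host
# trying xmlrpc.php slowly, one ordinary user who logs in on the first try.
sample_log() {
    cat <<'EOF'
203.0.113.5 - - [10/Mar/2014:12:34:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:12:34:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:12:34:05 -0500] "GET /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:12:34:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2014:12:34:21 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:12:34:09 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Mar/2014:12:34:11 -0500] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2014:12:35:40 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests"
192.0.2.9 - - [10/Mar/2014:12:35:41 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests"
192.0.2.9 - - [10/Mar/2014:12:36:02 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests"
192.0.2.9 - - [10/Mar/2014:12:36:03 -0500] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests"
EOF
}

# Print "ip minute count" for every source that POSTed to wp-login.php or
# xmlrpc.php more than $1 times within one clock minute. Both endpoints accept
# credentials; on wp-login.php a 200 is the failed-login page and a 302 is a
# successful login, so a burst of 200s from one address is the tell.
flag_bruteforce() {   # $1 = threshold, log on stdin
    awk -v limit="$1" '
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            minute = substr($4, 2, 17)      # "[10/Mar/2014:12:34:01" -> "10/Mar/2014:12:34"
            count[$1 " " minute]++
        }
        END { for (k in count) if (count[k] > limit) print k, count[k] }' | sort
}

# The slide snippet, made safe for both Apache generations. Put this .htaccess
# under a tree that must never run code (wp-content/uploads is the usual one).
# "Order/Deny" are 2.2 directives that only exist on 2.4 via mod_access_compat,
# so the 2.4 form is selected whenever mod_authz_core is loaded.
write_no_php_htaccess() {   # $1 = directory to protect
    cat > "$1/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order Deny,Allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

# Stand-alone run: flag anything over 3 credential POSTs a minute, then
# protect a scratch uploads directory and show the file.
demo() {
    sample_log | flag_bruteforce 3
    d=$(mktemp -d)
    write_no_php_htaccess "$d"
    cat "$d/.htaccess"
    rm -rf "$d"
}
demo
```

The flagged addresses are what a fail2ban jail or the web server's own access rules would then block. The .htaccess belongs only under directories that hold uploads, never at the site root; nginx ignores .htaccess files entirely, so there the same rule has to be a `location` block in the server configuration.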
  • 30. Password Management
    Complex. Long. Unique.
    • "password" is still among the top 5 passwords in active use
    • Use unique passphrases
    • Use different passwords across accounts
    • Use a password management tool
    • "password" is a password, not to be used as your password, ever!
  • 31. Backup Schedule
    When they hack you, reduce downtime.
    • Create a schedule today!
    • Back up outside of your production environment
    • Multiple backups are awesome
    • Talk to your host to see what they offer
    • Various tools are available
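A backup run of the kind such a schedule would fire from cron, as an added example that is neither the talk's nor any vendor's tool: it archives the site tree, records a SHA-256 of the archive, checks that the archive reads back before trusting it, and keeps only the newest N copies so "multiple backups" does not end in a full disk. The site contents are constructed; the backup target path, the retention count and the optional timestamp argument are assumptions of this script, and a real job would add a database dump beside the file archive and write to storage outside the production host.

```shell
#!/bin/sh
# Added example, not from the talk: one scheduled backup run with verification
# and rotation. The site and the backup target are constructed for the demo.
set -u

# Archive $1 into $2 as site-<stamp>.tar.gz, record its SHA-256, check that it
# reads back, prune to the $3 newest copies, and print the archive path.
# $4 (optional) pins the UTC timestamp so schedulers and tests are repeatable.
take_backup() {   # $1 = site dir, $2 = backup dir, $3 = copies to keep, [$4 = stamp]
    site=$1 dest=$2 keep=$3
    stamp=${4:-$(date -u +%Y%m%dT%H%M%SZ)}
    archive="$dest/site-$stamp.tar.gz"
    mkdir -p "$dest"
    tar -C "$(dirname "$site")" -czf "$archive" "$(basename "$site")"
    ( sha256sum "$archive" 2>/dev/null || shasum -a 256 "$archive" ) | cut -d' ' -f1 > "$archive.sha256"
    # An archive that cannot be listed is not a backup: drop it and report failure.
    if ! tar -tzf "$archive" >/dev/null 2>&1; then
        rm -f "$archive" "$archive.sha256"
        return 1
    fi
    # Newest first by name (the stamp sorts chronologically); delete the rest.
    ls "$dest"/site-*.tar.gz | sort -r | tail -n +"$((keep + 1))" |
        while IFS= read -r old; do rm -f "$old" "$old.sha256"; done
    echo "$archive"
}

# Re-hash an archive and compare with the recorded digest. Run this from the
# backup side, not production, so a compromised host cannot vouch for itself.
verify_backup() {   # $1 = archive path
    recorded=$(cat "$1.sha256")
    actual=$( ( sha256sum "$1" 2>/dev/null || shasum -a 256 "$1" ) | cut -d' ' -f1 )
    [ "$recorded" = "$actual" ]
}

count_backups() {   # $1 = backup dir -> number of archives retained
    ls "$1"/site-*.tar.gz 2>/dev/null | wc -l | tr -d ' '
}

# Stand-alone run on a constructed site: three nightly runs, keep two.
demo() {
    work=$(mktemp -d)
    mkdir -p "$work/site/wp-content/uploads"
    echo '<?php // constructed site' > "$work/site/index.php"
    for night in 20140301T020000Z 20140302T020000Z 20140303T020000Z; do
        take_backup "$work/site" "$work/backups" 2 "$night"
    done
    ls "$work/backups"
    rm -rf "$work"
}
demo
```

Restore drills matter as much as the schedule: untar one of the retained archives into a scratch directory now and then, because a backup nobody has ever restored is only a hope.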
  • 32. Tools & Services
    Great tools and services to help you reduce risk:
    • Website firewall: Sucuri CloudProxy
    • Password management: LastPass, KeePass, Password Safe, 1Password
    • Malware scanning: Sucuri SiteCheck, UnMask Parasites
    • Malware cleanup: Sucuri
    • Backups: Sucuri Backups, VaultPress
  • 33. Notable Resources
    • Sucuri Blog: http://blog.sucuri.net
    • Sucuri TV: http://sucuri.tv
    • Malware Scanner: http://sitecheck.sucuri.net
    • Malware Scanner: http://unmaskparasites.com
    • Badware Busters: https://badwarebusters.org
    • Google Forums: http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
    • Google Webmaster Tools: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
    • Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
    • Exploit-DB: http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
    • Joomla! Security and Performance FAQs: http://docs.joomla.org/Security_and_Performance_FAQs
    • Joomla! Security Checklist: http://docs.joomla.org/Security_Checklist/Getting_Started
  • 34. Thank You For Listening
    Now go, reduce risk. Go!
