WordPress Security Best Practices
The slides for Brennen Byrne and Sam Hotchkiss' talk on WordPress security best practices at WordCamp Phoenix 2014.

Published in: Technology, Business

Transcript

  • 1. WordPress Security Best Practices Brennen Byrne @brennenbyrne Sam Hotchkiss @hotchkissconsulting
  • 2. How to make your site impossible to hack:
  • 3. Delete it.
  • 4. This talk is for the rest of you.
  • 5. For the next 100 minutes, we’ll cover the 5 rules, 4 tools and 3 important habits to keep your site safe.
  • 6. Sam Hotchkiss I run a WordPress agency in Bath, Maine and am the lead developer for the WordPress security plugin BruteProtect.
  • 7. Brennen Byrne I’m one of the founders of Clef, a security plugin for WordPress that lets you log in without a password.
  • 8. WordPress Security Best Practices Brennen Byrne @brennenbyrne Sam Hotchkiss @hotchkissweb
  • 9. Slides getclef.com/wordcamp-security Checklist getclef.com/wordpress-security-checklist
  • 10. Who attacks and why? it’s not usually because they want to be friends
  • 11. pharma / affiliate if you’re not using akismet, you know these well
  • 12. link injection SEO hacking at its worst
  • 13. hacktivists Syrian Electronic Army, lulzsec, anonops, etc.
  • 14. drive by download you’re just the host
  • 15. redirects pretty much just hijacking your site
  • 16. How do they attack? know your own weaknesses
  • 17. XSS cross site scripting: comments or posts that attack other visitors to your site
  • 18. CSRF cross site request forgery: once you’re authenticated, other sites can pretend to be you
  • 19. brute force how many tries does it take to guess your password?
  • 20. brute force + botnet how long does it take an army to guess your password?
  • 21. server breach sites where you log in store your password. (even though they shouldn’t…) what happens if they mess up?
  • 22. bucket brigade an attacker sits between you and a site you log in to, when you send your password, they read it before passing it on
  • 23. but really, insecure plugins and themes WordPress core has a team of security experts looking for these flaws all the time. Most plugins do not.
  • 24. Do you need to worry? some people think that their site is too small to be attacked
  • 25. WordPress is 20% of the web most attackers are counting on a small success rate across a huge number of sites
  • 26. Bots attack every site BruteProtect blocked more than 20m attacks last year, and it’s on less than 0.01% of WordPress sites
  • 27. Botnet Economics one small site infects hundreds of users, who will help infect more, bigger sites
  • 28. Now, The Rules The first rule of WordPress is…
  • 29. 1. Respect your passwords “password” doesn’t cut it anymore
  • 30. Require strong passwords if you use them at all
  • 31. Don’t email them to anyone, ever.
  • 32. Don’t submit them without SSL on public wifi or even private wifis that you don’t know that well
  • 33. 2. respect admin even if you don’t respect your administrators
  • 34. keep admin separate only use it when you need it
  • 35. change db table prefix wp-avoidinghackersallday_users > wp_users
  • 36. make admin something other than “admin” why make things easier?
  • 37. 3. Sanitize user input you don’t know where it’s been
  • 38. do not write your own SQL or, if you do, clean it carefully before you use it
  • 39. validate data before you display it avoid running hack.js in your users’ browsers
  • 40. 4. Disclose Responsibly and quietly
  • 41. Tools not that kind of tool
  • 42. SFTP whichever you like
  • 43. BruteProtect awesome
  • 44. Clef also awesome
  • 45. Cloak because WiFi is dangerous (this only works for Mac users)
  • 46. Important habits good security hygiene
  • 47. check for ssl look for the little lock before typing anything
  • 48. use different passwords more important than using individually strong ones. Better yet… don’t use passwords at all
  • 49. use a password manager computers have better memories for this kind of stuff
  • 50. don’t trust new senders .exe and .zip should be feared
  • 51. educate your clients it’s your responsibility (and will save you a lot of headache)
  • 52. Cleaning up how do you recover after your site gets compromised?
  • 53. first step change all of your passwords — admin, users, host, keys, everything you can
  • 54. save wp-content copy the folder of your actual content
  • 55. scan your local machine make sure your computer is not infected
  • 56. burn it with fire /www, cron, plugins and themes
  • 57. fresh install you can restore a backup, save old themes, but nothing works as well as starting from scratch
  • 58. re-add wp-content get back the things you’ve created
  • 59. last step change all of your passwords — admin, users, host, everything you can
  • 60. Slides getclef.com/wordcamp-security Checklist getclef.com/wordpress-security-checklist
  • 61. Questions http://getclef.com/wordpress-security-checklist
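The rules on slides 37 to 39 (sanitize user input, do not write your own SQL or clean it carefully if you do, validate data before you display it) in WordPress terms, as an added example that is not part of the slides or of either speaker's plugins. It assumes it runs inside a WordPress plugin or theme, where `$wpdb`, `sanitize_text_field()`, `esc_html()` and `WP_Query` are available; the `wcphx_` function names, the `wcphx_search` shortcode and the `q` query parameter are made up for the example. The first function shows the two mistakes the slides warn about (string-built SQL and unescaped output), the second fixes both with `$wpdb->prepare()` and output escaping, and the third avoids hand-written SQL entirely.

```php
<?php
// Added example (not from the slides). Assumes WordPress is loaded.

// VULNERABLE (the "before"): request data concatenated into SQL and echoed raw.
function wcphx_search_posts_vulnerable( $term ) {
    global $wpdb;
    // SQL injection: $term goes into the query with no quoting or escaping.
    $sql  = "SELECT ID, post_title FROM {$wpdb->posts}"
          . " WHERE post_title LIKE '%" . $term . "%' AND post_status = 'publish'";
    $rows = $wpdb->get_results( $sql );
    foreach ( $rows as $row ) {
        // XSS: the title and the search term are printed without escaping,
        // so a <script> in either runs in every visitor's browser.
        echo '<li>' . $row->post_title . ' (matched "' . $term . '")</li>';
    }
}

// HARDENED: sanitize on the way in, parameterize the query, escape on the way out.
function wcphx_search_posts_hardened( $raw_term ) {
    global $wpdb;

    // 1. Sanitize input: undo WordPress' magic-quotes slashing, strip tags and
    //    line breaks, then cap the length so nobody feeds the DB a megabyte.
    $term = substr( sanitize_text_field( wp_unslash( $raw_term ) ), 0, 100 );
    if ( '' === $term ) {
        return 0;
    }

    // 2. Parameterize: prepare() quotes and escapes each placeholder, and
    //    esc_like() neutralises % and _ so the user cannot widen the LIKE.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}"
        . " WHERE post_title LIKE %s AND post_status = %s LIMIT %d",
        $like,
        'publish',
        20
    );
    $rows = $wpdb->get_results( $sql );

    // 3. Escape output for the context it lands in (HTML text here).
    foreach ( $rows as $row ) {
        printf(
            '<li>%s (matched "%s")</li>',
            esc_html( $row->post_title ),
            esc_html( $term )
        );
    }
    return count( $rows );
}

// PREFERRED: no hand-written SQL at all. WP_Query builds the query itself.
function wcphx_search_posts_no_sql( $raw_term ) {
    $term = substr( sanitize_text_field( wp_unslash( $raw_term ) ), 0, 100 );
    if ( '' === $term ) {
        return 0;
    }
    $query = new WP_Query( array(
        's'              => $term,      // searches title and content
        'post_status'    => 'publish',
        'posts_per_page' => 20,
    ) );
    while ( $query->have_posts() ) {
        $query->the_post();
        printf( '<li>%s</li>', esc_html( get_the_title() ) );
    }
    wp_reset_postdata();
    return (int) $query->post_count;
}

// Usage: a shortcode that renders results for ?q=... on the current page.
// The raw value is passed through; sanitization happens inside the function.
add_shortcode( 'wcphx_search', function ( $atts ) {
    $raw = isset( $_GET['q'] ) ? $_GET['q'] : '';
    ob_start();
    echo '<ul>';
    wcphx_search_posts_no_sql( $raw );
    echo '</ul>';
    return ob_get_clean();
} );
```

The design point is that each layer is independent: even if the sanitizer is bypassed, `prepare()` still keeps the term out of SQL syntax, and even if a bad title is already in the database, `esc_html()` still keeps it out of the page's HTML. The hardened function keeps the hand-written query only to show how to clean it; in practice reach for `WP_Query` first.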
