ABOUT ME 
WEB DESIGN AND INFORMATION SECURITY 
Committed to WordPress since 2008. 
SUCURI – Researcher and Account Manager 
Removing malware and protecting websites. 
Personally cleaned over 5,000 websites 
SUCURI.NET 
Twitter: @JHerbrandson 
joseph herbrandson | www.sucuri.net 
1-888-873-0817| joseph@sucuri.net
ABOUT SUCURI
Over 45 Security Professionals Making a Safer Web
SECURITY SCANNING & ANALYSIS
Checking the health of over 3 million websites every month through our free Sitecheck Scanner: http://sitecheck.sucuri.net
MALWARE CLEANUP
Cleaning and remediating 300 – 400 hacked or infected websites every day.
ATTACK PROTECTION
Blocking over 33 million attacks and instances of malicious traffic every month
EDUCATION
Providing detailed and actionable security information through our blog at http://blog.sucuri.net
ATTACK TRAFFIC ORIGINS 
Map.Ipviking.com 
A QUICK DEMO 
Attack in Progress: 
https://www.youtube.com/watch?v=v4Xr3LrixVg 
Sooo… WHY?
It’s Just Business…probably
- The Short Answer: Fame and Fortune
- $BILLION Spam – Generic Pharmaceuticals, Payday Loans, Gambling, Designer Brand Knock Offs
- Hacktivism – Politics and religion at the speed of download
- Immaturity – Kids being kids
the 7 deadly sins of WordPress security
ONE – Security Apathy
TWO – Protection Lust
THREE – Thrill Seeking
FOUR – Access Aloofness
FIVE – Service Greed
SIX – Principle Pride
SEVEN – Vulnerability Wrath
I
sin #1
Security Apathy
Ignoring the Requirements
THE NEED FOR SECURITY 
THE STATE OF THE INTERNET 
www.internetlivestats.com 
HOSTING OPTIONS
Choose wisely
Shared Hosting – Cheap
Managed Hosting – Done for you
Dedicated Hosting – All yours
MANAGED-HOSTING PROVIDERS 
WordPress Experts for Everyone! 
SPEAKING OF ENVIRONMENT… 
Who is using the Public Wifi? 
II
sin #2
Protection Lust
Searching for the Security Holy Grail
WORD of WARNING 
No chance of 0% risk. 
The next ‘0-Day’ attack is always around the corner… 
SECURITY HEADLINES 
Proof: Seen the news lately? 
III
sin #3
Thrill Seeking
Skydiving is a safer thrill than going without backups
BUT I’VE NEVER HAD A PROBLEM BEFORE… 
Have a low profile, non-threatening 
site? You are still getting attention 
FREE WEBSITE REBRAND
HACKERS HARD AT WORK
PHARMACEUTICAL SPAM MAKES HACKERS TWO BILLION DOLLARS/YEAR
SOLUTION: OFFSITE BACKUPS
RESULT: CLEAN SITE IMMEDIATELY
AUTOMATED BACKUPS
Know you have a backup plan
BackupBuddy – ithemes.com/backupbuddy/
VaultPress – vaultpress.com
Sucuri Backups – sucuri.net
Web hosting backups – your hosting company
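Added example, not code from the slides or from Sucuri: a Python script that builds the kind of offsite-ready backup these slides call for, with a SHA-256 manifest inside the archive, and then restores it to a scratch directory and re-hashes every file. The point it adds to "know you have a backup plan" is that a backup nobody has restored is not yet a plan. The paths, the MANIFEST.json name and the assumption that a database dump has already been written into the site directory before archiving are the example's own, not the deck's.

```python
"""Offsite-ready WordPress backup with an embedded SHA-256 manifest, plus a
restore test that re-hashes every file after extraction.
Added example; paths, MANIFEST.json and the assumption that a database dump
already sits inside the site directory are the example's own choices."""
import hashlib
import io
import json
import sys
import tarfile
from datetime import datetime, timezone
from pathlib import Path

MANIFEST_NAME = "MANIFEST.json"


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large uploads never load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(site_root: Path) -> dict:
    """Map '<site>/<relative path>' -> sha256 for every regular file under
    site_root. Keys carry the site directory name because tar stores them so."""
    return {
        f"{site_root.name}/{p.relative_to(site_root).as_posix()}": sha256_file(p)
        for p in sorted(site_root.rglob("*"))
        if p.is_file()
    }


def create_backup(site_root: Path, dest_dir: Path) -> Path:
    """Write <dest_dir>/<site>-<UTC stamp>.tar.gz holding the whole site tree
    and MANIFEST.json. Assumes any database dump (e.g. mysqldump output) was
    already written into site_root so it travels with the files (assumption)."""
    dest_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = dest_dir / f"{site_root.name}-{stamp}.tar.gz"
    manifest = json.dumps(build_manifest(site_root), indent=1).encode()
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_root, arcname=site_root.name)
        info = tarfile.TarInfo(MANIFEST_NAME)
        info.size = len(manifest)
        tar.addfile(info, io.BytesIO(manifest))
    return archive


def verify_restored(archive: Path, restore_dir: Path) -> dict:
    """Re-hash every file the manifest lists against the restored copy."""
    with tarfile.open(archive, "r:gz") as tar:
        manifest = json.load(tar.extractfile(MANIFEST_NAME))
    missing, mismatched = [], []
    for name, digest in manifest.items():
        p = restore_dir / name
        if not p.is_file():
            missing.append(name)
        elif sha256_file(p) != digest:
            mismatched.append(name)
    return {"ok": not missing and not mismatched, "files": len(manifest),
            "missing": missing, "mismatched": mismatched}


def restore_and_verify(archive: Path, restore_dir: Path) -> dict:
    """Extract the archive into restore_dir and verify it: this is the restore
    test that turns a hoped-for backup into a proven one."""
    restore_dir.mkdir(parents=True, exist_ok=True)
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # 'data' filter refuses path traversal and absolute members (3.12+, backported)
            tar.extractall(restore_dir, filter="data")
        except TypeError:  # older Python without the filter argument
            tar.extractall(restore_dir)
    return verify_restored(archive, restore_dir)


if __name__ == "__main__":
    # usage: backup.py /var/www/site /mnt/offsite /tmp/restore-test
    site, offsite, scratch = (Path(a) for a in sys.argv[1:4])
    archive = create_backup(site, offsite)
    print(archive, restore_and_verify(archive, scratch))
```

Run it on a schedule with the destination on a different host or bucket than the web server; a backup stored beside the site disappears with the site. The scratch restore can run on any machine that can read the archive, which is also the cheapest way to find out that a hosting-company backup is incomplete before you need it.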
IV
sin #4
Access Aloofness
Sticky Notes: No longer Best for Password Management!!
top 3 passwords used in 2013
Seriously….
Password       Last Year’s Rank
‘123456’       2
‘PASSWORD’     1
‘12345678’     3
credit: SplashData.com
PASSWORD MANAGER
Remembers your passwords so you don’t have to
LastPass – lastpass.com
1Password – agilebits.com
KeePass – keepass.info
Dashlane – dashlane.com
LEAST PRIVILEGE
Does your user setup look like this?
[Diagram: the one actual admin against everyone who ends up holding access. Access types: hosting/control panel, administrator, FTP/SFTP root access, editor/contributor. Who holds it: friends, writers, SEO guys, analysts, editors, random people, and, again, potential hackers.]
V
sin #5
Service Greed
No such thing as something for nothing on the front page of Google
NOT THE CODE YOU’RE LOOKING FOR…
Assisting the enemy
This probably shouldn’t be in your theme:

    if(isset($_GET['pwd'])) {
        eval(base64_decode("CiRhdXRoX3Bhc3MgPSAiN2U5NBhY3RpdmF0ZXM
    sIGNoYW5nZWQgZWxlbWVudHMgaW4gdGhlIG9yaWdpbmFsIHBsdWdp
    biwgZGVzaWduZWQgdG8gYmVoYXZlIGxpa2UgY2xlYW4gY29kZSwgc2ln
    bmFsIHRoZSBoYWNrZXIgdG8gbGV0IGl0IGtub3cgdGhhdCBpdOKAmXMg
    aW4uIEEgY2xlYW4gYmFjayBkb29yIGhhcyBiZWVuIG9wZW5lZCwgYW5k
    IHlvdXIgc2l0ZSBpcyBub3cgb24gYW4gYXV0b21hdGVkIGF0dGFjayBsaXN
    0LCBtZWFudCB0byBxdWlldGx5IGluZmVjdCBhbmQgcmVpbmZlY3QgeW9
    1ciBzaXRlIGFnYWluIGFuZCBhZw=="));
    }
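Added example, not code from the slide deck: a small Python scanner for the pattern on this slide, eval() of a base64_decode()'d string, gated on a request parameter. It reports line numbers and decodes any base64 literal fed to eval so a reviewer can read the payload without executing it. The rule names, the sample theme file and its harmless payload (the base64 of echo 'demo';) are constructed for the demo.

```python
"""Flag eval-of-encoded-payload patterns in PHP files and decode the payload
for reading. Added example; rule names, the sample file and its harmless
payload are constructed for the demo."""
import base64
import binascii
import re
from pathlib import Path
from typing import Dict, List, Optional

# Each rule runs over the whole file (DOTALL), so a block split across lines
# like the one on the slide is still caught.
RULES = [
    # eval() fed directly by a decoder: the textbook obfuscated backdoor
    ("eval_of_decoded_string",
     re.compile(r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    # eval() whose argument is built from request input
    ("eval_of_request_input",
     re.compile(r"\beval\s*\([^;]{0,200}\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I | re.S)),
    # eval() inside a block that only runs when a chosen parameter is present,
    # i.e. a trigger that stays quiet until the operator wants it
    ("request_gated_eval",
     re.compile(r"\bisset\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\s*\[[^)]*\)\s*\)\s*\{[^}]*\beval\s*\(",
                re.I | re.S)),
]
B64_LITERAL = re.compile(r"""base64_decode\s*\(\s*["']([A-Za-z0-9+/=\s]{16,})["']""", re.I)


def decode_preview(literal: str, limit: int = 80) -> Optional[str]:
    """Decode a base64 literal (line breaks inside it are tolerated) for human
    review only; nothing here executes what it decodes."""
    try:
        raw = base64.b64decode(re.sub(r"\s+", "", literal), validate=False)
    except (binascii.Error, ValueError):
        return None
    return raw.decode("utf-8", errors="replace")[:limit]


def _line_of(text: str, offset: int) -> int:
    return text.count("\n", 0, offset) + 1


def scan_source(text: str) -> List[Dict]:
    """One finding per rule hit: line number, a short snippet and, for base64
    literals, the decoded preview."""
    findings = []
    for name, rx in RULES:
        for m in rx.finditer(text):
            findings.append({"rule": name, "line": _line_of(text, m.start()),
                             "snippet": text[m.start():m.start() + 60].splitlines()[0]})
    for m in B64_LITERAL.finditer(text):
        findings.append({"rule": "base64_literal", "line": _line_of(text, m.start()),
                         "snippet": m.group(0)[:60].splitlines()[0],
                         "decoded": decode_preview(m.group(1))})
    return sorted(findings, key=lambda f: (f["line"], f["rule"]))


def is_likely_backdoor(findings: List[Dict]) -> bool:
    """A bare base64 literal is only informational; any eval rule is a red flag."""
    return any(f["rule"] != "base64_literal" for f in findings)


def scan_tree(root: Path) -> Dict[str, List[Dict]]:
    """Scan every .php file under root (themes, plugins, uploads) and keep the hits."""
    hits = {}
    for p in root.rglob("*.php"):
        findings = scan_source(p.read_text(errors="replace"))
        if findings:
            hits[p.relative_to(root).as_posix()] = findings
    return hits


# Constructed sample theme file: ordinary code first, then the slide's pattern
# with a harmless payload (base64 of  echo 'demo';  ).
SAMPLE_THEME_FUNCTIONS = """<?php
// constructed sample: ordinary theme code
add_action('wp_head', 'demo_meta');
function demo_meta() { echo '<meta name="generator" content="demo">'; }
if (isset($_GET['page'])) { $page = sanitize_text_field($_GET['page']); }
// constructed sample: the shape of the backdoor on the slide, harmless payload
if(isset($_GET['pwd'])) { eval(base64_decode("ZWNobyAnZGVtbyc7")); }
"""

if __name__ == "__main__":
    for finding in scan_source(SAMPLE_THEME_FUNCTIONS):
        print(finding)
    print("likely backdoor:", is_likely_backdoor(scan_source(SAMPLE_THEME_FUNCTIONS)))
```

A plain isset($_GET[...]) is normal theme code, so the gated rule only fires when an eval sits inside that block. Expect false positives from minifiers and a few legitimate plugins that ship encoded strings; the decoded preview is there so the reviewer can tell "CSS blob" from "$auth_pass = " in one glance.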
MORE THAN EXPECTED 
VI
sin #6
Principle Pride
Keep to the code.
A SYSTEM TO LIVE BY
1. Protect! – Your computer has a firewall, why doesn’t your website?
2. Detect! – The same goes for antivirus.
3. Respond! – Clean up the mess. You have a backup, right?
Encompassing Actions:
- Know the best practices
- Mind your maintenance
SYSTEM IN ACTION 
VII
sin #7
Wrath of Vulnerabilities
Opening doors you never knew existed
WORDPRESS CORE
Strong and Secure
Dedicated Creators – Making WordPress solid and secure
Auto-Updates – Get important patches right away.
Support – Everything you need at WordPress.org
WordPress Version Distribution 
3.0 – 4.0 (wordpress.org/about/stats/) 
3rd Party VULNERABILITIES 
Keep watch 
Vulnerabilities disclosed at http://blog.sucuri.net 
All-In-One SEO – 20 Million Downloads 
WPtouch – 6 Million Downloads 
MailPoet - 2.7 Million Downloads 
Custom Contact Forms – 640k Downloads 
Slider Revolution – Hundreds of Thousands (themeforest/codecanyon) 
Going further
Transition from Mark to Master
Tips, Tools, and Services
WEBSITE ANTIVIRUS & FIREWALL
Protection and Detection
Don’t be the mark! Understand the changes you are implementing
“AntiVirus”: WordFence, Sucuri Website Antivirus
“Firewall”: CloudFlare, Sucuri Website Firewall
“Utilities”: iThemes Security, BruteProtect, Sucuri Security Plugin
RESOURCES 
Because you don’t know what you don’t know 
General WordPress Security: 
https://codex.wordpress.org/Hardening_WordPress 
https://blog.sucuri.net 
Hacking and General Security: 
http://www.securityfocus.com/ 
http://blogs.sophos.com/ 
Facebook Groups: 
WordPress Security 
Advanced WordPress 
SubReddits: 
Reddit.com/r/Hacking 
Reddit.com/r/WordPress 
EASY PATH TO CLEANUP 
Response 
NEED: 
Releases of WordPress at: 
https://wordpress.org/download/release-archive/ 
Clean backup of active theme and required plugins 
New Passwords (WordPress, FTP, Hosting Control Panel, Everything Else) 
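Added example (mine, not the deck's or WordPress's): the core-file comparison behind the first item on this slide. It compares the installed tree against a pristine copy of the same release from the release archive and turns the difference into a restore/quarantine list: modified or missing core files are overwritten from the release, files that exist in the install but not in the release are moved aside for review. The directory rules, the wp-config.php exemption and the function names are assumptions for the demo; wp-content is left to the clean theme/plugin backup named in the next item.

```python
"""Compare an installed WordPress tree with a pristine copy of the same release
and turn the difference into a restore/quarantine list for the cleanup.
Added example; the layout rules and function names are the example's own."""
import hashlib
import sys
from pathlib import Path

CORE_DIRS = {"wp-admin", "wp-includes"}
# Top-level file WordPress never ships; it is site-specific and reviewed by hand.
SITE_SPECIFIC = {"wp-config.php"}


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def is_core_path(rel: str) -> bool:
    """Core = wp-admin/, wp-includes/ and the top-level .php files (index.php,
    wp-login.php, xmlrpc.php, ...). wp-content/ is user land and is covered by
    the clean theme/plugin backup instead (assumption of this example)."""
    top = rel.split("/", 1)[0]
    return top in CORE_DIRS or ("/" not in rel and rel.endswith(".php"))


def hash_tree(root: Path) -> dict:
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in root.rglob("*") if p.is_file()}


def audit_core(installed: Path, pristine: Path) -> dict:
    """Classify every core path as modified, missing or foreign (present in the
    install but absent from the release: a favourite place to park a dropper)."""
    live = {k: v for k, v in hash_tree(installed).items()
            if is_core_path(k) and k not in SITE_SPECIFIC}
    ref = {k: v for k, v in hash_tree(pristine).items() if is_core_path(k)}
    return {
        "modified": sorted(k for k in ref if k in live and live[k] != ref[k]),
        "missing": sorted(k for k in ref if k not in live),
        "foreign": sorted(k for k in live if k not in ref),
    }


def cleanup_plan(audit: dict) -> dict:
    """Modified and missing files are overwritten from the release archive;
    foreign files have no clean counterpart and are moved aside for review."""
    return {"restore_from_release": sorted(audit["modified"] + audit["missing"]),
            "quarantine": list(audit["foreign"])}


if __name__ == "__main__":
    # usage: core_audit.py /var/www/site /tmp/wordpress-x.y  (the unpacked release)
    installed, pristine = Path(sys.argv[1]), Path(sys.argv[2])
    print(cleanup_plan(audit_core(installed, pristine)))
```

Unpack the release that matches the installed version (wp-includes/version.php says which) so that legitimate version differences do not show up as "modified". Quarantine rather than delete the foreign files: they are the evidence you need for the next step, working out how the attacker got in, and for the password rotation that follows.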
THANK YOU!

The 7 Deadly Sins of WordPress Security
