WordCamp Orange County: WordPress Security Fundamentals


Published on

WordPress is one the most popular website platforms on the Internet, and that makes it a prime target for malicious web users. Learn how to take the basic steps to protect yourself and your online properties.

Published in: Technology, Business
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

WordCamp Orange County: WordPress Security Fundamentals

  1. 1. WordPress securityfundamentals
  2. 2. aboutme Something Joseph Herbrandson Web design and infosec Committed to WordPress and website security since 2008 sucuri security Security Analyst - Cleaning up malware and protecting websites from infection everyday Website sucuri.net twitter.com/sucuri_security facebook.com/SucuriSec sucuri.net
  3. 3. sucuri.net Sucurisecurity • Website security Company • Operate internationally • platform agnostic (wordpress, joomla, drupal, etc…) • scan 2 million websites per month • block 4 million attacks per month • remediate 400-500 sites per day • 24/7 operations
  4. 4. The state of… theInternet sucuri.net 2.9 Billion Internet Users world wide About 950 million active sites internetlivestats.com ! 20% are wordpress…
  5. 5. No 0% Threat Rule No such thing as perfect security. If someone REALLY wants in, they will find a way. 0- Day Attacks Brand new attacks using different methods make these impossible to plan for. 0-Day attacks are resolved once it has been studied, and fix has been published. Not just Wordpress! Security starts with everyday practices. All the wrong moves made off of your website, will still affect things on your website! sucuri.net securewp Notes On
  6. 6. Who Are They? Hackersidentities sucuri.net Who are these Guys? - It can be anyone good with computers. - Intelligent and Mischievous; Enterprising and Effective. Where are they from? Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States. !
  7. 7. Brute Force sql injection ddos social engineering sucuri.net what’s going on here… commonattacktypes
  8. 8. Hacked? Whyyou It’s nothing Personal Most attacks are automated and done on many websites at a time You're on the list Once you’re a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE sucuri.net
  9. 9. The $Billionspam ! Pharma and spam attacks Viagra, Cialis, and Levitra ads, make marketers over 2 BILLION dollars every year from blackhat methods of infecting websites, and redirecting users to websites selling prescription drugs. ! sucuri.net
  10. 10. sucuri.net Sending a Message Hacktivists ! The hacktivists Turning your site into a billboard for anarchy and mayhem
  11. 11. Pillarsofsecurity Your Security Frontline Disaster Prevention backups Basic Website Maintenance Staying current Common Sense Policies Access control WordPress Intrusion Preparation sucuri.net
  12. 12. securedbackups Disaster Prevention Have a backup plan Playing defensively from the back is your best first line defense. Stored Remotely Away from your live server, and the clutches of an intruder. …more than one if possible! The more layers of your backup plan, the less likely it is to fail. Scheduled and Automated Don’t rely on yourself. sucuri.net
  13. 13. backupSolutions Options for Vault PressWeb hosting Sucuri Backups sucuri.net
  14. 14. wordpressUpdates The Importance of Your version is your level of security ! Major versus Maintenance releases ! Worried About upgrading? fear not! downgrading is a simple task ! Have an upgrade path sucuri.net As of June 2014: http://w3techs.com/technologies/details/cm-wordpress/3/all 36% 29% 6% 7% 11% 11% 3.0-3.4 3.5 3.6 3.7 3.8 3.9
  15. 15. sucuri.net allinoneSEo recent vulnerability disclosure: Update!! ! no plugin is SAFE! ! educate yourself http://blog.sucuri.net/2014/05/vulnerability-found-in-the- all-in-one-seo-pack-wordpress-plugin.html Public Service Announcemnt…
  16. 16. A little bit about passwordsecurity The tactics Sophisticated Password Guessing easier to crack than you think… ! Password Crack Times: - 8 letters = 52 seconds - 8 nums/letters = 11 minutes - with caps/!@#$… = 3 hours - 12 letters/nums/caps/!@#$ = 2 Thousand years sucuri.net
  17. 17. mostusedpassWords The web’s No. Title Ranking Last Year 1 123456 2 2 password 1 3 12345678 3 4 qwerty 5 5 abc123 4 6 123456789 New 7 111111 9 sucuri.net The following are statistics showing the most used passwords in 2013, documented from lists stolen in major organization security breaches. (SplashData.com)
  18. 18. passwordmanagers Tools of the trade: Lastpass keePass DashLane sucuri.net 1Password
  19. 19. Case study cleanup Ftp/sftp File Management Basic file cleanup with FileZilla WordPress Version Archives https://codex.wordpress.org/WordPress_Versions (Google “WordPress versions”) Theme Backups Always know where to find a clean copy of your theme sucuri.net
  20. 20. Infectedsite infection: blackhat seo spam injection Spam is displayed with Javascript turned off. Otherwise it’s hidden! Infection confirmed at the free Sucuri website scanner: http://sitecheck.sucuri.net Cleanup sucuri.net
  21. 21. Cleanup removeandreplace wp-admin and wp-includes These directories are replaceable for cleanup and downgrading versions Replace other core files The other core files outside of these two directories can be uploaded to directly replace their counterparts do not delete wp-config.php or wp-content! These are vital to the functionality of your blog, and cannot be replaced easily, or without a backup. sucuri.net
  22. 22. Cleanup removeandreplace pt.2 find your theme Your theme is replaceable if you
 haven’t made custom
 changes delete your old theme This is the most common place
 for infected WordPress files replace with clean copy Good as new! sucuri.net
  23. 23. Cleanup cleansite cleanup accomplished: Your WordPress site is now spam free! ! sucuri.net
  24. 24. sucuri.net A healthy dose of… paranoia worry about the right things: - Passwords versus Usernames - Web hosting - Plugin/Theme origin - Patching/Updating - Who your friends are
  25. 25. anyquestions?