WordCamp Orange County: WordPress Security Fundamentals

WordPress is one of the most popular website platforms on the Internet, and that makes it a prime target for malicious web users. Learn how to take the basic steps to protect yourself and your online properties.

Published in Technology, Business
  • 1. WordPress Security Fundamentals
  • 2. Something about me: Joseph Herbrandson
    - Web design and infosec; committed to WordPress and website security since 2008
    - Sucuri Security, Security Analyst: cleaning up malware and protecting websites from infection every day
  • 3. Sucuri Security
    - Website security company, operating internationally
    - Platform agnostic (WordPress, Joomla, Drupal, etc.)
    - Scans 2 million websites per month
    - Blocks 4 million attacks per month
    - Remediates 400-500 sites per day
    - 24/7 operations
  • 4. The state of the Internet
    - 2.9 billion Internet users worldwide
    - About 950 million active sites, 20% of them WordPress
  • 5. Notes on secure WP
    - No 0% threat rule: there is no such thing as perfect security. If someone REALLY wants in, they will find a way.
    - 0-day attacks: brand new attacks using different methods make these impossible to plan for. A 0-day attack is resolved once it has been studied and a fix has been published.
    - Not just WordPress! Security starts with everyday practices. All the wrong moves made off your website will still affect things on your website.
  • 6. Hackers' identities: who are these guys?
    - It can be anyone good with computers: intelligent and mischievous, enterprising and effective.
    - Where are they from? Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States.
  • 7. Common attack types (what's going on here): brute force, SQL injection, DDoS, social engineering
  • 8. Why you? Hacked?
    - It's nothing personal: most attacks are automated and run against many websites at a time.
    - You're on the list: once you're a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE.
  • 9. The $billion spam: pharma and spam attacks. Viagra, Cialis, and Levitra ads make marketers over 2 BILLION dollars every year through blackhat methods of infecting websites and redirecting users to websites selling prescription drugs.
  • 10. Sending a message: the hacktivists, turning your site into a billboard for anarchy and mayhem
  • 11. Pillars of security (your security frontline)
    - Disaster prevention: backups
    - Basic website maintenance: staying current
    - Common sense policies: access control
    - WordPress intrusion preparation
  • 12. Secured backups (disaster prevention): have a backup plan. Playing defensively from the back is your best first line of defense.
    - Stored remotely: away from your live server and the clutches of an intruder. More than one copy if possible! The more layers your backup plan has, the less likely it is to fail.
    - Scheduled and automated: don't rely on yourself.
  • 13. Backup solutions, options for: VaultPress, web hosting, Sucuri Backups
  • 14. The importance of WordPress updates
    - Your version is your level of security!
    - Major versus maintenance releases
    - Worried about upgrading? Fear not! Downgrading is a simple task.
    - Have an upgrade path. Version share as of June 2014 (chart covering versions 3.0-3.4, 3.5, 3.6, 3.7, 3.8 and 3.9; shares shown: 36%, 29%, 6%, 7%, 11%, 11%)
  • 15. Public service announcement: All in One SEO, recent vulnerability disclosure. Update!! No plugin is SAFE! Educate yourself: all-in-one-seo-pack-wordpress-plugin.html
  • 16. A little bit about password security. The tactics: sophisticated password guessing, easier to crack than you think. Password crack times:
    - 8 letters = 52 seconds
    - 8 nums/letters = 11 minutes
    - with caps/!@#$... = 3 hours
    - 12 letters/nums/caps/!@#$ = 2 thousand years
  • 17. The web's most used passwords. The following are statistics showing the most used passwords in 2013, documented from lists stolen in major organization security breaches (ranking, password, last year's ranking):
    1. 123456 (last year: 2)
    2. password (last year: 1)
    3. 12345678 (last year: 3)
    4. qwerty (last year: 5)
    5. abc123 (last year: 4)
    6. 123456789 (last year: new)
    7. 111111 (last year: 9)
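The two slides above make separate points: crack time grows with keyspace (slide 16), and a password on the most-used list is guessed regardless of its shape (slide 17). The following is an added example that serves both; it is not code from the talk or from Sucuri. The character-class sizes (26 lowercase, 26 uppercase, 10 digits, 33 symbols) and the guessing rate of 4e9 guesses per second are my assumptions; that rate is roughly what makes 26^8 candidates take the slide's 52 seconds, and the other rows will not reproduce the slide's figures exactly because they depend on the charset and rate assumed.

```python
import math

# Character-class sizes behind the four rows on the crack-time slide. These
# sizes are my assumption about what "letters", "nums/letters", "caps" and
# "!@#$" mean (26 lowercase, 26 uppercase, 10 digits, 33 printable symbols);
# the talk itself gives only the resulting times.
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 33

# The seven entries shown on the "most used passwords" slide.
MOST_USED_2013 = {"123456", "password", "12345678", "qwerty",
                  "abc123", "123456789", "111111"}

# Constructed assumption: an offline guessing rate of 4e9 guesses per second,
# roughly the rate at which 26**8 candidates take the slide's 52 seconds.
ASSUMED_GUESSES_PER_SECOND = 4e9


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` over the charset."""
    return charset_size ** length


def entropy_bits(charset_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def crack_seconds(charset_size: int, length: int,
                  rate: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate in the keyspace at the assumed rate."""
    return keyspace(charset_size, length) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest unit that fits, as the slide does."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def charset_size_of(password: str) -> int:
    """Size of the union of character classes the password actually uses."""
    size = 0
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def assess(password: str) -> dict:
    """Combine both slides: a known most-used password is guessed at once,
    whatever its shape; anything else gets a keyspace-based estimate."""
    if password in MOST_USED_2013:
        return {"denylisted": True, "charset": 0, "bits": 0.0,
                "estimate": "guessed immediately (on the most-used list)"}
    size = charset_size_of(password)
    return {"denylisted": False, "charset": size,
            "bits": round(entropy_bits(size, len(password)), 1),
            "estimate": humanize(crack_seconds(size, len(password)))}


if __name__ == "__main__":
    # The four password shapes from the slide, at the assumed guessing rate.
    full = LOWER + UPPER + DIGITS + SYMBOLS
    for label, size, length in (("8 lowercase letters", LOWER, 8),
                                ("8 letters+digits", LOWER + DIGITS, 8),
                                ("8 with caps and symbols", full, 8),
                                ("12 with caps and symbols", full, 12)):
        print(f"{label:26} {entropy_bits(size, length):5.1f} bits  "
              f"{humanize(crack_seconds(size, length))}")
    for candidate in ("123456", "qwerty", "correcthorse", "Tr0ub4dor&3"):
        print(candidate, assess(candidate))
```

The estimate is an upper bound on exhaustive search only: real guessing uses wordlists and rules, so a dictionary word with a digit appended falls far sooner than its keyspace suggests, which is why the denylist check comes first.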
  • 18. Password managers, tools of the trade: LastPass, KeePass, Dashlane, 1Password
  • 19. Case study: cleanup
    - FTP/SFTP file management: basic file cleanup with FileZilla
    - WordPress version archives (Google "WordPress versions")
    - Theme backups: always know where to find a clean copy of your theme
  • 20. Infected site. Infection: blackhat SEO spam injection. The spam is displayed with JavaScript turned off; otherwise it's hidden! Infection confirmed at the free Sucuri website scanner. Cleanup:
  • 21. Cleanup, remove and replace
    - wp-admin and wp-includes: these directories are replaceable, for cleanup and for downgrading versions.
    - Replace other core files: the other core files outside of these two directories can be uploaded to directly replace their counterparts.
    - Do not delete wp-config.php or wp-content! These are vital to the functionality of your blog and cannot be replaced easily, or without a backup.
  • 22. Cleanup, remove and replace pt. 2: find your theme
    - Your theme is replaceable if you haven't made custom changes.
    - Delete your old theme: this is the most common place for infected WordPress files.
    - Replace with a clean copy. Good as new!
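Slides 19 to 22 turn on one idea: the replaceable parts of a WordPress install (wp-admin, wp-includes, the other core files, an unmodified theme) can be checked against a clean copy of the same version, while wp-config.php and wp-content must be left alone. The following is an added example of that comparison by file hash, written for this page; it is not the speaker's or Sucuri's code. It assumes you have unpacked a clean archive of the matching version next to a copy of the live site; the file names and contents it builds in a temporary directory are constructed for the demo and are not real WordPress code.

```python
import hashlib
import tempfile
from pathlib import Path

# Paths the slides say never to delete or blindly overwrite: configuration,
# uploads, themes and plugins live here and have no counterpart in a clean
# WordPress archive, so they are excluded from the comparison.
PRESERVE = {"wp-config.php", "wp-content"}


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large files need not fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Map each regular file under root (relative POSIX path) to its hash,
    skipping the site-specific paths in PRESERVE."""
    hashes = {}
    for path in root.rglob("*"):
        if not path.is_file():
            continue
        rel = path.relative_to(root)
        if rel.parts[0] in PRESERVE:
            continue
        hashes[rel.as_posix()] = sha256_file(path)
    return hashes


def compare_to_clean(site: Path, clean: Path) -> dict:
    """Report core files that differ from the clean archive, files that exist
    only on the live site, and core files the live site is missing."""
    live, ref = tree_hashes(site), tree_hashes(clean)
    return {
        "modified": sorted(p for p in live if p in ref and live[p] != ref[p]),
        "unexpected": sorted(p for p in live if p not in ref),
        "missing": sorted(p for p in ref if p not in live),
    }


def write(path: Path, text: str) -> None:
    path.parent.mkdir(parents=True, exist_ok=True)
    path.write_text(text)


def demo() -> dict:
    """Constructed sample: a tiny 'clean archive' and a 'live site' in a
    temporary directory. Neither tree is real WordPress code."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp, "clean"), Path(tmp, "site")
        core = {
            "index.php": "<?php require 'wp-blog-header.php';\n",
            "wp-admin/admin.php": "<?php // admin bootstrap (constructed)\n",
            "wp-includes/version.php": "<?php $wp_version = 'x.y.z';\n",
        }
        for rel, body in core.items():
            write(clean / rel, body)
            write(site / rel, body)
        # Live-site differences: one core file with a line appended, one file
        # the archive does not contain, plus the site-specific files that must
        # be preserved and are therefore not compared at all.
        write(site / "index.php", core["index.php"] + "<?php // appended line (constructed)\n")
        write(site / "wp-includes/injected-example.php", "<?php // not in the archive (constructed)\n")
        write(site / "wp-config.php", "<?php define('DB_NAME', 'placeholder');\n")
        write(site / "wp-content/themes/example/functions.php", "<?php // theme code (constructed)\n")
        return compare_to_clean(site, clean)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or 'none'}")
```

On a real site, point compare_to_clean at the FTP/SFTP download of the site and at an unpacked archive of the same WordPress version from the version archive the slides mention; "modified" and "unexpected" are the files to replace or investigate, and anything under wp-content still needs the theme-by-theme check from slide 22 rather than a blanket overwrite.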
  • 23. Cleanup, clean site. Cleanup accomplished: your WordPress site is now spam free!
  • 24. A healthy dose of paranoia: worry about the right things
    - Passwords versus usernames
    - Web hosting
    - Plugin/theme origin
    - Patching/updating
    - Who your friends are
  • 25. Any questions?