WordPress is one of the most popular website platforms on the Internet, and that makes it a prime target for malicious web users. Learn how to take the basic steps to protect yourself and your online properties.
Web design and infosec
Committed to WordPress and website security
Security Analyst: cleaning up malware and protecting websites from infection every day
• Website security company
• Operate internationally
• Platform agnostic (WordPress, Joomla, Drupal, etc.)
• Scan 2 million websites per month
• Block 4 million attacks per month
• Remediate 400-500 sites per day
• 24/7 operations
The state of…
2.9 billion Internet users worldwide
About 950 million active sites
20% are WordPress…
No 0% Threat Rule
No such thing as perfect security. If someone REALLY wants in, they will find a way.
0-Day Attacks
Brand new attacks using different methods make these impossible to plan for. A 0-day attack is resolved once it has been studied and a fix has been published.
Not just WordPress!
Security starts with everyday practices. All the wrong moves made off of your website will still affect things on your website!
Who Are They?
- It can be anyone good with computers.
- Intelligent and mischievous; enterprising and effective.
Where are they from?
Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States.
Brute force, SQL injection, DDoS, social engineering
what’s going on here…
It's nothing personal
Most attacks are automated and done on many websites at a time.
You're on the list
Once you're a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE.
Pharma and spam attacks
Viagra, Cialis, and Levitra ads make marketers over 2 BILLION dollars every year from blackhat methods of infecting websites and redirecting users to websites selling
Sending a Message
Turning your site into a billboard for anarchy
Frontline Disaster Prevention
Basic Website Maintenance
Common Sense Policies
Have a backup plan
Playing defensively from the back is your best first line of defense.
Keep it away from your live server, and out of the clutches of an intruder.
…more than one if possible!
The more layers your backup plan has, the less likely it is to fail.
Scheduled and automated
Don't rely on yourself.
VaultPress, web hosting backups, Sucuri Backups
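What "scheduled, automated and layered" looks like in practice, as an added example that is not part of the original presentation: each run archives the site tree, writes a digest beside it, verifies that the archive opens and still contains the irreplaceable wp-config.php, copies it to every off-server destination, and prunes all but the newest copies per destination. The site layout, the two "offsite" directories standing in for remote storage, the three date labels and the keep-two policy are all constructed for the demo; the database dump is a separate step not shown.

```python
import hashlib
import shutil
import tarfile
import tempfile
from pathlib import Path


def sidecar(archive: Path) -> Path:
    """Path of the SHA-256 digest file stored next to an archive."""
    return archive.with_name(archive.name + ".sha256")


def make_archive(site_dir: Path, staging: Path, label: str) -> Path:
    """Tar the whole site tree into staging and record its digest.
    (A database dump is a separate step, not shown here.)"""
    archive = staging / f"{site_dir.name}-{label}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=site_dir.name)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    sidecar(archive).write_text(f"{digest}  {archive.name}\n")
    return archive


def verify(archive: Path) -> bool:
    """A backup you have not verified is not a backup: re-hash it, make sure it
    opens, and make sure the irreplaceable wp-config.php is actually inside."""
    expected = sidecar(archive).read_text().split()[0]
    if hashlib.sha256(archive.read_bytes()).hexdigest() != expected:
        return False
    with tarfile.open(archive, "r:gz") as tar:
        return any(m.name.endswith("/wp-config.php") for m in tar.getmembers())


def copy_to_destinations(archive: Path, destinations: list, keep: int) -> dict:
    """Copy archive and digest to every destination (the 'layers'), then keep
    only the newest `keep` archives in each. Date labels sort chronologically."""
    listing = {}
    for dest in destinations:
        dest.mkdir(parents=True, exist_ok=True)
        for f in (archive, sidecar(archive)):
            shutil.copy2(f, dest / f.name)
        for old in sorted(dest.glob("*.tar.gz"))[:-keep]:
            old.unlink()
            sidecar(old).unlink(missing_ok=True)
        listing[dest.name] = [p.name for p in sorted(dest.glob("*.tar.gz"))]
    return listing


def demo() -> dict:
    """Constructed example: one site, two off-server layers, three scheduled runs, keep two copies."""
    base = Path(tempfile.mkdtemp())
    site = base / "example-site"
    (site / "wp-content/uploads").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
    (site / "wp-content/uploads/photo.txt").write_text("constructed upload\n")
    staging = base / "staging"
    staging.mkdir()
    layers = [base / "offsite-a", base / "offsite-b"]   # stand-ins for two remote locations
    verified, listing = [], {}
    for label in ("20140601", "20140602", "20140603"):  # what three daily cron runs would produce
        archive = make_archive(site, staging, label)
        verified.append(verify(archive))
        listing = copy_to_destinations(archive, layers, keep=2)
    return {"verified": verified, "layers": listing}
```

Run `demo()` once from cron (with real paths, a timestamp label and a remote mount or sync step for each layer) and the rotation takes care of itself; the `verify` step is the part most home-grown backup scripts skip.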
The Importance of
Your version is your level of security
Major versus maintenance releases
Worried about upgrading? Fear not! Downgrading is a simple task.
Have an upgrade path
As of June 2014: http://w3techs.com/technologies/details/cm-wordpress/3/all
[Chart: share of WordPress sites by version: 3.0-3.4, 3.5, 3.6, 3.7, 3.8, 3.9]
Recent vulnerability disclosure: update!!
No plugin is SAFE!
Public Service Announcement…
A little bit about sophisticated password guessing
Easier to crack than you think…
Password crack times:
- 8 letters = 52 seconds
- 8 numbers/letters = 11 minutes
- with caps/!@#$… = 3 hours
- 12 letters/numbers/caps/!@#$… = 2 thousand years
The following are statistics showing the most used passwords in 2013, documented from lists stolen in major organization security breaches.
No.  Password    Ranking last year
1    123456      2
2    password    1
3    12345678    3
4    qwerty      5
5    abc123      4
6    123456789   New
7    111111      9
Tools of the trade:
LastPass, KeePass, Dashlane
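Where the crack times above come from, and why the top-seven list makes them irrelevant, as an added example that is not part of the original presentation. The check rejects anything on the breached list outright (such a password falls within the attacker's first guesses no matter its length), then estimates the worst-case time to exhaust the search space for the character classes present. The guess rate of 4 billion per second is an assumption chosen so that the "8 letters = 52 seconds" figure reproduces; the seven-entry denylist is taken from the table above and is far smaller than what a real check would load.

```python
# Constructed denylist: the seven entries from the 2013 table above.
# A real deployment loads a much larger breached-password list.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty",
                    "abc123", "123456789", "111111"}

# Assumed offline guess rate (roughly one consumer GPU against a fast hash).
# This is an assumption made for the estimate, not a figure from the presentation.
GUESSES_PER_SECOND = 4e9


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must search, from the character classes present."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII punctuation
    return size


def crack_seconds(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case seconds to exhaust the search space at `rate` guesses per second.
    Zero for anything on the denylist: length and symbols do not help a list password."""
    if password.lower() in COMMON_PASSWORDS:
        return 0.0
    return charset_size(password) ** len(password) / rate


def human_time(seconds: float) -> str:
    """Render an estimate the way the slide does (seconds, minutes, hours, days, years)."""
    for unit, size in (("years", 31557600), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.0f} seconds"


def check_password(password: str, min_length: int = 12) -> dict:
    """Policy check: not on the breached list, long enough, at least three character classes."""
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears in a breached-password list")
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if charset_size(password) < 62:
        problems.append("uses fewer than three character classes")
    estimate = crack_seconds(password)
    return {"ok": not problems, "problems": problems,
            "crack_seconds": estimate, "crack_time": human_time(estimate)}
```

The estimate is a ceiling, not a promise: real attackers start with wordlists and rules, not exhaustive search, so the denylist check matters more than the arithmetic. A password manager from the list above generates passwords that pass this check without anyone having to remember them.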
FTP/SFTP file management
Basic file cleanup with FileZilla
WordPress Version Archives
(Google "WordPress versions")
Always know where to find a clean copy of your
Infection: blackhat SEO spam injection
Infection confirmed at the free Sucuri website scanner: http://sitecheck.sucuri.net
wp-admin and wp-includes
These directories are replaceable, both for cleanup and for downgrading versions.
Replace other core files
The other core files outside of these two directories can be uploaded to directly replace their counterparts.
Do not delete wp-config.php or
These are vital to the functionality of your blog, and cannot be replaced easily, or without a backup.
Find your theme
Your theme is replaceable if you haven't made custom
Delete your old theme
This is the most common place for infected WordPress files.
Replace with a clean copy
Good as new!
Your WordPress site is now spam free!
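The cleanup above relies on knowing which files differ from a clean copy of the same version. As an added example that is not part of the original presentation, this script hashes the installed tree against a clean download, classifies each core file as modified, added or missing, turns that into the three actions from the slides (re-upload wp-admin/wp-includes wholesale, upload clean counterparts of other core files, review and delete unknown files), and greps the theme directory for the obfuscation calls typical of spam injections. It never touches wp-config.php or wp-content, since those cannot be replaced from a download. The sample trees, the tampered files and the four suspicious function names are all constructed for the demo; the pattern list is an assumption, not a complete signature set.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Site-specific paths: never overwrite these from a clean copy (not replaceable without a backup).
PRESERVE = {"wp-config.php", "wp-content"}
# Directories that can be deleted and re-uploaded wholesale from a clean copy of the same version.
REPLACEABLE_DIRS = {"wp-admin", "wp-includes"}
# Crude indicators of injected PHP (constructed, assumed patterns; not a complete signature set).
SUSPICIOUS = re.compile(rb"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def tree_hashes(root: Path) -> dict:
    """Relative path -> sha256 for every core file under root, skipping site-specific paths."""
    hashes = {}
    for p in root.rglob("*"):
        rel = p.relative_to(root).as_posix()
        if p.is_file() and rel.split("/")[0] not in PRESERVE:
            hashes[rel] = sha256_of(p)
    return hashes


def compare_to_clean(site: Path, clean: Path) -> dict:
    """Classify core files as modified, added (not in the clean copy) or missing."""
    site_h, clean_h = tree_hashes(site), tree_hashes(clean)
    return {
        "modified": sorted(f for f in site_h if f in clean_h and site_h[f] != clean_h[f]),
        "added": sorted(f for f in site_h if f not in clean_h),
        "missing": sorted(f for f in clean_h if f not in site_h),
    }


def cleanup_plan(report: dict) -> dict:
    """Map the comparison onto the three actions from the slides."""
    replace_dirs, upload = set(), []
    for f in report["modified"] + report["missing"]:
        top = f.split("/")[0]
        if top in REPLACEABLE_DIRS:
            replace_dirs.add(top)   # delete and re-upload the whole directory
        else:
            upload.append(f)        # upload the clean counterpart over this one file
    return {"replace_dirs": sorted(replace_dirs), "upload": upload,
            "review_and_delete": list(report["added"])}  # unknown files: inspect, then delete


def scan_for_injections(root: Path) -> list:
    """Flag PHP files (typically under wp-content/themes) that call obfuscation functions."""
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*.php")
                  if p.is_file() and SUSPICIOUS.search(p.read_bytes()))


def demo() -> dict:
    """Build two constructed trees (clean copy and infected site) and run the checks."""
    base = Path(tempfile.mkdtemp())
    clean, site = base / "clean", base / "site"
    files = {"index.php": b"<?php require 'wp-blog-header.php';",
             "wp-admin/index.php": b"<?php // admin",
             "wp-includes/version.php": b"<?php $wp_version = '3.9.1';",
             "wp-config-sample.php": b"<?php // sample"}
    for rel, body in files.items():
        for root in (clean, site):
            (root / rel).parent.mkdir(parents=True, exist_ok=True)
            (root / rel).write_bytes(body)
    # Simulated infection: tampered core file, dropped backdoor, injected theme, deleted sample file.
    (site / "wp-includes/version.php").write_bytes(b"<?php $wp_version = '3.9.1'; eval(base64_decode('aGk='));")
    (site / "wp-admin/css.php").write_bytes(b"<?php @eval($_POST['x']);")
    (site / "wp-config-sample.php").unlink()
    (site / "wp-config.php").write_bytes(b"<?php define('DB_NAME', 'wp');")  # must survive untouched
    theme = site / "wp-content/themes/twentyfourteen"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_bytes(b"<?php echo 'ok'; eval(gzinflate(base64_decode('...')));")
    report = compare_to_clean(site, clean)
    return {"report": report, "plan": cleanup_plan(report),
            "theme_hits": scan_for_injections(site / "wp-content")}
```

Run `compare_to_clean` against the matching version from the WordPress release archive, not the latest release, or every core file shows as modified. Anything in `review_and_delete` under wp-admin or wp-includes is a file the clean copy does not know about and is the usual place a backdoor is dropped; `theme_hits` are the files to compare against a fresh copy of the theme before deleting and replacing it.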
A healthy dose of…
Worry about the right things:
- Passwords versus usernames
- Web hosting
- Plugin/theme origin
- Who your friends are