
Dont Sabotage Your WordPress Success - Five Security Tips

Lots of smart people use WordPress to power their Web site, but many sabotage their own success with simple security mistakes that damage their relationship with the popular blogging/CMS software. Learn five of the most common of these mistakes, and how to avoid them.

  1. Rogue Repairman Productions | Alexandria, VA | info@roguerepairman.com | 703.542.4025
     Don’t Sabotage Your WordPress Success: Five Security Tips
     January 10, 2018
  2. What Security Is
     Security is not a product. Security is a process.
  3. Stay Up to Date
  4. Stay Up to Date
     Look familiar?
  5. Stay Up to Date
     ● WordPress and code running on its platform (themes/plugins) will tell you when they need to be updated
     ● Keeping everything up to date makes your site more secure, improves performance, and adds useful features
     ● So why not do this simple, free thing?
  6. Stay Up to Date
     ● As of version 3.7, WordPress can update itself in the background
     ● Will only apply security and maintenance updates, not new feature releases
     ● Can be selectively disabled in WP configuration
     ● Automatically disabled if you use any kind of version control system
  7. Limit Plugin Usage
  8. Limit Plugin Usage
     ● There are 53,729 plugins (up from 28,164) in the WordPress plugin directory
     ● “Let's install all of them!”
  9. Limit Plugin Usage
     WordPress does not enforce any limitations on what plugins and themes can do. So:
     ● Each add-on you install is a potential security hole
     ● One poorly written add-on can slow down your whole site
     ● Plugins can behave like themes, and themes like plugins
     ● Plugins and themes can conflict with each other (!)
     ● Plugins and themes can conflict with WordPress core (!!!)
  10. Limit Plugin Usage
     Using add-ons wisely:
     ● Use only those add-ons that you absolutely must use
     ● Look for add-ons that do one thing well
       – Beware of “All-In-One” add-ons
     ● Look for add-ons that are:
       – Under active development
       – Rated highly in the WordPress.org Plugin Repository
       – Flagged as compatible with your version of WordPress
  11. Limit Plugin Usage
     You might be surprised at some of the things WordPress can do all by itself!
     ● Video/audio embedding (including YouTube)
     ● Tweak your theme with custom CSS
     ● Create an image gallery
     ● Add more buttons to the visual editor
     … and lots more!
  12. Handle Credentials Securely
  13. Handle Credentials Securely
     ● A major cause of security compromises is insecure handling of authentication credentials (usernames & passwords)
     ● The login form is the lock on your front door – be careful who you give keys to, and how you hand them over
  14. Handle Credentials Securely
     There are several sets of credentials that can be used to compromise a WordPress site:
     ● WP admin area
     ● Web hosting control panel
     ● MySQL database user accounts
     ● Server login (SSH/RDP)
     ● File transfer (SFTP/FTPS/FTP)
     Losing control of any can give a hacker a way in!
  15. Handle Credentials Securely
     Tips for managing WordPress users securely:
     ● Don’t share user accounts – give each user their own
     ● Limit full (“admin”) privileges
     ● Don’t transfer credentials over insecure channels, like email
     ● Delete old accounts no longer in use
  16. Handle Credentials Securely
     “What do you mean, email isn’t secure???”
     ● Emails are sent unencrypted, in plain text
     ● Emails pass through many servers between sender and recipient
     ● Email accounts are frequently hacked
     Be safe, use Signal instead: https://signal.org/
  17. Don’t Reuse Credentials
  18. Don’t Reuse Credentials
     ● As a consultant/developer/designer, you probably have logins on lots of client sites
     ● If you reuse passwords across these sites, a hacker who finds a way into one of them can now get into all of them
  19. Don’t Reuse Credentials
     Use strong, unique passwords for every site and service you interact with
     ● Strong passwords are long (16+) strings of characters
     ● Ideally random
     ● Ideally include numbers, punctuation marks, varied capitalization
     ● Unique passwords are… well, unique
  20. Don’t Reuse Credentials
     A password manager can help you keep track of all those strong, unique passwords. It can also:
     ● Store them in an encrypted vault
     ● Generate new ones for you as you need them
     ● Integrate with your web browser
     ● Sync your password vault with your mobile devices
  21. Don’t Reuse Credentials
     Two basic types of password manager:
     ● Cloud-based: Stores your data in a remote server. Convenient, but less secure.
     ● Local: Stores your data directly on your device. More secure, but up to you to figure out how to sync data across devices.
     Any password manager is better than no password manager at all!
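The "strong, unique" rule on slides 19 to 21 is mechanical enough to code. The block below is an added example and not part of the deck: it generates passwords from the operating system's CSPRNG with the deck's criteria (16+ characters, mixed case, digits, punctuation) enforced by rejection sampling, and it audits a small vault for reuse across sites. The `vault` dictionary, the site names and the `is_strong`/`generate_password`/`find_reused` function names are constructed for illustration; a real password manager stores the vault encrypted, which this example deliberately leaves out.

```python
import secrets
import string
from collections import defaultdict

# Character classes the deck asks for: varied capitalization, numbers, punctuation.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
PUNCT = string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + PUNCT
MIN_LENGTH = 16  # "long (16+) strings of characters"


def is_strong(password):
    """True when the password meets the deck's criteria: 16+ characters,
    at least one lowercase, one uppercase, one digit and one punctuation mark."""
    return (
        len(password) >= MIN_LENGTH
        and any(c in LOWER for c in password)
        and any(c in UPPER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in PUNCT for c in password)
    )


def generate_password(length=20):
    """Draw characters uniformly from ALPHABET using the CSPRNG (secrets, not random).
    Candidates missing a character class are discarded and redrawn; rejection sampling
    keeps the result uniform over the set of accepted passwords."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if is_strong(candidate):
            return candidate


def find_reused(vault):
    """Given a {site: password} mapping, return the groups of sites that share a
    password (only groups of two or more), each group sorted, groups sorted."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


if __name__ == "__main__":
    # Constructed vault: two client sites share one password, which is the
    # exact situation slide 18 warns about.
    vault = {
        "client-a.example": "Correct-Horse-9!",
        "client-b.example": "Correct-Horse-9!",
        "hosting-panel.example": generate_password(),
    }
    print("reused across:", find_reused(vault))
    print("fresh password:", generate_password(24))
```

Two of the deck's points are visible in the code: `secrets` rather than `random` is what makes the output usable as a credential, and the audit in `find_reused` is the check a password manager's "reused password" report performs over its vault.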
  22. Block Brute Force Attacks
  23. Block Brute Force Attacks
     ● A “brute force” attack is an attempt to crack your site’s passwords by trying lots of them until a valid one is found
     ● WordPress provides no defense against these attacks out of the box
     ● Can also be used for denial-of-service (DoS/DDoS) attacks
  24. Block Brute Force Attacks
     There are multiple levels at which you can defend against this type of attack
     ● Network: at the switch/firewall
     ● Server: on the server(s) hosting your site
     ● Application: in WordPress itself, via a plugin
  25. Block Brute Force Attacks
     Tools for defending at each level:
     ● Network: “web application firewall” (WAF)
     ● Server: fail2ban
     ● Application: Cerber and Limit Login Attempts
  26. Thank You!
     Jason A. Lefkowitz
     President, Rogue Repairman Productions
     https://roguerepairman.com
     jason@roguerepairman.com
     “Technology sucks. We make it suck less.”
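The server-level defence on slides 24 and 25 (fail2ban) works by reading the web server's access log, matching a pattern for failed logins, and acting on a source address once it exceeds a retry count inside a time window. The block below is an added example, not the deck's material and not fail2ban's own code: it reimplements that sliding-window logic in Python over a few constructed Apache combined-format log lines (RFC 5737 test addresses, not real traffic). It assumes the usual WordPress behaviour that a failed `POST /wp-login.php` re-renders the form with HTTP 200 while a successful login redirects with 302; the parameter names `maxretry` and `findtime` mirror fail2ban's jail settings, and the function names are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample of Apache "combined" access-log lines (not real traffic).
SAMPLE_LOG = """\
192.0.2.55 - - [10/Jan/2018:13:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2018:13:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2018:13:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2018:13:00:15 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:14:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2841 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:14:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:14:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:14:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:14:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:14:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jan/2018:14:00:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.12 - - [10/Jan/2018:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.12 - - [10/Jan/2018:14:05:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
198.51.100.12 - - [10/Jan/2018:14:06:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2018:14:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
192.0.2.55 - - [10/Jan/2018:14:30:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3102 "-" "Mozilla/5.0"
this line is not in combined log format and is skipped
"""

# Combined log format: client, ident, user, [timestamp], "METHOD path proto", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) for a combined-format line, or None."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def is_failed_login(method, path, status):
    """Assumption: WordPress answers a failed wp-login.php POST with 200 (form re-rendered)
    and a successful one with a 302 redirect, so a 200 on POST counts as a failure."""
    return method == "POST" and path.endswith("/wp-login.php") and status == 200


def find_brute_forcers(log_text, maxretry=5, findtime=timedelta(minutes=10)):
    """Sliding-window count of failed logins per source IP, in log order.
    An IP is 'banned' at the moment its maxretry-th failure falls within findtime
    of the earliest failure still in its window; returns {ip: ban_timestamp}."""
    windows = defaultdict(deque)
    banned = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ip, ts, method, path, status = parsed
        if ip in banned or not is_failed_login(method, path, status):
            continue
        window = windows[ip]
        window.append(ts)
        while window and ts - window[0] > findtime:  # age out old failures
            window.popleft()
        if len(window) >= maxretry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_brute_forcers(SAMPLE_LOG).items():
        print(f"ban {ip} (threshold reached at {when.isoformat()})")
```

Run against the sample, only 203.0.113.7 is flagged: it produces five 200-status POSTs in eight seconds. 198.51.100.12 fails twice and then logs in, and 192.0.2.55's four morning failures have aged out of the ten-minute window by the time its two afternoon failures arrive, which is the behaviour the `findtime` knob exists to give. In production the ban action would be a firewall rule rather than a dictionary entry, and the thresholds would be tuned to how many legitimate mistypes a real user makes.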