
Don't Get Hacked: WordPress Security Best Practices


From https://www.meetup.com/Milwaukee-WordPress-MeetUp/events/233147375/

About the Topic:

Due to popular request ("security" was the #1 ranked topic in our recent member poll), Geoff Myers of SimDex Consulting, Inc. will be presenting a general overview of WordPress security best practices to help you prevent your site from being hacked, attacked, infected, compromised, or otherwise negatively affected by third parties, human or bot.

Subtopics of this presentation will include – but are not limited to – the following:

— Apache / NGINX configuration (web server / host)
— Automatic backups (best practice)
— Automatic updates (best practice)
— CloudFlare (service / CDN)
— iThemes Security (plugin)
— PHP configuration (web server / host)
— Recovering after a hack (post-hack cleanup)
— StatusCake (uptime monitoring service)
— Sucuri (service / plugin)
— Uptime Robot (uptime monitoring service)
— Wordfence (plugin)
— And more!

About the Speaker:

Geoff Myers has been involved in and excited about business, marketing, design, and technology since 2004, when he founded SimDex Consulting, Inc. at the age of 14 in his hometown of Saint Paul, Minnesota. Although SimDex originally started as an IT consulting and support company, it evolved into a web design and development agency by 2008, and eventually matured into a full-service digital marketing consulting firm by 2016, specializing in custom WordPress web application development. For more than 12 years, Geoff has been designing and coding for the web while also growing his – and his clients' – businesses through the application of strategic marketing technologies and the development of custom-built, user-focused web applications.

Geoff originally started out building static websites with Dreamweaver in HTML and CSS, but shifted to using the Joomla! content management system (CMS) by 2008, when version 1.5 was released. In 2010, he fell in love with – and became addicted to – WordPress and its community. Since then, Geoff has designed, developed, marketed, managed, and maintained over 60 WordPress-powered websites for a wide variety of clients in terms of industry, size, type, and location. Lately, Geoff has focused on building highly personalized web applications and integrations for WordPress using PHP and MySQL, the building blocks of WordPress itself.

Questions? Contact Geoff:

Geoff Myers
President + CEO | SimDex Consulting, Inc.
geoff@simdex.org | www.simdex.org
651.447.6247 | 414.455.6675


Don't Get Hacked: WordPress Security Best Practices

  1. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675
     GEOFF MYERS PRESENTS: DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES
  2. BEFORE WE BEGIN… THIS PRESENTATION IS AVAILABLE ONLINE: simdex.org/security
     Get In Touch: geoff@simdex.org | simdex.org | 414.455.6675
  3. BEFORE WE BEGIN… ANNOUNCEMENTS
     ▸ WordPress Page Builders for Non-Developers (Create Visual Layouts Without Code): Tuesday, August 30 @ 9:00am — 11:00am, C2 Graphics Productivity Solutions
     ▸ WordCamp Milwaukee: Saturday, September 17 — Sunday, September 18, UW-Milwaukee School of Continuing Education
     ▸ Looking for additional speakers, venues, topics, ideas, etc. Share your ideas on Meetup, email geoff@simdex.org, or call 414.455.6675
  4. BEFORE WE BEGIN… ABOUT GEOFF MYERS
     ▸ Founded SimDex Consulting, Inc. in 2004
     ▸ Web Solutions for Small + Medium Sized Businesses
     ▸ Digital Marketing Consultant + Strategist
     ▸ 10+ Years as Full Stack Web Designer + Developer
     ▸ 5+ Years of WordPress Development Experience
     ▸ 50+ WordPress Sites Built, Maintained + Marketed
     ▸ Academic Background in Computer Science
     ▸ Get In Touch: geoff@simdex.org or simdex.org or 414.455.6675
  5. BEFORE WE BEGIN… WORDPRESS MAINTENANCE PLAN FROM SIMDEX
     How You Benefit:
     ▸ We Do Everything For You
     ▸ Unlimited Minor Changes + Revisions
     ▸ 24 Hour Response Time Guaranteed
     ▸ Your Total Peace of Mind
     ▸ Monthly Phone Consultations
     ▸ No Hourly Fees or Additional Costs
  6. BEFORE WE BEGIN… WORDPRESS MAINTENANCE PLAN FROM SIMDEX
     Features + Services Included: ▸ Backups ▸ Monitoring ▸ Speed ▸ Changes ▸ Reports ▸ Support ▸ Consulting ▸ Security ▸ Updates
  7. WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 1)
     ▸ Low security = high risk
     ▸ Financial loss, debt, bankruptcy
     ▸ Legal liability, personal liability
     ▸ Privacy breach, violation
     ▸ Data theft, loss, corruption
     ▸ Damage to professional brand, reputation, customer trust
     ▸ Bad for business, bad for customers, bad for everyone
  8. WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 2)
     ▸ 86% of all websites tested by WhiteHat Sentinel had at least one serious* vulnerability, and most of the time, far more than one – 56% to be precise.
     ▸ On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification.
     ▸ Insufficient transport layer protection is the most likely vulnerability across vertical industries including retail trade, health care/social assistance, information technology and financial/insurance, with a range of 65-76% likelihood.
     ▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
  9. WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 3)
     ▸ Organizations that are compliance-driven to remediate vulnerabilities have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).
     ▸ Organizations that have made the vulnerability feed-to-development process connection exhibited roughly 40% fewer vulnerabilities, fixed issues nearly a month faster on average and increased remediation rates by 15%.
     ▸ Considering sites in health care, retail trade and finance were found to be “always vulnerable,” their remediation rates are relatively low at 20%, 21%, and 27% respectively.
     ▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
  10. USEFUL DEFINITIONS (PART 1)
     ‣ Apache + NGINX = Web Server Software
     ‣ CDN = Content Delivery / Distribution Network
     ‣ DNS = Domain Name System
     ‣ DoS = Denial of Service Attack
     ‣ DDoS = Distributed DoS Attack
     ‣ Freemium = Free + Premium (Paid)
     ‣ HTTPS = Hyper Text Transfer Protocol Secure
  11. USEFUL DEFINITIONS (PART 2)
     ‣ MySQL = Relational Database Management System (RDBMS)
     ‣ OWASP = Open Web Application Security Project
     ‣ PHP = Server-Side Scripting Language
     ‣ SSL = Secure Sockets Layer
     ‣ TLS = Transport Layer Security
     ‣ WAF = Web Application Firewall
  12. WHAT AFFECTS WEBSITE SECURITY?
     ‣ Network Infrastructure (Everything Between Client + Server)
     ‣ Web Browser / Client (Chrome, Firefox, Safari)
     ‣ Web Application (WordPress, etc.) ★
     ‣ Web Server (Configuration) ★
       ‣ Apache, NGINX, PHP, MySQL
     ‣ TLS / SSL Certificate
     ‣ Web Application Firewall (WAF)
  13. GENERAL WORDPRESS SECURITY ADVICE + BEST PRACTICES
     ‣ Keep Software Updated (Use Latest Versions) ★
       ‣ WordPress Core + Themes + Plugins
       ‣ Apache / NGINX + PHP + MySQL
     ‣ Regularly Save Backups ★
     ‣ Harden Software Configuration
     ‣ Use HTTPS + TLS / SSL Certificate
     ‣ Use Web Application Firewall (WAF)
  14. FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 1)
     ▸ CloudFlare (DNS + CDN + TLS / SSL certificates + WAF) ★
     ▸ Let’s Encrypt (TLS / SSL certificates)
     ▸ Qualys SSL Labs (checks TLS / SSL certificates) ★
     ▸ Quttera (scans for malware)
  15. FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 2)
     ▸ StatusCake (monitors uptime) ★
     ▸ Sucuri SiteCheck (scans for malware) ★
     ▸ Uptime Robot (monitors uptime)
     ▸ VirusTotal (checks blacklists)
  16. FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 1)
     ▸ Better Search Replace (global database search + replace)
     ▸ CloudFlare ★ (DNS, CDN, TLS/SSL, firewall, etc.)
     ▸ Easy Updates Manager ★ (automatic updates)
     ▸ iThemes Security ★ (many, many features)
  17. FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 2)
     ▸ Jetpack by WordPress.com (automatic updates, firewall, uptime monitoring)
     ▸ Sucuri Security (malware scanner)
     ▸ UpdraftPlus ★ (automatic backup + restore)
     ▸ Wordfence Security (malware scanner, etc.)
  18. CLOUDFLARE SECURITY FEATURES (PART 1)
     ▸ Reputation-based threat protection
     ▸ Comment spam protection
     ▸ Content scraping protection
     ▸ Block visitors by IP range
     ▸ Block visitors by country 💵
     ▸ Deploy collective intelligence to identify new threats
     ▸ Notify visitors on how to clean their infected machine
     ▸ Basic DDoS protection
  19. CLOUDFLARE SECURITY FEATURES (PART 2)
     ▸ Web application firewall (WAF) 💵
     ▸ Built-in CloudFlare rule set 💵
     ▸ OWASP ModSecurity Core rule set 💵
     ▸ 3rd Party WAF rule sets 💵
     ▸ Custom WAF rule support 💵
     ▸ Advanced DDoS protection 💵
     ▸ Advanced DDoS support 💵
     ▸ BGP origin protection 💵
  20. iTHEMES SECURITY PLUGIN FEATURES (PART 1)
     ▸ Prevents brute force attacks by banning hosts and users with too many invalid login attempts
     ▸ Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
     ▸ Bans troublesome user agents, bots and other hosts
     ▸ Strengthens server security
     ▸ Enforces strong passwords for all accounts of a configurable minimum role
  21. iTHEMES SECURITY PLUGIN FEATURES (PART 2)
     ▸ Forces SSL for admin pages (on supporting servers)
     ▸ Forces SSL for any page or post (on supporting servers)
     ▸ Turns off file editing from within the WordPress admin area
     ▸ Detects and blocks numerous attacks on your filesystem and database
     ▸ Detects bots and other attempts to search for vulnerabilities
  22. iTHEMES SECURITY PLUGIN FEATURES (PART 3)
     ▸ Monitors the filesystem for unauthorized changes
     ▸ Runs a scan for malware and blacklists on the homepage of your site
     ▸ Sends email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed
     ▸ Changes the URLs for WordPress dashboard areas including login, admin and more
     ▸ Completely turns off the ability to log in for a given time period (away mode)
  23. iTHEMES SECURITY PLUGIN FEATURES (PART 4)
     ▸ Removes theme, plugin, and core update notifications from users who do not have permission to update them
     ▸ Removes Windows Live Writer header information
     ▸ Removes RSD header information
     ▸ Renames the "admin" account
     ▸ Changes the ID of the user with ID 1
  24. iTHEMES SECURITY PLUGIN FEATURES (PART 5)
     ▸ Changes the WordPress database table prefix
     ▸ Changes the wp-content path
     ▸ Removes login error messages
     ▸ Makes it easier for users not accustomed to WordPress to remember login and admin URLs by customizing the default admin URLs
     ▸ Detects hidden 404 errors on your site that can affect your SEO, such as bad links and missing images
  25. WORDFENCE SECURITY PLUGIN FEATURES (PART 1)
     ▸ Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
     ▸ Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version.
     ▸ Block common security threats like fake Googlebots, malicious scans from hackers and botnets.
     ▸ Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
     ▸ Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report security threats to the network owner.
  26. WORDFENCE SECURITY PLUGIN FEATURES (PART 2)
     ▸ Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
     ▸ Choose whether you want to block or throttle users and robots who break your security rules.
     ▸ Premium users can also block countries and schedule scans for specific times and a higher frequency.
     ▸ Sign in using your password and your cellphone to vastly improve login security. This is called Two Factor Authentication and is used by banks, government agencies and military world-wide for highest security authentication.
     ▸ Includes two-factor authentication, also referred to as cellphone sign-in.
  27. WORDFENCE SECURITY PLUGIN FEATURES (PART 3)
     ▸ Enforce strong passwords among your administrators, publishers and users. Improve login security.
     ▸ Checks the strength of all user and admin passwords to enhance login security.
     ▸ Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
     ▸ Scans for the Heartbleed vulnerability - included in the free scan for all users.
     ▸ Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify the security of your source.
  28. WORDFENCE SECURITY PLUGIN FEATURES (PART 4)
     ▸ See how files have changed. Optionally repair changed files that are security threats.
     ▸ Scans for signatures of over 44,000 known malware variants that are known security threats.
     ▸ Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many, many more.
     ▸ Continuously scans for malware and phishing URLs, including all URLs on the Google Safe Browsing List, in all your comments, posts and files that are security threats.
     ▸ Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
  29. WORDFENCE SECURITY PLUGIN FEATURES (PART 5)
     ▸ Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
     ▸ See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
     ▸ A real-time view of all traffic including automated bots that often constitute security threats that JavaScript analytics packages never show you.
     ▸ Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
     ▸ Monitor your DNS security for unauthorized DNS changes.
  30. WORDFENCE SECURITY PLUGIN FEATURES (PART 6)
     ▸ Monitors disk space, which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.
     ▸ Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
     ▸ WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
     ▸ Includes Falcon Engine, the fastest WordPress caching engine available today. Falcon is faster because it reduces your web server disk and database activity to a minimum.
     ▸ Wordfence includes two caching modes for compatibility and has cache management features like the ability to clear the cache and monitor cache usage.
  31. WORDFENCE SECURITY PLUGIN FEATURES (PART 7)
     ▸ Fully IPv6 compatible including all whois lookup, location, blocking and security functions.
     ▸ Includes support for other major plugins and themes like WooCommerce.
     ▸ The Wordfence website includes an in-depth WordPress Security Learning Center.
  32. GEOFF’S WEBSITE SECURITY CHECKLIST (PART 1)
     ‣ Set up automated backups for WordPress files + database using UpdraftPlus
     ‣ Set up automated updates for WordPress core + themes + plugins using Easy Updates Manager
     ‣ Sign up for and enable CloudFlare
     ‣ Install free SSL certificate from CloudFlare or Let’s Encrypt
  33. GEOFF’S WEBSITE SECURITY CHECKLIST (PART 2)
     ‣ Change both URLs in WordPress Settings → General to use HTTPS instead of HTTP
     ‣ Force HTTPS on all web server resources using .htaccess
     ‣ Replace all website URL instances of HTTP with HTTPS using Better Search Replace plugin
     ‣ Install and configure iThemes Security plugin
     ‣ Install and configure Wordfence Security plugin OR sign up for Sucuri Security
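Why the checklist's HTTP-to-HTTPS step calls for the Better Search Replace plugin rather than a raw SQL REPLACE(): WordPress stores many option and meta values as PHP-serialized arrays whose strings carry byte lengths, so a blind text replace corrupts them. The PHP below is an added example written for this page, not code from the talk or from the plugin; the option value and the example.com URLs are constructed.

```php
<?php
// Added example (not from the talk or the Better Search Replace plugin):
// shows why the HTTP -> HTTPS database replace must be serialization-aware.
// WordPress keeps many wp_options / wp_postmeta values as PHP-serialized
// data, where every string is prefixed with its byte length, e.g. s:46:"...".

// Constructed sample of a theme option as it would sit in wp_options.
$stored = serialize([
    'logo'   => 'http://example.com/wp-content/uploads/logo.png',  // 46 bytes
    'colors' => ['link' => '#0073aa'],
]);

// 1. Naive replace, equivalent to running
//    UPDATE wp_options SET option_value =
//        REPLACE(option_value, 'http://example.com', 'https://example.com');
//    The URL grows from 46 to 47 bytes but its s:46 prefix is untouched, so
//    unserialize() fails (returns false) and WordPress silently loses the option.
$naive   = str_replace('http://example.com', 'https://example.com', $stored);
$damaged = (@unserialize($naive) === false);   // true: the value is corrupted

// 2. Serialization-aware replace: unserialize, walk the structure, replace in
//    the leaf strings, then reserialize so every length prefix is recomputed.
//    Arrays and scalars only; a production tool must also handle objects and
//    serialized strings nested inside other serialized strings.
function replace_in_value($data, string $from, string $to)
{
    if (is_string($data)) {
        return str_replace($from, $to, $data);
    }
    if (is_array($data)) {
        foreach ($data as $key => $item) {
            $data[$key] = replace_in_value($item, $from, $to);
        }
    }
    return $data;
}

function safe_url_replace(string $value, string $from, string $to): string
{
    // WordPress's is_serialized() helper performs a similar test; here a
    // failed unserialize (other than the literal "b:0;") means a plain string.
    $data = @unserialize($value);
    if ($data === false && $value !== 'b:0;') {
        return str_replace($from, $to, $value);
    }
    return serialize(replace_in_value($data, $from, $to));
}

$fixed = safe_url_replace($stored, 'http://example.com', 'https://example.com');
$ok    = (unserialize($fixed)['logo'] === 'https://example.com/wp-content/uploads/logo.png');

printf("naive replace corrupted the option: %s\n", $damaged ? 'yes' : 'no');
printf("serialization-aware replace kept it intact: %s\n", $ok ? 'yes' : 'no');
```

The same length-prefix problem applies to any site-wide text change in the database (domain moves, path changes), which is why the plugin, not a direct UPDATE, belongs in the checklist.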
  34. HELP! I’VE BEEN HACKED… NOW WHAT?!
     ▸ Post-Hack Cleanup Options (easiest to hardest):
       1. Restore Pre-Hack Backup
       2. Sign Up for Sucuri
       3. Pay a Professional like SimDex
       4. Scan + Clean It Yourself
  35. ADDITIONAL ARTICLES + RESOURCES (PART 1)
     ▸ Hardening WordPress (from WordPress.org)
     ▸ Hardening WordPress Security: 25 Essential Plugins + Tips (from Hongkiat)
     ▸ The WordPress Security Learning Center (from Wordfence)
     ▸ WordPress Security (from iThemes)
  36. ADDITIONAL ARTICLES + RESOURCES (PART 2)
     ▸ WordPress Security (from Yoast)
     ▸ WordPress Security: The Ultimate Guide (from WPMU DEV)
     ▸ WordPress Security Tutorial (from SiteGround)
  37. THAT’S IT FOR NOW… THANK YOU! Questions?
     Get In Touch: geoff@simdex.org | simdex.org | 414.455.6675
  38. THAT’S IT FOR NOW… THIS PRESENTATION IS AVAILABLE ONLINE: simdex.org/security
     Get In Touch: geoff@simdex.org | simdex.org | 414.455.6675
