Don't Get Hacked: WordPress Security Best Practices

1. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES GEOFF MYERS PRESENTS

2. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 BEFORE WE BEGIN… THIS PRESENTATION IS AVAILABLE ONLINE: simdex.org/security Get In Touch:  geoff@simdex.org  simdex.org  414.455.6675

3. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 BEFORE WE BEGIN… ANNOUNCEMENTS ▸ WordPress Page Builders for Non-Developers (Create Visual Layouts Without Code)  Tuesday, August 30 @ 9:00am — 11:00am  C2 Graphics Productivity Solutions ▸ WordCamp Milwaukee  Saturday, September 17 — Sunday, September 18  UW-Milwaukee School of Continuing Education ▸ Looking for additional speakers, venues, topics, ideas, etc.  Share your ideas on Meetup, email geoff@simdex.org, or call 414.455.6675

4. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 BEFORE WE BEGIN… ABOUT GEOFF MYERS ▸ Founded SimDex Consulting, Inc. in 2004 ▸ Web Solutions for Small + Medium Sized Businesses ▸ Digital Marketing Consultant + Strategist ▸ 10+ Years as Full Stack Web Designer + Developer ▸ 5+ Years of WordPress Development Experience ▸ 50+ WordPress Sites Built, Maintained + Marketed ▸ Academic Background in Computer Science ▸ Get In Touch: geoff@simdex.org or simdex.org or 414.455.6675

5. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 BEFORE WE BEGIN… WORDPRESS MAINTENANCE PLAN FROM SIMDEX How You Beneﬁt: ▸ We Do Everything For You ▸ Unlimited Minor Changes + Revisions ▸ 24 Hour Response Time Guaranteed ▸ Your Total Peace of Mind ▸ Monthly Phone Consultations ▸ No Hourly Fees or Additional Costs

6. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 BEFORE WE BEGIN… WORDPRESS MAINTENANCE PLAN FROM SIMDEX Features + Services Included: ▸ Backups ▸ Monitoring ▸ Speed ▸ Changes ▸ Reports ▸ Support ▸ Consulting ▸ Security ▸ Updates

7. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 1) ▸ Low security = high risk ▸ Financial loss, debt, bankruptcy ▸ Legal liability, personal liability ▸ Privacy breach, violation ▸ Data theft, loss, corruption ▸ Damage to professional brand, reputation, customer trust ▸ Bad for business, bad for customers, bad for everyone

8. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 2) ▸ 86% of all websites tested by WhiteHat Sentinel had at least one serious* vulnerability, and most of the time, far more than one – 56% to be precise. ▸ On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification. ▸ Insufficient transport layer protection is the most likely vulnerability across vertical industries including retail trade, health care/social assistance, information technology and financial/insurance, with a range of 65-76% likelihood. ▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation

9. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 3) ▸ Organizations that are compliance-driven to remediate vulnerabilities have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%). ▸ Organizations that have made the vulnerability feed-to-development process connection, exhibited roughly 40% less vulnerabilities, ﬁxed issues nearly a month faster on average and increased remediation rates by 15%. ▸ Considering sites in health care, retail trade and ﬁnance were found to be “always vulnerable,” their remediation rates are relatively low at 20%, 21%, and 27% respectively. ▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation

10. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES USEFUL DEFINITIONS (PART 1) ‣ Apache + NGINX = Web Server Software ‣ CDN = Content Delivery / Distribution Network ‣ DNS = Domain Name System ‣ DoS = Denial of Service Attack ‣ DDoS = Distributed DoS Attack ‣ Freemium = Free + Premium (Paid) ‣ HTTPS = Hyper Text Transfer  Protocol Secure

11. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES USEFUL DEFINITIONS (PART 2) ‣ MySQL = Relational Database Management System (RDBMS) ‣ OWASP = Open Web Application Security Project ‣ PHP = Server-Side Scripting Language ‣ SSL = Secure Sockets Layer ‣ TLS = Transport Layer Security ‣ WAF = Web Application Firewall

12. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WHAT AFFECTS WEBSITE SECURITY? ‣ Network Infrastructure (Everything Between Client + Server) ‣ Web Browser / Client (Chrome, Firefox, Safari) ‣ Web Application (WordPress, etc.) ★ ‣ Web Server (Conﬁguration) ★ ‣ Apache, NGINX, PHP, MySQL ‣ TLS / SSL Certiﬁcate ‣ Web Application Firewall (WAF)

13. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES GENERAL WORDPRESS SECURITY ADVICE + BEST PRACTICES ‣ Keep Software Updated (Use Latest Versions) ★ ‣ WordPress Core + Themes + Plugins ‣ Apache / NGINX + PHP + MySQL ‣ Regularly Save Backups ★ ‣ Harden Software Conﬁguration ‣ Use HTTPS + TLS / SSL Certiﬁcate ‣ Use Web Application Firewall (WAF)

14. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 1) ▸ CloudFlare  (DNS + CDN + TLS / SSL certificates + WAF) ★ ▸ Let’s Encrypt  (TLS / SSL certificates) ▸ Qualys SSL Labs  (checks TLS / SSL certificates) ★ ▸ Quttera  (scans for malware)

15. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 2) ▸ StatusCake  (monitors uptime) ★ ▸ Sucuri SiteCheck  (scans for malware) ★ ▸ Uptime Robot  (monitors uptime) ▸ VirusTotal  (checks blacklists)

16. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 1) ▸ Better Search Replace  (global database search + replace) ▸ CloudFlare ★  (DNS, CDN, TLS/SSL, ﬁrewall, etc.) ▸ Easy Updates Manager ★  (automatic updates) ▸ iThemes Security ★  (many, many features)

17. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 2) ▸ Jetpack by WordPress.com  (automatic updates, ﬁrewall, uptime monitoring) ▸ Sucuri Security  (malware scanner) ▸ UpdraftPlus ★  (automatic backup + restore) ▸ Wordfence Security  (malware scanner, etc.)

18. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES CLOUDFLARE SECURITY FEATURES (PART 1) ▸ Reputation-based threat protection ▸ Comment spam protection ▸ Content scraping protection ▸ Block visitors by IP range ▸ Block visitors by country 💵 ▸ Deploy collective intelligence  to identify new threats ▸ Notify visitors on how to  clean their infected machine ▸ Basic DDoS protection

19. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES CLOUDFLARE SECURITY FEATURES (PART 2) ▸ Web application ﬁrewall (WAF) 💵 ▸ Built-in CloudFlare rule set 💵 ▸ OWASP ModSecurity Core rule set 💵 ▸ 3rd Party WAF rule sets 💵 ▸ Custom WAF rule support 💵 ▸ Advanced DDoS protection 💵 ▸ Advanced DDoS support 💵 ▸ BGP origin protection 💵

20. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES iTHEMES SECURITY PLUGIN FEATURES (PART 1) ▸ Prevents brute force attacks by banning hosts and users with too many invalid login attempts ▸ Scans your site to instantly report where vulnerabilities exist and ﬁxes them in seconds ▸ Bans troublesome user agents, bots and other hosts ▸ Strengthens server security ▸ Enforces strong passwords for all accounts of a conﬁgurable minimum role

21. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES iTHEMES SECURITY PLUGIN FEATURES (PART 2) ▸ Forces SSL for admin pages (on supporting servers) ▸ Forces SSL for any page or post (on supporting servers) ▸ Turns off ﬁle editing from within WordPress admin area ▸ Detects and blocks numerous attacks to your ﬁlesystem and database ▸ Detects bots and other attempts to search for vulnerabilities.

22. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES iTHEMES SECURITY PLUGIN FEATURES (PART 3) ▸ Monitors filesystem for unauthorized changes. ▸ Run a scan for malware and blacklists on the homepage of your site. ▸ Receive email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed. ▸ Changes the URLs for WordPress dashboard areas including login, admin and more ▸ Completely turns off the ability to login for a given time period (away mode)

23. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES iTHEMES SECURITY PLUGIN FEATURES (PART 4) ▸ Removes theme, plugin, and core update notiﬁcations from users who do not have permission to update them ▸ Removes Windows Live Write header information ▸ Removes RSD header information ▸ Renames "admin" account ▸ Changes the ID on the user with ID 1

24. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES iTHEMES SECURITY PLUGIN FEATURES (PART 5) ▸ Changes the WordPress database table preﬁx ▸ Changes wp-content path ▸ Removes login error messages ▸ Makes it easier for users not accustomed to WordPress to remember login and admin URLs by customizing default admin URLs ▸ Detects hidden 404 errors on your site that can affect your SEO such as bad links and missing images

25. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WORDFENCE SECURITY PLUGIN FEATURES (PART 1) ▸ Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website. ▸ Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version. ▸ Block common security threats like fake Googlebots, malicious scans from hackers and botnets. ▸ Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected. ▸ Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IP's or networks and block entire networks using the firewall. Report security threats to network owner.

26. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WORDFENCE SECURITY PLUGIN FEATURES (PART 2) ▸ Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site. ▸ Choose whether you want to block or throttle users and robots who break your security rules. ▸ Premium users can also block countries and schedule scans for speciﬁc times and a higher frequency. ▸ Sign-in using your password and your cellphone to vastly improve login security. This is called Two Factor Authentication and is used by banks, government agencies and military world-wide for highest security authentication. ▸ Includes two-factor authentication, also referred to as cellphone sign-in.

27. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WORDFENCE SECURITY PLUGIN FEATURES (PART 3) ▸ Enforce strong passwords among your administrators, publishers and users. Improve login security. ▸ Checks the strength of all user and admin passwords to enhance login security. ▸ Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security. ▸ Scans for the HeartBleed vulnerability - included in the free scan for all users. ▸ Scans core ﬁles, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.

28. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WORDFENCE SECURITY PLUGIN FEATURES (PART 4) ▸ See how files have changed. Optionally repair changed files that are security threats. ▸ Scans for signatures of over 44,000 known malware variants that are known security threats. ▸ Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more. ▸ Continuously scans for malware and phishing URL's including all URL's on the Google Safe Browsing List in all your comments, posts and files that are security threats. ▸ Scans for heuristics of backdoors, trojans, suspicious code and other security issues.

29. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WORDFENCE SECURITY PLUGIN FEATURES (PART 5) ▸ Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets. ▸ See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing. ▸ A real-time view of all traffic including automated bots that often constitute security threats that Javascript analytics packages never show you. ▸ Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from. ▸ Monitor your DNS security for unauthorized DNS changes.

30. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WORDFENCE SECURITY PLUGIN FEATURES (PART 6) ▸ Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service. ▸ Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel. ▸ WordPress Multi-Site (or WordPress MU in the older parlance) compatible. ▸ Includes Falcon Engine, the fastest WordPress caching engine available today. Falcon is faster because it reduces your web server disk and database activity to a minimum. ▸ Wordfence includes two caching modes for compatability and has cache management features like the ability to clear the cache and monitor cache usage.

31. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES WORDFENCE SECURITY PLUGIN FEATURES (PART 7) ▸ Fully IPv6 compatible including all whois lookup, location, blocking and security functions. ▸ Includes support for other major plugins and themes like WooCommerce. ▸ The Wordfence website includes an in-depth WordPress Security Learning Center.

32. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES GEOFF’S WEBSITE SECURITY CHECKLIST (PART 1) ‣ Set up automated backups for WordPress ﬁles + database using UpdraftPlus ‣ Set up automated updates for WordPress core + themes + plugins using Easy Updates Manager ‣ Sign up for and enable CloudFlare ‣ Install free SSL certiﬁcate from CloudFlare or Let’s Encrypt

33. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES GEOFF’S WEBSITE SECURITY CHECKLIST (PART 2) ‣ Change both URLs in WordPress Settings → General to use HTTPS instead of HTTP ‣ Force HTTPS on all web server resources using .htaccess ‣ Replace all website URL instances of HTTP with HTTPS using Better Search Replace plugin ‣ Install and conﬁgure iThemes Security plugin ‣ Install and conﬁgure Wordfence Security  plugin OR sign up for Sucuri Security

34. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES HELP! I’VE BEEN HACKED… NOW WHAT?! ▸ Post-Hack Cleanup Options (easiest to hardest): 1. Restore Pre-Hack Backup 2. Sign Up for Sucuri 3. Pay a Professional like SimDex 4. Scan + Clean It Yourself

35. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES ADDITIONAL ARTICLES + RESOURCES (PART 1) ▸ Hardening WordPress  (from WordPress.org) ▸ Hardening WordPress Security:  25 Essential Plugins + Tips  (from Hongkiat) ▸ The WordPress Security Learning Center  (from Wordfence) ▸ WordPress Security  (from iThemes)

36. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES ADDITIONAL ARTICLES + RESOURCES (PART 2) ▸ WordPress Security  (from Yoast) ▸ WordPress Security: The Ultimate Guide  (from WPMU DEV) ▸ WordPress Security Tutorial  (from SiteGround)

37. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 THAT’S IT FOR NOW… THANK YOU! Questions? Get In Touch:  geoff@simdex.org  simdex.org  414.455.6675

38. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675 THAT’S IT FOR NOW… THIS PRESENTATION IS AVAILABLE ONLINE: simdex.org/security Get In Touch:  geoff@simdex.org  simdex.org  414.455.6675

Don't Get Hacked: WordPress Security Best Practices

Geoff Myers

Don't Get Hacked: WordPress Security Best Practices