Secure Wordpress - 2016 [17 May - Mashhad]

Weak user password
Hosting vulnerability
WordPress theme vulnerability
WordPress plugin vulnerability

1. Secure Wordpress…Tips and tricks

2. HaMiD Fadaei
Digital Marketing Officer – SEM/SEO Specialist
Telegram : HFadaei
Linkedin : HaMiDFadaei
Twitter : HaMiDFadaei
Web : www.HFadaei.ir

3. Amazing news

4. 0.7.0 - 2003
CMS
PHP – Linux
Matt Mullenweg - 19
1382
Automattic
173
1200 - 120

5. Is WordPress Secure? YES or NO

6. WORDPRESS / HOSTING / USER
7. WORDPRESS VULNERABILITIES (51%)
▸ WordPress Themes (29%)
▸ WordPress Plugins (22%)
▸ WordPress Core
CAUSES:
▸ WP Core, themes, plugins out-of-date
▸ Poorly-written (or maliciously-written) themes or plugins
▸ Popularity of theme or plugin
Tools: themecheck.org, Virustotal.com, Anti-malware …, Antivirus, Exploit Scanner

8. HOSTING VULNERABILITIES (41%)
▸ SQL injections
▸ Poor server security
▸ Lack of understanding of WordPress
CHECK FOR:
▸ Recent versions of PHP and MySQL
▸ Malware scanning and other security tools present
▸ Account isolation
▸ WordPress experience
Tool: sitecheck.sucuri.net

9. USER VULNERABILITIES (8%)
▸ Bad habits
▸ Minimal default password requirements
COMMON PROBLEMS:
▸ The “admin” username
▸ The crummy passwords (12345)
▸ User access levels
Tools: Passwordsgenerator.net, User Role Editor
10. Plugins: Username Changer, Two-factor Authentication, Integrating a CAPTCHA with the WordPress Login Form, Brute Force Login Protection, Automatic Update
Top usernames being attacked: admin, Admin, administrator, test, root
Top passwords being tried: password, 12345678, 123admin, 123abc, qwerty
11. START SMART
▸ Pick a solid hosting company
▸ Evaluate your themes and plugins carefully
▸ Go with those that have been vetted by WordPress
▸ Choose only those that are actively developed and/or supported
▸ Only install what you NEED
▸ Be thoughtful about who/how many should get admin-level access

12. BACKUPS
▸ Backup all the things
  ▸ Your site (or sites with multisite)
  ▸ Your settings (what themes and plugins you’re using)
  ▸ Your files
  ▸ Your database
▸ Aim to save at least 6 months back
Tools: VaultPress, BackupBuddy, WP-DB-Backup

13. UPDATES
▸ WordPress can be set to do updates automatically
▸ Added after version 3.7
▸ Can be set for core, theme, plugin, and translation updates
▸ Configure auto updates with wp-config (More)
14. MAINTENANCE
▸ Routine review of environments every 6-12 months:
  ▸ Themes and plugins not in use
  ▸ Anything that hasn’t been updated in the last 18-24 months (or more!)
  ▸ Sites (in a multisite environment) that are no longer active
  ▸ Checking your backups
  ▸ Reviewing the configuration of security plugins

15. Other Actions
▸ Malware scanners
▸ htaccess limitations
▸ File permissions
▸ Security Plugins: iThemes Security, Sucuri ($), Wordfence
▸ Scanning tools: AntiVirus, WP Antivirus Site Protection
▸ Logging and tracking tools: CodeGuard ($), WP_DEBUG_LOG in wp-config
▸ Theme and plugin evaluators: Theme-Check, Plugin-Check

16. AVOID COMMON MISTAKES
▸ Not updating
▸ Not cleaning out old themes and plugins
▸ Using popular plugins because they’re popular
▸ Using “admin” accounts
▸ Weak passwords
▸ Bad hosting
17. AFTER THE HACK…
  1. Stay calm.
  2. Get your site back.
  3. Clean up the hack.
  4. Identify the source of the hack.

18. Get your site back.
▸ Try a password reset or database edit
▸ Take a backup of what’s there - files, database, uploads - for later
▸ Remove unknown users and reset all passwords
▸ Change your keys and salts in wp-config
▸ Restore to a known good version of the site (if you have one)
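Slides 13, 15 and 18 each point at wp-config.php without showing it: automatic updates, WP_DEBUG_LOG, and rotating the keys and salts. The listing below is an added example, not code from the slides or from WordPress, that collects those settings in one place. It is two files: the first section is the relevant part of wp-config.php (the placeholder salt values are exactly that and must be replaced), the second is a must-use plugin whose file name is an assumption; the theme, plugin and translation filters have to live there because add_filter() is not yet defined while wp-config.php is being read. The DISALLOW_FILE_EDIT line is extra hardening not on the slides.

```php
<?php
/* ===== File 1: wp-config.php (only the settings discussed here; keep the rest
   of your existing file unchanged) ========================================= */

/* ---- Updates (slide 13) ------------------------------------------------- */
// Core releases: true    = install major and minor releases automatically,
//                'minor' = security and maintenance releases only (the default),
//                false   = never, you update by hand.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Keep the background updater itself switched on. Setting this to true turns
// off every automatic update, which is the wrong default for an unattended site.
define( 'AUTOMATIC_UPDATER_DISABLED', false );

/* ---- Logging (slide 15) ------------------------------------------------- */
// Write PHP notices and errors to wp-content/debug.log instead of the browser.
// That file sits under the web root: block it in the web server configuration
// (or give WP_DEBUG_LOG a path outside the document root) so visitors cannot
// read stack traces and file paths from it.
define( 'WP_DEBUG', true );
define( 'WP_DEBUG_LOG', true );
define( 'WP_DEBUG_DISPLAY', false );
@ini_set( 'display_errors', '0' );

/* ---- Keys and salts (slide 18) ------------------------------------------ */
// Replace all eight with fresh random values, for example from
// https://api.wordpress.org/secret-key/1.1/salt/ . New values invalidate every
// existing login cookie, so any session an attacker still holds stops working.
define( 'AUTH_KEY',         'PLACEHOLDER-replace-with-a-fresh-random-value' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER-replace-with-a-fresh-random-value' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER-replace-with-a-fresh-random-value' );
define( 'NONCE_KEY',        'PLACEHOLDER-replace-with-a-fresh-random-value' );
define( 'AUTH_SALT',        'PLACEHOLDER-replace-with-a-fresh-random-value' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER-replace-with-a-fresh-random-value' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER-replace-with-a-fresh-random-value' );
define( 'NONCE_SALT',       'PLACEHOLDER-replace-with-a-fresh-random-value' );

/* ---- Extra hardening (added here, not on the slides) --------------------- */
// Remove the theme/plugin file editor from the dashboard, so a stolen admin
// login cannot be turned into arbitrary PHP on the server through the UI.
define( 'DISALLOW_FILE_EDIT', true );

/* ===== File 2: wp-content/mu-plugins/auto-updates.php (file name assumed;
   starts with its own <?php tag) ========================================= */
// Theme, plugin and translation auto-updates are opt-in through filters.
// Any .php file in wp-content/mu-plugins/ is loaded on every request without
// activation, which makes it the right home for site-wide policy like this.
add_filter( 'auto_update_plugin',      '__return_true' );
add_filter( 'auto_update_theme',       '__return_true' );
add_filter( 'auto_update_translation', '__return_true' );
```

After rotating the salts, expect every user (including you) to be logged out; combine it with the password resets on the same slide so an attacker cannot simply log back in with a credential they already have.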
19. Clean up the hack.
▸ Review your files and database for suspicious elements
▸ When in doubt, reinstall.
  ▸ New directory, WP install, reinstall all themes and plugins
  ▸ User accounts with new passwords
  ▸ Import the content from a clean backup
▸ Check your hosting for other potential damage
20. Other Actions
▸ Use version control to compare file changes
▸ Get help from your hosting
▸ Check logs
▸ Scan your hosting environment for malware
▸ Scan your personal machine(s) for viruses and malware
▸ Change your passwords again, including hosting account passwords.
▸ Start over and review all elements for potential security weaknesses
▸ Scan the new site
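Slide 15's file-permission check, slide 19's "review your files for suspicious elements" and slide 20's "use version control to compare file changes" all depend on knowing what the clean tree looked like. The script below is an added example, not from the slides, WordPress or any plugin: it records a SHA-256 manifest of a trusted install, later reports files that were added, removed or modified, and separately flags world-writable paths and PHP files under wp-content/uploads/, which a stock install never contains. The script name, the manifest handling and the skip list are assumptions.

```php
<?php
/**
 * Added example (not WordPress code): baseline comparison for a WordPress tree.
 * Run "baseline" once on an install you trust and store the manifest where the
 * web server cannot write; run "check" after an incident or on a schedule.
 *
 *   php wp-integrity.php baseline /var/www/html > manifest.json
 *   php wp-integrity.php check    /var/www/html < manifest.json
 */

// Media and cache directories change on every upload, so they are left out of
// the hash manifest; find_risky_paths() still walks them.
const SKIP_PREFIXES = [ 'wp-content/uploads/', 'wp-content/cache/' ];

// Yields "relative path" => SplFileInfo for everything below $root.
function walk_tree( string $root ): Generator {
    $root = rtrim( $root, '/' );
    $it   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $path => $info ) {
        yield substr( $path, strlen( $root ) + 1 ) => $info;
    }
}

function is_skipped( string $rel ): bool {
    foreach ( SKIP_PREFIXES as $prefix ) {
        if ( strncmp( $rel, $prefix, strlen( $prefix ) ) === 0 ) {
            return true;
        }
    }
    return false;
}

// relative path => sha256 of content, for every regular file not skipped.
function build_manifest( string $root ): array {
    $manifest = [];
    foreach ( walk_tree( $root ) as $rel => $info ) {
        if ( $info->isFile() && ! is_skipped( $rel ) ) {
            $manifest[ $rel ] = hash_file( 'sha256', $info->getPathname() );
        }
    }
    ksort( $manifest );
    return $manifest;
}

// Files present only now, only in the baseline, or in both with different
// content. A changed wp-config.php, index.php or anything under wp-includes/
// is the first thing to read after a compromise.
function diff_manifests( array $baseline, array $current ): array {
    $added = $removed = $modified = [];
    foreach ( $current as $file => $hash ) {
        if ( ! isset( $baseline[ $file ] ) ) {
            $added[] = $file;
        } elseif ( $baseline[ $file ] !== $hash ) {
            $modified[] = $file;
        }
    }
    foreach ( array_keys( $baseline ) as $file ) {
        if ( ! isset( $current[ $file ] ) ) {
            $removed[] = $file;
        }
    }
    return compact( 'added', 'removed', 'modified' );
}

// Findings worth reviewing even when the manifest is clean: world-writable
// paths (slide 15, file permissions) and PHP under uploads/.
function find_risky_paths( string $root ): array {
    $risky = [];
    foreach ( walk_tree( $root ) as $rel => $info ) {
        if ( $info->getPerms() & 0002 ) {
            $risky[] = "world-writable: $rel";
        }
        if ( $info->isFile() && strncmp( $rel, 'wp-content/uploads/', 19 ) === 0
             && preg_match( '/\.(php\d?|phtml|phar)$/i', $rel ) ) {
            $risky[] = "php under uploads: $rel";
        }
    }
    return $risky;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1], $argv[2] ) ) {
    if ( $argv[1] === 'baseline' ) {
        echo json_encode( build_manifest( $argv[2] ), JSON_PRETTY_PRINT ), "\n";
    } elseif ( $argv[1] === 'check' ) {
        $baseline        = json_decode( stream_get_contents( STDIN ), true ) ?: [];
        $report          = diff_manifests( $baseline, build_manifest( $argv[2] ) );
        $report['risky'] = find_risky_paths( $argv[2] );
        foreach ( $report as $kind => $items ) {
            foreach ( $items as $item ) {
                echo str_pad( $kind, 9 ), $item, "\n";
            }
        }
        // Non-zero exit when anything was found, so cron can alert on it.
        exit( array_sum( array_map( 'count', $report ) ) ? 1 : 0 );
    }
}
```

For core files alone, WP-CLI's `wp core verify-checksums` does the same comparison against the checksums WordPress.org publishes for each release; the script above extends the idea to themes, plugins and wp-config.php, where no published reference exists and your own clean baseline (or a version-control checkout, as slide 20 suggests) is the only source of truth.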
21. RESOURCES
https://blog.sucuri.net/
https://codex.wordpress.org/configuring_automatic_background_updates
https://codex.wordpress.org/faq_my_site_was_hacked
https://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/
http://z9.io/2008/06/08/did-your-wordpress-site-get-hacked/
http://www.cleanpagedesign.co.uk/is-your-wordpress-website-safe-from-hackers/
https://wpsmackdown.com/wordpress-security-user-accounts-passwords/
http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/
https://howfreelance.com/blog/2016/02/prevent-wordpress-hacking
https://premium.wpmudev.org/blog/get-off-googles-blacklist/

22. HaMiD Fadaei
Telegram : HFadaei
Linkedin : HaMiDFadaei
Twitter : HaMiDFadaei
Web : www.HFadaei.ir