The 7 Deadly Sins of WordPress Security

Website security is important to everyone who has a website, as well as everyone who uses one. Whether it gets five visitors a day or five thousand, hackers are looking to compromise, break, infect and virtually own every website they can, for monetary and social purposes.

While the topic seems mysterious to most users, website security is actually a set of simple principles that everyone can adopt to keep their risk at the absolute lowest. Be on the lookout for pitfalls, keep malicious users out, and avoid The 7 Deadly Sins of WordPress Security.


  1. ABOUT ME: WEB DESIGN AND INFORMATION SECURITY
     Committed to WordPress since 2008. SUCURI: Researcher and Account Manager, removing malware and protecting websites. Personally cleaned over 5,000 websites. SUCURI.NET, Twitter: @JHerbrandson
     joseph herbrandson | www.sucuri.net | 1-888-873-0817 | joseph@sucuri.net
  2. ABOUT SUCURI: Over 45 Security Professionals Making a Safer Web
     SECURITY SCANNING & ANALYSIS: Checking the health of over 3 million websites every month through our free SiteCheck scanner: http://sitecheck.sucuri.net
     MALWARE CLEANUP: Cleaning and remediating 300–400 hacked or infected websites every day.
     ATTACK PROTECTION: Blocking over 33 million attacks and instances of malicious traffic every month.
     EDUCATION: Providing detailed and actionable security information through our blog at http://blog.sucuri.net
  3. ATTACK TRAFFIC ORIGINS: Map.Ipviking.com
  4. A QUICK DEMO. Attack in Progress: https://www.youtube.com/watch?v=v4Xr3LrixVg
  5. Sooo… WHY? It’s Just Business…probably
     The Short Answer: Fame and Fortune
     - $BILLION Spam: Generic Pharmaceuticals, Payday Loans, Gambling, Designer Brand Knock-Offs
     - Hacktivism: Politics and religion at the speed of download
     - Immaturity: Kids being kids
  6. THE 7 DEADLY SINS OF WORDPRESS SECURITY
     ONE: SECURITY APATHY
     TWO: PROTECTION LUST
     THREE: THRILL SEEKING
     FOUR: ACCESS ALOOFNESS
     FIVE: SERVICE GREED
     SIX: PRINCIPLE PRIDE
     SEVEN: VULNERABILITY WRATH
  7. Sin #1 (I): Security Apathy. Ignoring the Requirements
  8. THE NEED FOR SECURITY: THE STATE OF THE INTERNET (www.internetlivestats.com)
  9. HOSTING OPTIONS: Choose wisely
     - Shared Hosting: Cheap
     - Dedicated Hosting: All yours
     - Managed Hosting: Done for you
  10. MANAGED-HOSTING PROVIDERS: WordPress Experts for Everyone!
  11. SPEAKING OF ENVIRONMENT… Who is using the Public Wifi?
  12. Sin #2 (II): Protection Lust. Searching for the Security Holy Grail
  13. WORD OF WARNING: No chance of 0% risk. The next ‘0-Day’ attack is always around the corner…
  14. SECURITY HEADLINES. Proof: Seen the news lately?
  15. Sin #3 (III): Thrill Seeking. Skydiving is a safer thrill than going without backups
  16. BUT I’VE NEVER HAD A PROBLEM BEFORE… Have a low-profile, non-threatening site? You are still getting attention.
  17. FREE WEBSITE REBRAND: HACKERS HARD AT WORK
     Pharmaceutical spam makes hackers two billion dollars per year.
     SOLUTION: OFFSITE BACKUPS. RESULT: CLEAN SITE IMMEDIATELY.
  18. AUTOMATED BACKUPS: Know you have a backup plan
     - BackupBuddy: ithemes.com/backupbuddy/
     - VaultPress: vaultpress.com
     - Sucuri Backups: sucuri.net
     - Web hosting backups: your hosting company
  19. Sin #4 (IV): Access Aloofness. Sticky Notes: No longer Best for Password Management!!
  20. TOP 3 PASSWORDS USED IN 2013. Seriously….
     Password      Last Year’s Rank
     ‘123456’      2
     ‘PASSWORD’    1
     ‘12345678’    3
     credit: SplashData.com
  21. PASSWORD MANAGER: Remembers your passwords so you don’t have to
     - LastPass: lastpass.com
     - 1Password: agilebits.com
     - KeePass: keepass.info
     - Dashlane: dashlane.com
  22. LEAST PRIVILEGE: Does your user setup look like this?
     [Diagram: access levels (Hosting/root access, FTP/SFTP, control panel, Administrator, Editor/contributor) held by the actual admin, potential hackers’ friends, writers, SEO guys, analysts, editors, random people, and hackers’ friends again…; the original slide shows a head count per group]
  23. Sin #5 (V): Service Greed. No such thing as something for nothing on the front page of Google
  24. NOT THE CODE YOU’RE LOOKING FOR… Assisting the enemy. This probably shouldn’t be in your theme:
     if(isset($_GET['pwd'])) {
         eval(base64_decode("CiRhdXRoX3Bhc3MgPSAiN2U5NBhY3RpdmF0ZXMsIGNoYW5nZWQgZWxlbWVudHMgaW4gdGhlIG9yaWdpbmFsIHBsdWdpbiwgZGVzaWduZWQgdG8gYmVoYXZlIGxpa2UgY2xlYW4gY29kZSwgc2lnbmFsIHRoZSBoYWNrZXIgdG8gbGV0IGl0IGtub3cgdGhhdCBpdOKAmXMgaW4uIEEgY2xlYW4gYmFjayBkb29yIGhhcyBiZWVuIG9wZW5lZCwgYW5kIHlvdXIgc2l0ZSBpcyBub3cgb24gYW4gYXV0b21hdGVkIGF0dGFjayBsaXN0LCBtZWFudCB0byBxdWlldGx5IGluZmVjdCBhbmQgcmVpbmZlY3QgeW91ciBzaXRlIGFnYWluIGFuZCBhZw=="));
     }
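As an added example of how a defender checks a theme for the pattern on this slide (this is not code from the deck or from Sucuri), the Python below walks a theme or plugin directory, flags every `eval()` wrapped around a decoder such as `base64_decode`, records whether the same file also reads request input the way `isset($_GET['pwd'])` does, and decodes the literal for an analyst to read without ever executing it. The file names and the sample payload are constructed for the demonstration.

```python
"""Find eval()-of-decoded-payload backdoors in PHP theme and plugin files.

Added example for the slide above; it is not code from the deck or from
Sucuri. It reads files and reports findings for review and never executes
any PHP. The sample theme files below are constructed for the demonstration.
"""
import base64
import binascii
import os
import re
import tempfile
from dataclasses import dataclass

# eval() wrapping a decoder call, e.g. eval(base64_decode("...")) as on the slide,
# or the gzinflate/str_rot13 variants that serve the same purpose.
EVAL_DECODER = re.compile(
    r"\beval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
    re.IGNORECASE,
)
# Request-controlled input in the same file, like the slide's isset($_GET['pwd']).
REQUEST_INPUT = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
# A quoted base64 literal long enough to carry code; slide-style line wraps are tolerated.
B64_LITERAL = re.compile(r"[\"']([A-Za-z0-9+/=\s]{40,})[\"']")


@dataclass
class Finding:
    path: str
    line: int
    snippet: str
    request_controlled: bool   # True when the file also reads $_GET/$_POST/...
    decoded_preview: str       # first bytes of the decoded literal, for the analyst


def decode_literal(literal: str) -> str:
    """Best-effort decode of a base64 literal so an analyst can see what it carries."""
    cleaned = re.sub(r"\s+", "", literal)
    try:
        raw = base64.b64decode(cleaned)
    except (binascii.Error, ValueError):
        return ""
    return raw.decode("utf-8", errors="replace")[:80]


def scan_source(text: str, path: str = "<memory>") -> list[Finding]:
    """Return one Finding per eval(<decoder>( occurrence in a PHP source string."""
    lines = text.splitlines()
    uses_request = bool(REQUEST_INPUT.search(text))
    findings = []
    for m in EVAL_DECODER.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        literal = B64_LITERAL.search(text, m.end(), m.end() + 4000)
        preview = decode_literal(literal.group(1)) if literal else ""
        findings.append(Finding(path, line_no, lines[line_no - 1].strip()[:80],
                                uses_request, preview))
    return findings


def scan_tree(root: str) -> list[Finding]:
    """Walk a theme or plugin directory and scan every PHP file."""
    findings = []
    for dirpath, _dirs, names in os.walk(root):
        for name in sorted(names):
            if name.lower().endswith((".php", ".phtml", ".inc")):
                full = os.path.join(dirpath, name)
                with open(full, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(fh.read(), full))
    return findings


# Constructed sample files: a harmless payload stands in for the slide's blob.
SAMPLE_PAYLOAD = base64.b64encode(b"echo 'constructed sample payload';").decode()
SAMPLE_CLEAN = "<?php\nfunction theme_setup() { add_theme_support('title-tag'); }\n"
SAMPLE_BACKDOOR = (
    "<?php\n"
    "// reads like ordinary theme code until the last lines\n"
    "add_action('init', 'theme_setup');\n"
    "if(isset($_GET['pwd'])) {\n"
    f"    eval(base64_decode(\"{SAMPLE_PAYLOAD}\"));\n"
    "}\n"
)


def build_sample_theme() -> str:
    """Write the constructed sample files into a temporary directory; return its path."""
    root = tempfile.mkdtemp(prefix="theme-")
    with open(os.path.join(root, "functions.php"), "w") as fh:
        fh.write(SAMPLE_CLEAN)
    with open(os.path.join(root, "footer.php"), "w") as fh:
        fh.write(SAMPLE_BACKDOOR)
    return root


if __name__ == "__main__":
    for f in scan_tree(build_sample_theme()):
        flag = "request-controlled" if f.request_controlled else "unconditional"
        print(f"{f.path}:{f.line} [{flag}] {f.snippet}")
        print(f"    decodes to: {f.decoded_preview!r}")
```

Point `scan_tree()` at `wp-content/themes` or `wp-content/plugins` on a copy of the site. A hit is a lead, not a verdict: legitimate code rarely needs `eval()` of a decoded string, so each finding is worth reading, and the decoded preview tells you quickly whether it is obfuscated PHP.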
  25. MORE THAN EXPECTED
  26. Sin #6 (VI): Principle Pride. Keep to the code.
  27. A SYSTEM TO LIVE BY
     1. Protect! Your computer has a firewall, why doesn’t your website?
     2. Detect! The same goes for AntiVirus.
     3. Respond! Clean up the mess. You have a backup, right?
     Encompassing Actions:
     - Know the best practices
     - Mind your maintenance
  28. SYSTEM IN ACTION
  29. Sin #7 (VII): Wrath of Vulnerabilities. Opening doors you never knew existed
  30. WORDPRESS CORE: Strong and Secure
     - Dedicated Creators: Making WordPress Solid and Secure
     - Auto-Updates: Get important patches right away.
     - Support: Everything you need at WordPress.org
  31. WordPress Version Distribution 3.0 – 4.0 (wordpress.org/about/stats/)
  32. 3RD PARTY VULNERABILITIES: Keep watch. Vulnerabilities disclosed at http://blog.sucuri.net
     - All-In-One SEO: 20 Million Downloads
     - WPtouch: 6 Million Downloads
     - MailPoet: 2.7 Million Downloads
     - Custom Contact Forms: 640k Downloads
     - Slider Revolution: Hundreds of Thousands (themeforest/codecanyon)
  33. GOING FURTHER: Transition from Mark to Master. Tips, Tools, and Services
  34. WEBSITE ANTIVIRUS & FIREWALL: Protection and Detection. Don’t be the mark! Understand the changes you are implementing.
     - “AntiVirus”: WordFence, Sucuri Website Antivirus
     - “Firewall”: CloudFlare, Sucuri Website Firewall
     - “Utilities”: iThemes Security, BruteProtect, Sucuri Security Plugin
  35. RESOURCES: Because you don’t know what you don’t know
     General WordPress Security: https://codex.wordpress.org/Hardening_WordPress, https://blog.sucuri.net
     Hacking and General Security: http://www.securityfocus.com/, http://blogs.sophos.com/
     Facebook Groups: WordPress Security, Advanced WordPress
     SubReddits: reddit.com/r/Hacking, reddit.com/r/WordPress
  36. EASY PATH TO CLEANUP (Response). NEED:
     - Releases of WordPress at: https://wordpress.org/download/release-archive/
     - Clean backup of active theme and required plugins
     - New passwords (WordPress, FTP, Hosting Control Panel, Everything Else)
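The "Detect" step of the Protect/Detect/Respond system (slide 27) and the cleanup checklist above both rest on having a known-clean copy to compare against. As an added example (not code from the deck or from Sucuri), the Python below hashes every file in a clean backup and in the live tree and lists what was modified, dropped in, or removed, which is the list a responder works from. The two sample trees are constructed for the demonstration; `wp-cache.php` is a made-up name for a dropped-in file.

```python
"""Compare a live WordPress tree against a known-clean backup by file hash.

Added example for the Detect and Respond steps above; it is not code from the
deck or from Sucuri. A clean backup (or a fresh copy of the same theme/plugin
version) is the reference; every changed, added or missing file is listed for
review. The two sample trees below are constructed for the demonstration.
"""
import hashlib
import os
import tempfile


def hash_tree(root: str) -> dict[str, str]:
    """Map each file's path relative to root to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[rel] = h.hexdigest()
    return digests


def compare_trees(clean_root: str, live_root: str) -> dict[str, list[str]]:
    """Return sorted lists of files that are modified, added or missing in the live tree."""
    clean, live = hash_tree(clean_root), hash_tree(live_root)
    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


# Constructed sample: the same theme before and after a compromise.
CLEAN_FILES = {
    "functions.php": "<?php\nfunction theme_setup() { add_theme_support('title-tag'); }\n",
    "header.php": "<!DOCTYPE html>\n<html>\n",
    "style.css": "/* Theme Name: Sample */\n",
}
LIVE_FILES = dict(CLEAN_FILES)
LIVE_FILES["functions.php"] += "if(isset($_GET['pwd'])) { /* injected lines */ }\n"   # modified file
LIVE_FILES["wp-cache.php"] = "<?php /* dropped-in file that is not part of the theme */\n"  # added file
del LIVE_FILES["style.css"]  # removed file


def write_tree(files: dict[str, str]) -> str:
    """Write a {relative path: content} mapping into a fresh temp dir; return its path."""
    root = tempfile.mkdtemp(prefix="wp-")
    for rel, content in files.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w") as fh:
            fh.write(content)
    return root


def build_sample_trees() -> tuple[str, str]:
    """Return (clean_root, live_root) for the constructed sample."""
    return write_tree(CLEAN_FILES), write_tree(LIVE_FILES)


if __name__ == "__main__":
    clean_root, live_root = build_sample_trees()
    for kind, paths in compare_trees(clean_root, live_root).items():
        for p in paths:
            print(f"{kind:9} {p}")
```

For WordPress core itself the reference copy comes from the release archive the slide links, and WP-CLI's `wp core verify-checksums` does the same hash comparison against wordpress.org's published checksums. Themes and plugins have no such public reference, which is why the slide asks for your own clean backup of them.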
  38. THANK YOU!