Securing your WordPress website - New Port Richey WP Meetup

New Port Richey WordPress Meetup - July 2017

Published in: Internet

  1. 1. Presenter: Tom Townsend. Tom is a Cloud Technical Manager for a Fortune Global Company and also owns and operates SMBsocial.com, a local WordPress agency. Has been using WordPress since 2007 • Co-Organizer of Tampa Bay WordPress Meetup • Co-Organizer – New Port Richey WordPress Meetup • Co-Organizer WordCamp Tampa 2014, 2015, 2016 • Contact: Email: tom@smbsocial.com SMBsocial https://www.linkedin.com/in/thomastownsend/
  2. 2. • Welcome to the first 2017 New Port Richey WordPress meetup. • We're 1 of 6 Regional Meetups that make up the ecosystem of the Tampa Bay WordPress Network/Community
  3. 3. Securing your WordPress website • Cyber security is the Hot Topic in 2017 • Cyber Attack • Phishing • Malicious Websites • Ransomware: WannaCry, Petya • Malware: GhostHook, PowerPoint Social Engineering Attack, downloader - hyperlink - subtitles in Free Movies (video players like Popcorn Time & VLC)
  4. 4. Where does YOUR website fit in? • WordPress – Good and bad • What do you need to watch out for, and how can you ensure your site is secure? • From Hosting to WordPress Core, Plugins and Themes.
  5. 5. A few statistics • According to a survey of hacked WordPress site owners, brute-force attacks were the second most popular known method of hacking, with password theft not too far down the list. These attacks should be a very real concern for WordPress users. • July 03, 2017 - SQL injection vulnerability found in popular WordPress plug in https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/ • April 2017 Home Routers Used to Hack WordPress Sites - There's a group of hackers who are hijacking unsecured home routers and using these devices to launch coordinated brute-force attacks on the administration panel of WordPress sites. The purpose of these attacks is for the hackers to guess the password for the admin account and take over the attacked site. https://www.bleepingcomputer.com/news/security/home-routers-used-to-hack-wordpress-sites/
  6. 6. It's NOT just WordPress sites getting hacked: • June 2017 • Year-old vulnerability allowed pro-ISIS hackers to hack US Government websites • Affected websites reportedly included (amongst others) the Department of Health for the state of Washington, the Rhode Island Department of Education, the official websites of Ohio Governor John Kasich and his wife, as well as the Ohio Department of Rehabilitation and Corrections. • All of the compromised websites were running the same content management system – DotNetNuke (better known as DNN). • There’s nothing inherently wrong with running DNN to power your website, but what is a very bad idea is not keeping your content management system up-to-date. Because the version of DNN that was being run on the defaced websites was version 7.0, released way back in 2015. The latest edition of DNN is version 9.01. https://hotforsecurity.bitdefender.com/blog/year-old-vulnerability-allowed-pro-isis-hackers-to-hack-us-government-websites-18289.html
  7. 7. It's NOT just WordPress sites getting hacked: April 2017 • Phishing scammers exploit Wix web hosting • Criminals flock to free web services to establish their attack infrastructure. The latest example: A group using free website host Wix for its phishing pages http://www.infoworld.com/article/3187346/security/phishing-scammers-exploit-wix-web-hosting.html
  8. 8. The BIG 8 Mistakes that “WILL” Co$t YOU • Mistake #1: Shoddy Hosting ** • Mistake #2: Failing to Keep Up to Date *** • Mistake #3: Using Insecure Login Information • Mistake #4: Installing Themes and Plugins from Untrustworthy Sources • Mistake #5: Hoarding Unused Plugins, Themes, and User Accounts • Mistake #6: Failing to Back Up Regularly • Mistake #7: Not Using WordPress-internal Security Measures • Mistake #8: Not Using a Security Plugin *
  9. 9. Mistake #1: Shoddy Hosting Unmasked: What 10 million passwords reveal about the people who choose them DISCLAIMER: WPEngine Affiliate Link:
  10. 10. Mistake #2: Failing to Keep Up to Date Security updates and supports installing major releases, plugins, themes, or even regular SVN checkouts! • Automatic background updates were introduced in WordPress 3.7 in an effort to promote better security, and to streamline the update experience overall. By default, only minor releases – such as for maintenance and security purposes – and translation file updates are enabled on most sites. In special cases, plugins and themes may be updated. • In WordPress, there are four types of automatic background updates: • Core updates • Plugin updates • Theme updates • Translation file updates
  11. 11. Mistake #3: Using Insecure Login Information https://www.entrepreneur.com/article/296269
  12. 12. Mistake #4: Installing Themes and Plugins from Untrustworthy Sources • Only Install Themes, Plugins and Scripts From Their Official Source • Using any software from a “FREE” Pirate site is NEVER a good idea! • Many of these “Free Download” pirated themes have maliciously tweaked scripts that install a back door which allows your site to be remotely controlled by hackers.
  13. 13. Mistake #5: Hoarding Unused Plugins, Themes, and User Accounts • Inactive Plugins: Use 'em or lose 'em http://www.wpbeginner.com/beginners-guide/will-inactive-plugins-slow-down-wordpress-should-you-delete-inactive-plugins/
  14. 14. Mistake #6: Failing to Back Up Regularly
  15. 15. Mistake #7: Not Using WordPress-internal Security Measures
  16. 16. Mistake #8: Not Using a Security Plugin *
  17. 17. References Steps to help secure your WordPress website • Strengthen your password • Use email in place of a username (don't use Yahoo, AOL, Gmail, etc. if you can avoid it) • Introduce two-factor authentication • Back up your WordPress site regularly • Secure wp-config.php file • Firewall Plugins (Security) http://www.wpbeginner.com/plugins/best-wordpress-firewall-plugins-compared/
  18. 18. References Use 2 Factor Authentication for WP Sites https://torquemag.io/2016/04/5-two-factor-authentication-plugins-wordpress/ NOTE: Clef is no longer available - Launch-key is replacement https://updraftplus.com/launch-keyy-simple-secure-logins-wave-phone/ https://getkeyy.com/faqs/ https://wordpress.org/plugins/miniorange-2-factor-authentication/#description https://wordpress.org/plugins/google-authenticator/ Also Consider: • Google Authenticator or Authy • Jetpack.com two factor through WordPress.com Mobile Apps: iPhone /Android: Google Authenticator App. Authy 2-Factor Authentication App.
  19. 19. References Manage your plugins and themes yourself or use a service provider to do this for you. Look out for Bad Plugins: Fake SEO plugin backdoors WordPress installation Utilize a Managed Service Provider to Secure your websites http://www.wp-servicemanager.com
  20. 20. References Check out my personal curated WordPress resources. Flipboard https://flipboard.com Check out WordPress Toolkit by Tom Townsend http://flip.it/EzcxyN Check out CYBER SECURITY FOR ALL by Tom Townsend http://flip.it/vByNn6
  21. 21. References New Port Richey and Tampa Bay WordPress Meetup links. https://www.meetup.com/New-Port-Richey-WordPress/ https://www.meetup.com/Tampa-Bay-WordPress/ https://tampabaywp.org/ https://www.facebook.com/groups/wptpa/ Slack – (Chat for Tampa Bay WordPress and associated Meetups) tampabaywp.slack.com (This is by invite only so you need to request through the meetup either on Tampa Bay WordPress or New Port Richey WordPress Meetup. All we need is an email to send you an invite.)
  22. 22. Thank You
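
Slide 10 lists the four types of automatic background updates and notes that only minor core releases and translation files are enabled by default. The must-use plugin below is an added example, not part of the presenter's slides, showing one way to set an explicit policy for all four types with WordPress's update filters; the file location and the two plugin slugs are hypothetical.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Assumed location: wp-content/mu-plugins/auto-update-policy.php
 *
 * Nothing here takes effect if wp-config.php defines
 * AUTOMATIC_UPDATER_DISABLED as true, which switches off every
 * type of background update.
 */

// 1. Core updates: keep minor (maintenance and security) releases automatic.
//    Major releases and development builds stay a manual, tested step.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );
add_filter( 'allow_dev_auto_core_updates', '__return_false' );

// 2. Plugin updates: opt in per plugin instead of all at once, so a
//    breaking release of a large plugin is not installed unattended.
function example_auto_update_plugin( $update, $item ) {
	// Hypothetical slugs; replace with plugins actually installed on the site.
	$allowed = array( 'example-security-plugin', 'example-backup-plugin' );

	if ( isset( $item->slug ) && in_array( $item->slug, $allowed, true ) ) {
		return true;
	}

	// Leave WordPress's own decision in place for every other plugin.
	return $update;
}
add_filter( 'auto_update_plugin', 'example_auto_update_plugin', 10, 2 );

// 3. Theme updates: enabled for all installed themes. Customisations
//    should live in a child theme so an update cannot overwrite them.
add_filter( 'auto_update_theme', '__return_true' );

// 4. Translation file updates: on by default; stated explicitly here.
add_filter( 'auto_update_translation', '__return_true' );

// Email the site admin the result of each core background update,
// so a failed update is noticed rather than silently skipped.
add_filter( 'auto_core_update_send_email', '__return_true' );
```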
