2. What?
Ø Why do YOU need Website Security?
Ø HTTPS & SSL
Ø 4 Laws of Website Security
Ø Firewalls
Ø iQ Block Country
Ø Security Plugins
Ø Testing your Website Security
Ø Other “Reputation Management” Considerations
1/19/18
BlueSkyDigitalStrategy.com
2
3. The Fount of All Knowledge
You have access to the greatest trove of information in the history of the planet. And the amount of information is accelerating every single day.
4. All you have to do is ASK.
5. GOOGLE
(or Bing if you must)
If you encounter an error message, the chances are very good that someone has been kind enough to post somewhere about the solution.
Caveat: Be aware of code snippets. Don’t just copy code without looking at it and understanding what it does. You may inadvertently install a backdoor.
6. WordPress Security
Ø Why do you need it?
u Protecting your Digital Assets
u Examples of WordPress Hacks
Ø What can you do?
u WordPress Core
u Backups
u Firewalls
u Security Plugins
7. HTTPS & SSL
Ø Hypertext Transfer Protocol Secure (HTTPS)
u Encrypted transfer of data between the client (browser) and
the server (your WordPress site).
u Required for using any payment gateway such as Stripe.
Ø Secure Sockets Layer (SSL) Certificate
u Use a reputable certificate reseller.
u Proper .htaccess redirects (don’t allow both http and https
from your site).
u This alone does NOT make your WordPress site secure.
https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress
9. First Law of Website Security
NOTHING is unhackable
10. Protect Your Digital Asset
Ø Investment of Time/Money
Ø Traffic (e.g. ad revenue)
Ø Online Store (real revenue)
Ø Your Reputation (intangible)
11. Why?
Ø Every week Google blacklists websites‡:
u 20,000 for malware
u 50,000 for phishing
Ø Sucuri estimates that only about 15% of infected
websites get blacklisted. That means 85% of
infected sites are freely distributing malware*.
Ø Being flagged can be devastating
u Affect visitors accessing website
u How it ranks
u Deliverability of Email
‡http://www.wpbeginner.com/wordpress-security/
*https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
12. Most Infamous WordPress Hack
Ø What is Mossack Fonseca?
Ø Ever hear of the Panama Papers?
u Data released in April 2016.
u Partly a WP hack through the Revolution Slider plugin that was not kept up to
date. Also involved an email hack.
u 2.6 TB of data containing nearly 40 years of records.
u Widespread illicit financial activities and tax evasion through shell companies.
u > $135B lost by almost 400 companies.
u 140 politicians from more than 50 countries.
u Still running WP, but have put up a web application firewall (WAF).
https://panamapapers.icij.org/20161201-global-impact.html
https://www.theregister.co.uk/2016/04/07/panama_papers_unpatched_wordpress_drupal/
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
13. Who Got Burned?
https://panamapapers.icij.org/the_power_players/
14. Recent Examples
Ø Captcha Plugin Backdoor
u Commercial plugin with >300K active installs.
u Sold in September 2017.
u New owner installed a backdoor that allowed them to install cloaked
backlinks on affected websites.
https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/
Ø Cryptomining Campaign Brute Force Attacks
u Targeted WordPress websites with Command & Control malware.
u Used stolen resources to both launch attacks and mine Monero.
u Malware detected by a Wordfence scan.
u Check your server resources, and monitor blacklists.
u Harden your site against Brute Force Attacks (BFAs).
https://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/
15. WordPress Core
Ø Open Source
Ø Very Secure
u Audited regularly by hundreds of developers.
Ø You MUST Keep it UPDATED!
u Especially all plugins.
16. Misconception
Ø Misconception that WordPress is not Secure.
Ø WordPress is the most hacked, but only because it is by far the most used.
http://news.softpedia.com/news/wordpress-continues-to-be-by-far-the-most-hacked-cms-508558.shtml
https://w3techs.com/technologies/overview/content_management/all
17. Sucuri Analyses 2016
Ø Distribution of infected websites similar to distribution of all websites.
Ø Only 55-61% of infections due to outdated WordPress core software.
https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
18. Most Vulnerable Plugins
https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
19. Third-Party Themes and Plugins
Ø Thousands of them available with every imaginable functionality.
Ø They are your greatest vulnerability.
Ø Try to use those that are well used and well reviewed.
Ø Only purchase plugins/themes from reputable authors.
Keep them UPDATED!
20. Second Law of Website Security
The Principle of Least Privilege
21. Role Control
Ø Give your users only the access privileges they need.
u If a user can destroy something, they will.
u Plugins such as Adminimize hide what you don’t want users
to access.
u Plugins like Capability Manager Enhanced can help you
modify the standard roles within WordPress.
22. Strong Passwords & Unique Nicknames
Ø Enforce Strong Passwords
u Users will complain, but they’ll get over it.
u Use “Pass Phrases” like “Mary had a little lamb.”
u NEVER allow the “admin” user account. If you have it,
remove it. It’s the first thing hackers attack using seed lists
of common passwords.
Ø Force users to use Unique Nicknames
u Hackers can harvest usernames from author pages.
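Both the brute-force logins against wp-login.php (the BFAs of slide 14 and the attacks on the "admin" account above) and the author-page username harvesting mentioned on this slide leave a trace in the web server access log. The Python below is an added example, not code from the deck or from any plugin it names: it parses constructed Apache combined-format lines and reports IPs that hammer wp-login.php within a short window or walk /?author=N; the thresholds are assumed defaults you would tune for your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed Apache access-log lines (sample data, not from a real server).
SAMPLE_LOG = """\
203.0.113.7 - - [18/Jan/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3123
203.0.113.7 - - [18/Jan/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3123
203.0.113.7 - - [18/Jan/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3123
203.0.113.7 - - [18/Jan/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3123
198.51.100.9 - - [18/Jan/2018:10:01:00 +0000] "GET /?author=1 HTTP/1.1" 301 0
198.51.100.9 - - [18/Jan/2018:10:01:01 +0000] "GET /?author=2 HTTP/1.1" 301 0
198.51.100.9 - - [18/Jan/2018:10:01:02 +0000] "GET /?author=3 HTTP/1.1" 301 0
192.0.2.20 - - [18/Jan/2018:10:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""
# client IP, timestamp, method, path and status code of a combined-format line
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ip, ts, method, path, status = m.groups()
    return ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), method, path, int(status)

def find_login_abuse(log_text, max_posts=3, window_s=60):
    """IPs that POST to wp-login.php more than max_posts times within window_s seconds."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "POST" and rec[3].startswith("/wp-login.php"):
            posts[rec[0]].append(rec[1])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0  # sliding window over the sorted timestamps
        for end, t in enumerate(times):
            while (t - times[start]).total_seconds() > window_s:
                start += 1
            if end - start + 1 > max_posts:
                flagged[ip] = len(times)
                break
    return flagged

def find_author_enumeration(log_text, min_probes=3):
    """IPs walking /?author=N, the username-harvesting probe the slide warns about."""
    probes = defaultdict(int)
    for line in log_text.splitlines():
        rec = parse(line)
        if rec and rec[2] == "GET" and re.search(r"[?&]author=\d+", rec[3]):
            probes[rec[0]] += 1
    return {ip: n for ip, n in probes.items() if n >= min_probes}
```

Feed it a real access log and the flagged IPs are candidates for a firewall block or for a login-throttling rule in the security plugin you use.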
23. Third Law of Website Security
Use Reliable Hosting
24. Shared Hosting
Ø Many websites on a single server
u Budget solution.
u Can be well over a hundred domains.
u Shared resources.
u Shared risks.
• If the server is compromised by just one of the websites, all will
be at risk.
Ø Recommended
u Siteground
u Stay away from shared hosts owned by Endurance Intl. Group.
u If you must, try BlueHost or DreamHost (recommended by WordPress.org).
u https://researchasahobby.com/full-list-eig-hosting-companies-brands/
26. DIY Cloud Hosting
Ø Cloud Hosts
u Digital Ocean
u AWS (Amazon Web Services)
u Google Cloud
u UpCloud, etc…
Ø Server Management - Serverpilot.io
u Specializes in managing cloud servers running PHP.
u Manages server updates.
u Ubuntu Linux
27. Fourth Law of Website Security
Backup Your Website
28. Backup…?
Ø ALWAYS back up your ENTIRE site
u Back up both your MySQL database and your site files.
u You don’t necessarily need to back up the WordPress core files.
Ø Back up OFF-SITE
u Some plugins save your backups to your website files. Don’t
do this.
u Back up to Google Drive, AWS S3, Google Cloud, DropBox, etc.
u I like duplicate backup sets.
Ø AUTOMATE your backups
u Choose a plugin that will schedule these for you.
u Frequency depends on how often changes are made.
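As an added illustration of the backup rules on this slide (not code from the deck or from any plugin it mentions), this Python script keeps everything except the WordPress core files, bundles it with a database dump and writes the same timestamped archive to every destination you give it. It assumes the mysqldump file has already been produced and that the destination directories are mounts or sync folders for your off-site storage; demo() builds a constructed site tree in a temporary directory so the script runs offline.

```python
import os
import tarfile
import tempfile
from datetime import datetime, timezone

CORE_DIRS = {"wp-admin", "wp-includes"}   # re-created by a fresh WordPress download

def is_core_file(rel_path):
    """True for wp-admin/, wp-includes/ and root-level wp-*.php files, except wp-config.php."""
    top = rel_path.split("/", 1)[0]
    if top in CORE_DIRS:
        return True
    return "/" not in rel_path and top.startswith("wp-") and top != "wp-config.php"

def select_paths(site_root):
    """Relative paths worth keeping: wp-config.php, .htaccess, wp-content and other non-core files."""
    chosen = []
    for dirpath, _dirs, files in os.walk(site_root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), site_root).replace(os.sep, "/")
            if not is_core_file(rel):
                chosen.append(rel)
    return sorted(chosen)

def make_backup(site_root, db_dump, dest_dirs):
    """Write one timestamped tar.gz of site files plus the DB dump to every destination."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    written = []
    for dest in dest_dirs:   # duplicate sets: the same file set goes to each off-site location
        os.makedirs(dest, exist_ok=True)
        archive = os.path.join(dest, f"site-{stamp}.tar.gz")
        with tarfile.open(archive, "w:gz") as tar:
            for rel in select_paths(site_root):
                tar.add(os.path.join(site_root, rel), arcname="files/" + rel)
            tar.add(db_dump, arcname="database.sql")   # mysqldump output made beforehand
        written.append(archive)
    return written

def demo():
    """Constructed site tree (sample data) in a temp dir; returns (selected paths, archive members)."""
    root, dump = tempfile.mkdtemp(), os.path.join(tempfile.mkdtemp(), "db.sql")
    for rel in ("wp-config.php", "wp-login.php", ".htaccess", "wp-admin/admin.php", "wp-content/plugins/x/x.php"):
        os.makedirs(os.path.dirname(os.path.join(root, rel)), exist_ok=True)
        with open(os.path.join(root, rel), "w") as f:
            f.write("sample\n")
    with open(dump, "w") as f:
        f.write("-- sample dump\n")
    archives = make_backup(root, dump, [tempfile.mkdtemp(), tempfile.mkdtemp()])
    with tarfile.open(archives[1]) as tar:
        return select_paths(root), sorted(tar.getnames())
```

Schedule it from cron at whatever frequency matches how often the site changes, and restore from the archive onto a clean install once in a while to prove the set is usable.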
29. Backup Plugins
Ø UpDraftPlus
u 1+ million active installations.
u Saves zip files of plugins, themes, uploads, other, core
separately.
u All major cloud services.
u Automated.
u Premium version allows backups to multiple services
and easy migration and cloning.
Ø BackupBuddy (iThemes - Premium)
u Many of the features of UpDraftPlus
u I found migration and cloning difficult.
Ø Many others in the WP Repository
u BackWPup, JetPack, Duplicator, VaultPress, etc.
31. Firewalls for WordPress
32. NinjaFirewall
Ø WP Edition
u 20,000+ active installations.
u Adds rules to .htaccess
u Requires write access to your root directory -> .user.ini
; BEGIN NinjaFirewall
auto_prepend_file = /srv/users/~~~/public/wp-content/nfwlog/ninjafirewall.php
; END NinjaFirewall
36. iQ Block Country
Ø Free Plugin
Ø 30,000+ million active installations.
Ø Blocks access to backend or frontend based on GeoIPLite database from
MaxMind.
Ø Free database, but you must update occasionally.
Ø Subscription to database = automatic updates.
Ø Block all except whitelist.
43. iThemes Security
Ø Not the only solution.
Ø Part of iThemes’ Toolkit.
u Worth it just for the WordPress training they provide.
u iThemes Sync – Helps you keep things up to date.
Ø Many settings available.
Ø Prevents Brute Force Attacks.
Ø Can interfere with PHP scripts you want to run.
47. WPScan
Ø Ruby Code
u Sponsored by Sucuri.
u Run from the command line on Linux or MacOS.
u Enumerate plugins & users among other things.
u Can be used to brute force attack a WordPress website.
Ø https://wpscans.com
u Online version of WPScan
u Must agree that you have permission to scan a website.
Ø WPScan will tell you if your website is secure.
51. Email Security
Ø DNS Records
Ø SPF – Sender Policy Framework
u Authorizes servers to send mail for your domain
u TXT Record – v=spf1 include:_spf.google.com ~all
Ø DKIM – DomainKeys Identified Mail
u Key-based DNS record for validating a domain name that is associated
with a message through cryptographic authentication.
u DKIM.org
52. DMARC Record
Ø DMARC – Domain-based Message Authentication,
Reporting and Conformance
u DNS TXT Record
u Email-validation by specifying a policy about how to handle SPF and
DKIM failures.
u Detects and prevents Email Spoofing
u Combats phishing and email spam
u Protects your email reputation and keeps you off email blacklists.
u DMARCian.com
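An added example, not from the deck: a Python checker for the SPF and DMARC TXT records described on slides 51 and 52, run against constructed record values (SPF_OK is the record quoted on slide 51; the other values and the finding texts are this example's own). It flags a +all SPF, a missing "all" term, more than ten lookup mechanisms, and a DMARC p=none that only monitors and still lets spoofed mail through.

```python
import re

# Constructed DNS TXT values (sample data); SPF_OK is the record quoted on the slide.
SPF_OK = "v=spf1 include:_spf.google.com ~all"
SPF_WEAK = "v=spf1 a mx include:a.example include:b.example +all"
DMARC_OK = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"
DMARC_MONITOR_ONLY = "v=DMARC1; p=none"
LOOKUP_MECHS = ("include", "a", "mx", "ptr", "exists", "redirect")  # each costs a DNS lookup

def check_spf(record):
    """Return a list of findings for an SPF TXT record (empty list means no issues)."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["record must begin with v=spf1"]
    findings, lookups, all_qual = [], 0, None
    for term in terms[1:]:
        qual = term[0] if term[0] in "+-~?" else "+"   # qualifier defaults to pass
        name = re.split(r"[:/=]", term.lstrip("+-~?"), maxsplit=1)[0].lower()
        if name in LOOKUP_MECHS:
            lookups += 1
        if name == "all":
            all_qual = qual
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup mechanisms; RFC 7208 allows at most 10")
    if all_qual is None:
        findings.append("no 'all' mechanism: unlisted senders evaluate as neutral")
    elif all_qual == "+":
        findings.append("+all authorizes every host on the internet to send as your domain")
    return findings

def check_dmarc(record):
    """Return findings for a DMARC TXT record; p=none (monitor only) is reported as a finding."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            k, v = part.split("=", 1)
            tags[k.strip().lower()] = v.strip()
    findings = []
    if tags.get("v") != "DMARC1":
        findings.append("record must begin with v=DMARC1")
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        findings.append("p tag missing or invalid (must be none, quarantine or reject)")
    elif policy == "none":
        findings.append("p=none only reports; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua address: aggregate reports will not be received")
    return findings
```

Pull your own records with dig TXT yourdomain and _dmarc.yourdomain and pass the quoted strings to these functions; an empty list from both is the state you want before relying on DMARC for reputation.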