BlueSkyDigitalStrategy.com	
  
WordPress Security
Kim Kuhlman, PhD
kim@blueskydigitalstrategy.com
Blue Sky Digital Strategy, LLC
What?
Ø  Why do YOU need Website Security?
Ø  HTTPS & SSL
Ø  4 Laws of Website Security
Ø  Firewalls
Ø  iQ Block Country
Ø  Security Plugins
Ø  Testing your Website Security
Ø  Other “Reputation Management” Considerations
1/19/18	
   BlueSkyDigitalStrategy.com	
   2	
  
The Fount of
All Knowledge
You have access to the greatest trove of
information in the history of the planet.
And, the amount of information is
accelerating every single day.
All you have
to do is ASK.
GOOGLE
(or Bing if you must)
If you encounter an error message, the chances are
very good that someone has been kind enough to
post somewhere about the solution.
Caveat: Be aware of code snippets. Don’t just copy
code without looking at it and understanding what it
does. You may inadvertently install a backdoor.
WordPress Security
Ø Why do you need it?
u  Protecting your Digital Assets
u  Examples of WordPress Hacks
Ø What can you do?
u  WordPress Core
u  Backups
u  Firewalls
u  Security Plugins
HTTPS & SSL
Ø  Secure Hypertext Transfer Protocol
u  Encrypted transfer of data between the client (browser) and
the server (your WordPress site).
u  Required for using any payment gateway such as Stripe.
Ø  Secured Socket Layer (SSL) Certificate
u  Use a reputable certificate reseller.
u  Proper .htaccess redirects (don’t allow both http and https
from your site.
u  This alone does NOT make your WordPress site secure.
https://make.wordpress.org/support/user-manual/web-publishing/https-for-wordpress
HTTPS Plugins
First Law of
Website Security
NOTHING
is unhackable
Protect Your
Digital Asset
Ø Investment of Time/Money
Ø Traffic (e.g. ad revenue)
Ø Online Store (real revenue)
Ø Your Reputation (intangible)
Why?
Ø  Every week Google blacklists websites‡:
u  20,000 for malware
u  50,000 for phishing
Ø  Sucuri estimates that only about 15% of infected
websites get blacklisted. That means 85% of
infected sites are freely distributing malware*.
Ø  Being flagged can be devastating
u  Affect visitors accessing website
u  How it ranks
u  Deliverability of Email
‡http://www.wpbeginner.com/wordpress-security/
*https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
Most Infamous
WordPress Hack
Ø  What is Mossack Fonseca?
Ø  Ever hear of the Panama Papers?
u  Data released in April 2016.
u  Partly a WP hack through the Revolution Slider plugin that was not kept up to
date. Also involved an email hack.
u  2.6 TB of data containing nearly 40 years of records.
u  Widespread illicit financial activities and tax evasion through shell companies.
u  > $135B lost by almost 400 companies.
u  140 politicians from more than 50 countries.
u  Still running WP, but have put up a web application firewall (WAF).
https://panamapapers.icij.org/20161201-global-impact.html
https://www.theregister.co.uk/2016/04/07/panama_papers_unpatched_wordpress_drupal/
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
Who Got Burned?
https://panamapapers.icij.org/the_power_players/
  
Recent Examples
Ø  Captcha Plugin Backdoor
u  Commercial plugin with >300K active installs.
u  Sold in September 2017.
u  New owner installed a backdoor that allowed them to install cloaked
backlinks on affected websites.
https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/
Ø  Cryptomining Campaign Brute Force Attacks
u  Targeted WordPress websites with Command & Control malware.
u  Used stolen resources to both launch attacks and mine Monero.
u  Malware detected by a Wordfence scan.
u  Check your server resources, and monitor blacklists.
u  Harden your site against Brute Force Attacks (BFAs).
https://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/
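As an added example that is not part of the original slides, here is the detection side of "harden your site against Brute Force Attacks": it scans Apache/Nginx combined-format access log lines for client IPs hammering wp-login.php or xmlrpc.php inside a short window. The log lines, IP addresses, threshold and window are all constructed assumptions for the demo.

```python
"""Flag brute-force login attempts against WordPress from web server access logs.

Added example (not from the original slides). Constructed log lines stand in
for a real access log; addresses come from the TEST-NET documentation ranges.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache "combined" log format (Nginx's default format is the same shape).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# The two endpoints brute-force tools target on a WordPress site.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: one real user, one password-guessing client, two xmlrpc posts.
SAMPLE_LOG = [
    '198.51.100.7 - - [18/Jan/2018:09:00:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [18/Jan/2018:09:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.5 - - [18/Jan/2018:09:01:{s:02d} +0000] "POST /wp-login.php HTTP/1.1" 200 2312 "-" "python-requests/2.18"'
    for s in range(0, 40, 5)
] + [
    '203.0.113.9 - - [18/Jan/2018:09:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [18/Jan/2018:09:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 403 "-" "Mozilla/5.0"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return {
        "ip": m.group("ip"),
        "ts": ts,
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def is_failed_login_attempt(rec):
    """A POST to a login endpoint; a 302 from wp-login.php is a successful login."""
    if rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
        return False
    if rec["path"] == "/wp-login.php" and rec["status"] == 302:
        return False
    return True


def find_bruteforcers(lines, threshold=5, window_seconds=60):
    """Return {ip: peak_attempts} for IPs exceeding `threshold` login attempts
    within any sliding window of `window_seconds`. Lines must be in time order."""
    recent = defaultdict(deque)  # ip -> timestamps of attempts inside the window
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login_attempt(rec):
            continue
        q = recent[rec["ip"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # expire attempts that fell out of the window
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, peak in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {peak} login attempts within 60s, candidate for blocking")
```

A firewall plugin or fail2ban jail does the same counting in real time; the script is useful for checking historical logs after a scan has found cryptomining or similar malware.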
WordPress Core
Ø Open Source
Ø Very Secure
u  Audited regularly by hundreds of developers.
Ø You MUST Keep it UPDATED!
u  Especially all plugins.
Misconception
Ø  Misconception that
WordPress is not
Secure.
Ø  WordPress is the
most hacked, but
only because it is by
far the most used.
http://news.softpedia.com/news/wordpress-continues-to-be-by-far-the-most-hacked-cms-508558.shtml
  
https://w3techs.com/technologies/overview/content_management/all
  
Sucuri Analyses
2016
Ø  Distribution of infected
websites similar to
distribution of all
websites.
Ø  Only 55-61% of
infections due to
outdated WordPress
core software.
https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  
Most Vulnerable
Plugins
https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  
Third-Party
Themes and Plugins
Ø  Thousands of them available with every
imaginable functionality.
Ø  They are your greatest vulnerability.
Ø  Try to use those that are well used and well
reviewed.
Ø  Only purchase plugins/themes from reputable
authors.
Keep them UPDATED!
Second Law of
Website Security
The Principle of
Least Privileges
Role Control
Ø  Give your users only the access privileges they need.
u  If a user can destroy something, they will.
u  Plugins such as Adminimize hide what you don’t want users
to access.
u  Plugins like Capability Manager Enhanced can help you
modify the standard roles within WordPress.
Strong Passwords
& Unique Nicknames
Ø  Enforce Strong Passwords
u  Users will complain, but they’ll get over it.
u  Use “Pass Phrases” like “Mary had a little lamb.”
u  NEVER allow the “admin” user account. If you have it,
remove it. It’s the first thing hackers attack using seed lists
of common passwords.
Ø  Force users to use Unique Nicknames
u  Hackers can harvest usernames from author pages.
Third Law of
Website Security
Use Reliable
Hosting
Shared Hosting
Ø  Many websites on a single server
u  Budget solution.
u  Can be well over a hundred domains.
u  Shared resources.
u  Shared risks.
•  If the server is compromised by just one of the websites, all will
be at risk.
Ø  Recommended
u  Siteground
u  Stay away from shared hosts owned by Endurance Intl. Group.
u  If you must, try BlueHost or DreamHost (recommended by WordPress.org).
u  https://researchasahobby.com/full-list-eig-hosting-companies-brands/
Managed WordPress
Hosting
Ø  These hosts specialize in WordPress.
u  VPS (Virtual Private Server)
u  Managed Cloud Hosting
u  Dedicated Servers
Ø  Recommended
u  WPEngine
u  Liquid Web
DIY Cloud Hosting
Ø  Cloud Hosts
u  Digital Ocean
u  AWS (Amazon Web Services)
u  Google Cloud
u  UpCloud, etc…
Ø  Server Management - Serverpilot.io
u  Specializes in managing cloud servers running PHP.
u  Manages server updates.
u  Ubuntu Linux
Fourth Law of
Website Security
Backup Your
Website
Backup…?
Ø  ALWAYS backup your ENTIRE site
u  Backup both your MySQL Database and your site files.
u  Don’t necessarily need to backup the WordPress core files.
Ø  Backup OFF-SITE
u  Some plugins save your backups to your website files. Don’t
do this.
u  Backup to Google Drive, AWS S3, Google Cloud, DropBox, etc.
u  I like duplicate backup sets.
Ø  AUTOMATE your backups
u  Choose a plugin that will schedule these for you.
u  Frequency depends on how often changes are made.
Backup Plugins
Ø  UpDraftPlus
u  1+ million active installations.
u  Saves zip files of plugins, themes, uploads, other, core
separately.
u  All major cloud services.
u  Automated.
u  Premium version allows backups to multiple services
and easy migration and cloning.
Ø  BackupBuddy (iThemes - Premium)
u  Many of the features of UpDraftPlus
u  I found migration and cloning difficult.
Ø  Many others in the WP Repository
u  BackWPup, JetPack, Duplicator, VaultPress, etc.
Firewall Plugins
Firewalls for
WordPress
Ø  UpDraftPlus
u  1+ million active installations.
u  Saves zip files of plugins, themes, uploads, other, core
separately.
u  All major cloud services.
u  Automated.
u  Premium version allows backups to multiple services
and easy migration and cloning.
Ø  BackupBuddy (iThemes - Premium)
u  Many of the features of UpDraftPlus
u  I found migration and cloning difficult.
Ø  Many others in the WP Repository
u  BackWPup, JetPack, Duplicator, VaultPress, etc.
1/18/18	
   BlueSkyDigitalStrategy.com	
   31	
  
NinjaFirewall
Ø  WP Edition
u  20,000+ active installations.
u  Adds rules to .htaccess
u  Requires write access to your
root directory -> .user.ini
; BEGIN NinjaFirewall
auto_prepend_file = /srv/users/~~~/public/wp-content/
nfwlog/ninjafirewall.php
; END NinjaFirewall
1/19/18	
   BlueSkyDigitalStrategy.com	
   32	
  
NF Policies #1
NF Policies #2
iQ Block Country
iQ Block Country
Ø  Free Plugin
Ø  30,000+ million active installations.
Ø  Blocks access to backend or frontend based on GeoIPLite database from
MaxMind.
Ø  Free database, but you must update occasionally.
Ø  Subscription to database = automatic updates.
Ø  Block all except whitelist.
iQ Block Country
Backend Options
Most Blocked
Countries
Most Blocked URLs
Last Blocked URLs
WordPress Security
Plugins
iThemes Security
Ø  Not the only solution.
Ø  Part of iTheme’s Toolkit.
u  Worth it just for the WordPress
training they provide.
u  iThemes Sync – Helps you keep
things up to date.
Ø  Many settings available.
Ø  Prevents Brute Force Attacks.
Ø  Can interfere with PHP scripts
you want to run.
iThemes Security
Dashboard #1
iThemes Security
Dashboard #2
Testing Your
Security
WPScan
Ø  Ruby Code
u  Sponsored by Sucuri.
u  Run from the command line on
Linux or MacOS.
u  Enumerate plugins & users
among other things.
u  Can be used to brute force
attack a WordPress website.
Ø  https://wpscans.com
u  Online version of WPScan
u  Must agree that you have
permission to scan a website.
Ø  WPScan will tell you if your
website is secure.
Sucuri
https://sitecheck.sucuri.net/
Undoubtedly incorporates WPScan.
Built in to iThemes Security
WordFence
“Gravityscan”
https://www.gravityscan.com/
https://www.wordfence.com/free-website-security-scan/
Other Security Related
Issues
Email Security
Ø  DNS Records
Ø  SPF – Sender Policy Framework
u  Authorizes servers to send mail for your domain
u  TXT Record – v=spf1 include:_spf.google.com ~all
Ø  DKIM – DomainKeys Identified Mail
u  Key-based DNS record for validating a domain name that is associated
with a message through cryptographic authentication.
u  DKIM.org
DMARC Record
Ø  DMARC – Domain-based Message Authentication,
Reporting and Conformance
u  DNS TXT Record
u  Email-validation by specifying a policy about how to handle SPF and
DKIM failures.
u  Detects and prevents Email Spoofing
u  Combats phishing and email spam
u  Protects your email reputation and keeps you off email blacklists.
u  DMARCian.com
DMARC Example
Report period: 11/1/17 – 1/18/18
Further
Discussion
kim@blueskydigitalstrategy.com
https://www.facebook.com/blueskydigitalstrategy/
https://www.facebook.com/groups/blueskydigitalstrategy/
@blueskydigstrat
https://www.linkedin.com/in/blueskydigital
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providersMoving Beyond Twitter/X and Facebook - Social Media for local news providers
Moving Beyond Twitter/X and Facebook - Social Media for local news providers
 
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
Call Girls In Defence Colony Delhi 💯Call Us 🔝8264348440🔝
 
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
Call Girls in Uttam Nagar Delhi 💯Call Us 🔝8264348440🔝
 
Russian Call girls in Dubai +971563133746 Dubai Call girls
Russian  Call girls in Dubai +971563133746 Dubai  Call girlsRussian  Call girls in Dubai +971563133746 Dubai  Call girls
Russian Call girls in Dubai +971563133746 Dubai Call girls
 

Basic WordPress Security 2018 - WordCamp ABQ

  • 9. First Law of Website Security: NOTHING is unhackable
  • 10. Protect Your Digital Asset
    - Investment of Time/Money
    - Traffic (e.g. ad revenue)
    - Online Store (real revenue)
    - Your Reputation (intangible)
  • 11. Why?
    - Every week Google blacklists websites‡:
      - 20,000 for malware
      - 50,000 for phishing
    - Sucuri estimates that only about 15% of infected websites get blacklisted. That means 85% of infected sites are freely distributing malware*.
    - Being flagged can be devastating:
      - Affects visitors accessing the website
      - How it ranks
      - Deliverability of email
    ‡ http://www.wpbeginner.com/wordpress-security/
    * https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  • 12. Most Infamous WordPress Hack
    - What is Mossack Fonseca?
    - Ever hear of the Panama Papers?
      - Data released in April 2016.
      - Partly a WP hack through the Revolution Slider plugin that was not kept up to date. Also involved an email hack.
      - 2.6 TB of data containing nearly 40 years of records.
      - Widespread illicit financial activities and tax evasion through shell companies.
      - > $135B lost by almost 400 companies.
      - 140 politicians from more than 50 countries.
      - Still running WP, but have put up a web application firewall (WAF).
    https://panamapapers.icij.org/20161201-global-impact.html
    https://www.theregister.co.uk/2016/04/07/panama_papers_unpatched_wordpress_drupal/
    https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
  • 13. Who Got Burned? https://panamapapers.icij.org/the_power_players/
  • 14. Recent Examples
    - Captcha Plugin Backdoor
      - Commercial plugin with >300K active installs.
      - Sold in September 2017.
      - New owner installed a backdoor that allowed them to install cloaked backlinks on affected websites.
      https://www.wordfence.com/blog/2017/12/backdoor-captcha-plugin/
    - Cryptomining Campaign Brute Force Attacks
      - Targeted WordPress websites with Command & Control malware.
      - Used stolen resources to both launch attacks and mine Monero.
      - Malware detected by a Wordfence scan.
      - Check your server resources, and monitor blacklists.
      - Harden your site against Brute Force Attacks (BFAs).
      https://www.wordfence.com/blog/2017/12/massive-cryptomining-campaign-wordpress/
  • 15. WordPress Core
    - Open Source
    - Very Secure
      - Audited regularly by hundreds of developers.
    - You MUST Keep it UPDATED!
      - Especially all plugins.
  • 16. Misconception
    - Misconception that WordPress is not Secure.
    - WordPress is the most hacked, but only because it is by far the most used.
    http://news.softpedia.com/news/wordpress-continues-to-be-by-far-the-most-hacked-cms-508558.shtml
    https://w3techs.com/technologies/overview/content_management/all
  • 17. Sucuri Analyses 2016
    - Distribution of infected websites similar to distribution of all websites.
    - Only 55-61% of infections due to outdated WordPress core software.
    https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  • 18. Most Vulnerable Plugins https://sucuri.net/website-security/hacked-reports/2016-q3-hacked-website-report
  • 19. Third-Party Themes and Plugins
    - Thousands of them available with every imaginable functionality.
    - They are your greatest vulnerability.
    - Try to use those that are well used and well reviewed.
    - Only purchase plugins/themes from reputable authors. Keep them UPDATED!
  • 20. Second Law of Website Security: The Principle of Least Privilege
  • 21. Role Control
    - Give your users only the access privileges they need.
      - If a user can destroy something, they will.
      - Plugins such as Adminimize hide what you don’t want users to access.
      - Plugins like Capability Manager Enhanced can help you modify the standard roles within WordPress.
  • 22. Strong Passwords & Unique Nicknames
    - Enforce Strong Passwords
      - Users will complain, but they’ll get over it.
      - Use “Pass Phrases” like “Mary had a little lamb.”
      - NEVER allow the “admin” user account. If you have it, remove it. It’s the first thing hackers attack using seed lists of common passwords.
    - Force users to use Unique Nicknames
      - Hackers can harvest usernames from author pages.
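The two checks on this slide (passphrase-length policy, and the account audit for the default “admin” login and for display names that equal the login) as a small script. This is an added example, not code from the presentation or from any WordPress plugin; the user records and the common-password seed list are constructed for the example, and a real deployment would run the same checks against wp_users and a full seed list.

```python
import re

# Constructed stand-in for the common-password seed lists used against the
# login form (assumption: a real deployment would load a full list).
COMMON_PASSWORDS = {
    "password", "123456", "admin", "letmein", "qwerty", "wordpress", "welcome",
}

# Constructed user records in the shape of wp_users rows plus the role.
SAMPLE_USERS = [
    {"user_login": "admin", "display_name": "admin", "role": "administrator"},
    {"user_login": "kkuhlman", "display_name": "kkuhlman", "role": "editor"},
    {"user_login": "jdoe", "display_name": "Jane Doe", "role": "author"},
]


def check_password(secret: str, login: str = "") -> list:
    """Return the policy rules a candidate password violates (empty = accepted).

    Length is the main test: a multi-word passphrase such as
    "Mary had a little lamb." passes without any symbol requirement.
    """
    problems = []
    lowered = secret.lower()
    if len(secret) < 12:
        problems.append("shorter than 12 characters")
    # Strip digits and punctuation so "Password1!" still matches "password".
    if re.sub(r"[^a-z]", "", lowered) in COMMON_PASSWORDS:
        problems.append("matches a common-password seed list entry")
    if len(login) >= 3 and login.lower() in lowered:
        problems.append("contains the login name")
    words = re.findall(r"[a-z]+", lowered)
    if len(words) < 3 and len(secret) < 16:
        problems.append("neither a multi-word passphrase nor 16+ characters")
    return problems


def audit_users(users) -> list:
    """Flag accounts that brute-force and username-harvesting attempts hit first.

    Returns (user_login, finding) pairs.
    """
    findings = []
    for user in users:
        login = user["user_login"]
        if login.lower() == "admin":
            findings.append((login, "default 'admin' account exists; "
                                    "create a new administrator and delete it"))
        if user["display_name"].lower() == login.lower():
            findings.append((login, "display name equals login, so author "
                                    "pages expose the username"))
    return findings


if __name__ == "__main__":
    for login, finding in audit_users(SAMPLE_USERS):
        print(f"{login}: {finding}")
    print(check_password("Password1!", "kim"))
```

The passphrase rule accepts the slide's “Mary had a little lamb.” as is; “Password1!” fails on length, on the seed list (after stripping the digit and punctuation) and on not being a passphrase.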
  • 23. Third Law of Website Security: Use Reliable Hosting
  • 24. Shared Hosting
    - Many websites on a single server
      - Budget solution.
      - Can be well over a hundred domains.
      - Shared resources.
      - Shared risks.
        - If the server is compromised by just one of the websites, all will be at risk.
    - Recommended
      - Siteground
      - Stay away from shared hosts owned by Endurance Intl. Group.
      - If you must, try BlueHost or DreamHost (recommended by WordPress.org).
      - https://researchasahobby.com/full-list-eig-hosting-companies-brands/
  • 25. Managed WordPress Hosting
    - These hosts specialize in WordPress.
      - VPS (Virtual Private Server)
      - Managed Cloud Hosting
      - Dedicated Servers
    - Recommended
      - WPEngine
      - Liquid Web
  • 26. DIY Cloud Hosting
    - Cloud Hosts
      - Digital Ocean
      - AWS (Amazon Web Services)
      - Google Cloud
      - UpCloud, etc…
    - Server Management - Serverpilot.io
      - Specializes in managing cloud servers running PHP.
      - Manages server updates.
      - Ubuntu Linux
  • 27. Fourth Law of Website Security: Backup Your Website
  • 28. Backup…?
    - ALWAYS backup your ENTIRE site
      - Backup both your MySQL Database and your site files.
      - Don’t necessarily need to backup the WordPress core files.
    - Backup OFF-SITE
      - Some plugins save your backups to your website files. Don’t do this.
      - Backup to Google Drive, AWS S3, Google Cloud, DropBox, etc.
      - I like duplicate backup sets.
    - AUTOMATE your backups
      - Choose a plugin that will schedule these for you.
      - Frequency depends on how often changes are made.
  • 29. Backup Plugins
    - UpDraftPlus
      - 1+ million active installations.
      - Saves zip files of plugins, themes, uploads, other, core separately.
      - All major cloud services.
      - Automated.
      - Premium version allows backups to multiple services and easy migration and cloning.
    - BackupBuddy (iThemes - Premium)
      - Many of the features of UpDraftPlus
      - I found migration and cloning difficult.
    - Many others in the WP Repository
      - BackWPup, JetPack, Duplicator, VaultPress, etc.
  • 30. Firewall Plugins
  • 31. Firewalls for WordPress
  • 32. NinjaFirewall
    - WP Edition
      - 20,000+ active installations.
      - Adds rules to .htaccess
      - Requires write access to your root directory -> .user.ini
        ; BEGIN NinjaFirewall
        auto_prepend_file = /srv/users/~~~/public/wp-content/nfwlog/ninjafirewall.php
        ; END NinjaFirewall
  • 33. NF Policies #1
  • 34. NF Policies #2
  • 35. iQ Block Country
  • 36. iQ Block Country
    - Free Plugin
    - 30,000+ million active installations.
    - Blocks access to backend or frontend based on GeoIPLite database from MaxMind.
    - Free database, but you must update occasionally.
    - Subscription to database = automatic updates.
    - Block all except whitelist.
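The decision logic behind “block all except whitelist” on the backend versus a blocklist on the frontend, written out as an added example. It is not iQ Block Country's code: the IP-to-country table is constructed from the RFC 5737 documentation ranges with invented country codes (a real deployment would query MaxMind's GeoLite2 database instead), and the class and method names are this example's own.

```python
import ipaddress

# Constructed IP-to-country table standing in for MaxMind's GeoLite2 database.
# The networks are the RFC 5737 documentation ranges; the country codes are
# invented for the example.
GEO_TABLE = {
    ipaddress.ip_network("203.0.113.0/24"): "US",
    ipaddress.ip_network("198.51.100.0/24"): "DE",
    ipaddress.ip_network("192.0.2.0/24"): "CN",
}

# Addresses that never arrive from the public internet (localhost, wp-cron,
# a reverse proxy on the LAN). Listed explicitly rather than tested with
# ip_address().is_private, because Python counts the RFC 5737 ranges used in
# the table above as private too.
LOCAL_NETS = [ipaddress.ip_network(n) for n in
              ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12",
               "192.168.0.0/16", "::1/128")]


def lookup_country(ip: str):
    """Return the country code for ip, or None when the table has no entry
    (for example every IPv6 address, since the constructed table has none)."""
    addr = ipaddress.ip_address(ip)
    for net, country in GEO_TABLE.items():
        if addr in net:          # False, not an error, when versions differ
            return country
    return None


class CountryPolicy:
    """Backend: allow only listed countries. Frontend: block only listed ones."""

    def __init__(self, backend_allow, frontend_block, ip_allowlist=()):
        self.backend_allow = set(backend_allow)
        self.frontend_block = set(frontend_block)
        self.ip_allowlist = {ipaddress.ip_address(ip) for ip in ip_allowlist}

    def decide(self, ip: str, backend: bool) -> tuple:
        """Return (allowed, reason) for a request to wp-admin / wp-login.php
        (backend=True) or to the public site (backend=False)."""
        addr = ipaddress.ip_address(ip)
        if addr in self.ip_allowlist:
            return True, "ip allowlisted"
        if any(addr in net for net in LOCAL_NETS):
            return True, "local address"
        country = lookup_country(ip)
        if backend:
            # Allowlist mode fails closed: unknown country means no login.
            if country is None:
                return False, "country unknown; backend is allowlist-only"
            if country in self.backend_allow:
                return True, f"{country} allowed on backend"
            return False, f"{country} not on backend allowlist"
        # Blocklist mode fails open: an unknown visitor can still read the site.
        if country in self.frontend_block:
            return False, f"{country} blocked on frontend"
        if country is None:
            return True, "country unknown; frontend is blocklist-only"
        return True, f"{country} not blocked on frontend"


if __name__ == "__main__":
    policy = CountryPolicy(backend_allow={"US"}, frontend_block={"CN"},
                           ip_allowlist=["198.51.100.7"])
    for ip in ("203.0.113.5", "192.0.2.9", "198.51.100.8", "2001:db8::1"):
        print(ip, policy.decide(ip, backend=True), policy.decide(ip, backend=False))
```

The point the two modes make together: the admin allowlist denies anything the database cannot place, so a lapsed GeoLite update that returns “unknown” for new ranges locks legitimate admins out rather than letting strangers in, which is why the slide's note about keeping the database updated matters, and why an explicit IP allowlist for your own address is worth configuring.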
  • 37. iQ Block Country Backend Options
  • 38. Most Blocked Countries
  • 39. Most Blocked URLs
  • 40. Last Blocked URLs
  • 41. WordPress Security Plugins
  • 42. WordPress Security Plugins
  • 43. iThemes Security
    - Not the only solution.
    - Part of iThemes’ Toolkit.
      - Worth it just for the WordPress training they provide.
      - iThemes Sync – Helps you keep things up to date.
    - Many settings available.
    - Prevents Brute Force Attacks.
    - Can interfere with PHP scripts you want to run.
  • 44. iThemes Security Dashboard #1
  • 45. iThemes Security Dashboard #2
  • 46. Testing Your Security
  • 47. WPScan
    - Ruby Code
      - Sponsored by Sucuri.
      - Run from the command line on Linux or MacOS.
      - Enumerate plugins & users among other things.
      - Can be used to brute force attack a WordPress website.
    - https://wpscans.com
      - Online version of WPScan
      - Must agree that you have permission to scan a website.
    - WPScan will tell you if your website is secure.
  • 48. Sucuri
    - https://sitecheck.sucuri.net/
    - Undoubtedly incorporates WPScan.
    - Built in to iThemes Security
  • 50. Other Security Related Issues
  • 51. Email Security
    - DNS Records
    - SPF – Sender Policy Framework
      - Authorizes servers to send mail for your domain
      - TXT Record – v=spf1 include:_spf.google.com ~all
    - DKIM – DomainKeys Identified Mail
      - Key-based DNS record for validating a domain name that is associated with a message through cryptographic authentication.
      - DKIM.org
  • 52. DMARC Record
    - DMARC – Domain-based Message Authentication, Reporting and Conformance
      - DNS TXT Record
      - Email validation by specifying a policy about how to handle SPF and DKIM failures.
      - Detects and prevents Email Spoofing
      - Combats phishing and email spam
      - Protects your email reputation and keeps you off email blacklists.
      - DMARCian.com
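A checker for the SPF and DMARC TXT records described on these two slides, as an added example that is not part of the presentation or of any of the tools it names. It parses the record the slide shows (v=spf1 include:_spf.google.com ~all) plus a constructed DMARC record, and reports the misconfigurations a receiver would otherwise silently tolerate: more than one SPF record, a +all or ?all terminator, more than ten lookup terms, the deprecated ptr mechanism, p=none, a missing rua= address and a partial pct=. The function names and the sample records are this example's own; no DNS query is made, so the TXT strings are passed in directly.

```python
# Mechanisms and modifiers that each cost one DNS lookup (RFC 7208 section 4.6.4).
LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}

# Constructed TXT record set for a domain apex; the SPF entry is the one from
# the slide, the other entries are invented.
SAMPLE_TXT = [
    "google-site-verification=constructed-token",
    "v=spf1 include:_spf.google.com ~all",
]
SAMPLE_DMARC = "v=DMARC1; p=reject; rua=mailto:dmarc-reports@example.com; pct=100"


def find_spf(txt_records) -> tuple:
    """Pick the single SPF record from a domain's TXT records.

    Two or more is a permerror for every receiver, so it is reported instead
    of guessing which one applies.
    """
    spf = [r for r in txt_records if r.lower().startswith("v=spf1")]
    if len(spf) != 1:
        return None, [f"{len(spf)} SPF records found; exactly one is required"]
    return spf[0], []


def parse_spf(txt: str) -> dict:
    """Split an SPF record into terms and list policy weaknesses."""
    parts = txt.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an SPF record")
    terms, findings = [], []
    for raw in parts[1:]:
        qualifier = "+"                      # implicit qualifier is pass
        if raw[0] in "+-~?":
            qualifier, raw = raw[0], raw[1:]
        if "=" in raw:                       # modifier, e.g. redirect=_spf.example.net
            name, value = raw.split("=", 1)
            terms.append({"kind": "modifier", "name": name.lower(), "value": value})
        else:                                # mechanism, e.g. include:_spf.google.com
            name, _, value = raw.partition(":")
            terms.append({"kind": "mechanism", "name": name.lower(),
                          "qualifier": qualifier, "value": value})
    lookups = sum(t["name"] in LOOKUP_TERMS for t in terms)
    if lookups > 10:
        findings.append(f"{lookups} DNS-lookup terms; RFC 7208 permits at most 10")
    alls = [t for t in terms if t["name"] == "all"]
    if not alls:
        findings.append("no 'all' mechanism; unlisted senders get a neutral result")
    elif alls[0]["qualifier"] == "+":
        findings.append("'+all' lets any host send as this domain")
    elif alls[0]["qualifier"] == "?":
        findings.append("'?all' makes the record a no-op")
    if any(t["name"] == "ptr" for t in terms):
        findings.append("'ptr' mechanism is deprecated (RFC 7208 section 5.5)")
    return {"terms": terms, "findings": findings}


def parse_dmarc(txt: str) -> dict:
    """Split a DMARC record into tags and list the gaps that weaken it."""
    tags = {}
    for item in txt.split(";"):
        if "=" in item:
            key, value = item.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record")
    findings = []
    policy = tags.get("p")
    if policy not in {"none", "quarantine", "reject"}:
        findings.append("p= tag missing or invalid; receivers ignore the record")
    elif policy == "none":
        findings.append("p=none only monitors; spoofed mail is still delivered")
    if "rua" not in tags:
        findings.append("no rua= address; aggregate reports will not arrive")
    if tags.get("pct", "100") != "100":
        findings.append(f"pct={tags['pct']} applies the policy to only part of failing mail")
    return {"tags": tags, "findings": findings}


def audit_domain(txt_records, dmarc_txt) -> list:
    """Combine the SPF and DMARC findings for one domain (empty list = clean)."""
    spf, findings = find_spf(txt_records)
    if spf:
        findings += parse_spf(spf)["findings"]
    findings += parse_dmarc(dmarc_txt)["findings"]
    return findings


if __name__ == "__main__":
    print(audit_domain(SAMPLE_TXT, SAMPLE_DMARC))
    print(audit_domain(["v=spf1 a mx ptr +all"], "v=DMARC1; p=none"))
```

Reading the output for a real domain is a matter of feeding it the TXT strings returned by your resolver for the apex (SPF) and for the _dmarc subdomain (DMARC); p=none is the normal starting point while reports are collected, and the finding is there so it is not forgotten once the reports look clean.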
  • 53. DMARC Example 11/1/17 – 1/18/18