#wpewebinar
May 17, 2017
WHAT YOU’LL LEARN:
● WordPress Threat Model
● Security @ 50,000 Feet
● Attacker Motives
● Types of Threats
● Q&A
Security Architect
WP Engine
Will West
● Made a gatling gun with sonar sensor
● 6’ 8” tall
● Does not play basketball
Sr. Security Analyst
WP Engine
● Swam in the pool on the roof
● Likes tacos
● Not 6’ 8” tall
● Plays basketball
Dustin Warren
WordPress Threat Model
Themes & Plugins
● Upgrade all of the things!
● Piracy is risky business
● Never re-use unaudited code
WordPress Core
● Upgrade all of the things!
● Manage access, not everyone needs admin
Hosting Infrastructure
● Upgrade all of the things!
● Brute-force protection on services like SFTP & SSH
● General system hardening
Security @ 50,000 Feet
Qualifying Confidence
Internal Partners Public
Mitigation / Prevention
Segmentation
Detection / Response
Ecommerce and Blog on Different WordPress Installs?
Internal Partners Public
Mitigation / Prevention
Segmentation
Detection / Response
Host Header Injection in Password Reset
Internal Partners Public
Mitigation / Prevention
Segmentation
Detection / Response
Attacker Motives
Motives
● Money
● Spam operations
● Ad fraud
● Fame
● Hacktivism
● Malware distribution
● Evil
“Who would want to hack my blog?”
Types of Threats
Attacks
● brute-force
● SSH & FTP Injection
● SQL Injection
● Exploitation of old tools
● Unauthenticated file upload
● XSS
● Information disclosure
● PHP File inclusion
● PHP Object injection
Malware
● Obfuscated PHP scripts
● PHP shells
● Reverse shells
● DDoS tools
● Phishing tools
● Drive-by download exploits
● Command and control (C2) for botnets
● Exploits for privilege escalation
Attackers
● Criminal organizations
● Automated malware & malicious bots
● Hackers
● State-sponsored actors
RESOURCES
WHITE PAPER: 8 KEY SECURITY QUESTIONS YOUR HOSTING COMPANY SHOULD BE ABLE TO ANSWER
WPSCAN VULNERABILITY DATABASE
EXPLOIT DATABASE
TORQUE ARTICLE: HOW TO SECURE YOUR WORDPRESS SITE FROM HACKERS
WP ENGINE BLOG: 15 WAYS TO HARDEN THE SECURITY OF YOUR WORDPRESS SITE
RECORDED WEBINAR: HARDEN THE HEART OF YOUR WORDPRESS SITE
NEXT UP...
Register Now:
http://wpeng.in/pbj
Wednesday, May 24
11:00 a.m. CST,
12:00 p.m. EST,
9:00 a.m. PST,
5:00 p.m. UTC/GMT
THANK YOU
@wpengine

Webinar: Security Mindset for WordPress