Uploaded byKojac801
PPTX, PDF516 views

Word press security 101

This document provides an overview of securing WordPress websites. It discusses securing the local work environment by keeping software updated, using antivirus and firewalls, and locking down the browser. It also covers securing WordPress installations by using strong passwords, two-factor authentication, keeping software updated, and testing sites in a local environment. The presentation aims to educate users on security best practices to protect against hackers and secure their WordPress websites.

Embed presentation

Download to read offline
WORDPRESS SECURITY 101 HACKERS, SCOUNDRELS, AND VILLAINS, OH MY PRESENTED BY: GARRY MCNEILLY KOJAC CONSULTING .
PRESENTATION OVERVIEW You will learn how to secure your desktops & servers Secure Word Press Websites Basic of Themes & plugins Develop and test is a local environment Basic Of MySQL and XAMPP Best Practices for securing your email using Server Policy Frame Work
SECURE YOUR LOCAL WORKING ENVIRONMENT Keep your software up to date – windows update on a regular basis Install antivirus on all computers & servers keep antivirus up to date Implement a hardware or software firewall solution when ever possible
ANTI VIRUS, FIREWALLS, MALWARE Free solutions www.comodo.com – Firewall and internet security remove GeekBuddy 24/7 up sell www.zonealarm.com – Free firewall http://www.avast.com – Basic antivirus http://www.avg.com Basic free antivirus
ANTI VIRUS, FIREWALLS, MALWARE Malware is the concealment of Virus Trojan Horses Rootkits Backdoors Malware Bytes http://www.malwarebytes.org What Is It… ―Today, malware is used primarily to steal sensitive information of personal, financial, or business importance by black hat hackers with harmful intentions‖
SECURE YOUR LOCAL WORKING ENVIRONMENT Lock Down your Browser HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure. https://www.eff.org/https-everywhere-node No Mention of IE… Keep your Browsers up to date
SECURE YOUR LOCAL WORKING ENVIRONMENT Firefox add on - NoScript Security Suite 2.6.8.5 The best security you can get in a web browser! Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks. https://addons.mozilla.org/en-US/firefox/addon/noscript/ Note It take a little while to configure your sites
WHAT HAS MY ISP DONE FOR ME LATELY Does my ISP notify me of server / database upgrades Do they lock me out if there are too many login attempts do they let you know Are you on a shared server or dedicated server (Cross Contamination) - and if so
WHAT HAS MY ISP DONE FOR ME LATELY Are your sites segmented Do you have one master account for access to all accounts Own one Own All
WHAT HAS MY ISP DONE FOR ME LATELY Do you have a limitation on your MSQL data base (how many records can you have) how big can your Database be !!! Do they offer a Sender Policy Framework for Email What‘s Technical like Phone | Email | 24/7 or when ever we decide to get back to you
WHAT HAS MY ISP DONE FOR ME LATELY What‘s there Service Level Agreement like (SLA) Do they offer backup services What's there data retention policy like
TWO STEP AUTHENTICATION 3RD PARTY APPS
TWO STEP AUTHENTICATION – DROP BOX 3RD PARTY APPS 1. Sign in to the Dropbox website. 2. Click on your name from the upperright of any page to open your account menu. 3. Click Settings from the account menu and select the Security tab, 4. Under the Account sign in section, next to Two-step verification, click Enable.
TWO STEP AUTHENTICATION 3RD PARTY APPS Just a few more account that have two step authentication. LinkedIn – New after they were hacked nearly 6.5 million user Microsoft Accounts Wordpress.com Godaddy.com
FTP – DON’T GET ME STARTED !!! File Transfer Protocol – FTP It‘s Not Secure and has no encryption of data Stop Using It Right Now The SSH File Transfer Protocol (also known as Secure FTP and SFTP) is a better solution.
FTP – DON’T GET ME STARTED !!! You may need to contact your ISP / hosting provider to activate or install. You may also need to use different port numbers 21 or 22 Secure FTP also gives you root access to directories and subdirectories to all account – So be carful when transferring files or accessing accounts
PASSWORDS MANAGEMENT PASSWORDS VS. PASS PHRASES Passwords Pass Phrases Passwords tend to be really Phase Phrases tend to be much common Dictionary words. Easy to guess / crack longer and hander to guess / crack Longer character set with Password is a bad password special characters
PASSWORDS MANAGEMENT Password Example Your wife name is: Tonya changed O to zero T0nya Passphrase Example MyWifeT0nyaCant_Cook (Still common but a little harder to crack)
PASSWORDS MANAGEMENT Add Upper and lower case as well as special characters MyW1feT0nyaCant_Cook#@! And if for some reason your wife needs your password…..Change it QUICK MyW1fe_T0nyaIs_A_GrateC00k
PASSWORDS MANAGEMENT www.lastpass.com can be used on all devices Auto fill users names & passwords
PASSWORDS MANAGEMENT www.RoboForm.com https://www.passpack.com http://keepass.info/ These programs have the ability to generate complex passwords that are hard to remember unless you are using a password manager
WORDPRESS SECURITY
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! $$$ Financial gain $$$ Hackers make money in a few ways‘ Affiliate marking referrals – pay per click Zero Day exploitations
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! Phama hacks (Viagra) counterfeit drugs, Change DB | insert Spam | add a backdoor, Redirect URL
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! Site redirections SEO Poison of your keywords Access to members ship lists Ecommerce theft – such as Infusion soft and PayPal Credit cards information
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! Defacement of site – Script kids just #being shit heads Install backdoor software – own one own all Malicious redirect – they make money from Pay Per Click Injections – Iframe specifically Identity Theft #juststeelingyourshit
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! • Email compromise allowing for Phishing attacks • CryptoLocker ransomware attacks ‗The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment‘
HOW DOES THIS AFFECT ME & MY BUSINESS • Loss of trust with clients • Loss of business • Loss of time effort and lots of money to fix your website • Tarnish your online reputation
THIS THREAT IS NOT REAL IS IT Just a few stats to scare the crap out of you • 12,000 to 14,000 site per day are blacklisted • Google documents and issues 5 Million warring's per week
DOMAIN NAME MANAGEMENT Make sure you or your clients *Domain Name Extortion own there Domain Name Setup Auto renewal Example: www.sitedudes.com No long term contracts my ass !!! Add Privacy to your domain if They did offer a complementary ass kicking…though possible – making it harder to steal
WORDPRESS SECURITY INSTALL REVIEW Most WP setup out of the box are configured with -admin (username) -password (you create) You have just help a hacker with ½ the answers to your login by using admin as a user name
WORDPRESS SECURITY Install Google Authenticator Plugin for WordPress. Hackers Now Need - Your long user name - Long complex password - TXT sent to your phone
WORDPRESS SECURITY Create A User name that is at least 15 characters including Upper and Lower case including special characters Password use a program such at Lastpass to create a long and complex password
WORDPRESS SECURITY Limit login attempts plugins will help to stop Brute Force attacks by locking your site after a specific amount of attempts.
WORDPRESS SECURITY Example – Brute Force Attack
SO WHAT CAN I DO TO REDUCE MY RISK • Remove all unused Themes & Plugins • Monitor your website on a regular basis • Keep you site up to date • Change file permission from standard defaults • Remove user and roles if they are not being used • Keep your production server tidy – It not a backup server or file server
WP USERS & THERE ROLES Administrator Editor Author Contributor Subscriber
SO IS YOUR SITE UP TO DATE MAJOR RELEASE VS. POINT RELEASE WP 3.6 – 3.7 Major Release Old calls & functions Core Security flaws Performance Issues Core related issues
SO IS YOUR SITE UP TO DATE WP 3.7.1 POINT RELEASE WP 3.7.1 Point Release Bug Fix Security Updates Images with caption fixed visual editor fixed NOTE: Major and Minor updates still have the ability to bring your site down or cause issues. This is why you should always backup your production site. Replicate your site in a test environment and make sure that there are no errors and issues.
TOOLS TO TEST YOUR SITE http://sucuri.net/ Software version Blacklisted Malware Malicious javascript Malicious Iframes Drive By Downloads Anomaly detection IE – only attacks Suspicious redirects Spam
WORDPRESS SECURITY So what‘s a Theme ??? Themes will define the look and feel of your site Theme is a theme that inherits the functionality of another theme, called the parent theme. Child theme allows you to modify, or add to the functionality of that parent theme.
WORDPRESS SECURITY A child theme is the safest and easiest way to modify an existing theme, whether you want to make a few tiny changes or extensive changes. Instead of modifying the theme files directly, you can create a child theme and override within.
WORDPRESS SECURITY Responsive Design - Will resize the look and feel for Mobile devices such as smart phones, tables, netbooks, Note: when purchasing themes look at the Developers upgrade status If the theme has not been updates in a while keep looking
TIMTHUMB COMMERCIAL THEMES EXPLOITATION An image resizing utility called timthumb.php Bundled in some commercial /free Remote Code Execution Themes
TIMTHUMB COMMERCIAL THEMES EXPLOITATION SQL Injection Vulnerability Google shows over 39 million results for the script name If you find it fix it right away This Themes is still active and a huge problem in the WP community
CREATE A TEST ENVIORNMENT Used to develop or replicate a website in a local environment Test themes / plugins / applications before they go live Use a staging environment for testing for virus / defects
PLUGINS EXPLAINED What's a WP Plugging ??? WP plugins are used to add additional functionality to your site. Including; security, performance, calendars, social media, Fonts, custom features, site backups, Before install a plug in make sure its compatible with your version of WP review the author and make sure they keep up to date with current WP versions and standards and best practices
SOME KICK ASS PLUGINS Limit login attempts WP security Google authentication DEVEOLPMENT TOOLS Notepad Plus Asana.com – used for project management
CREATE A TEST ENVIRONMENT Microsoft Webmatrix BitNami WordPress local install
CREATE A TEST ENVIORNMENT TOOLS FOR CREATING A LOCAL TEST ENVIORNMENT Microsoft Webmatrix http://www.microsoft.com/web/webmatrix/ Installing Webmatrix may not work correctly if you have Skype installed that also used port 80 or any other program that used port 80 It also requires some file modification to move it from test environment to production
CREATE A TEST ENVIORNMENT Bitnami.com Simple application deployment from development to production Bitnami supports Windows, Mac OS X and Linux operating systems, VMware virtualized environments You can also use a sub direct on your production website
CREATE A TEST ENVIRONMENT Local development also required software to run the local database. Xampp - http://www.apachefriends.org/en/xampp.html Wamp - http://sourceforge.net/projects/wampserver/ The following two software use localhost for development The package includes the Apache web server, MySQL, SQLite, PHP, Perl, a FTP
CONCLUSION TO THE PRESENTATION Question & Answers Contact Info Garry McNeilly Kojac Consulting www.kojac-consulting.com garry@kojac-consulting.com Phone: 416-898-9084 WordPress Security 101 . Hackers, Scoundrels, and Villains, Oh my

More Related Content

PDF
Wordpress 101 Guide Ebook Free
byhuutienmmo
 
PPTX
WordPress Resources Nov 2014
byJudy Wilson
 
PDF
WordCamp Nashville 2015 From Zero to WordPress Publish (Beginner's WordPress)
byMichele Butcher-Jones
 
PDF
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
byVlad Lasky
 
PPTX
Migrating from WordPress.com
byAndrew Epperson
 
PPT
Securing Your WordPress Website - WordCamp GC 2011
byVlad Lasky
 
PDF
Responsible [digital] Home Ownership
byDenise (Dee) Teal
 
PPTX
WordPress End-User Security
byDre Armeda
 
Wordpress 101 Guide Ebook Free
byhuutienmmo
 
WordPress Resources Nov 2014
byJudy Wilson
 
WordCamp Nashville 2015 From Zero to WordPress Publish (Beginner's WordPress)
byMichele Butcher-Jones
 
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
byVlad Lasky
 
Migrating from WordPress.com
byAndrew Epperson
 
Securing Your WordPress Website - WordCamp GC 2011
byVlad Lasky
 
Responsible [digital] Home Ownership
byDenise (Dee) Teal
 
WordPress End-User Security
byDre Armeda
 

What's hot

PDF
Lockdown WordPress
byDre Armeda
 
PPT
WordPress End-User Security - WordCamp Las Vegas 2011
byDre Armeda
 
PPT
7. mastering wordpress
byMoreNiche
 
PPT
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
byDre Armeda
 
PPTX
WordPress for beginners lesson 4 fall2015 JALC
byMichele Butcher-Jones
 
PPT
Tips to improve word press security ppt
byCheap SSL Coupon Code
 
PPT
WordPress Security
byBrad Williams
 
PDF
Your Site Has Been Hacked, Now What?
byMichele Butcher-Jones
 
PPTX
WordPress Security Updated - NYC Meetup 2009
byBrad Williams
 
PPTX
Securing Your Joomla website
byMike Carson
 
KEY
Securing WordPress by Jeff Hoffman
byJeff Hoffman
 
PPT
Securing Your WordPress Website by Vlad Lasky
bywordcampgc
 
PPTX
WordCamp RI 2015 - Beginner WordPress Workshop
byElla J Designs
 
KEY
Optimize wordpress
byDavid Parsons
 
PPT
PHP SA 2013 - The weak points in our PHP projects
byxsist10
 
PDF
WordPress Security Presentation
byAndrew Paton
 
PDF
Introduction to WordPress Security
byShawn Hooper
 
PDF
WordPress Security WordCamp OC 2013
byBrad Williams
 
PDF
WordPress Security Essentials WordCamp Denver 2012
byAngela Bowman
 
PPTX
Protect Your WordPress From The Inside Out
bySiteGround.com
 
Lockdown WordPress
byDre Armeda
 
WordPress End-User Security - WordCamp Las Vegas 2011
byDre Armeda
 
7. mastering wordpress
byMoreNiche
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
byDre Armeda
 
WordPress for beginners lesson 4 fall2015 JALC
byMichele Butcher-Jones
 
Tips to improve word press security ppt
byCheap SSL Coupon Code
 
WordPress Security
byBrad Williams
 
Your Site Has Been Hacked, Now What?
byMichele Butcher-Jones
 
WordPress Security Updated - NYC Meetup 2009
byBrad Williams
 
Securing Your Joomla website
byMike Carson
 
Securing WordPress by Jeff Hoffman
byJeff Hoffman
 
Securing Your WordPress Website by Vlad Lasky
bywordcampgc
 
WordCamp RI 2015 - Beginner WordPress Workshop
byElla J Designs
 
Optimize wordpress
byDavid Parsons
 
PHP SA 2013 - The weak points in our PHP projects
byxsist10
 
WordPress Security Presentation
byAndrew Paton
 
Introduction to WordPress Security
byShawn Hooper
 
WordPress Security WordCamp OC 2013
byBrad Williams
 
WordPress Security Essentials WordCamp Denver 2012
byAngela Bowman
 
Protect Your WordPress From The Inside Out
bySiteGround.com
 

Viewers also liked

PPTX
Сказка о Фролке
byNataliya Shylo
 
PPT
бляхарский
byInterExpo Geo-siberia
 
PPSX
La fraternidad del libro, 1
byPedro Mañas Navarro
 
PDF
Menen stedelijke infogids_2014
byJan Duchau Zakelijke Dienstverlening
 
PDF
Snapshot on the French Oncology Market March 2010
bythomasmartinelli94
 
PDF
Cоздаем пробки или тюнинг postgresql для расчетных задач
byDevDay
 
PDF
infokrant Nevele februari 2014
byRegina De Meyer
 
Сказка о Фролке
byNataliya Shylo
 
бляхарский
byInterExpo Geo-siberia
 
La fraternidad del libro, 1
byPedro Mañas Navarro
 
Menen stedelijke infogids_2014
byJan Duchau Zakelijke Dienstverlening
 
Snapshot on the French Oncology Market March 2010
bythomasmartinelli94
 
Cоздаем пробки или тюнинг postgresql для расчетных задач
byDevDay
 
infokrant Nevele februari 2014
byRegina De Meyer
 

Similar to Word press security 101

PDF
Top Ten WordPress Security Tips for 2012
byBrad Williams
 
PDF
WordPress Security 101
byManifest Creative
 
PPTX
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
byBrian Layman
 
PPT
Is your Wordpress safe enough?
bysaidmurat
 
PPTX
WordPress Security and Best Practices
byRobert Vidal
 
ODP
WordPress Security
bySuzette Franck
 
PDF
Are You Safe From Hackers
byMichele Butcher-Jones
 
PDF
ResellerClub Ctrl+F5 - WordPress Security session
byPratik Jagdishwala
 
PPTX
WordPress Security - WordPress Meetup Copenhagen 2013
byThor Kristiansen
 
PPT
WordCamp Philly WordPress End-User Security
byDre Armeda
 
PPT
Blog World 2010 - How to Keep Your Blog from Being Hacked
byBrian Layman
 
PDF
WordPress Security Essentials
byAngela Bowman
 
PDF
Keep Your SIte Secure
byMichele Butcher-Jones
 
PDF
Beginning WordPress Security WordCamp North Canton 2015
byMichele Butcher-Jones
 
PDF
WordCamp Mid-Atlantic WordPress Security
byBrad Williams
 
PPTX
WordPress security
byShelley Magnezi
 
PDF
A Guide To Secure WordPress Website – A Complete Guide.pdf
byHost It Smart
 
PDF
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
PPTX
WordPress Security Best Practices
byZero Point Development
 
PPTX
Locking down word press
byZachary Russell
 
Top Ten WordPress Security Tips for 2012
byBrad Williams
 
WordPress Security 101
byManifest Creative
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
byBrian Layman
 
Is your Wordpress safe enough?
bysaidmurat
 
WordPress Security and Best Practices
byRobert Vidal
 
WordPress Security
bySuzette Franck
 
Are You Safe From Hackers
byMichele Butcher-Jones
 
ResellerClub Ctrl+F5 - WordPress Security session
byPratik Jagdishwala
 
WordPress Security - WordPress Meetup Copenhagen 2013
byThor Kristiansen
 
WordCamp Philly WordPress End-User Security
byDre Armeda
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
byBrian Layman
 
WordPress Security Essentials
byAngela Bowman
 
Keep Your SIte Secure
byMichele Butcher-Jones
 
Beginning WordPress Security WordCamp North Canton 2015
byMichele Butcher-Jones
 
WordCamp Mid-Atlantic WordPress Security
byBrad Williams
 
WordPress security
byShelley Magnezi
 
A Guide To Secure WordPress Website – A Complete Guide.pdf
byHost It Smart
 
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
WordPress Security Best Practices
byZero Point Development
 
Locking down word press
byZachary Russell
 

Recently uploaded

PDF
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
PDF
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
PDF
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
PPTX
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
PDF
Josh Chu Boston - An Innovative Technology Executive
byJosh Chu Boston
 
PDF
DevOps GenAI_ How Generative AI Is Changing Software Delivery.pdf
byDevseccops.ai
 
PPTX
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
PDF
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
PDF
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 
PPTX
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
PDF
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
PPTX
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
PDF
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
PDF
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
PDF
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
PPTX
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
PPTX
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
PDF
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
PDF
threat-hunters-cookbook for cybersecurity
bylobster6719
 
PDF
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 
Scott M. Graffius' Phases of Team Development - Applied to Human Teams and Hu...
byScott M. Graffius
 
Louisville User Group: Transforming Technical Debt into Technical Wealth
byLynda Kane
 
65 AI-related Posts Catalog https://tinyurl.com/mpavkr8z
byBob Marcus
 
On-Device AI with Gemma 3n and PaliGemma 2 Session Slides - GDG VESIT
bygdgcodecellcmpn
 
Josh Chu Boston - An Innovative Technology Executive
byJosh Chu Boston
 
DevOps GenAI_ How Generative AI Is Changing Software Delivery.pdf
byDevseccops.ai
 
DVCON24-IBM ai/ml driven hardware verification
byArun Joseph
 
Digital Transformation Services The Key to Futureproofing Your Business
byQuadrafort Technolgies
 
Chapter 1 Introduction to Computer Security.pdf
byGetnet Tigabie Askale -(GM)
 
KTU-PEMET413 -MODULE 2-POLYMER MATRIX COMPOSITES - LECTURE 1.pptx
byVINAY B
 
Beyond BBB: Practical Alternatives to Posterior Approximation in Bayesian Neu...
byTomasz Kusmierczyk
 
ICT Entrepreneur Quiz for grade 7...........
bykayramos6
 
oracle_apex_tamil_export_an_application.pdf
byUthamaselvan M
 
The Cost of Missing Critical Connections in Data - Suspicious Behavior Detect...
byEnterprise Knowledge
 
Best-Travel-Portal-Development-Solutions-for-Online-Growth
bykashishnagarrajput
 
Sensors-and-Actuators-in-IoT-Systems.pptx
byMuhammedNihal54
 
DATALIVA-Presentation-EN_2026 Budgeting SAP Odoo ERP
byMustafa Kuğu
 
From Compliance to Competitive Advantage Board-Level Cyber Governance Under D...
bySaraDavis91
 
threat-hunters-cookbook for cybersecurity
bylobster6719
 
Saga: The new era of transactions in a microservices architecture
byGiovanni Marigi
 

Word press security 101

  • 1.
    WORDPRESS SECURITY 101 HACKERS,SCOUNDRELS, AND VILLAINS, OH MY PRESENTED BY: GARRY MCNEILLY KOJAC CONSULTING .
  • 2.
    PRESENTATION OVERVIEW You willlearn how to secure your desktops & servers Secure Word Press Websites Basic of Themes & plugins Develop and test is a local environment Basic Of MySQL and XAMPP Best Practices for securing your email using Server Policy Frame Work
  • 3.
    SECURE YOUR LOCALWORKING ENVIRONMENT Keep your software up to date – windows update on a regular basis Install antivirus on all computers & servers keep antivirus up to date Implement a hardware or software firewall solution when ever possible
  • 4.
    ANTI VIRUS, FIREWALLS,MALWARE Free solutions www.comodo.com – Firewall and internet security remove GeekBuddy 24/7 up sell www.zonealarm.com – Free firewall http://www.avast.com – Basic antivirus http://www.avg.com Basic free antivirus
  • 5.
    ANTI VIRUS, FIREWALLS,MALWARE Malware is the concealment of Virus Trojan Horses Rootkits Backdoors Malware Bytes http://www.malwarebytes.org What Is It… ―Today, malware is used primarily to steal sensitive information of personal, financial, or business importance by black hat hackers with harmful intentions‖
  • 6.
    SECURE YOUR LOCALWORKING ENVIRONMENT Lock Down your Browser HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure. https://www.eff.org/https-everywhere-node No Mention of IE… Keep your Browsers up to date
  • 7.
    SECURE YOUR LOCALWORKING ENVIRONMENT Firefox add on - NoScript Security Suite 2.6.8.5 The best security you can get in a web browser! Allow active content to run only from sites you trust, and protect yourself against XSS and Clickjacking attacks. https://addons.mozilla.org/en-US/firefox/addon/noscript/ Note It take a little while to configure your sites
  • 8.
    WHAT HAS MYISP DONE FOR ME LATELY Does my ISP notify me of server / database upgrades Do they lock me out if there are too many login attempts do they let you know Are you on a shared server or dedicated server (Cross Contamination) - and if so
  • 9.
    WHAT HAS MYISP DONE FOR ME LATELY Are your sites segmented Do you have one master account for access to all accounts Own one Own All
  • 10.
    WHAT HAS MYISP DONE FOR ME LATELY Do you have a limitation on your MSQL data base (how many records can you have) how big can your Database be !!! Do they offer a Sender Policy Framework for Email What‘s Technical like Phone | Email | 24/7 or when ever we decide to get back to you
  • 11.
    WHAT HAS MYISP DONE FOR ME LATELY What‘s there Service Level Agreement like (SLA) Do they offer backup services What's there data retention policy like
  • 12.
  • 13.
    TWO STEP AUTHENTICATION– DROP BOX 3RD PARTY APPS 1. Sign in to the Dropbox website. 2. Click on your name from the upperright of any page to open your account menu. 3. Click Settings from the account menu and select the Security tab, 4. Under the Account sign in section, next to Two-step verification, click Enable.
  • 14.
    TWO STEP AUTHENTICATION 3RDPARTY APPS Just a few more account that have two step authentication. LinkedIn – New after they were hacked nearly 6.5 million user Microsoft Accounts Wordpress.com Godaddy.com
  • 15.
    FTP – DON’TGET ME STARTED !!! File Transfer Protocol – FTP It‘s Not Secure and has no encryption of data Stop Using It Right Now The SSH File Transfer Protocol (also known as Secure FTP and SFTP) is a better solution.
  • 16.
    FTP – DON’TGET ME STARTED !!! You may need to contact your ISP / hosting provider to activate or install. You may also need to use different port numbers 21 or 22 Secure FTP also gives you root access to directories and subdirectories to all account – So be carful when transferring files or accessing accounts
  • 17.
    PASSWORDS MANAGEMENT PASSWORDS VS.PASS PHRASES Passwords Pass Phrases Passwords tend to be really Phase Phrases tend to be much common Dictionary words. Easy to guess / crack longer and hander to guess / crack Longer character set with Password is a bad password special characters
  • 18.
    PASSWORDS MANAGEMENT Password Example Yourwife name is: Tonya changed O to zero T0nya Passphrase Example MyWifeT0nyaCant_Cook (Still common but a little harder to crack)
  • 19.
    PASSWORDS MANAGEMENT Add Upperand lower case as well as special characters MyW1feT0nyaCant_Cook#@! And if for some reason your wife needs your password…..Change it QUICK MyW1fe_T0nyaIs_A_GrateC00k
  • 20.
    PASSWORDS MANAGEMENT www.lastpass.com can beused on all devices Auto fill users names & passwords
  • 21.
    PASSWORDS MANAGEMENT www.RoboForm.com https://www.passpack.com http://keepass.info/ These programshave the ability to generate complex passwords that are hard to remember unless you are using a password manager
  • 22.
  • 23.
    WHAT WILL AHACKER GAIN FROM MESSING WITH MY SITE !!! $$$ Financial gain $$$ Hackers make money in a few ways‘ Affiliate marking referrals – pay per click Zero Day exploitations
  • 24.
    WHAT WILL AHACKER GAIN FROM MESSING WITH MY SITE !!! Phama hacks (Viagra) counterfeit drugs, Change DB | insert Spam | add a backdoor, Redirect URL
  • 25.
    WHAT WILL AHACKER GAIN FROM MESSING WITH MY SITE !!! Site redirections SEO Poison of your keywords Access to members ship lists Ecommerce theft – such as Infusion soft and PayPal Credit cards information
  • 26.
    WHAT WILL AHACKER GAIN FROM MESSING WITH MY SITE !!! Defacement of site – Script kids just #being shit heads Install backdoor software – own one own all Malicious redirect – they make money from Pay Per Click Injections – Iframe specifically Identity Theft #juststeelingyourshit
  • 27.
    WHAT WILL AHACKER GAIN FROM MESSING WITH MY SITE !!! • Email compromise allowing for Phishing attacks • CryptoLocker ransomware attacks ‗The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment‘
  • 28.
    HOW DOES THISAFFECT ME & MY BUSINESS • Loss of trust with clients • Loss of business • Loss of time effort and lots of money to fix your website • Tarnish your online reputation
  • 29.
    THIS THREAT ISNOT REAL IS IT Just a few stats to scare the crap out of you • 12,000 to 14,000 site per day are blacklisted • Google documents and issues 5 Million warring's per week
  • 30.
    DOMAIN NAME MANAGEMENT Makesure you or your clients *Domain Name Extortion own there Domain Name Setup Auto renewal Example: www.sitedudes.com No long term contracts my ass !!! Add Privacy to your domain if They did offer a complementary ass kicking…though possible – making it harder to steal
  • 31.
    WORDPRESS SECURITY INSTALL REVIEW MostWP setup out of the box are configured with -admin (username) -password (you create) You have just help a hacker with ½ the answers to your login by using admin as a user name
  • 32.
    WORDPRESS SECURITY Install GoogleAuthenticator Plugin for WordPress. Hackers Now Need - Your long user name - Long complex password - TXT sent to your phone
  • 33.
    WORDPRESS SECURITY Create AUser name that is at least 15 characters including Upper and Lower case including special characters Password use a program such at Lastpass to create a long and complex password
  • 34.
    WORDPRESS SECURITY Limit loginattempts plugins will help to stop Brute Force attacks by locking your site after a specific amount of attempts.
  • 35.
  • 36.
    SO WHAT CANI DO TO REDUCE MY RISK • Remove all unused Themes & Plugins • Monitor your website on a regular basis • Keep you site up to date • Change file permission from standard defaults • Remove user and roles if they are not being used • Keep your production server tidy – It not a backup server or file server
  • 37.
    WP USERS &THERE ROLES Administrator Editor Author Contributor Subscriber
  • 38.
    SO IS YOURSITE UP TO DATE MAJOR RELEASE VS. POINT RELEASE WP 3.6 – 3.7 Major Release Old calls & functions Core Security flaws Performance Issues Core related issues
  • 39.
    SO IS YOURSITE UP TO DATE WP 3.7.1 POINT RELEASE WP 3.7.1 Point Release Bug Fix Security Updates Images with caption fixed visual editor fixed NOTE: Major and Minor updates still have the ability to bring your site down or cause issues. This is why you should always backup your production site. Replicate your site in a test environment and make sure that there are no errors and issues.
  • 40.
    TOOLS TO TESTYOUR SITE http://sucuri.net/ Software version Blacklisted Malware Malicious javascript Malicious Iframes Drive By Downloads Anomaly detection IE – only attacks Suspicious redirects Spam
  • 41.
    WORDPRESS SECURITY So what‘sa Theme ??? Themes will define the look and feel of your site Theme is a theme that inherits the functionality of another theme, called the parent theme. Child theme allows you to modify, or add to the functionality of that parent theme.
  • 42.
    WORDPRESS SECURITY A childtheme is the safest and easiest way to modify an existing theme, whether you want to make a few tiny changes or extensive changes. Instead of modifying the theme files directly, you can create a child theme and override within.
  • 43.
    WORDPRESS SECURITY Responsive Design- Will resize the look and feel for Mobile devices such as smart phones, tables, netbooks, Note: when purchasing themes look at the Developers upgrade status If the theme has not been updates in a while keep looking
  • 44.
    TIMTHUMB COMMERCIAL THEMES EXPLOITATION Animage resizing utility called timthumb.php Bundled in some commercial /free Remote Code Execution Themes
  • 45.
    TIMTHUMB COMMERCIAL THEMES EXPLOITATION SQLInjection Vulnerability Google shows over 39 million results for the script name If you find it fix it right away This Themes is still active and a huge problem in the WP community
  • 46.
    CREATE A TESTENVIORNMENT Used to develop or replicate a website in a local environment Test themes / plugins / applications before they go live Use a staging environment for testing for virus / defects
  • 47.
    PLUGINS EXPLAINED What's aWP Plugging ??? WP plugins are used to add additional functionality to your site. Including; security, performance, calendars, social media, Fonts, custom features, site backups, Before install a plug in make sure its compatible with your version of WP review the author and make sure they keep up to date with current WP versions and standards and best practices
  • 48.
    SOME KICK ASSPLUGINS Limit login attempts WP security Google authentication DEVEOLPMENT TOOLS Notepad Plus Asana.com – used for project management
  • 49.
    CREATE A TESTENVIRONMENT Microsoft Webmatrix BitNami WordPress local install
  • 50.
    CREATE A TESTENVIORNMENT TOOLS FOR CREATING A LOCAL TEST ENVIORNMENT Microsoft Webmatrix http://www.microsoft.com/web/webmatrix/ Installing Webmatrix may not work correctly if you have Skype installed that also used port 80 or any other program that used port 80 It also requires some file modification to move it from test environment to production
  • 51.
    CREATE A TESTENVIORNMENT Bitnami.com Simple application deployment from development to production Bitnami supports Windows, Mac OS X and Linux operating systems, VMware virtualized environments You can also use a sub direct on your production website
  • 52.
    CREATE A TESTENVIRONMENT Local development also required software to run the local database. Xampp - http://www.apachefriends.org/en/xampp.html Wamp - http://sourceforge.net/projects/wampserver/ The following two software use localhost for development The package includes the Apache web server, MySQL, SQLite, PHP, Perl, a FTP
  • 53.
    CONCLUSION TO THEPRESENTATION Question & Answers Contact Info Garry McNeilly Kojac Consulting www.kojac-consulting.com garry@kojac-consulting.com Phone: 416-898-9084 WordPress Security 101 . Hackers, Scoundrels, and Villains, Oh my