WordPress Security and Best Practices
Robert Vidal, ABCP OSCP OSWP
robert.vidal@infotransec.com
http://www.infotransec.com
About Me:
• Robert Vidal, ABCP OSCP OSWP Cert. IS-CF
• Associate Business Continuity Professional (ABCP)
• Certified Vulnerability and Penetration Testing Professional (OSCP)
• Certified Wireless Security Professional (OSWP)
• Certificate in Information Security and Computer Forensics (Cert. IS-CF)
• Information Security Analyst – InfoTransec (Hamilton)
• Specializing in Network and Application Security
• Industry Compliance and Governance
• IT industry since 2005
• Focused on security since 2008
• Working with WordPress since 2011
About InfoTransec:
• Our focus is always on delivering high-quality solutions to our clients through current industry standards and recognized frameworks and benchmarks.
• Services include:
• Network and Web Application Vulnerability Assessments and Penetration Testing
• Information Security Services
• Managed IT
• Computer Forensics
• Data Recovery
• eDiscovery
• CyberStalking / CyberBullying
WordPress Defaults
• WordPress is open source, so anyone can download it and study the default settings and file layout.
• An attacker who has that map of your site can plan an attack against it instead of probing blindly.
• What this means:
• The default administrator username ('admin') is known
• The file structure is known (wp-admin/, wp-includes/, wp-content/, wp-login.php)
• The database structure is known (wp_users, wp_options, wp_posts, ...)
• The location of the configuration file holding the database credentials (wp-config.php) and of the table holding user password hashes (wp_users) is known
• The location of plugins, themes and uploads (wp-content/plugins/, wp-content/themes/, wp-content/uploads/) is known
• The WordPress version can be enumerated
Recommendations:
• Do not keep 'admin' as the Administrator username
• Pick a username that cannot be guessed from your name or domain. Note that WordPress only accepts letters, digits, spaces, underscores, hyphens, periods and @ in usernames, so an example such as R0b3rtV!d@l is rejected as invalid because of the '!'. Also note that the login name still leaks through author archives (/?author=1 redirects to /author/<login>/) and the REST users endpoint, so an unusual username is a small gain; the password and a login lockout carry the real weight.
• Remove author names from pages and posts
• Account names are exposed when content is published (the author link on each post points at /author/<login>/)
• Plugin "WP Author, Date and Meta Remover" https://wordpress.org/plugins/wp-author-date-and-meta-remover/
• Use a non-default database table prefix
• Upon installation, specify a unique table prefix (not wp_)
• Modify WordPress after installation
• Manually via phpMyAdmin (rename every table) and wp-config.php ($table_prefix), then also rename the prefixed rows in the options and usermeta tables (wp_user_roles, wp_capabilities, wp_user_level) or nobody can log in
• Plugin "Change DB Prefix" https://wordpress.org/plugins/db-prefix-change/
• Caveat: a custom prefix only defeats the most naive SQL injection payloads; any injection that can read information_schema learns the real prefix in one query
• Remove the WordPress version from the source code
• Add to functions.php: remove_action('wp_head', 'wp_generator');
• This removes only the <meta name="generator"> tag in the page head. The same version string is printed in the RSS/Atom feeds, appended as ?ver= to core scripts and styles, and shown in readme.html in the web root, so deal with those as well. Hiding the version slows scanners down but does not remove a vulnerability; updating does.
• Plugin "Remove Version" https://wordpress.org/plugins/remove-version-remver/
• Delete unused themes and plugins
• Hello Dolly / Akismet / Jetpack, etc. A deactivated plugin is still on disk and its files are still served by URL, so a flaw in a standalone script it ships can be exploited without the plugin ever being active.
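The single remove_action() line on this slide closes one leak. As an added example for this deck (not code from the slides or from any of the plugins it names), the must-use plugin below covers the others discussed here: the generator tag in feeds, the ?ver= query string on core assets, and the two places a login name is exposed to anonymous visitors. The file name and the disclosure_ function prefix are my own choices; everything else is the stock WordPress hook API.

```php
<?php
/**
 * Plugin Name: Information-disclosure hardening (added example)
 *
 * Save as wp-content/mu-plugins/disclosure-hardening.php. Must-use plugins
 * load before the theme and cannot be switched off from the dashboard.
 * Added example for this deck, not code from the slides; the file name and
 * the disclosure_ prefix are assumptions.
 */

// 1. The slide's remove_action() only covers <head>. The same generator tag is
//    printed into RSS/Atom feeds by the_generator(), so blank it at the source.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 2. Core scripts and styles are enqueued as ...?ver=<WordPress version>.
//    Drop the query string only when it carries the core version; assets that
//    set their own version (jQuery, plugins) keep it, so browser caching still works.
function disclosure_strip_core_ver( $src ) {
    global $wp_version;
    if ( preg_match( '/[?&]ver=' . preg_quote( $wp_version, '/' ) . '(&|$)/', $src ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'disclosure_strip_core_ver', 20 );
add_filter( 'style_loader_src',  'disclosure_strip_core_ver', 20 );

// 3. Login names: /?author=1 redirects to /author/<login>/ and
//    /wp-json/wp/v2/users lists every user who has published content. Both are
//    what WPScan's user enumeration reads. Refuse them to anonymous visitors.
function disclosure_block_author_query() {
    if ( ! is_admin() && isset( $_GET['author'] ) && ! is_user_logged_in() ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }
}
add_action( 'init', 'disclosure_block_author_query' );

function disclosure_hide_users_endpoint( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    // Route keys exactly as core registers them for the users controller.
    unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    return $endpoints;
}
add_filter( 'rest_endpoints', 'disclosure_hide_users_endpoint' );
```

readme.html is not covered by any hook because it is a static file: delete it after each core update or deny it in the web server configuration. Logged-in editors keep the REST users endpoint, which the block editor and some plugins need.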
Q: Who is hacking your site?
A: Everyone
• Everyone from your competitors, to black-hat SEO operators, to hackers and script kiddies.
• Attackers use automated scanners and Google dork searches to locate vulnerable WordPress installations, plugins or themes that they can exploit.
• Google dork: a search query crafted to find sites or information that was never intended to be indexed by Google
• inurl:wp-content/
• inurl:"/wp-content/plugins/wp-shopping-cart/"
• inurl:"wp-content/plugins/wp-dbmanager/"
• What this means:
• Malware can be injected into the site
• Brute-force login attempts can run for days or weeks against wp-login.php (and xmlrpc.php, which also accepts credentials)
• Your site may become slow or unresponsive while handling the flood of requests
• Tools can scan your site and enumerate what is installed: version, plugins, themes and user names
• WPScan
• Nmap (http-wordpress-enum NSE script)
Recommendations
• Think like a hacker
• Limit search exposure and restrict access from regions you do not serve
• If you offer products and services to people or businesses in the Hamilton area, why allow visitors from Russia, Ukraine or China?
• Use Webmaster Tools to set a preferred target location
• Use an IP-blocking plugin to restrict access (caveat: geo-blocking cuts the background noise, not a targeted attacker, who simply proxies through a host in an allowed country)
• Block information your visitors do not need to see
• Modify robots.txt to keep well-behaved crawlers out of wp-admin/ and similar paths. robots.txt is public and advisory only, so never list a path there that you actually want hidden; protect those with access controls instead.
• Modify .htaccess to enforce access rules (deny requests for wp-config.php, disable PHP execution under wp-content/uploads/) and set secure permissions on the server itself with chmod (directories 755, files 644, wp-config.php 600 or 640)
• Take proactive measures:
• Install a lockout plugin that locks an account or IP after a number of failed login attempts
• Scan the site regularly for malware
• Sucuri SiteCheck
• Run WPScan and Nmap against your own site to see what an attacker can enumerate
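The slide recommends running the same enumeration tools an attacker would. As an added example for this deck (not code from the slides or from WPScan), the script below reproduces the three version fingerprints a scanner reads from a site, so it doubles as the check for the "remove the version" step on the earlier slide: if it still prints a version after hardening, the hardening is incomplete. The sample HTML and readme text are constructed for the demo, not captured from a real site; the script name is an assumption.

```php
<?php
/**
 * wp_fingerprint.php: the three places a scanner such as WPScan reads the
 * WordPress version from. Added example for this deck, not code from the
 * slides or from WPScan; the samples below are constructed.
 *
 * Usage: php wp_fingerprint.php                      (runs against the samples)
 *        php wp_fingerprint.php https://example.com/ (fetches / and /readme.html)
 */

/** Return the version strings found in a home page and readme, keyed by where each leaked. */
function wp_version_leaks( string $html, string $readme = '' ): array {
    $leaks = array();

    // 1. <meta name="generator" content="WordPress X.Y.Z" /> printed by wp_generator().
    if ( preg_match( '/<meta name="generator" content="WordPress ([\d.]+)"/i', $html, $m ) ) {
        $leaks['meta_generator'] = $m[1];
    }

    // 2. Core scripts and styles are enqueued with ?ver=<core version>. Bundled
    //    libraries carry their own version (jQuery below), so take the value that
    //    repeats across core assets, which is what a scanner does.
    if ( preg_match_all( '#/wp-(?:includes|admin)/[^"\'\s]*\?ver=([\d.]+)#', $html, $m ) ) {
        $counts = array_count_values( $m[1] );
        arsort( $counts );
        $leaks['asset_ver'] = (string) key( $counts );
    }

    // 3. readme.html in the web root prints "Version X.Y.Z" in its header.
    if ( $readme !== '' && preg_match( '/Version ([\d.]+)/', $readme, $m ) ) {
        $leaks['readme_html'] = $m[1];
    }

    return $leaks;
}

// Constructed sample of an unhardened home page and readme (not a real site).
$sample_html = <<<'HTML'
<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel='stylesheet' href='https://example.com/wp-includes/css/dashicons.min.css?ver=4.9.8' />
<script src='https://example.com/wp-includes/js/jquery/jquery.js?ver=1.12.4'></script>
<script src='https://example.com/wp-includes/js/wp-embed.min.js?ver=4.9.8'></script>
</head><body></body></html>
HTML;
$sample_readme = '<h1 id="logo"><img alt="WordPress" src="wp-admin/images/wordpress-logo.png" /><br /> Version 4.9.8</h1>';

if ( PHP_SAPI === 'cli' ) {
    if ( isset( $argv[1] ) ) {
        // Live mode: only run this against a site you own or are authorized to test.
        $base   = rtrim( $argv[1], '/' ) . '/';
        $html   = (string) @file_get_contents( $base );
        $readme = (string) @file_get_contents( $base . 'readme.html' );
    } else {
        $html   = $sample_html;
        $readme = $sample_readme;
    }
    $leaks = wp_version_leaks( $html, $readme );
    echo $leaks ? print_r( $leaks, true ) : "no version string found\n";
}
```

Against the constructed sample all three keys report 4.9.8, which is the point: removing the meta tag alone leaves two of the three in place. WPScan additionally hashes known core files, so an empty result here means the cheap fingerprints are gone, not that the version is undiscoverable.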
• Identify vulnerable plugins and themes and update them
• http://www.wordpressexploit.com/ (WordPress exploits)
• https://wpvulndb.com/ (WordPress Vulnerability Database)
• http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/ (CVE Details: WordPress core entries)
• Security plugins:
• https://wordpress.org/plugins/wordfence/ (Wordfence)
• Blocking features, login security, security scanning, firewall, monitoring
• https://wordpress.org/plugins/sucuri-scanner/ (Sucuri Scanner)
• Security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, security hardening, post-hack security actions, security notifications, website firewall
• https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ (All In One WP Security & Firewall)
• User account security, login, registration, database, file system security, IP blocking, firewall and more
• Caveat: a plugin firewall runs inside WordPress, after the web server and PHP have already handled the request, so it cannot protect against flaws below that layer. Pick one security plugin and keep it updated rather than stacking several that fight over the same hooks.
What does this mean?
Q: If a hacker gains access to your site, what can they do?
A: Anything they want
• Files can be added or modified without your knowledge
• Google may flag your site as hacked, lowering your Google ranking
• Your site may be filled with spam links, lowering your Google ranking
• You may unknowingly be infecting your visitors with viruses or malicious code
• Visitors may be redirected off your site immediately
• The website can be defaced
• Backdoors can be added that lead to future problems long after the first clean-up
• You can be locked out of your own site
• Anything else they wish
What to do:
• Back up your files and database regularly!!!
With a known-good copy you can diff the live files against it, or simply revert to it
• Use plugins that detect file changes and alert you by email
• https://wordpress.org/plugins/wordfence/ (Wordfence)
• Limit the number of registered users on the site, and ensure each account has only the role it needs
• Scan your site for malware regularly
• Sucuri SiteCheck https://sitecheck.sucuri.net/ (FREE)
• Google search the site regularly (site:yourdomain.com)
• FTP into your hosting account and look for:
• Files that end in xxxx_old.php
• Files with unexpected extensions (an image name with a .php extension, such as logo.jpg.php)
• Modification dates: if every file in a directory shares one modified date and a single file differs, that file is probably malware or a backdoor. This is a heuristic only; an attacker can reset timestamps to blend in, so also compare checksums against a clean copy.
• Unexpected files in your directories (any PHP file in an images or uploads directory)
• Install a Web Application Firewall plugin to block malicious activity
• https://en-ca.wordpress.org/plugins/wp-simple-firewall/ (Simple Security Firewall)
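The FTP checks on this slide are tedious by hand over a few thousand files. As an added example for this deck (not code from the slides or from any plugin), the script below automates them over a WordPress tree: leftover _old.php copies, double extensions, PHP under wp-content/uploads, eval()/decode calls in PHP source, and the slide's "one file with a different modified date" test. When run without a path it builds a small constructed fixture with planted indicators so it can be tried offline; the script name, the fixture layout and the heuristic thresholds are assumptions.

```php
<?php
/**
 * wp_hunt.php: automate the manual FTP checks from the slide over a WordPress
 * tree. Added example for this deck, not code from the slides or any plugin;
 * the fixture built in demo mode is constructed, not taken from a real site.
 *
 * Usage: php wp_hunt.php /var/www/html   (scan a real install)
 *        php wp_hunt.php                 (build a throwaway fixture and scan it)
 */

/** Return a list of [relative path, reason] findings for the tree under $root. */
function wp_hunt( string $root ): array {
    $findings      = array();
    $mtimes_by_dir = array();
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );

    foreach ( $it as $file ) {
        $path = $file->getPathname();
        $rel  = str_replace( '\\', '/', substr( $path, strlen( $root ) + 1 ) );
        $name = $file->getFilename();
        $mtimes_by_dir[ dirname( $rel ) ][ $rel ] = $file->getMTime();

        // Leftover copies such as index_old.php are a common place to park a backdoor.
        if ( preg_match( '/_old\.php$/i', $name ) ) {
            $findings[] = array( $rel, 'suspicious _old.php copy' );
        }
        // Double extension: an "image" that the server will execute as PHP.
        if ( preg_match( '/\.(jpe?g|png|gif)\.php$/i', $name ) ) {
            $findings[] = array( $rel, 'image name with .php extension' );
        }
        // PHP has no business under wp-content/uploads.
        if ( strpos( $rel, 'wp-content/uploads/' ) === 0 && preg_match( '/\.php$/i', $name ) ) {
            $findings[] = array( $rel, 'PHP file inside uploads directory' );
        }
        // Obfuscated payloads almost always pass through eval() or a decoder.
        // Core uses base64_decode() legitimately in a few places, so review hits by hand.
        if ( preg_match( '/\.php$/i', $name ) && $file->getSize() < 2000000 ) {
            $src = (string) file_get_contents( $path );
            if ( preg_match( '/\b(eval|base64_decode|gzinflate|str_rot13)\s*\(/', $src ) ) {
                $findings[] = array( $rel, 'eval()/decode call in PHP source' );
            }
        }
    }

    // The slide's mtime check: a single file whose modification time differs
    // from every sibling was touched after the rest of the directory was deployed.
    foreach ( $mtimes_by_dir as $files ) {
        if ( count( $files ) < 3 ) {
            continue;
        }
        $counts = array_count_values( $files );
        arsort( $counts );
        $common = key( $counts );
        foreach ( $files as $rel => $mtime ) {
            if ( $mtime !== $common && $counts[ $mtime ] === 1 ) {
                $findings[] = array( $rel, 'mtime differs from the rest of its directory' );
            }
        }
    }
    return $findings;
}

/** Build a constructed WordPress-like tree with planted indicators (demo only). */
function wp_hunt_fixture(): string {
    $root = sys_get_temp_dir() . '/wp_hunt_' . uniqid();
    $base = strtotime( '2018-06-01 12:00:00' );
    $files = array(
        'wp-includes/a.php'                               => '<?php echo "clean";',
        'wp-includes/b.php'                               => '<?php echo "clean";',
        'wp-includes/c.php'                               => '<?php echo "clean";',
        'wp-includes/class-wp-shell.php'                  => '<?php eval(base64_decode($_POST["x"]));',
        'wp-content/uploads/2018/06/logo.jpg.php'         => '<?php system($_GET["c"]);',
        'wp-content/themes/twentyseventeen/index_old.php' => '<?php // forgotten copy',
    );
    foreach ( $files as $rel => $body ) {
        $path = "$root/$rel";
        if ( ! is_dir( dirname( $path ) ) ) {
            mkdir( dirname( $path ), 0700, true );
        }
        file_put_contents( $path, $body );
        // Everything shares the deploy timestamp except the planted shell.
        touch( $path, $rel === 'wp-includes/class-wp-shell.php' ? $base + 86400 : $base );
    }
    return $root;
}

if ( PHP_SAPI === 'cli' ) {
    $root = $argv[1] ?? wp_hunt_fixture();
    echo "scanning $root\n";
    foreach ( wp_hunt( rtrim( $root, '/' ) ) as [ $rel, $why ] ) {
        printf( "%-50s %s\n", $rel, $why );
    }
}
```

On the fixture the planted shell is reported twice (decoder call and odd mtime), the uploads file twice (double extension and PHP in uploads) and the _old.php copy once; the three clean files produce nothing. On a real install expect some noise from the eval/decode rule; the uploads and double-extension rules should be silent on a healthy site.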
Q: Comments – good or bad?
A: Good – comments are great for allowing interactivity with your visitors.
But...
You are also allowing user input into your site.
What does this mean?
• Instead of a text comment, a visitor can submit script or links:
• <script type="text/javascript">alert("Hello");</script>
• I love your site, I also found <a href="http://badwebsite.com"> this link </a> for more information.
• Core filters comments through wp_kses, which drops the <script> tag for ordinary visitors but still allows <a href> and a handful of other tags, and a theme or plugin that prints comment fields without escaping reopens the script hole.
• Visitors can promote their own sites or links that damage the reputation of yours
• Online pharmacies, adult content, profanity
• This can lower your Google ranking and SEO reputation
• It can also get your site flagged by Google as hacked
What to do:
• Disable comments on all pages and posts
• If you want comments, approve them manually (Settings > Discussion > "Comment must be manually approved") or allow them only on certain pages
• Modify functions.php so comments are stored with no HTML at all (core's wp_filter_nohtml_kses on the pre_comment_content filter)
• Review the front end of your site regularly
• Google search your site regularly to ensure Google has not flagged it because of malicious comments
• Install plugins that:
• Let visitors report malicious or offensive comments
• Block all comments
• Do not allow HTML in comments
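As an added example for this deck (not code from the slides), the must-use plugin below implements the comment recommendations above with stock WordPress hooks: no HTML in stored comments, no auto-linking of pasted URLs, comments closed on pages, and every comment held for manual approval regardless of the dashboard setting. The file name and the cmt_ function prefix are my own choices.

```php
<?php
/**
 * Plugin Name: Comment input hardening (added example)
 *
 * Save as wp-content/mu-plugins/comment-hardening.php. Added example for this
 * deck, not code from the slides; the cmt_ prefix is an assumption.
 */

// 1. Strip every HTML tag from comment bodies before they are stored, so the
//    <script> and <a href> payloads on the slide are saved as inert text.
//    Core's default (wp_filter_kses) keeps a whitelist of tags including <a>;
//    wp_filter_nohtml_kses is core's "no HTML at all" profile and applies to
//    every submitter, including administrators.
add_filter( 'pre_comment_content', 'wp_filter_nohtml_kses' );

// 2. Bare URLs are still turned into anchors on output by make_clickable()
//    (hooked on comment_text at priority 9). Remove it so a pasted pharmacy
//    link stays plain text instead of becoming a followable link.
remove_filter( 'comment_text', 'make_clickable', 9 );

// 3. Close comments on pages and keep them on posts: the "only on certain
//    pages" option from the slide.
function cmt_close_on_pages( $open, $post_id ) {
    return get_post_type( $post_id ) === 'page' ? false : $open;
}
add_filter( 'comments_open', 'cmt_close_on_pages', 10, 2 );

// 4. Force "Comment must be manually approved" on, even if someone later
//    unticks it under Settings > Discussion. pre_option_* short-circuits
//    get_option(), so check_comment() always sees moderation enabled.
add_filter( 'pre_option_comment_moderation', '__return_true' );
```

Because the mu-plugin adds its own filter rather than removing core's, it does not matter that kses_init() re-registers wp_filter_kses on every request; both run, and the result has no tags. Existing comments are not rewritten, so run a one-off review of what is already in the database after enabling this.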
What does this mean?
Q: What is the best method to protect my site?
A1: Keep the WordPress core, themes and plugins up to date.
And...
A2: Backup, backup, backup
• Every release's changelog tells attackers exactly what was wrong with the previous version; once a fix is public, the flaw in every unpatched site is public too.
• Many attackers deliberately target older WordPress versions with known security issues, so watch the Dashboard notification area and do not ignore those "Please update now" messages.
• Attackers prey on those who are slow to update.
Code is always evolving, being improved and updated.
What to do:
• Regular backups at multiple layers
• MySQL (a database dump; posts, users, options and plugin settings all live there)
• WordPress pages and posts (Tools > Export produces a portable XML copy)
• FTP files (wp-content/ for themes, plugins and uploads, plus wp-config.php)
• Store backups off the web server and test a restore now and then; a backup that exists only on the compromised host is lost along with it
• Update the WordPress core when updates are available
• WordPress applies minor and security releases automatically by default (since 3.7); leave that enabled and use a host that also handles major updates
• Update plugins and themes regularly
• Delete unused plugins and themes
• Install plugins that manage updates for:
• Themes and plugins
• WordPress core
In Closing:
• There is no one-stop solution to secure your site.
• There is no single way to recover or restore a website.
• Use multiple tools and tactics to protect your site.
• Ensure you know what is going on in your site.
• "DON'T SET IT AND FORGET IT"
• Set up email alerts
• Visit and test your own site regularly
• Use Google regularly to search your own site
Connect with InfoTransec:
• Phone: +1 855-INFOSEC (463 6732)
• Email: infosec@infotransec.com
• Web: https://www.infotransec.com
Social Media:
• Twitter: @InfoTransec
• LinkedIn: https://www.linkedin.com/company/infotransec
• Facebook: https://www.facebook.com/infotransec/
• Google+: https://plus.google.com/113904412258542168822/
Office Location:
• The Atrium @ McMaster Innovation Park
• 175 Longwood Road South, Suite 416A-8
• Hamilton, Ontario
• L8P 0A1

More Related Content

What's hot

Hey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the ProblemHey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the Problem
ColdFusionConference
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
Tiago Mendo
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Nathan Platt
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
Denim Group
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
Lewis Ardern
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
Lewis Ardern
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
Linkesh Kanna Velu
 
Automated testing 101
Automated testing 101Automated testing 101
Automated testing 101
Tabitha Chapman
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
Stephan Steynfaardt
 
What you can do with WordPress Heartbeat API
What you can do with WordPress Heartbeat APIWhat you can do with WordPress Heartbeat API
What you can do with WordPress Heartbeat API
Tabitha Chapman
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIs
mdawaffe
 
Wordpress Tech Talk at Atlogys
Wordpress Tech Talk at AtlogysWordpress Tech Talk at Atlogys
Wordpress Tech Talk at Atlogys
Ritika Garga
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
Abhay Bhargav
 
EASE spectre meltdown_support
EASE spectre meltdown_supportEASE spectre meltdown_support
EASE spectre meltdown_support
Joe Slowik
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with Zap
Soluto
 
Best practices-wordpress-enterprise
Best practices-wordpress-enterpriseBest practices-wordpress-enterprise
Best practices-wordpress-enterpriseTaylor Lovett
 
Beyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript  practical i os reverse engineering lasconBeyond the 'cript  practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lascon
Nino Ho
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
Denim Group
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Christian Schneider
 

What's hot (20)

Hey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the ProblemHey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the Problem
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Automated testing 101
Automated testing 101Automated testing 101
Automated testing 101
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
 
What you can do with WordPress Heartbeat API
What you can do with WordPress Heartbeat APIWhat you can do with WordPress Heartbeat API
What you can do with WordPress Heartbeat API
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIs
 
Wordpress Tech Talk at Atlogys
Wordpress Tech Talk at AtlogysWordpress Tech Talk at Atlogys
Wordpress Tech Talk at Atlogys
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
 
EASE spectre meltdown_support
EASE spectre meltdown_supportEASE spectre meltdown_support
EASE spectre meltdown_support
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with Zap
 
Best practices-wordpress-enterprise
Best practices-wordpress-enterpriseBest practices-wordpress-enterprise
Best practices-wordpress-enterprise
 
Beyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript  practical i os reverse engineering lasconBeyond the 'cript  practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lascon
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 

Similar to WordPress Security and Best Practices

From WordPress With Love
From WordPress With LoveFrom WordPress With Love
From WordPress With Love
Up2 Technology
 
WordPress Security Essentials
WordPress Security EssentialsWordPress Security Essentials
WordPress Security Essentials
Angela Bowman
 
Emergency WordPress Troubleshooting
Emergency WordPress TroubleshootingEmergency WordPress Troubleshooting
Emergency WordPress Troubleshooting
Tiffany Bridge
 
Website essentials things every library website should have
Website essentials  things every library website should haveWebsite essentials  things every library website should have
Website essentials things every library website should have
Brian Pichman
 
WCBos13 intermediate workshop
WCBos13 intermediate workshopWCBos13 intermediate workshop
WCBos13 intermediate workshop
Boston WordPress
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
William Earnhardt
 
Demystifying WordPress
Demystifying WordPressDemystifying WordPress
Demystifying WordPress
Mykl Roventine
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
Think Media Inc.
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
Dan Vasile
 
NEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & SecurityNEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & Security
Michelle Davies (Hryvnak)
 
WordPress Customization and Security
WordPress Customization and SecurityWordPress Customization and Security
WordPress Customization and SecurityJoe Casabona
 
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
WPMU DEV
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
Catch Themes
 
Week6 office-hours
Week6 office-hoursWeek6 office-hours
Week6 office-hours
Randall Rode
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
Ivan Storck
 
How to create a WordPress Site
How to create a WordPress Site How to create a WordPress Site
How to create a WordPress Site
MuhammadUsaid2
 
WordPress Theme Reviewers Team
WordPress Theme Reviewers TeamWordPress Theme Reviewers Team
WordPress Theme Reviewers Team
Mario Peshev
 
hardenning Operating System Server Berbasis Linux
hardenning Operating System Server Berbasis Linuxhardenning Operating System Server Berbasis Linux
hardenning Operating System Server Berbasis Linux
jokerman16
 
Best Practices for Building WordPress Applications
Best Practices for Building WordPress ApplicationsBest Practices for Building WordPress Applications
Best Practices for Building WordPress Applications
Taylor Lovett
 

Similar to WordPress Security and Best Practices (20)

From WordPress With Love
From WordPress With LoveFrom WordPress With Love
From WordPress With Love
 
WordPress Security Essentials
WordPress Security EssentialsWordPress Security Essentials
WordPress Security Essentials
 
Emergency WordPress Troubleshooting
Emergency WordPress TroubleshootingEmergency WordPress Troubleshooting
Emergency WordPress Troubleshooting
 
Website essentials things every library website should have
Website essentials  things every library website should haveWebsite essentials  things every library website should have
Website essentials things every library website should have
 
WCBos13 intermediate workshop
WCBos13 intermediate workshopWCBos13 intermediate workshop
WCBos13 intermediate workshop
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
 
Demystifying WordPress
Demystifying WordPressDemystifying WordPress
Demystifying WordPress
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
 
NEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & SecurityNEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & Security
 
WordPress Customization and Security
WordPress Customization and SecurityWordPress Customization and Security
WordPress Customization and Security
 
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
 
Week6 office-hours
Week6 office-hoursWeek6 office-hours
Week6 office-hours
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
How to create a WordPress Site
How to create a WordPress Site How to create a WordPress Site
How to create a WordPress Site
 
WordPress Theme Reviewers Team
WordPress Theme Reviewers TeamWordPress Theme Reviewers Team
WordPress Theme Reviewers Team
 
hardenning Operating System Server Berbasis Linux
hardenning Operating System Server Berbasis Linuxhardenning Operating System Server Berbasis Linux
hardenning Operating System Server Berbasis Linux
 
Best Practices for Building WordPress Applications
Best Practices for Building WordPress ApplicationsBest Practices for Building WordPress Applications
Best Practices for Building WordPress Applications
 

Recently uploaded

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
laozhuseo02
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
Rogerio Filho
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
CIOWomenMagazine
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Brad Spiegel Macon GA
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
eutxy
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
Javier Lasa
 
1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...1.Wireless Communication System_Wireless communication is a broad term that i...
1.Wireless Communication System_Wireless communication is a broad term that i...
JeyaPerumal1
 
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
1比1复刻(bath毕业证书)英国巴斯大学毕业证学位证原版一模一样
3ipehhoa
 
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
原版仿制(uob毕业证书)英国伯明翰大学毕业证本科学历证书原版一模一样
3ipehhoa
 
Comptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guideComptia N+ Standard Networking lesson guide
Comptia N+ Standard Networking lesson guide
GTProductions1
 
How to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptxHow to Use Contact Form 7 Like a Pro.pptx
How to Use Contact Form 7 Like a Pro.pptx
Gal Baras
 
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shopHistory+of+E-commerce+Development+in+China-www.cfye-commerce.shop
History+of+E-commerce+Development+in+China-www.cfye-commerce.shop
laozhuseo02
 
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
急速办(bedfordhire毕业证书)英国贝德福特大学毕业证成绩单原版一模一样
3ipehhoa
 
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdfMeet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Meet up Milano 14 _ Axpo Italia_ Migration from Mule3 (On-prem) to.pdf
Florence Consulting
 
Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027Italy Agriculture Equipment Market Outlook to 2027
Italy Agriculture Equipment Market Outlook to 2027
harveenkaur52
 
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
一比一原版(SLU毕业证)圣路易斯大学毕业证成绩单专业办理
keoku
 
Bài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docxBài tập unit 1 English in the world.docx
Bài tập unit 1 English in the world.docx
nhiyenphan2005
 
This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!This 7-second Brain Wave Ritual Attracts Money To You.!
This 7-second Brain Wave Ritual Attracts Money To You.!
nirahealhty
 
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
一比一原版(CSU毕业证)加利福尼亚州立大学毕业证成绩单专业办理
ufdana
 

Recently uploaded (20)

The+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptxThe+Prospects+of+E-Commerce+in+China.pptx
The+Prospects+of+E-Commerce+in+China.pptx
 
guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...guildmasters guide to ravnica Dungeons & Dragons 5...
guildmasters guide to ravnica Dungeons & Dragons 5...
 
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
Internet of Things in Manufacturing: Revolutionizing Efficiency & Quality | C...
 
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptxBridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
Bridging the Digital Gap Brad Spiegel Macon, GA Initiative.pptx
 
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
一比一原版(LBS毕业证)伦敦商学院毕业证成绩单专业办理
 
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
APNIC Foundation, presented by Ellisha Heppner at the PNG DNS Forum 2024
 
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdfJAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
JAVIER LASA-EXPERIENCIA digital 1986-2024.pdf
 
1.Wireless Communication System_Wireless communication is a broad term that i...

WordPress Security and Best Practices

5. Recommendations:
  • Do not use ‘admin’ as the default Administrator username
    • Change it to a complex username, similar to a complex password (upper case letter, lower case letter, number, and special character, e.g. R0b3rtV!d@l)
  • Remove the author name from pages and posts
    • Account names are exposed when content is published
    • Plugin “WP Author, Date and Meta Remover”: https://wordpress.org/plugins/wp-author-date-and-meta-remover/
  • Use non-default database table prefixes
    • Upon installation, specify a unique table prefix (not wp_)
    • Modify WP after installation
      • Manually via phpMyAdmin and wp-config.php
      • Plugin “Change DB Prefix”: https://wordpress.org/plugins/db-prefix-change/
  • Remove the WordPress version from the source code
    • Add to functions.php: remove_action('wp_head', 'wp_generator');
    • Plugin “Remove Version”: https://wordpress.org/plugins/remove-version-remver/
  • Delete unused themes and plugins
    • Hello Dolly / Akismet / Jetpack, etc.
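The functions.php line above, expanded into a complete must-use plugin as an added example (not code from the talk; the plugin and function names are hypothetical). It goes beyond the slide by also removing the version from the feed generator tag and from the ?ver= query string that WordPress appends to core scripts and styles.

```php
<?php
/**
 * Plugin Name: Hide WordPress Version (hypothetical mu-plugin, added example)
 *
 * Save as wp-content/mu-plugins/hide-version.php; mu-plugins load without
 * activation and cannot be switched off from the dashboard.
 */

// 1. The <meta name="generator"> tag in the HTML <head> (the slide's own fix).
remove_action( 'wp_head', 'wp_generator' );

// 2. The generator element WordPress emits in RSS and Atom feeds.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=X.Y.Z suffix on core assets such as /wp-includes/js/jquery/jquery.js.
//    Only the core version string is removed; plugin and theme asset versions
//    keep their own ?ver= so browser caching still works for them.
function hwv_strip_core_version( $src ) {
    if ( false !== strpos( $src, 'ver=' . get_bloginfo( 'version' ) ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'style_loader_src', 'hwv_strip_core_version', 9999 );
add_filter( 'script_loader_src', 'hwv_strip_core_version', 9999 );
```

This only reduces what automated scanners see at a glance; readme.html and the contents of wp-includes still identify the release, so updating promptly (slide 22) remains the actual control.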
6. Q: Who is hacking your site?

8. Everyone from your competitors, to Black Hat SEO enthusiasts, to hackers and script kiddies.
  • Hackers use automated scanners and Google Dork search techniques to locate vulnerable WordPress installations, plugins or themes, which they can exploit.
  • Google Dork: search techniques used to locate websites or information that is not intended to be indexed by Google
    • inurl:wp-content/
    • inurl:"/wp-content/plugins/wp-shopping-cart/"
    • inurl:"wp-content/plugins/wp-dbmanager/"
  • What this means:
    • Malware can be injected into the site
    • Brute force login attempts can be made over time
    • Your site may become slow or unresponsive due to handling the excessive requests
    • Tools can be used to scan your site and enumerate information about your site and what is installed:
      • WPScan
      • Nmap (http-wordpress-enum NSE script)

9. Recommendations
  • Think like a hacker
  • Limit search exposure and restrict access to foreign visitors
    • If you are offering products and services to people or businesses in the Hamilton area, why do you need to allow visitors from Russia, Ukraine or China?
    • Use Webmaster Tools to set a preferred location
    • Use IP blocker plugins to restrict access
  • Block information your visitors do not need to see
    • Modify the site's robots.txt file to prevent bots from accessing sensitive information
    • Modify the .htaccess file to ensure secure file and folder permissions are set
  • Take proactive measures:
    • Install lockout plugins to lock a user out after a number of failed attempts
    • Scan the site regularly for malware
      • Sucuri SiteCheck
    • Use WPScan and Nmap to identify what hackers can enumerate.

10. Identify vulnerable plugins and themes and update them
  • http://www.wordpressexploit.com/ (WordPress Exploits)
  • https://wpvulndb.com/ (WordPress Vulnerability Database)
  • http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/ (CVE Details)
  • Security plug-ins:
    • https://wordpress.org/plugins/wordfence/ (WordFence)
      • Blocking features, login security, security scanning, firewall, monitoring
    • https://wordpress.org/plugins/sucuri-scanner/ (Sucuri Scanner)
      • Security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, effective security hardening, post-hack security actions, security notifications, website firewall
    • https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ (All-In-One)
      • User account security, login, registration, database, file system security, IP blocking, firewall and more

11. Q: If a hacker gains access to your site, what can they do?

13. What does this mean?
  • Files can be added or modified without you knowing
  • Google may flag your site as hacked, resulting in a lower Google ranking
  • Your site may be filled with spam links, resulting in a lower Google ranking
  • You may unknowingly be infecting your visitors with viruses or malicious code
  • Visitors may be immediately redirected off your site
  • The website can be defaced
  • Backdoors can be added, which may lead to future problems
  • They can lock you out
  • Anything else they wish
14. What to do:
  • Back up your files and database regularly! It is easier to compare files or even revert to a known good build.
  • Use plugins that detect file changes and alert you via email.
    • https://wordpress.org/plugins/wordfence/ (WordFence)
  • Limit the number of registered users on the site, and ensure accounts have appropriate permissions.
  • Scan your site for malware regularly
    • Sucuri SiteCheck: https://sitecheck.sucuri.net/ (free)
  • Google search the site regularly.
  • FTP into your hosting account and look for:
    • Files that end with xxxx_old.php
    • Files with unexpected extensions (image files with a .php file extension)
    • The modification dates of your files. If all files in a directory have the same modified date and one has a different modified date, it is probably malware or a backdoor
    • Unexpected files in your directories (e.g. a PHP file in an images directory)
  • Install a Web Application Firewall plugin to prevent malicious activity.
    • https://en-ca.wordpress.org/plugins/wp-simple-firewall/ (Simple Security Firewall)
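The FTP checklist above, automated as a standalone PHP script; this is an added example, not a tool from the talk, and the script and function names are hypothetical. It walks the WordPress tree and reports each of the four signs the slide lists, including the single-file modification-date outlier.

```php
<?php
// find-suspicious.php: hypothetical standalone script (added example, not from the
// talk) that automates the FTP checklist. Usage: php find-suspicious.php /path/to/wordpress

/** Return human-readable findings for the WordPress tree at $root. */
function find_suspicious_files( string $root ): array {
    $root     = rtrim( $root, '/' );
    $uploads  = $root . '/wp-content/uploads/';
    $findings = array();
    $by_dir   = array(); // directory => list of [file name, modification day]
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        $path = $file->getPathname();
        $name = $file->getFilename();
        // 1. Backup-style copies such as wp-config_old.php.
        if ( preg_match( '/_old\.php$/i', $name ) ) {
            $findings[] = "backup-named PHP file: $path";
        }
        // 2. An "image" that is really PHP (logo.jpg.php).
        if ( preg_match( '/\.(jpe?g|png|gif)\.php\d?$/i', $name ) ) {
            $findings[] = "image name with PHP extension: $path";
        }
        // 3. Any PHP inside uploads, which should hold media only.
        if ( 0 === strpos( $path, $uploads ) && preg_match( '/\.ph(p\d?|tml)$/i', $name ) ) {
            $findings[] = "PHP file inside uploads: $path";
        }
        $by_dir[ dirname( $path ) ][] = array( $name, date( 'Y-m-d', $file->getMTime() ) );
    }
    // 4. Date outliers: exactly one file in a directory modified on a different
    //    day than all the others (the slide's "1 with a different modified date").
    foreach ( $by_dir as $dir => $entries ) {
        $days = array_count_values( array_column( $entries, 1 ) );
        if ( count( $entries ) < 3 || 2 !== count( $days ) ) {
            continue;
        }
        foreach ( $entries as list( $name, $day ) ) {
            if ( 1 === $days[ $day ] ) {
                $findings[] = "modification-date outlier: $dir/$name ($day)";
            }
        }
    }
    return $findings;
}

if ( PHP_SAPI === 'cli' && ! empty( $argv[1] ) ) {
    foreach ( find_suspicious_files( $argv[1] ) as $f ) { echo $f, PHP_EOL; }
}
```

Run it locally against a downloaded copy of the site rather than uploading it to the web root, and compare the output with a clean copy of the same release to separate real findings from legitimate plugin files.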
15. Q: Comments – good or bad?

16. A: Good. Comments are great for allowing interactivity with your visitors. But...

17. You are also allowing user input into your site. What does this mean?
  • Instead of a text comment, a visitor can inject malicious script or links into your site:
    • <script type="text/javascript">alert("Hello");</script>
    • I love your site. I also found <a href="http://badwebsite.com"> this link </a> for more information.
  • Visitors can promote their own site or links that may go against the reputation of your site
    • Online pharmacies, adult content, profanity
  • This can lower your Google ranking and SEO reputation
  • This can also cause your site to be flagged by Google as hacked
18. What to do:
  • Disable comments on all pages and posts
    • If you wish to allow comments on your site, manually approve them or only allow them on certain pages
  • Modify functions.php to NOT allow HTML-based comments.
  • Review the front end of your site regularly
  • Google search your site regularly to ensure Google has not flagged your site due to malicious comments.
  • Install plugins that:
    • Allow users / visitors to report malicious or offensive comments
    • Block all comments
    • Do not allow HTML comments
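One way to implement the "do not allow HTML comments" point from slides 17 and 18 in code, added here as an example that is not part of the talk; the plugin and function names are hypothetical, and it assumes a current WordPress where core hooks wp_filter_kses and make_clickable at their default priorities.

```php
<?php
/**
 * Plugin Name: Plain-Text Comments (hypothetical mu-plugin, added example)
 *
 * Save as wp-content/mu-plugins/plain-text-comments.php. Core already runs
 * wp_filter_kses on comments, but kses keeps a whitelist of tags (<a>,
 * <strong>, <code>, ...). This plugin allows no markup at all.
 */

// Escape every comment before it is stored, so <script>alert("Hello");</script>
// and <a href="http://badwebsite.com"> arrive as inert text, never as HTML.
// Priority 5 runs ahead of wp_filter_kses, which core hooks at priority 10.
function ptc_escape_comment( $content ) {
    return esc_html( $content );
}
add_filter( 'pre_comment_content', 'ptc_escape_comment', 5 );

// Core hooks make_clickable at priority 9 on comment_text; removing it stops
// bare URLs in the escaped text from being rendered as links when displayed.
remove_filter( 'comment_text', 'make_clickable', 9 );

// Drop the "Website" field from the comment form so the commenter's display
// name is not rendered as a link to a site of their choosing.
function ptc_remove_url_field( $fields ) {
    unset( $fields['url'] );
    return $fields;
}
add_filter( 'comment_form_default_fields', 'ptc_remove_url_field' );

// Removing the form field is cosmetic; the comment_author_url value is still
// accepted by wp-comments-post.php, so blank it server-side as well.
add_filter( 'pre_comment_author_url', '__return_empty_string' );
```

Existing comments are not rewritten; this applies to new and edited comments only, so review what is already published (slide 18's "review the front end") after enabling it.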
19. Q: What is the best method to protect my site?

20. A1: Keep the WordPress core, themes and plugins up to date. And…

22. What does this mean?
  • As components are updated, hackers are able to identify the weaknesses of previous versions.
  • Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.
  • Hackers prey on those that are slow to update. Code is always evolving, improved and updated.

23. What to do:
  • Regular backups at multiple layers
    • MySQL
    • WordPress pages and posts
    • FTP files
  • Update the WordPress core when updates are available
    • Use a host that offers automatic updates
  • Update plugins and themes regularly
    • Delete unused plugins and themes
  • Install plugins that manage updates
    • Themes and plugins
    • WordPress core

24. In Closing:
  • There is no one-stop solution to secure your site.
  • There is no single way to recover / restore a website.
  • Use multiple tools and tactics to protect your site.
  • Ensure you know what is going on in your site.
  • “DON’T SET IT AND FORGET IT”
    • Set up email alerts
    • Visit and test your own site regularly
    • Use Google regularly to search your own site

25. Connect with InfoTransec:
  • Phone: +1 855-INFOSEC (463 6732)
  • Email: infosec@infotransec.com
  • Web: https://www.infotransec.com
  • Social Media:
    • Twitter: @InfoTransec
    • LinkedIn: https://www.linkedin.com/company/infotransec
    • Facebook: https://www.facebook.com/infotransec/
    • Google+: https://plus.google.com/113904412258542168822/
  • Office Location:
    • The Atrium @ McMaster Innovation Park
    • 175 Longwood Road South, Suite 416A-8
    • Hamilton, Ontario
    • L8P 0A1