Robert Vidal is an information security professional who specializes in WordPress security. He outlines several recommendations for securing a WordPress site, including changing default usernames and passwords, removing WordPress version information, keeping software updated, using strong security plugins, limiting comments and user input, regularly backing up the site, and scanning for vulnerabilities, malware and unauthorized changes. Vidal emphasizes that there is no single solution and site owners must take an active, ongoing approach to security through multiple methods like plugins, backups and monitoring.
1. WordPress Security and Best Practices
Robert Vidal, ABCP OSCP OSWP
robert.vidal@infotransec.com
http://www.infotransec.com
2. About Me:
• Robert Vidal, ABCP OSCP OSWP Cert. IS-CF
• Associate Business Continuity Professional (ABCP)
• Offensive Security Certified Professional (OSCP): vulnerability assessment and penetration testing
• Offensive Security Wireless Professional (OSWP): wireless security
• Certificate in Information Security and Computer Forensics (Cert. IS-CF)
• Information Security Analyst – InfoTransec (Hamilton)
• Specializing in Network and Application Security
• Industry Compliance and Governance
• IT industry since 2005
• Focused on security since 2008
• Working with WordPress since 2011
3. About InfoTransec:
• Our focus is always on delivering high quality solutions to our clients through current industry standards and recognized frameworks and benchmarks.
• Services include:
  • Network and Web Application Vulnerability Assessments and Penetration Testing
  • Information Security Services
  • Managed IT
  • Computer Forensics
  • Data Recovery
  • eDiscovery
  • CyberStalking / CyberBullying
4. WordPress Defaults
• WordPress is open source, so anyone can download the application and study its default settings and file structure.
• An attacker who has this map of your site can plan an attack against it without having to probe for anything first.
• What this means:
  • The default administrator username is known
  • The file structure is known
  • The database structure, including the default wp_ table prefix, is known
  • The locations of user credentials (the wp_users table) and of the configuration file (wp-config.php) are known
  • The locations of plugins, themes and uploaded files (under wp-content/) are known
  • The WordPress version can be enumerated
5. Recommendations:
• Do not keep ‘admin’ as the administrator username
  • Pick a username that is not guessable, but remember that a WordPress username is not a secret: /?author=1 is redirected to /author/<slug>/ (the slug defaults to the login name) and, in current WordPress, /wp-json/wp/v2/users lists the authors of published posts. Renaming the account buys little unless those leaks are closed too; a strong, unique password does the real work.
• Remove the author name from pages and posts
  • Account names are exposed when content is published
  • Plugin “WP Author, Date and Meta Remover” https://wordpress.org/plugins/wp-author-date-and-meta-remover/
• Use a non-default database table prefix
  • Upon installation, specify a unique table prefix (not wp_)
  • Or change it after installation
    • Manually via phpMyAdmin and wp-config.php: rename every table, update $table_prefix, and also rename the wp_user_roles option and the wp_capabilities / wp_user_level user-meta keys, which embed the prefix
    • Plugin “Change DB Prefix” https://wordpress.org/plugins/db-prefix-change/
  • This is obscurity, not a control: a SQL injection flaw in any plugin can still read the real table names from information_schema
• Remove the WordPress version from the page source
  • Add to functions.php: remove_action('wp_head', 'wp_generator');
  • Plugin “Remove Version” https://wordpress.org/plugins/remove-version-remver/
  • The version also leaks through readme.html in the web root and through the ?ver= parameter core appends to its scripts and styles
• Delete unused themes and plugins
  • Hello Dolly, Akismet, Jetpack, etc.
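The version and author-name bullets above are usually done with a plugin; the following must-use plugin does the same in a few lines, and also closes the two username leaks (the ?author= redirect and the REST users route) that hiding the byline leaves open. It is an added example, not code from the deck or from the plugins it names; the wp-content/mu-plugins/ path and the ex_ function prefix are assumptions, everything else is stock WordPress API.

```php
<?php
/**
 * Plugin Name: Reduce version and username disclosure
 *
 * Added example for the "Recommendations" slide; not code from the original
 * deck or from the plugins it names. Save it under wp-content/mu-plugins/
 * (path assumed) so it loads before any theme and cannot be switched off
 * from the dashboard. The ex_ prefix is an assumption.
 */

// 1. Version disclosure. The generator tag appears in <head> (wp_generator
//    action) and in RSS/Atom feeds (the_generator filter); remove both.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Core also appends ?ver=<WordPress version> to scripts and styles enqueued
// without their own version, which gives the version away even with the
// generator tag gone. Strip the query argument from asset URLs.
function ex_strip_asset_version(string $src): string {
    return remove_query_arg('ver', $src);
}
add_filter('style_loader_src', 'ex_strip_asset_version', 999);
add_filter('script_loader_src', 'ex_strip_asset_version', 999);

// 2. Username disclosure. Removing the byline from the theme is not enough:
//    core redirects /?author=1 to /author/<slug>/ (slug = login name by
//    default), and the REST route /wp/v2/users lists users with published
//    posts. Deny both to visitors who are not logged in.
add_action('template_redirect', function (): void {
    if (is_author() && !is_user_logged_in()) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
    }
}, 1); // priority 1: run before redirect_canonical() emits the revealing 301

add_filter('rest_endpoints', function (array $endpoints): array {
    if (is_user_logged_in()) {
        return $endpoints;
    }
    foreach (array_keys($endpoints) as $route) {
        if (strpos($route, '/wp/v2/users') === 0) {
            unset($endpoints[$route]);
        }
    }
    return $endpoints;
});
```

Two things this cannot do from PHP: readme.html in the web root states the version and is rewritten by every core update, so delete it as part of the deployment step, and the login name is still visible to anyone who can read the wp_users table, which is why the password, not the username, is the control that matters.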
8. • Everyone from your competitors, to black-hat SEO enthusiasts, to hackers and script kiddies.
• Attackers use automated scanners and Google dork searches to locate vulnerable WordPress installations, plugins or themes that they can exploit.
  • Google dork: a search query built from operators such as inurl: that turns up pages and paths which were never meant to be indexed, for example:
    • inurl:"wp-content/"
    • inurl:"/wp-content/plugins/wp-shopping-cart/"
    • inurl:"wp-content/plugins/wp-dbmanager/"
• What this means:
  • Malware can be injected into the site
  • Brute-force login attempts can be spread out over time
  • Your site may become slow or unresponsive while handling the excess requests
  • Tools can scan your site and enumerate what is installed
    • WPScan
    • Nmap (the http-wordpress-enum NSE script)
9. Recommendations
• Think like a hacker
• Limit search exposure and restrict access from regions you do not serve
  • If you offer products and services to people or businesses in the Hamilton area, why allow visitors from Russia, Ukraine or China?
  • Set a target country in Google Webmaster Tools (this shapes search results; it does not block anyone)
  • Use an IP-blocking plugin to restrict access by country. This cuts noise, but an attacker behind a proxy or VPN in an allowed country is unaffected, so treat it as a filter rather than a control
• Block information your visitors do not need to see
  • Use robots.txt to keep well-behaved crawlers out of administrative paths, and remember that attackers read robots.txt as a map of what you consider sensitive, so it must never be the only thing protecting a path
  • Use .htaccess rules to deny web access to sensitive files such as wp-config.php, and set restrictive file and folder permissions on the server itself (.htaccess controls who may request a path; it does not change filesystem permissions)
• Take proactive measures:
  • Install a lockout plugin to lock an address or account out after a number of failed login attempts
  • Scan the site regularly for malware
    • Sucuri SiteCheck
  • Run WPScan and Nmap against your own site to see what an attacker can enumerate
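The lockout plugins the slide recommends all reduce to the same two WordPress hooks. The following is an added example of that mechanism, not code from the deck or from any plugin: it counts failed logins per client address in a transient and refuses authentication once a threshold is reached. The thresholds, the transient name and the ex_ prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Minimal login lockout
 *
 * Added example for the "Take proactive measures" bullet; not code from the
 * original deck. Locks a client address out of authentication after five
 * failed attempts within fifteen minutes. Thresholds and names are assumptions.
 */

define('EX_LOCKOUT_MAX_ATTEMPTS', 5);
define('EX_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS);

// REMOTE_ADDR is the TCP peer. Behind a reverse proxy or CDN that is the
// proxy, not the visitor; only trust X-Forwarded-For if the proxy is the sole
// path to this server and overwrites the header itself.
function ex_client_ip(): string {
    return isset($_SERVER['REMOTE_ADDR']) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names are length-limited, so key on a hash of the address.
function ex_lockout_key(string $ip): string {
    return 'ex_login_fail_' . md5($ip);
}

// Count every failure. The transient expires on its own after the window, so
// the counter resets without any cleanup job. wp_login_failed fires for both
// wp-login.php and XML-RPC, since both call wp_authenticate().
add_action('wp_login_failed', function (string $username): void {
    $key      = ex_lockout_key(ex_client_ip());
    $attempts = (int) get_transient($key) + 1;
    set_transient($key, $attempts, EX_LOCKOUT_WINDOW);
    if ($attempts >= EX_LOCKOUT_MAX_ATTEMPTS) {
        error_log(sprintf('login lockout: %s after %d failures (last username tried: %s)',
            ex_client_ip(), $attempts, $username));
    }
});

// Refuse a locked-out address before the password is checked. Returning a
// WP_Error from 'authenticate' aborts the login; priority 30 runs after
// core's own username/password check at 20 and overrides its result.
add_filter('authenticate', function ($user, string $username) {
    $attempts = (int) get_transient(ex_lockout_key(ex_client_ip()));
    if ($attempts >= EX_LOCKOUT_MAX_ATTEMPTS) {
        return new WP_Error('ex_locked_out',
            __('Too many failed login attempts. Try again later.'));
    }
    return $user;
}, 30, 2);

// A successful login clears the counter so one typo does not carry over.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(ex_lockout_key(ex_client_ip()));
}, 10, 2);
```

A per-address counter stops the single-host dictionary attack the slide describes; it does nothing against attempts spread over many addresses, which is why the same error message is returned whether the username exists or not and why the password policy still has to hold on its own.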
13. What does this mean?
• Files can be added or modified without your knowledge
• Google may flag your site as hacked, lowering its ranking
• Your site may be filled with spam links, lowering its ranking
• You may unknowingly be serving viruses or malicious code to your visitors
• Visitors may be redirected off your site as soon as they arrive
• The website can be defaced
• Backdoors can be added that lead to future problems
• You can be locked out of your own site
• Anything else the attacker wishes
14. What to do:
• Back up your files and database regularly!!!
  • With a known-good backup you can compare files against it or revert to it outright
• Use a plugin that detects file changes and alerts you by email
  • https://wordpress.org/plugins/wordfence/ (Wordfence)
• Limit the number of registered users on the site, and ensure each account has only the permissions it needs
• Scan your site for malware regularly
  • Sucuri SiteCheck https://sitecheck.sucuri.net/ (free)
• Google search the site regularly
• Connect to your hosting account (SFTP rather than plain FTP, which sends credentials in clear text) and look for:
  • Files that end in xxxx_old.php
  • Files with unexpected extensions (image files ending in .php)
  • Modification dates. If every file in a directory shares one modified date and a single file differs, that file is probably malware or a backdoor. Treat dates as a hint only: an attacker can reset them with touch, so compare hashes against your backup when you can
  • Unexpected files in your directories (a PHP file in an images directory)
• Install a web application firewall plugin to block malicious requests
  • https://en-ca.wordpress.org/plugins/wp-simple-firewall/ (Simple Security Firewall)
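The manual file review above can be scripted. This added example, not code from the deck or from Wordfence, takes a SHA-256 baseline of the WordPress document root after a clean install or update, reports added, removed and changed files on later runs, and applies the slide's name-based rules (PHP under uploads, *_old.php, image names with a .php extension) to everything present. The paths and the baseline file name are assumptions.

```php
<?php
/**
 * wp-integrity.php: baseline-and-compare scan of a WordPress document root.
 *
 * Added example for the "What to do" slide; not code from the original deck
 * or from any plugin it names. Paths and the baseline file name are
 * assumptions.
 *
 *   php wp-integrity.php baseline /var/www/html > baseline.json
 *   php wp-integrity.php compare  /var/www/html baseline.json
 *
 * Keep baseline.json off the web server. Hashes, not dates, are compared: a
 * modification time can be reset with touch, a changed file cannot keep its
 * SHA-256 digest.
 */

// SHA-256 of every regular file under $root, keyed by path relative to $root.
function ex_hash_tree(string $root): array {
    $hashes = [];
    $files  = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($files as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $rel = ltrim(substr($file->getPathname(), strlen($root)), '/');
        $hashes[$rel] = hash_file('sha256', $file->getPathname());
    }
    ksort($hashes);
    return $hashes;
}

// The slide's manual checks as rules: PHP under uploads, *_old.php leftovers,
// and image or text names carrying a PHP extension.
function ex_suspicious(string $rel): array {
    $reasons = [];
    if (preg_match('#^wp-content/uploads/.*\.ph(p\d?|tml|ar)$#i', $rel)) {
        $reasons[] = 'PHP inside wp-content/uploads';
    }
    if (preg_match('/_old\.php$/i', $rel)) {
        $reasons[] = '*_old.php leftover';
    }
    if (preg_match('/\.(jpe?g|png|gif|svg|txt)\.php$/i', $rel)) {
        $reasons[] = 'image/text name with .php extension';
    }
    return $reasons;
}

// Added, removed and changed paths between two manifests.
function ex_compare(array $baseline, array $current): array {
    $changed = [];
    foreach (array_intersect_key($current, $baseline) as $rel => $hash) {
        if ($hash !== $baseline[$rel]) {
            $changed[] = $rel;
        }
    }
    return [
        'added'   => array_keys(array_diff_key($current, $baseline)),
        'removed' => array_keys(array_diff_key($baseline, $current)),
        'changed' => $changed,
    ];
}

$mode = $argv[1] ?? '';
$root = rtrim($argv[2] ?? '', '/');

if ($mode === 'baseline' && is_dir($root)) {
    echo json_encode(ex_hash_tree($root), JSON_PRETTY_PRINT), "\n";
    exit(0);
}

if ($mode === 'compare' && is_dir($root) && isset($argv[3])) {
    $baseline = json_decode((string) file_get_contents($argv[3]), true) ?: [];
    $current  = ex_hash_tree($root);
    $findings = 0;
    foreach (ex_compare($baseline, $current) as $kind => $files) {
        foreach ($files as $rel) {
            printf("%-8s %s\n", $kind, $rel);
            $findings++;
        }
    }
    // Name rules run over everything present, not only the diff, so a backdoor
    // that was already in place when the baseline was taken still shows up.
    foreach ($current as $rel => $hash) {
        foreach (ex_suspicious($rel) as $reason) {
            printf("%-8s %s  [%s]\n", 'suspect', $rel, $reason);
            $findings++;
        }
    }
    // Non-zero exit lets cron mail the output only when there is something to read.
    exit($findings > 0 ? 1 : 0);
}

fwrite(STDERR, "usage: php wp-integrity.php baseline <docroot> | compare <docroot> <baseline.json>\n");
exit(2);
```

Run the compare from cron and retake the baseline only after you have applied an update yourself; any change that appears between those two points is something you did not do.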
16. A: Good. Comments are great for allowing interactivity with your visitors.
But...
17. You are also allowing user input into your site.
What does this mean?
• Instead of a text comment, a visitor can submit script or links into your site:
  • <script type="text/javascript">alert("Hello");</script>
  • I love your site I also found <a href="http://badwebsite.com"> this link </a> for more information.
  • Stock WordPress runs comment text through wp_kses() with a short allow-list, so the <script> tag is stripped before the comment is stored, but the <a href> link is allowed and survives. Users with the unfiltered_html capability (administrators and editors on a single site) bypass that filter entirely.
• Visitors can promote their own sites or links that damage the reputation of yours
  • Online pharmacies, adult content, profanity
• This can lower your Google ranking and SEO reputation
• This can also cause Google to flag your site as hacked
18. What to do:
• Disable comments on all pages and posts
  • If you want comments, approve them manually or allow them only on certain pages
  • Modify functions.php so comments cannot contain HTML
• Review the front end of your site regularly
• Google search your site regularly to make sure Google has not flagged it because of malicious comments
• Install plugins that
  • Let users and visitors report malicious or offensive comments
  • Block all comments
  • Disallow HTML in comments
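Both options on this slide, switching comments off entirely or keeping them with no HTML and manual approval, are a handful of core hooks. The block below is an added example, not code from the deck or from any plugin, written as a must-use plugin with a single switch; the constant name and the ex_ prefix are assumptions. The comment in the code shows what the two payloads from the previous slide are reduced to.

```php
<?php
/**
 * Plugin Name: Comment hardening
 *
 * Added example for the two comment slides; not code from the original deck.
 * With EX_COMMENTS_ENABLED false, comments and pingbacks are closed site-wide.
 * With it true, comments stay on but every HTML tag is stripped, bare URLs are
 * not turned into links, and each comment waits for manual approval. The
 * constant name is an assumption.
 */

define('EX_COMMENTS_ENABLED', true);

if (!EX_COMMENTS_ENABLED) {
    // Close the form everywhere regardless of the per-post setting, hide the
    // comments already stored, and drop the Comments menu from the dashboard.
    add_filter('comments_open', '__return_false', 20, 2);
    add_filter('pings_open', '__return_false', 20, 2);
    add_filter('comments_array', '__return_empty_array', 10, 2);
    add_action('admin_menu', function (): void {
        remove_menu_page('edit-comments.php');
    });
    return;
}

// Stock WordPress passes comment text through wp_filter_kses(), a short
// allow-list under which <script> is dropped but <a href> survives. This
// filter runs alongside it and removes every tag, so the previous slide's two
// examples are stored as plain text:
//   alert("Hello");
//   I love your site I also found  this link  for more information.
// Unlike core's filter it is not removed for users with unfiltered_html.
add_filter('pre_comment_content', 'wp_filter_nohtml_kses', 20);

// Without <a> tags a pasted URL is still clickable once make_clickable() runs
// on output; switch that off so a link drop stays inert text.
remove_filter('comment_text', 'make_clickable', 9);

// Hold everything for moderation. "spam" and "trash" verdicts from other
// plugins and WP_Error results (duplicate or flood detection) pass through.
add_filter('pre_comment_approved', function ($approved, array $commentdata) {
    if (is_wp_error($approved) || $approved === 'spam' || $approved === 'trash') {
        return $approved;
    }
    return 0;
}, 99, 2);
```

Stripping tags addresses the script and link-injection examples; it does not stop a visitor from writing an offensive or off-brand comment in plain text, which is what the moderation queue is for.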
19. Q: What is the best method to protect my site?
20. A1: Keep the WordPress core, themes and plugins up to date.
And…
22. Code is always evolving, improved and updated.
What does this mean?
• As components are updated, the fixes themselves tell attackers exactly what was weak in the previous versions.
• Many attackers deliberately target older WordPress versions with known security issues, so keep an eye on your Dashboard notification area and do not ignore the ‘Please update now’ messages.
• Attackers prey on those who are slow to update.
23. What to do:
• Take regular backups at multiple layers
  • The MySQL database
  • WordPress pages and posts (the built-in export)
  • The files on the web server (via SFTP/FTP)
• Update the WordPress core when updates are available
  • Use a host that offers automatic updates
  • Since WordPress 3.7, minor and security releases of core install themselves by default; major releases, plugins and themes do not unless you enable it
• Update plugins and themes regularly
• Delete unused plugins and themes
• Install plugins that manage updates for
  • Themes and plugins
  • The WordPress core
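The update policy on this slide and the email alerts in the closing slide fit in one must-use plugin. The block below is an added example, not code from the deck or from any update-manager plugin: it opts the site in to automatic major-core, plugin and theme updates through core's own filters, and runs a daily WP-Cron job that mails the admin address whenever anything is still waiting. The cron hook name and the mail wording are assumptions.

```php
<?php
/**
 * Plugin Name: Auto-update policy and pending-update alert
 *
 * Added example for the update slides and the "Set up email alerts" point in
 * the closing slide; not code from the original deck. Opts the site in to
 * automatic updates for major core releases, plugins and themes, and mails
 * the admin address once a day while anything is still pending. The cron hook
 * name and mail wording are assumptions.
 */

// Minor and security core releases already install themselves by default.
// These filters extend that to major core releases, plugins and themes.
add_filter('allow_major_auto_core_updates', '__return_true');
add_filter('auto_update_plugin', '__return_true');
add_filter('auto_update_theme', '__return_true');

// Everything the dashboard would show under Updates, as one-line strings.
// The helpers live in wp-admin, which cron does not load, hence the requires.
function ex_pending_updates(): array {
    require_once ABSPATH . 'wp-admin/includes/update.php';
    require_once ABSPATH . 'wp-admin/includes/plugin.php';

    // Refresh the update transients rather than trusting possibly stale ones.
    wp_version_check();
    wp_update_plugins();
    wp_update_themes();

    $pending = [];
    foreach ((array) get_core_updates() as $core) {
        if (isset($core->response) && $core->response === 'upgrade') {
            $pending[] = sprintf('core %s -> %s', get_bloginfo('version'), $core->current);
        }
    }
    foreach (get_plugin_updates() as $plugin) {
        $pending[] = sprintf('plugin %s %s -> %s',
            $plugin->Name, $plugin->Version, $plugin->update->new_version);
    }
    foreach (get_theme_updates() as $theme) {
        $pending[] = sprintf('theme %s %s -> %s',
            $theme->get('Name'), $theme->get('Version'), $theme->update['new_version']);
    }
    return $pending;
}

add_action('ex_daily_update_check', function (): void {
    $pending = ex_pending_updates();
    if ($pending === []) {
        return;
    }
    wp_mail(
        get_option('admin_email'),
        sprintf('[%s] %d update(s) waiting', get_bloginfo('name'), count($pending)),
        implode("\n", $pending) . "\n\nReview at: " . admin_url('update-core.php')
    );
});

// Schedule once; wp_next_scheduled() keeps repeated page loads from stacking events.
add_action('init', function (): void {
    if (!wp_next_scheduled('ex_daily_update_check')) {
        wp_schedule_event(time(), 'daily', 'ex_daily_update_check');
    }
});
```

Automatic updates follow the backup bullets for a reason: an update that breaks a theme or plugin is recovered from the backup, and the daily mail is what tells you an update failed or is stuck, since WP-Cron only fires when the site gets traffic.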
24. In Closing:
• There is no one-stop solution for securing your site.
• There is no single way to recover or restore a website.
• Use multiple tools and tactics to protect your site.
• Know what is going on in your site.
• “DON’T SET IT AND FORGET IT”
  • Set up email alerts
  • Visit and test your own site regularly
  • Use Google regularly to search your own site