The document outlines best practices for website security, focusing on key areas including password management, web server security, and disaster response planning. It emphasizes the importance of keeping software up-to-date, using strong passwords, and implementing redundancy in firewalls. Additionally, it offers specific WordPress security tips, such as disabling file editing and limiting login attempts.

1. Security Best Practices

2. @VicDrover
Panama Papers

4. @VicDrover
Panama Papers

5. @VicDrover
Infected Websites by Platform
Hacked Website Report - Sucuri

6. @VicDrover
% Out-of-Date CMS
Hacked Website Report - Sucuri

7. @VicDrover
Is YOUR website is vulnerable?

8. @VicDrover
Top 3 WordPress causing hacks
Hacked Website Report - Sucuri

9. @VicDrover
RevSlider < 3.0.95 = vulnerable
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/

11. @VicDrover
WordPress host for Ransomware
http://www.tomsguide.com/us/wordpress-ransomware-epidemic,news-22219.html

13. @VicDrover
Levels of website security

14. @VicDrover
Levels of website security

15. Client Passwords

16. @VicDrover
Password Managers

18. @VicDrover
Agency Passwords

19. @VicDrover
Trust extends to your team

20. @VicDrover
Email security

21. @VicDrover
Staff

22. Staff

23. @VicDrover
Disaster Response Plan

24. @VicDrover
Initial response
→ Who, What, When
→ Emergency contact info
→ Service provider info
◆ DNS, Server/Host, Data Center, Backups
→ 1-time use passwords

25. Agency 7

26. Agency 7

27. @VicDrover
Security policy
→ Email usage
→ Resource access
→ Password strength
→ Password duration
→ Account sharing
→ Team composition
→ Disaster planning
→ Ongoing Education

28. @VicDrover
Levels of website security
Local
Remote

29. @VicDrover
Local Resources

30. @VicDrover
PHP Usage (Joomla 3.5)
PHP 5.5
PHP 5.2
PHP 5.3
PHP 5.6
PHP 7.x
PHP 5.4

31. @VicDrover
Webserver security

32. @VicDrover
Heartbleed

33. @VicDrover
filippo.io/Heartbleed/

34. @VicDrover
Other local issues
→ SSH on non-default port, encryption keys
→ Disable FTP (vs. secure FTP)
→ Strong database password + table prefix
→ Enable logging (usually off by default)
→ Disable magic_quotes

35. @VicDrover
Levels of website security
Local
Remote

36. @VicDrover
Remote services - email

38. @VicDrover
Remote services - DNS

39. @VicDrover
Remote services - reverse proxy

40. @VicDrover
Managed Hosting

41. @VicDrover
Levels of website security

42. @VicDrover
Update all the things

43. @VicDrover
Well-known WordPress best-practices
→ Unique administrator account
→ Disable file editing, PHP Execution
→ Limit Login Attempts
→ Remove unused themes + plugins
→ Block editing of config file

44. @VicDrover
Enforce stronger passwords

45. @VicDrover
Control New Users

46. @VicDrover
Secure failed login message
function wrong_login() {
return 'Wrong username or password.';
}
add_filter('login_errors', 'wrong_login');
functions.php
http://geckogullywebsites.com/wordpress-security-tips-check-for-display-of-unnecessary-information-on-failed-login-attempts/

47. @VicDrover
Backup your site + test

48. @VicDrover
Akeeba Backup
https://www.akeebabackup.com/

49. @VicDrover
Use Redundant firewalls

51. @VicDrover
Use Redundant firewalls

52. @VicDrover
Use Redundant firewalls

53. @VicDrover
Use Redundant firewalls

54. @VicDrover
Use Redundant firewalls

55. Security Best Practices