
Level Up Your WordPress Security


My session from #WPCampus on leveling up your WordPress Security. A 3-pronged approach (Site, Server, External)


  1. LEVEL UP YOUR WORDPRESS SECURITY By Mitch Canter – Vanderbilt University Web Communications (@thatmitchcanter)
  2. Who am I?
  3. Mitch Canter, Senior Web Developer, Vanderbilt University Web Communications
  4. SECURITY QUEST: PRESS START TO BEGIN
  5. 30,000
  6. 30,000: Number of websites hacked PER DAY
  7. 78%
  8. 78%: Built on the WordPress CMS
  9. There is no secret sauce.
  10. Goal: Reduce Risk
  11. Proactive, Not Reactive
  12. 3-PRONGED APPROACH
  13. 1. SERVER 2. SITE 3. EXTERNAL
  14. 1. SERVER (CON Modifier, Hearts, Health)
  15. SSH Keys: Cryptographic key pairs that grant access to a server
  16. Isolated Execution Environments: Application-specific servers (file, database, etc.)
  17. Single Server = Single Point of Attack
  18. Application-Specific Isolated Servers
  19. Firewalls: What services are exposed?
  20. Firewall Example
  21. IPTABLES / UFW / FIREWALL
  22. Inclusive vs. Exclusive (an inclusive firewall permits only the listed traffic and denies everything else by default; an exclusive firewall blocks the listed traffic and permits the rest)
  23. File Permissions
  24. Restrict, Then Relax
  25. 644 FILES / 755 FOLDERS
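Slides 23–25 give the baseline (644 for files, 755 for directories, "restrict, then relax") without showing how to audit a live tree against it. The following is an added example, not code from the talk: a stand-alone PHP CLI script that walks a WordPress install, reports every entry that deviates from the baseline, flags anything world-writable, and fixes the modes when asked. The 0600 mode for wp-config.php and the `--fix` flag are this example's own choices; the talk only states 644/755.

```php
<?php
// Added example (not from the slides): audit and optionally fix WordPress
// file permissions against the 644/755 baseline, with wp-config.php tightened
// to 0600 because it holds database credentials and the auth salts.
// Usage: php wp-perms.php /var/www/html [--fix]
// Exit status 0 = clean, 1 = deviations found (useful as a cron/CI check).

declare(strict_types=1);

const FILE_MODE   = 0644;
const DIR_MODE    = 0755;
const CONFIG_MODE = 0600; // this example's choice, stricter than the 644 baseline

/** Mode an entry should have under the baseline. */
function expected_mode(string $path, string $root): int
{
    if (is_dir($path)) {
        return DIR_MODE;
    }
    // Only the top-level wp-config.php gets the stricter mode.
    if (basename($path) === 'wp-config.php' && dirname($path) === $root) {
        return CONFIG_MODE;
    }
    return FILE_MODE;
}

/**
 * Walk $root and return one finding per entry whose permission bits differ
 * from the baseline. Symlinks are skipped so a link pointing outside the
 * web root is never followed or chmod'ed.
 */
function audit_permissions(string $root): array
{
    $root     = rtrim(realpath($root) ?: $root, '/');
    $findings = [];
    $it = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ($it as $entry) {
        $path = $entry->getPathname();
        if (is_link($path)) {
            continue;
        }
        $actual   = fileperms($path) & 0777;
        $expected = expected_mode($path, $root);
        if ($actual !== $expected) {
            $findings[] = [
                'path'           => $path,
                'actual'         => $actual,
                'expected'       => $expected,
                'world_writable' => ($actual & 0002) !== 0, // the finding that matters most
            ];
        }
    }
    return $findings;
}

/** Apply the expected mode to every finding; returns how many were changed. */
function fix_permissions(array $findings): int
{
    $fixed = 0;
    foreach ($findings as $f) {
        if (chmod($f['path'], $f['expected'])) {
            $fixed++;
        }
    }
    return $fixed;
}

// Run only when invoked directly, so the functions can be included elsewhere.
if (PHP_SAPI === 'cli' && realpath($argv[0] ?? '') === realpath(__FILE__)) {
    $root     = $argv[1] ?? getcwd();
    $fix      = in_array('--fix', $argv, true);
    $findings = audit_permissions($root);
    foreach ($findings as $f) {
        printf("%s %o -> %o%s\n", $f['path'], $f['actual'], $f['expected'],
            $f['world_writable'] ? '  [WORLD-WRITABLE]' : '');
    }
    if ($fix) {
        printf("fixed %d entries\n", fix_permissions($findings));
    }
    exit(empty($findings) ? 0 : 1);
}
```

Modes alone are not the whole story: 755 on a directory only keeps the web server out if the web server is not the owner, so run the script as the deploy user and check ownership alongside it. The "relax" step from the slide is where you deliberately let the web server write to `wp-content/uploads` (and, if you rely on dashboard updates, to the install itself); do that by ownership or a group-writable 775 on those paths only, never by going to 777.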
  26. 2. SITE (Armor, Equipment, Shields)
  27. KEEP WORDPRESS UPDATED
  28. No, really… KEEP WORDPRESS UPDATED
  29. 56%: Share of hacked websites that were running out-of-date software
  30. TimThumb, RevSlider, Gravity Forms (PS: The Panama Papers breach was blamed on a RevSlider exploit.)
  31. Plugin Audits: Do I REALLY need this plugin?
  32. Two-Factor Authentication: Multi-layer authentication via knowledge, possession, or inherence
  33. XML-RPC Limitations: Code to disable it via a filter
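Slide 33 mentions disabling XML-RPC "via filter" but the code itself is not on the page. Below is an added example, not the speaker's code: a must-use plugin that turns the endpoint off by default through the core `xmlrpc_enabled` filter, strips the methods that are abused even when XML-RPC stays on (`pingback.ping` for reflection attacks, `system.multicall` for amplifying password guessing), and stops advertising the endpoint in the `X-Pingback` header and the pingback `<link>`. The `HARDEN_XMLRPC_ALLOW_FROM` constant and the IPv4-only CIDR helper are this example's own assumptions; WordPress has no such setting.

```php
<?php
/**
 * Plugin Name: Harden XML-RPC
 * Description: Added example (not from the slides). Disables XML-RPC unless the
 * request comes from an allowlisted range, and removes the abusable methods.
 *
 * Install as wp-content/mu-plugins/harden-xmlrpc.php: must-use plugins load
 * before ordinary plugins and cannot be deactivated from the dashboard.
 * Optional opt-in, e.g. for a mobile app or Jetpack, in wp-config.php:
 *   define('HARDEN_XMLRPC_ALLOW_FROM', '203.0.113.0/24, 198.51.100.7');
 * (constant name and format are this example's choice, not a WordPress setting)
 */

if (!defined('ABSPATH')) {
    exit;
}

/** IPv4-only CIDR match; a bare address is treated as /32. */
function harden_xmlrpc_ip_in_cidr(string $ip, string $cidr): bool
{
    [$subnet, $bits] = array_pad(explode('/', $cidr, 2), 2, '32');
    $ipLong  = ip2long($ip);
    $subLong = ip2long($subnet);
    if ($ipLong === false || $subLong === false) {
        return false;
    }
    $mask = $bits === '0' ? 0 : (-1 << (32 - (int) $bits)) & 0xFFFFFFFF;
    return ($ipLong & $mask) === ($subLong & $mask);
}

/** Default deny: XML-RPC is only enabled for allowlisted client addresses. */
function harden_xmlrpc_request_allowed(): bool
{
    if (!defined('HARDEN_XMLRPC_ALLOW_FROM') || HARDEN_XMLRPC_ALLOW_FROM === '') {
        return false;
    }
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach (array_map('trim', explode(',', HARDEN_XMLRPC_ALLOW_FROM)) as $cidr) {
        if ($cidr !== '' && harden_xmlrpc_ip_in_cidr($remote, $cidr)) {
            return true;
        }
    }
    return false;
}

// 1. Master switch. Core consults this filter before any authenticated method
//    runs; with it false, wp.* methods return a 405 error to every caller.
add_filter('xmlrpc_enabled', 'harden_xmlrpc_request_allowed');

// 2. The filter above only gates methods that log in. pingback.ping needs no
//    login and system.multicall batches hundreds of login attempts into one
//    request, so remove them from the method table outright.
add_filter('xmlrpc_methods', function (array $methods): array {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
});

// 3. Stop advertising the endpoint: no X-Pingback response header ...
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// ... and no <link rel="pingback"> in the page head.
add_filter('bloginfo_url', function (string $output, string $show): string {
    return $show === 'pingback_url' ? '' : $output;
}, 10, 2);
```

To confirm it worked, POST `<methodCall><methodName>system.listMethods</methodName></methodCall>` to `/xmlrpc.php` and check that `pingback.ping` and `system.multicall` are gone from the list, then try a `wp.getUsersBlogs` call with valid credentials and expect the 405 error. Two caveats: behind a load balancer or CDN, `REMOTE_ADDR` is the proxy, so the allowlist must be evaluated at the proxy or after trusting its forwarded-for header; and if nothing on the site actually needs XML-RPC, blocking `/xmlrpc.php` at the web server as well means the request never reaches PHP.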
  34. User Audits: Do I REALLY need this user?
  35. 1. PASSWORDS 2. ACCESS
  36. "Principle of Least Privilege": Only give access to those who need it, when they need it, and only for as long as they need it.
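Slides 34–36 ask "do I really need this user?" and state least privilege in terms of time ("only for the time they need it"), but WordPress records no last-login date, so there is nothing to audit against out of the box. This added example, not code from the talk, is a must-use plugin that records a login timestamp on the `wp_login` action, reports privileged accounts that are stale, and can demote them to subscriber so authorship is preserved while the privilege is removed. The meta key, the 90-day threshold, the role set and the `wp user-audit` command name are this example's own choices.

```php
<?php
/**
 * Plugin Name: Privileged User Audit
 * Description: Added example (not from the slides). Tracks last login and
 * reports administrators/editors who have not used that access recently.
 *
 * Install as wp-content/mu-plugins/user-audit.php.
 * Meta key, 90-day threshold and command name are this example's assumptions.
 */

if (!defined('ABSPATH')) {
    exit;
}

const USER_AUDIT_META_KEY   = 'harden_last_login';
const USER_AUDIT_STALE_DAYS = 90;

// Record a UNIX timestamp on every successful login; core keeps no such record.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    update_user_meta($user->ID, USER_AUDIT_META_KEY, time());
}, 10, 2);

/**
 * One row per privileged account. An account is stale when its last recorded
 * login is older than $stale_days, or when it has never logged in since
 * tracking began (meta absent, which reads as 0 and is therefore below cutoff).
 */
function user_audit_report(array $roles = ['administrator', 'editor'],
                           int $stale_days = USER_AUDIT_STALE_DAYS): array
{
    $cutoff = time() - $stale_days * DAY_IN_SECONDS;
    $rows   = [];
    foreach (get_users(['role__in' => $roles]) as $user) {
        $last   = (int) get_user_meta($user->ID, USER_AUDIT_META_KEY, true);
        $rows[] = [
            'ID'         => $user->ID,
            'user_login' => $user->user_login,
            'roles'      => implode(',', $user->roles),
            'last_login' => $last ? gmdate('Y-m-d', $last) : 'never (since tracking began)',
            'stale'      => $last < $cutoff ? 'yes' : 'no',
        ];
    }
    return $rows;
}

/**
 * Remove privilege without deleting the account: posts keep their author,
 * and the role can be restored if the person turns out to still need it.
 */
function user_audit_demote(int $user_id): void
{
    $user = get_userdata($user_id);
    if ($user) {
        $user->set_role('subscriber');
    }
}

// `wp user-audit` prints the report; `wp user-audit --demote-stale` acts on it.
if (defined('WP_CLI') && WP_CLI) {
    WP_CLI::add_command('user-audit', function (array $args, array $assoc_args): void {
        $rows = user_audit_report();
        WP_CLI\Utils\format_items('table', $rows, ['ID', 'user_login', 'roles', 'last_login', 'stale']);
        if (isset($assoc_args['demote-stale'])) {
            foreach ($rows as $row) {
                if ($row['stale'] === 'yes') {
                    user_audit_demote((int) $row['ID']);
                    WP_CLI::log("demoted {$row['user_login']} to subscriber");
                }
            }
        }
    });
}
```

Run the report-only form for at least one threshold period after installing, because every account shows as "never" until it logs in once under tracking; acting on day one would demote everyone. Before using `--demote-stale`, make sure the list of non-stale administrators is not empty, since the command does not protect the last remaining admin.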
  37. 3. EXTERNAL ("Magic" Shields, Blessings)
  38. SSL Certificates: A cryptographically signed statement of "trust" in a website's identity, issued by a certificate authority
  39. Let's Encrypt: FREE SSL certificates for everyone!
  40. Sucuri: Resources, knowledge, and a scanner plugin
  41. Vulnerable Plugins List: WPCampus website, by Paul Gilzow
  42. Offsite Backups: …just in case.
  43. Questions?
  44. Thanks! @thatmitchcanter
