
Wordpress security best practices - WordCamp Waukesha 2017

As a popular CMS, WordPress is a common target for hackers and bots alike. In this session, Victor discusses a host of best-practice techniques and corporate security policies that will harden your website against intruders.


  1. Security Best Practices
  2. @VicDrover: Panama Papers
  3. Panama Papers
  4. Infected Websites by Platform (Hacked Website Report - Sucuri)
  5. % Out-of-Date CMS (Hacked Website Report - Sucuri)
  6. Is YOUR website vulnerable?
  7. Top 3 WordPress causing hacks (Hacked Website Report - Sucuri)
  8. RevSlider < 3.0.95 = vulnerable
     https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
  9. WordPress host for Ransomware
     http://www.tomsguide.com/us/wordpress-ransomware-epidemic,news-22219.html
  10-11. Levels of website security
  12. Client Passwords
  13. Password Managers
  14. Agency Passwords
  15. Trust extends to your team
  16. Email security
  17-18. Staff
  19. Disaster Response Plan
  20. Initial response
      - Who, What, When
      - Emergency contact info
      - Service provider info: DNS, Server/Host, Data Center, Backups
      - 1-time use passwords
  21-22. Agency 7
  23. Security policy
      - Email usage
      - Resource access
      - Password strength
      - Password duration
      - Account sharing
      - Team composition
      - Disaster planning
      - Ongoing education
  24. Levels of website security: Local / Remote
  25. Local Resources
  26. PHP Usage (Joomla 3.5) [chart of PHP version shares: 5.2, 5.3, 5.4, 5.5, 5.6, 7.x]
  27. Webserver security
  28. Heartbleed
  29. filippo.io/Heartbleed/
  30. Other local issues
      - SSH on non-default port, encryption keys
      - Disable FTP (vs. secure FTP)
      - Strong database password + table prefix
      - Enable logging (usually off by default)
      - Disable magic_quotes
  31. Levels of website security: Local / Remote
  32. Remote services - email
  33. Remote services - DNS
  34. Remote services - reverse proxy
  35. Managed Hosting
  36. Levels of website security
  37. Update all the things
  38. Well-known WordPress best practices
      - Unique administrator account
      - Disable file editing, PHP execution
      - Limit login attempts
      - Remove unused themes + plugins
      - Block editing of config file
  39. Enforce stronger passwords
  40. Control new users
  41. Secure failed login message (functions.php):

          // Replace WordPress's detailed login error (which reveals whether
          // the username exists) with one generic message.
          function wrong_login() {
              return 'Wrong username or password.';
          }
          add_filter('login_errors', 'wrong_login');

      http://geckogullywebsites.com/wordpress-security-tips-check-for-display-of-unnecessary-information-on-failed-login-attempts/
  42. Backup your site + test
  43. Akeeba Backup https://www.akeebabackup.com/
  44-48. Use redundant firewalls
  49. Security Best Practices
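Slides 38 and 41 name "limit login attempts" and a generic failed-login message but give code only for the message. The following is an added example, not from the talk or from any plugin it mentions: a must-use plugin (dropped into wp-content/mu-plugins/) that counts failed logins per client address in a transient, refuses further attempts for a cooling-off period, and reuses the same generic wording. The plugin name, the prefix `example_lla_`, the threshold of 5 attempts and the 15-minute lockout are constructed values for illustration; the hooks `wp_login_failed`, `authenticate` and `wp_login`, and the transient functions, are standard WordPress APIs.

```php
<?php
/**
 * Plugin Name: Example Limit Login Attempts (added example, not the talk's code)
 * Description: Lock out a client address after repeated failed logins.
 */

// Constructed tuning values; adjust for the site's traffic.
const EXAMPLE_LLA_MAX_ATTEMPTS    = 5;
const EXAMPLE_LLA_LOCKOUT_SECONDS = 900; // 15 minutes

/**
 * Transient key for the current client address.
 * REMOTE_ADDR is only meaningful when no reverse proxy sits in front of
 * the web server; behind one (slide 34), take the client IP from the
 * proxy's trusted header instead, or every visitor shares one counter.
 */
function example_lla_key(): string {
    $ip = isset( $_SERVER['REMOTE_ADDR'] )
        ? sanitize_text_field( wp_unslash( $_SERVER['REMOTE_ADDR'] ) )
        : 'unknown';
    return 'example_lla_' . md5( $ip );
}

// Count each failed login against the client address; the transient
// expires on its own after the lockout window.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = example_lla_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXAMPLE_LLA_LOCKOUT_SECONDS );
} );

// Once the threshold is reached, short-circuit authentication with a
// WP_Error. Priority 30 runs after core's username/password check (20),
// so the counter from wp_login_failed is already up to date.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( example_lla_key() ) >= EXAMPLE_LLA_MAX_ATTEMPTS ) {
        return new WP_Error(
            'example_lla_locked',
            'Wrong username or password.' // same generic text as slide 41
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( example_lla_key() );
} );
```

The other items on slide 38 are wp-config.php settings rather than code: `define( 'DISALLOW_FILE_EDIT', true );` removes the theme and plugin editors from the dashboard, and `define( 'DISALLOW_FILE_MODS', true );` additionally blocks installing or updating plugins and themes through the admin, so updates must then be applied by deploy tooling. Transients live in the options table by default, so a persistent object cache (or a per-IP counter in the firewall from slides 44-48) is the better place for this logic on a high-traffic site.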
