Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

WordPress Security for Beginners

2,954 views

Published on

Security can seem intimidating and complex for many of us, but we shouldn’t (can’t) let that stop us from making sure we’re doing everything we can to secure our WordPress sites. After all, our websites are often part of our livelihood.

In this session Adam will discuss the “big picture” of website security and break down the fundamental tasks needed for a strong security plan, in order of importance. Adam will provide an actionable checklist on what you can start doing today to better secure your WordPress websites.

After attending this session, audience members will have a better understanding of website security as a whole and what steps they can take to mitigate risk. Attendees will be able to start building their WordPress security master plan immediately.

Published in: Internet

WordPress Security for Beginners

  1. 1. @ S I T E L O C K@ S I T E L O C K WordPress Security for Beginners Simple Steps to Build Your Master Plan Wo r d C a m p L o u i s v i l l e 2 0 1 6
  2. 2. @ S I T E L O C K Did You Know? • There are 3.26 billion internet users as of December 2015; that’s over 40% of the world population. • Only 44% of web traffic is from humans; 56% of web traffic is from bots, impersonators, hacking tools, scrapers and spammers.
  3. 3. @ S I T E L O C K What We’ll Cover Today • Why and How Websites Get Hacked • What We All Should Be Doing • Going Above and Beyond • After the Hack
  4. 4. @ S I T E L O C K Adam W. Warner • WordPress Evangelist at SiteLock • Co-Founder at FooPlugins • Discovered WordPress in 2005 • WordPress Community Addict • Fan of Fractals • Lover of Meatballs • Proud Dad!
  5. 5. @ S I T E L O C K Hacking Techniques • Vulnerability scanning • Server disruption • Monetary loss • Information leaks • Vandalism (defacement)
  6. 6. @ S I T E L O C K Why Websites Get Hacked • Drive-by-downloads • Redirections • System resources • Because they don’t like you
  7. 7. @ S I T E L O C K Why MY Site!?
  8. 8. @ S I T E L O C K Opportunity • It’s not you, it’s them • Because it’s possible • Because we give them an opening
  9. 9. @ S I T E L O C K Automation • Most hacking attempts are automated
  10. 10. @ S I T E L O C K How Websites Get Hacked • 41% get hacked through vulnerabilities in their hosting platform • 29% by means of an insecure theme • 22% via a vulnerable plugin • 8% because of weak passwords
  11. 11. @ S I T E L O C K Two Categories of Security
  12. 12. @ S I T E L O C K Access Controls
  13. 13. @ S I T E L O C K Software Vulnerabilities • Anywhere there is a system, there’s a potential software vulnerability waiting to be exploited
  14. 14. @ S I T E L O C K What Do Hacks Look Like?
  15. 15. @ S I T E L O C K Where Do You Start? • With yourself of course
  16. 16. @ S I T E L O C K Simple Steps for Everyone
  17. 17. @ S I T E L O C K Strong Passwords: Everywhere
  18. 18. @ S I T E L O C K Reusing Passwords
  19. 19. @ S I T E L O C K Even More About Passwords
  20. 20. @ S I T E L O C K Password Managers • LastPass • Dashlane • Roboform • TrueKey
  21. 21. @ S I T E L O C K Your Computer
  22. 22. @ S I T E L O C K Public Networks Use a VPN. Please!
  23. 23. @ S I T E L O C K Don’t Change Core
  24. 24. @ S I T E L O C K Backup. Backup. Backup.
  25. 25. @ S I T E L O C K Update. Update. Update.
  26. 26. @ S I T E L O C K Remove Inactive Software
  27. 27. @ S I T E L O C K Install Software Only from Official Sources
  28. 28. @ S I T E L O C K Choose a Secure Host https://wordpress.org /hosting/
  29. 29. @ S I T E L O C K Latest Version of PHP
  30. 30. @ S I T E L O C K Admin Usernames and Nicenames
  31. 31. @ S I T E L O C K Security Plugins and Services
  32. 32. @ S I T E L O C K SSL
  33. 33. @ S I T E L O C K Kick It Up a Notch
  34. 34. @ S I T E L O C K Limit Login Attempts • Limit Login Attempts • Login Lockdown
  35. 35. @ S I T E L O C K 2FA (Two-Factor Authentication)
  36. 36. @ S I T E L O C K Clef
  37. 37. @ S I T E L O C K File Permissions
  38. 38. @ S I T E L O C K Default Table Prefix
  39. 39. @ S I T E L O C K .htaccess and wp-config.php
  40. 40. @ S I T E L O C K Authentication Keys and Salts
  41. 41. @ S I T E L O C K Disable PHP Execution
  42. 42. @ S I T E L O C K Disable File Editing
  43. 43. @ S I T E L O C K Secure wp-config.php
  44. 44. @ S I T E L O C K Disable XML-RPC?
  45. 45. @ S I T E L O C K Learn More https://codex.wordpress.org /Hardening_WordPress
  46. 46. @ S I T E L O C K Install a Firewall
  47. 47. @ S I T E L O C K (CDN) Content Delivery Network
  48. 48. @ S I T E L O C K How to Detect a Hacked Site • Visit your site often • Search for your site • Unexplained spikes in traffic • Investigate customer/visitor reports • continued…
  49. 49. @ S I T E L O C K Detect a Hacked Site (con’t…) • Google Search Console (email alerts) • Remote scanner • Malware scanner • Source code scanner • Service that detects site changes
  50. 50. @ S I T E L O C K What To Do If You’re Hacked
  51. 51. @ S I T E L O C K Clean It Yourself
  52. 52. @ S I T E L O C K Use a Service • Security is their core business • Cleans files, databases, backdoors, etc. • Remove malware warnings • Remove from blacklists • Helps services learn for the benefit of all
  53. 53. @ S I T E L O C K What To Do After Cleanup • Change ALL passwords • Change WP secret keys and salts • Read this again: h tt p s : / / c o d e x .w o r d p r e s s . o r g / H a r d e n i n g _ Wo r d P r e s s
  54. 54. @ S I T E L O C K Now What?
  55. 55. @ S I T E L O C K Thank You – Questions? • Follow at: • @SiteLock • @wpmodder • SlideShare • http://www.slideshare.net/wpprobusiness • My Blog Posts: • http://wpdistrict.sitelock.com • http://adamwwarner.com

×