WordPress Security Best Practices 8/1/2015

Upload: wesley-green

Post on 26-Dec-2015


TRANSCRIPT

WordPress Security Best Practices

8/1/2015

Please Ask Questions!

Hacks In The News

Office of Personnel Management (OPM)

Flash vulnerabilities

Sony

Heartbleed

iCloud leaked pictures

Home Depot/Target credit card loss

NSA metadata

Security Math

Security x Convenience = Constant

Some security issues are out of your hands

Why Does WordPress Get Hacked?

Widely Used

Thousands of plugins, which are not monitored from a single source

Same reasons Windows gets hacked more

What Happens When Your Site Gets Hacked

Spam links

Infect other sites

Political messages


Security Helps SEO


Basic Steps


Keep WordPress And Plugins Updated

Also remove plugins and themes you’re not using

Protect Your Login

Weak or common passwords

Brute force attack

Adobe Password Leak

Last summer, Adobe lost 150 million passwords

The passwords had flaws in their encryption that let hackers easily reverse engineer the password list

Top 100 Most Common Passwords

http://stricture-group.com/files/adobe-top100.txt

Improve Password Security

Use a password with upper case, lower case, numbers and symbols

Use at least 9 characters

Do not use a word that is found in a dictionary

Use a separate password for all of your sites

Protect Your Login

Do not use “admin” as your admin name

Use a password manager like LastPass or Roboform to generate and store passwords

Use SFTP and not FTP

Be Aware of Insecure Access

Increase Password Security

Use Two Factor Authentication

Google Authenticator

Use A VPN (Virtual Private Network)

Check your home router to see if it has this functionality built in

Keep Your Sites Up To Date

Google Webmaster Tools

Early warning system

Will also give you SEO tips

Include Security Plugin

Stop brute force password attacks

Scan for core code changes

Notification of out of date WP and plugins

Block entire countries

Takes care of a lot of manual blocking

Other Quick Tips

Change default database table prefix from wp_

Change your authentication keys in wp-config.php (https://api.wordpress.org/secret-key/1.1/salt/)

Advanced Steps

What Is SSL

https://www.youtube.com/watch?v=dsuVPxuU_hc

Paid

Cheap - Comodo

Expensive - Verisign

Free

Comodo (for 90 days)

EFF's https://www.eff.org/encrypt-the-web (out in September)

startssl.com (free for personal use)

Self signed (just for security)

Make Sure WordPress Knows To Use SSL

Force SSL login directive in wp-config.php

WordPress HTTPS (SSL) plugin: hasn't been updated in a while, but it is a pretty simple plugin

Brief Overview Of WordPress File Structure

/ (the root)
/wp-admin/
/wp-includes/
/wp-content/
    /themes
    /plugins
    /uploads
    /upgrade

Check Your Permissions

Only allow the web server to read and write, everyone else can only read

Files 664

Directories 755

Stupid .htaccess Tricks

Stop Key Files From Executing

.htaccess (in /wp-content/uploads and /wp-includes):

<Files *.php>
deny from all
</Files>

Stop Key Files From Executing

.htaccess (protecting wp-config.php):

<files wp-config.php>
order allow,deny
deny from all
</files>

Restrict Dashboard And Posting To Specific IP Address

.htaccess (wp-login.php, xmlrpc.php, wp-admin; look up your own address at WhatIsMyIP.com):

<Files wp-login.php>
order deny,allow
deny from all
Allow from xx.xxx.xxx.xxx
</Files>
<files xmlrpc.php>
order deny,allow
deny from all
Allow from xx.xxx.xxx.xxx
</files>

What To Do If Your WordPress Site Is Hacked?

Use A CDN (Content Distribution Network)

Speeds up your site

Visitors get something even if your site is down

Revert To Backup

Hosting provider

BackUpWordPress

VaultPress

WP-DB-Backup

3-2-1 Strategy

Cleaning Up

Back up what you have, including the database, and move it offline.

Completely replace wp-admin and wp-includes.

Re-install all plugins from the source.

Check all of the files in your theme.

Delete everything else.
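Added example (not from the talk and not code from WordPress or any plugin): a small Python baseline-and-compare scanner that does the "scan for core code changes" job from the security-plugin slide and backs up the cleanup step of replacing wp-admin and wp-includes, by hashing both directories after a clean install and reporting what was added, removed or edited since. The site layout and file names in demo() are constructed for the example.

```python
import hashlib
import tempfile
from pathlib import Path

# Core directories the talk says to replace wholesale after a compromise. They
# only change when WordPress itself is updated, so a hash baseline taken right
# after an update is a cheap detector for "core code changes".
CORE_DIRS = ("wp-admin", "wp-includes")

def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(site_root, dirs=CORE_DIRS):
    """Map every file under the core dirs (site-relative path) to its SHA-256."""
    root = Path(site_root)
    manifest = {}
    for d in dirs:
        for p in sorted((root / d).rglob("*")):
            if p.is_file():
                manifest[p.relative_to(root).as_posix()] = sha256_of(p)
    return manifest

def diff_manifest(baseline, current):
    """Return (added, removed, changed) paths; anything non-empty needs a look."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    return added, removed, changed

def demo():
    """Constructed fake site: take a baseline, then tamper with it and re-scan."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        for d in CORE_DIRS:
            (root / d).mkdir()
        (root / "wp-includes" / "functions.php").write_text("<?php // constructed core file\n")
        (root / "wp-admin" / "index.php").write_text("<?php // constructed admin file\n")
        baseline = build_manifest(root)
        # What a compromise usually leaves behind: an edited core file and an
        # extra PHP file that no WordPress update shipped (constructed name).
        (root / "wp-includes" / "functions.php").write_text("<?php // constructed core file\n// edited\n")
        (root / "wp-admin" / "extra-constructed.php").write_text("<?php // not from WordPress\n")
        return diff_manifest(baseline, build_manifest(root))
```

On a real site, run build_manifest() against the document root straight after each update, store the result off the server, and compare on a schedule; a non-empty result is the cue to replace wp-admin and wp-includes as the cleanup slide says.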

Questions?

Thank You

[email protected]

Twitter.com/ccondray

479-966-9575

8/1/2015