8/1/2015
Please ask questions!

Hacks In The News
Office of Personnel Management (OPM)
Flash vulnerabilities
Sony
Heartbleed
iCloud leaked pictures
Home Depot/Target credit card loss
NSA metadata
Why Does WordPress Get Hacked?
Widely used
Thousands of plugins that are not monitored from any single source
Same reasons Windows gets hacked more
Adobe Password Leak
Last summer, Adobe lost 150 million passwords.
The passwords had flaws in their encryption that let hackers easily reverse engineer the password list.
Top 100 Most Common Passwords
http://stricture-group.com/files/adobe-top100.txt
Improve Password Security
Use a password with upper case, lower case, numbers and symbols
Use at least 9 characters
Do not use a word that is found in a dictionary
Use a separate password for each of your sites
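An added example, not from the original deck, that turns the four rules above into a check you can run against candidate passwords, plus a reuse check for the "separate password for each site" rule. The COMMON_PASSWORDS set is a constructed stand-in for the linked top-100 file (its contents are not reproduced here), and the function names are my own.

```python
import re
import string

# Constructed stand-in for the linked top-100 list (not the file's contents).
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "abc123", "123456789",
    "111111", "iloveyou", "adobe123", "letmein", "welcome", "photoshop",
}

MIN_LENGTH = 9  # the slide's "at least 9 characters"


def check_password(password: str, common=COMMON_PASSWORDS) -> list:
    """Return the rules the password fails; an empty list means it passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        failures.append("no upper-case letter")
    if not any(c.islower() for c in password):
        failures.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        failures.append("no digit")
    if not any(c in string.punctuation for c in password):
        failures.append("no symbol")
    # Dictionary check: look at both the raw password and its letters-only
    # core, so "Password1!" is still caught as the word "password".
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in common or (core and core in common):
        failures.append("common or dictionary word")
    return failures


def shared_passwords(site_passwords: dict) -> dict:
    """Map each password used for more than one site to the sites sharing it."""
    by_password = {}
    for site, pw in site_passwords.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    for candidate in ("123456", "Password1!", "Tr0ub4dor&3xyz"):
        print(candidate, "->", check_password(candidate) or "ok")
    print(shared_passwords({"blog": "Tr0ub4dor&3xyz", "mail": "Tr0ub4dor&3xyz"}))
```

The letters-only core check matters because appending a digit and a symbol to a dictionary word satisfies the character-class rules while leaving the password in every cracking wordlist; in practice you would swap the constructed set for the full top-100 file or a larger wordlist.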
Protect Your Login
Do not use “admin” as your admin name
Use a password manager like LastPass or Roboform to generate and store passwords
Use SFTP and not FTP
Use A VPN (Virtual Private Network)
Check your home router to see if it has this functionality built in
Include Security Plugin
Stop brute force password attacks
Scan for core code changes
Notification of out-of-date WP and plugins
Block entire countries
Takes care of a lot of manual blocking
Other Quick Tips
Change the default database table prefix from wp_
Change your authentication keys in wp-config.php (https://api.wordpress.org/secret-key/1.1/salt/)
What Is SSL
https://www.youtube.com/watch?v=dsuVPxuU_hc
Paid
Cheap - Comodo
Expensive - Verisign
Free
Comodo (for 90 days)
EFF's https://www.eff.org/encrypt-the-web, out in September
startssl.com (free for personal use)
Self-signed, just for security
Make Sure WordPress Knows To Use SSL
Force SSL login directive in wp-config.php
WordPress HTTPS (SSL) plugin: hasn't been updated in a while, but it is a pretty simple plugin
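An added example, not from the deck or from WordPress itself, that produces the wp-config.php lines behind the "Other Quick Tips" slide (fresh authentication keys, a non-default table prefix) and this slide's force-SSL directive in one go, so the salts can be generated offline instead of fetched from api.wordpress.org. The eight constant names, FORCE_SSL_ADMIN (WordPress's constant for forcing SSL on login and the dashboard) and the letters/digits/underscore rule for $table_prefix are WordPress's own; the 64-character length, the function names and the sample prefix are my assumptions.

```python
import re
import secrets
import string

# The eight key/salt constants WordPress reads from wp-config.php. The names
# are WordPress's own; the api.wordpress.org endpoint emits the same eight.
KEY_NAMES = (
    "AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
    "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT",
)

# Printable ASCII minus quote and backslash, so each value can sit inside a
# single-quoted PHP string without escaping.
ALPHABET = "".join(
    c for c in string.digits + string.ascii_letters + string.punctuation
    if c not in "'\\"
)

# WordPress only accepts letters, digits and underscores in $table_prefix.
PREFIX_RE = re.compile(r"^[A-Za-z0-9_]+$")


def random_key(length: int = 64) -> str:
    """One key from the OS CSPRNG via secrets; 64 characters is an assumed length."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generate_keys() -> dict:
    """Fresh values for all eight constants; regenerating them logs every user out."""
    return {name: random_key() for name in KEY_NAMES}


def hardening_snippet(table_prefix: str = "wp_", keys: dict = None) -> str:
    """Render the lines to paste into wp-config.php (keys, SSL, table prefix)."""
    if not PREFIX_RE.match(table_prefix):
        raise ValueError("table prefix may only contain letters, digits and underscores")
    keys = keys or generate_keys()
    lines = [f"define('{name}', '{value}');" for name, value in keys.items()]
    # Force HTTPS for wp-login.php and the whole dashboard.
    lines.append("define('FORCE_SSL_ADMIN', true);")
    lines.append(f"$table_prefix = '{table_prefix}';")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(hardening_snippet("wp7k_"), end="")  # 'wp7k_' is a constructed sample prefix
```

Two caveats when applying the output: new keys invalidate every existing cookie, so all users are logged out, and changing $table_prefix on an already-installed site only takes effect after the database tables themselves are renamed to match; on a fresh install it is just this line.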
Brief Overview Of WordPress File Structure
/ (the root)
/wp-admin/
/wp-includes/
/wp-content/
  /themes
  /plugins
  /uploads
  /upgrade
Check Your Permissions
Only allow the web server to read and write; everyone else can only read
Files: 664
Directories: 755
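An added example, not from the deck, that audits a WordPress tree against the 664/755 targets above and optionally fixes what it finds, reporting every entry that deviates rather than blindly chmod-ing. The paths and modes in perms_demo() are a constructed throwaway tree, and the function names are my own.

```python
import os
import shutil
import stat
import tempfile

FILE_MODE = 0o664  # owner and group (the web server) read/write, others read
DIR_MODE = 0o755   # owner full, group and others read and traverse


def audit_permissions(root: str) -> list:
    """List (path, actual_mode, expected_mode) for every entry off the 664/755 target."""
    problems = []

    def check(path, expected):
        mode = stat.S_IMODE(os.lstat(path).st_mode)
        if mode != expected:
            problems.append((path, mode, expected))

    check(root, DIR_MODE)
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):  # never chase symlinks out of the tree
                check(path, DIR_MODE)
        for name in filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                check(path, FILE_MODE)
    return problems


def fix_permissions(root: str) -> int:
    """Apply the target mode to every flagged entry; return how many were changed."""
    problems = audit_permissions(root)
    for path, _actual, expected in problems:
        os.chmod(path, expected)
    return len(problems)


def perms_demo() -> dict:
    """Constructed tree with sloppy modes: audit, fix, audit again."""
    root = tempfile.mkdtemp(prefix="wp-perms-")  # mkdtemp creates it as 0700
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    for rel in ("wp-config.php", "wp-content/uploads/image.jpg"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("constructed sample\n")
    os.chmod(os.path.join(root, "wp-config.php"), 0o777)  # world-writable: bad
    os.chmod(uploads, 0o777)
    before = len(audit_permissions(root))
    changed = fix_permissions(root)
    after = len(audit_permissions(root))
    shutil.rmtree(root)
    return {"before": before, "changed": changed, "after": after}


if __name__ == "__main__":
    print(perms_demo())
```

Run audit_permissions() first and read the list before calling fix_permissions(); the 664/755 pair assumes the web server runs as the file owner or group, and many administrators give wp-config.php, which holds the database credentials, a tighter mode than the general 664 rule.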
Stop Key Files From Executing
.htaccess (/wp-content/uploads, /wp-includes):
<Files *.php>
deny from all
</Files>
Stop Key Files From Executing
.htaccess (wp-config.php):
<Files wp-config.php>
order allow,deny
deny from all
</Files>
Restrict Dashboard And Posting To Specific IP Address
.htaccess (wp-admin):
<Files wp-login.php>
order deny,allow
deny from all
allow from xx.xxx.xxx.xxx
</Files>
<Files xmlrpc.php>
order deny,allow
deny from all
allow from xx.xxx.xxx.xxx
</Files>
Find your IP address at WhatIsMyIP.com
Use A CDN (Content Distribution Network)
Speeds up your site
Visitors get something even if your site is down
Cleaning Up
Back up what you have, including the database, and move it offline.
Completely replace wp-admin and wp-includes.
Re-install all plugins from the source.
Check all of the files in your theme.
Delete everything else.
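An added example, not from the deck or any security plugin, of the "scan for core code changes" idea from the security-plugin slide applied to the clean-up steps above: hash every file under a known-clean copy (fresh wp-admin, wp-includes, plugins from source) into a baseline manifest, then diff the live tree against it so edited core files and unexpected additions in places like uploads stand out before you decide what to keep. The two-file site in integrity_demo() is constructed, and the function names are my own.

```python
import hashlib
import os
import shutil
import tempfile


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large uploads do not load into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each relative file path under root to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = hash_file(full)
    return manifest


def compare(baseline: dict, current: dict) -> dict:
    """Classify the live tree against the clean baseline: added, removed, modified."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(
            p for p in baseline.keys() & current.keys() if baseline[p] != current[p]
        ),
    }


def integrity_demo() -> dict:
    """Constructed scenario: a clean copy versus a tampered live copy of a tiny site."""
    clean = tempfile.mkdtemp(prefix="wp-clean-")
    live = tempfile.mkdtemp(prefix="wp-live-")
    files = {
        "wp-includes/functions.php": "<?php // pristine core file (constructed)\n",
        "wp-content/themes/mytheme/header.php": "<?php // theme header (constructed)\n",
    }
    for root in (clean, live):
        for rel, body in files.items():
            path = os.path.join(root, rel)
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "w") as fh:
                fh.write(body)
    # Tamper with the live copy only: one core file edited, one file that
    # should not exist dropped into uploads.
    with open(os.path.join(live, "wp-includes", "functions.php"), "a") as fh:
        fh.write("// extra line (constructed)\n")
    os.makedirs(os.path.join(live, "wp-content", "uploads"))
    with open(os.path.join(live, "wp-content", "uploads", "unexpected.php"), "w") as fh:
        fh.write("<?php // file that should not be here (constructed)\n")
    report = compare(build_manifest(clean), build_manifest(live))
    shutil.rmtree(clean)
    shutil.rmtree(live)
    return report


if __name__ == "__main__":
    print(integrity_demo())
```

Build the baseline from the fresh download, not from the compromised site, and store the manifest off the server; a PHP file appearing under uploads or a modified entry under wp-includes is exactly the kind of finding that decides what goes into the "delete everything else" step.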