Don't Get Hacked: WordPress Security Best Practices
TRANSCRIPT
[email protected] | WWW.SIMDEX.ORG | 414.455.6675
DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES
GEOFF MYERS PRESENTS
BEFORE WE BEGIN…
THIS PRESENTATION IS AVAILABLE ONLINE:
simdex.org/security
Get In Touch:
414.455.6675
ANNOUNCEMENTS
▸ WordPress Page Builders for Non-Developers (Create Visual Layouts Without Code), Tuesday, August 30 @ 9:00am to 11:00am, C2 Graphics Productivity Solutions
▸ WordCamp Milwaukee, Saturday, September 17 to Sunday, September 18, UW-Milwaukee School of Continuing Education
▸ Looking for additional speakers, venues, topics, ideas, etc. Share your ideas on Meetup, email [email protected], or call 414.455.6675
ABOUT GEOFF MYERS
▸ Founded SimDex Consulting, Inc. in 2004
▸ Web Solutions for Small + Medium Sized Businesses
▸ Digital Marketing Consultant + Strategist
▸ 10+ Years as Full Stack Web Designer + Developer
▸ 5+ Years of WordPress Development Experience
▸ 50+ WordPress Sites Built, Maintained + Marketed
▸ Academic Background in Computer Science
▸ Get In Touch: [email protected] or simdex.org or 414.455.6675
WORDPRESS MAINTENANCE PLAN FROM SIMDEX
How You Benefit:
▸ We Do Everything For You
▸ Unlimited Minor Changes + Revisions
▸ 24 Hour Response Time Guaranteed
▸ Your Total Peace of Mind
▸ Monthly Phone Consultations
▸ No Hourly Fees or Additional Costs
WORDPRESS MAINTENANCE PLAN FROM SIMDEX
Features + Services Included:
▸ Backups
▸ Monitoring
▸ Speed
▸ Changes
▸ Reports
▸ Support
▸ Consulting
▸ Security
▸ Updates
WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 1)
▸ Low security = high risk
▸ Financial loss, debt, bankruptcy
▸ Legal liability, personal liability
▸ Privacy breach, violation
▸ Data theft, loss, corruption
▸ Damage to professional brand, reputation, customer trust
▸ Bad for business, bad for customers, bad for everyone
WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 2)
▸ 86% of all websites tested by WhiteHat Sentinel had at least one serious* vulnerability, and most of the time, far more than one – 56% to be precise.
▸ On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification.
▸ Insufficient transport layer protection is the most likely vulnerability across vertical industries including retail trade, health care/social assistance, information technology and financial/insurance, with a range of 65-76% likelihood.
▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 3)
▸ Organizations that are compliance-driven to remediate vulnerabilities have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).
▸ Organizations that have made the vulnerability feed-to-development process connection exhibited roughly 40% fewer vulnerabilities, fixed issues nearly a month faster on average and increased remediation rates by 15%.
▸ Considering sites in health care, retail trade and finance were found to be “always vulnerable,” their remediation rates are relatively low at 20%, 21%, and 27% respectively.
▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
USEFUL DEFINITIONS (PART 1)
‣ Apache + NGINX = Web Server Software
‣ CDN = Content Delivery / Distribution Network
‣ DNS = Domain Name System
‣ DoS = Denial of Service Attack
‣ DDoS = Distributed DoS Attack
‣ Freemium = Free + Premium (Paid)
‣ HTTPS = Hypertext Transfer Protocol Secure
USEFUL DEFINITIONS (PART 2)
‣ MySQL = Relational Database Management System (RDBMS)
‣ OWASP = Open Web Application Security Project
‣ PHP = Server-Side Scripting Language
‣ SSL = Secure Sockets Layer (the deprecated predecessor of TLS; the name survives in terms like "SSL certificate")
‣ TLS = Transport Layer Security (the protocol that actually protects HTTPS connections today)
‣ WAF = Web Application Firewall
WHAT AFFECTS WEBSITE SECURITY?
‣ Network Infrastructure (Everything Between Client + Server)
‣ Web Browser / Client (Chrome, Firefox, Safari)
‣ Web Application (WordPress, etc.) ★
‣ Web Server (Configuration) ★
‣ Apache, NGINX, PHP, MySQL
‣ TLS / SSL Certificate
‣ Web Application Firewall (WAF)
GENERAL WORDPRESS SECURITY ADVICE + BEST PRACTICES
‣ Keep Software Updated (Use Latest Versions) ★
  ‣ WordPress Core + Themes + Plugins
  ‣ Apache / NGINX + PHP + MySQL
‣ Regularly Save Backups ★
‣ Harden Software Configuration
‣ Use HTTPS + TLS / SSL Certificate
‣ Use Web Application Firewall (WAF)
FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 1)
▸ CloudFlare (DNS + CDN + TLS / SSL certificates + WAF) ★
▸ Let’s Encrypt (TLS / SSL certificates)
▸ Qualys SSL Labs (tests a server's TLS / SSL configuration and certificate) ★
▸ Quttera (scans for malware)
FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 2)
▸ StatusCake (monitors uptime) ★
▸ Sucuri SiteCheck (scans for malware) ★
▸ Uptime Robot (monitors uptime)
▸ VirusTotal (checks blacklists)
FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 1)
▸ Better Search Replace (global database search + replace)
▸ CloudFlare ★ (DNS, CDN, TLS / SSL, firewall, etc.)
▸ Easy Updates Manager ★ (automatic updates)
▸ iThemes Security ★ (many, many features)
FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 2)
▸ Jetpack by WordPress.com (automatic updates, firewall, uptime monitoring)
▸ Sucuri Security (malware scanner)
▸ UpdraftPlus ★ (automatic backup + restore)
▸ Wordfence Security (malware scanner, etc.)
CLOUDFLARE SECURITY FEATURES (PART 1)
▸ Reputation-based threat protection
▸ Comment spam protection
▸ Content scraping protection
▸ Block visitors by IP range
▸ Block visitors by country 💵
▸ Deploy collective intelligence to identify new threats
▸ Notify visitors on how to clean their infected machine
▸ Basic DDoS protection
CLOUDFLARE SECURITY FEATURES (PART 2)
▸ Web application firewall (WAF) 💵
▸ Built-in CloudFlare rule set 💵
▸ OWASP ModSecurity Core rule set 💵
▸ 3rd Party WAF rule sets 💵
▸ Custom WAF rule support 💵
▸ Advanced DDoS protection 💵
▸ Advanced DDoS support 💵
▸ BGP origin protection 💵
iTHEMES SECURITY PLUGIN FEATURES (PART 1)
▸ Prevents brute force attacks by banning hosts and users with too many invalid login attempts
▸ Scans your site for common weaknesses, reports where they are and offers to fix them
▸ Bans troublesome user agents, bots and other hosts
▸ Strengthens server security
▸ Enforces strong passwords for all accounts of a configurable minimum role
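The brute-force protection in the first bullet (and the "login security" Wordfence describes later) runs inside PHP and acts on each login attempt as it happens. Reading the web server's access log is the equivalent check when no plugin was installed, or when working out how a site was broken into. The following is an added example written for this page, not code from the presentation, iThemes or Wordfence; it is in Python so it can run against a log copied off the server. The log lines are constructed, and the threshold of five failures in five minutes is an assumption (iThemes makes both values configurable). The detection relies on one WordPress behaviour: a failed POST to wp-login.php gets an HTTP 200 (the form is re-rendered with an error), while a successful one gets a 302 redirect into wp-admin.

```python
"""Flag brute-force login attempts against wp-login.php in an access log.

Added example for this page, not code from the presentation, iThemes Security
or Wordfence. The log lines in SAMPLE_LOG are constructed. WordPress answers a
failed login with HTTP 200 (the form is shown again with an error) and a
successful login with a 302 redirect into wp-admin; that status code is what
separates failures from successes below.
"""
import re
import sys
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format, which is also the NGINX default access log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: one fast attack that eventually succeeds, one legitimate
# user with a single typo, and one slow attack spaced ten minutes apart.
SAMPLE_LOG = """\
203.0.113.7 - - [17/Sep/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2016:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2016:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
203.0.113.7 - - [17/Sep/2016:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.2 - - [17/Sep/2016:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3000 "-" "Mozilla/5.0"
198.51.100.2 - - [17/Sep/2016:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
198.51.100.2 - - [17/Sep/2016:10:01:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Sep/2016:09:00:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Sep/2016:09:10:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Sep/2016:09:20:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Sep/2016:09:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
192.0.2.9 - - [17/Sep/2016:09:40:00 +0000] "POST /wp-login.php HTTP/1.1" 200 4321 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]          # drop any query string
    return m.group("ip"), ts, m.group("method"), path, int(m.group("status"))


def find_brute_force(lines, max_failures=5, window_minutes=5):
    """Return {ip: {"failures": total, "success_after_failures": bool}} for every IP
    that produced max_failures failed logins inside any window of window_minutes.

    success_after_failures is True when the same IP got a 302 at or after the moment
    the threshold was crossed: the guessing most likely worked and that account's
    password has to be changed.
    """
    window = timedelta(minutes=window_minutes)
    events = defaultdict(list)                        # ip -> [(timestamp, status)]
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method == "POST" and path.endswith("/wp-login.php"):
            events[ip].append((ts, status))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        failures = [ts for ts, status in evs if status == 200]
        crossed_at = None
        for i, newest in enumerate(failures):
            # Count the failures in the window that ends at this attempt.
            in_window = sum(1 for t in failures[:i + 1] if newest - t <= window)
            if in_window >= max_failures:
                crossed_at = newest
                break
        if crossed_at is None:
            continue
        success_after = any(status == 302 and ts >= crossed_at for ts, status in evs)
        flagged[ip] = {"failures": len(failures), "success_after_failures": success_after}
    return flagged


if __name__ == "__main__":
    lines = open(sys.argv[1]).read().splitlines() if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    for ip, info in sorted(find_brute_force(lines).items()):
        print(f"{ip}: {info['failures']} failed logins, "
              f"password guessed: {'YES' if info['success_after_failures'] else 'no'}")
```

Two things to notice when running this against real logs. The slow attacker (192.0.2.9) is never flagged with the default window, which is exactly the gap a per-IP lockout leaves open; widening the window or adding a per-account count closes it. And when the site sits behind CloudFlare or any other reverse proxy, the address at the start of each line is the proxy's, not the visitor's, unless the web server has been configured to log the real client address from the CF-Connecting-IP (or X-Forwarded-For) header; without that, every attacker looks like CloudFlare and an IP lockout based on the log would block the proxy itself.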
iTHEMES SECURITY PLUGIN FEATURES (PART 2)
▸ Forces SSL for admin pages (on supporting servers)
▸ Forces SSL for any page or post (on supporting servers)
▸ Turns off file editing from within WordPress admin area
▸ Detects and blocks numerous attacks to your filesystem and database
▸ Detects bots and other attempts to search for vulnerabilities
iTHEMES SECURITY PLUGIN FEATURES (PART 3)
▸ Monitors filesystem for unauthorized changes
▸ Run a scan for malware and blacklists on the homepage of your site
▸ Receive email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed
▸ Changes the URLs for WordPress dashboard areas including login, admin and more
▸ Completely turns off the ability to login for a given time period (away mode)
iTHEMES SECURITY PLUGIN FEATURES (PART 4)
▸ Removes theme, plugin, and core update notifications from users who do not have permission to update them
▸ Removes Windows Live Write header information
▸ Removes RSD header information
▸ Renames "admin" account
▸ Changes the ID on the user with ID 1
iTHEMES SECURITY PLUGIN FEATURES (PART 5)
▸ Changes the WordPress database table prefix
▸ Changes wp-content path
▸ Removes login error messages
▸ Makes it easier for users not accustomed to WordPress to remember login and admin URLs by customizing default admin URLs
▸ Detects hidden 404 errors on your site that can affect your SEO such as bad links and missing images
WORDFENCE SECURITY PLUGIN FEATURES (PART 1)
▸ Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
▸ Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version.
▸ Block common security threats like fake Googlebots, malicious scans from hackers and botnets.
▸ Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
▸ Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report security threats to network owner.
WORDFENCE SECURITY PLUGIN FEATURES (PART 2)
▸ Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
▸ Choose whether you want to block or throttle users and robots who break your security rules.
▸ Premium users can also block countries and schedule scans for specific times and a higher frequency.
▸ Two-factor authentication (Wordfence calls it cellphone sign-in): log in with your password plus a code from your phone, the same approach banks, government agencies and the military use for high-assurance authentication.
WORDFENCE SECURITY PLUGIN FEATURES (PART 3)
▸ Enforce strong passwords among your administrators, publishers and users. Improve login security.
▸ Checks the strength of all user and admin passwords to enhance login security.
▸ Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
▸ Scans for the Heartbleed vulnerability (the 2014 OpenSSL bug, CVE-2014-0160); included in the free scan for all users.
▸ Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.
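The iThemes bullet "monitors filesystem for unauthorized changes" and the Wordfence bullet just above both come down to comparing what is on disk with what WordPress.org published. The following is an added example for this page, not the plugins' code: it checks an install against a manifest of MD5 sums in the shape WordPress.org serves at https://api.wordpress.org/core/checksums/1.0/?version=<version>&locale=<locale> (a JSON object whose "checksums" member maps each core file path to its MD5). So that it runs offline, demo() builds a small constructed install, derives the manifest from it, and then tampers with the files the way an intrusion would.

```python
"""Verify WordPress core files against a checksum manifest.

Added example for this page, not code from the presentation, Wordfence or
iThemes Security. WordPress.org publishes MD5 sums for every core release at
https://api.wordpress.org/core/checksums/1.0/?version=<ver>&locale=<locale>
as JSON of the form {"checksums": {"wp-includes/version.php": "<md5>", ...}}.
To run offline, demo() builds a constructed install and derives the manifest
from it before tampering with the files.
"""
import hashlib
import os
import tempfile

# wp-content/ (themes, plugins, uploads) is not covered by the core manifest,
# so only these two trees can be checked for files that should not exist.
CORE_ONLY_DIRS = ("wp-admin", "wp-includes")


def md5_file(path):
    """MD5 of a file, read in chunks so large files do not need to fit in memory."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Return {relative_path: md5} for every file under root (same shape as WordPress.org's)."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            manifest[os.path.relpath(full, root).replace(os.sep, "/")] = md5_file(full)
    return manifest


def verify_install(root, manifest):
    """Compare the install at root with manifest.

    Returns {"modified": [...], "missing": [...], "unexpected": [...]}. 'unexpected'
    lists files under wp-admin/ or wp-includes/ that the manifest does not mention;
    a dropped backdoor does not have to change any existing file, so this is the
    finding a plain hash comparison misses.
    """
    modified, missing, unexpected = [], [], []
    for rel, expected in manifest.items():
        full = os.path.join(root, *rel.split("/"))
        if not os.path.isfile(full):
            missing.append(rel)
        elif md5_file(full) != expected:
            modified.append(rel)
    for sub in CORE_ONLY_DIRS:
        for dirpath, _, files in os.walk(os.path.join(root, sub)):
            for name in files:
                rel = os.path.relpath(os.path.join(dirpath, name), root).replace(os.sep, "/")
                if rel not in manifest:
                    unexpected.append(rel)
    return {"modified": sorted(modified), "missing": sorted(missing),
            "unexpected": sorted(unexpected)}


def demo():
    """Constructed install: snapshot it, then simulate an intrusion and report."""
    root = tempfile.mkdtemp(prefix="wp-")
    files = {
        "index.php": b"<?php require __DIR__ . '/wp-blog-header.php';\n",
        "wp-includes/version.php": b"<?php $wp_version = '4.6';\n",
        "wp-admin/admin.php": b"<?php /* admin bootstrap */\n",
        "wp-content/themes/demo/functions.php": b"<?php // theme code, outside the manifest\n",
    }
    for rel, data in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
    # The real manifest does not list wp-content/, so drop it here too.
    manifest = {k: v for k, v in build_manifest(root).items()
                if not k.startswith("wp-content/")}
    # Simulated intrusion: append to a core file, drop a new file, delete a file.
    with open(os.path.join(root, "wp-includes", "version.php"), "ab") as f:
        f.write(b"// appended by attacker\n")
    with open(os.path.join(root, "wp-includes", "class-wp-cache.php"), "wb") as f:
        f.write(b"<?php // not a core file\n")
    os.remove(os.path.join(root, "wp-admin", "admin.php"))
    return verify_install(root, manifest)


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {', '.join(paths) or 'none'}")
```

For a real install, read the version from wp-includes/version.php, fetch the manifest for that version and locale, and hand the "checksums" object to verify_install(); WP-CLI's `wp core verify-checksums` performs the same comparison. Themes and plugins are outside the core manifest and need their own comparison against fresh copies from the plugin directory. Where possible run the check from a clean machine against a copy of the files: anything that executes on a compromised host can be lied to.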
WORDFENCE SECURITY PLUGIN FEATURES (PART 4)
▸ See how files have changed. Optionally repair changed files that are security threats.
▸ Scans for signatures of over 44,000 known malware variants.
▸ Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
▸ Continuously scans for malware and phishing URLs, including all URLs on the Google Safe Browsing List, in all your comments, posts and files.
▸ Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
WORDFENCE SECURITY PLUGIN FEATURES (PART 5)
▸ See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
▸ A real-time view of all traffic including automated bots that often constitute security threats and that JavaScript analytics packages never show you.
▸ Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
▸ Monitor your DNS security for unauthorized DNS changes.
WORDFENCE SECURITY PLUGIN FEATURES (PART 6)
▸ Monitors free disk space, since a disk filled up by an attack or by runaway logging takes the site down just as a denial of service does.
▸ Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
▸ WordPress Multisite (WordPress MU in older parlance) compatible.
▸ Includes the Falcon Engine page cache, which keeps web server disk and database activity to a minimum.
▸ Wordfence includes two caching modes for compatibility, plus cache management features such as clearing the cache and monitoring cache usage.
WORDFENCE SECURITY PLUGIN FEATURES (PART 7)
▸ Fully IPv6 compatible including all whois lookup, location, blocking and security functions.
▸ Includes support for other major plugins and themes like WooCommerce.
▸ The Wordfence website includes an in-depth WordPress Security Learning Center.
GEOFF’S WEBSITE SECURITY CHECKLIST (PART 1)
‣ Set up automated backups for WordPress files + database using UpdraftPlus
‣ Set up automated updates for WordPress core + themes + plugins using Easy Updates Manager
‣ Sign up for and enable CloudFlare
‣ Install a free TLS / SSL certificate from CloudFlare or Let’s Encrypt. A CloudFlare certificate only covers the visitor-to-CloudFlare leg; give the origin server its own certificate (Let’s Encrypt works) and set CloudFlare's SSL mode to Full (strict), otherwise the CloudFlare-to-origin leg is plain HTTP (Flexible) or unverified (Full)
GEOFF’S WEBSITE SECURITY CHECKLIST (PART 2)
‣ Change both URLs in WordPress Settings → General to use HTTPS instead of HTTP
‣ Force HTTPS on all web server resources using .htaccess
‣ Replace all website URL instances of HTTP with HTTPS using Better Search Replace plugin
‣ Install and configure iThemes Security plugin
‣ Install and configure Wordfence Security plugin OR sign up for Sucuri Security
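The search-and-replace step in this checklist is the one most often done wrong. WordPress stores many settings (widgets, theme options, post meta) as PHP serialize() output, in which every string carries its byte length: s:22:"http://example.com/foo";. A raw SQL UPDATE with REPLACE() swaps http:// for https:// but leaves the 22 in place, so unserialize() fails and the option silently falls back to its default. The following is an added example written for this page, not the Better Search Replace plugin's code; SAMPLE is a constructed wp_options-style value. It puts the naive replacement beside a length-aware one.

```python
"""Replace http:// with https:// in WordPress database content without
corrupting PHP-serialized values.

Added example for this page, not code from the presentation or from the Better
Search Replace plugin. SAMPLE is a constructed wp_options-style value. PHP's
serialize() writes every string as s:<byte length>:"<bytes>"; so a replacement
that changes a value's length must rewrite the length too, or unserialize()
rejects the whole value.
"""
import re

_STRING_HEADER = re.compile(rb's:(\d+):"')

# Constructed: an options array with two URLs and a value that contains the
# sequence "; which would confuse a scanner that looks for closing quotes.
SAMPLE = (b'a:3:{s:4:"home";s:22:"http://example.com/foo";'
          b's:4:"logo";s:31:"http://example.com/img/logo.png";'
          b's:4:"note";s:14:"Quote: "; end.";}')


def serialize_string(payload: bytes) -> bytes:
    """PHP serialize() form of a string: s:<len>:"<payload>";"""
    return b's:%d:"' % len(payload) + payload + b'";'


def naive_replace(data: bytes, old: bytes, new: bytes) -> bytes:
    """What SQL REPLACE(option_value, 'http://', 'https://') does: lengths untouched."""
    return data.replace(old, new)


def safe_replace(data: bytes, old: bytes, new: bytes) -> bytes:
    """Replace old with new everywhere, rewriting serialized string lengths.

    Every non-string token (a:N:{, i:N;, keys, braces) is copied through with a
    plain replace. For each s:N:" header the declared N cuts out the payload
    exactly, so quotes and semicolons inside a value cannot mislead the scanner.
    Payloads are processed recursively, which handles doubly serialized data.
    Plain (unserialized) values never contain a valid header and fall through to
    an ordinary replace.
    """
    out = bytearray()
    pos = 0
    while True:
        m = _STRING_HEADER.search(data, pos)
        if m is None:
            out += data[pos:].replace(old, new)
            return bytes(out)
        length = int(m.group(1))
        start, end = m.end(), m.end() + length
        if data[end:end + 2] != b'";':
            # Looked like a header, but the length does not line up with a closing
            # "; so this is ordinary text. Copy it and keep scanning.
            out += data[pos:m.end()].replace(old, new)
            pos = m.end()
            continue
        out += data[pos:m.start()].replace(old, new)
        out += serialize_string(safe_replace(data[start:end], old, new))
        pos = end + 2


def lengths_consistent(data: bytes) -> bool:
    """True when every s:N:"..." in a serialized value declares its real payload length."""
    pos = 0
    while True:
        m = _STRING_HEADER.search(data, pos)
        if m is None:
            return True
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            return False
        pos = end + 2


if __name__ == "__main__":
    broken = naive_replace(SAMPLE, b"http://", b"https://")
    fixed = safe_replace(SAMPLE, b"http://", b"https://")
    print("naive:", broken.decode(), "->", "OK" if lengths_consistent(broken) else "CORRUPT")
    print("safe :", fixed.decode(), "->", "OK" if lengths_consistent(fixed) else "CORRUPT")
```

Better Search Replace and WP-CLI's `wp search-replace` both get this right by unserializing, replacing and re-serializing; the point of the example is to show what goes wrong otherwise. Either way, take a backup first (step 1 of this checklist) and run the replacement over the whole database, not just wp_posts: wp_options and wp_postmeta are where the serialized values live. Lengths are byte counts, which is why the example works on bytes rather than str; a multibyte character in a value counts as two or more.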
HELP! I’VE BEEN HACKED… NOW WHAT?!
▸ Post-Hack Cleanup Options (easiest to hardest):
1. Restore a pre-hack backup, then apply all pending updates and change the WordPress, hosting and database passwords before going live again; the backup brings the site back but does nothing about the hole the attacker used
2. Sign Up for Sucuri
3. Pay a Professional like SimDex
4. Scan + Clean It Yourself
ADDITIONAL ARTICLES + RESOURCES (PART 1)
▸ Hardening WordPress (from WordPress.org)
▸ Hardening WordPress Security: 25 Essential Plugins + Tips (from Hongkiat)
▸ The WordPress Security Learning Center (from Wordfence)
▸ WordPress Security (from iThemes)
ADDITIONAL ARTICLES + RESOURCES (PART 2)
▸ WordPress Security (from Yoast)
▸ WordPress Security: The Ultimate Guide (from WPMU DEV)
▸ WordPress Security Tutorial (from SiteGround)
THAT’S IT FOR NOW…
THANK YOU!
Questions? Get In Touch:
414.455.6675