intro to security (beginner's edition) wordcamp st. louis 2015
TRANSCRIPT
INTRO TOSECURITY
(BEGINNERS EDITION)Michele Butcher
CantSpeakGeek.com WPSecurityLock.com
@Michele_Butcher
Slides can be found at http://mlb.pw/wcstl2015
MICHELE BUTCHER• WordPress Specialist, Site
Cleaner, and Trainer for WP Security Lock
• WordPress Specialist for Megabytes Inc
• One Woman Wonder at Can’t Speak Geek
@michele_butcher
WHY DO HACKERS HACK?• Make bank
• Build a zombie site army
• Share their nasty malware with the world
• Get your information
• They are bored
• They want to see if they can do it@michele_butcher
WHY ARE THESE PEOPLE ATTACKING ME?
Anymore, it is not people but bots attacking your site. Hackers have programs that do the work for them.
Rarely is it people doing the hacking unless it is targeted. Strong opinion sites are a good example.
@michele_butcher
HOW DO THEY GET IN?• Guess your login. If you know it so can someone else. (Brute
force attack or man in the middle)
• Denial of Service attack (DDoS) flood your site with more traffic than it can handle
• Through a theme, file or plugin
• Through your FTP or CPanel. (Files set to read, write,execute. Brute force, anonymous login, shared hosting infection)
@michele_butcher
EVEN A TEST SITE OR A KNITTING SITE WITH ONLY 2 VISITORS CAN BE HACKED. IT CAN HAPPEN TO YOUR SITE.
@michele_butcher
It has happened to me, it can happen to you.
NEVER FEAR…THERE ARE WAYS TO KEEP THE
HACKER ATTACKERS OUT!
@michele_butcher
I promise it is not all that painful!
ALWAYS CHANGE YOUR PREFIX NAME FROM WP_ LET IT BE ANYTHING
OTHER THAN WP_FDHSFJKHS_ IS ALWAYS GOOD
I typically do not even look at what I am typing anymore when I make the WP prefix. The random the better.
@michele_butcher
Only give them access to what they NEED not what they want.
Just because they want to be an admin does not automatically make them one.
Guest bloggers should not be anymore than a contributor.
If it is only a temporary login, delete their login when they have completed their job.
If they have posts on your site, you can knock them down to subscribers so they can not change anything on your site.
If they are only doing work, delete them when their job is done.
Set up a file change detection notification to know what they are
changing in your site.
iThemes Security and other security plugins give you the option to see what all users are
doing when logged into the dashboard.
ITHEMES SECURITY PRO
Great all encompassing best practices WordPress security plugin.
Two versions a free and a premium.
http://ithemes.com/security
@michele_butcher
BRUTE PROTECT
If you are mainly worried about DDoS attacks, Brute Protect has you covered.
http://bruteprotect.com
@michele_butcher
WHO CAN SCAN MY SITE FOR MALWARE?
Google Webmaster Tools http://google.com/webmaster
VirusTotal https://virustotal.com
iThemes Security Pro htttp://ithemes.com/security
@michele_butcher
NEED AN EXTRA EYE ON YOUR SITE?
CloudFlare has a free and premium version.http://cloudflare.com
@michele_butcher
UPDATE!UPDATE!UPDATE!
Update core, update plugins, update themes, update content, update everything and update often!
The biggest source of nearly all hacks as once something is patched, it is trivial to get into the old
stuff.
@michele_butcher
IF YOU USE THEMES OR PLUGINS AT ANY OF THE ENVATO (THEMEFOREST, CODE CANYON)
ALWAYS CHECK THE BOX TO BE NOTIFIED OF UPDATES. THEY WILL NOT TELL YOU OTHERWISE
This is why the RevSlider SoakSoak infection was so widespread. Many didn't know the plugin was built within the theme.
HAVE A MINIMALIST APPROACH TO PLUGINS AND THEMES.
• Only have the plugins you are using at that time on your site. You can always upload them again later.
• Only have your theme you are using on your site.
• If something is not active, delete it.
@michele_butcher
BACK UP YOUR SITE!
SOMEWHERE, ANYWHERE, JUST HAVE A BACKUP COPY.
BackupBuddy from iThemes is a great choice.
iThemes Security will do a database backup for you.
http://ithemes.com/backupbuddy
@michele_butcher
ALWAYS BACK UP TO SOMEPLACE OTHER THAN YOUR SERVER. IF THE SERVER GETS HACKED, SO DOES YOUR
BACKUP.
EVEN BACKING A COPY TO DROPBOX OR YOUR COMPUTER IS A BETTER OPTION.
@michele_butcher
DON’T LET YOUR SITE GET LONELY.
Lonely sites can turn into zombie sites and nobody wants a zombie
@michele_butcher
IF YOUR WEBSITE GET HACKED IT IS NOT THE END OF THE WORLD.
IT CAN AND WILL BE FIXED.
@michele_butcher
WHO CLEANS HACKED WEBSITES?
Well I do over at WP Security Lock ~Smile~
http://wpsecuritylock.com
I apologize… had to do one shameful plug.
@michele_butcher
ALWAYS USE COMPLEX PASSWORDS. ALWAYS!
FOR EVERYTHING!
“PASSWORD” IS NEVER AGOOD PASSWORD!
@michele_butcher
USE SOMETHING LIKE LASTPASS OR ONE
PASSWORD TO SAVE YOUR PASSWORDS AND TO
SHARE PASSWORDS WITH OTHERS.
ANTI-VIRUSPROTECT YOUR UNIT!
Yes I even have an anti-virus on my Mac!
AVG and Avast have free versions as well as paid.Kaspersky is great with Windows and Macs.
@michele_butcher
BACK UP EVERYTHING AND BACK IT UP OFTEN.
IF YOU FEAR YOU MIGHT LOSE INFORMATION, SAVE IT IN MORE THAN ONE SPOT. BITCASA, CARBONITE, AND EXTERNAL HARD DRIVES ARE GREAT
OPTIONS OF BACKING UP DATA.
@michele_butcher