Real Security for WordPress: Life, Liberty, and the Pursuit of Risk Reduction
Dre Armeda @dremeda | Sucuri.net @sucuri_security

Upload: dre-armeda

Post on 29-Jan-2015





DESCRIPTION

Real Security for WordPress - Cut through the noise and the false sense of security. Dre Armeda presents a no nonsense approach to reducing risk with WordPress.

TRANSCRIPT

Page 1: Real Security for WordPress

Life, Liberty, and the Pursuit of Risk Reduction

Page 2: Real Security for WordPress


Dre Armeda

CEO, Co-Founder of Sucuri Inc. – sucuri.net
Co-Host of The DradCast – dradcast.com

@dremeda | dre.im

I wear many hats, and love tacos.
Harley enthusiast & Chargers fan.

Infatuated with WordPress & web security. I hope to make the internet a safer place!

Page 3: Real Security for WordPress


The Internet Rocks

- Over 2 billion internet users today
- 480% growth in the last 11 years (Internet World Stats)
- 100k+ domains gained weekly (Global Domain Registry)
- 2 billion sites in 2015 (Toni Schneider – CEO, Automattic)

With adoption and growth comes innovation!

Page 4: Real Security for WordPress


It’s Not All Peachy

Malware – short for malicious software: software designed to disrupt operations, gather information, or gain unauthorized access. On a compromised site it is used to:

- Monitor your website browsing & internet usage
- Force advertising on your visitors
- Redirect affiliate marketing revenue

Innovative thinking sparks risk

Page 5: Real Security for WordPress


How Bad is it?

- 2 million+ new malware strains monthly (McAfee)
- Costs US consumers over $2 billion yearly (Consumer Reports)
- Google issues 3 million+ warnings daily (Google)
- Google blacklists 10k websites daily on average (Google)

Pretty bad, and getting worse.

Page 6: Real Security for WordPress


How Does This Happen?

A new type of webmaster!

Page 7: Real Security for WordPress


Am I At Risk?

The percentage of risk will never be zero!

Ever See a Dodo Bird?

Page 8: Real Security for WordPress


What Can We Do?

Be smart. Be consistent. Cut out the noise!

Page 9: Real Security for WordPress


Cut Out The Noise

- Keep software updated
- No soup kitchen servers
- Reduce access
- Password management
- Backup schedule

K.I.S.S.

Page 10: Real Security for WordPress


Keep Software Updated

- Outdated software is the leading cause of infection, along with weak passwords
- Scared to upgrade because stuff breaks?
- Know the difference between a major and a point release
- Run upgrade tests before touching production
- Do your homework

Information Security is everyone’s responsibility
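The "major vs. point release" advice can be enforced in code rather than remembered. The must-use plugin below is an added example written for this page, not code from the deck or from Sucuri: it lets WordPress apply point releases of core, plugins and themes automatically (the security fixes you most want in fast) while holding back anything that changes the major.minor version until someone has run upgrade tests. The `rsw_` prefix and the "first two version components" rule are assumptions; the filters (`allow_minor_auto_core_updates`, `allow_major_auto_core_updates`, `auto_update_plugin`, `auto_update_theme`) are WordPress core's.

```php
<?php
/**
 * Plugin Name: Point-Release Auto-Updates (added example, not from the deck)
 * Drop into wp-content/mu-plugins/ so it loads before every request.
 * Point releases install themselves; major releases wait for a human to test them.
 */

// Core: WordPress may install minor/security releases (4.1.1 -> 4.1.2) on its own,
// but never jump a major (4.1 -> 4.2) without someone running upgrade tests first.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

/**
 * True when $new is newer than $current and shares its first two version
 * components (assumed rule: "major.minor" fixed, only the patch may move).
 */
function rsw_is_point_release( $current, $new ) {
    $cur = array_pad( array_slice( array_map( 'intval', explode( '.', $current ) ), 0, 2 ), 2, 0 );
    $nxt = array_pad( array_slice( array_map( 'intval', explode( '.', $new ) ), 0, 2 ), 2, 0 );
    return $cur === $nxt && version_compare( $new, $current, '>' );
}

// Plugins: auto-update only point releases; anything bigger waits for staging.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $installed = get_plugins(); // keyed by plugin file, e.g. "akismet/akismet.php"
    if ( empty( $item->plugin ) || empty( $installed[ $item->plugin ]['Version'] ) ) {
        return $update; // unknown state: leave WordPress' default decision alone
    }
    return rsw_is_point_release( $installed[ $item->plugin ]['Version'], $item->new_version );
}, 10, 2 );

// Themes: same rule, using the stylesheet slug WordPress passes in $item->theme.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    $theme = wp_get_theme( $item->theme );
    if ( ! $theme->exists() ) {
        return $update;
    }
    return rsw_is_point_release( $theme->get( 'Version' ), $item->new_version );
}, 10, 2 );
```

Plugins and themes that do not follow semantic versioning will be held back more often than needed; that is the safe failure direction, since a held update still shows up in the dashboard and can be applied by hand after the test run.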

Page 11: Real Security for WordPress


No Soup Kitchen Servers

- WordPressers act like they forgot about DEV
- Cross-contamination is a big deal
- Segment by user and account
- Not active is not good enough: a deactivated plugin or theme is still on disk and still reachable

If it’s not in use, get rid of it

Production is not your archive server!
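"If it's not in use, get rid of it" is easy to say and easy to forget, because inactive plugins and themes are invisible unless you go looking. The must-use plugin below is an added example for this page, not the deck's or Sucuri's code: it puts a warning in the admin dashboard listing every plugin and theme that is installed but not active, so the list is in front of whoever can delete them. The `rsw_` names are assumed; `get_plugins()`, `get_option('active_plugins')`, `wp_get_themes()` and `wp_get_theme()` are WordPress core.

```php
<?php
/**
 * Plugin Name: Dead Weight Report (added example, not from the deck)
 * Lists installed-but-inactive plugins and themes in an admin notice so they get removed.
 */

/** Plugin files present on disk that are not in the active list (either may be empty). */
function rsw_inactive_plugins( array $installed, array $active ) {
    return array_values( array_diff( array_keys( $installed ), $active ) );
}

/** Theme stylesheets that are neither the active theme nor its parent template. */
function rsw_inactive_themes( array $installed, $active, $parent = '' ) {
    $keep = array_filter( array( $active, $parent ) ); // drop '' when there is no parent
    return array_values( array_diff( $installed, $keep ) );
}

add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'delete_plugins' ) ) {
        return; // only show it to someone who can act on it
    }
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $active = (array) get_option( 'active_plugins', array() );
    if ( is_multisite() ) {
        // Network-activated plugins live in a site option keyed by plugin file.
        $active = array_merge( $active, array_keys( (array) get_site_option( 'active_sitewide_plugins', array() ) ) );
    }
    $plugins = rsw_inactive_plugins( get_plugins(), $active );

    $current = wp_get_theme();
    $themes  = rsw_inactive_themes( array_keys( wp_get_themes() ), $current->get_stylesheet(), $current->get_template() );

    if ( ! $plugins && ! $themes ) {
        return;
    }
    echo '<div class="notice notice-warning"><p><strong>Installed but inactive (still on disk, still a target):</strong><br>';
    echo 'Plugins: ' . esc_html( $plugins ? implode( ', ', $plugins ) : 'none' ) . '<br>';
    echo 'Themes: ' . esc_html( $themes ? implode( ', ', $themes ) : 'none' ) . '</p></div>';
} );
```

The notice is deliberately loud and permanent: the only way to make it go away is to delete the listed code, which is the point.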

Page 12: Real Security for WordPress


Reduce Access

Give people enough access to do their job, nothing more; remove access when they complete their job!

- Use proper roles
- This goes for WordPress, FTP, databases, etc.
- Limit failed logins to thwart brute force
- Practice two-factor auth & layered login

Least privilege to some, no privilege for most.
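"Limit failed logins to thwart brute force" is the one item on this slide that core WordPress does not do for you. The must-use plugin below is an added example for this page, not the deck's code and not the Limit Login Attempts or Sucuri plugins it names: it counts failed logins per username/IP pair in a transient and refuses authentication for that pair once the count crosses a threshold. The `rsw_` names, the 5-attempt limit and the 15-minute window are assumptions; `wp_login_failed`, `authenticate`, `wp_login` and the transient functions are WordPress core. Because XML-RPC logins also go through `wp_authenticate()`, the same throttle covers `xmlrpc.php`.

```php
<?php
/**
 * Plugin Name: Failed-Login Throttle (added example, not from the deck)
 * Locks a username/IP pair out for a window after too many failed logins.
 * Install as wp-content/mu-plugins/failed-login-throttle.php.
 */

const RSW_MAX_FAILURES = 5;   // assumed policy: failures allowed per window
const RSW_WINDOW       = 900; // assumed policy: counter and lockout lifetime, seconds

/**
 * Client address. REMOTE_ADDR only: X-Forwarded-For is attacker-supplied unless a
 * trusted proxy in front of you overwrites it, so do not read it here without that.
 */
function rsw_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

/** Transient name for the pair; hashed so arbitrary usernames cannot break the key. */
function rsw_key( $username, $ip ) {
    return 'rsw_fail_' . md5( strtolower( $username ) . '|' . $ip );
}

/** Count a failure against the pair; the counter expires with the window. */
function rsw_record_failure( $username ) {
    $key = rsw_key( $username, rsw_client_ip() );
    set_transient( $key, (int) get_transient( $key ) + 1, RSW_WINDOW );
}
add_action( 'wp_login_failed', 'rsw_record_failure' );

/** Replace whatever core decided with an error while the pair is locked out. */
function rsw_check_lockout( $user, $username, $password ) {
    if ( '' === (string) $username ) {
        return $user; // cookie-based auth passes no username; nothing to throttle
    }
    $count = (int) get_transient( rsw_key( $username, rsw_client_ip() ) );
    if ( $count >= RSW_MAX_FAILURES ) {
        return new WP_Error(
            'rsw_locked_out',
            sprintf( 'Too many failed logins. Try again in %d minutes.', RSW_WINDOW / 60 )
        );
    }
    return $user;
}
// Priority 30: core's username/password and email/password handlers run at 20 and
// return a WP_User on success, which would overwrite an error raised before them.
// Running after them guarantees the lockout wins even for a correct password.
add_filter( 'authenticate', 'rsw_check_lockout', 30, 3 );

/** A successful login clears the pair's counter. */
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( rsw_key( $user_login, rsw_client_ip() ) );
} );
```

Two caveats a practitioner should know. The lockout error itself fires `wp_login_failed`, so every further attempt renews the window: an attacker who keeps hammering stays locked out, and a real user gets back in by waiting. And keying on the username/IP pair stops one host guessing one account; a botnet spreading guesses across many addresses needs a per-username counter or a CAPTCHA on top, which is why the deck also asks for two-factor auth.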

Page 13: Real Security for WordPress


Let's Hack a Website

All you need is a couple of minutes.

Page 14: Real Security for WordPress


Password Management

- "password" is still one of the top five most-used passwords
- Use unique passphrases
- Use different passwords across accounts
- Use a password management tool

"password" is a password that is never to be used as your password!
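Telling users to pick passphrases works better when the site refuses anything else. The must-use plugin below is an added example for this page, not the deck's code: it hooks the two places WordPress lets a user set a password (the profile screen and the lost-password reset form) and rejects passwords that are on a small denylist, shorter than a minimum length, or contain the username. The `rsw_` names, the 16-character minimum and the denylist contents are assumptions; `user_profile_update_errors` and `validate_password_reset` are WordPress core hooks.

```php
<?php
/**
 * Plugin Name: Passphrase Policy (added example, not from the deck)
 * Rejects common, short, or username-based passwords wherever WordPress lets a
 * user set one: the profile screen and the lost-password reset form.
 */

const RSW_MIN_LENGTH = 16; // assumed policy; length does more than complexity rules

/** Constructed denylist for illustration; production would check a large breached-password list. */
function rsw_denylist() {
    return array(
        'password', 'password1', 'passw0rd', 'passwordpassword', 'wordpress',
        'admin', '123456', 'qwerty', 'letmein', 'correcthorsebatterystaple',
    );
}

/** Null when acceptable, otherwise the reason to show the user. */
function rsw_password_problem( $password, $username = '' ) {
    $lower = strtolower( $password );
    if ( in_array( $lower, rsw_denylist(), true ) ) {
        return 'That password is on the common-password list; pick a unique passphrase.';
    }
    if ( strlen( $password ) < RSW_MIN_LENGTH ) {
        return sprintf( 'Use a passphrase of at least %d characters.', RSW_MIN_LENGTH );
    }
    if ( '' !== $username && false !== strpos( $lower, strtolower( $username ) ) ) {
        return 'The passphrase must not contain your username.';
    }
    return null;
}

/** Shared handler: $errors is the WP_Error WordPress displays, $login the account name. */
function rsw_validate_submitted_password( $errors, $login ) {
    if ( empty( $_POST['pass1'] ) ) {
        return; // no password change in this submission
    }
    $problem = rsw_password_problem( wp_unslash( $_POST['pass1'] ), $login );
    if ( null !== $problem ) {
        $errors->add( 'rsw_weak_password', $problem );
    }
}

// Profile screen: new users and password changes ($user is a stdClass of submitted fields).
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    rsw_validate_submitted_password( $errors, isset( $user->user_login ) ? $user->user_login : '' );
}, 10, 3 );

// Lost-password reset form ($user is a WP_User, or a WP_Error for a bad reset key).
add_action( 'validate_password_reset', function ( $errors, $user ) {
    rsw_validate_submitted_password( $errors, $user instanceof WP_User ? $user->user_login : '' );
}, 10, 2 );
```

The denylist check runs first on purpose: a denylisted string is rejected for being known, not for being short, so the message tells the user the real problem.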

Page 15: Real Security for WordPress


Backup Schedule

- Create a schedule today!
- Back up outside of your production environment
- Multiple backups are awesome
- Talk to your host to see what they offer
- Various tools are available

When they hack you, reduce downtime.
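A schedule only exists once something runs on it. The must-use plugin below is an added example for this page, not the deck's code and not BackupBuddy or VaultPress: it registers a daily WP-Cron job that dumps the database with `mysqldump` into a directory outside the web root, compresses it, and keeps the newest copies. The `rsw_` names, the `/var/backups/wordpress` path and the 14-copy retention are assumptions; it also assumes `mysqldump` is on `PATH`, `exec()` is not disabled, and `DB_HOST` is a plain hostname (not a `host:port` or socket string). Database credentials go through a mode-0600 option file so the password never shows up in `ps` output.

```php
<?php
/**
 * Plugin Name: Scheduled DB Backup (added example, not from the deck)
 * Dumps the WordPress database daily with mysqldump into a directory outside the
 * web root, compresses it, and keeps only the newest copies.
 */

const RSW_BACKUP_DIR  = '/var/backups/wordpress'; // assumed path; must not be under the docroot
const RSW_BACKUP_KEEP = 14;                        // assumed retention, in files

/** Writes a mode-0600 MySQL option file so the password never appears in `ps` output. */
function rsw_write_credentials( $dir, $user, $pass ) {
    $path = $dir . '/.my-' . bin2hex( random_bytes( 8 ) ) . '.cnf';
    // Option-file values may be double-quoted; escape backslashes and quotes inside.
    $body = "[client]\nuser=\"" . addcslashes( $user, '\\"' ) . "\"\npassword=\"" . addcslashes( $pass, '\\"' ) . "\"\n";
    file_put_contents( $path, $body );
    chmod( $path, 0600 );
    return $path;
}

/** The dump command; mysqldump writes $outfile itself so its exit code is the one we see. */
function rsw_dump_command( $cnf, $host, $name, $outfile ) {
    return sprintf(
        'mysqldump --defaults-extra-file=%s --single-transaction --host=%s --result-file=%s %s',
        escapeshellarg( $cnf ), escapeshellarg( $host ), escapeshellarg( $outfile ), escapeshellarg( $name )
    );
}

/** Removes the oldest db-*.sql.gz beyond $keep; returns the paths removed. */
function rsw_rotate( $dir, $keep ) {
    $files = glob( $dir . '/db-*.sql.gz' );
    sort( $files ); // UTC timestamps in the name sort oldest first
    $stale = array_slice( $files, 0, max( 0, count( $files ) - $keep ) );
    foreach ( $stale as $file ) {
        unlink( $file );
    }
    return $stale;
}

/** Runs one backup; returns the .sql.gz path on success, false on failure. */
function rsw_run_backup() {
    if ( ! is_dir( RSW_BACKUP_DIR ) && ! mkdir( RSW_BACKUP_DIR, 0700, true ) ) {
        error_log( 'rsw backup: cannot create ' . RSW_BACKUP_DIR );
        return false;
    }
    $sql = RSW_BACKUP_DIR . '/db-' . gmdate( 'Ymd-His' ) . '.sql';
    $cnf = rsw_write_credentials( RSW_BACKUP_DIR, DB_USER, DB_PASSWORD );
    exec( rsw_dump_command( $cnf, DB_HOST, DB_NAME, $sql ) . ' 2>&1', $output, $status );
    unlink( $cnf );
    if ( 0 !== $status ) {
        error_log( 'rsw backup: mysqldump failed: ' . implode( ' ', $output ) );
        @unlink( $sql );
        return false;
    }
    // Compress with PHP's zlib stream wrapper, then drop the plain-text dump.
    if ( ! copy( $sql, 'compress.zlib://' . $sql . '.gz' ) ) {
        error_log( 'rsw backup: compression failed' );
        return false;
    }
    unlink( $sql );
    chmod( $sql . '.gz', 0600 );
    rsw_rotate( RSW_BACKUP_DIR, RSW_BACKUP_KEEP );
    return $sql . '.gz';
}
add_action( 'rsw_daily_backup', 'rsw_run_backup' );

// WP-Cron only fires on page views; drive wp-cron.php from a real cron job on quiet sites.
if ( ! wp_next_scheduled( 'rsw_daily_backup' ) ) {
    wp_schedule_event( time(), 'daily', 'rsw_daily_backup' );
}
```

This covers the database only; `wp-content/uploads` and any hand-edited theme files still need copying. And a backup directory on the same box is not "outside of your production environment": sync `/var/backups/wordpress` to another host or to object storage so that a wiped server, or an attacker who deletes your backups, does not take the copies with it.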

Page 16: Real Security for WordPress


Tools & Services

Great tools and services to help you reduce risk.

Backups: BackupBuddy, VaultPress
Password Management: LastPass, KeePass, Password Safe, 1Password
Malware Scanning: Sucuri SiteCheck, Unmask Parasites
Malware Cleanup: Sucuri
Two-Factor Auth: Google Authenticator
Limit Failed Logins: Limit Login Attempts, Sucuri (WP plugin)

Page 17: Real Security for WordPress


Thank You For Listening

Now go, reduce risk. Go!