wc maine-slideshare
DESCRIPTION
Website security is important to everyone who has a website, as well as everyone who uses a website. Whether it gets five visitors a day or five-thousand, hackers are looking to compromise, break, infect and virtually own every website that they can for monetary and social purposes. While the topic seems mysterious to most users, website security is actually a set of simple principles that everyone can adopt to keep their risk at the absolute lowest. Being a WordPress user is a great start, and the discussion will surround habits, practices and techniques to follow to keep a WordPress site secure from hackers and malware.TRANSCRIPT
WordPresssecurityfundamentalsWORDCAMPMAINE
aboutmeSomething
Joseph Herbrandson
Web design and infosec Committed to WordPress and website security since 2008
sucuri security Technical Account Manager - Cleaning up malware and protecting websites from infection everyday
- Cleaned, remediated and secured over 5,000 websites
Website sucuri.net
twitter.com/sucuri_security
facebook.com/SucuriSec
sucuri.net
sucuri.net
Sucurisecurity• SCAN: 3 MILLION DOMANS / MONTH:
sitecheck.sucuri.net
• block: 33 million / month
• CLEAN: 300-500 sites / DAY • Website security:
SERVICING OVER 250 THOUSAND DOMAINS
• platform agnostic (wordpress, joomla, drupal, etc…)
• GLOBAL OPERATIONS 24/7/365 SUPPORT
The state of…
theInternet
sucuri.net
3 Billion Internet Users world wide
1 billion active sites
internetlivestats.com
!
60% of all CMS sites
and
22% of all websites
are wordpress!
No 0% Threat Rule No such thing as perfect security. If someone REALLY wants in, they will find a way.
0- Day Attacks Brand new attacks using different methods make these impossible to plan for. 0-Day attacks are resolved once it has been studied, and fix has been published.
Not just Wordpress! Security starts with everyday practices. All the wrong moves made off of your website, will still affect things on your website!
sucuri.net
securewpNotes On
Who Are They?
Hackersidentities
sucuri.net
Who are these Guys? - It can be anyone good with computers.
- Intelligent and Mischievous; Enterprising and Effective.
Where are they from? Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States.
!
Brute Force sql injection ddos social engineering
sucuri.net
what’s going on here…
commonattacktypes
Hacked?
WhyyouIt’s nothing Personal Most attacks are automated and done on many websites at a time
You're on the list Once you’re a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE
sucuri.net
The
$Billionspam!
Pharma and spam attacks Viagra, Cialis, and Levitra ads, make marketers over 2 BILLION dollars every year from blackhat methods of infecting websites, and redirecting users to websites selling prescription drugs.
!
sucuri.net
PillarsofsecurityYour Security
Frontline Disaster Prevention
backups
Basic Website Maintenance
Staying currentCommon Sense Policies
Access control
WordPress
Preparation
sucuri.net
securedbackupsDisaster Prevention
Have a backup plan Playing defensively from the back is your best first line defense.
Stored Remotely Away from your live server, and the clutches of an intruder.
…more than one if possible! The more layers of your backup plan, the less likely it is to fail.
Scheduled and Automated Don’t rely on yourself.
sucuri.net
backupSolutionsOptions for
Vault Press
Web hosting
Sucuri Backups
sucuri.net
BACKUP BUDDY
A little bit about
passwordsecurityThe tactics Sophisticated Password Guessing
easier to crack than you think… !
Password Crack Times:
- 8 letters = 52 seconds
- 8 nums/letters = 11 minutes
- with caps/!@#$… = 3 hours
- 12 letters/nums/caps/!@#$ =
2 Thousand years
sucuri.net
mostusedpassWordsThe web’s
No. Title Ranking Last Year
1 123456 2
2 password 1
3 12345678 3
4 qwerty 5
5 abc123 4
6 123456789 New
7 111111 9
sucuri.net
The following are statistics showing the most used passwords in 2013, documented from lists stolen in major organization security breaches.
(SplashData.com)
passwordmanagersTools of the trade:
Lastpass keePass DashLane
sucuri.net
1Password
wordpressUpdatesThe Importance of
Your version is your level of security !
Major versus Maintenance releases !
Worried About upgrading? fear not! downgrading is a simple task !
Have an upgrade path
sucuri.net
As of June 2014: http://w3techs.com/technologies/details/cm-wordpress/3/all
21%
14%
5%8% 18%
34%
3.0-3.4 3.5 3.6 3.7 3.8 3.9
sucuri.net
KnowyourPluginsrecent vulnerability disclosures: Update!! All in one SEO
Mailpoet
custom contact forms
wptouch
no plugin is SAFE forever! developer vigilance is key
keep track of update and change logs
consider plugins secured by Sucuri, or other security authorities
Plug and Play for hackers!
sucuri.net
Server-Side Protection
websiteantivirusMalware Scanning SITECHECK: http://sitecheck.sucuri.net
VIRUSTOTAL: http://www.virustotal.com
wordpress security plugins Sucuri Scanner
iThemes Security (Formerly Better WP Security)
GOTMLS
WEB
premium cleanup services Sucuri Website Antivirus
Sitelock
Case study
cleanupFtp/sftp File Management Basic file cleanup with FileZilla
WordPress Version Archives https://codex.wordpress.org/WordPress_Versions (Google “WordPress versions”)
Theme Backups Always know where to find a clean copy of your theme
Infectedsiteinfection: blackhat seo spam injection
Spam is displayed with Javascript turned off. Otherwise it’s hidden!
Infection confirmed at the free Sucuri website scanner: http://sitecheck.sucuri.net
Cleanup
sucuri.net
Cleanup
removeandreplacewp-admin and wp-includes These directories are replaceable for cleanup and downgrading versions
Replace other core files The other core files outside of these two directories can be uploaded to directly replace their counterparts
do not delete wp-config.php or wp-content! These are vital to the functionality of your blog, and cannot be replaced easily, or without a backup.
sucuri.net
Cleanup
removeandreplace pt.2
find your theme Your theme is replaceable if youhaven’t made customchanges
delete your old theme This is the most common placefor infected WordPress files
replace with clean copy Good as new!
sucuri.net
Cleanup
cleansite
cleanup accomplished: Your WordPress site is now spam free!
!
sucuri.net
User-Defined Footer Text
Active Defense
websitefirewallfight back! -security checkpoint that monitors all users
- intelligent and decisive: detect attack patterns and stop them
- software versus hardware
Products: - Sucuri Website Firewall
- CloudFlare
- Sitelock
sucuri.net
A healthy dose of…
paranoia
worry about the right things: - Integrating a protection plan
- Passwords versus Usernames
- Hosting: Shared, Managed, Dedicated
- Plugin/Theme origin
- Patching/Updating
- Who your friends are
anyquestions?