WordPress security fundamentals, WordCamp Maine

Upload: joseph-herbrandson

Post on 14-Dec-2014


DESCRIPTION

Website security matters to everyone who has a website, and to everyone who uses one. Whether it gets five visitors a day or five thousand, hackers are looking to compromise, break, infect and effectively own every website they can, for monetary and social purposes. While the topic seems mysterious to most users, website security is actually a set of simple principles that everyone can adopt to keep their risk as low as possible. Being a WordPress user is a great start, and the discussion will cover the habits, practices and techniques to follow to keep a WordPress site secure from hackers and malware.

TRANSCRIPT

Page 1: Wc maine-slideshare

WordPress security fundamentals, WordCamp Maine

Page 2: Wc maine-slideshare

Something about me

Joseph Herbrandson

Web design and infosec: committed to WordPress and website security since 2008

Sucuri Security Technical Account Manager: cleaning up malware and protecting websites from infection every day

- Cleaned, remediated and secured over 5,000 websites

Website: sucuri.net

twitter.com/sucuri_security

facebook.com/SucuriSec

sucuri.net

Page 3: Wc maine-slideshare

Sucuri Security

- SCAN: 3 million domains / month: sitecheck.sucuri.net

- BLOCK: 33 million / month

- CLEAN: 300-500 sites / day

- Website security: servicing over 250 thousand domains

- Platform agnostic (WordPress, Joomla, Drupal, etc.)

- Global operations, 24/7/365 support

Page 4: Wc maine-slideshare

The state of the Internet

3 billion Internet users worldwide

1 billion active sites

(internetlivestats.com)

60% of all CMS sites and 22% of all websites are WordPress!

Page 5: Wc maine-slideshare

Notes on secure WP

No 0% threat rule: there is no such thing as perfect security. If someone REALLY wants in, they will find a way.

0-day attacks: brand new attacks using different methods make these impossible to plan for. A 0-day attack is resolved once it has been studied and a fix has been published.

Not just WordPress! Security starts with everyday practices. Wrong moves made away from your website will still affect things on your website!

Page 6: Wc maine-slideshare

Who are they? Hackers' identities

Who are these guys? It can be anyone good with computers.

- Intelligent and mischievous; enterprising and effective.

Where are they from? Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States.

Page 7: Wc maine-slideshare

Common attack types: what's going on here…

Brute force, SQL injection, DDoS, social engineering

Page 8: Wc maine-slideshare

Why you? Hacked?

It's nothing personal: most attacks are automated and run against many websites at a time.

You're on the list: once you're a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE.
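An added example, not from the slides: because most attacks are automated, a brute-force run against wp-login.php shows up in the web server's access log as a burst of POSTs from one client that keep getting the login form back (HTTP 200) instead of the post-login redirect (302). The script below parses constructed combined-format log lines, counts those failures per client inside a sliding window and reports the clients over a threshold, which is the kind of signal a firewall or fail2ban-style rule acts on. The sample IPs, the threshold and the window length are assumptions.

```python
"""Flag automated login guessing against wp-login.php in an access log.

Added example (not from the slides). Parses combined-format lines, counts
POSTs to wp-login.php that were answered with 200 (the form re-rendered,
i.e. a failed login) per client IP inside a sliding window, and reports
clients that exceed a threshold. All log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Combined log format: ip - - [time] "METHOD path HTTP/x" status bytes ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one client hammering the login form (seven failures in
# seven seconds) and one legitimate editor who logs in once (302 redirect).
SAMPLE_LOG = """\
203.0.113.7 - - [14/Dec/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [14/Dec/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [14/Dec/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [14/Dec/2014:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [14/Dec/2014:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [14/Dec/2014:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
203.0.113.7 - - [14/Dec/2014:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 4521
198.51.100.5 - - [14/Dec/2014:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 4100
198.51.100.5 - - [14/Dec/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.5 - - [14/Dec/2014:10:00:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 8800
"""


def parse_line(line):
    """Return a dict with ip/time/method/path/status, or None if the line
    is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["time"], TIME_FMT),
        "method": m["method"],
        "path": m["path"].split("?")[0],
        "status": int(m["status"]),
    }


def find_login_bruteforce(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: peak_failures} for clients with more than `threshold`
    failed POSTs to /wp-login.php inside any `window`-long span.
    WordPress answers a failed login with 200 (form shown again) and a
    successful one with a 302 redirect, so only 200s are counted."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    flagged = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"] != "/wp-login.php" or rec["status"] != 200:
            continue
        q = recent[rec["ip"]]
        q.append(rec["time"])
        while q and rec["time"] - q[0] > window:   # drop events outside window
            q.popleft()
        if len(q) > threshold:
            flagged[rec["ip"]] = max(flagged.get(rec["ip"], 0), len(q))
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bruteforce(SAMPLE_LOG).items():
        print(f"{ip}: {count} failed logins inside the window")
```

The threshold and window are tuning knobs: a real site sees the occasional forgotten password, so the point is to pick values that a human never reaches but a script does within seconds.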

Page 9: Wc maine-slideshare

The $billion spam!

Pharma and spam attacks: Viagra, Cialis and Levitra ads make marketers over 2 BILLION dollars every year through blackhat methods of infecting websites and redirecting users to websites selling prescription drugs.

Page 10: Wc maine-slideshare

Pillars of security: your WordPress security preparation

- Frontline

- Disaster prevention: backups

- Basic website maintenance: staying current

- Common sense policies: access control

Page 11: Wc maine-slideshare

Disaster prevention: secured backups

Have a backup plan: playing defensively from the back is your best first line of defense.

Stored remotely: away from your live server, and out of the clutches of an intruder.

…more than one if possible! The more layers in your backup plan, the less likely it is to fail.

Scheduled and automated: don't rely on yourself.
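One way to implement the backup plan above, as an added example (not the slides' code and not any of the listed products): a script that makes a timestamped archive of the site directory, records a SHA-256 hash beside it, copies both to a second location standing in for remote storage, keeps only the newest few archives in each place, and verifies an archive before trusting it. Directory names, the retention count and the sample site contents are assumptions; the database dump and the remote mount itself are outside the example.

```python
"""Scheduled, remote, layered backups of a WordPress site directory.

Added example; not the slides' code and not any vendor's product. It packs
the site files into a timestamped tar.gz, writes a SHA-256 sidecar, copies
both to every further destination (e.g. a mounted remote share), and keeps
only the newest `keep` archives per destination. In production the database
dump (mysqldump output) would be written into the site directory first;
that step and the remote mount are outside this example. Schedule
make_backup() from cron so the plan does not depend on anyone remembering.
"""
import hashlib
import shutil
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def prune(dest_dir, prefix, keep):
    """Delete all but the newest `keep` archives (timestamped names sort in
    date order) and their sidecars; return the names that remain."""
    archives = sorted(Path(dest_dir).glob(f"{prefix}-*.tar.gz"))
    for old in archives[:-keep]:
        old.unlink()
        sidecar = old.with_name(old.name + ".sha256")
        if sidecar.exists():
            sidecar.unlink()
    return [a.name for a in archives[-keep:]]


def make_backup(site_dir, dest_dirs, keep=7, stamp=None):
    """Archive site_dir into the first destination, copy archive and hash
    sidecar to the others, prune each; return the archive paths written."""
    site_dir = Path(site_dir)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    name = f"{site_dir.name}-{stamp}.tar.gz"
    primary = Path(dest_dirs[0])
    primary.mkdir(parents=True, exist_ok=True)
    archive = primary / name
    with tarfile.open(str(archive), "w:gz") as tar:
        tar.add(str(site_dir), arcname=site_dir.name)
    sidecar = primary / (name + ".sha256")
    sidecar.write_text(f"{sha256_of(archive)}  {name}\n")
    written = [archive]
    for extra in dest_dirs[1:]:            # second layer, e.g. remote share
        extra = Path(extra)
        extra.mkdir(parents=True, exist_ok=True)
        shutil.copy2(archive, extra / name)
        shutil.copy2(sidecar, extra / sidecar.name)
        written.append(extra / name)
    for d in dest_dirs:
        prune(d, site_dir.name, keep)
    return written


def verify_backup(archive):
    """True if the archive matches its sidecar hash and contains
    wp-config.php (without it the site cannot be restored)."""
    archive = Path(archive)
    expected = archive.with_name(archive.name + ".sha256").read_text().split()[0]
    if sha256_of(archive) != expected:
        return False
    with tarfile.open(str(archive), "r:gz") as tar:
        return any(m.name.endswith("/wp-config.php") for m in tar.getmembers())


def demo():
    """Constructed sample site and two backup locations in a temp dir; runs
    three 'nightly' backups with keep=2 and reports what is left."""
    tmp = Path(tempfile.mkdtemp())
    site = tmp / "example-site"
    (site / "wp-content" / "themes").mkdir(parents=True)
    (site / "wp-config.php").write_text("<?php // constructed sample config\n")
    (site / "wp-content" / "themes" / "style.css").write_text("/* theme */\n")
    local, remote = tmp / "backups-local", tmp / "backups-remote"
    written = []
    for day in (10, 11, 12):
        written = make_backup(site, [local, remote], keep=2,
                              stamp=f"201412{day}T000000Z")
    return {
        "written": written,
        "verified": all(verify_backup(p) for p in written),
        "remaining_local": prune(local, "example-site", 2),
        "remaining_remote": sorted(p.name for p in remote.glob("*.tar.gz")),
    }


if __name__ == "__main__":
    print(demo())
```

The second destination is what makes the plan survive a compromised server: an intruder who can delete the local archives should not also be able to reach the copy, so in practice that location is pushed to, not mounted writable from the web host.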

Page 12: Wc maine-slideshare

Options for backup solutions

VaultPress

Web hosting

Sucuri Backups

BackupBuddy

Page 13: Wc maine-slideshare

A little bit about password security

The tactics: sophisticated password guessing, easier to crack than you think…

Password crack times:

- 8 letters = 52 seconds

- 8 numbers/letters = 11 minutes

- with caps/!@#$… = 3 hours

- 12 letters/numbers/caps/!@#$… = 2 thousand years
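To make the crack-time list concrete, here is an added example (not from the slides) that computes the keyspace and the worst-case exhaustive-search time of a password from the character classes it uses. The guess rate of 4 billion per second is an assumed figure; at that rate the first row (8 lowercase letters, 26^8 candidates) works out to about 52 seconds, and the other rows grow with the larger alphabet and length. The sample passwords are constructed.

```python
"""Estimate the work needed to guess a password exhaustively.

Added example, not from the slides. The keyspace is charset_size ** length;
dividing it by an assumed guess rate gives the worst-case time. The rate
below (4 billion guesses per second) is an assumption for illustration;
real rates depend on the hash algorithm, the hardware, and whether the
attack is online (throttled by the server) or offline (against a stolen hash).
"""
import math
import string

ASSUMED_GUESSES_PER_SECOND = 4_000_000_000  # assumption, not a measured figure


def charset_size(password):
    """Size of the alphabet a guesser must cover, from the character classes
    the password uses: 26 lowercase, 26 uppercase, 10 digits, 32 printable
    ASCII symbols, plus an assumed 100 for anything else (space, non-ASCII)."""
    if not password:
        raise ValueError("empty password")
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32 symbols
    known = string.ascii_letters + string.digits + string.punctuation
    if any(c not in known for c in password):
        size += 100  # assumption: rough class size for other characters
    return size


def keyspace(password):
    """Number of candidates an exhaustive search has to cover."""
    return charset_size(password) ** len(password)


def entropy_bits(password):
    """log2 of the keyspace: each extra bit doubles the guessing work."""
    return len(password) * math.log2(charset_size(password))


def crack_seconds(password, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst case: every candidate tried. The expected time is about half."""
    return keyspace(password) / rate


def human_duration(seconds):
    for unit, span in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= span:
            return f"{seconds / span:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def report(passwords):
    """Return (password, alphabet size, bits, readable crack time) rows."""
    return [(p, charset_size(p), round(entropy_bits(p), 1),
             human_duration(crack_seconds(p))) for p in passwords]


if __name__ == "__main__":
    # Constructed samples, one per category in the slide's list.
    for row in report(["abcdefgh", "abc12345", "Abc123!@", "Abc123!@Xyz9"]):
        print(*row)
```

The table is a lower bound on attacker effort only if the password is random; a dictionary word with a digit appended is found long before the keyspace is exhausted, which is why the password managers on the next slide, generating long random strings, change the picture more than any rule about symbols does.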

Page 14: Wc maine-slideshare

The web's most used passwords

The following are statistics showing the most used passwords in 2013, documented from lists stolen in major organization security breaches. (SplashData.com)

No.  Password    Ranking last year
1    123456      2
2    password    1
3    12345678    3
4    qwerty      5
5    abc123      4
6    123456789   New
7    111111      9

Page 15: Wc maine-slideshare

Tools of the trade: password managers

LastPass, KeePass, Dashlane, 1Password

Page 16: Wc maine-slideshare

The importance of WordPress updates

Your version is your level of security!

Major versus maintenance releases!

Worried about upgrading? Fear not! Downgrading is a simple task!

Have an upgrade path.

Chart: share of WordPress installs by version as of June 2014 (http://w3techs.com/technologies/details/cm-wordpress/3/all). The segments cover versions 3.0-3.4, 3.5, 3.6, 3.7, 3.8 and 3.9; the shares shown are 34%, 21%, 18%, 14%, 8% and 5%.

Page 17: Wc maine-slideshare

Know your plugins: plug and play for hackers!

Recent vulnerability disclosures, update!!: All in One SEO, MailPoet, Custom Contact Forms, WPtouch

No plugin is SAFE forever! Developer vigilance is key.

Keep track of update and change logs.

Consider plugins secured by Sucuri or other security authorities.

Page 18: Wc maine-slideshare

Server-side protection: website antivirus

Malware scanning: SiteCheck (http://sitecheck.sucuri.net), VirusTotal (http://www.virustotal.com)

WordPress security plugins: Sucuri Scanner, iThemes Security (formerly Better WP Security), GOTMLS

Premium cleanup services: Sucuri Website Antivirus, SiteLock

Page 19: Wc maine-slideshare

Case study: cleanup

FTP/SFTP file management: basic file cleanup with FileZilla

WordPress version archives: https://codex.wordpress.org/WordPress_Versions (Google "WordPress versions")

Theme backups: always know where to find a clean copy of your theme

Page 20: Wc maine-slideshare

Cleanup: infected site

Infection: blackhat SEO spam injection

The spam is displayed with JavaScript turned off; otherwise it's hidden!

Infection confirmed at the free Sucuri website scanner: http://sitecheck.sucuri.net

Page 21: Wc maine-slideshare

Cleanup: remove and replace

wp-admin and wp-includes: these directories are replaceable, both for cleanup and for downgrading versions.

Replace other core files: the other core files outside of these two directories can be uploaded to directly replace their counterparts.

Do not delete wp-config.php or wp-content! These are vital to the functionality of your blog, and cannot be replaced easily, or without a backup.

Page 22: Wc maine-slideshare

Cleanup: remove and replace, pt. 2

Find your theme: your theme is replaceable if you haven't made custom changes.

Delete your old theme: this is the most common place for infected WordPress files.

Replace with a clean copy: good as new!
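The remove-and-replace procedure of the last two pages, as an added example that is not the slides' own code: given a clean copy of the same WordPress version (extracted from the version archive linked in the case study), it hashes the live site's core files against the clean copy, lists what is modified, added or missing, and then replaces wp-admin, wp-includes and the top-level core files while leaving wp-config.php and wp-content untouched. The directory layout, the file names and the tampering constructed in the demo are assumptions.

```python
"""Find and replace tampered WordPress core files against a clean copy.

Added example (not from the slides). `clean_dir` is an extracted copy of
the same WordPress version as the site; `live_dir` is the site. Core files
(wp-admin/, wp-includes/ and the top-level PHP files) are compared by
SHA-256, then the two directories and the top-level files are replaced
from the clean copy. wp-config.php and wp-content/ are never touched: they
are exactly the parts a clean archive cannot restore, and wp-content is
where the theme cleanup of the next step happens by hand.
"""
import hashlib
import shutil
import tempfile
from pathlib import Path

PRESERVE = {"wp-config.php", "wp-content"}   # never replaced from the archive
CORE_DIRS = ("wp-admin", "wp-includes")


def file_hashes(root):
    """{relative posix path: sha256} for every file outside PRESERVE."""
    root = Path(root)
    out = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel.split("/")[0] in PRESERVE:
                continue
            out[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return out


def compare_core(clean_dir, live_dir):
    """Classify live core files as modified, added (no counterpart in the
    clean copy, a typical dropper location) or missing."""
    clean, live = file_hashes(clean_dir), file_hashes(live_dir)
    return {
        "modified": sorted(f for f in clean if f in live and clean[f] != live[f]),
        "added": sorted(f for f in live if f not in clean),
        "missing": sorted(f for f in clean if f not in live),
    }


def replace_core(clean_dir, live_dir):
    """Delete wp-admin/ and wp-includes/ in live_dir and copy them fresh,
    overwrite the top-level core files, keep wp-config.php and wp-content/.
    Returns the comparison after replacement; anything still listed as
    'added' sits outside the replaced directories and needs a manual look."""
    clean, live = Path(clean_dir), Path(live_dir)
    for d in CORE_DIRS:
        shutil.rmtree(live / d, ignore_errors=True)
        shutil.copytree(clean / d, live / d)
    for p in clean.iterdir():
        if p.is_file() and p.name not in PRESERVE:
            shutil.copy2(p, live / p.name)
    return compare_core(clean, live)


def demo():
    """Constructed clean and live trees in a temp dir. The live copy has one
    core file with an appended line, one file dropped into wp-includes,
    a wp-config.php and a customised theme that must both survive."""
    tmp = Path(tempfile.mkdtemp())
    clean, live = tmp / "clean", tmp / "live"
    for root in (clean, live):
        (root / "wp-admin").mkdir(parents=True)
        (root / "wp-includes").mkdir()
        (root / "wp-admin" / "admin.php").write_text("<?php // admin\n")
        (root / "wp-includes" / "functions.php").write_text("<?php // functions\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    (live / "wp-config.php").write_text("<?php // DB credentials, constructed\n")
    theme = live / "wp-content" / "themes" / "mytheme"
    theme.mkdir(parents=True)
    (theme / "functions.php").write_text("<?php // custom theme code\n")
    # Tampering, constructed for the demo only.
    with open(live / "wp-admin" / "admin.php", "a") as f:
        f.write("// line appended by the demo to simulate tampering\n")
    (live / "wp-includes" / "extra-loader.php").write_text("<?php // not core\n")
    before = compare_core(clean, live)
    after = replace_core(clean, live)
    return {
        "before": before,
        "after": after,
        "config_kept": (live / "wp-config.php").exists(),
        "theme_kept": (theme / "functions.php").exists(),
    }


if __name__ == "__main__":
    print(demo())
```

The comparison step is what makes the replacement safe to repeat: run it again after the theme cleanup, and an empty "added" list for the core directories is the evidence the site is back to the published release rather than a guess.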

Page 23: Wc maine-slideshare

Cleanup: clean site

Cleanup accomplished: your WordPress site is now spam free!

Page 24: Wc maine-slideshare


Active defense: website firewall, fight back!

- Security checkpoint that monitors all users

- Intelligent and decisive: detect attack patterns and stop them

- Software versus hardware

Products:

- Sucuri Website Firewall

- CloudFlare

- Sitelock

Page 25: Wc maine-slideshare

A healthy dose of… paranoia

Worry about the right things:

- Integrating a protection plan

- Passwords versus usernames

- Hosting: shared, managed, dedicated

- Plugin/theme origin

- Patching/updating

- Who your friends are

Page 26: Wc maine-slideshare

Any questions?