WordPress Security: Fundamentals for Professionals by Joseph

38 pages. Uploaded by hacong. Posted on 01-Feb-2017.

TRANSCRIPT

Page 1: WordPress Security: Fundamentals for Professionals by Joseph
Page 2: WordPress Security: Fundamentals for Professionals by Joseph

joseph herbrandson | www.sucuri.net 1-888-873-0817| [email protected]

ABOUT ME

WEB DESIGN AND INFORMATION SECURITY

Committed to WordPress since 2008.

SUCURI – Researcher and Account Manager: removing malware and protecting websites.

Personally cleaned over 5,000 websites.

SUCURI.NET | Twitter: @JHerbrandson

Page 3: WordPress Security: Fundamentals for Professionals by Joseph

ABOUT SUCURI: Over 45 Security Professionals Making a Safer Web

SECURITY SCANNING & ANALYSIS
Checking the health of over 3 million websites every month through our free Sitecheck Scanner: http://sitecheck.sucuri.net

MALWARE CLEANUP
Cleaning and remediating 300–400 hacked or infected websites every day.

ATTACK PROTECTION
Blocking over 33 million attacks and instances of malicious traffic every month.

EDUCATION
Providing detailed and actionable security information through our blog at http://blog.sucuri.net

Page 4: WordPress Security: Fundamentals for Professionals by Joseph

ATTACK TRAFFIC ORIGINS (map.ipviking.com)

Page 5: WordPress Security: Fundamentals for Professionals by Joseph

A QUICK DEMO: Attack in Progress

https://www.youtube.com/watch?v=v4Xr3LrixVg&list=UUzkxqKA_bkNlj1-nX5f2LNA

Page 6: WordPress Security: Fundamentals for Professionals by Joseph

Sooo… WHY? It’s Just Business… probably

- The Short Answer: Fame and Fortune
- $BILLION Spam: generic pharmaceuticals, payday loans, gambling, designer brand knock-offs
- Hacktivism: politics and religion at the speed of download
- Immaturity: kids being kids

Page 7: WordPress Security: Fundamentals for Professionals by Joseph

I. Start with the Basics

Page 8: WordPress Security: Fundamentals for Professionals by Joseph

THE NEED FOR SECURITY: The State of the Internet

www.internetlivestats.com

Page 9: WordPress Security: Fundamentals for Professionals by Joseph

HOSTING OPTIONS: Choose wisely

- Shared Hosting: Cheap
- Dedicated Hosting: All yours
- Managed Hosting: Done for you

Page 10: WordPress Security: Fundamentals for Professionals by Joseph

MANAGED-HOSTING PROVIDERS: WordPress Experts for Everyone!

Page 11: WordPress Security: Fundamentals for Professionals by Joseph

SPEAKING OF ENVIRONMENT… Who is using the public Wi-Fi?

Page 12: WordPress Security: Fundamentals for Professionals by Joseph

II. No Easy Path

Page 13: WordPress Security: Fundamentals for Professionals by Joseph

WORD OF WARNING: No chance of 0% risk.

The next ‘0-day’ attack is always around the corner…

Page 14: WordPress Security: Fundamentals for Professionals by Joseph

SECURITY HEADLINES. Proof: Seen the news lately?

Page 15: WordPress Security: Fundamentals for Professionals by Joseph

III. ALWAYS Backup

Page 16: WordPress Security: Fundamentals for Professionals by Joseph

BUT I’VE NEVER HAD A PROBLEM BEFORE…

Have a low-profile, non-threatening site? You are still getting attention.

Page 17: WordPress Security: Fundamentals for Professionals by Joseph

HACKERS HARD AT WORK

Pharmaceutical spam makes hackers two billion dollars a year.

SOLUTION: Offsite backups
RESULT: Clean site immediately

FREE WEBSITE REBRAND

Page 18: WordPress Security: Fundamentals for Professionals by Joseph

AUTOMATED BACKUPS: Know you have a backup plan

- BackupBuddy: ithemes.com/backupbuddy/
- VaultPress: vaultpress.com
- Sucuri Backups: sucuri.net
- Web hosting backups: your hosting company

Page 19: WordPress Security: Fundamentals for Professionals by Joseph

IV. Take Password Policy Seriously

Page 20: WordPress Security: Fundamentals for Professionals by Joseph

Top 5 passwords used in 2013. Seriously…. (credit: SplashData.com)

Rank  Password    Last Year’s Rank
1     123456      2
2     password    1
3     12345678    3
4     qwerty      5
5     abc123      4

Page 21: WordPress Security: Fundamentals for Professionals by Joseph

PASSWORD MANAGER: Remembers your passwords so you don’t have to

- LastPass: lastpass.com
- 1Password: agilebits.com
- KeePass: keepass.info
- Dashlane: dashlane.com

Page 22: WordPress Security: Fundamentals for Professionals by Joseph

LEAST PRIVILEGE: Does your user setup look like this?

Access levels in the diagram:
- Hosting/control panel (root access)
- Administrator
- FTP/SFTP
- Editor/contributor

Who actually holds those accounts (counts from the diagram):
- Actual Admin: 1
- Potential Hackers: 7
- Friends: 12
- Writers: 2
- SEO Guys: 4
- Analysts: 2
- Editors: 1
- Random People: 10
- Hackers: 5
- Friends Again…: 3

Page 23: WordPress Security: Fundamentals for Professionals by Joseph

V. Steal and Be Stolen From

Page 24: WordPress Security: Fundamentals for Professionals by Joseph

NOT THE CODE YOU’RE LOOKING FOR… Assisting the enemy

This probably shouldn’t be in your theme:

    if(isset($_GET['pwd'])) {
        eval(base64_decode("CiRhdXRoX3Bhc3MgPSAiN2U5NBhY3RpdmF0ZXMsIGNoYW5nZWQgZWxlbWVudHMgaW4gdGhlIG9yaWdpbmFsIHBsdWdpbiwgZGVzaWduZWQgdG8gYmVoYXZlIGxpa2UgY2xlYW4gY29kZSwgc2lnbmFsIHRoZSBoYWNrZXIgdG8gbGV0IGl0IGtub3cgdGhhdCBpdOKAmXMgaW4uIEEgY2xlYW4gYmFjayBkb29yIGhhcyBiZWVuIG9wZW5lZCwgYW5kIHlvdXIgc2l0ZSBpcyBub3cgb24gYW4gYXV0b21hdGVkIGF0dGFjayBsaXN0LCBtZWFudCB0byBxdWlldGx5IGluZmVjdCBhbmQgcmVpbmZlY3QgeW91ciBzaXRlIGFnYWluIGFuZCBhZw=="));
    }
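One way to find code like the snippet above in your own theme files, added here as an example and not part of the talk: flag eval(base64_decode(...)) calls and decode the payload for review without ever executing it. The eval(gzinflate(...)) pattern and the sample theme file are assumptions constructed for this example.

```python
import base64
import re

# Patterns typical of obfuscated PHP backdoors planted in theme files.
# eval(base64_decode(...)) is the form on the slide; eval(gzinflate(...))
# is an assumed addition that scanners of this kind also flag.
SUSPICIOUS = {
    "eval_base64": re.compile(
        r'eval\s*\(\s*base64_decode\s*\(\s*["\']([A-Za-z0-9+/=]+)["\']'),
    "eval_gzinflate": re.compile(r'eval\s*\(\s*gzinflate\s*\('),
}


def decode_preview(blob, limit=80):
    """Decode a base64 payload so a reviewer can read it; never execute it."""
    try:
        raw = base64.b64decode(blob)
    except Exception:
        return "<undecodable>"
    return raw.decode("utf-8", errors="replace")[:limit]


def scan_php_source(path, source):
    """Return one finding per suspicious call, with line number and preview."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SUSPICIOUS.items():
            match = pattern.search(line)
            if match is None:
                continue
            finding = {"file": path, "line": lineno, "pattern": name}
            if name == "eval_base64":
                finding["preview"] = decode_preview(match.group(1))
            findings.append(finding)
    return findings


def scan_php_file(path):
    """Scan one .php file from disk (run this over every file in a theme)."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return scan_php_source(path, fh.read())


# Constructed sample theme file: the payload is a harmless echo built for
# this example, not a real backdoor body.
SAMPLE_THEME_FILE = """<?php
function my_theme_setup() { add_theme_support('title-tag'); }
if(isset($_GET['pwd'])) { eval(base64_decode("ZWNobyAnY29uc3RydWN0ZWQgc2FtcGxlJzs=")); }
"""
```

A hit is a lead for manual review, not proof of compromise; legitimate plugins occasionally obfuscate, which is itself worth a look.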

Page 25: WordPress Security: Fundamentals for Professionals by Joseph


MORE THAN EXPECTED

Page 26: WordPress Security: Fundamentals for Professionals by Joseph

VI. Have a System

Page 27: WordPress Security: Fundamentals for Professionals by Joseph

A SYSTEM TO LIVE BY

1. Protect! – Your computer has a firewall, why doesn’t your website?
2. Detect! – The same goes for AntiVirus.
3. Respond! – Clean up the mess. You have a backup, right?

Encompassing Actions:
- Know the best practices
- Mind your maintenance

Page 28: WordPress Security: Fundamentals for Professionals by Joseph


SYSTEM IN ACTION

Page 29: WordPress Security: Fundamentals for Professionals by Joseph

VII. Understand the Changing Landscape

Page 30: WordPress Security: Fundamentals for Professionals by Joseph

WORDPRESS CORE: Strong and Secure

- Dedicated Creators: making WordPress solid and secure
- Auto-Updates: get important patches right away
- Support: everything you need at WordPress.org

Page 31: WordPress Security: Fundamentals for Professionals by Joseph

WordPress Version Distribution 3.0 – 4.0 (wordpress.org/about/stats/)

Page 32: WordPress Security: Fundamentals for Professionals by Joseph

3RD-PARTY VULNERABILITIES: Keep watch

Vulnerabilities disclosed at http://blog.sucuri.net:
- All-In-One SEO: 20 million downloads
- WPtouch: 6 million downloads
- MailPoet: 2.7 million downloads
- Custom Contact Forms: 640k downloads
- Slider Revolution: hundreds of thousands (themeforest/codecanyon)

Page 33: WordPress Security: Fundamentals for Professionals by Joseph

Going further: Tips, Tools, and Services

Page 34: WordPress Security: Fundamentals for Professionals by Joseph

WEBSITE ANTIVIRUS & FIREWALL: Protection and Detection

Don’t be the mark! Understand the changes you are implementing.

- “AntiVirus”: WordFence, Sucuri Website Antivirus
- “Firewall”: CloudFlare, Sucuri Website Firewall
- “Utilities”: iThemes Security, BruteProtect, Sucuri Security Plugin

Page 35: WordPress Security: Fundamentals for Professionals by Joseph

RESOURCES: Because you don’t know what you don’t know

General WordPress Security:
- https://codex.wordpress.org/Hardening_WordPress
- https://blog.sucuri.net

Hacking and General Security:
- http://www.securityfocus.com/
- http://blogs.sophos.com/

Facebook Groups:
- WordPress Security
- Advanced WordPress

SubReddits:
- Reddit.com/r/Hacking
- Reddit.com/r/WordPress

Page 36: WordPress Security: Fundamentals for Professionals by Joseph

EASY PATH TO CLEANUP (Response)

NEED:
- Releases of WordPress at https://wordpress.org/download/release-archive/
- Clean backup of active theme and required plugins
- New passwords (WordPress, FTP, hosting control panel, everything else)
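A worked example of the cleanup step, added here and not part of the talk: hash every file of the live install and compare it with a clean tree assembled from the matching release in the archive above plus the clean theme and plugin backup. The clean and live trees below are constructed with placeholder digests; on a real site both come from file_hashes.

```python
import hashlib
import os


def file_hashes(root):
    """Map each file under root (relative, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            with open(full, "rb") as fh:
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def compare_trees(clean, live, ignore_prefixes=("wp-content/uploads/",)):
    """Classify the live install against the clean reference tree.
    Extras under an ignored prefix (user uploads) are expected, except
    .php files: PHP under uploads is a classic drop point, always reported."""
    def expected_extra(path):
        return path.startswith(ignore_prefixes) and not path.endswith(".php")

    return {
        "modified": sorted(p for p in clean if p in live and clean[p] != live[p]),
        "missing": sorted(p for p in clean if p not in live),
        "added": sorted(p for p in live if p not in clean and not expected_extra(p)),
    }


# Constructed digests standing in for real SHA-256 values (example only).
CLEAN_TREE = {
    "wp-login.php": "h1",
    "wp-includes/version.php": "h2",
    "wp-content/themes/twentyfourteen/functions.php": "h3",
    "wp-content/plugins/akismet/akismet.php": "h4",
}
LIVE_TREE = {
    "wp-login.php": "h1",
    "wp-includes/version.php": "h2-changed",  # tampered core file
    "wp-content/themes/twentyfourteen/functions.php": "h3",
    "wp-content/uploads/2014/09/photo.jpg": "h5",  # ordinary upload
    "wp-content/uploads/2014/09/cache.php": "h6",  # PHP where none belongs
}
# akismet.php is absent from LIVE_TREE: the plugin was removed.


def demo():
    """Run the comparison on the constructed trees."""
    return compare_trees(CLEAN_TREE, LIVE_TREE)
```

Every "modified" or "added" path is replaced from the clean tree or removed, and wp-config.php, which the clean tree never contains, is reviewed by hand before passwords are rotated.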

Page 37: WordPress Security: Fundamentals for Professionals by Joseph


Page 38: WordPress Security: Fundamentals for Professionals by Joseph

THANK YOU!