WordCamp Orange County: WordPress Security Fundamentals
DESCRIPTION
WordPress is one of the most popular website platforms on the Internet, and that makes it a prime target for malicious web users. Learn how to take the basic steps to protect yourself and your online properties.
TRANSCRIPT
WordPress security fundamentals
Something about me
Joseph Herbrandson
Web design and infosec. Committed to WordPress and website security since 2008.
Sucuri Security: Security Analyst, cleaning up malware and protecting websites from infection every day.
Website: sucuri.net
twitter.com/sucuri_security
facebook.com/SucuriSec
sucuri.net
Sucuri Security
• Website security company
• Operate internationally
• Platform agnostic (WordPress, Joomla, Drupal, etc.)
• Scan 2 million websites per month
• Block 4 million attacks per month
• Remediate 400-500 sites per day
• 24/7 operations
The state of the Internet
2.9 billion Internet users worldwide
About 950 million active sites (internetlivestats.com)
20% are WordPress...
Notes on secure WP
No 0% Threat Rule: There is no such thing as perfect security. If someone REALLY wants in, they will find a way.
0-Day Attacks: Brand new attacks using different methods are impossible to plan for. A 0-day attack is resolved once it has been studied and a fix has been published.
Not just WordPress! Security starts with everyday practices. Wrong moves made off your website will still affect things on your website!
Who are they? Hackers' identities
Who are these guys? It can be anyone good with computers.
- Intelligent and mischievous; enterprising and effective.
Where are they from? Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States.
What's going on here... Common attack types
Brute force, SQL injection, DDoS, social engineering
Why you? Hacked?
It's nothing personal: Most attacks are automated and done on many websites at a time.
You're on the list: Once you're a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE.
The $Billion spam!
Pharma and spam attacks: Viagra, Cialis, and Levitra ads make marketers over 2 BILLION dollars every year through blackhat methods of infecting websites and redirecting users to websites selling prescription drugs.
Sending a message: Hacktivists!
The hacktivists: Turning your site into a billboard for anarchy and mayhem.
Pillars of your security
- Frontline Disaster Prevention: backups
- Basic Website Maintenance: staying current
- Common Sense Policies: access control
- WordPress Intrusion Preparation
Disaster prevention: secured backups
Have a backup plan: Playing defensively from the back is your best first line of defense.
Stored remotely: Away from your live server, and out of the clutches of an intruder.
...more than one if possible! The more layers your backup plan has, the less likely it is to fail.
Scheduled and automated: Don't rely on yourself.
Options for backup solutions
VaultPress, web hosting, Sucuri Backups
The importance of WordPress updates
Your version is your level of security!
Major versus maintenance releases!
Worried about upgrading? Fear not! Downgrading is a simple task!
Have an upgrade path.
As of June 2014: http://w3techs.com/technologies/details/cm-wordpress/3/all
[Chart: share of WordPress sites by version (3.0-3.4, 3.5, 3.6, 3.7, 3.8, 3.9); the values shown were 36%, 29%, 6%, 7%, 11% and 11%]
Public Service Announcement... All in One SEO
Recent vulnerability disclosure: Update!!
No plugin is SAFE!
Educate yourself: http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html
A little bit about password security
The tactics: Sophisticated password guessing, easier to crack than you think...
Password crack times:
- 8 letters = 52 seconds
- 8 numbers/letters = 11 minutes
- with caps/!@#$... = 3 hours
- 12 letters/numbers/caps/!@#$ = 2 thousand years
The web's most used passwords
No.  Password    Ranking last year
1    123456      2
2    password    1
3    12345678    3
4    qwerty      5
5    abc123      4
6    123456789   New
7    111111      9
The following statistics show the most used passwords in 2013, documented from lists stolen in major organization security breaches. (SplashData.com)
Tools of the trade: password managers
LastPass, KeePass, Dashlane, 1Password
Case study: cleanup
FTP/SFTP file management: Basic file cleanup with FileZilla
WordPress version archives: https://codex.wordpress.org/WordPress_Versions (Google "WordPress versions")
Theme backups: Always know where to find a clean copy of your theme.
Infected site
Infection: blackhat SEO spam injection. The spam is displayed only with JavaScript turned off; otherwise it's hidden!
Infection confirmed at the free Sucuri website scanner: http://sitecheck.sucuri.net
Cleanup
Cleanup: remove and replace
wp-admin and wp-includes: These directories are replaceable, both for cleanup and for downgrading versions.
Replace other core files: The other core files outside of these two directories can be uploaded to directly replace their counterparts.
Do not delete wp-config.php or wp-content! These are vital to the functionality of your blog, and cannot be replaced easily, or without a backup.
Cleanup: remove and replace, pt. 2
Find your theme: Your theme is replaceable if you haven't made custom changes.
Delete your old theme: This is the most common place for infected WordPress files.
Replace with a clean copy: Good as new!
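The remove-and-replace steps from the two cleanup slides, written out as a shell script. This is an added example, not from the talk or from Sucuri; it assumes CLEAN is an unpacked official WordPress release of the version the site runs (wp-admin/, wp-includes/ and the root files of the zip), SITE is the infected document root, and the clean theme is a copy kept before any customisation. The function names and the sample files built by make_fixture are constructed for the demo.

```shell
#!/bin/sh
# Core replacement keeps wp-config.php and wp-content/ untouched, exactly as the
# slides warn; the theme step is separate because a customised theme must not be replaced.
set -eu

replace_core() {
    clean="$1"; site="$2"
    [ -f "$site/wp-config.php" ] || { echo "$site: no wp-config.php, refusing" >&2; return 1; }
    [ -d "$clean/wp-includes" ] || { echo "$clean: not a WordPress release" >&2; return 1; }
    # wp-admin and wp-includes are fully replaceable: delete, then copy, so files an intruder added inside them do not survive.
    for d in wp-admin wp-includes; do
        rm -rf "$site/$d"
        cp -R "$clean/$d" "$site/$d"
    done
    # Root-level core files (index.php, wp-login.php, ...) overwrite their counterparts one by one.
    for f in "$clean"/*.php "$clean"/*.html "$clean"/*.txt; do
        [ -f "$f" ] || continue
        name=$(basename "$f")
        case "$name" in wp-config.php) continue ;; esac   # a release never ships one; be explicit anyway
        cp "$f" "$site/$name"
    done
}

# Replace one theme from a known-clean copy (only safe if it was never customised).
replace_theme() {
    clean_theme="$1"; site="$2"; name="$3"
    rm -rf "$site/wp-content/themes/$name"
    cp -R "$clean_theme" "$site/wp-content/themes/$name"
}

# Constructed fixture so the script runs offline: a tiny "release", a clean theme, and an
# "infected" site with a modified index.php, an extra file in wp-includes and an infected theme.
make_fixture() {
    r="$1"
    mkdir -p "$r/clean/wp-admin" "$r/clean/wp-includes" "$r/clean-theme"
    echo '<?php // clean index' > "$r/clean/index.php"
    echo '<?php // clean functions' > "$r/clean/wp-includes/functions.php"
    echo '/* clean theme */' > "$r/clean-theme/style.css"
    mkdir -p "$r/site/wp-admin" "$r/site/wp-includes" "$r/site/wp-content/themes/mytheme"
    echo '<?php // modified index' > "$r/site/index.php"
    echo '<?php // file dropped by intruder' > "$r/site/wp-includes/extra.php"
    echo '<?php // keep: db credentials' > "$r/site/wp-config.php"
    echo '/* infected theme */' > "$r/site/wp-content/themes/mytheme/style.css"
}

tmp=$(mktemp -d)
make_fixture "$tmp"
replace_core "$tmp/clean" "$tmp/site"
replace_theme "$tmp/clean-theme" "$tmp/site" mytheme
find "$tmp/site" -type f | sed "s|^$tmp/||" | sort   # extra.php is gone; wp-config.php remains
rm -rf "$tmp"
```

On a real site, compare the listing against the release before and after: anything left in wp-admin or wp-includes that the release does not ship is what the slides mean by a dropped file.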
Cleanup: clean site
Cleanup accomplished: Your WordPress site is now spam free!
A healthy dose of... paranoia
Worry about the right things:
- Passwords versus usernames
- Web hosting
- Plugin/theme origin
- Patching/updating
- Who your friends are
Any questions?