PRESENTS

THE ULTIMATE GUIDE TOWORDPRESS SECURITY

IN 2020+ TIPS FOR STAYING SECURE WHILE WORKING FROM HOME

TABLE OFCONTENTS

P A R T 1 : G E T T I N GS T A R T E D W I T HW O R D P R E S S S E C U R I T Y

1

A C C O U N T L O G I NS E C U R I T Y

3

S E C U R I T Y M O N I T O R I N G14

P L U G I N & T H E M EM A N A G E M E N T20

W O R D P R E S S S E C U R I T YM Y T H S24

S I G N S O F W E B S I T EI N F E C T I O N28

W E B S I T ER E C O V E R Y32

P A R T 2 : S T A Y I N GS E C U R E W H I L EW O R K I N G F R O M H O M E

33

U S E U P D A T E D S O F T W A R E & T O O L S

P R O T E C T Y O U R S E L FA G A I N S T P H I S H I N G44

S E C U R E Y O U RI N T E R N E T47

S E R V E R S E C U R I T Y48

W R A P P I N G U P : AS E C U R I T Y C H A L L E N G E50

34

WordPress security shouldn’t be socomplicated that people are toointimidated to get started. Havingthe correct security measures inplace is crucial to the success ofany website and you can getstarted today. The truth is, most hacks can beprevented with a few simplesecurity measures. Let's take alook at some things that you cando to lock down your site.

WORDPRESSSECURITY IN 2020

P A R T 1 : G E T T I N G S T A R T E D W I T H

1

KEYS TO A SUCCESSFULWORDPRESS SECURITYSTRATEGYThere are 4 keys to a successful WordPress security strategy.

Account Login Security

Security Monitoring

Plugin & Theme Management

Website Backup Strategy

1.

2.

3.

4.

2

The great thing about WordPress is how itmakes creating a website accessible to justabout anyone. But with that accessibility comespredictability. Anyone with experience workingwith WordPress knows where changes to the siteare made: via the wp-admin area. They knowwhere they need to go to access the wp-admin,the wp-login.php page. By default, the WordPress login URL is the samefor every WordPress site, and it doesn’t requireany special permissions to access. That’s why theWordPress login page is the most attacked—andpotentially vulnerable—part of any WordPresssite.

W W W . F R A M E M A G . C O M |   2 0

ACCOUNT LOGIN SECURITY

3

BY DEFAULT, THE WORDPRESS LOGINURL IS THE SAME FOR EVERY

WORDPRESS SITE, AND IT DOESN’TREQUIRE ANY SPECIAL PERMISSIONS TOACCESS. THAT’S WHY THE WORDPRESSLOGIN PAGE IS THE MOST ATTACKED—AND POTENTIALLY VULNERABLE—PART

OF ANY WORDPRESS SITE.

7 characters will take.29 milliseconds tocrack.8 characters will take5 hours to crack.9 characters will take4 months to crack.10 characters will take1 decade to crack12 characters will take2 centuries to crack.

The number ofcharacters in yourpassword matters! Takea look at these stats.

There is a lot of confusing andcontradicting information aboutpassword security best practiceson the internet. In an effort toclear up that confusion, let’s breakdown the basics of how using astrong password improves yourWordPress security. Whenever creating a password,the first item that you will wantto consider is the length of thepassword. The list below showsthe estimated time it takes tocrack a password using a four-core i5 processor.

1. USE STRONG PASSWORDS

HOW TO SECURE YOURWORDPRESS LOGIN ACCOUNTSo what should you do? Here's a few tips to increase the security ofyour WordPress login account.

5

So as you can see, adding a singlecharacter to your password cansignificantly increase the security ofyour login. A password that it is at least12 characters long, random andincludes a large pool of characters like“ISt8XXa!28X3” will make it very difficultto crack. Unfortunately, some hackers areleveraging GPUs and stronger CPUs todecrease the amount of time neededto crack passwords. So to strengthenyour logins, also be mindful ofyour password entropy. The higher thepassword entropy is, the more difficultthe password will be to crack. For example, based on just the lengthrequirement, a password like“abcdefghijkl” is 12 characters, which isgreat and should take 200 years tocrack. However, since the passworduses sequential strings of letters, itmakes the password much morepredictable compared with a passwordlike “rfybolaawtpm” which hasrandomized characters.

W W W . F R A M E M A G . C O M |   2 0

Randomizing characters decreases thepredictability and increases thestrength of the password. But both ofthese passwords have one thing incommon that ultimately reduces thepassword entropy. Both are only usinglower case letters, limiting the pool ofpossible characters to 26. That’s whyit’s vital to include alphanumeric,upper-case letters and common ASCIIcharacters to increase the pool ofcharacters needed to crack thepassword to 92.

A password that is atleast 12 characterslong, random andincludes a large poolof characters like“ISt8XXa!28X3” willmake it very difficultto crack.

6

2. REFUSE COMPROMISEDPASSWORDS

Attackers often use compromisedpasswords as a starting point forhacking accounts because it is fasterand easier than brute-forcing allpossible password combinations. Ifyour password has been exposedand you’re reusing your credentialsacross multiple websites, attackerscould compromise your account injust one or two attempts instead ofmillions. A data breach is typically a list ofusernames, passwords and oftenother personal data that wasexposed when a site wascompromised. Recently, Troy Hunt,creator of the haveibeenpwned API,reported on his blog about the"Collection #1" Data Breach. Thisdata breach contained a staggering1,160,253,228 uniquecombinations of email addressesand passwords.

W W W . F R A M E M A G . C O M |   2 0

iThemes Security Pro leverages thepower of the haveibeenpwned APIto prevent the use of knowncompromised passwords on yourWordPress website. If yourpassword was found in a databreach, iThemes Security will requireyou to update your account’spassword immediately. 

If your password hasbeen exposed andyou’re reusing yourcredentials acrossmultiple websites,attackers couldcompromise youraccount in just one ortwo attempts insteadof millions.

7

3. USE A UNIQUE PASSWORDFOR EVERY ACCOUNT

Another best practice for onlinesecurity is using unique passwordsfor every account and website loginyou have. This is so important, we’llsay it again: you should be using adifferent password for every site. The more users you have that arereusing passwords, the weaker yourWordPress login security will be. Ina list compiled by Splash Data, themost common password included inall data dumps was 123456. TheWordPress login security of your siteis only as strong as the weakest link,so be proactive with strongpassword requirements. Ultimately, using a passwordmanager can help you keep track ofyour logins and unique passwords.With the help of a passwordmanager, you don’t have toremember your passwords.

W W W . F R A M E M A G . C O M |   2 0 8

THIS IS SO IMPORTANT, WE’LL SAY ITAGAIN: YOU SHOULD BE USING ADIFFERENT PASSWORD FOR EVERY

SITE. WHY? IF YOUR PASSWORD HASBEEN EXPOSED AND YOU’RE REUSING

YOUR CREDENTIALS ACROSSMULTIPLE WEBSITES, ATTACKERS

COULD COMPROMISE YOURACCOUNT IN JUST ONE OR TWO

ATTEMPTS INSTEAD OF MILLIONS.

By default, there isn’t anythingbuilt into WordPress to limit thenumber of failed login attemptssomeone can make. Without alimit on the number failed loginattempts an attacker can make,they can keep trying an endlessnumber of usernames andpasswords until they aresuccessful. Increase your WordPress loginsecurity by installing a WordPresssecurity plugin like iThemesSecurity Pro to limit the number offailed login attempts. The iThemesSecurity Pro WordPress BruteForce Protection feature gives youthe power to set the number ofallowed failed login attemptsbefore a username or IP is locked out.

4. LIMIT LOGIN ATTEMPTS

W W W . F R A M E M A G . C O M |   2 0

A lockout will temporarily disablethe attacker’s ability to make loginattempts. Once the attackers havebeen locked out three times, theywill be banned from even viewingthe site.

10

In addition, when you aredeveloping your WordPress loginsecurity plan, it is important to beaware that the WordPress RestAPI adds additional ways toauthenticate a WordPress user. Cookie authentication is onemethod authentication whenyou login WordPressautomatically stores a cookie soplugins and themes can performa function on your behalf.Cookie authentication willbenefit from the protections youhave added to the wp-login.php.

There are other ways to log intoWordPress besides using a loginform. Using XML-RPC, an attackercan make hundreds of usernameand password attempts in a singleHTTP request. The brute force amplificationmethod allows attackers to makethousands of username andpassword attempts using XML-RPCin just a few HTTP requests. Whenyou know an attacker can usedatabase dumps as a startingpoint and make thousands ofguesses per request, it makes theimportance of WordPress loginsecurity much clearer.

5. LIMIT OUTSIDEAUTHENTICATION ATTEMPTSPER REQUEST

W W W . F R A M E M A G . C O M |   2 0 11

We saved the best way method toincrease WordPress login securityfor last: WordPress two-factorauthentication. Two-factorauthentication requires an extracode along with your WordPressusername and password to log in. There are many methods of two-factor authentication, but not allmethods are created equal. If youcan, avoid using text for two-factorauthentication. The NationalInstitute of Standards andTechnology no longerrecommends using SMS to sendand receive authentication codes. Using a WordPress security plugin,like iThemes Security Pro, youshould enable either the email ormobile app method of two-factor.

6. USE TWO-FACTORAUTHENTICATION

W W W . F R A M E M A G . C O M |   2 0

Just note that many sites requireyou to use an email address as ausername. If an attacker hacksone of these sites, the next stepwill be to try to log into emailaccounts using the new emailaddresses and passwords theystole. If one of your users orclients are reusing compromisedpasswords on every site, theiremail account, along with theirtwo-factor email codes, will becompromised.

12

There is a balance toWordPress security.You want your websiteto be secure whilenot getting in the wayof your users andcustomers.

Passwordless login is a new way toverify a user’s identity withoutactually requiring a password tologin. Passwordless login is both safeand simple, increasing the likelihoodthat the average person will securetheir account. Passwordless loginslock down your accounts and aremuch easier to use than traditionalcredentials. You may already be using a formof passwordless login withoutrealizing it. For example, if youare using a thumbprint or FaceID to open your phone, you areusing a form of passwordlesslogin. Keep in mind that apasswordless login doesn'tnecessarily mean a passwordisn't assigned to the user. Yourphone still requires you to set apassword or a PIN, but you donot need to enter it every timeyou unlock your phone.

7. PASSWORDLESS LOGINS

W W W . F R A M E M A G . C O M |   2 0

The Passwordless Login methodprovided by iThemes Security Prowill send you an email with a “magiclink,” or a link that will log you intoWordPress with a click of abutton. This way, the passwordlesslogin requires you to have access tothe actual email account associatedwith the user, providing anotherlayer of security.

13

SECURITY MONITORINGEvery day, activity takes place on your website that may indicate nefariousactivity. What are these events and are you actively monitoring them? Thenext section will cover security monitoring on your website.

WORDPRESS SECURITY LOGSWordPress security logs providedetailed data and insights aboutactivity on your WordPresswebsite. If you know what tolook for in your logs, you caneasily identify and stopmalicious behavior on your site. WordPress security logs haveseveral benefits in your overallsecurity strategy. If your site doesget hacked, you will want to havethe best information to aide in aquick investigation and recovery.

Identity and stop maliciousbehavior. Spot activity that can alertyou of a breach. Assess how much damagewas done. Aide in the repair of ahacked site.

Here are a few ways WordPresssecurity logging helps with yoursecurity monitoring strategy:

1.

2.

3.

4.

Now let's talk about whatacitvity you should monitor.

14

IF YOUR SITE DOES GET HACKED, YOUWILL WANT TO HAVE THE BEST

INFORMATION TO AIDE IN A QUICKINVESTIGATION AND RECOVERY.

Brute force attacks refer to thetrial and error method used todiscover usernames and passwordsin order to hack into a website.WordPress doesn’t track any userlogin activity, so there isn’t anythingbuilt into WordPress to protect youfrom a brute force attack. It is up toyou to monitor your login securityto protect your WordPress site. Luckily, a brute force attack isn’tvery sophisticated, and it is prettyeasy to identify in your logs. You willneed to record the username andIP that is attempting to login andwhether or not the login wassuccessful. If you see that a singleusername or IP has consecutivemultiple failed login attempts, thechances are you are under a bruteforce attacks.

1. BRUTE FORCE ATTACKS

W W W . F R A M E M A G . C O M |   2 0

The iThemes Security Pro’s LocalBrute Force Protection featureautomatically monitors failed loginattempts and blocks brute forceattacks.

16

Even if you follow WordPresssecurity best practices, there is stilla chance for your site to becomecompromised. A compromisemeans the site has had maliciouschanges, and that is why is it is soimportant to stay on top of the filechanges on your site by recordingthem in your WordPress securitylogs. File change entries include filesadded and removed andmodifications to existing files. Nowthat you have the changesrecorded in your security logs, youshould schedule the time to auditthem. If you are an iThemesSecurity Pro user, remember toenable File Change notifications tobe notified when a file changes.

There are several legitimatereasons you would see new filechange activity in your logs, but ifthe changes made wereunexpected, you should take thetime to assure the changes werenot malicious. For example, if yousee a change made to a plugin atthe same date and time youupdated the plugin, there would beno reason to investigate.

2. FILE CHANGES

W W W . F R A M E M A G . C O M |   2 0 17

Not only should you run malwarescans, you should also berecording the results of everymalware scan in your WordPresssecurity logs. Some security logswill only record scan results thatfund malware, but that isn’tenough. It is crucial to be alerted asquickly as possible of a breach toyour site. The longer it takes foryou to know about a hack the moredamage it will do. While it feels good to see thehistory of a proactive approach tosecurity paying off, that is just abonus and not the reason torecord malware scans. If you aren’tdocumenting your scheduledscans, then you will have no way ofknowing if there are any scanfailures.

3. MALWARE SCANS

W W W . F R A M E M A G . C O M |   2 0

Not recording failed scans couldresult in you thinking that your siteis being checked daily for malwarebut, in reality, the scan is failing tocomplete.

18

1. Logins & Logouts (+ When &Where)  - The first type of useractivity you should track is whenusers log in and log out of your siteand from where. Monitoring timeand location of user’s logins canhelp you spot a user that iscompromised. Did that user loginat an unusual time or from a newplace? If so, you may want to startyour investigation with them. 2. New Users - The next activityyou should keep a record of is usercreation. A common practice for ahacker to perform is to create anew admin user in an attempt tobe covert. It is easy for you tonotice something strange with youraccount but it is much moredifficult to identify malicious activityon another user. 3. Add/Remove Plugins - We shouldnow check to see if the new userhas added or removed any pluginsfrom the site. It is vital to make a

4. USER ACTIVITY

W W W . F R A M E M A G . C O M |   2 0

record of who adds and removesplugins. Once your site has beenhacked, it will easy for the attackerto add their own custom plugin toinject malicious code into the site.Even if they don’t have access toyour server, your WordPress sitecan access it. Using a plugin theycan add redirects to your site to usein their next spamvertizementcampaign. After their maliciouscode is executed, they can thendelete the plugin to removeevidence of their crime. Lucky forus we won’t miss any of it becauseit was all documented in ourWordPress security logs. 4. Add/Edit Pages - Now it is timeto look to see if our new user hasadded any new or made changes toexisting pages or posts on the site.Have they added links to send yourtraffic to other sites? You will beable to see if any embarrassingpages have been added to the siteand get them taken down.

Keeping a record of user activity in your WordPress security logs can be yoursaving grace after a successful attack.

19

PLUGIN & THEMESMANAGEMENTPlugin and theme management play a big role in the health of your site. In thissection, we'll cover what that means.

1. UPDATE EVERYTHINGWhen your WordPress site isrunning outdated versions ofplugins, themes or WordPress, yourun the risk of having knownexploits on your site.Updates arenot just for new features or bugfixes; they can also include securitypatches for known exploits. Eventhough this is the easiest of theWordPress security vulnerabilitiesto prevent, most successful hacksuse exploits that are found inoutdated software. You can automate updates on yoursite Using the iThemes SecurityPro WordPress versionmanagement feature. Automatingyour updates ensures you get thecritical security patches thatprotect your site against

WordPress security vulnerabilitiesand as a bonus, it reduces theamount of time you spendmaintaining your WordPress site.

Keep everything onyour site updated.60% of breachesinvolvedvulnerabilities forwhich a patch wasavailable but notapplied.

20

1. AUTOMATICALLY PATCHKNOWN VULNERABILITIESHaving software with knownvulnerabilities installed on your sitegives hackers the blueprints theyneed to take over your site. It is hardto keep track of every disclosedWordPress vulnerability and comparethat list to the versions of plugins andthemes you have installed on yoursite.

The improved WordPress SecuritySite Scan powered by iThemesperforms automatic checks forknown vulnerabilities installed onyour site. And if a patch isavailable, iThemes Security Prowill now automatically apply thefix for you.

W W W . F R A M E M A G . C O M |   2 0

2. REMOVE UNUSED PLUGIN & THEMESThe PHP code on your WordPresssite should also be included in theWordPress security vulnerabilitieslist. Exploiting PHP code is a commonmethod used by hackers to gainaccess to your WordPress site, so it iscrucial you reduce the risk by limitingexploit opportunities. Uninstall andcompletely delete any unnecessaryplugins and themes on yourWordPress site to limit the number ofaccess points and executable codeon your website.

In addition, avoid using abandonedWordPress plugins. If any plugininstalled on your WordPress site hasnot received an update in six monthsor longer, you may want to makesure it hasn’t been abandoned. Aplugin not having any recent updatesdoesn’t necessarily mean it has beenabandoned, it could just mean it isfeature complete and will onlyreceive updates to ensurecompatibility with the latest versionsof WordPress and PHP.

21

3. ONLY INSTALL SOFTWAREFROM TRUSTED SOURCESOnly install WordPress plugins andthemes from trusted sources. Youshould only install software that youget from WordPress.org, well-knowncommercial repositories or directlyfrom reputable developers. You will want to avoid “nulled”version of commercial pluginsbecause they can contain maliciouscode. It doesn’t matter how you lockdown your WordPress site if you arethe one installing malware. If the WordPress plugin or theme itisn’t being distributed on thedeveloper’s website, you will want todo your due diligence beforedownloading the plugin. Reach out tothe developers to see if they are inany way affiliated with the websitethat is offering their product at a freeor discounted price.

W W W . F R A M E M A G . C O M |   2 0

Avoid “nulled” orbootleg version ofpremium pluginsbecause they usuallycontain maliciouscode. It doesn’t matterhow you lock downyour WordPress site ifyou are the oneinstalling malware.

22

AVOID “NULLED” OR BOOTLEGVERSION OF PREMIUM PLUGINS

BECAUSE THEY USUALLY CONTAINMALICIOUS CODE. IT DOESN’T MATTER

HOW YOU LOCK DOWN YOURWORDPRESS WEBSITE IF YOU ARE THE

ONE INSTALLING MALWARE.

WORDPRESSSECURITY MYTHSYou’ll find lots of security advicefloating around the internet fromwell-intentioned people whogenuinely want to help. Unfortunately, some of this adviceis built on WordPress securitymyths and don’t actually addany additional security to yourWordPress website. In fact, someWordPress security “tips” mayincrease the likelihood you will runinto issues and conflicts. We have plenty of WordPresssecurity myths to choose from, butwe are only going to focus on thetop 5 we have consistently seen inover 20,000 support tickets. Theseconversations were used as abasis for the following criteria toselect the top myths.

The Top 5 WP SecurityMyths

1. You Should Hide Your /wp-admin or /wp-login URL (AlsoKnown As "Hide Backend") The idea behind hiding the wp-admin is that hackers can’t hack whatthey can’t find. If your login URL isn’tthe standard WordPress /wp-admin/ URL, aren’t you protectedfrom brute force attacks? The truth is that most HideBackend features are simply securitythrough obscurity, which isn’t abullet-proof security strategy. Whilehiding your backend wp-admin URLcan help to mitigate some of theattacks on your login, this approachwon’t stop all of them.

24

W W W . F R A M E M A G . C O M |   2 0

3. You Should Hide your Theme Name and WordPress Version Number

If you use your browser’s developer tools, you can pretty quickly see the theme name and WordPress version number running on a WordPress site. The theory behind hiding your theme name and WP version is that if attackers have this information they will have the blueprint to break into your site.

The problem with this myth is that there isn’t an actual guy behind a keyboard looking for the perfect combination of theme and WordPress version number to attack. However, there are mindless bots that scour the internet looking for known vulnerabilities in the actual code running on your website, so hiding your theme name and WP version number won’t protect you.

4. You Should Rename Your  wp-content Directory

The wp-content directory contains your plugins, themes and media uploads folder. That is a ton of good stuff and executable code all in one directory, so it’s understandable that people want to be proactive and secure this folder..

Unfortunately, it’s a myth that changing the wp-content name will add an extra layer of security to the site. It won’t. We can easily find the name of your changed wp-content directory by using the browser developer tools. Changing the name of the directory will not add any security to your site, but it can cause conflicts.

25

5. WordPress is an InsecurePlatform

The most damaging WordPresssecurity myth is that WordPress itselfis insecure. This is simply not true.WordPress is the most popularcontent management systems in theworld, and it didn’t get that way by nottaking security seriously.

The truth is that thebiggest WordPress securityvulnerability is its users. MostWordPress hacks on the platform canbe avoided with a little effort from thesite owners.

Keep in mind that the number onereason for successful WordPresshacks is outdated software. To get apatch for a security vulnerability, youhave to keep things updated.WordPress even allows you toenable automatic updates so youdon’t have to manually run updates.But some people still don’t make it apriority to update their sites on aregular schedule. So these sites arefilled with outdated software thatmakes them ripe for attack. When ahacker uses a security hole it isn’t aWordPress flaw, it is a user flaw.

26

THE TRUTH IS THAT THEBIGGEST WORDPRESS SECURITY

VULNERABILITY IS ITS USERS. MOSTWORDPRESS HACKS ON THE

PLATFORM CAN BE AVOIDED WITH ALITTLE EFFORT FROM THE SITE

OWNERS.

SIGNS OF WEBSITE INFECTIONFinding yourself asking “Is myWordPress site hacked?” meansyou’ll want some quick answers. Inthis post, we cover seven signs ofinfection and what to do if youdiscover you’ve been hacked.

The faster you notice the signs of awebsite breach, the quicker you canget your site cleaned up. The quickeryou can get your website cleaned,the less damage the hack can do toyour website.

Not all hacks have the same goal, sothe signs of a website compromisewill depend on the attackers motive.Here are 7 different symptoms youneed to look out for when you aremonitoring the health of your site.

1. Your Homepage is DifferentChanges to your homepage seemlike an obvious sign. But how manytimes do you actually run a thoroughcheck or your homepage? I know Itypically go straight to my login URL

and not my home URL. From there, Ilog in, update my site or edit a post.After I finish what I came to do, Ioften leave without looking at mywebsite’s home page.

The primary goal of some hacks is totroll a website or gain notoriety. Sothey only change your homepage tosomething they find funny or to leavea hacked by calling card.

2. Your Website Performance HasDropped

Your site may feel sluggish when ithas an infection. You can experienceslowdowns on your website if youare experiencing brute forceattacks or if there is a malicious scriptusing your server resourcesfor cryptocurrency mining. Similarly,a DDoS (or denial of service attack)happens when a network ofIPs simultaneously sends requests toyour website in an attempt to causeit to crash.

28

W W W . F R A M E M A G . C O M |   2 0

If your site is running slowly, checkthe server access logs for anunexpected number of requests.You can also use a web applicationfirewall like the one providedby Sucuri to help protect yourwebsite against a DDoS attack. 3. Your Website ContainsMalicious or Spam Popups Ads There is a good chance a hacker hascompromised your website if yourvisitors see popups that redirectthem to a malicious website. Thegoal of this type of attack is to drivetraffic away from your site to the attacker’s site so they can targetusers with click fraud for Pay PerClick advertising. The mostfrustrating thing about this type ofhack is you may not be able to seethe popups. A popup hack can bedesigned to not show for logged inusers, which decreases the odds ofwebsite owners seeing them. Soeven when the site owner logs out,the popups will never display. Your view of the popups can also belimited if you use an ad blockerextension in your browser. Forexample, a customer reported a

popup hack and shared screenshotsand a video of the popups. After Ispent hours running through theirwebsite, I was not able to recreateanything they were reporting. I wasconvinced that their personalcomputer had been hacked and notthe website. Finally, it dawned on me why I wasn’table to see the popups. I had installedan ad blocker extension on mybrowser. As soon as I disabled the adblocker extension, I was able to seepopups everywhere. I share thisembarrassing story to hopefully saveyou from running into the samemistake. 4. You Notice a Decrease in WebsiteTraffic If you log into your Google Analyticsaccount and you notice a steep declinein website traffic, your WordPress sitecould be hacked. A drop in site trafficdeserves an investigation. There couldbe a malicious script on your site thatis redirecting visitors away from yoursite or Google could already byblacklisting your website as a malicioussite.

29

W W W . F R A M E M A G . C O M |   2 0

 The first thing you want to look for isyour website’s outbound traffic.By tracking your website with GoogleAnalytics, , you will need to configureyour site to track the traffic leaving yoursite. The easiest way to monitoroutbound traffic on your WordPress siteis to use a WordPress Google Analyticsplugin. A good Google Analytics pluginwill allow you to track specific activitywith a click of a button. 5. Unexpected File Changes If files on your website have beenchanged, added or removed, it could bea sign that your site has beencompromised. That’s why it is essentialto have a notification system in place toalert you of website file changes. You caninvestigate any unexpected changes bycomparing the changed file to a versionin a recent backup. Using a WordPress security plugin likeiThemes Security can help you track filechanges. Because of the number ofnotifications this setting can generate,you can exclude files and directories inthe File Change Detection settings. It isokay to exclude directories that youknow are going to be regularly updating.Backup and cache files are a perfectexample of this and excluding them willreduce the number of notifications youwill receive.

6. Unexpected New Admin Users If your website has any unexpectedregistrations of new admin users, that’sanother sign your WordPress site hasbeen hacked. Through an exploit of acompromised user, an attacker cancreate a new admin user. With theirnew admin privileges, the hacker isready to cause some major damageto your site. In November of 2018, we had severalreports of new admin users beingcreated on customer websites. Hackersused a vulnerability in the WP GDPRCompliance plugin(vulnerability patched in version 1.4.3)to create new admin users onWordPress sites running the plugin. Theplugin exploit allowed unauthorizedusers to modify the user registration tochange the default new-user role from a subscriber to an admin.Unfortunately, this wasn’t the onlyvulnerability and you can’t just removethe new users the attacker created andpatch the plugin.

30

W W W . F R A M E M A G . C O M |   2 0

If you had WP GDPR Compliance andWooCommerce installed, your site mighthave been injected with malicious code.The attackers were able to use theWooCommerce plugin backgroundinstaller to insert a backdoor installer inthe database. 7. Admin Users RemovedIf you are unable to log into yourWordPress site, even after a passwordreset, it may be a serious sign ofinfection. When the Gentoo Github repo gothacked the first thing the attacker didwas delete all admin users. So how didthis hacker even get into their Githubaccount? A Gentoo admin user’spassword was discovered on a differentsite. I am guessing that the usernameand password was discovered eitherthrough scraping or a database dump.Even though the admin’s password fortheir Gentoo Github account wasdifferent than one used on thecompromised account, it was verysimilar. So this would be like meusing iAmAwesome2017 as a passwordon one account

and iAmAwesome2019 on another site.So the hackers were able to figure outthe password with a little effort. You can also enable the TrustedDevices feature in iThemes Security Proto restrict admin capabilities for loginsfrom untrusted devices. If an attackersuccessfully logs into your site as anexisting admin user–either by a bruteforce attack or if the user’s credentialswere part of a database dump–they willnot have full admin capabilities. Even with the password beingcompromised, this breach could havebeen prevented if the admin was usingtwo-factor authentication. Two-Factorauthentication requires an extra codealong with your username andpassword credentials to log in. iThemesSecurity Pro allows you toenable WordPress two-factor using amobile app or email to receive youraccess additional code.

31

WEBSITE RECOVERYWhat should you do if your website is a complete loss? What if you've beenhacked and you can't get back in? The easiest and fastest way to come back froma hack is to restore from a backup. Here are ten tips to create a backup strategyand peace of mind. ELEMENTS OF A SOLIDBACKUP STRATEGY1. Choose a Backup Method - Finda dedicated backup solution likeBackupBuddy.2. Decide What to Backup - Yourbackups should include yourplugins, themes. media, uploadsand database.3. Choose Your Backup Frequency- What is your tolerance for lostdata. If you are making dailychanges to your site, you shouldhave daily backups.4. Schedule and Automate - Findthe best time to backup your siteand then use a backup plugin toautomate your backups.5. Choose an Offsite Location toStore Your Backups - Store yourbackups in a different location thanyour site's server.

6. Scan Your Backups - If yourbackup is infected it won't help youto clean your site.7. Audit Your Backup Schedules - Itis important to do periodic checks tomake sure your backup automationsare still in working order.8. Practice Restoring - When thingsgo wrong, you will need to knowhow to use your backup to restoreyour site.9. Know the Limitations of YourEnvironment - If you are on poorhosting make sure your backupstrategy is right for your site.10. Be Prepared to Migrate -Sometimes the problem is the host.Knowing how to move your site willgive you the freedom to move whenthings go wrong.

32

With more of us working fromhome than ever, it has never beenmore important to be vigilant ofpossible attacks. Our friends at Cloudflare recentlyrevealed that hacking and phishingattempts have been up by 37%and, on some days, they areblocking between four and sixtimes the number of attacks theywould usually see, since the startof the COVID-19 pandemic. Let's take a look at what you cando to protect to create a secure athome work environment

WORKINGFROM HOME

P A R T 2 : S T A Y I N G S E C U R E W H I L E

33

THE IMPORTANCE OFUSING UPDATEDSOFTWARE & TOOLSUpdates aren't just for cool new features and bug fixes, they can also includecritical security patches. Knowing what to update and how to update is the firststep in create secure and safe while working from home.

WHAT TO UPDATE & HOW TOAUTOMATE YOUR UPDATES

Y O U R O P E R A T I N G S Y S T E M

A P P L I C A T I O N S I N S T A L L E D O NY O U R D E V I C E S

W E B B R O W S E R S

R O U T E R S

34

The device you're working on has anOperating System which you will seewritten shorthand as OS. The operatingsystem is the software that worksbetween your hardware and and theapplications installed on your device.Your OS handles everything from printjobs to divvying out resources such asCPU and memory usage to theprograms running on your computer.

Your operating system plays a major roleon any device you use. That is why it is soimportant to keep the OS updated. Itdoesn't matter what other securitymeasures you have in place if you arerunning an older, vulnerable version ofyour OS.

1. YOUR OPERATING SYSTEMIt doesn't matter whatother securitymeasures you have inplace if you arerunning an older,vulnerable version ofyour operating system.

35

TYPES OF OPERATING SYSTEMS

Server OS - A server OS is anoperating system specificallydesigned to run on a server. Serveroperating systems are light weightand focused network computing.Desktop OS - A desktop OS is anoperating system designed to run ona Desktop PC or Laptop. The threemost common desktop operatingsystems are Windows, macOS, andLinux.Mobile OS - A mobile OS is anoperating system designed to run ona phone or tablet. The two mostpopular mobile operating systemsare iOS and Android.

AUTOMATING UPDATESIt is best practice to configure your operating system to updateautomatically. Auto-updating your OS means that the latest securitypatches will download and install on your device without youneeding to do anything.

36

On your Mac, choose Apple menu  > System Preferences, thenclick Software Update.To automatically install macOS updates, select “Automaticallykeep my Mac up to date.”To set advanced update options, click Advanced, then do anyof the following:

To have your Mac check for updates automatically, select“Check for updates.”To have your Mac download updates without asking, select“Download new updates when available.”To have your Mac install macOS updates automatically,select “Install macOS updates.”To have your Mac install app updates from the App Storeautomatically, select “Install app updates from the AppStore.”To have your Mac install system files and security updatesautomatically, select “Install system data files and securityupdates.”

1.

2.

3.

4. Click OK.

HOW TO SET AUTOMATICUPDATES IN MACOS

37

HOW TO SET AUTOMATICUPDATES IN WINDOWS 10

Open SettingsClick on Update & SecurityClick on Windows UpdateClick the Advanced Options button

1.2.3.4.

38

HOW TO SET AUTOMATICUPDATES IN ANDROID

Open SettingsTap on SoftwareUpdateTap DownloadUpdatesAutomatically

1.2.

3.

39

HOW TO SET AUTOMATICUPDATES IN IOS

Open SettingsTap or Click onGeneralTap or Click onSoftware UpdatesTap or Click onAutomatic Updates

1.2.

3.

4.

40

Your next line of defense is to keep the applications you install on yourdevices up to date. You can set your apps to auto-update if youdownloaded them from your operating system's app store.

2. APPLICATIONS INSTALLEDON YOUR DEVICES

HOW TO SET YOURANDROID APPS TO AUTOUPDATE1. OPEN THE GOOGLE PLAY STORE APP.

2. TAP MENU  > SETTINGS.

3. TAP AUTO-UPDATE APPS.

OVER ANY NETWORK TOUPDATE APPS USING EITHER WI-FI ORMOBILE DATA.OVER WI-FI ONLY TO UPDATE APPSONLY WHEN CONNECTED TO WI-FI .

4. SELECT AN OPTION:

HOW TO SET YOURMAC STORE APPS TOAUTO UPDATE 1. OPEN THE APP STOREPREFERENCES.

2.  CLICK THE AUTOMATICUPDATES CHECKBOX.

HOW TO SET YOURMICROSOFT STOREAPPS TO AUTOUPDATE 1. SELECT THE START SCREEN, THENSELECT MICROSOFT STORE.

2. IN MICROSOFT STORE AT THE UPPERRIGHT, SELECT THE ACCOUNT MENU(THE THREE DOTS) AND THENSELECT SETTINGS.

3. UNDER APP UPDATES, SET UPDATEAPPS AUTOMATICALLY TO ON.

HOW TO SET YOUR IOSAPPS TO AUTO UPDATE 1. OPEN SETTINGS.

2.  TAP [YOUR NAME].

3. TAP ITUNES & APP STORE.

4. TAP APP UPDATES TO ENABLEAUTOMATIC UPDATES.

41

With more of our work being done in the browser it has never been moreimportant to keep your browser up to date. If you didn't get your desktopbrowser (like Safari) from your operating system app store, you will need tomake sure it stays up to date.

3. WEB BROWSERS

HOW TO UPDATE CHROME1. ON YOUR COMPUTER, OPEN CHROME.

2. AT THE TOP RIGHT, CLICK MORE .

3. CLICK UPDATE GOOGLE CHROME.Important: I f you can't f ind this button,you're on the latest version.

4. CLICK RELAUNCH.The next t ime you restart yourbrowser, the update wil l be applied .

HOW TO UPDATE EDGE 1. ON YOUR COMPUTER, OPEN EDGE.

2. ON THE TOP RIGHT CLICK THEMENU ICON.

3. ON THE TOP RIGHT CLICK THEMENU ICON.

4. CLICK ABOUT MICROSOFT EDGE.

5. CLICK UPDATE.

42

The United States Air Force knows what can happen whenyou don't secure your router. A dumb security flaw let ahacker download US drone secrets, which could have beeneasily prevented. The vulnerability allowed anyone to use the router's FTPserver using the username: admin and password:password. The hack could have been prevented by eitherapplying the security patch that had been released prior tothe attack or updating the default passwords. Always Change the Default Username & PasswordA would be attacker can easily find your default routerlogin details, so it is crucial for you to update the usernameand use a strong password. The instructions to update your router's firmware will varyby device. Locate your router's Manufacture and modelnumber, which can typically be found on the back of yourrouter. Go to the manufacture's website to find how toupdate the firmware.

4. ROUTERS

43

Cybercriminals are taking advantageof the uncertainty and the increasedstress that the pandemic has causedall of us. Not to mention that we allhave received an increased numberof emails due to updates regardingCOVID-19.

Phishing is a method of cyber-attackusing email, social media, textmessages, and phone calls to trickthe victim into giving up personalinformation. The attacker will thenuse the information to accesspersonal accounts or commitidentity fraud.

Another goal for a phishing attack isto trick the mark into downloadingand installing malware on theirpersonal device.

PROTECTINGYOURSELF AGAINSTPHISHING

How do phishing attacks work?

Email is the most common tool usedin Phishing attacks. The attacker willdisguise the email to look like it wassent from a legitimate company. Forexample, an attacker could craft anemail to look like it was sent fromyour bank.

44

1. Look at the from email address- If you receive an email from abusiness, the portion of the sender'semail address after the "@" shouldmatch the business name. If an email is representing a companyor government entity but is using apublic email address like "@gmail" is asign of a phishing email Keep an eye out for subtlemisspellings of the domain name. Forexample, let's look at this emailaddress support@netflixx.com. Wecan see that Netflix has an extra "x" atthe end. The misspelling is a clear signthat the email was sent by a scammerand should be deleted immediately.

HOW TO SPOT A PHISHING EMAIL

2. Look for grammatical errors - Anemail that is full of grammaticalmistakes is a sign of a malicious email.All of the words may be spelledcorrectly, but sentences are missingwords that would make the sentencecoherent. For example, "Your accountis been hacked. Update password toaccount security".

Everyone makes mistakes, and notevery email with a typo or two is anattempt to scam you. However,multiple grammatical errors warrant acloser look before responding. 3. Suspicious attachments or links -It is worth pausing for a momentbefore interacting with anyattachment or links included in anemail. If you don't recognize the sender of anemail you shouldn't download anyattachments included in the email asit could contain malware and infectyour computer. If the email claims tobe from a business, you can Googletheir contact information to verify theemail was sent from them beforeopening any attachments. If an email contains a link, you canhover your mouse over the link toverify the URL is sending you where itshould be.

45

4. Watch out for urgent requests - A common trick used by scammers is to create a sense of urgency. A malicious email might manufacture a scenario that needs immediate action. The more time that you have time to think, the greater the chance you will identify the request is coming from a scammer.

You may receive an email from your "boss" asking you to pay a vendor ASAP, or from your bank informing you that your account has been hacked and immediate action is required.

PHISHINGCHECKLIST

C H E C K S E N D E R ' SE M A I L A D D R E S S

L O O K F O RG R A M M A T I C A LE R R O R S

W A T C H F O RS U S P I C I O U SA T T A C H M E N T & L I N K S

B E W A R Y O FU R G E N T R E Q U E S T S

46

There has never been a better timeto do an audit of our internetsecurity. Now that some of us areworking from home for the firsttime. We no longer have theprotection that our office ITprovided, and it is our responsibilityto protect the sensitive informationwe have trusted with. Luckily for us, there are some easythings we can do to increase thesecurity and privacy of our internettraffic drastically. 1. Update Your WiFi Password -Some manufacturers use the samedefault passwords for all of theirdevices. If you are using the password thatcame with your WiFi router, it is timeto update your password.

SECURE YOUR INTERNET2. Use a VPN - A VPN, or VirtualPrivate - Network is used creates asecure connection to anothernetwork over the internet. Using aVPN will keep whatever you arelooking at on the internet private. 3. Use an Ad Blocker - A good adblocker doesn't will not only blockads but will prevent your fromvisiting known phishing and malwaresites.

47

Server security isn't something that is always on the top of our minds.However, sever security is a critical part of every security plan. Here aresome tips that you can use to start securing your server today.

SERVER SECURITY

CHOOSE THE RIGHT WEB HOST

Update server software regularly?Does your host enable logging?Does your host offer sFTP?

Not all web hosts are created equal and choosing one solely on pricecan end up costing you way more in the long run with security issues.Most shared hosting environments are secure, but some do notproperly separate users accounts. Does your host:

48

SSL encrypts the communication that your customers type in theirbrowser and send to your site. With SLL, when someone enterstheir account name and password, it will be protected when thatinformation is sent to your site’s server for confirmation. Encrypting the username and password will make it harder for anattacker to intercept the username and password in transit fromtheir browser to your server.

HTTPS & SSL

Encrypting the username andpassword will make it harder for anattacker to intercept the usernameand password in transit from theirbrowser to your server. A content delivery network (CDN)refers to a geographically distributedgroup of servers which worktogether to provide fast delivery ofInternet content A properly configured CDN may alsohelp protect websites against somecommon malicious attacks, suchas Distributed Denial of Service(DDOS) attacks..

USE A CDN & WAFA WAF or Web Application Firewall helps protect web applications byfiltering and monitoring HTTP trafficbetween a web application and theInternet. It typically protects web applicationsfrom attacks such as cross-siteforgery, cross-site-scripting (XSS), fileinclusion, and SQL injection, amongothers. A WAF is a protocol layer7 defense (in the OSI model), and isnot designed to defend against alltypes of attacks. This method ofattack mitigation is usually part of asuite of tools which together createa holistic defense against a range ofattack vectors.

49

We covered a lot of ground in this ebook, from securingyour WordPress website to working securely fromhome. By adopting a few best practices and adoptinggood habits, you can greatly strengthen your defensesagainst the most common types of attacks. Ready to take the challenge? Right now is a great time todo a security audit of your website and work-from-homesetup to be sure your are using security best practices.Let's go!

WRAPPING UP: A SECURITY CHALLENGE

50

READY TO TAKE THE CHALLENGE?RIGHT NOW IS A GREAT TIME TO DO A

SECURITY AUDIT OF YOUR WEBSITEAND WORK-FROM-HOME SETUP TO BESURE YOUR ARE USING SECURITY BEST

PRACTICES.

TH E # 1 WORDPR E SS S ECUR I T Y P L UG I N

Get started with our single site iThemesSecurity Pro plan for just $49* with coupon

code SECUREMYWP

*Offer good on any *new* iThemes Security Pro (1 site) pluginpurchase. Coupon can't be used to renew or extend an existing

iThemes Security Pro (1 site) plugin membership.

S E C U R E M Y W P

L E A R N M O R E