A WordPress presentation that focuses on security principles and not false sense of security through adding 20 plugins. Lets stick to the basics folks!
This presentation was given at WordCamp Miami #wcmia
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Real WordPress Security - Kill the Noise
1. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Real WordPress Security
Kill the noise!
2. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Dre Armeda
Co-Founder of Sucuri Inc. – Sucuri.net
Co-Host of DradCast – DradCast.com
@dremeda | dremeda.com | drejitsu.com
• Softball Dad
• Proud Navy Veteran
• Brazilian Jiu-Jitsu Player
• Chargers & Angels Fan
• Harley Enthusiast
• Taco Lover
3. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
4. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
The Internet Rocks
With adoption and growth comes innovation!
Over 2 billion internet users today(Internet World Stats)
566% growth in the last 12 years (Internet World Stats)
861,379,000 registered hostnames - Jan14 (Tech Made Easy)
180,000,000 active websites (Tech Made Easy)
5. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
6. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
It’s Not All Peachy
Malware – short for malicious software
DoS/DDoS - Denial of Service
Brute Force
SPAM Links
SEO Poisoning
XSS
SQL Injections
Blacklisting
DNS Poisoning
Innovative thinking sparks risk
7. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Malware Type Distribution
SiteCheck numbers don’t lie!
26%
19%
16%
14%
11%
4%
10%
Remote
iFrame
Includes
Remote
JavaScript
Includes
SPAM
Injections
Obfuscated /
Encoded
JavaScript
Conditional
Redirects
Defacements Other
8. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Trends
9. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
How Bad is it?
An explosion in web malicious links!
Malicious Links
2011
2012
10. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
What Are Malicious Links?
Oh you’ve seen them. You’ve seen them everywhere!
11. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Increase in Phishing
All is not what it seems!
12. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Search Engine Poisoning (SEP)
Get Payday Loans or Cheap Pills.
13. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Brute Force
14. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Denial of Service (DoS)
15. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Denial of Service (DoS)
16. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Why Is This Happening?
Awesome spawns not so awesome situations!
17. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Almost always for the $$$
18. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
How Does This Happen
A new type of webmaster!
19. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
The Worlds Biggest Weakness
20. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Am I At Risk?
The percentage of risk
will never be zero!
Ever See a Dodo Bird?
21. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Everyone is a Target!
Even you!
22. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
What Can We do?
Be smart. Be consistent. Cut out the noise!
23. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Things You May See
Your users saying they are being redirected
Spam links in your HTML or even visible
Google SERP shows Viagra for your keywords
Google Blacklists you
Sharp traffic decreases for no reason
If your site is infected
24. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Quick Steps
Scan for malware – http://sitecheck.sucuri.net
Kill WordPress sessions by resetting Salts -
http://wordpress.org/support/topic/set-up-a-secret-key-in-wordpress-
25
Reset ALL passwords (WP, FTP, SSH)
Replace WordPress Core
Update ALL Software
Look for out of place files
Hire someone to audit the site and perform full server-side scan &
cleanup
If you think your site is infected
25. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Proactive Defenses!
26. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Keep Software Updated
Leading cause for infection along with passwords
Scared to upgrade because stuff breaks?
Major vs. Point Release
Run upgrade tests
Do your homework
Information Security is everyone’s responsibility
27. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Use Trusted Sources!
28. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
No Soup Kitchen Servers
WordPressers act like they forgot about DEV
Cross-contamination is a big deal
Segment by user and account
Not active. Not good enough
If it’s not in use, get rid of it
Production is not your archive server!
29. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Reduce Access
Give people enough access to do their job, nothing
more; remove access when they complete their job!
User Proper Roles
This goes for WordPress, FTP, & DB’s, etc.
Limit failed logins to thwart brute force
Practice two form auth & layered login
Disable PHP Execution!
Least privilege to some, no privilege for most.
<Files *.php>
Deny from all
</Files>
30. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Password Management
Complex – Long - Unique
Password still top 5 actively used password
Use unique passphrases
Use different passwords across accounts
Password Management Tools
Password is a password not to be used as your password, ever!
31. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Backup Schedule
Create a schedule today!
Backup outside of your production environment
Multiple backups are awesome
Talk to your host to see what they offer
Various tools available
When they hack you, reduce downtime.
32. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Tools & Services
Website Firewall
Sucuri CloudProxy
Great tools and services to help you reduce risk.
Password Management
LastPass
KeyPass Password
Safe
1Password
Malware Scanning
Sucuri SiteCheck
UnMask Parasites
Malware Cleanup
Sucuri
Backups
Sucuri Backups
VaultPress
33. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Notable Resources
Name Tool
Sucuri Blog http://blog.sucuri.net
Sucuri TV http://sucuri.tv
Malware Scanner http://sitecheck.sucuri.net
Malware Scanner http://unmaskparasites.com
Badware Busters https://badwarebusters.org
Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-
sites
Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB http://www.exploit-
db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
Joomla! Security and Performance FAQs http://docs.joomla.org/Security_and_Performance_FAQs
Joomla! Security Checklist http://docs.joomla.org/Security_Checklist/Getting_Started
34. Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Thank You For Listening
Now go, reduce risk. Go!