simple wordpress security
play

Simple WordPress Security Barry Gould, BlogSec.net - PowerPoint PPT Presentation

Jan 13, 2023 •112 likes •326 views

Simple WordPress Security Barry Gould, BlogSec.net Barry@blogsec.net Why should we worry? Hacked site = Loss of business / reputation from loss of customer trust. Cleanup costs. Even small sites are at risk; bots dont discriminate!

  1. Simple WordPress Security Barry Gould, BlogSec.net Barry@blogsec.net

  2. Why should we worry? Hacked site = Loss of business / reputation from loss of customer trust. Cleanup costs. Even ‘small’ sites are at risk; bots don’t discriminate! Threats: ● BotNets - password guessing or exploitation ● Spammers / Spambots ● Black Hat Hackers & Script Kiddies

  3. Why should we worry? Ars Technica reports a BotNet with 90,000 IP addresses is trying to brute-force WordPress installs via password guessing.

  4. Why should we worry? What are they after: ● admin accounts & user accounts ○ admin access ○ email addresses & passwords ● hack your site to direct traffic to another site ○ fake Viagra, etc. ● grow their botnets - use your servers to: ○ send spam / malware ○ hack other sites ● defacement of popular sites

  5. How can I protect myself? Password Security Passwords should be UNIQUE, esp. for your own sites and your email. If you re-use passwords, when LinkedIn or Adobe gets hacked, now someone can login to your: ● email ● Facebook ● WP ● Bank Accounts

  6. Password Complexity Use Strong passwords on Important sites: ● at least 8 characters (letters + numbers/sym) ● mix upper & lower case ● best not to use words or names ● but make it easy to remember PassPhrases: long but easy to remember ● AllRoadsLeadtoRom3. (19ch) ● movie quotes, song lyrics, jingles, etc. ● random words: CorrectHorseBatteryStaple

  7. Passwords cont. Or, take a phrase & make a shorter password: ● All Roads Lead to Rome -> ArltR2013 (9ch) ● CorrectHorseBatteryStaple -> CoHoBaSt.

  8. WordPress Accounts Separate Admin account; restrict use. Delete the default ‘admin’ account! Use Editor / Author / contributor account(s) instead of using Admin all the time. Only use Admin when needed. Each account should have a different password. (at least) 1 acct. for each human; don’t share!

  9. Password guesser protection Plugin: “ Limit Login Attempts ” ● blocks attempts after 5 failed logins ● configurable # and timeout

  10. Plugins & Themes Choose your plugins carefully. "7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks "20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks" - CheckMarx, June 2013 Many WP Themes have vulnerabilities as well.

  11. Plugins & Themes Make sure all plugins & themes are safe & maintained / actively developed: ● get plugins/themes from well-known sites ● skip ones that haven’t been updated in years ● skip ones that don’t seem to have any community (forums, bug trackers, etc.) Make sure to keep everything updated! Delete themes & plugins you’re no longer using

  12. Application Security Make sure to keep everything updated! ● WP + Themes & Plugins ● OS + Apache, PHP, etc. If using managed / shared hosting, make sure host keeps things updated, or reminds you to. Check regularly.

  13. Operational Security Don’t login from shared computers, ever. (unless you’re using 2-factor auth) ● If you had to, change your password when you get to the office or home. Don’t login to anything from public networks / WiFi without SSL, SSH, SFTP ● sniffers can easily steal your password

  14. Operational Security, cont. Run Anti-Virus software on your PCs & Macs. Use secure protocols, esp. on public networks: ● HTTPS / SSL instead of HTTP for admin ● SFTP / SCP instead of FTP ● SSH instead of Telnet Applies to Phones / Tablets too. Pay attention to browser/app certificate warnings.

  15. Example Certificate Warning

  16. Operational Security, cont. Backup regularly - Data + code ● Don’t leave backup files on the server ● code backups allow reference / diff in case of hack Don’t leave sensitive info on the server or in WP: ● inactive email lists ● billing info

  17. Advanced Security Topics ● Don’t expose the database to internet ● change permissions on .htaccess! ● use a separate Dev/Staging site ○ or your PC - Desktop Server, XAMPP, Local WP... ● 2-Factor authentication ○ Google Authenticator on phone + WP plugin ● use Version Control software ● Firewalls ● WAFs (ModSecurity, etc.) ● IPS (Intrusion Protection System) ● VPNs

  18. Advanced Security Topics Network / Vulnerability Scanning: Scan yourself, using Web Application Vulnerability Scanner(s): ● Nessus ● Nikto ● Acunetix ● OpenVAS Get familiar, then watch for changes

  19. Further learning Books: WordPress 3 Ultimate Security (2011) Google is your Friend. Meetups - participate / ask questions!

  20. Questions? Questions? Future Presentations?: ● eCommerce security / PCI DSS ● Advanced WP security / lockdown Contact me : Barry@BlogSec.net http://BlogSec.net

Recommend

WORDPRESS Lesson 02.02 WordPress Editor WordPress Editor WordPress uses a simple HTML editor

WORDPRESS Lesson 02.02 WordPress Editor WordPress Editor WordPress uses a simple HTML editor

WORDPRESS Lesson 02.02 WordPress Editor WordPress Editor WordPress uses a simple HTML editor that allows users to create and update content for blog posts, pages, comments, and other content types that require a rich editing environment.

766 views • 17 slides
Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a free and open-source content management system based on PHP and MySQL. It uses a plugin architecture and a template system. It is most

367 views • 17 slides
WordPress Security Dont Be a Mark (with apologies to anyone named Mark) Will Chatham @willc

WordPress Security Dont Be a Mark (with apologies to anyone named Mark) Will Chatham @willc

WordPress Security Dont Be a Mark (with apologies to anyone named Mark) Will Chatham @willc www.willchatham.com Asheville Area WordPress Group, August 17, 2016 Overview Security Threats: Why & Who How WordPress Gets Hacked

376 views • 18 slides
Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray inc. @dotgray Sunday, March 15, 15 Resources Codex.WordPress.org / Hardening_WordPress Blog.Sucuri.net / WordPress Security WPSecure.net /

608 views • 32 slides
WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next

WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next

WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next set of sessions we're going to cover a lot of different topics, techniques, and technologies, all of which are going to help you better manage and

410 views • 13 slides
BEGINNER AND ADVANCED STEPS FOR WP SECURITY GEORGETOWN WORDPRESS MEETUP 03 APR 2019 @ GEORGETOWN

BEGINNER AND ADVANCED STEPS FOR WP SECURITY GEORGETOWN WORDPRESS MEETUP 03 APR 2019 @ GEORGETOWN

BEGINNER AND ADVANCED STEPS FOR WP SECURITY GEORGETOWN WORDPRESS MEETUP 03 APR 2019 @ GEORGETOWN LIBRARY www.BEACON.agency SCHEDULE AGENDA Why WordPress Security is Important 6:00p NETWORKING The Role of Web Hosting The Role of

448 views • 29 slides
BEGINNER AND ADVANCED STEPS FOR WP SECURITY RHODE ISLAND WORDPRESS MEETUP 11 Sept. 2018 @

BEGINNER AND ADVANCED STEPS FOR WP SECURITY RHODE ISLAND WORDPRESS MEETUP 11 Sept. 2018 @

BEGINNER AND ADVANCED STEPS FOR WP SECURITY RHODE ISLAND WORDPRESS MEETUP 11 Sept. 2018 @ Stillwater Books www.BEACON.agency SCHEDULE AGENDA Why WordPress Security is Important 6:00p NETWORKING The Role of Web Hosting The Role

509 views • 29 slides
WPCall Mesut Can Gurle Keerthana Krishnan WPCall Why WordPress ? WordPress powers > 24%

WPCall Mesut Can Gurle Keerthana Krishnan WPCall Why WordPress ? WordPress powers > 24%

WPCall Mesut Can Gurle Keerthana Krishnan WPCall Why WordPress ? WordPress powers > 24% of the web and rising Everything from simple websites, to blogs Complex portals and enterprise websites and even applications, are

556 views • 16 slides
Doing More with Simple Learning Platforms Brian Dusablon Traditional Delivery Mechanisms Other

Doing More with Simple Learning Platforms Brian Dusablon Traditional Delivery Mechanisms Other

Doing More with Simple Learning Platforms Brian Dusablon Traditional Delivery Mechanisms Other issues to consider: Accessibility Responsive Design Measurement Global Audience Option 1: WordPress 1: WordPress Social

352 views • 18 slides
Contributing to WordPress Sam Sidler @samuelsidler samuelsidler.com sam@wordpress.org Why

Contributing to WordPress Sam Sidler @samuelsidler samuelsidler.com sam@wordpress.org Why

Contributing to WordPress Sam Sidler @samuelsidler samuelsidler.com sam@wordpress.org Why Contribute to WordPress? Learn from the best developers Gain experience in the codebase Influence the direction of the project Make valuable

265 views • 25 slides
A Month of WordPress Plugins 2007 Ask and You May

A Month of WordPress Plugins 2007 Ask and You May

WordPress Plugins Lorelle VanFossen File Gallery WordPress Plugin A Month of WordPress Plugins 2007 Ask and You May Change WordPress Open Camp

542 views • 32 slides
Make a Simple WordPress Website wifi: MigHelp password: james2009 Photo by Christin Hume on

Make a Simple WordPress Website wifi: MigHelp password: james2009 Photo by Christin Hume on

Make a Simple WordPress Website wifi: MigHelp password: james2009 Photo by Christin Hume on Unsplash About me // Krisztina Kun Vancouver Canada (Hungarian born in Romania) started making websites in the late 1990s worked in

689 views • 19 slides
WordPress Day 8 - Underscores 1 What is underscores? _s, or underscores , is a WordPress

WordPress Day 8 - Underscores 1 What is underscores? _s, or underscores , is a WordPress

TWD 25 WordPress Day 8 - Underscores 1 What is underscores? _s, or underscores , is a WordPress starter theme. It is a code base for building custom themes. 2 Why use underscores? Maintained by Automattic developers. This is the

821 views • 47 slides
HOW YOU CAN GET INVOLVED WITH THE WORDPRESS COMMUNITY WHO WE ARE JOHN HAWKINS - WordPress

HOW YOU CAN GET INVOLVED WITH THE WORDPRESS COMMUNITY WHO WE ARE JOHN HAWKINS - WordPress

HOW YOU CAN GET INVOLVED WITH THE WORDPRESS COMMUNITY WHO WE ARE JOHN HAWKINS - WordPress developer - WordPress user for 15+ years - Owned a WP Agency for 5+ years - Organized first WordCamp in Vegas (2009) - Founded the WP Vegas

684 views • 35 slides
wordpress masterclass how to set up your own wordpress website I'm a web designer whos

wordpress masterclass how to set up your own wordpress website I'm a web designer whos

wordpress masterclass how to set up your own wordpress website I'm a web designer whos passionate about helping small businesses create a professional online brand personality that stands out from the crowd and generates an income that gives

786 views • 37 slides
WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013)

WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013)

TWD 25 WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013) weCreate Design (2014 - now) Vancouver WordPress Meetup Organizer (2017 - now) WordCamp Vancouver Lead Organizer (2018 & 2019) TWD

1.52k views • 119 slides
WordPress I Day 7 1 Tuesday, June 18, 13 Moving Your WordPress Site (within the same domain)

WordPress I Day 7 1 Tuesday, June 18, 13 Moving Your WordPress Site (within the same domain)

WordPress I Day 7 1 Tuesday, June 18, 13 Moving Your WordPress Site (within the same domain) How do I move files from a \wordpress sub- directory to the site root? A common request. Unlike a basic HTML site, we can't simply move the

593 views • 25 slides
WORDPRESS O L I V I A B I S S E T l e m o n a d e c o d e . c o m lemonadecode.online A B O U T

WORDPRESS O L I V I A B I S S E T l e m o n a d e c o d e . c o m lemonadecode.online A B O U T

H OW Y OUNG P EOPLE C AN B UILD BIG IDEAS W ITH WORDPRESS O L I V I A B I S S E T l e m o n a d e c o d e . c o m lemonadecode.online A B O U T M E Home-Schooled & Traditional Schooling WordPress User For 4 Years, Started When I

581 views • 37 slides
Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis

Project 1 Robert Windisch Automated security check for WordPress plugins Static Code Analysis Powered by RIPS Technologies High-tech company based in Bochum, Germany Supports the full feature stack of the PHP language Detects

1.06k views • 47 slides
Mike Little WordPress Co-founder WordPress: the early years. A co-founders view

Mike Little WordPress Co-founder WordPress: the early years. A co-founders view

Mike Little WordPress Co-founder WordPress: the early years. A co-founders view Democratising publishing and empowering freedom of speech since 2003. Questions? @mikelittlezed1 https://mikelittle.org/

450 views • 5 slides
Dealing with IoT Security- Do nothing, Do simple things, or Do it RIGHT Sameer Dixit, Sr.Director

Dealing with IoT Security- Do nothing, Do simple things, or Do it RIGHT Sameer Dixit, Sr.Director

Dealing with IoT Security- Do nothing, Do simple things, or Do it RIGHT Sameer Dixit, Sr.Director Security Consulting IoT on A Rise IoT Security Frameworks and Standards NIST - International Cybersecurity Standardization for the Internet of

437 views • 11 slides
Wordpress Workshop From Zero to Hero (September 2018) Contents 1. Admin 2. Wordpress Basics

Wordpress Workshop From Zero to Hero (September 2018) Contents 1. Admin 2. Wordpress Basics

Wordpress Workshop From Zero to Hero (September 2018) Contents 1. Admin 2. Wordpress Basics 3. Create a Basic Wordpress Website 4. Using Oxygen 5. Website Design 6. Client Portal Course contents 1. Admin and Set up a. (Give

641 views • 39 slides
WORDPRESS Lesson 10.01 Administration Administration Maintaining your WordPress site is easy,

WORDPRESS Lesson 10.01 Administration Administration Maintaining your WordPress site is easy,

WORDPRESS Lesson 10.01 Administration Administration Maintaining your WordPress site is easy, and doesnt require a lot of time. In the next several slides, well discuss the various chores that are important in maintaining an error free

239 views • 10 slides
WordPress 101 Mercer Public Library January 24, 2019 A little planning... What do I need for a

WordPress 101 Mercer Public Library January 24, 2019 A little planning... What do I need for a

WordPress 101 Mercer Public Library January 24, 2019 A little planning... What do I need for a website? Host (Server) Domain name Website design Why WordPress? Stable, reliable platform 60% of sites using a CMS use WordPress

564 views • 8 slides

More recommend