head slapping wordpress security
![Page 1: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/1.jpg)
Head Slapping WordPress Security
Chris Burgess - @chrisburgess - chrisburgess.com.au
![Page 2: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/2.jpg)
#BigDigitalADL
![Page 3: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/3.jpg)
Is this how you feel about the topic of security?
![Page 4: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/4.jpg)
Not everyone loves security :) But everyone should care about it.
![Page 5: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/5.jpg)
Security is CRITICAL for business and marketing operations.
![Page 6: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/6.jpg)
Security is not absolute. It’s about risks and managing
the risks.
![Page 7: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/7.jpg)
Security is not a Product. Security is a Process.
![Page 8: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/8.jpg)
Don’t wait to see something like this before you care about it.
![Page 9: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/9.jpg)
Try and be proactive, not just reactive.
http://www.dailymail.co.uk/news/article-1388660/Mississippi-River-flooding-Residents-build-homemade-dams-saves-houses.html
![Page 10: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/10.jpg)
What we’ll cover…
• Common myths and misconceptions
• Why is WordPress a popular target?
• Who is an attacker?
• What motivates them?
• How do they do it?
• What can they do?
• What is the impact?
• What can you do?
• Common mistakes and how to avoid them
![Page 11: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/11.jpg)
A little about me…
• Co-founder Clickify – Digital Marketing Agency
• Editor for SitePoint WordPress Channel
• Help organise a few Meetups (Melbourne WordPress User Meetup and Melbourne SEO Meetup)
@chrisburgess
![Page 12: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/12.jpg)
Let’s get started…
http://www.humoar.com/wp-content/uploads/2014/08/dude-let-me-in-its-me-mittens.jpg
![Page 13: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/13.jpg)
http://www.humoar.com/wp-content/uploads/2014/08/dude-let-me-in-its-me-mittens.jpg
![Page 14: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/14.jpg)
There is no such thing as absolute security.
![Page 15: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/15.jpg)
Nothing is 100% secure.
![Page 16: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/16.jpg)
The good news – there are many things we can do to
drastically reduce the risks.
![Page 17: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/17.jpg)
Myths and misconceptions
![Page 18: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/18.jpg)
Common myths and misconceptions
“WordPress sites always get hacked.”
“No one is interested in attacking my site.”
“I’ve got nothing valuable for anyone to steal.”
“Security is not my problem, my host/developer/plugin takes care of security for me.”
![Page 19: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/19.jpg)
Why is WordPress a popular target?
![Page 20: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/20.jpg)
WordPress powers 38% of the top 10k sites
http://trends.builtwith.com/cms/
![Page 21: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/21.jpg)
WordPress powers 55% of .au sites
http://trends.builtwith.com/cms/country/Australia
![Page 22: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/22.jpg)
Example of WordPress vulnerabilities
Source: http://wptavern.com
![Page 23: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/23.jpg)
“Most successful WordPress hack attacks are typically the result of
human error, be it a configuration error or failing to maintain WordPress,
such as keeping core and all plugins up to date, or installing insecure
plugins etc.”
- Robert Abela (@robertabela)
![Page 24: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/24.jpg)
Who is an attacker?
![Page 25: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/25.jpg)
According to stock photography...
![Page 26: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/26.jpg)
Who is an attacker?
A person or group who’s trying to attack your site.
It may be personal, but most often you’re just a victim of opportunity.
Typically, your website is just one faceless entity on a massive list of sites being scanned and probed.
![Page 27: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/27.jpg)
What motivates them?
![Page 28: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/28.jpg)
They can be motivated by…
• Economic gain
• Theft
• Political awareness
• Just for kicks, or a challenge
![Page 29: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/29.jpg)
How do they do it?
![Page 30: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/30.jpg)
Defense in depth
https://technet.microsoft.com/en-us/library/cc512681.aspx
![Page 31: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/31.jpg)
There are approximately 1500 files in a default WordPress installation – not including
themes and plugins.
![Page 32: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/32.jpg)
What’s under the hood
• WordPress relies on many popular Open Source libraries (as does most software).
• Here are a few of the most common ones:
  – jQuery
  – jQuery Masonry
  – jQuery Hotkeys
  – jQuery Suggest
  – jQuery Form
  – jQuery Color
  – jQuery Migrate
  – jQuery Schedule
  – jQuery UI
  – Backbone
  – colorpicker
  – hoverIntent
  – SWFObject
  – TinyMCE
  – Atom Lib
  – Text Diff
  – SimplePie
  – Pomo
  – ID3
  – Snoopy
  – PHPMailer
  – POP3 Class
  – PHPass
  – PemFTP
https://www.sitepoint.com/javascript-and-php-libraries-used-by-wordpress/
![Page 33: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/33.jpg)
They can do it via…
OUT OF DATE OR VULNERABLE THEMES
OUT OF DATE OR VULNERABLE PLUGINS
OUT OF DATE VERSION OF WORDPRESS
INTEGRATIONS
POOR PROCESSES
BAD PASSWORDS AND PASSWORD MANAGEMENT
MISCONFIGURATION
HUMAN ERROR
![Page 34: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/34.jpg)
What can they do?
![Page 35: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/35.jpg)
Sucuri Website Hacked Trend Report 2016
https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf
![Page 36: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/36.jpg)
What is the impact?
![Page 37: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/37.jpg)
https://www.google.com/webmasters/hacked/
![Page 38: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/38.jpg)
https://www.google.com/webmasters/hacked/
![Page 39: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/39.jpg)
Real example of a compromised site in Google search results
![Page 40: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/40.jpg)
Real example of a compromised site in Google search results
![Page 41: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/41.jpg)
Example of Resources Consumed
![Page 42: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/42.jpg)
Google Search Console
![Page 43: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/43.jpg)
Netregistry email about compromised site
![Page 44: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/44.jpg)
Real example of a malicious plugin
![Page 45: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/45.jpg)
Real example of a malicious file
![Page 46: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/46.jpg)
Google Search Console
![Page 47: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/47.jpg)
Google AdWords
![Page 48: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/48.jpg)
![Page 49: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/49.jpg)
Ahrefs and Google Search Console
![Page 50: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/50.jpg)
Real example of anchor text from ahrefs.
![Page 51: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/51.jpg)
Real example of links in Google Search Console
![Page 52: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/52.jpg)
Real example of a malicious plugin.
![Page 53: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/53.jpg)
Real example of a malicious plugin.
![Page 54: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/54.jpg)
Real example of black hat SEO.
![Page 55: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/55.jpg)
Impacts your bottom line
• Loss in revenue
• Lose customers
• Cost of professional help
• Cost of your time
• Cost of your resources
• Potential legal and compliance issues
![Page 56: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/56.jpg)
Damage to reputation
• Affects brand reputation
• Can compromise visitor systems or data
• Loss of trust and confidence amongst customers or clients
• Negative publicity
![Page 57: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/57.jpg)
STRESS!
• Causes you unnecessary stress dealing with the security breach
• Can even cause stress to your staff, colleagues and customers
![Page 58: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/58.jpg)
Technical issues
• Blacklisting
• Email deliverability
• SEO and SEM impacts
• Domain and IP reputation
• Downtime and outages
![Page 59: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/59.jpg)
What Can You Do?
![Page 60: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/60.jpg)
Be practically paranoid.
![Page 61: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/61.jpg)
http://favoritememes.com/_nw/37/42148895.jpg
![Page 62: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/62.jpg)
Give your team basic security awareness training.
![Page 63: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/63.jpg)
Practice the principle of least privilege.
![Page 64: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/64.jpg)
Use Google Search Console
![Page 65: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/65.jpg)
Do regular backups and store offsite
• Server Level Backups
  – cPanel/Plesk
  – Replication
  – Snapshots
• Backup Services
• Backup Plugins
  – Updraft Plus
  – WordPress Backup to Dropbox
  – VaultPress
  – Backup Buddy
  – Duplicator
• Manual Backups
• Exports
![Page 66: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/66.jpg)
Maintenance
“Patch early and patch often”
![Page 67: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/67.jpg)
Use a security plugin (or manually harden)
https://www.wordfence.com/
https://sucuri.net/
https://ithemes.com/security/
![Page 68: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/68.jpg)
Use password management
Personal
• LastPass
• Dashlane
• 1Password
• KeePass
• Passwordsafe
• Roboform
• Browser Password Manager
• Native OS
Teams
• LastPass Enterprise
• Bitium
• 1Password for Teams
• Secret Server
• PassPack
![Page 69: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/69.jpg)
Monitor your Sitemap XML, robots.txt and .htaccess files.
![Page 70: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/70.jpg)
Use two-factor authentication
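The slide only says to turn two-factor authentication on. To show what the second factor actually checks, here is an added example (not from the talk or from any WordPress plugin) of the time-based one-time password scheme most authenticator apps implement, written against RFC 4226 (HOTP) and RFC 6238 (TOTP). The secret is the RFC's own published test secret so the output can be checked against the RFC vectors; the verification window, the replay check and the function names are this example's own choices.

```python
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 reference secret, used here only so the output can be
# checked against the published test vectors. A real deployment generates a
# random per-user secret and protects it like a password: never in a plain
# text file inside the web root.
DEMO_SECRET = b"12345678901234567890"
TIME_STEP = 30   # seconds per code, the value authenticator apps default to
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                      # dynamic truncation
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = TIME_STEP,
         digits: int = DIGITS) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time step."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, code: str, at_time=None, window: int = 1,
                last_used_counter=None):
    """Return the time-step counter the code matched, or None if it is invalid.

    Accepts codes from `window` steps either side of 'now' to tolerate clock
    drift between phone and server, compares in constant time, and refuses
    any counter not newer than the last one accepted, so a code that was
    phished or shoulder-surfed cannot be replayed within its window.
    """
    now = time.time() if at_time is None else at_time
    current = int(now) // TIME_STEP
    for candidate in range(current - window, current + window + 1):
        if last_used_counter is not None and candidate <= last_used_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate), code):
            return candidate
    return None


if __name__ == "__main__":
    # RFC 6238 vector: T=59 gives 94287082 with 8 digits, so 287082 with 6.
    print(totp(DEMO_SECRET, 59))
    print(verify_totp(DEMO_SECRET, totp(DEMO_SECRET, 59), at_time=89))
```

The caller is expected to persist the counter this returns per user and pass it back as `last_used_counter` on the next login; without that, a one-time code is only "one-time" in name.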
![Page 71: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/71.jpg)
Server security
• System Monitoring
• Integrity Monitoring
• Firewalls
• IDS/IPS
• Logging
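The "monitor your Sitemap XML, robots.txt and .htaccess files" slide and the "Integrity Monitoring" bullet above describe the same control: know what those files looked like when the site was healthy, and get told when they change. The following is an added example of that baseline-and-diff check; it is not code from the talk or from any of the plugins it lists. The watched file names, the baseline JSON layout and the sample contents are this example's own constructions, and it assumes the script runs on the server with read access to the web root.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Files the talk says to keep an eye on. Search-result poisoning and redirect
# injections tend to show up as changes to exactly these files.
WATCHED_FILES = ("sitemap.xml", "robots.txt", ".htaccess")


def sha256_of(path: Path):
    """Return the hex SHA-256 of a file, or None if it does not exist."""
    if not path.is_file():
        return None
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def snapshot(webroot) -> dict:
    """Hash every watched file under the web root (None marks a missing file)."""
    root = Path(webroot)
    return {name: sha256_of(root / name) for name in WATCHED_FILES}


def save_baseline(snap: dict, baseline_path) -> None:
    # Store the baseline outside the web root in practice; an attacker who can
    # edit .htaccess can otherwise edit the baseline to match.
    Path(baseline_path).write_text(json.dumps(snap, indent=2))


def load_baseline(baseline_path) -> dict:
    return json.loads(Path(baseline_path).read_text())


def diff_snapshots(baseline: dict, current: dict) -> dict:
    """Report each watched file as 'added', 'removed' or 'modified'.

    Unchanged files are omitted, so an empty result means nothing to act on.
    """
    changes = {}
    for name in WATCHED_FILES:
        before, after = baseline.get(name), current.get(name)
        if before == after:
            continue
        if before is None:
            changes[name] = "added"
        elif after is None:
            changes[name] = "removed"
        else:
            changes[name] = "modified"
    return changes


def demo() -> dict:
    """Run the monitor against a constructed, throw-away web root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample content, not taken from any real site.
        (root / "robots.txt").write_text("User-agent: *\nDisallow: /wp-admin/\n")
        (root / ".htaccess").write_text("# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n")
        baseline_file = root / "baseline.json"
        save_baseline(snapshot(root), baseline_file)

        # Simulate the kind of change the talk's "compromised site in search
        # results" slides come from: a rewrite rule appended to .htaccess and a
        # sitemap the site owner never created (placeholder host, not a real one).
        with (root / ".htaccess").open("a") as fh:
            fh.write("RewriteRule ^ http://example.invalid/ [R=302,L]\n")
        (root / "sitemap.xml").write_text("<urlset></urlset>\n")

        changes = diff_snapshots(load_baseline(baseline_file), snapshot(root))
        return {"changes": changes, "robots_unchanged": "robots.txt" not in changes}


if __name__ == "__main__":
    print(demo())
```

Run `snapshot()` once after a known-clean deploy, keep the result, and have a cron job compare a fresh snapshot against it and alert on a non-empty diff; legitimate changes (a plugin regenerating the sitemap, a deliberate .htaccess edit) are handled by re-saving the baseline as part of that change.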
![Page 72: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/72.jpg)
Use strong encryption
• Avoid plain text protocols
• Everyone should use SSL (and make sure it’s configured correctly)
![Page 73: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/73.jpg)
WPScan WordPress Scanner
![Page 74: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/74.jpg)
Other resources
• WordPress.org
  – wordpress.org/about/security
  – wordpress.org/news/category/security
• Codex.WordPress.org
  – codex.wordpress.org/hardening_wordpress
  – codex.wordpress.org/brute_force_attacks#protect_your_server
• Verizon DBIR - http://www.verizonenterprise.com/verizon-insights-lab/dbir/
• Sucuri - https://sucuri.net/
• OWASP - http://owasp.org/
• WP White Security - https://www.wpwhitesecurity.com/
• Google Safe Browsing - https://www.google.com/transparencyreport/safebrowsing/diagnostic/
![Page 75: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/75.jpg)
Common mistakes and how to avoid them
![Page 76: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/76.jpg)
1. Don’t use weak user names and passwords (admin:password123).
![Page 77: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/77.jpg)
2. Don’t have publicly accessible backups (e.g. /backup.zip).
![Page 78: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/78.jpg)
3. Don’t have publicly accessible config files (wp-config.php.old).
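Mistakes 2 and 3 are the same mistake seen from two angles: a file that was never meant to be served (an archive of the site, a database dump, an editor's copy of wp-config.php with the database credentials still in it) is left inside the web root where any request can fetch it. This added example, not from the talk, walks the web root from the server side for such leftovers and produces an Apache rule that refuses to serve them even if one is left behind. The name patterns, the `demo()` directory layout and the function names are this example's own; the rule assumes Apache 2.4 (`Require all denied`) and an `AllowOverride` setting that lets .htaccess carry it.

```python
import re
import tempfile
from pathlib import Path

# File names that should never sit in a web-served directory: archives and
# database dumps (backup.zip, site.sql), backup or editor copies of
# configuration (wp-config.php.old, wp-config.php~) and dotenv files.
# Patterns are this example's own; extend them to match your own habits.
RISKY_NAME_PATTERNS = [
    re.compile(r"\.(zip|tar|tgz|gz|7z|rar|sql|bak|old|orig|save|swp)$", re.I),
    re.compile(r"^wp-config\.php.+", re.I),   # wp-config.php.old etc., not wp-config.php itself
    re.compile(r"^\.env$", re.I),
]


def find_exposed_artifacts(webroot) -> list:
    """Return web-root-relative paths of files whose names look like leftovers.

    Archives that are meant to be downloadable (e.g. under wp-content/uploads)
    will also be listed; the operator decides which hits are intentional.
    """
    root = Path(webroot)
    hits = []
    for path in root.rglob("*"):
        if path.is_file() and any(p.search(path.name) for p in RISKY_NAME_PATTERNS):
            hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def htaccess_deny_rules() -> str:
    """Apache 2.4 .htaccess block that refuses to serve matching files."""
    return "\n".join([
        r'<FilesMatch "(?i)(\.(zip|tar|tgz|gz|7z|rar|sql|bak|old|orig|save|swp)$|^wp-config\.php.+|^\.env$)">',
        "    Require all denied",
        "</FilesMatch>",
    ])


def demo() -> list:
    """Audit a constructed, throw-away web root (placeholder files only)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "wp-content" / "uploads").mkdir(parents=True)
        for name in ("index.php", "wp-config.php", "wp-config.php.old",
                     "backup.zip", "wp-content/uploads/logo.png"):
            (root / name).write_text("constructed placeholder\n")
        return find_exposed_artifacts(root)


if __name__ == "__main__":
    for hit in demo():
        print("exposed:", hit)
    print(htaccess_deny_rules())
```

The filesystem walk finds what a scanner would find, but from the inside and without generating requests against the live site; the deny rule is belt-and-braces for the day someone forgets, since the real fix is to keep backups off the web root entirely, as the talk's backup slide says.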
![Page 79: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/79.jpg)
4. Don’t forget to backup your site regularly. Store offsite.
![Page 80: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/80.jpg)
5. Don’t forget to regularly update your WordPress site.
![Page 81: Head Slapping WordPress Security](https://reader035.vdocuments.net/reader035/viewer/2022081401/58705b881a28aba2118b6925/html5/thumbnails/81.jpg)
6. Take advantage of the plugins, tools and services available to
protect your site.