secure from the start
DESCRIPTION
Want to keep your WordPress site safe from hackers? This session is for you. A security-orientated talk covering: Risks and Pitfalls, WordPress configuration, Hosting considerations, Must-have plugins & Additional config options.
TRANSCRIPT
Welcome
"Want to keep your WordPress site safe from hackers? This session is for you"
Kieran O'Shea: Secure from the Start
Secure from the Start
Kieran O'Shea
[email protected] • @kieranoshea • http://www.kieranoshea.com/
About me
Day job in the finance industry
Open Source Work
RouterTech: firmware for home routers
WordPress Plugins: Calendar
Introduction
Origin of this session
Security home truths
Attack Vectors & Advice
Plugins
Server config
Something extra
Questions
Security Home Truths
Insecure passwords cracked in seconds
Average of 156 days before victims realise hacking has taken place
90% of all businesses have been hacking victims in the last 12 months
More than 30,000 websites infected with malware
Attack Vectors
Passwords & Persistence
External applications
Rogue code
Passwords
Secure passwords
Avoid re-use between systems
Passwords
Risks of re-use
Is this your password?
Passwords
Secure password storage
Single, secure, master password
External Applications
Shared servers externalise risk
Protect users from users
Don't chmod 777
Your host should run suPHP
Watch home directory changes
Rogue Code
Does your theme footer look like this?
Rogue Code
Hackers & spammers team up
Rogue Code
It can get worse.... much worse
Plugins
Modifications to files ✔ "WordPress File Monitor Plus" (Scott Cariss)
Login attempts ✔ "Limit Login Attempts" (Johan Eenfeldt)
Action logging ✔ "Audit Trail" (John Godley)
Server config
Use fail2ban
Block access at an IP level

# Define specific rules for the blog admin panel
<Directory /home/kieran/public_html/wp-admin>
    Order Deny,Allow
    Deny from all
    Allow from 95.172.226.96/27
</Directory>
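The fail2ban idea on this slide (block an IP after repeated failed logins), as an added Python example that is not the speaker's code: it applies a fail2ban-style maxretry/findtime check to Apache access-log lines for wp-login.php and returns the IPs that should be blocked. The log lines and IP addresses are constructed, and the rule that a failed wp-login.php POST answers 200 while a successful one redirects with 302 is an assumption about default WordPress behaviour.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" log line; captures only the fields the check needs.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return ip/ts/method/path/status for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def is_failed_login(rec):
    """Assumption: failed wp-login.php POST re-renders the form (200); success redirects (302)."""
    return (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
            and rec["status"] == 200)

def find_brute_forcers(lines, maxretry=5, findtime=timedelta(minutes=10)):
    """fail2ban-style rule: ban an IP once it has `maxretry` failures inside a sliding `findtime`."""
    recent = defaultdict(list)  # ip -> timestamps of failures still inside the window
    banned = {}                 # ip -> time of the failure that triggered the ban
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        window = recent[rec["ip"]]
        window.append(rec["ts"])
        while rec["ts"] - window[0] > findtime:
            window.pop(0)  # forget attempts that fell out of the window
        if len(window) >= maxretry and rec["ip"] not in banned:
            banned[rec["ip"]] = rec["ts"]
    return banned

# Constructed sample log: 203.0.113.5 hammers the login form, 198.51.100.7 fails once then logs in.
SAMPLE_LOG = [
    '203.0.113.5 - - [10/Oct/2013:13:55:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.29"',
    '198.51.100.7 - - [10/Oct/2013:13:55:10 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2013:13:55:12 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.29"',
    '198.51.100.7 - - [10/Oct/2013:13:55:30 +0100] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Oct/2013:13:55:33 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.29"',
    '203.0.113.5 - - [10/Oct/2013:13:55:45 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.29"',
    '203.0.113.5 - - [10/Oct/2013:13:56:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "curl/7.29"',
]
```

Running `find_brute_forcers(SAMPLE_LOG)` returns only 203.0.113.5, banned at its fifth failure; the resulting addresses are what a fail2ban action would hand to the firewall or to a Deny line like the one above.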
Something extra
Demos in this session powered by...
… the Raspberry Pi
Questions?
Kieran O'Shea • [email protected] @kieranoshea • http://www.kieranoshea.com/
Remember, WordCamp tweets archived here: https://wcuk.kieranoshea.com/tweets/