why security matters
Who are we?
● Globally distributed website security team
● Website Antivirus + Firewall
● Clean hundreds of websites per day
● Protect against countless attacks
● Not just WordPress but any other platform too
Who am I?
● Ben Martin @rngdmstrben
● Security Analyst at Sucuri
● Hails from Victoria BC
● 1.5 years at the company cleaning websites
● Security / online privacy geek
● Certified Music Producer
Why does security matter?
● All websites get attacked
● Responsibility & safety
● Attackers go after low hanging fruit
● Peace of Mind
Common Myth!
● “Bob must have gone to some website that he shouldn't have!”
● All types of websites get attacked/compromised regardless of content
● You don't have to go to “sketchy” websites to find malware
Be Proactive Not Reactive
● “We are intuitive. We drink water before we become dehydrated. We sleep before we become overtired. Most of the time, we automatically defend ourselves from germs and viruses, because we have consciously (and unconsciously) focused on preventative maintenance for our bodies and minds...Spend more time preventing problems and less time fixing issues that result from a compromise”
David L. Prowse
Responsibility
● Responsibility to protect your site visitors & yourself
● Protect your reputation! “Is this site safe?”
● Consider security a priority from day one
● Your visitors trust you & your website
Why would someone want to hack ME!?
● Automation – targeted attacks are usually reserved for big companies
● Same thing that motivates most bad behaviour: Money! $$$
● Phishing, drive by downloads, blackhat SEO
● Defacements / Hacktivism
Popular CMS = Targeted CMS
● WP is more than 20% of the Internet!
● Common targets for attackers
● Vulnerable plugins + themes are a big problem
Plugins
● Out of date / vulnerable software is the leading cause of website infection
● Less is more
● Decrease the attack surface
● Avoid old plugins and update update update!!!
● Also helps speed/memory of site
Passwords
● Other leading cause of infection
● Pass123 = no bueno
● Automated password attacks
● 'admin' WordPress account name
● Reusing passwords = no bueno
Protection
● UPDATE UPDATE UPDATE!!!
● Hoarding old software in /back or /old directories = no bueno
● Use a security plugin!
● Consider a firewall – paid & free options available
Detection
● Keep an eye on things
● Administrators – exercise least privilege, less is more
● Learn your environment, knowledge is power
● Learn to recognize when something is out of place
Response
● This is when you really appreciate being proactive
● Website compromises are stressful but don't panic!
● Every problem has a solution
● Not a bad idea to disclose to your visitors
Backups
● Backup your website. Always. ALWAYS.
● Your best friend on a rainy day
● Store them offline in a safe place
● Learn how to restore via FTP & database – this goes a long way
Hosting Providers
● Read reviews online
● Is security a priority for your hosting provider?
● What will they do if you get hacked?
● Shared – Managed – Dedicated – VPS
Multiple Sites
● Compartmentalize, separate, mitigate risk
● Own one, own them all
● FTP accounts – file ownership, privileges
● Avoid shared hosting if possible
Protect Yourself Online
● All this talk about malware, how do I stay safe!?
● Antivirus obviously (yes even if you have a Mac)
● Practice good / responsible browsing habits
● Security browser extensions – NoScript, AdBlock, HTTPS Everywhere
● Web browser security can be annoying & inconvenient but is very important