WordPress Security Basics - Melbourne WordPress User Meetup
TRANSCRIPT
WordPress Security Basics
Chris Burgess @chrisburgess
Bad News
There is no such thing as absolute security. Nothing is 100% secure.
Good News
There are many things we can do to drastically reduce the risks.
Context is everything…
“Most successful WordPress hack attacks are typically the result of human error, be it a configuration error or failing to maintain WordPress, such as keeping core and all plugins up to date, or installing insecure plugins etc.” - Robert Abela (@robertabela)
Source:http://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/
Overview
• Take Security Seriously
• Updates
• Themes and Plugins
• Passwords
• Backups and Maintenance
• Hardening WordPress
SSL will be covered in the following presentations
Take Security Seriously
Defense in Depth
Source:http://wptavern.com/
Keep WordPress Updated
Updates
• “Patch early and patch often”
• This is another good reason to have a testing/staging environment
Use Reputable Plugins
Use Reputable Themes
Trust
The Weakest Link
Password Management
• LastPass, 1Password, Roboform, KeePass, Dashlane
• Secret Server, LastPass Enterprise, PassPack
• Use two-factor authentication wherever possible
Perform Regular Backups and Maintenance
Prepare for Problems
Backup Options
• Server Level Backups
– cPanel/Plesk
– Replication
– Snapshots
• Backup Services
• Backup Plugins
• Manual Backups
• Exports
Hardening WordPress
• All in one plugins: Sucuri, Wordfence, iThemes Security
• Or you can take a more modular approach, but choose wisely
• Security Services
• Manual Hardening
Google Search Console (formerly Webmaster Tools)
How can I learn more?
Verizon DBIR
http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/
Resources
• https://wordpress.org/about/security/
• https://wordpress.org/news/category/security/
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/Brute_Force_Attacks#Protect_Your_Server
Thanks!
Chris Burgess @chrisburgess