simple wordpress security
play

Simple WordPress Security Barry Gould, BlogSec.net - PowerPoint PPT Presentation

Jan 13, 2023 •112 likes •326 views

Simple WordPress Security Barry Gould, BlogSec.net Barry@blogsec.net Why should we worry? Hacked site = Loss of business / reputation from loss of customer trust. Cleanup costs. Even small sites are at risk; bots dont discriminate!

  1. Simple WordPress Security Barry Gould, BlogSec.net Barry@blogsec.net

  2. Why should we worry? Hacked site = Loss of business / reputation from loss of customer trust. Cleanup costs. Even ‘small’ sites are at risk; bots don’t discriminate! Threats: ● BotNets - password guessing or exploitation ● Spammers / Spambots ● Black Hat Hackers & Script Kiddies

  3. Why should we worry? Ars Technica reports a BotNet with 90,000 IP addresses is trying to brute-force WordPress installs via password guessing.

  4. Why should we worry? What are they after: ● admin accounts & user accounts ○ admin access ○ email addresses & passwords ● hack your site to direct traffic to another site ○ fake Viagra, etc. ● grow their botnets - use your servers to: ○ send spam / malware ○ hack other sites ● defacement of popular sites

  5. How can I protect myself? Password Security Passwords should be UNIQUE, esp. for your own sites and your email. If you re-use passwords, when LinkedIn or Adobe gets hacked, now someone can login to your: ● email ● Facebook ● WP ● Bank Accounts

  6. Password Complexity Use Strong passwords on Important sites: ● at least 8 characters (letters + numbers/sym) ● mix upper & lower case ● best not to use words or names ● but make it easy to remember PassPhrases: long but easy to remember ● AllRoadsLeadtoRom3. (19ch) ● movie quotes, song lyrics, jingles, etc. ● random words: CorrectHorseBatteryStaple

  7. Passwords cont. Or, take a phrase & make a shorter password: ● All Roads Lead to Rome -> ArltR2013 (9ch) ● CorrectHorseBatteryStaple -> CoHoBaSt.

  8. WordPress Accounts Separate Admin account; restrict use. Delete the default ‘admin’ account! Use Editor / Author / contributor account(s) instead of using Admin all the time. Only use Admin when needed. Each account should have a different password. (at least) 1 acct. for each human; don’t share!

  9. Password guesser protection Plugin: “ Limit Login Attempts ” ● blocks attempts after 5 failed logins ● configurable # and timeout

  10. Plugins & Themes Choose your plugins carefully. "7 out of top 10 most popular e-commerce plugins are vulnerable to common Web attacks "20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks" - CheckMarx, June 2013 Many WP Themes have vulnerabilities as well.

  11. Plugins & Themes Make sure all plugins & themes are safe & maintained / actively developed: ● get plugins/themes from well-known sites ● skip ones that haven’t been updated in years ● skip ones that don’t seem to have any community (forums, bug trackers, etc.) Make sure to keep everything updated! Delete themes & plugins you’re no longer using

  12. Application Security Make sure to keep everything updated! ● WP + Themes & Plugins ● OS + Apache, PHP, etc. If using managed / shared hosting, make sure host keeps things updated, or reminds you to. Check regularly.

  13. Operational Security Don’t login from shared computers, ever. (unless you’re using 2-factor auth) ● If you had to, change your password when you get to the office or home. Don’t login to anything from public networks / WiFi without SSL, SSH, SFTP ● sniffers can easily steal your password

  14. Operational Security, cont. Run Anti-Virus software on your PCs & Macs. Use secure protocols, esp. on public networks: ● HTTPS / SSL instead of HTTP for admin ● SFTP / SCP instead of FTP ● SSH instead of Telnet Applies to Phones / Tablets too. Pay attention to browser/app certificate warnings.

  15. Example Certificate Warning

  16. Operational Security, cont. Backup regularly - Data + code ● Don’t leave backup files on the server ● code backups allow reference / diff in case of hack Don’t leave sensitive info on the server or in WP: ● inactive email lists ● billing info

  17. Advanced Security Topics ● Don’t expose the database to internet ● change permissions on .htaccess! ● use a separate Dev/Staging site ○ or your PC - Desktop Server, XAMPP, Local WP... ● 2-Factor authentication ○ Google Authenticator on phone + WP plugin ● use Version Control software ● Firewalls ● WAFs (ModSecurity, etc.) ● IPS (Intrusion Protection System) ● VPNs

  18. Advanced Security Topics Network / Vulnerability Scanning: Scan yourself, using Web Application Vulnerability Scanner(s): ● Nessus ● Nikto ● Acunetix ● OpenVAS Get familiar, then watch for changes

  19. Further learning Books: WordPress 3 Ultimate Security (2011) Google is your Friend. Meetups - participate / ask questions!

  20. Questions? Questions? Future Presentations?: ● eCommerce security / PCI DSS ● Advanced WP security / lockdown Contact me : Barry@BlogSec.net http://BlogSec.net

Download Presentation
Download Policy: The content available on the website is offered to you 'AS IS' for your personal information and use only. It cannot be commercialized, licensed, or distributed on other websites without prior consent from the author. To download a presentation, simply click this link. If you encounter any difficulties during the download process, it's possible that the publisher has removed the file from their server.

Recommend

WORDPRESS Lesson 02.02 WordPress Editor WordPress Editor WordPress uses a simple HTML editor

WORDPRESS Lesson 02.02 WordPress Editor WordPress Editor WordPress uses a simple HTML editor

WORDPRESS Lesson 02.02 WordPress Editor WordPress Editor WordPress uses a simple HTML editor that allows users to create and update content for blog posts, pages, comments, and other content types that require a rich editing environment.

766 views • 17 slides
Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a

Wordpress Security GIMPA, November 2018 By: @niiankrah What is Wordpress? WordPress is a free and open-source content management system based on PHP and MySQL. It uses a plugin architecture and a template system. It is most

367 views • 17 slides
WordPress Security Dont Be a Mark (with apologies to anyone named Mark) Will Chatham @willc

WordPress Security Dont Be a Mark (with apologies to anyone named Mark) Will Chatham @willc

WordPress Security Dont Be a Mark (with apologies to anyone named Mark) Will Chatham @willc www.willchatham.com Asheville Area WordPress Group, August 17, 2016 Overview Security Threats: Why & Who How WordPress Gets Hacked

376 views • 18 slides
Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot

Hardening WordPress (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray inc. @dotgray Sunday, March 15, 15 Resources Codex.WordPress.org / Hardening_WordPress Blog.Sucuri.net / WordPress Security WPSecure.net /

608 views • 32 slides
WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next

WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next

WORDPRESS Lesson 01.01 Introduction to WordPress Welcome Welcome to WordPress! Over the next set of sessions we're going to cover a lot of different topics, techniques, and technologies, all of which are going to help you better manage and

410 views • 13 slides
BEGINNER AND ADVANCED STEPS FOR WP SECURITY GEORGETOWN WORDPRESS MEETUP 03 APR 2019 @ GEORGETOWN

BEGINNER AND ADVANCED STEPS FOR WP SECURITY GEORGETOWN WORDPRESS MEETUP 03 APR 2019 @ GEORGETOWN

BEGINNER AND ADVANCED STEPS FOR WP SECURITY GEORGETOWN WORDPRESS MEETUP 03 APR 2019 @ GEORGETOWN LIBRARY www.BEACON.agency SCHEDULE AGENDA Why WordPress Security is Important 6:00p NETWORKING The Role of Web Hosting The Role of

448 views • 29 slides
BEGINNER AND ADVANCED STEPS FOR WP SECURITY RHODE ISLAND WORDPRESS MEETUP 11 Sept. 2018 @

BEGINNER AND ADVANCED STEPS FOR WP SECURITY RHODE ISLAND WORDPRESS MEETUP 11 Sept. 2018 @

BEGINNER AND ADVANCED STEPS FOR WP SECURITY RHODE ISLAND WORDPRESS MEETUP 11 Sept. 2018 @ Stillwater Books www.BEACON.agency SCHEDULE AGENDA Why WordPress Security is Important 6:00p NETWORKING The Role of Web Hosting The Role

509 views • 29 slides
WPCall Mesut Can Gurle Keerthana Krishnan WPCall Why WordPress ? WordPress powers > 24%

WPCall Mesut Can Gurle Keerthana Krishnan WPCall Why WordPress ? WordPress powers > 24%

WPCall Mesut Can Gurle Keerthana Krishnan WPCall Why WordPress ? WordPress powers > 24% of the web and rising Everything from simple websites, to blogs Complex portals and enterprise websites and even applications, are

556 views • 16 slides
Doing More with Simple Learning Platforms Brian Dusablon Traditional Delivery Mechanisms Other

Doing More with Simple Learning Platforms Brian Dusablon Traditional Delivery Mechanisms Other

Doing More with Simple Learning Platforms Brian Dusablon Traditional Delivery Mechanisms Other issues to consider: Accessibility Responsive Design Measurement Global Audience Option 1: WordPress 1: WordPress Social

352 views • 18 slides
Contributing to WordPress Sam Sidler @samuelsidler samuelsidler.com sam@wordpress.org Why

Contributing to WordPress Sam Sidler @samuelsidler samuelsidler.com sam@wordpress.org Why

Contributing to WordPress Sam Sidler @samuelsidler samuelsidler.com sam@wordpress.org Why Contribute to WordPress? Learn from the best developers Gain experience in the codebase Influence the direction of the project Make valuable

265 views • 25 slides
A Month of WordPress Plugins 2007 Ask and You May

A Month of WordPress Plugins 2007 Ask and You May

WordPress Plugins Lorelle VanFossen File Gallery WordPress Plugin A Month of WordPress Plugins 2007 Ask and You May Change WordPress Open Camp

542 views • 32 slides
Make a Simple WordPress Website wifi: MigHelp password: james2009 Photo by Christin Hume on

Make a Simple WordPress Website wifi: MigHelp password: james2009 Photo by Christin Hume on

Make a Simple WordPress Website wifi: MigHelp password: james2009 Photo by Christin Hume on Unsplash About me // Krisztina Kun Vancouver Canada (Hungarian born in Romania) started making websites in the late 1990s worked in

689 views • 19 slides
WordPress Day 8 - Underscores 1 What is underscores? _s, or underscores , is a WordPress

WordPress Day 8 - Underscores 1 What is underscores? _s, or underscores , is a WordPress

TWD 25 WordPress Day 8 - Underscores 1 What is underscores? _s, or underscores , is a WordPress starter theme. It is a code base for building custom themes. 2 Why use underscores? Maintained by Automattic developers. This is the

821 views • 47 slides
HOW YOU CAN GET INVOLVED WITH THE WORDPRESS COMMUNITY WHO WE ARE JOHN HAWKINS - WordPress

HOW YOU CAN GET INVOLVED WITH THE WORDPRESS COMMUNITY WHO WE ARE JOHN HAWKINS - WordPress

HOW YOU CAN GET INVOLVED WITH THE WORDPRESS COMMUNITY WHO WE ARE JOHN HAWKINS - WordPress developer - WordPress user for 15+ years - Owned a WP Agency for 5+ years - Organized first WordCamp in Vegas (2009) - Founded the WP Vegas

684 views • 35 slides
wordpress masterclass how to set up your own wordpress website I'm a web designer whos

wordpress masterclass how to set up your own wordpress website I'm a web designer whos

wordpress masterclass how to set up your own wordpress website I'm a web designer whos passionate about helping small businesses create a professional online brand personality that stands out from the crowd and generates an income that gives

786 views • 37 slides
WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013)

WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013)

TWD 25 WordPress Day 1 1 About Me Jonathon Leathers - WordPress Developer TWD 4 Student (2013) weCreate Design (2014 - now) Vancouver WordPress Meetup Organizer (2017 - now) WordCamp Vancouver Lead Organizer (2018 & 2019) TWD

1.52k views • 119 slides
Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO HARUYAMA

Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO HARUYAMA

Fast and Generic Malware Triage Using openioc_scan Volatility Plugin TAKAHIRO HARUYAMA (@CCI_FORENSICS) INTERNET INITIATIVE JAPAN INC. Digital Forensics Research Conference Europe 2015 Who am I? 2 Forensic Investigator & Malware

796 views • 27 slides
Hillgrove Hotel Ltd UNIFORM, WORKWEAR & PERSONAL PRESENTATION (i) Why we have a uniform

Hillgrove Hotel Ltd UNIFORM, WORKWEAR & PERSONAL PRESENTATION (i) Why we have a uniform

Hillgrove Hotel Ltd UNIFORM, WORKWEAR & PERSONAL PRESENTATION (i) Why we have a uniform Customers make judgments on our business on the basis of a number of factors, including the image conveyed by the look of our premises, the quality

397 views • 7 slides
New Approach Recovering to Internet Security damage due to a cyber attack costs from Hacktrophy

New Approach Recovering to Internet Security damage due to a cyber attack costs from Hacktrophy

New Approach Recovering to Internet Security damage due to a cyber attack costs from Hacktrophy is a modern way to test the https://hacktrophy.com/en/internet-security/ 31 000 to 9.5 mil.

157 views • 15 slides
1 Caring Hands Hospital System A Unit of CH Healthcare, Inc. Caring Hands Tour The New ED

1 Caring Hands Hospital System A Unit of CH Healthcare, Inc. Caring Hands Tour The New ED

W ho Needs Cyber I nsurance? A Review of I nsurable Privacy Exposures Today George N. Allport Chubb Specialty I nsurance And Steven H. Anderson XL I nsurance Antitrust Notice The Casualty Actuarial Society is com m itted to adhering

407 views • 11 slides
Vajra Cyber Threat Mitigation Service (Vajra CTMS) A Military Grade Cyber Threat Mitigation

Vajra Cyber Threat Mitigation Service (Vajra CTMS) A Military Grade Cyber Threat Mitigation

Vajra Cyber Threat Mitigation Service (Vajra CTMS) A Military Grade Cyber Threat Mitigation Service for Businesses and Governments Cyber Security & Privacy Foundation Pte. Ltd., Singapore Cyber Security & Privacy Foundation (CSPF)

369 views • 21 slides
Best Practices on Methodologies & Techniques to Assess the Effectiveness of Physical

Best Practices on Methodologies & Techniques to Assess the Effectiveness of Physical

Best Practices on Methodologies & Techniques to Assess the Effectiveness of Physical Protection Measures & Systems Meghann Parrilla Vulnerability Assessment Analyst v Amanda Friend Physical Security Systems Performance Testing

230 views • 11 slides
Conceptualizing Road Safety Principles in the IoT era Joint meeting Global Forum for Road

Conceptualizing Road Safety Principles in the IoT era Joint meeting Global Forum for Road

Conceptualizing Road Safety Principles in the IoT era Joint meeting Global Forum for Road Traffic Safety ( WP1) GRRF / WP29 20 September 2017 WP1 Chair Ms. Luciana Iorio Road Traffic Safety Driver Users VRU Principles -

1.19k views • 7 slides
Windows Presentation Foundation 4.5 Cookbook Windows Presentation Foundation 4.5 Cookbook

Windows Presentation Foundation 4.5 Cookbook Windows Presentation Foundation 4.5 Cookbook

SNCAK2MJZOH7 > Kindle \ Windows Presentation Foundation 4.5 Cookbook Windows Presentation Foundation 4.5 Cookbook Windows Presentation Foundation 4.5 Cookbook Filesize: 5.41 MB Reviews Reviews These kinds of pdf is every thing and helped me

434 views • 4 slides

More recommend