During this presentation, we'll discuss the ins and outs of website security. Using good security practices as a website owner helps keep the entire web environment as clean and safe as possible.
Expect to learn about:
- What website security is and how to approach the subject when making your own plan.
- The various access points and attack surfaces of a website.
- Simple ways to increase security for all website owners.
- Intermediate ways to further secure websites.
- General online security practices and preparedness.
3. Tweet #AskSucuri to @SucuriSecurity
In this webinar you will learn:
• What website security is and how to approach the subject when
making your own plan
• The various access points that most websites have
• Simple ways to approach website security
• Intermediate ways to approach security
• A few ways to increase your general security online
4. Why is website security important?
• WordPress: accounted for 90% of all websites cleaned by Sucuri in 2018.
• Blacklist: authorities detected only 11% of infected sites in 2018, a 6% drop from 2017.
• SEO Spam: increased by 14% to 51.3%, from 37% in Q3 2016.
• General Malware: increased to 56.4%, from 47% in 2017.
• Ecommerce: outdated software continues to be the greatest vulnerability to these targets.
5. What is website security?
• Applied: to content via restrictions
• Environmental: linked to security of hardware and work environments
• Tangential: related to all accounts and individuals who may interact
with content
• Flexible: a compromise between existing risks and the level of time
and interaction that you want to have
• Active: Security is also a practice!
6. Can’t I just buy a service?
7. Direct Points of Access
What do we need to secure?
Clients with hacked sites frequently ask "how did the
intruder get in?" Most sites can be accessed:
• Via the hosting account
• Via the control panel
• Via an FTP, SFTP, or SSH connection
• Via your CMS management panel, such as WP Admin
• Via the database
• Via the internet, publicly
8. Direct Points of Access
How do they get in?
Tangentially, we also need to consider the ways that
these elements can be accessed:
• Email, for password recovery purposes
• Your computer or device and the security there
• The browser used on your computer or device
• The way your data is being sent (HTTPS)
• The security of the server on which your content
is stored
9. Update, Update, Update
Preventing the #1 cause of hacks
As we mentioned earlier, outdated site elements are
the number one cause of website infections.
Updating your CMS isn’t the only thing you can do to
avoid risks, however! Updates can be applied to:
• Content Management Systems
• Plugins
• Themes
• Extensions
• Server-side platforms and security
10. Protecting Your Website
Applying updates is helpful, but a fully updated site may still
be at risk. Consider:
• Avoiding pirated plugins & themes
• Removing content that isn't in use
• Limiting, monitoring, and auditing access regularly
• Using 2FA wherever possible
• Using strong random passwords (password managers)
• Using only one security plugin
• Using non-standard usernames
• Applying an SSL
11. Have a “Plan B”
Website security plan
If your site is compromised, how can you most
effectively react to mitigate the issue? Consider in
advance of a compromise:
• Points of access
• Individuals with access
• How you will update all passwords
• How updated access can be sent securely
• Will a backup save the day?
• Assistance resources available to you
12. Intermediate options
• Disallow PHP execution via .htaccess
• Disallow file editing in wp-config.php
(Sucuri plugin is a good free option)
• IP-based limitations to WP-Admin pages
• Limited access to wp-includes, images, and uploads
folders
• Restrict upload capabilities
• Avoid renaming file extensions (e.g.
wp-config.php.bak), which voids the restrictions on that file
13. Fun security for fun internet users!
• Use a script blocker
• Antivirus programs with active protection
• 2-factor authentication
• Password managers
• Be aware of social engineering & phishing risks
• Discuss security requirements
• Send sensitive info securely
If you’re ever unsure, ask! Most online service
providers will have documentation related to security,
and the best of those will help formulate a security
plan.
14. Submit your questions to us at any time by tweeting us
@SucuriSecurity using the hashtag #AskSucuri
Editor's Notes
During this presentation, we'll discuss the ins and outs of website security! Using good security practices whether you're an internet user or a website owner is a great way to do your part to keep the entire web environment as clean and safe as possible.
There are quite a few ways to increase your site’s security that are free, and relatively simple for anyone to apply
These are blatantly Tony’s stats.
- Roughly 33% of all sites on the internet use WordPress as a CMS
- In 2018, 90% of all sites cleaned by Sucuri were WordPress sites
- Can't rely on blacklisting - in 2018 blacklisting authorities detected only 11% of infected sites
Rates of infection are on the rise
You may be wondering….
* here, we’ll fix the common malware definition
* I’ll show you three common ways where malware hides
* I’ll try to deobfuscate this magic word little bit
And in the end of this webinar I’ll tell you something about…
So what is malware >
A lot of people buy a security solution and think they have mitigated *all* risks. When asking the question "is my site secure" please consider the subject to be a gradient rather than a simple "yes" or "no" question!
A paid security service may be for you if:
- Security isn't something you can find much time for
- Site availability & brand reputation is of the utmost importance
- You're new to the subject of security, and would like support to account for potentials as you learn
Most paid services will not be able to address *all* security potentials, so it's important to also consider some basic security questions even if you have services through Sucuri or another website security service provider.
On to the real content!
Now that we've generally outlined what website security is, how do we begin to make things more secure?
Outline the ways in which your site can be accessed. What do we need to secure?
When clients come to us with hacked sites, a frequent question that we see is "how did the intruder get in?"
Most sites have multiple points of access, so we typically can't pinpoint a single security flaw. When thinking about security, it can be helpful to begin by listing all of the ways that your site files can be reached!
Most sites can be accessed:
- Via the hosting account
- Via the control panel
- Via an FTP, SFTP, or SSH connection
- Via your CMS management panel, such as WP Admin
- Via the database* This gets a little more in-depth, and we'll talk about this and public access security after we cover some basics
- Publicly, via the internet
Tangentially, we also need to consider the ways that *these* elements can be accessed:
- Email, for password recovery purposes
- Your computer or device and the security there
- The browser used on your computer or device
- The way your data is being sent (HTTPS)
- The security of the server on which your content is stored
As we mentioned earlier, outdated site elements are the number one cause of website infections. Updating your CMS isn’t the only thing you can do to avoid risks, however!
Updates can be applied to:
- Content Management Systems
- Plugins
- Themes
- Extensions
- Server-side platforms and security
Applying updates is helpful, but a fully updated site may still be at risk. Consider:
- Avoiding pirated plugins & themes
- Removing content that isn't in use
- Limiting, monitoring, and auditing access regularly
- Using 2FA wherever possible
- Using strong random passwords (password managers)
- Using only one security plugin
- Using non-standard usernames
- Applying an SSL. This won’t impact the security of your site, but it will increase safety for your visitors
If your site is compromised, how can you most effectively react to mitigate the issue? This may vary from site to site, but often your host or developer can help to implement a plan for the worst-case scenario.
- Keep backups! Outside of your hosting environment, if possible
- Use an access management system (such as a password manager) to easily track access, update passwords easily, and share and revoke access securely
***beef these out a bit***
- Disallow file editing in wp-config.php *
- .htaccess limitations *
- Disable PHP execution in uploads and wp-includes (plugin is a good free option: https://wordpress.org/plugins/sucuri-scanner/)
- Avoid renaming wp-config.php to remove the file extension. (solidify details from Ben)
- Put .htaccess in the wp-includes, images, and uploads folders.
- No upload capabilities unless they're secured (certain extensions)
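The .htaccess limitations listed on slide 12 and in the notes above (no PHP execution in the uploads and wp-includes folders, IP-based limits on wp-admin, and the wp-config.php.bak caveat) as one worked example. This is an added example, not code from the Sucuri deck or the Sucuri plugin. It assumes Apache 2.4 syntax (`Require`), that `AllowOverride` lets per-directory files set these directives, and uses the placeholder addresses 203.0.113.10 and 198.51.100.0/24 where an administrator's real IPs would go.

```apache
# Added example (not from the Sucuri deck or plugin). Apache 2.4 syntax is assumed,
# with AllowOverride enabled so these per-directory files are honoured.
# Each section below goes in the .htaccess file of the directory named.

# ---------- wp-content/uploads/.htaccess ----------
# Uploads should only ever be static media. Refuse to serve PHP-like files here,
# so a script placed through an upload form or a vulnerable plugin is never executed.
# The pattern covers alternate handler extensions, not only ".php".
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
    Require all denied
</FilesMatch>

# ---------- wp-includes/.htaccess ----------
# Core library files are loaded by include(); they are not meant to be requested
# directly, so direct web access can be refused. Caveat (assumption): WordPress
# Multisite needs ms-files.php reachable, and some older releases or plugins request
# files under wp-includes directly, so test the dashboard editor after applying this.
<FilesMatch "\.php$">
    Require all denied
</FilesMatch>

# ---------- wp-admin/.htaccess ----------
# Limit the dashboard to trusted addresses (placeholders: replace with your own).
# admin-ajax.php is called by front-end features for ordinary visitors, so it stays
# open; in Apache 2.4 the <Files> section's Require replaces the directory-level one.
Require ip 203.0.113.10 198.51.100.0/24
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---------- site root .htaccess ----------
# The login form lives outside wp-admin, so restrict it to the same addresses.
<Files "wp-login.php">
    Require ip 203.0.113.10 198.51.100.0/24
</Files>

# wp-config.php holds the database credentials. A renamed copy such as
# wp-config.php.bak is no longer handed to the PHP interpreter, so Apache would
# serve it as plain text: deny the file itself and any suffixed copy of it.
<FilesMatch "^wp-config\.php(\..+)?$">
    Require all denied
</FilesMatch>

# Editor and backup leftovers (assumed common suffixes) should never be served either.
<FilesMatch "(\.(bak|old|orig|save|swp|sql)|~)$">
    Require all denied
</FilesMatch>
```

The in-dashboard theme and plugin editor that the deck lists next to these rules is not controlled by .htaccess at all; it is turned off by `define('DISALLOW_FILE_EDIT', true);` in wp-config.php. The notes point to the Sucuri plugin as a free way to apply this kind of hardening from the dashboard instead of editing the files by hand.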
- Script blockers
- Antivirus programs with active protection
- Be aware of and discuss the risks of social engineering or phishing
  * email addresses
  * links
  * phone and email requests
- Discuss your security requirements
- Send information in secure ways
If you’re ever unsure, ask! Most online service providers will have documentation related to security, and the best of those will be able to discuss security with you directly to help formulate a plan