WHERE’S THE BEEF?
Beefing Up Your WordPress Installation
Tammy Valgardson – Senior Web Developer
@tammalee
INTRODUCTION
Introduction
Absolutely true! It will only take five minutes to download and install WordPress.

But then what?
INTRODUCTION
Introduction
If you set up your blog and walk away, you leave yourself vulnerable to malicious activity!

Further Reading
WordPress Codex – Hardening WordPress
http://codex.wordpress.org/Hardening_WordPress

How To: Stop The Hacker By Hardening WordPress
http://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html
INTRODUCTION
What’s at Stake?
If you don’t follow password best practices, your hacked WordPress account could lead to other compromised accounts!
INTRODUCTION
What’s at Stake?
Shared hosting means more than just sharing a server.

If one site gets hacked, there is a chance malware infecting that site can spread to others on the same shared hosting space!
INTRODUCTION
What’s at Stake?
If your site is compromised, and hackers get their way, your site will now serve a nefarious purpose such as:
• Redirect visitors to a web site that will attempt to install malicious software.
• Compromise a shared hosting (soup kitchen) server and infect other web sites.
• Phish for sensitive information.
• Display spam to your visitors that you yourself can’t see.
• Hijack links to other sections of your web site, such as ‘Contact’, and send visitors to an entirely different site.
INTRODUCTION
What’s at Stake?
If your WordPress site is infected with malware it could be blacklisted by Google and other search engines!

[ Source: http://www.malware-info.com/mal_faq_inject.html ]
THREATS EXPLAINED – BRUTE FORCE ATTACKS
a.k.a. When bored hackers with password cracking programs decide to cruise for fun on a Friday night.
THREATS EXPLAINED – BRUTE FORCE ATTACKS
What is a brute force attack?
A brute force attack is an automated attempt to log in by trying many username and password combinations, one after another, until one works; on WordPress it is usually aimed at the admin login page.

[ Source: http://www.inmotionhosting.com/support/website/wordpress/wordpress-security-preventing-brute-force-attacks-on-admin-login ]
THREATS EXPLAINED – BRUTE FORCE ATTACKS
How often do brute force attacks happen?
Brute force attacks happen all the time!

Peter Abraham over at DNI Dynamic Net, Inc. wrote on October 15, 2012: “If you asked me from September 2012 forward, the answer would change dramatically with WordPress Brute Force Attacks now exceeding 50% of all attacks being reported.”
[ Source: http://www.dynamicnet.net/2012/10/wordpress-brute-force-attacks/ ]

[ Source: http://freethegnu.wordpress.com/2010/09/22/yet-another-ssh-brute-force-attack-and-how-to-protect-against-it-with-iptables-and-sshguard/ ]
THREATS EXPLAINED – BRUTE FORCE ATTACKS
What’s the purpose of a brute force attack?
If the account that gets cracked has administrator permissions, the attackers can do all sorts of ‘fun’ things to your site.

One of the most common reasons for a brute force attack is to inject malware into your files or database.
THREATS EXPLAINED - MALWARE
Not Firefly-related.
Not that I’d mind Captain Malcolm Reynolds getting into my WordPress installation.
#fullfrontalnerdity
THREATS EXPLAINED - MALWARE
What is Malware?
Malware is software designed to harvest sensitive information or gain access to computer systems. On a WordPress installation malware can be injected into your source code, database, .htaccess files, etc.

Malware hijacks the purpose of visiting your site for its programmed agenda.

Who Creates Malware?
What sort of person creates malware?
• Young programmers with something to prove
• Older, more experienced virus writers who write malware professionally
• ‘Researchers’ who create malware as proof of concept projects

Why?
Why do people create malware?
• Petty theft
• Cybercrime
• Support for spammers
• Distributed network attacks
• Stealing electronic currency
• ...and many more.

[ Source: http://www.securelist.com/en/threats/detect?chapter=72 ]
THREATS EXPLAINED - MALWARE
Malware - Backdoors
“A backdoor lets an attacker gain access to your environment via what you would consider to be abnormal methods — FTP, SFTP, WP-ADMIN, etc…”
[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]

Malware - Drive-by Downloads
“The point of a drive-by download is often to download a payload onto your user’s local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product...”
[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]

Malware – Malicious Redirects
“When a visitor is redirected to a website other than the main one, the website may or may not contain a malicious payload. Suppose you have a website at myhappysite.com; when someone visits it, the website could take the visitor to meansite.com/stats.php, where the malicious payload is in that website’s stats.php file. Or it could be a harmless website with just ads and no malicious payload.”
[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]
THREATS EXPLAINED - MALWARE
Malware – Pharma Hacks
“Pharma hack is one of the most prevalent infections around. It should not be confused with malware; it’s actually categorized as SPAM — “stupid pointless annoying messages.” If you’re found to be distributing SPAM, you run the risk of being flagged by Google…”
[ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]

[ Source: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php ]
THREATS EXPLAINED - MALWARE
How does malware infect WordPress?
Old and outdated plugins, themes, and WordPress installations may have holes in their security that can be exploited.

Malware is injected into a file or your database, where it hijacks your visitors’ experience when they visit your web site. It’s written using a Web 2.0 language, usually PHP, JavaScript, Ruby, Perl, etc. Because WordPress is so widely distributed and open-source, there is not only an excellent chance that there are outdated installations with security holes, but the code of those installations is also free for a hacker to study.

Third-party plugins and themes may have backdoors coded into them that allow access to hackers (e.g. the TimThumb hack).

[ Source: http://www.intechgrity.com/timthumb-vulerability-how-it-got-hacked-how-to-recover/# ]
THREATS EXPLAINED - MALWARE
How do I know I’m infected?
• Formatting/theme is altered
• You run a plugin that tells you
• Links/text have been inserted at the bottom of the website
• Warning in search results
• Browsing the website with Google Chrome results in a warning

Plugins that help scan your site
Sucuri Sitecheck Malware Scanner
http://wordpress.org/extend/plugins/sucuri-scanner/

WordFence Security
http://wordpress.org/extend/plugins/wordfence/ (Multi-site support in beta!)
THREATS EXPLAINED - MALWARE
How do I know I’m infected?
• Google Webmaster Tools messages [ www.google.com/webmasters/tools/ ]
• Google’s pretty good about notifying webmasters when it sees weird stuff going on.

Example:

    Notice of Suspected Hacking on http://www.yourwebsite.com/
    May 17, 2012
    Dear owner or webmaster of http://www.yourwebsite.com/,
    We are writing to let you know that some pages from http://www.yourwebsite.com/ will be labeled as potentially compromised in our search results. This is because some of your pages contain content which may harm the quality and relevance of our search results. It appears that these pages were created or modified by a third party, who may have hacked all or part of your site. Many times, they will upload files or modify existing ones, which then show up as spam in our index.
    The following are some example URLs which exhibit this behavior:
THREATS EXPLAINED - MALWARE
How do I get rid of Malware?
Scan your Web site for possible infections by using the free service below:
sitecheck.sucuri.net/scanner

If you have an infection, I highly recommend hiring Sucuri.net to clean it up for you. They specialize in removing malware infections and they’re quick, specialized, and inexpensive.

You could hire a developer to comb through your infected code, database, and .htaccess files. However, most developers don’t specialize in malware removal, and when you pay an hourly rate for that inexperience you may be better off hiring a specialist.
PASSWORDS & ADMINISTRATIVE USERS
If you’re starting to fall asleep, wake up!
This is the most important section I’ll be talking about today.
YOUR PASSWORD & ADMINISTRATIVE USERS
Creating your Password
When creating a password, do NOT use:
• Your birthdate, wedding anniversary, or dates of birth of your children or spouse
• Your name, username, company name, names of your children or spouse
• Your SIN number
• Only numbers or only letters
• A short, easy to remember password
• The word ‘password’. No, not even ‘password01’ or ‘password2012’
• Words found in a dictionary of any language (BUT WAIT! We’ll talk about multi-word passwords very soon!)

Further Reading
Common passwords to avoid
http://www.labnol.org/internet/common-passwords-to-avoid/14136/

Avoiding Common Passwords
http://www.passworddragon.com/avoid-common-passwords
YOUR PASSWORD & ADMINISTRATIVE USERS
Creating your Password
When creating a password, do use:
• At least 10 characters
• A mix of numbers, upper and lower case letters, and special characters
• A password you have never used before
• A system or mnemonic

Password Generator: www.StrongPasswordGenerator.com

Go to Password Meter to test the strength of your new password: www.PasswordMeter.com

Brute Force calculator: https://www.grc.com/haystack.htm

Further Reading
Salting Passwords
http://www.onextrapixel.com/2011/11/02/wordpress-security-how-to-secure-wordpress-thoroughly/
YOUR PASSWORD & ADMINISTRATIVE USERS
Creating your Password – Multi-word combo passwords
[ Source: http://xkcd.com/936/ ]
YOUR PASSWORD & ADMINISTRATIVE USERS
Multi-word combo passwords
Multi-word combo passwords are more likely to be remembered but there are a few things to consider:
• The words must be random
• The words must not relate
• Throw in upper & lower cases
• Throw in numbers
• Throw in special characters

“Numbers substituted for letters is really, really bad. Most password applications will try that before they do plain English,...”
[ Source: http://www.nettechblog.com/yes-your-passwords-suck-hints-on-creating-solid-passwords/ ]

Test your password out
https://www.grc.com/haystack.htm

My coworker came up with and tested:
Staple2Deers@dawn
And found it would take 1.34 billion trillion centuries to crack using brute force.

Further Reading
Which are more secure, multi-word passwords or passwords made using a combination of letters, numbers and symbols?
http://www.quora.com/Which-are-more-secure-multi-word-passwords-or-passwords-made-using-a-combination-of-letters-numbers-and-symbols
YOUR PASSWORD & ADMINISTRATIVE USERS
Remembering your Password
DO NOT store it in an obvious place!
• NOT on a sticky note on your monitor
• NOT in your daily planner

Use a Password Keeper
• www.keepass.info
• https://agilebits.com/OnePassword
• http://www.lastpass.com

Don’t Panic!
Password recovery is built into WordPress!
YOUR PASSWORD & ADMINISTRATIVE USERS
Password Recovery
Always keep your email up to date on your WordPress site!
YOUR PASSWORD & ADMINISTRATIVE USERS
Strong, Unique Passwords aren’t just for WordPress
The way you communicate with your web host should also be secure. You want strong passwords for:
• Your cPanel user
• Your FTP user (which you should make different from your cPanel user)
• Your MySQL database user
• Your PHPMyAdmin user

Use SFTP to move files to your hosting space
Try to use SFTP for your file transfers. SFTP stands for Secure File Transfer Protocol and it uses encrypted SSH transport for its operations.
http://filezilla-project.org/

Every password should be different!
If you use a different password for every service you have accounts for, you minimize the amount of damage a hacker can do!
YOUR PASSWORD & ADMINISTRATIVE USERS
Administration Users
If you have an administrator-level user named ‘Admin’ or ‘Administrator’, get rid of it!

Create a new administrator user
1. Log into WordPress as your current admin
2. Create a new user
3. Give it a name other than Admin or Administrator
4. Assign your new user an ‘administrator’ role

Remove your old administrator user
1. Log into WordPress as your new admin user
2. Go to Users and delete your old admin user
3. Or, set your old Admin user’s role to ‘subscriber’ and change the password to something ridiculously long and complex
YOUR PASSWORD & ADMINISTRATIVE USERS
Administration Users
You don’t need to write posts as an administrator! Keep your administrator user separate from your blog-writing user. Hackers can find your username from your posts.

If you go to Your Profile you can change what your name is displayed as. I recommend changing this from the default of your username to something else.

Clean up old admin accounts
If you’ve got old admin accounts sitting around – like ones that you’ve created for developers to work on your site with – remove them.

Not all of your users need to be administrators, either. If you have contributors to your site, test out various settings to see how much access they really need.

PASSWORD STRENGTH IS KEY!
The best security for your administration user is having a strong password.

Make sure you reset your admin passwords on a regular basis and make sure you haven't used that password elsewhere before!
UPDATES & HOUSEKEEPING
If only my condo was as clean as my server.
UPDATES & HOUSEKEEPING
Updates
The majority of hacked WordPress sites are not updated!

Updates include:
• Core WordPress files
• Themes
• Plugins

Outdated WordPress files, themes, and plugins can have holes in security that can be exploited by malware!

[ Source: WPbeginner.com ]
UPDATES & HOUSEKEEPING
Challenges to Updating
Theme hasn’t been coded according to WP best guidelines and the site breaks if you upgrade.

Plug-in has been abandoned by the developer and you’re afraid to update your core files, or you continue using the plugin years after it’s been abandoned.

You’re afraid to update because you’re not very web-savvy.

Recommended Reading
WordPress Codex: Updating WordPress
http://codex.wordpress.org/Updating_WordPress

Abandoned Plugin Suggestion
Matt Jones (http://pluginchief.com/) suggests a plugin adoption program:
http://digwp.com/2012/10/abandoned-plugin-adoption-program/
UPDATES & HOUSEKEEPING
Backing up before updating
Using an SFTP program (filezilla-project.org), back up all your web files to your computer.

Use PHPMyAdmin or cPanel to back up your database.

Never leave .sql or other database backup files on your server!

http://vaultpress.com/
It’s not free but it’s highly recommended.

Update Now!
WordPress Codex: WordPress Backups
http://codex.wordpress.org/WordPress_Backups
UPDATES & HOUSEKEEPING
Safety First! Safe themes and plugins
Curtis McHale, who spoke at WordCamp Edmonton 2011 (you can view his slide show here: http://www.slideshare.net/curtismchale), is part of a team that checks themes submitted to the WordPress.org repository to make sure they are secure and well-formed.

If you are interested in joining the WordPress Theme Review Team: http://make.wordpress.org/themes/about/how-to-join-wptrt/ This page has a list of useful plugins that they use to examine a theme and may be useful for anyone developing their own theme.

http://www.woothemes.com/
Has a good reputation for paid themes.

http://wordpress.org/extend/themes/
Themes are vetted by teams of volunteers and are free.

Nothing is 100% un-hackable!
UPDATES & HOUSEKEEPING
Housekeeping
Don't leave files on your server that may give hackers information about your site or old code that may be exploitable:
• .sql backups
• readme files
• inactive plugins and themes
• phpinfo.php

Removing WordPress Version
Altering your functions.php file:
http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/

Further Reading
http://resources.infosecinstitute.com/hardening-wordpress/
http://wiki.dreamhost.com/Harden_WordPress

How to: Stop the Hacker by Hardening WP
http://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html
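As an added example (not the deck's code, nor the wpbeginner tutorial's), here are the functions.php additions that remove the WordPress version from the generator tag, the feeds, and the ?ver= query strings on core scripts and styles. The example_ function name is my own; the hooks are WordPress core hooks.

```php
<?php
// Added example for a theme's functions.php (or a must-use plugin).
// Removes the WordPress version from the three places it is normally exposed.

// 1. The <meta name="generator" content="WordPress x.y"> tag printed in <head>.
remove_action( 'wp_head', 'wp_generator' );

// 2. The same generator string in RSS/Atom feeds and wherever the_generator() is used.
add_filter( 'the_generator', '__return_empty_string' );

// 3. The ?ver=x.y cache-busting query string that wp_enqueue_script()/wp_enqueue_style()
//    append to core assets. Only the core version string is stripped, so plugins and
//    themes that version their own assets keep their cache-busting.
function example_strip_core_version( $src ) {
	$core_version = get_bloginfo( 'version' );
	if ( $core_version && false !== strpos( $src, 'ver=' . $core_version ) ) {
		$src = remove_query_arg( 'ver', $src );
	}
	return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version', 9999 );
add_filter( 'style_loader_src', 'example_strip_core_version', 9999 );
```

The stock readme.html in the web root still states the version in plain text, which is one reason the Housekeeping list above says to remove readme files.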
UPDATES & HOUSEKEEPING
Use a plugin to change your database prefix
Also this plugin can help you change your database prefix:
http://wordpress.org/extend/plugins/wp-security-scan/

I use this plugin to scan my site on a regular basis.

WP Security Scan

Manually change your database prefix
Change your database prefix
http://digwp.com/2010/10/change-database-prefix/

If you are setting up a new WordPress site the option is there to change your database prefix when you first set it up.
UPDATES & HOUSEKEEPING
The scary world of CHMOD
Check permissions of upload, upgrade, and backup directories.

WordPress Codex – Changing File Permissions:
http://codex.wordpress.org/Changing_File_Permissions

If you change your permalink structure any customization on your .htaccess file may be overwritten!

Equally scary .htaccess!
.htaccess is a powerful file when used correctly! You can use it to secure:
• wp-config.php
• set up admin access from your IP only
• ban bad users
• stop directory browsing
• prevent access to /wp-content/
• protect your .htaccess file!

Protect Your WordPress Site with .htaccess
http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess

Securing directories with .htaccess:
http://digwp.com/2012/09/secure-media-uploads/

How to Password Protect your WP Admin
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
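An added example, not the deck's own code: a read-only PHP command-line script that walks a WordPress install and reports the housekeeping leftovers and permission problems the Housekeeping and CHMOD slides list (leftover .sql dumps and backup copies, the stock readme.html, phpinfo.php, group- or world-writable files and directories, and a wp-config.php readable by everyone). It assumes a Unix-style host where file modes mean something; the function and file names are mine.

```php
<?php
// Added example: audit a WordPress tree for the housekeeping and permission
// problems the slides list. Read-only: it reports, it does not chmod or delete.
// Usage: php wp_audit.php /path/to/wordpress

function wp_audit( $root ) {
	$root     = rtrim( $root, '/' );
	$findings = array();

	if ( ! is_dir( $root . '/wp-includes' ) ) {
		return array( "$root does not look like a WordPress root (no wp-includes/)" );
	}

	$iter = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
		RecursiveIteratorIterator::SELF_FIRST
	);

	foreach ( $iter as $path => $info ) {
		$rel  = substr( $path, strlen( $root ) + 1 ); // path relative to the root
		$name = strtolower( $info->getFilename() );
		$mode = $info->getPerms() & 0777;             // rwx bits only

		// Leftover database dumps and backup copies of files: "old code that may be exploitable".
		if ( preg_match( '/\.(sql|sql\.gz|sql\.zip|bak|old|orig)$/', $name ) ) {
			$findings[] = "leftover backup/dump file: $rel";
		}

		// Files that hand out information: the stock readme.html (states the WordPress
		// version) and any phpinfo page (PHP version, paths, loaded modules).
		if ( $rel === 'readme.html' || $name === 'phpinfo.php' ) {
			$findings[] = "information-leaking file: $rel";
		}

		// Directories should be 755 or tighter, files 644 or tighter; any group- or
		// world-write bit is a problem, doubly so on shared hosting.
		if ( $mode & 0022 ) {
			$findings[] = sprintf( '%s writable by group/others (%04o): %s',
				$info->isDir() ? 'directory' : 'file', $mode, $rel );
		}

		// wp-config.php holds the database password; the "other" read bit means any
		// account on the box can read it. (Group read may be needed by the web server.)
		if ( $rel === 'wp-config.php' && ( $mode & 0004 ) ) {
			$findings[] = sprintf( 'wp-config.php readable by everyone (%04o)', $mode );
		}
	}

	// Inactive plugins and themes cannot be told apart from active ones on the
	// filesystem (that state lives in the database); review those in the dashboard.
	return $findings;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
	$findings = wp_audit( $argv[1] );
	echo $findings ? implode( "\n", $findings ) . "\n" : "no findings\n";
}
```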
HOSTING
Hosting
When it comes to hosting, you get what you pay for. $5/month hosting is cheap but it’s not terribly secure. You take your chances with shared hosting.

How to identify a good WordPress host?
A good WordPress host will mention what steps they take to provide you with a secure hosting environment or how they cater specifically to WordPress installations.

Sadly, many bloggers are paid to shill for hosting companies so you have to do your due diligence when it comes to picking a host.

Good Hosts (caveat emptor)
Recommended on WordPress.org
Bluehost: http://www.bluehost.com/
DreamHost: http://www.dreamhost.com/
Laughing Squid: http://laughingsquid.us/

Recommended by WooThemes
WPEngine: http://wpengine.com/

Examples of good hosts
Hardening WordPress on Dreamhost
http://wiki.dreamhost.com/Harden_WordPress

WP Engine’s list of disallowed plugins
http://support.wpengine.com/disallowed-plugins/
PLUG-INS
Plugins
Plugins are not the be all and end all when it comes to security.

That being said, here are some plugins you may find useful. Don’t use them all at once!

Brute Force Blocking
User Locker:
http://wordpress.org/extend/plugins/user-locker/

Limit Login Attempts:
http://wordpress.org/extend/plugins/limit-login-attempts/

Malware Scanning / Blocking
Sucuri Sitecheck Malware Scanner
http://wordpress.org/extend/plugins/sucuri-scanner/

Block Bad Queries:
http://wordpress.org/extend/plugins/block-bad-queries/

General Security
Wordfence Security:
http://wordpress.org/extend/plugins/wordfence/

WP Security Scan:
http://wordpress.org/extend/plugins/wp-security-scan/
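As an added illustration of what the brute force blocking plugins above do, here is a minimal must-use plugin (my own example code, not User Locker or Limit Login Attempts) that counts failed logins per client IP in transients and refuses authentication for a while once the limit is hit. The limits, the elt_ prefix and the file name are assumptions; the hooks (wp_login_failed, authenticate, wp_login) are WordPress core hooks.

```php
<?php
/*
Plugin Name: Example Login Throttle
Description: Added example, not one of the plugins named in the deck. Locks an IP out after repeated failed logins. Drop into wp-content/mu-plugins/.
*/

// Tunables (assumed values).
define( 'ELT_MAX_ATTEMPTS', 5 );                  // failures allowed inside the window
define( 'ELT_WINDOW',  15 * MINUTE_IN_SECONDS );  // how long failures are remembered
define( 'ELT_LOCKOUT', 30 * MINUTE_IN_SECONDS );  // how long the lockout lasts

// Only REMOTE_ADDR is trusted. X-Forwarded-For is client-controlled unless a
// proxy you operate overwrites it, so it is deliberately not consulted here.
function elt_client_ip() {
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
	return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : '0.0.0.0';
}

function elt_key( $prefix ) {
	return $prefix . md5( elt_client_ip() );
}

function elt_lockout_until() {
	return (int) get_transient( elt_key( 'elt_lock_' ) );
}

// Fires on every failed login (unknown user or wrong password alike).
function elt_record_failure( $username ) {
	if ( elt_lockout_until() > time() ) {
		return; // already locked out; attempts during the lockout don't extend it
	}
	$key   = elt_key( 'elt_fail_' );
	$count = (int) get_transient( $key ) + 1;
	set_transient( $key, $count, ELT_WINDOW );

	if ( $count >= ELT_MAX_ATTEMPTS ) {
		set_transient( elt_key( 'elt_lock_' ), time() + ELT_LOCKOUT, ELT_LOCKOUT );
		delete_transient( $key );
		// Leave a trail in the PHP error log so the attack is visible afterwards.
		error_log( sprintf( 'elt: lockout of %s after %d failed logins (last username tried: %s)',
			elt_client_ip(), $count, $username ) );
	}
}
add_action( 'wp_login_failed', 'elt_record_failure' );

// Priority 30 runs after core's username/password check (priority 20), so a
// correct password entered during a lockout is still refused. Hooking earlier
// would not work: core's check replaces an earlier WP_Error with the WP_User.
function elt_refuse_when_locked( $user, $username, $password ) {
	$until = elt_lockout_until();
	if ( $until > time() ) {
		$minutes = (int) ceil( ( $until - time() ) / MINUTE_IN_SECONDS );
		return new WP_Error( 'elt_locked',
			sprintf( 'Too many failed logins. Try again in %d minute(s).', $minutes ) );
	}
	return $user;
}
add_filter( 'authenticate', 'elt_refuse_when_locked', 30, 3 );

// A successful login clears the failure counter for that IP.
function elt_clear_on_success( $user_login ) {
	delete_transient( elt_key( 'elt_fail_' ) );
}
add_action( 'wp_login', 'elt_clear_on_success' );
```

Transients live in the options table (or the object cache), so the counters survive across requests without a custom table. Behind a reverse proxy or CDN, REMOTE_ADDR is the proxy's address and this would lock out every visitor at once, so the IP lookup has to be adapted to that setup before use.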
CONCLUSION
In Conclusion
There are many more tips and tricks than what I’ve covered here but I’m trying to keep things simple.

Try as you might your security will never be perfect, but the good news is you can easily make yourself less of a target by taking a few simple security precautions.

Knowing how to protect yourself is the first step towards a safe, secure WordPress site.

(The second step is to actually implement some of this advice.)

Recommended Reading
http://my.safaribooksonline.com/book/-/9781849512107
http://blog.sucuri.net/category/wordpress
http://codex.wordpress.org/Hardening_WordPress
http://blogvault.net/wordpress-security-1-securing-wp-config-php/
http://www.copyblogger.com/wordpress-website-security/
http://www.wpsecuritylock.com/dreamhost-one-click-wordpress-installed-timthumb-vulnerability-and-security-risks/
http://www.instantfundas.com/2011/12/quick-guide-to-secure-wordpress-setup.html
CREDIT WHERE CREDIT IS DUE
Credits:
Cow hide photo in title graphic by Sherrie Thai of ShaireProductions
http://www.flickr.com/photos/shaireproductions/3766840922/

Bashful Cow purchased from istockphoto.com

“Let’s have fun” scary graphic purchased from istockphoto.com

Herd Infection photo purchased from istockphoto.com

Social Media icons from respective social media web sites

‘Common passwords to avoid’ poster
http://www.etsy.com/listing/52531459/500-worst-passwords-poster-fold-down

Special thanks to:
Adriel Michaud @ TopDraw.com for his input
Sarah Sinfield @ KickPoint.ca for encouraging me
Curtis McHale @ CurtisMcHale.com for inspiring me
My partner who makes sure my fuzzy blanket supply never runs out
Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Hack miami emiliocasbasHack miami emiliocasbas
Hack miami emiliocasbas
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
 
Sucuri Webinar: How to identify and clean a hacked Joomla! website
Sucuri Webinar: How to identify and clean a hacked Joomla! websiteSucuri Webinar: How to identify and clean a hacked Joomla! website
Sucuri Webinar: How to identify and clean a hacked Joomla! website
 
Browser Horror Stories
Browser Horror StoriesBrowser Horror Stories
Browser Horror Stories
 
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wnedLayer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
Layer one 2011-joe-mccray-you-spent-all-that-money-and-still-got-0wned
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developers
 

Similaire à Beefy WordPress Security Wordcamp 2012 by Tammy Lee

Types of Security Threats WordPress Websites Face - Part 2
Types of Security Threats WordPress Websites Face - Part 2Types of Security Threats WordPress Websites Face - Part 2
Types of Security Threats WordPress Websites Face - Part 2WPWhiteBoard
 
A Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfA Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfHost It Smart
 
The Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress SecurityThe Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress SecurityAidanChard
 
Learn How to Detect Malware On WordPress Websites.docx
Learn How to Detect Malware On WordPress Websites.docxLearn How to Detect Malware On WordPress Websites.docx
Learn How to Detect Malware On WordPress Websites.docxIndysideITSolutions
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
Wordpress malware - What is it and how to protect your website.
Wordpress malware - What is it and how to protect your website.Wordpress malware - What is it and how to protect your website.
Wordpress malware - What is it and how to protect your website.Owen Cutajar
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012Angela Bowman
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSHOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSElsner Technologies Pvt Ltd
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server SecurityJITENDRA KUMAR PATEL
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
What is Wordpress Malware Infection.pdf
What is Wordpress Malware Infection.pdfWhat is Wordpress Malware Infection.pdf
What is Wordpress Malware Infection.pdfMindfire LLC
 
"><h1>muthu</h1>
"><h1>muthu</h1>"><h1>muthu</h1>
"><h1>muthu</h1>muthu muthu
 
Simple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteSimple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteRich Plakas
 
Your WordPress Site is and is not Hacked - You don't know until you check
Your WordPress Site is and is not Hacked - You don't know until you checkYour WordPress Site is and is not Hacked - You don't know until you check
Your WordPress Site is and is not Hacked - You don't know until you checkAngela Bowman
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES Sagilasagi1
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITEAcodez IT Solutions
 
Types of Security Threats WordPress Websites Face: Part-1
Types of Security Threats WordPress Websites Face: Part-1Types of Security Threats WordPress Websites Face: Part-1
Types of Security Threats WordPress Websites Face: Part-1WPWhiteBoard
 

Similaire à Beefy WordPress Security Wordcamp 2012 by Tammy Lee (20)

Types of Security Threats WordPress Websites Face - Part 2
Types of Security Threats WordPress Websites Face - Part 2Types of Security Threats WordPress Websites Face - Part 2
Types of Security Threats WordPress Websites Face - Part 2
 
A Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfA Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdf
 
The Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress SecurityThe Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress Security
 
Learn How to Detect Malware On WordPress Websites.docx
Learn How to Detect Malware On WordPress Websites.docxLearn How to Detect Malware On WordPress Websites.docx
Learn How to Detect Malware On WordPress Websites.docx
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
 
Wordpress malware - What is it and how to protect your website.
Wordpress malware - What is it and how to protect your website.Wordpress malware - What is it and how to protect your website.
Wordpress malware - What is it and how to protect your website.
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSHOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
 
Introduction to Web Server Security
Introduction to Web Server SecurityIntroduction to Web Server Security
Introduction to Web Server Security
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
 
What is Wordpress Malware Infection.pdf
What is Wordpress Malware Infection.pdfWhat is Wordpress Malware Infection.pdf
What is Wordpress Malware Infection.pdf
 
"><h1>muthu</h1>
"><h1>muthu</h1>"><h1>muthu</h1>
"><h1>muthu</h1>
 
MALWARES.pptx
MALWARES.pptxMALWARES.pptx
MALWARES.pptx
 
Simple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteSimple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress Website
 
Your WordPress Site is and is not Hacked - You don't know until you check
Your WordPress Site is and is not Hacked - You don't know until you checkYour WordPress Site is and is not Hacked - You don't know until you check
Your WordPress Site is and is not Hacked - You don't know until you check
 
MALWARE AND ITS TYPES
MALWARE AND ITS TYPES MALWARE AND ITS TYPES
MALWARE AND ITS TYPES
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
 
WordPress security
WordPress securityWordPress security
WordPress security
 
Types of Security Threats WordPress Websites Face: Part-1
Types of Security Threats WordPress Websites Face: Part-1Types of Security Threats WordPress Websites Face: Part-1
Types of Security Threats WordPress Websites Face: Part-1
 

Plus de Top Draw Inc.

The Darkside of Social Media Marketing
The Darkside of Social Media MarketingThe Darkside of Social Media Marketing
The Darkside of Social Media MarketingTop Draw Inc.
 
General business presentation
General business presentationGeneral business presentation
General business presentationTop Draw Inc.
 
Social Media Isn't About You
Social Media Isn't About YouSocial Media Isn't About You
Social Media Isn't About YouTop Draw Inc.
 
Online Marketing 101
Online Marketing 101Online Marketing 101
Online Marketing 101Top Draw Inc.
 
Signals Based Online Marketing
Signals Based Online MarketingSignals Based Online Marketing
Signals Based Online MarketingTop Draw Inc.
 
Digital Marketing 101
Digital Marketing 101Digital Marketing 101
Digital Marketing 101Top Draw Inc.
 
Social Media in Times of Crisis
Social Media in Times of Crisis Social Media in Times of Crisis
Social Media in Times of Crisis Top Draw Inc.
 
YouTube on a Shoestring Budget
YouTube on a Shoestring BudgetYouTube on a Shoestring Budget
YouTube on a Shoestring BudgetTop Draw Inc.
 
Keyword research Pubcon 2013
Keyword research Pubcon 2013Keyword research Pubcon 2013
Keyword research Pubcon 2013Top Draw Inc.
 
Ken Jurina - Keyword Research - PubCon 2012
Ken Jurina - Keyword Research - PubCon 2012Ken Jurina - Keyword Research - PubCon 2012
Ken Jurina - Keyword Research - PubCon 2012Top Draw Inc.
 
Internet Marketing, EO Accelerator Presentation
Internet Marketing, EO Accelerator PresentationInternet Marketing, EO Accelerator Presentation
Internet Marketing, EO Accelerator PresentationTop Draw Inc.
 

Plus de Top Draw Inc. (11)

The Darkside of Social Media Marketing
The Darkside of Social Media MarketingThe Darkside of Social Media Marketing
The Darkside of Social Media Marketing
 
General business presentation
General business presentationGeneral business presentation
General business presentation
 
Social Media Isn't About You
Social Media Isn't About YouSocial Media Isn't About You
Social Media Isn't About You
 
Online Marketing 101
Online Marketing 101Online Marketing 101
Online Marketing 101
 
Signals Based Online Marketing
Signals Based Online MarketingSignals Based Online Marketing
Signals Based Online Marketing
 
Digital Marketing 101
Digital Marketing 101Digital Marketing 101
Digital Marketing 101
 
Social Media in Times of Crisis
Social Media in Times of Crisis Social Media in Times of Crisis
Social Media in Times of Crisis
 
YouTube on a Shoestring Budget
YouTube on a Shoestring BudgetYouTube on a Shoestring Budget
YouTube on a Shoestring Budget
 
Keyword research Pubcon 2013
Keyword research Pubcon 2013Keyword research Pubcon 2013
Keyword research Pubcon 2013
 
Ken Jurina - Keyword Research - PubCon 2012
Ken Jurina - Keyword Research - PubCon 2012Ken Jurina - Keyword Research - PubCon 2012
Ken Jurina - Keyword Research - PubCon 2012
 
Internet Marketing, EO Accelerator Presentation
Internet Marketing, EO Accelerator PresentationInternet Marketing, EO Accelerator Presentation
Internet Marketing, EO Accelerator Presentation
 

Dernier

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitecturePixlogix Infotech
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?XfilesPro
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksSoftradix Technologies
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024BookNet Canada
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 

Dernier (20)

My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Understanding the Laravel MVC Architecture
Understanding the Laravel MVC ArchitectureUnderstanding the Laravel MVC Architecture
Understanding the Laravel MVC Architecture
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?How to Remove Document Management Hurdles with X-Docs?
How to Remove Document Management Hurdles with X-Docs?
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Benefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other FrameworksBenefits Of Flutter Compared To Other Frameworks
Benefits Of Flutter Compared To Other Frameworks
 
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
#StandardsGoals for 2024: What’s new for BISAC - Tech Forum 2024
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 

Beefy WordPress Security Wordcamp 2012 by Tammy Lee

  • 1. WHERE’S THE BEEF? Beefing Up Your WordPress Installation Tammy Valgardson – Senior Web Developer @tammalee
  • 2. INTRODUCTION Introduction Absolutely true! It will only take five minutes to download and install WordPress. But then what?
  • 3. INTRODUCTION Introduction If you set up your blog and walk away, you leave yourself vulnerable to malicious activity! Further Reading WordPress Codex – Hardening WordPress http://codex.wordpress.org/Hardening_WordPress How To: Stop The Hacker By Hardening WordPress http://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html
  • 4. INTRODUCTION What’s at Stake? If you don’t follow password best practices your hacked WordPress account could lead to other compromised accounts!
  • 5. INTRODUCTION What’s at Stake? Shared hosting means more than just sharing a server. If one site gets hacked there is a chance malware infecting one site can spread to others on the same shared hosting space!
  • 6. INTRODUCTION What’s at Stake? If your site is compromised, and hackers get their way, your site will now serve a nefarious purpose such as: Redirect visitors to a web site that will attempt to install malicious software. Compromise a shared hosting (soup kitchen) server and infect other web sites. Phish for sensitive information. Display spam to your visitors that you can’t see. Hijack links to other sections of your web site, such as ‘Contact’, and send visitors to an entirely different site.
  • 7. INTRODUCTION What’s at Stake? If your WordPress site is infected with malware it could be blacklisted by Google and other search engines! [ Source: http://www.malware-info.com/mal_faq_inject.html ]
  • 8. THREATS EXPLAINED – BRUTE FORCE ATTACKS a.k.a. When bored hackers with password cracking programs decide to cruise for fun on a Friday night.
  • 9. THREATS EXPLAINED – BRUTE FORCE ATTACKS What is a brute force attack? [ Source: http://www.inmotionhosting.com/support/website/wordpress/wordpress-security-preventing-brute-force-attacks-on-admin-login ]
  • 10. THREATS EXPLAINED – BRUTE FORCE ATTACKS How often do brute force attacks happen? Brute force attacks happen all the time! Peter Abraham over at DNI Dynamic Net, Inc. wrote on October 15, 2012 “If you asked me from September 2012 forward, the answer would change dramatically with WordPress Brute Force Attacks now exceeding 50% of all attacks being reported.” [source: http://www.dynamicnet.net/2012/10/wordpress-brute-force-attacks/] [ Source: http://freethegnu.wordpress.com/2010/09/22/yet-another-ssh-brute-force-attack-and-how-to-protect-against-it-with-iptables-and-sshguard/ ]
  • 11. THREATS EXPLAINED – BRUTE FORCE ATTACKS What’s the purpose of a brute force attack? If your account has administrator permissions they can do all sorts of ‘fun’ things to your site. One of the most common reasons for a brute force attack is to inject malware into your files or database.
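Slides 8 to 11 describe brute force attacks against the WordPress login but not how an operator would spot one in the web server log. The following is an added example and not part of the talk: it parses a constructed sample of combined-format access log lines and flags any client address whose failed POSTs to wp-login.php reach a threshold inside a sliding one-minute window. It relies on WordPress answering a failed login with HTTP 200 (the form re-rendered with an error) and a successful one with a 302 redirect; the threshold, the window length and the log lines themselves are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of combined-format access log lines (not a real log):
# one visitor who mistypes a password once and then logs in, and one client
# that keeps POSTing to wp-login.php. Addresses come from documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - - [15/Oct/2012:22:01:03 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2012:22:01:05 +0000] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.0"
198.51.100.9 - - [15/Oct/2012:22:01:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.0"
198.51.100.9 - - [15/Oct/2012:22:01:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.0"
198.51.100.9 - - [15/Oct/2012:22:01:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.0"
198.51.100.9 - - [15/Oct/2012:22:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.0"
198.51.100.9 - - [15/Oct/2012:22:01:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.0"
198.51.100.9 - - [15/Oct/2012:22:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.0"
203.0.113.7 - - [15/Oct/2012:22:01:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Oct/2012:22:01:40 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.9 - - [15/Oct/2012:22:04:30 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/1.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return the fields this check needs, or None for lines it cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_failed_login(entry):
    # WordPress re-renders wp-login.php with HTTP 200 on a bad password and
    # answers a good one with a 302 redirect to the dashboard.
    return (
        entry["method"] == "POST"
        and entry["path"] == "/wp-login.php"
        and entry["status"] == 200
    )


def find_login_bursts(lines, threshold=5, window=timedelta(minutes=1)):
    """Map each client IP whose failed logins reach `threshold` inside any
    span of length `window` to the largest such count (sliding window)."""
    failures = defaultdict(list)
    for line in lines:
        entry = parse_line(line)
        if entry and is_failed_login(entry):
            failures[entry["ip"]].append(entry["ts"])

    flagged = {}
    for ip, stamps in failures.items():
        stamps.sort()
        start, best = 0, 0
        for end, ts in enumerate(stamps):
            while ts - stamps[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = best
    return flagged


if __name__ == "__main__":
    for ip, count in find_login_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed wp-login.php POSTs within one minute")
```

The sliding window matters: the same client has a seventh failure three minutes later, which a plain per-IP total would lump in, while the window keeps the count at six for the burst and one for the straggler. The visitor who mistyped once and then received a 302 is never flagged.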
  • 12. THREATS EXPLAINED - MALWARE Not Firefly-related. Not that I’d mind Captain Malcolm Reynolds getting into my WordPress installation. #fullfrontalnerdity
  • 13. THREATS EXPLAINED - MALWARE What is Malware? Malware is software designed to harvest sensitive information or gain access to computer systems. On a WordPress installation malware can be injected into your source code, database, .htaccess files etc. Malware hijacks the purpose of visiting your site for its programmed agenda. Who Creates Malware? Why? What sort of person creates malware? • Young programmers with something to prove • Older, more experienced virus writers who write malware professionally • ‘Researchers’ who create malware as proof of concept projects Why do people create malware? • Petty theft • Cybercrime • Support for spammers • Distributed network attacks • Stealing electronic currency • ...and many more. [Source: http://www.securelist.com/en/threats/detect?chapter=72 ]
  • 14. THREATS EXPLAINED - MALWARE Malware - Backdoors “A backdoor lets an attacker gain access to your environment via what you would consider to be abnormal methods — FTP, SFTP, WP-ADMIN, etc…” [ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ] Malware - Drive-by Downloads “The point of a drive-by download is often to download a payload onto your user’s local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product...” [ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ] Malware – Malicious Redirects “When a visitor is redirected to a website other than the main one, the website may or may not contain a malicious payload. Suppose you have a website at myhappysite.com; when someone visits it, the website could take the visitor to meansite.com/stats.php, where the malicious payload is in that website’s stats.php file. Or it could be a harmless website with just ads and no malicious payload.” [ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ]
  • 15. THREATS EXPLAINED - MALWARE Malware – Pharma Hacks “Pharma hack is one of the most prevalent infections around. It should not be confused with malware; it’s actually categorized as SPAM — “stupid pointless annoying messages.” If you’re found to be distributing SPAM, you run the risk of being flagged by Google…” [ Source: http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/ ] [ Source: http://www.pearsonified.com/2010/04/wordpress-pharma-hack.php ]
  • 16. THREATS EXPLAINED - MALWARE How does malware infect WordPress? Old and outdated plugins, themes, and WordPress installations may have holes in their security that can be exploited. Malware is injected into a file or your database, where it hijacks your visitors’ experience when they visit your web site. It’s written in a web language, usually PHP, JavaScript, Ruby, Perl, etc. Because WordPress is so widely distributed and open-source, there is not only an excellent chance that outdated installations with security holes exist, but the code of those installations is free for a hacker to study. Third-party plugins and themes may have backdoors coded into them that allow access to hackers (e.g. the TimThumb hack). [ Source: http://www.intechgrity.com/timthumb-vulerability-how-it-got-hacked-how-to-recover/# ]
  • 17. THREATS EXPLAINED - MALWARE How do I know I’m infected? • Formatting/theme is altered • You run a plugin that tells you • Links/text have been inserted at the bottom of the website • Warning in search results • Browsing the website with Google Chrome results in a warning Plugins that help scan your site: Sucuri Sitecheck Malware Scanner http://wordpress.org/extend/plugins/sucuri-scanner/ WordFence Security http://wordpress.org/extend/plugins/wordfence/ (Multi-site support in beta!)
  • 18. THREATS EXPLAINED - MALWARE How do I know I’m infected? • Google Webmaster Tools messages [ www.google.com/webmasters/tools/ ] • Google’s pretty good about notifying webmasters when it sees weird stuff going on. Example: Notice of Suspected Hacking on http://www.yourwebsite.com/ May 17, 2012 Dear owner or webmaster of http://www.yourwebsite.com/, We are writing to let you know that some pages from http://www.yourwebsite.com/ will be labeled as potentially compromised in our search results. This is because some of your pages contain content which may harm the quality and relevance of our search results. It appears that these pages were created or modified by a third party, who may have hacked all or part of your site. Many times, they will upload files or modify existing ones, which then show up as spam in our index. The following are some example URLs which exhibit this behavior:
  • 19. THREATS EXPLAINED - MALWARE How do I get rid of Malware? Scan your Web site for possible infections by using the free service below: sitecheck.sucuri.net/scanner If you have an infection, I highly recommend hiring Sucuri.net to clean it up for you. They specialize in removing malware infections and they’re quick, specialized, and inexpensive. You could hire a developer to comb through your infected code, database, and .htaccess files. However, most developers don’t specialize in malware removal and when you pay an hourly rate for that inexperience you may be better off hiring a specialist.
  • 20. PASSWORDS & ADMINISTRATIVE USERS If you’re starting to fall asleep, wake up! This is the most important section I’ll be talking about today.
  • 21. YOUR PASSWORD & ADMINISTRATIVE USERS Creating your Password Further Reading When creating a password, do NOT use: Common passwords to avoid • Your birthdate, wedding http://www.labnol.org/internet/common- anniversary, or dates of birth of your passwords-to-avoid/14136/ children or spouse • Your name, username, company Avoiding Common Passwords name, names of your children or http://www.passworddragon.com/avoid- spouse common-passwords • Your SIN number • Only numbers or only letters • A short, easy to remember, password • The word, ‘password’. No, not even ‘password01’ or ‘password2012’ • No words found in a dictionary of any language (BUT WAIT! We’ll talk about multi-word passwords very soon!)
• 22. YOUR PASSWORD & ADMINISTRATIVE USERS Creating your Password When creating a password, do use: • At least 10 characters • A mix of numbers, upper and lower case letters, and special characters • A password you have never used before • A system or mnemonic Password Generator: www.StrongPasswordGenerator.com Go to Password Meter to test the strength of your new password: www.PasswordMeter.com Brute Force calculator: https://www.grc.com/haystack.htm Further Reading Salting Passwords http://www.onextrapixel.com/2011/11/02/wordpress-security-how-to-secure-wordpress-thoroughly/
  • 23. YOUR PASSWORD & ADMINISTRATIVE USERS Creating your Password – Multi-word combo passwords [ Source: http://xkcd.com/936/ ]
• 24. YOUR PASSWORD & ADMINISTRATIVE USERS Multi-word combo passwords Multi-word combo passwords are more likely to be remembered but there are a few things to consider: • The words must be random • The words must not relate • Throw in upper & lower cases • Throw in numbers • Throw in special characters Test your password out: https://www.grc.com/haystack.htm My coworker came up with and tested: Staple2Deers@dawn And found it would take 1.34 billion trillion centuries to crack using brute force. “Numbers substituted for letters is really, really bad. Most password applications will try that before they do plain English,...” [ Source: http://www.nettechblog.com/yes-your-passwords-suck-hints-on-creating-solid-passwords/ ] Further Reading Which are more secure, multi-word passwords or passwords made using a combination of letters, numbers and symbols? http://www.quora.com/Which-are-more-secure-multi-word-passwords-or-passwords-made-using-a-combination-of-letters-numbers-and-symbols
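The rules from slides 21, 22 and 24 as a single executable check. This is an added example, not part of the original deck; it assumes bash, and the PERSONAL_TOKENS list is a constructed placeholder for the names, company and dates the slides say to avoid. The dictionary-word rule is left out on purpose, since the multi-word advice on slide 24 supersedes it.

```shell
#!/usr/bin/env bash
# Added example: apply the deck's password rules to a candidate string.
# Prints "OK" or "REJECT: <reasons>" and returns 0 / 1 accordingly.

# Constructed placeholder for the personal details the slides say to avoid
# (your name, company, family names, birth dates); fill in your own.
PERSONAL_TOKENS="tammy valgardson topdraw 1979"

check_password() {
    pw="$1"
    fails=""
    lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')

    # Slide 22: at least 10 characters.
    [ "${#pw}" -ge 10 ] || fails="$fails too-short"

    # Slide 22: numbers, upper and lower case, and special characters.
    # This also covers the "only numbers or only letters" rule on slide 21.
    # POSIX classes are used instead of a-z ranges, which are locale-dependent.
    case "$pw" in *[[:digit:]]*) ;; *) fails="$fails no-digit";; esac
    case "$pw" in *[[:lower:]]*) ;; *) fails="$fails no-lowercase";; esac
    case "$pw" in *[[:upper:]]*) ;; *) fails="$fails no-uppercase";; esac
    case "$pw" in *[![:alnum:]]*) ;; *) fails="$fails no-special";; esac

    # Slide 21: not 'password', not even 'password01' or 'password2012'.
    case "$lower" in *password*) fails="$fails contains-password";; esac

    # Slide 21: nothing derived from your name, company or dates.
    for tok in $PERSONAL_TOKENS; do
        case "$lower" in *"$tok"*) fails="$fails personal-info:$tok";; esac
    done

    if [ -n "$fails" ]; then
        echo "REJECT:$fails"
        return 1
    fi
    echo "OK"
    return 0
}

# Usage: check_password 'Staple2Deers@dawn'
```

The slide's own sample, Staple2Deers@dawn, passes every rule; 'password2012' fails three of them (no upper case, no special character, contains 'password'), which matches the haystack calculator's verdict that length alone is not what makes it weak.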
  • 25. YOUR PASSWORD & ADMINISTRATIVE USERS Remembering your Password DO NOT store it in an obvious place! • NOT on a sticky note on your monitor • NOT in your daily planner Use a Password Keeper • www.keepass.info • https://agilebits.com/OnePassword • http://www.lastpass.com Don’t Panic! Password recovery is built into WordPress!
  • 26. YOUR PASSWORD & ADMINISTRATIVE USERS Password Recovery Always keep your email up to date on your WordPress site!
• 27. YOUR PASSWORD & ADMINISTRATIVE USERS Strong, Unique Passwords aren’t just for WordPress The way you communicate with your web host should also be secure. You want strong passwords for: • Your cPanel user • Your FTP user (which you should make different from your cPanel user) • Your MySQL database user • Your PHPMyAdmin user Every password should be different! If you use a different password for every service you have accounts for, you minimize the amount of damage a hacker can do! Use SFTP to move files to your hosting space Try to use SFTP for your file transfers. SFTP stands for Secure File Transfer Protocol and it uses encrypted SSH transport for its operations. http://filezilla-project.org/
• 28. YOUR PASSWORD & ADMINISTRATIVE USERS Administration Users If you have an administrator-level user named ‘Admin’ or ‘Administrator’ get rid of it! Create a new administrator user: 1. Log into WordPress as your current admin user 2. Create a new user 3. Give it a name other than Admin or Administrator 4. Assign your new user an ‘administrator’ role Remove your old administrator user: 1. Log into WordPress as your new admin user 2. Go to Users and delete your old admin user 3. Or, set your old Admin user’s role to ‘subscriber’ and change the password to something ridiculously long and complex
• 29. YOUR PASSWORD & ADMINISTRATIVE USERS Administration Users You don’t need to write posts as an administrator! Keep your administrator user separate from your blog-writing user. Hackers can find your username from your posts. If you go to Your Profile you can change what your name is displayed as. I recommend changing this from the default of your username to something else. Clean up old admin accounts If you’ve got old admin accounts sitting around – like ones that you’ve created for developers to work on your site with – remove them. Not all of your users need to be administrators, either. If you have contributors to your site, test out various settings to see how much access they really need. PASSWORD STRENGTH IS KEY! The best security for your administration user is having a strong password. Make sure you reset your admin passwords on a regular basis and make sure you haven't used that password elsewhere before!
  • 30. UPDATES & HOUSEKEEPING If only my condo was as clean as my server.
  • 31. UPDATES & HOUSEKEEPING Updates The majority of hacked WordPress sites are not updated! Updates include: • Core WordPress files • Themes • Plugins Outdated WordPress files, themes, and plugins can have holes in security that can be exploited by malware! [ Source: WPbeginner.com ]
• 32. UPDATES & HOUSEKEEPING Challenges to Updating Theme hasn’t been coded according to WP best guidelines and the site breaks if you upgrade. Plug-in has been abandoned by the developer and you’re afraid to update your core files, or you continue using the plugin years after it’s been abandoned. You’re afraid to update because you’re not very web-savvy. Recommended Reading WordPress Codex: Updating WordPress http://codex.wordpress.org/Updating_WordPress Abandoned Plugin Suggestion Matt Jones (http://pluginchief.com/) suggests a plugin adoption program: http://digwp.com/2012/10/abandoned-plugin-adoption-program/
• 33. UPDATES & HOUSEKEEPING Backing up before updating Using an SFTP program (filezilla-project.org), back up all your web files to your computer. Use PHPMyAdmin or cPanel to back your database up. Never leave .sql or other database backup files on your server! Update Now! http://vaultpress.com/ It’s not free but it’s highly recommended. WordPress Codex: WordPress Backups http://codex.wordpress.org/WordPress_Backups
• 34. UPDATES & HOUSEKEEPING Safety First! Safe themes and plugins Curtis McHale, who spoke at WordCamp Edmonton 2011 (you can view his slide show here: http://www.slideshare.net/curtismchale) is part of a team that checks themes submitted to the WordPress.org repository to make sure they are secure and well-formed. If you are interested in joining the WordPress Theme Review Team: http://make.wordpress.org/themes/about/how-to-join-wptrt/ This page has a list of useful plugins that they use to examine a theme and may be useful for anyone developing their own theme. http://www.woothemes.com/ Has a good reputation for paid themes. http://wordpress.org/extend/themes/ Themes are vetted by teams of volunteers and are free. Nothing is 100% un-hackable!
• 35. UPDATES & HOUSEKEEPING Housekeeping Don't leave files on your server that may give hackers information about your site or old code that may be exploitable: • .sql backups • readme files • inactive plugins and themes • phpinfo.php Removing WordPress Version Altering your functions.php file: http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/ Further Reading http://resources.infosecinstitute.com/hardening-wordpress/ http://wiki.dreamhost.com/Harden_WordPress How to: Stop the Hacker by Hardening WP http://blog.sucuri.net/2012/06/how-to-stop-the-hacker-by-hardening-wordpress.html
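The housekeeping list from slide 35 turned into a check you can run over a web root before and after every update. This is an added example, not part of the deck; it assumes a shell with GNU or BSD find and reports only, deleting nothing.

```shell
#!/usr/bin/env bash
# Added example: find the leftover files slide 35 says should not stay on a
# live server. Prints one path per line; nothing is deleted.

audit_leftovers() {
    root="${1:-.}"
    # Core ships readme.html in the web root and it states the exact
    # WordPress version. Only the root copy is flagged, because plugins and
    # themes legitimately carry their own readme.txt files.
    find "$root" -maxdepth 1 -type f -iname 'readme.html'
    # Database dumps and phpinfo pages anywhere under the web root: a dump
    # hands out every password hash, phpinfo hands out paths and versions.
    find "$root" -type f \( -iname '*.sql' -o -iname '*.sql.gz' -o -iname '*.sql.zip' -o -iname 'phpinfo.php' \)
}

# Number of findings, for use in a cron job or a pre-deploy check.
count_leftovers() {
    audit_leftovers "$1" | wc -l | tr -d ' '
}

# Inactive plugins and themes cannot be told apart from active ones on the
# filesystem alone; review the Plugins and Appearance screens for those.

if [ "$#" -gt 0 ]; then
    audit_leftovers "$1"
fi
```

Run it as `audit_leftovers /path/to/webroot` from your SFTP or SSH session; a non-zero count right after a backup usually means the .sql export was left in wp-content/uploads.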
• 36. UPDATES & HOUSEKEEPING Change your database prefix If you are setting up a new WordPress site the option is there to change your database prefix when you first set it up. Manually change your database prefix: http://digwp.com/2010/10/change-database-prefix/ Use a plugin to change your database prefix WP Security Scan http://wordpress.org/extend/plugins/wp-security-scan/ This plugin can also help you change your database prefix. I use this plugin to scan my site on a regular basis.
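What the manual prefix change actually involves, as an added example (not from the deck or from the linked tutorial): a script that prints the SQL and rewrites the `$table_prefix` line in wp-config.php. It assumes bash with sed, the eleven core tables of a single-site install from that era, and the new prefix 'k7q_' is a constructed sample. Two steps are easy to miss and leave every user locked out: the roles option and the per-user capability keys store the prefix as data, not as a table name.

```shell
#!/usr/bin/env bash
# Added example: generate the SQL and the wp-config.php edit needed to move
# an existing site from the default 'wp_' prefix to a new one. The SQL is
# printed for review, not executed; take a database backup first.

# Core tables of a single-site install at the time of the talk. Extend this
# list with any plugin tables (SHOW TABLES LIKE 'wp\_%') before running.
CORE_TABLES="commentmeta comments links options postmeta posts terms term_relationships term_taxonomy usermeta users"

# WordPress only accepts letters, digits and underscores in a prefix.
validate_prefix() {
    case "$1" in
        "" | *[![:alnum:]_]*) echo "invalid prefix: '$1'" >&2; return 1 ;;
    esac
    return 0
}

# Print the table renames plus the two places where the prefix is stored as
# data: the serialized roles option and each user's capability / level keys.
prefix_sql() {
    old="$1"; new="$2"
    validate_prefix "$new" || return 1
    for t in $CORE_TABLES; do
        printf '%s\n' "RENAME TABLE \`${old}${t}\` TO \`${new}${t}\`;"
    done
    printf '%s\n' "UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';"
    # '_' is a single-character wildcard in LIKE, so escape it in the prefix.
    like_old=$(printf '%s' "$old" | sed 's/_/\\_/g')
    printf '%s\n' "UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, $(( ${#old} + 1 )))) WHERE meta_key LIKE '${like_old}%';"
}

# Rewrite the $table_prefix line in a wp-config.php. Writes through a temp
# file so it works with both GNU and BSD sed (which disagree on -i).
set_config_prefix() {
    file="$1"; old="$2"; new="$3"
    validate_prefix "$new" || return 1
    sed "s/^[\$]table_prefix *= *'${old}';/\$table_prefix = '${new}';/" "$file" > "$file.tmp" \
        && mv "$file.tmp" "$file"
}

# Usage: prefix_sql wp_ k7q_ > rename.sql && set_config_prefix wp-config.php wp_ k7q_
```

Apply the generated SQL in PHPMyAdmin, then change wp-config.php; doing it in the other order takes the site down between the two steps.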
• 37. UPDATES & HOUSEKEEPING The scary world of CHMOD Check permissions of upload, upgrade, and backup directories WordPress Codex – Changing File Permissions: http://codex.wordpress.org/Changing_File_Permissions Equally scary .htaccess! .htaccess is a powerful file when used correctly! You can use it to secure: • wp-config.php • set up admin access from your IP only • ban bad users • stop directory browsing • prevent access to /wp-content/ • protect your .htaccess file! If you change your permalink structure any customization on your .htaccess file may be overwritten! Protect Your WordPress Site with .htaccess http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess Securing directories with .htaccess: http://digwp.com/2012/09/secure-media-uploads/ How to Password Protect your WP Admin http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
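Both halves of slide 37 in one script, added here as an example (not from the deck or the linked tutorials): a permission audit for the directories the slide names, and generators for the .htaccess rules it lists. It assumes bash with GNU or BSD find and sed and an Apache host that honours 2.2-style Order/Deny/Allow directives; the admin IP address is a constructed sample.

```shell
#!/usr/bin/env bash
# Added example: a permission audit for a WordPress web root and generators
# for the .htaccess rules listed on the slide. Nothing is changed on disk;
# review the output, then apply it yourself.

# List world-writable files and directories (the classic 777 upload or
# backup folder) and a world-readable wp-config.php. One finding per line.
audit_permissions() {
    root="${1:-.}"
    {
        find "$root" -perm -0002 \( -type f -o -type d \) | sed 's/^/world-writable: /'
        # wp-config.php carries the database password and the salts; the
        # Codex page the slide links to recommends 640 or 600 where the host allows it.
        find "$root" -maxdepth 1 -name 'wp-config.php' -perm -0004 | sed 's/^/world-readable: /'
    } | sort
}

count_permission_issues() {
    audit_permissions "$1" | wc -l | tr -d ' '
}

# Hardening rules for the web-root .htaccess (Apache 2.2-style directives as
# in the linked tutorials; Apache 2.4 needs mod_access_compat for them).
# Keep these outside the "# BEGIN WordPress" / "# END WordPress" block, which
# WordPress rewrites whenever the permalink structure changes.
generate_root_htaccess() {
    cat <<'EOF'
# stop directory browsing
Options -Indexes

# secure wp-config.php
<Files wp-config.php>
    Order Allow,Deny
    Deny from all
</Files>

# protect your .htaccess file
<Files .htaccess>
    Order Allow,Deny
    Deny from all
</Files>
EOF
}

# wp-content/uploads/.htaccess: uploaded files must never execute as PHP.
generate_uploads_htaccess() {
    cat <<'EOF'
<FilesMatch "\.php$">
    Order Allow,Deny
    Deny from all
</FilesMatch>
EOF
}

# wp-admin/.htaccess: admin access from one IP only. The default address is a
# constructed example; front-end features that call admin-ajax.php need an exception.
generate_admin_htaccess() {
    ip="${1:-203.0.113.10}"
    cat <<EOF
Order Deny,Allow
Deny from all
Allow from $ip
EOF
}
```

Fix findings with `chmod 755` on directories and `chmod 644` on files, then `chmod 640 wp-config.php`; re-run the audit after every plugin install, since some installers loosen permissions to make uploads work.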
• 38. HOSTING Hosting When it comes to hosting, you get what you pay for. $5/month hosting is cheap but it’s not terribly secure. You take your chances with shared hosting. How to identify a good WordPress host? A good WordPress host will mention what steps they take to provide you with a secure hosting environment or how they cater specifically to WordPress installations. Sadly, many bloggers are paid to shill for hosting companies so you have to do your due diligence when it comes to picking a host. Good Hosts (caveat emptor) Recommended on WordPress.org Bluehost: http://www.bluehost.com/ DreamHost: http://www.dreamhost.com/ Laughing Squid: http://laughingsquid.us/ Recommended by WooThemes WPEngine: http://wpengine.com/ Examples of good hosts Hardening WordPress on Dreamhost http://wiki.dreamhost.com/Harden_WordPress WP Engine’s list of disallowed plugins http://support.wpengine.com/disallowed-plugins/
• 39. PLUG-INS Plugins Plugins are not the be all and end all when it comes to security. That being said, here are some plugins you may find useful. Don’t use them all at once! Brute Force Blocking User Locker: http://wordpress.org/extend/plugins/user-locker/ Limit Login Attempts: http://wordpress.org/extend/plugins/limit-login-attempts/ Malware Scanning / Blocking Sucuri Sitecheck Malware Scanner: http://wordpress.org/extend/plugins/sucuri-scanner/ Block Bad Queries: http://wordpress.org/extend/plugins/block-bad-queries/ General Security Wordfence Security: http://wordpress.org/extend/plugins/wordfence/ WP Security Scan: http://wordpress.org/extend/plugins/wp-security-scan/
• 40. CONCLUSION In Conclusion There are many more tips and tricks than what I’ve covered here but I’m trying to keep things simple. Try as you might your security will never be perfect, but the good news is you can easily make yourself less of a target by taking a few simple security precautions. Knowing how to protect yourself is the first step towards a safe, secure WordPress site. (The second step is to actually implement some of this advice.) Recommended Reading http://my.safaribooksonline.com/book/-/9781849512107 http://blog.sucuri.net/category/wordpress http://codex.wordpress.org/Hardening_WordPress http://blogvault.net/wordpress-security-1-securing-wp-config-php/ http://www.copyblogger.com/wordpress-website-security/ http://www.wpsecuritylock.com/dreamhost-one-click-wordpress-installed-timthumb-vulnerability-and-security-risks/ http://www.instantfundas.com/2011/12/quick-guide-to-secure-wordpress-setup.html
  • 41. CREDIT WHERE CREDIT IS DUE Credits: Cow hide photo in title graphic by Sherrie Thai of ShaireProductions http://www.flickr.com/photos/shaireproductions/3766840922/ Bashful Cow purchased from istockphoto.com “Let’s have fun” scary graphic purchased from istockphoto.com Herd Infection photo purchased from istockphoto.com Social Media icons from respective social media web sites ‘Common passwords to avoid’ poster http://www.etsy.com/listing/52531459/500-worst-passwords-poster-fold-down Special thanks to: Adriel Michaud @ TopDraw.com for his input Sarah Sinfield @ KickPoint.ca for encouraging me Curtis McHale @ CurtisMcHale.com for inspiring me My partner who makes sure my fuzzy blanket supply never runs out