The 7 Deadly Sins of WordPress Security
DESCRIPTION
Website security matters to everyone who owns a website and to everyone who uses one. Whether a site gets five visitors a day or five thousand, attackers are looking to compromise, break, infect and effectively own every website they can reach, for money and for attention. The topic seems mysterious to most users, but website security is really a set of simple principles that anyone can adopt to keep their risk as low as it can go. Watch for the pitfalls, keep malicious users out, and avoid The 7 Deadly Sins of WordPress Security.
TRANSCRIPT
Page 1
Page 2
joseph herbrandson | www.sucuri.net 1-888-873-0817| [email protected]
ABOUT ME
WEB DESIGN AND INFORMATION SECURITY
Committed to WordPress since 2008.
SUCURI – Researcher and Account Manager
Removing malware and protecting websites.
Personally cleaned over 5,000 websites
SUCURI.NET
Twitter: @JHerbrandson
Page 3
ABOUT SUCURI – Over 45 Security Professionals Making a Safer Web
SECURITY SCANNING & ANALYSIS
Checking the health of over 3 million websites every month through our free Sitecheck scanner: http://sitecheck.sucuri.net
MALWARE CLEANUP
Cleaning and remediating 300 – 400 hacked or infected websites every day.
ATTACK PROTECTION
Blocking over 33 million attacks and instances of malicious traffic every month.
EDUCATION
Providing detailed and actionable security information through our blog at http://blog.sucuri.net
Page 4
ATTACK TRAFFIC ORIGINS
Map.Ipviking.com
Page 5
A QUICK DEMO
Attack in Progress: https://www.youtube.com/watch?v=v4Xr3LrixVg
Page 6
Sooo… WHY? It’s Just Business… probably
- The Short Answer: Fame and Fortune
- $BILLION Spam – Generic Pharmaceuticals, Payday Loans, Gambling, Designer Brand Knock-Offs
- Hacktivism – Politics and religion at the speed of download
- Immaturity – Kids being kids
Page 7
the 7 deadly sins of WordPress security
ONE – SECURITY APATHY
TWO – PROTECTION LUST
THREE – THRILL SEEKING
FOUR – ACCESS ALOOFNESS
FIVE – SERVICE GREED
SIX – PRINCIPLE PRIDE
SEVEN – VULNERABILITY WRATH
Page 8
sin #1 Security Apathy
Ignoring the Requirements
Page 9
THE NEED FOR SECURITY
THE STATE OF THE INTERNET: www.internetlivestats.com
Page 10
HOSTING OPTIONS – Choose wisely
Shared Hosting – Cheap
Dedicated Hosting – All yours
Managed Hosting – Done for you
Page 11
MANAGED-HOSTING PROVIDERS
WordPress Experts for Everyone!
Page 12
SPEAKING OF ENVIRONMENT…
Who is using the Public Wifi?
Page 13
sin #2 Protection Lust
Searching for the Security Holy Grail
Page 14
WORD OF WARNING
No chance of 0% risk. The next ‘0-day’ attack is always around the corner…
Page 15
SECURITY HEADLINES
Proof: Seen the news lately?
Page 16
sin #3 Thrill Seeking
Skydiving is a safer thrill than going without backups
Page 17
BUT I’VE NEVER HAD A PROBLEM BEFORE…
Have a low-profile, non-threatening site? You are still getting attention.
Page 18
HACKERS HARD AT WORK
PHARMACEUTICAL SPAM MAKES HACKERS TWO BILLION DOLLARS/YEAR
SOLUTION: OFFSITE BACKUPS
RESULT: CLEAN SITE IMMEDIATELY
FREE WEBSITE REBRAND
Page 19
AUTOMATED BACKUPS – Know you have a backup plan
BackupBuddy – ithemes.com/backupbuddy/
VaultPress – Vaultpress.com
Sucuri Backups – Sucuri.net
Web hosting backups – Your hosting company
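Added example, not from the slides: the backup plan on this slide as a script. It bundles wp-content, wp-config.php and a database dump you have already exported (with mysqldump or `wp db export`), writes a SHA-256 manifest beside the archive so a restore can prove the offsite copy is intact, and rotates old archives. WP_ROOT, DB_DUMP, DEST and the function names are this example's own assumptions; copying DEST to storage outside the web server is left to whatever sync job you use.

```shell
#!/bin/sh
# Added example (not from the slides): an offsite-ready WordPress backup
# with an integrity manifest and simple rotation. Assumptions of this
# example: WP_ROOT is the WordPress install, DB_DUMP is an SQL dump you
# already produced (mysqldump or `wp db export`), and DEST is a directory
# that some other job syncs to storage outside the web server. Function
# names are this example's own.
set -eu

# sha256_of FILE -> hex digest, using whichever tool the host has
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | cut -d' ' -f1
  else
    shasum -a 256 "$1" | cut -d' ' -f1
  fi
}

# wp_backup WP_ROOT DB_DUMP DEST -> prints the archive path.
# The archive holds wp-content (themes, plugins, uploads), wp-config.php
# and the database dump; the .sha256 file beside it lets a restore prove
# the offsite copy is the one that was written.
wp_backup() {
  root=$1; dump=$2; dest=$3
  stamp=$(date -u +%Y%m%dT%H%M%SZ)
  archive="$dest/wp-backup-$stamp.tar.gz"
  mkdir -p "$dest"
  tar -czf "$archive" -C "$root" wp-content wp-config.php \
      -C "$(dirname "$dump")" "$(basename "$dump")"
  sha256_of "$archive" > "$archive.sha256"
  printf '%s\n' "$archive"
}

# wp_backup_verify ARCHIVE -> 0 when the digest matches and the archive
# still contains what a restore needs; non-zero otherwise. Run this on the
# offsite copy, not on the copy sitting on the server that was just hacked.
wp_backup_verify() {
  archive=$1
  [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] || return 1
  tar -tzf "$archive" | grep -q '^wp-config.php$' || return 2
  tar -tzf "$archive" | grep -q '\.sql$' || return 3
}

# wp_backup_rotate DEST KEEP -> delete all but the newest KEEP archives
# and their manifests, so the backup store does not grow without bound.
wp_backup_rotate() {
  dest=$1; keep=$2
  ls -1 "$dest"/wp-backup-*.tar.gz 2>/dev/null | sort -r | tail -n +"$((keep + 1))" |
  while IFS= read -r old; do rm -f "$old" "$old.sha256"; done
}

# Usage: sh wp-backup.sh --run WP_ROOT DB_DUMP DEST   (keeps the 7 newest)
if [ "${1:-}" = "--run" ]; then
  archive=$(wp_backup "$2" "$3" "$4")
  wp_backup_verify "$archive" && wp_backup_rotate "$4" 7
fi
```

Saved as, say, wp-backup.sh and run from cron, this gives the "offsite backups" the previous slide asks for; the verify step matters most on the offsite copy, because a backup that only lives on the compromised server is the same as no backup, which is the point of the slide.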
Page 20
sin #4 Access Aloofness
Sticky Notes: No Longer Best for Password Management!!
Page 21
TOP 3 PASSWORDS USED IN 2013 – Seriously….
2013 Rank | Password | Last Year’s Rank
1 | ‘123456’ | 2
2 | ‘PASSWORD’ | 1
3 | ‘12345678’ | 3
credit: SplashData.com
Page 22
PASSWORD MANAGER – Remembers your passwords so you don’t have to
LastPass – lastpass.com
1Password – agilebits.com
KeePass – keepass.info
Dashlane – dashlane.com
Page 23
LEAST PRIVILEGE – Does your user setup look like this?
Access tiers: Hosting/control panel, Administrator, FTP/SFTP root access, Editor/contributor
Who holds access: Actual Admin (1), Potential Hackers (7), Friends (12), Writers (2), SEO Guys (4), Analysts (2), Editors (1), Random People (10), Hackers (5), Friends Again… (3)
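Added example, not from the slides: a least-privilege audit of the WordPress user list, which is the one tier on this slide that WP-CLI can see. It rebuilds the slide's "who holds what" count from real data, lists every administrator who is not on a short allowlist of the people who actually run the site, and prints the WP-CLI commands that would demote the rest to editor. The CSV input is assumed to come from `wp user list --fields=user_login,user_email,roles --format=csv`; the sample data and function names are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the slides): audit who holds which WordPress
# role and which administrators are not expected to be there.
# Input is WP-CLI CSV, assumed to be produced by:
#   wp user list --fields=user_login,user_email,roles --format=csv
# One role per user is assumed (multi-role users are rare and come quoted).
# The sample below is constructed for the demo.

SAMPLE_USERS='user_login,user_email,roles
jane,jane@example.com,administrator
seo-guy,seo@agency.example,administrator
friend42,buddy@example.net,administrator
writer1,w1@example.com,author
writer2,w2@example.com,author
analyst,analyst@example.com,administrator
ed,ed@example.com,editor'

# role_summary < CSV -> "count role" per role, most-held first.
# This is the chart on the slide, built from the actual user table.
role_summary() {
  tail -n +2 | awk -F, '{ n[$3]++ } END { for (r in n) print n[r], r }' | sort -rn
}

# unexpected_admins ALLOWLIST < CSV -> "login email" for every administrator
# not in the space-separated ALLOWLIST of people who really run the site.
unexpected_admins() {
  allow=" $1 "
  tail -n +2 | while IFS=, read -r login email role; do
    [ "$role" = "administrator" ] || continue
    case "$allow" in
      *" $login "*) ;;                           # expected administrator
      *) printf '%s %s\n' "$login" "$email" ;;
    esac
  done
}

# demote_commands ALLOWLIST < CSV -> WP-CLI commands to review, then run.
# Editor keeps publishing rights but cannot install plugins or edit theme code.
demote_commands() {
  unexpected_admins "$1" | while read -r login _; do
    printf 'wp user set-role %s editor\n' "$login"
  done
}

# Usage: sh wp-user-audit.sh --demo      (runs against the constructed sample)
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_USERS" | role_summary
  printf '%s\n' "$SAMPLE_USERS" | demote_commands "jane"
fi
```

On a live site, pipe the WP-CLI CSV into role_summary to get the real counts, then into demote_commands with the allowlist, and read the printed commands before running any of them. Hosting-panel and SFTP accounts are not WordPress users and have to be reviewed by hand, the same way.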
Page 24
sin #5 Service Greed
No such thing as something for nothing on the front page of Google
Page 25
NOT THE CODE YOU’RE LOOKING FOR… Assisting the enemy
This probably shouldn’t be in your theme:
if(isset($_GET['pwd'])) {
    eval(base64_decode("CiRhdXRoX3Bhc3MgPSAiN2U5NBhY3RpdmF0ZXMsIGNoYW5nZWQgZWxlbWVudHMgaW4gdGhlIG9yaWdpbmFsIHBsdWdpbiwgZGVzaWduZWQgdG8gYmVoYXZlIGxpa2UgY2xlYW4gY29kZSwgc2lnbmFsIHRoZSBoYWNrZXIgdG8gbGV0IGl0IGtub3cgdGhhdCBpdOKAmXMgaW4uIEEgY2xlYW4gYmFjayBkb29yIGhhcyBiZWVuIG9wZW5lZCwgYW5kIHlvdXIgc2l0ZSBpcyBub3cgb24gYW4gYXV0b21hdGVkIGF0dGFjayBsaXN0LCBtZWFudCB0byBxdWlldGx5IGluZmVjdCBhbmQgcmVpbmZlY3QgeW91ciBzaXRlIGFnYWluIGFuZCBhZw==")); }
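Added example, not from the slides: a scan that finds the construct shown above, a request parameter gating an eval() of an encoded blob, together with its common relatives (eval of gzinflate/str_rot13 output, eval or assert fed straight from $_GET/$_POST, preg_replace with the /e modifier, create_function), across every PHP file in a WordPress tree. It also lists PHP files under wp-content/uploads, where nothing should ever be executable. The patterns are signatures of typical backdoors, not proof of compromise, so every hit needs a human look; the regex, paths and function names are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): flag PHP files in a WordPress tree
# that carry the eval-of-an-obfuscated-payload construct shown above, or
# one of its common relatives. These are signatures of typical backdoors,
# not proof of compromise; every hit needs a human look. The regex, paths
# and function names are this example's own assumptions.

# One alternative per classic construct:
#   eval(base64_decode( / eval(gzinflate( / eval(gzuncompress( / eval(str_rot13(
#   eval($_GET|$_POST|$_REQUEST|$_COOKIE   request data straight into eval
#   preg_replace with the /e modifier      evaluates the replacement as PHP
#   create_function(                        eval in disguise
#   assert($_GET|$_POST|$_REQUEST           assert() evaluates strings
BACKDOOR_RE="eval[[:space:]]*\([[:space:]]*(@?base64_decode|gzinflate|gzuncompress|str_rot13|\\\$_(GET|POST|REQUEST|COOKIE))|preg_replace[[:space:]]*\(.*/e['\"]|create_function[[:space:]]*\(|assert[[:space:]]*\([[:space:]]*\\\$_(GET|POST|REQUEST)"

# scan_php_tree DIR -> one suspicious file per line, sorted.
# find -exec ... + handles thousands of files and an empty tree cleanly.
scan_php_tree() {
  find "$1" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.inc' \) \
    -exec grep -lE "$BACKDOOR_RE" {} + 2>/dev/null | sort
}

# scan_uploads DIR -> PHP files under wp-content/uploads. Uploads should
# never contain executable PHP, so any hit is worth a look on its own.
scan_uploads() {
  find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' \) 2>/dev/null | sort
}

# Usage: sh wp-backdoor-scan.sh --scan /path/to/wordpress
if [ "${1:-}" = "--scan" ] && [ -d "${2:-}" ]; then
  scan_php_tree "$2"
  scan_uploads "$2"
fi
```

A clean theme that legitimately calls base64_decode() on its own data is not flagged, because the regex requires the decoded result to be fed into eval(); the trade-off is that a backdoor which splits the call across variables slips past a one-line signature, which is why this complements, rather than replaces, the file-integrity comparison against a known-clean copy.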
Page 27
sin #6 Principle Pride
Keep to the code.
Page 28
A SYSTEM TO LIVE BY
1. Protect! – Your computer has a firewall, why doesn’t your website?
2. Detect! – The same goes for antivirus.
3. Respond! – Clean up the mess. You have a backup, right?
Encompassing actions:
- Know the best practices
- Mind your maintenance
Page 30
sin #7 Wrath of Vulnerabilities
Opening doors you never knew existed
Page 31
WORDPRESS CORE – Strong and Secure
Dedicated Creators – Making WordPress Solid and Secure
Auto-Updates – Get important patches right away.
Support – Everything you need at WordPress.org
Page 32
WordPress Version Distribution 3.0 – 4.0 (wordpress.org/about/stats/)
Page 33
3RD PARTY VULNERABILITIES – Keep watch
Vulnerabilities disclosed at http://blog.sucuri.net
- All-In-One SEO – 20 Million Downloads
- WPtouch – 6 Million Downloads
- MailPoet – 2.7 Million Downloads
- Custom Contact Forms – 640k Downloads
- Slider Revolution – Hundreds of Thousands (themeforest/codecanyon)
Page 34
GOING FURTHER – Transition from Mark to Master
Tips, Tools, and Services
Page 35
WEBSITE ANTIVIRUS & FIREWALL – Protection and Detection
Don’t be the mark! Understand the changes you are implementing.
“AntiVirus”: WordFence, Sucuri Website Antivirus
“Firewall”: CloudFlare, Sucuri Website Firewall
“Utilities”: iThemes Security, BruteProtect, Sucuri Security Plugin
Page 36
RESOURCES – Because you don’t know what you don’t know
General WordPress Security: https://codex.wordpress.org/Hardening_WordPress, https://blog.sucuri.net
Hacking and General Security: http://www.securityfocus.com/, http://blogs.sophos.com/
Facebook Groups: WordPress Security, Advanced WordPress
SubReddits: Reddit.com/r/Hacking, Reddit.com/r/WordPress
Page 37
EASY PATH TO CLEANUP – Response
NEED:
- Releases of WordPress at https://wordpress.org/download/release-archive/
- Clean backup of active theme and required plugins
- New passwords (WordPress, FTP, hosting control panel, everything else)
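Added example, not from the slides: the first item on this slide turned into a check. Download the release that matches the installed version from the release archive, unpack it into a sibling directory, and diff the installed core against it: every file that differs is either something you changed yourself or something an attacker changed, and every file that exists only in the install is a classic place for a dropped backdoor. wp-content and wp-config.php are site-specific, so they are excluded here and compared against the clean backup from the next bullet instead. The function names and the output format are this example's own.

```shell
#!/bin/sh
# Added example (not from the slides): compare an installed WordPress core
# against a clean copy of the same release, downloaded from
# https://wordpress.org/download/release-archive/ and unpacked into a
# sibling directory. Every difference is either configuration you put
# there yourself or something an attacker left behind. Function names and
# the output format are this example's own assumptions.

# wp_version DIR -> the $wp_version string from wp-includes/version.php,
# so the matching release can be fetched before diffing.
wp_version() {
  sed -n "s/^\\\$wp_version *= *'\([^']*\)'.*/\1/p" "$1/wp-includes/version.php"
}

# core_diff INSTALL CLEAN -> one finding per line, sorted:
#   MODIFIED path   file differs from the release (compare the two by hand)
#   EXTRA    path   file exists only in the install (classic backdoor drop)
#   MISSING  path   release file absent from the install (broken or trimmed)
# wp-content and wp-config.php are site-specific and excluded here; they
# need the clean-backup comparison from the slide, not a release diff.
core_diff() {
  install=$1; clean=$2
  diff -rq -x wp-content -x wp-config.php "$install" "$clean" |
  sed -e "s|^Files $install/\(.*\) and $clean/.* differ\$|MODIFIED \1|" \
      -e "s|^Only in $install\(/[^:]*\)\{0,1\}: \(.*\)\$|EXTRA \1/\2|" \
      -e "s|^Only in $clean\(/[^:]*\)\{0,1\}: \(.*\)\$|MISSING \1/\2|" \
      -e 's|^EXTRA /|EXTRA |' -e 's|^MISSING /|MISSING |' | sort
}

# Usage: sh wp-core-diff.sh /var/www/html /tmp/wordpress-clean/wordpress
if [ -d "${1:-}" ] && [ -d "${2:-}" ]; then
  printf 'installed version: %s\n' "$(wp_version "$1")"
  core_diff "$1" "$2"
fi
```

Run wp_version first and fetch exactly that release, otherwise every file shows up as MODIFIED and the signal is lost. Once the EXTRA and MODIFIED core files are dealt with, the remaining two bullets on the slide still apply: restore wp-content from a clean backup rather than trusting what is on disk, and rotate every password, because a backdoor that was in place long enough has already read wp-config.php.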
Page 38
Page 39
THANK YOU!