WordPress Security 101 – Hackers, Scoundrels, and Villains, Oh My (slide transcript)
WORDPRESS SECURITY 101
HACKERS, SCOUNDRELS, AND VILLAINS, OH MY.
PRESENTED BY: GARRY MCNEILLY, KOJAC CONSULTING
PRESENTATION OVERVIEW
You will learn how to:
Secure your desktops and servers
Secure WordPress websites
Basics of themes and plugins
Develop and test in a local environment
Basics of MySQL and XAMPP
Best practices for securing your email using Sender Policy Framework (SPF)
SECURE YOUR LOCAL WORKING ENVIRONMENT
Keep your software up to date – run Windows Update on a regular basis
Install antivirus on all computers and servers, and keep the antivirus up to date
Implement a hardware or software firewall solution whenever possible
ANTI VIRUS, FIREWALLS, MALWARE
Free solutions:
www.comodo.com – firewall and internet security (remove the GeekBuddy 24/7 upsell)
www.zonealarm.com – free firewall
http://www.avast.com – basic antivirus
http://www.avg.com – basic free antivirus
ANTI VIRUS, FIREWALLS, MALWARE
Malware is the collective term for:
Viruses
Trojan horses
Rootkits
Backdoors
Malwarebytes – http://www.malwarebytes.org
What Is It…
“Today, malware is used primarily to steal sensitive information of personal, financial, or business importance by black hat hackers with harmful intentions”
SECURE YOUR LOCAL WORKING ENVIRONMENT
Lock Down your Browser
HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure. https://www.eff.org/https-everywhere-node
No Mention of IE…
Keep your Browsers up to date
SECURE YOUR LOCAL WORKING ENVIRONMENT
Firefox add-on – NoScript Security Suite 2.6.8.5
The best security you can get in a web browser!
Allow active content to run only from sites you trust, and protect yourself against XSS and clickjacking attacks.
https://addons.mozilla.org/en-US/firefox/addon/noscript/
Note: it takes a little while to configure your trusted sites.
WHAT HAS MY ISP DONE FOR ME LATELY
Does my ISP notify me of server / database upgrades?
Do they lock me out if there are too many login attempts, and if so, do they let you know?
Are you on a shared server or a dedicated server? (cross contamination)
WHAT HAS MY ISP DONE FOR ME LATELY
Are your sites segmented?
Do you have one master account for access to all accounts?
Own one, own all.
WHAT HAS MY ISP DONE FOR ME LATELY
Do you have a limitation on your MySQL database (how many records can you have, how big can your database be)?
Do they offer Sender Policy Framework (SPF) for email?
What's technical support like: phone | email | 24/7, or whenever they decide to get back to you?
WHAT HAS MY ISP DONE FOR ME LATELY
What's their Service Level Agreement (SLA) like?
Do they offer backup services?
What's their data retention policy like?
TWO STEP AUTHENTICATION 3RD PARTY APPS
TWO STEP AUTHENTICATION – DROPBOX (3RD PARTY APPS)
1. Sign in to the Dropbox website.
2. Click on your name from the upper-right of any page to open your account menu.
3. Click Settings from the account menu and select the Security tab.
4. Under the Account sign in section, next to Two-step verification, click Enable.
TWO STEP AUTHENTICATION 3RD PARTY APPS
Just a few more accounts that have two step authentication.
LinkedIn – new after they were hacked, nearly 6.5 million users affected
Microsoft Accounts
Wordpress.com
Godaddy.com
FTP – DON’T GET ME STARTED !!!
File Transfer Protocol – FTP. It's not secure and has no encryption of data.
Stop Using It Right Now
The SSH File Transfer Protocol (also known as Secure FTP and SFTP)
is a better solution.
FTP – DON’T GET ME STARTED !!!
You may need to contact your ISP / hosting provider to activate or install it. You may also need to use different port numbers: 21 (FTP) or 22 (SFTP over SSH).
Secure FTP also gives you root access to the directories and subdirectories of all accounts – so be careful when transferring files or accessing accounts.
PASSWORD MANAGEMENT – PASSWORDS VS. PASSPHRASES
Passwords
Passwords tend to be really common dictionary words.
Easy to guess / crack.
"Password" is a bad password.
Passphrases
Passphrases tend to be much longer and harder to guess / crack.
Longer character set with special characters.
PASSWORD MANAGEMENT
Password Example
Your wife's name is Tonya; change the O to a zero: T0nya
Passphrase example: MyWifeT0nyaCant_Cook (still common, but a little harder to crack)
PASSWORD MANAGEMENT
Add Upper and lower case as well as special characters
MyW1feT0nyaCant_Cook#@!
And if for some reason your wife needs your password… change it QUICK:
MyW1fe_T0nyaIs_A_GrateC00k
PASSWORD MANAGEMENT
www.lastpass.com – can be used on all devices
Auto-fills user names and passwords
PASSWORD MANAGEMENT
www.RoboForm.com
https://www.passpack.com
http://keepass.info/
These programs can generate complex passwords that are hard to remember unless you are using a password manager.
WORDPRESS SECURITY
Themes
Plugins
Users / Privileges
Databases
WordPress install
Internet Service Providers
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
$$$ Financial gain $$$
Hackers make money in a few ways:
Affiliate marketing referrals – pay per click
Zero-day exploitation
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
Pharma hacks (Viagra, counterfeit drugs)
Change the DB | insert spam | add a backdoor | redirect URLs
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
Site redirections
SEO poisoning of your keywords
Access to membership lists
Ecommerce theft – such as Infusionsoft and PayPal
Credit card information
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
Defacement of site – script kiddies just #being shit heads
Install backdoor software – own one, own all
Malicious redirects – they make money from pay per click
Injections – iframes specifically
Identity Theft #juststeelingyourshit
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!
• Email compromise allowing for Phishing attacks
• CryptoLocker ransomware attacks
‘The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment’
HOW DOES THIS AFFECT ME & MY BUSINESS
• Loss of trust with clients
• Loss of business
• Loss of time, effort and lots of money to fix your website
• Tarnished online reputation
THIS THREAT IS NOT REAL, IS IT?
Just a few stats to scare the crap out of you:
• 12,000 to 14,000 sites per day are blacklisted
• Google documents and issues 5 million warnings per week
DOMAIN NAME MANAGEMENT
Make sure you or your clients own their domain name
Set up auto renewal
Add privacy to your domain if possible – making it harder to steal
*Domain name extortion
Example: www.sitedudes.com – No long term contracts my ass !!!
They did offer a complimentary ass kicking… though
WORDPRESS SECURITY INSTALL REVIEW
Most WP setups out of the box are configured with:
- admin (username)
- password (you create)
You have just helped a hacker with ½ the answer to your login by using admin as a user name.
WORDPRESS SECURITY
Install the Google Authenticator plugin for WordPress.
Hackers now need:
- your long user name
- your long, complex password
- the TXT sent to your phone
WORDPRESS SECURITY
Create a user name that is at least 15 characters, including upper and lower case letters and special characters.
Password: use a program such as LastPass to create a long and complex password.
WORDPRESS SECURITY
Limit login attempts plugins help stop brute force attacks by locking your site after a specific number of failed attempts.
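The lockout rule such a plugin applies, written out in Python as an added example (not any plugin's code): failures are counted per username and IP inside a sliding window, the pair is locked out once the threshold is hit, and a correct password does not unlock it early. Thresholds and the sample attempt log are constructed for illustration.

```python
"""Lockout logic of the kind a 'limit login attempts' plugin implements.
Added example, not any plugin's code; thresholds and the sample attempt
log below are constructed for illustration."""
from collections import defaultdict, deque


class LoginLimiter:
    """Count failed logins per (username, IP) in a sliding window and lock
    that pair out for `lockout_seconds` once `max_failures` is reached."""

    def __init__(self, max_failures=4, window_seconds=600, lockout_seconds=1200):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)   # key -> failure timestamps
        self._locked_until = {}               # key -> unlock time

    def seconds_locked(self, user, ip, now):
        """0 if the pair may attempt a login, else seconds remaining."""
        return max(0, self._locked_until.get((user, ip), 0) - now)

    def attempt(self, user, ip, password_ok, now):
        """Process one attempt; returns 'locked', 'ok' or 'failed'. A correct
        password does not bypass an active lockout, so an attacker cannot
        confirm a guess while locked out."""
        key = (user, ip)
        if self.seconds_locked(user, ip, now):
            return "locked"
        if password_ok:
            self._failures.pop(key, None)
            return "ok"
        q = self._failures[key]
        while q and now - q[0] > self.window:   # drop failures outside window
            q.popleft()
        q.append(now)
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            self._failures.pop(key, None)
            return "locked"
        return "failed"


def replay(limiter, attempts):
    """Run (timestamp, user, ip, password_ok) tuples through the limiter."""
    return [limiter.attempt(u, ip, ok, t) for t, u, ip, ok in attempts]


# Constructed sample: a guessing run against 'admin', the real owner logging
# in from another address, then the attacker returning after the lockout.
SAMPLE_ATTEMPTS = [
    (1000, "admin", "203.0.113.7", False),
    (1001, "admin", "203.0.113.7", False),
    (1002, "admin", "203.0.113.7", False),
    (1003, "admin", "203.0.113.7", False),  # 4th failure: locked out
    (1004, "admin", "203.0.113.7", True),   # right password, still locked
    (1005, "admin", "198.51.100.2", True),  # owner from another IP: allowed
    (2300, "admin", "203.0.113.7", False),  # lockout expired, counts afresh
]

if __name__ == "__main__":
    print(replay(LoginLimiter(), SAMPLE_ATTEMPTS))
```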
WORDPRESS SECURITY
Example – brute force attack
SO WHAT CAN I DO TO REDUCE MY RISK?
• Remove all unused themes and plugins
• Monitor your website on a regular basis
• Keep your site up to date
• Change file permissions from the standard defaults
• Remove users and roles if they are not being used
• Keep your production server tidy – it's not a backup server or file server
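To make the file permission point checkable, here is an added audit script (not from the slides or from WordPress) that walks an install and flags anything looser than the usual hardened baseline of 755 for directories, 644 for files and 600 for wp-config.php; the tree it audits is constructed in a temporary directory so it runs anywhere.

```python
"""Audit a WordPress tree for permissions looser than the usual hardened
defaults (directories 755, files 644, wp-config.php 600). Added example,
not from the slides or WordPress; the tree it walks is constructed in a
temporary directory so the script runs anywhere."""
import os
import stat
import tempfile

DIR_MODE = 0o755
FILE_MODE = 0o644
SECRET_FILES = {"wp-config.php": 0o600}   # DB credentials and salts live here


def expected_mode(path, is_dir):
    if is_dir:
        return DIR_MODE
    return SECRET_FILES.get(os.path.basename(path), FILE_MODE)


def audit_tree(root):
    """Sorted (relative path, actual mode, expected mode) for every entry that
    grants permission bits beyond its expected mode; stricter is fine."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            want = expected_mode(full, is_dir)
            if mode & ~want:   # any bit set that the expected mode lacks
                findings.append((os.path.relpath(full, root), oct(mode), oct(want)))
    return sorted(findings)


def build_sample_tree():
    """Constructed install: a world-writable uploads directory, a wp-config.php
    readable by everyone, and a correctly set plugin file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    layout = [                     # (relative path, is_dir, mode)
        ("wp-content", True, 0o755),
        ("wp-content/plugins", True, 0o755),
        ("wp-content/uploads", True, 0o777),
        ("wp-config.php", False, 0o644),
        ("wp-content/plugins/index.php", False, 0o644),
    ]
    for rel, is_dir, mode in layout:
        full = os.path.join(root, rel)
        if is_dir:
            os.mkdir(full)
        else:
            open(full, "w").close()
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for rel, actual, wanted in audit_tree(build_sample_tree()):
        print(f"{rel}: mode {actual}, expected {wanted}")
```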
WP USERS & THEIR ROLES
Administrator
Editor
Author
Contributor
Subscriber
SO IS YOUR SITE UP TO DATE? MAJOR RELEASE VS. POINT RELEASE
WP 3.6 – 3.7 major release:
Old calls and functions
Core security flaws
Performance issues
Core related issues
SO IS YOUR SITE UP TO DATE? WP 3.7.1 POINT RELEASE
WP 3.7.1 point release:
Bug fixes
Security updates
Images with captions fixed
Visual editor fixed
NOTE:
Major and Minor updates still have the ability to bring your site down or cause issues.
This is why you should always backup your production site.
Replicate your site in a test environment and make sure that there are no errors and issues.
TOOLS TO TEST YOUR SITE
http://sucuri.net/ – checks for:
Software version
Blacklisting
Malware
Malicious JavaScript
Malicious iframes
Drive-by downloads
Anomaly detection
IE-only attacks
Suspicious redirects
Spam
WORDPRESS SECURITY
So what's a theme?
Themes define the look and feel of your site. A child theme is a theme that inherits the functionality of another theme, called the parent theme. A child theme allows you to modify, or add to, the functionality of that parent theme.
WORDPRESS SECURITY
A child theme is the safest and easiest way to modify an existing theme, whether you want to make a few tiny changes or extensive changes. Instead of modifying the theme files directly, you can create a child theme and override within.
WORDPRESS SECURITY
Responsive design – will resize the look and feel for mobile devices such as smart phones, tablets and netbooks.
Note: when purchasing themes, look at the developer's upgrade status. If the theme has not been updated in a while, keep looking.
TIMTHUMB – COMMERCIAL THEMES EXPLOITATION
An image resizing utility called timthumb.php
Bundled in some commercial /free Themes
Remote Code Execution
TIMTHUMB – COMMERCIAL THEMES EXPLOITATION
SQL injection vulnerability
Google shows over 39 million results for the script name
If you find it, fix it right away
This script is still in active use and a huge problem in the WP community
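Since the script is bundled inside themes, often under another file name, "find it" means searching your own install rather than trusting the theme listing. The added script below (not from the slides) walks a WordPress tree, identifies timthumb.php copies by name or by the `class timthumb` definition used in the 2.x code, reads the `define ('VERSION', ...)` constant, and reports copies older than the release you pass in; the sample tree is constructed in a temporary directory.

```python
"""Locate copies of timthumb.php in a WordPress tree and read the VERSION
constant each declares. Added example, not from the slides; the constant
format and class name are those of the 2.x script; the tree is constructed."""
import os
import re
import tempfile

CURRENT_RELEASE = "2.8.14"   # last release I know of; confirm upstream
VERSION_RE = re.compile(r"""define\s*\(\s*['"]VERSION['"]\s*,\s*['"]([\d.]+)['"]""")
FINGERPRINT = "class timthumb"   # also catches renamed copies (thumb.php etc.)


def parse_version(source):
    m = VERSION_RE.search(source)
    return m.group(1) if m else None


def version_tuple(v):
    return tuple(int(p) for p in v.split("."))


def find_timthumb(root, current=CURRENT_RELEASE):
    """Sorted (relative path, version or None, outdated) for each PHP file named
    timthumb.php or containing its class; unreadable versions count as outdated."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if not name.lower().endswith(".php"):
                continue
            full = os.path.join(dirpath, name)
            with open(full, encoding="utf-8", errors="replace") as fh:
                source = fh.read()
            if name.lower() != "timthumb.php" and FINGERPRINT not in source:
                continue
            ver = parse_version(source)
            outdated = ver is None or version_tuple(ver) < version_tuple(current)
            hits.append((os.path.relpath(full, root), ver, outdated))
    return sorted(hits)


def build_sample_tree():
    """Constructed install: an old copy, a renamed current copy, a bystander."""
    root = tempfile.mkdtemp(prefix="wp-timthumb-")
    samples = {
        "wp-content/themes/old-theme/timthumb.php":
            "<?php\ndefine ('VERSION', '1.32');\nclass timthumb {}\n",
        "wp-content/themes/other/scripts/thumb.php":
            "<?php\ndefine ('VERSION', '2.8.14');\nclass timthumb {}\n",
        "wp-content/plugins/gallery/image.php": "<?php\n// unrelated helper\n",
    }
    for rel, body in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, ver, outdated in find_timthumb(build_sample_tree()):
        print(rel, ver, "OUTDATED" if outdated else "current")
```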
CREATE A TEST ENVIRONMENT
Used to develop or replicate a website in a local environment
Test themes / plugins / applications before they go live
Use a staging environment for testing for viruses / defects
PLUGINS EXPLAINED
What's a WP plugin? WP plugins are used to add additional functionality to your site,
including: security, performance, calendars, social media,
fonts, custom features, site backups.
Before installing a plugin, make sure it's compatible with your version of WP; review the author and make sure they keep up to date with current WP versions, standards and best practices.
SOME KICK ASS PLUGINS
Limit Login Attempts
WP Security
Google Authenticator
DEVELOPMENT TOOLS
Notepad Plus
Asana.com – used for project management
CREATE A TEST ENVIRONMENT
Microsoft WebMatrix
BitNami WordPress local install
CREATE A TEST ENVIRONMENT – TOOLS FOR CREATING A LOCAL TEST ENVIRONMENT
Microsoft WebMatrix
http://www.microsoft.com/web/webmatrix/
Installing WebMatrix may not work correctly if you have Skype installed, which also uses port 80, or any other program that uses port 80.
It also requires some file modification to move it from the test environment to production.
CREATE A TEST ENVIRONMENT
Bitnami.com
Simple application deployment from development to production
Bitnami supports Windows, Mac OS X and Linux operating systems, and VMware virtualized environments
You can also use a subdirectory on your production website
CREATE A TEST ENVIRONMENT
Local development also requires software to run the local database.
XAMPP – http://www.apachefriends.org/en/xampp.html
WAMP – http://sourceforge.net/projects/wampserver/
These two packages use localhost for development. The package includes the Apache web server, MySQL, SQLite, PHP, Perl, an FTP
CONCLUSION TO THE PRESENTATION
Questions & Answers – Contact Info
Garry McNeilly
Kojac Consulting
www.kojac-consulting.com
Phone: 416-898-9084
WordPress Security 101 – Hackers, Scoundrels, and Villains, Oh My.