WordPresssecurityfundamentals

aboutmeSomething

Joseph Herbrandson

Web design and infosec Committed to WordPress and website security since 2008

sucuri security Security Analyst - Cleaning up malware and protecting websites from infection everyday

Website sucuri.net

twitter.com/sucuri_security

facebook.com/SucuriSec

sucuri.net

sucuri.net

Sucurisecurity• Website security Company

• Operate internationally

• platform agnostic (wordpress, joomla, drupal, etc…)

• scan 2 million websites per month

• block 4 million attacks per month

• remediate 400-500 sites per day

• 24/7 operations

The state of…

theInternet

sucuri.net

2.9 Billion Internet Users world wide

About 950 million active sites

internetlivestats.com

!

20% are wordpress…

No 0% Threat Rule No such thing as perfect security. If someone REALLY wants in, they will find a way.

0- Day Attacks Brand new attacks using different methods make these impossible to plan for. 0-Day attacks are resolved once it has been studied, and fix has been published.

Not just Wordpress! Security starts with everyday practices. All the wrong moves made off of your website, will still affect things on your website!

sucuri.net

securewpNotes On

Who Are They?

Hackersidentities

sucuri.net

Who are these Guys? - It can be anyone good with computers.

- Intelligent and Mischievous; Enterprising and Effective.

Where are they from? Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States.

!

Brute Force sql injection ddos social engineering

sucuri.net

what’s going on here…

commonattacktypes

Hacked?

WhyyouIt’s nothing Personal Most attacks are automated and done on many websites at a time

You're on the list Once you’re a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE

sucuri.net

The

$Billionspam!

Pharma and spam attacks Viagra, Cialis, and Levitra ads, make marketers over 2 BILLION dollars every year from blackhat methods of infecting websites, and redirecting users to websites selling prescription drugs.

!

sucuri.net

sucuri.net

Sending a Message

Hacktivists!

The hacktivists Turning your site into a billboard for anarchy and mayhem

PillarsofsecurityYour Security

Frontline Disaster Preventionbackups

Basic Website MaintenanceStaying current

Common Sense PoliciesAccess control

WordPress Intrusion Preparation

sucuri.net

securedbackupsDisaster Prevention

Have a backup plan Playing defensively from the back is your best first line defense.

Stored Remotely Away from your live server, and the clutches of an intruder.

…more than one if possible! The more layers of your backup plan, the less likely it is to fail.

Scheduled and Automated Don’t rely on yourself.

sucuri.net

backupSolutionsOptions for

Vault PressWeb hosting Sucuri Backups

sucuri.net

wordpressUpdatesThe Importance of

Your version is your level of security !

Major versus Maintenance releases !

Worried About upgrading? fear not! downgrading is a simple task !

Have an upgrade path

sucuri.net

As of June 2014: http://w3techs.com/technologies/details/cm-wordpress/3/all

36%

29%

6%

7%

11%

11%

3.0-3.4 3.5 3.6 3.7 3.8 3.9

sucuri.net

allinoneSEo

recent vulnerability disclosure: Update!! !

no plugin is SAFE! !

educate yourself http://blog.sucuri.net/2014/05/vulnerability-found-in-the-all-in-one-seo-pack-wordpress-plugin.html

Public Service Announcemnt…

A little bit about

passwordsecurityThe tactics Sophisticated Password Guessing

easier to crack than you think… !

Password Crack Times:

- 8 letters = 52 seconds

- 8 nums/letters = 11 minutes

- with caps/!@#$… = 3 hours

- 12 letters/nums/caps/!@#$ =

2 Thousand years

sucuri.net

mostusedpassWordsThe web’s

No. Title Ranking Last Year

1 123456 2

2 password 1

3 12345678 3

4 qwerty 5

5 abc123 4

6 123456789 New

7 111111 9

sucuri.net

The following are statistics showing the most used passwords in 2013, documented from lists stolen in major organization security breaches.

(SplashData.com)

passwordmanagersTools of the trade:

Lastpass keePass DashLane

sucuri.net

1Password

Case study

cleanupFtp/sftp File Management Basic file cleanup with FileZilla

WordPress Version Archives https://codex.wordpress.org/WordPress_Versions (Google “WordPress versions”)

Theme Backups Always know where to find a clean copy of your theme

sucuri.net

Infectedsiteinfection: blackhat seo spam injection

Spam is displayed with Javascript turned off. Otherwise it’s hidden!

Infection confirmed at the free Sucuri website scanner: http://sitecheck.sucuri.net

Cleanup

sucuri.net

Cleanup

removeandreplacewp-admin and wp-includes These directories are replaceable for cleanup and downgrading versions

Replace other core files The other core files outside of these two directories can be uploaded to directly replace their counterparts

do not delete wp-config.php or wp-content! These are vital to the functionality of your blog, and cannot be replaced easily, or without a backup.

sucuri.net

Cleanup

removeandreplace pt.2

find your theme Your theme is replaceable if youhaven’t made customchanges

delete your old theme This is the most common placefor infected WordPress files

replace with clean copy Good as new!

sucuri.net

Cleanup

cleansite

cleanup accomplished: Your WordPress site is now spam free!

!

sucuri.net

sucuri.net

A healthy dose of…

paranoia

worry about the right things: - Passwords versus Usernames

- Web hosting

- Plugin/Theme origin

- Patching/Updating

- Who your friends are

anyquestions?