wordpress security best practices - wordcamp waukesha 2017

Security Best Practices

Upload: vdrover

Post on 12-Apr-2017


TRANSCRIPT

Security Best Practices

@VicDrover

Panama Papers



Infected Websites by Platform

Hacked Website Report - Sucuri


% Out-of-Date CMS

Hacked Website Report - Sucuri


Is YOUR website vulnerable?


Top 3 causes of WordPress hacks

Hacked Website Report - Sucuri


RevSlider < 3.0.95 = vulnerable

https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/


WordPress host for Ransomware

http://www.tomsguide.com/us/wordpress-ransomware-epidemic,news-22219.html


Levels of website security


Levels of website security

Client Passwords


Password Managers


Agency Passwords


Trust extends to your team


Email security


Staff


Disaster Response Plan


Initial response

→ Who, What, When
→ Emergency contact info
→ Service provider info
  ◆ DNS, Server/Host, Data Center, Backups
→ 1-time use passwords

Agency 7


Security policy

→ Email usage
→ Resource access
→ Password strength
→ Password duration
→ Account sharing
→ Team composition
→ Disaster planning
→ Ongoing education


Levels of website security

Local

Remote


Local Resources


PHP Usage (Joomla 3.5)

[Chart: share of sites by PHP version: PHP 5.2, 5.3, 5.4, 5.5, 5.6, 7.x]


Webserver security


Heartbleed


filippo.io/Heartbleed/


Other local issues

→ SSH on a non-default port, key-based authentication
→ Disable FTP (use secure FTP instead)
→ Strong database password + non-default table prefix
→ Enable logging (usually off by default)
→ Disable magic_quotes


Levels of website security

Local

Remote


Remote services - email


Remote services - DNS


Remote services - reverse proxy


Managed Hosting


Levels of website security


Update all the things


Well-known WordPress best-practices

→ Unique administrator account
→ Disable file editing and PHP execution
→ Limit login attempts
→ Remove unused themes + plugins
→ Block editing of the config file


Enforce stronger passwords


Control New Users


Secure failed login message

// Replace WordPress's default failed-login message, which reveals whether
// the username exists, with one generic message for every failure.
function wrong_login() {
    return 'Wrong username or password.';
}
add_filter('login_errors', 'wrong_login');

functions.php

http://geckogullywebsites.com/wordpress-security-tips-check-for-display-of-unnecessary-information-on-failed-login-attempts/
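As an added example that is not part of the slides, the "Limit login attempts" item from the best-practices list above, implemented on WordPress's own hooks so that it pairs with the generic failed-login message. The thresholds, the wcw_ prefix and the transient naming are assumptions.

```php
<?php
// Added example: a minimal per-IP lockout for the WordPress login form.
// Assumed thresholds: 5 failures within a 15-minute window.

const WCW_MAX_ATTEMPTS   = 5;        // assumption: lock after 5 failures
const WCW_WINDOW_SECONDS = 15 * 60;  // assumption: 15-minute counting window

// Transient key derived from the requesting IP address.
function wcw_attempt_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'wcw_failed_' . md5($ip);
}

// Count a failed login; the transient expires on its own after the window,
// so the counter resets without any cron job.
function wcw_record_failure($username) {
    $key   = wcw_attempt_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, WCW_WINDOW_SECONDS);
}
add_action('wp_login_failed', 'wcw_record_failure');

// Runs after core's username/password check (priority 20), so a correct
// password cannot override the lockout. The wording stays as generic as
// the login_errors filter: no hint about whether the username exists.
function wcw_check_lockout($user, $username, $password) {
    if ((int) get_transient(wcw_attempt_key()) >= WCW_MAX_ATTEMPTS) {
        return new WP_Error('wcw_locked', 'Wrong username or password.');
    }
    return $user;
}
add_filter('authenticate', 'wcw_check_lockout', 30, 3);

// Clear the counter once the visitor logs in successfully.
function wcw_clear_on_success($user_login, $user) {
    delete_transient(wcw_attempt_key());
}
add_action('wp_login', 'wcw_clear_on_success', 10, 2);
```

Behind the reverse proxy mentioned later in the deck, REMOTE_ADDR is the proxy's address, so the counter must be keyed on the client address the web server restores from the proxy's forwarded header, or every visitor shares one lockout.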


Backup your site + test


Akeeba Backup

https://www.akeebabackup.com/


Use Redundant firewalls
