WORDPRESS SECURITY 101
HACKERS, SCOUNDRELS, AND VILLAINS, OH MY

PRESENTED BY: GARRY MCNEILLY
KOJAC CONSULTING

PRESENTATION OVERVIEW

You will learn:
• How to secure your desktops & servers
• How to secure WordPress websites
• Basics of themes & plugins
• How to develop and test in a local environment
• Basics of MySQL and XAMPP
• Best practices for securing your email using Sender Policy Framework (SPF)
SECURE YOUR LOCAL WORKING ENVIRONMENT

• Keep your software up to date – run Windows Update on a regular basis
• Install antivirus on all computers & servers
• Keep antivirus up to date
• Implement a hardware or software firewall solution whenever possible

ANTI VIRUS, FIREWALLS, MALWARE
Free solutions
• www.comodo.com – firewall and internet security (remove the GeekBuddy 24/7 upsell)
• www.zonealarm.com – free firewall
• http://www.avast.com – basic antivirus
• http://www.avg.com – basic free antivirus

Malware is the concealment of:
• Viruses
• Trojan horses
• Rootkits
• Backdoors
Malwarebytes – http://www.malwarebytes.org

What is it…
"Today, malware is used primarily to steal sensitive information of personal, financial, or business importance by black hat hackers with harmful intentions"
SECURE YOUR LOCAL WORKING ENVIRONMENT
Lock down your browser
HTTPS Everywhere is a Firefox and Chrome extension that encrypts your communications with many major websites, making your browsing more secure.
https://www.eff.org/https-everywhere-node
No mention of IE…
Keep your browsers up to date

Firefox add-on – NoScript Security Suite 2.6.8.5
"The best security you can get in a web browser!"
Allow active content to run only from sites you trust, and protect yourself against XSS and clickjacking attacks.
https://addons.mozilla.org/en-US/firefox/addon/noscript/
Note: it takes a little while to configure your trusted sites
WHAT HAS MY ISP DONE FOR ME LATELY

• Does my ISP notify me of server / database upgrades?
• Do they lock me out if there are too many login attempts, and if so, do they let you know?
• Are you on a shared server or a dedicated server? (cross contamination)
• Are your sites segmented?
• Do you have one master account for access to all accounts? Own one, own all.
• Do you have a limitation on your MySQL database (how many records can you have, how big can your database be)?
• Do they offer a Sender Policy Framework (SPF) for email?
• What's technical support like: phone | email | 24/7, or "whenever we decide to get back to you"?
• What's their Service Level Agreement (SLA) like?
• Do they offer backup services?
• What's their data retention policy like?
TWO STEP AUTHENTICATION – 3RD PARTY APPS

Two step authentication – Dropbox
1. Sign in to the Dropbox website.
2. Click on your name from the upper right of any page to open your account menu.
3. Click Settings from the account menu and select the Security tab.
4. Under the Account sign in section, next to Two-step verification, click Enable.

Just a few more accounts that have two step authentication:
• LinkedIn – new after they were hacked (nearly 6.5 million users)
• Microsoft Accounts
• Wordpress.com
• Godaddy.com
FTP – DON'T GET ME STARTED !!!

File Transfer Protocol – FTP
It's not secure and has no encryption of data.
Stop using it right now.

The SSH File Transfer Protocol (also known as Secure FTP and SFTP) is a better solution.

You may need to contact your ISP / hosting provider to activate or install it. You may also need to use a different port number (FTP uses port 21, SFTP uses port 22).

Secure FTP also gives you root access to directories and subdirectories of all accounts – so be careful when transferring files or accessing accounts.
PASSWORDS MANAGEMENT
PASSWORDS VS. PASS PHRASES

Passwords
• Tend to be really common dictionary words
• Easy to guess / crack
• "Password" is a bad password

Pass phrases
• Tend to be much longer and harder to guess / crack
• Longer character set with special characters

Password example
Your wife's name is Tonya; change the O to a zero: T0nya

Passphrase example
MyWifeT0nyaCant_Cook
(Still common but a little harder to crack)

Add upper and lower case as well as special characters:
MyW1feT0nyaCant_Cook#@!
And if for some reason your wife needs your password….. change it QUICK
MyW1fe_T0nyaIs_A_GrateC00k

PASSWORDS MANAGEMENT

www.lastpass.com – can be used on all devices; auto fills user names & passwords
www.RoboForm.com
https://www.passpack.com
http://keepass.info/
These programs have the ability to generate complex passwords that are hard to remember unless you are using a password manager.
WORDPRESS SECURITY
WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!!

$$$ Financial gain $$$
Hackers make money in a few ways:
• Affiliate marketing referrals – pay per click
• Zero day exploitation
• Pharma hacks (Viagra, counterfeit drugs)
• Change the DB | insert spam | add a backdoor | redirect URLs
• Site redirections
• SEO poisoning of your keywords
• Access to membership lists
• Ecommerce theft – such as Infusionsoft and PayPal
• Credit card information
• Defacement of site – script kids just #being shit heads
• Install backdoor software – own one, own all
• Malicious redirects – they make money from pay per click
• Injections – iframes specifically
• Identity theft #juststeelingyourshit
• Email compromise allowing for phishing attacks
• CryptoLocker ransomware attacks
"The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment"
HOW DOES THIS AFFECT ME & MY BUSINESS

• Loss of trust with clients
• Loss of business
• Loss of time, effort and lots of money to fix your website
• Tarnished online reputation

THIS THREAT IS NOT REAL, IS IT?
Just a few stats to scare the crap out of you

• 12,000 to 14,000 sites per day are blacklisted
• Google documents and issues 5 million warnings per week
DOMAIN NAME MANAGEMENT

Make sure you or your clients own their domain name
Setup auto renewal
Add privacy to your domain if possible – making it harder to steal

*Domain name extortion
Example: www.sitedudes.com
No long term contracts my ass !!!
They did offer a complimentary ass kicking…though
WORDPRESS SECURITY
INSTALL REVIEW
Most WP setups out of the box are configured with:
- admin (username)
- password (you create)
You have just helped a hacker with ½ the answers to your login by using admin as a user name.

Install the Google Authenticator plugin for WordPress.
Hackers now need:
- Your long user name
- Long complex password
- TXT sent to your phone

Create a user name that is at least 15 characters including upper and lower case and special characters.
Password: use a program such as LastPass to create a long and complex password.

Limit login attempts plugins will help to stop brute force attacks by locking your site after a specific number of attempts.
Example – Brute Force Attack
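To show what a "limit login attempts" plugin actually does under the hood, here is an added example (not code from the slides or from any WordPress plugin): a sliding-window lockout counter replayed over a few constructed login-log lines. The log format, the thresholds (5 failures in 10 minutes, 20 minute lockout) and the IP addresses are all assumptions for the demonstration.

```python
"""Added example (not from the slides): a failed-login lockout counter of the
kind a "limit login attempts" plugin implements, replayed over constructed
log lines. Log format, thresholds and addresses are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log in a made-up format: "<ISO time> <ip> <user> <OK|FAIL>"
SAMPLE_LOG = """\
2013-11-01T10:00:01 203.0.113.5 admin FAIL
2013-11-01T10:00:02 203.0.113.5 admin FAIL
2013-11-01T10:00:03 203.0.113.5 admin FAIL
2013-11-01T10:00:04 203.0.113.5 admin FAIL
2013-11-01T10:00:05 203.0.113.5 admin FAIL
2013-11-01T10:00:06 203.0.113.5 admin FAIL
2013-11-01T10:05:00 198.51.100.7 garry_mcn OK
2013-11-01T10:06:00 198.51.100.7 garry_mcn FAIL
2013-11-01T10:06:30 198.51.100.7 garry_mcn OK
2013-11-01T11:30:00 203.0.113.5 admin FAIL
"""

MAX_ATTEMPTS = 5                 # lock after this many failures ...
WINDOW = timedelta(minutes=10)   # ... within this sliding window
LOCKOUT = timedelta(minutes=20)  # how long the source IP stays locked


def parse_line(line):
    """Split one constructed log line into (timestamp, ip, user, success)."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result == "OK"


class LoginLimiter:
    def __init__(self):
        self.failures = defaultdict(deque)   # ip -> timestamps of recent failures
        self.locked_until = {}               # ip -> datetime the lock expires
        self.events = []                     # ("LOCK" | "REJECT", ip, user, ts)

    def attempt(self, ts, ip, user, success):
        """Return True if the attempt is allowed through to password checking."""
        until = self.locked_until.get(ip)
        if until and ts < until:
            # Locked: refuse without even evaluating the credentials
            self.events.append(("REJECT", ip, user, ts))
            return False
        q = self.failures[ip]
        # Forget failures that fell out of the sliding window
        while q and ts - q[0] > WINDOW:
            q.popleft()
        if success:
            q.clear()                        # a good login resets the counter
            return True
        q.append(ts)
        if len(q) >= MAX_ATTEMPTS:
            self.locked_until[ip] = ts + LOCKOUT
            q.clear()
            self.events.append(("LOCK", ip, user, ts))
        return True


def replay(log_text):
    """Feed every log line through the limiter; return (limiter, attempts allowed)."""
    limiter = LoginLimiter()
    allowed = 0
    for line in log_text.splitlines():
        if limiter.attempt(*parse_line(line)):
            allowed += 1
    return limiter, allowed


if __name__ == "__main__":
    limiter, allowed = replay(SAMPLE_LOG)
    print(f"{allowed} attempts reached password checking")
    for kind, ip, user, ts in limiter.events:
        print(f"{ts.isoformat()} {kind:6} ip={ip} user={user}")
```

On the sample log the fifth failure from 203.0.113.5 triggers a lock, the sixth is rejected outright, and the same address is allowed to try again once the 20 minute lockout has expired. The legitimate user's single typo never gets near the threshold.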
SO WHAT CAN I DO TO REDUCE MY RISK

• Remove all unused themes & plugins
• Monitor your website on a regular basis
• Keep your site up to date
• Change file permissions from the standard defaults
• Remove users and roles if they are not being used
• Keep your production server tidy – it's not a backup server or file server

WP USERS & THEIR ROLES

Administrator
Editor
Author
Contributor
Subscriber
SO IS YOUR SITE UP TO DATE
MAJOR RELEASE VS. POINT RELEASE
WP 3.6 – 3.7 Major Release

Old calls & functions
Core security flaws
Performance issues
Core related issues

WP 3.7.1 Point Release

Bug fixes
Security updates
Images with captions fixed
Visual editor fixed

NOTE:
Major and minor updates still have the ability to bring your site down or cause issues. This is why you should always back up your production site. Replicate your site in a test environment and make sure that there are no errors or issues.
TOOLS TO TEST YOUR SITE
http://sucuri.net/ checks for:

Software version
Blacklisting
Malware
Malicious JavaScript
Malicious iframes
Drive by downloads
Anomaly detection
IE-only attacks
Suspicious redirects
Spam
WORDPRESS SECURITY
So what's a theme ???
Themes define the look and feel of your site.
A child theme is a theme that inherits the functionality of another theme, called the parent theme. A child theme allows you to modify, or add to, the functionality of that parent theme.
A child theme is the safest and easiest way to modify an existing theme, whether you want to make a few tiny changes or extensive changes. Instead of modifying the theme files directly, you can create a child theme and override within it.
Responsive design – will resize the look and feel for mobile devices such as smart phones, tablets and netbooks.
Note: when purchasing themes look at the developer's upgrade status. If the theme has not been updated in a while, keep looking.
TIMTHUMB
COMMERCIAL THEMES EXPLOITATION
An image resizing utility called timthumb.php, bundled in some commercial / free themes

Remote code execution
SQL injection vulnerability
Google shows over 39 million results for the script name.
If you find it, fix it right away.
This script is still active and a huge problem in the WP community.
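Two of the checks above ("change file permissions from the standard defaults" and "if you find timthumb.php, fix it right away") can be done in one pass over the install tree. The following is an added example, not code from the slides or from WordPress: it walks a directory, flags anything looser than an assumed hardening baseline (directories 755, files 644, wp-config.php 600) and reports any copy of the timthumb resizer. The baseline, the file names checked and the constructed sample tree are all assumptions; point audit_tree() at a real install to use it.

```python
"""Added example (not from the slides): audit a WordPress install tree for
(a) files/directories looser than an assumed hardening baseline and
(b) copies of the timthumb.php image resizer. build_sample_tree() creates a
constructed install in a temp dir so the script runs stand-alone."""
import os
import stat
import tempfile

# Baseline assumed here (common WordPress hardening advice, not from the slides)
DIR_MODE = 0o755
FILE_MODE = 0o644
SENSITIVE = {"wp-config.php": 0o600}     # holds DB credentials: owner-only
# File names the timthumb resizer commonly ships under (assumption)
TIMTHUMB_NAMES = {"timthumb.php", "thumb.php"}


def audit_tree(root):
    """Return a sorted list of (path relative to root, finding) tuples."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & ~DIR_MODE:             # any bit beyond rwxr-xr-x is set
                findings.append((os.path.relpath(full, root),
                                 f"dir mode {mode:o} > {DIR_MODE:o}"))
        for name in filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            limit = SENSITIVE.get(name, FILE_MODE)
            if mode & ~limit:
                findings.append((rel, f"file mode {mode:o} > {limit:o}"))
            if name.lower() in TIMTHUMB_NAMES:
                findings.append((rel, "timthumb resizer present - update or remove"))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample install: a world-writable uploads dir, a loose
    wp-config.php and a timthumb.php bundled inside a theme."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    dirs = ["wp-content", "wp-content/uploads",
            "wp-content/themes", "wp-content/themes/shop"]
    for rel in dirs:
        os.makedirs(os.path.join(root, rel))
        os.chmod(os.path.join(root, rel), DIR_MODE)   # explicit, umask-independent
    os.chmod(os.path.join(root, "wp-content/uploads"), 0o777)   # the bad one
    files = {
        "wp-config.php": 0o644,                        # should be 600
        "index.php": 0o644,
        "wp-content/themes/shop/style.css": 0o644,
        "wp-content/themes/shop/timthumb.php": 0o644,  # bundled resizer
    }
    for rel, mode in files.items():
        full = os.path.join(root, rel)
        open(full, "w").close()
        os.chmod(full, mode)
    return root


if __name__ == "__main__":
    for path, finding in audit_tree(build_sample_tree()):
        print(f"{path}: {finding}")
```

The permission test is a bitmask (`mode & ~limit`), so it flags any extra bit such as group or world write rather than only exact mismatches; that is what you want when a host has left uploads or cache directories at 777.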
CREATE A TEST ENVIRONMENT

Used to develop or replicate a website in a local environment
Test themes / plugins / applications before they go live
Use a staging environment for testing for viruses / defects

PLUGINS EXPLAINED
What's a WP plugin ???
WP plugins are used to add additional functionality to your site, including security, performance, calendars, social media, fonts, custom features and site backups.
Before installing a plugin, make sure it's compatible with your version of WP. Review the author and make sure they keep up to date with current WP versions, standards and best practices.
SOME KICK ASS PLUGINS

Limit Login Attempts
WP Security
Google Authenticator

DEVELOPMENT TOOLS

Notepad++
Asana.com – used for project management
CREATE A TEST ENVIRONMENT

Options: Microsoft WebMatrix, BitNami, or a WordPress local install

TOOLS FOR CREATING A LOCAL TEST ENVIRONMENT
Microsoft WebMatrix
http://www.microsoft.com/web/webmatrix/
Installing WebMatrix may not work correctly if you have Skype installed, which also uses port 80, or any other program that uses port 80.
It also requires some file modification to move it from the test environment to production.

Bitnami.com
Simple application deployment from development to production
Bitnami supports Windows, Mac OS X and Linux operating systems, and VMware virtualized environments
You can also use a subdirectory on your production website

Local development also requires software to run the local database.
Xampp – http://www.apachefriends.org/en/xampp.html
Wamp – http://sourceforge.net/projects/wampserver/
These two packages use localhost for development. The package includes the Apache web server, MySQL, SQLite, PHP, Perl, an FTP
CONCLUSION TO THE PRESENTATION
Question & Answers
Contact Info
Garry McNeilly
Kojac Consulting
www.kojac-consulting.com
garry@kojac-consulting.com
Phone: 416-898-9084


Strategies for Landing an Oracle DBA Job as a Fresher
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 

Word press security 101

  • 8. WHAT HAS MY ISP DONE FOR ME LATELY Does my ISP notify me of server / database upgrades? Do they lock me out if there are too many login attempts, and if so, do they let you know? Are you on a shared server or a dedicated server (Cross Contamination)?
  • 9. WHAT HAS MY ISP DONE FOR ME LATELY Are your sites segmented? Do you have one master account for access to all accounts? Own one, Own All
  • 10. WHAT HAS MY ISP DONE FOR ME LATELY Do you have a limitation on your MySQL database (how many records can you have, how big can your database be)!!! Do they offer a Sender Policy Framework for Email? What's technical support like: Phone | Email | 24/7 or whenever we decide to get back to you
  • 11. WHAT HAS MY ISP DONE FOR ME LATELY What's their Service Level Agreement (SLA) like? Do they offer backup services? What's their data retention policy like?
  • 13. TWO STEP AUTHENTICATION – DROP BOX 3RD PARTY APPS 1. Sign in to the Dropbox website. 2. Click on your name from the upper-right of any page to open your account menu. 3. Click Settings from the account menu and select the Security tab. 4. Under the Account sign in section, next to Two-step verification, click Enable.
  • 14. TWO STEP AUTHENTICATION 3RD PARTY APPS Just a few more accounts that have two step authentication: LinkedIn – New after they were hacked, nearly 6.5 million users; Microsoft Accounts; Wordpress.com; Godaddy.com
  • 15. FTP – DON'T GET ME STARTED !!! File Transfer Protocol – FTP It's Not Secure and has no encryption of data. Stop Using It Right Now. The SSH File Transfer Protocol (also known as Secure FTP and SFTP) is a better solution.
  • 16. FTP – DON'T GET ME STARTED !!! You may need to contact your ISP / hosting provider to activate or install. You may also need to use different port numbers: 21 (FTP) or 22 (SFTP). Secure FTP also gives you root access to directories and subdirectories of all accounts – So be careful when transferring files or accessing accounts
  • 17. PASSWORDS MANAGEMENT PASSWORDS VS. PASS PHRASES Passwords: tend to be really common dictionary words, easy to guess / crack; "Password" is a bad password. Pass Phrases: tend to be much longer and harder to guess / crack; longer character set with special characters.
  • 18. PASSWORDS MANAGEMENT Password Example: Your wife's name is Tonya, change O to zero: T0nya. Passphrase Example: MyWifeT0nyaCant_Cook (Still common but a little harder to crack)
  • 19. PASSWORDS MANAGEMENT Add upper and lower case as well as special characters: MyW1feT0nyaCant_Cook#@! And if for some reason your wife needs your password…..Change it QUICK: MyW1fe_T0nyaIs_A_GrateC00k
  • 20. PASSWORDS MANAGEMENT www.lastpass.com can be used on all devices. Auto fills user names & passwords
  • 21. PASSWORDS MANAGEMENT www.RoboForm.com https://www.passpack.com http://keepass.info/ These programs have the ability to generate complex passwords that are hard to remember unless you are using a password manager
  • 23. WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! $$$ Financial gain $$$ Hackers make money in a few ways: Affiliate marketing referrals – pay per click; Zero Day exploitations
  • 24. WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! Pharma hacks (Viagra) counterfeit drugs, Change DB | insert Spam | add a backdoor, Redirect URL
  • 25. WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! Site redirections; SEO Poisoning of your keywords; Access to membership lists; Ecommerce theft – such as Infusionsoft and PayPal; Credit card information
  • 26. WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! Defacement of site – Script kids just #being shit heads Install backdoor software – own one own all Malicious redirect – they make money from Pay Per Click Injections – Iframe specifically Identity Theft #juststeelingyourshit
  • 27. WHAT WILL A HACKER GAIN FROM MESSING WITH MY SITE !!! • Email compromise allowing for Phishing attacks • CryptoLocker ransomware attacks 'The malware encrypts all of the most important files on a victim PC — pictures, movie and music files, documents, etc. — as well as any files on attached or networked storage media. CryptoLocker then demands payment'
  • 28. HOW DOES THIS AFFECT ME & MY BUSINESS • Loss of trust with clients • Loss of business • Loss of time, effort and lots of money to fix your website • Tarnishes your online reputation
  • 29. THIS THREAT IS NOT REAL IS IT Just a few stats to scare the crap out of you • 12,000 to 14,000 sites per day are blacklisted • Google documents and issues 5 million warnings per week
  • 30. DOMAIN NAME MANAGEMENT Make sure you or your clients own their Domain Name. Setup Auto renewal. Add Privacy to your domain if possible – making it harder to steal. *Domain Name Extortion Example: www.sitedudes.com – No long term contracts my ass !!! They did offer a complementary ass kicking…though
  • 31. WORDPRESS SECURITY INSTALL REVIEW Most WP setups out of the box are configured with -admin (username) -password (you create). You have just helped a hacker with ½ the answers to your login by using admin as a user name
  • 32. WORDPRESS SECURITY Install Google Authenticator Plugin for WordPress. Hackers Now Need: - Your long user name - Long complex password - TXT sent to your phone
  • 33. WORDPRESS SECURITY Create a user name that is at least 15 characters including upper and lower case and special characters. Password: use a program such as LastPass to create a long and complex password
  • 34. WORDPRESS SECURITY Limit login attempts plugins will help to stop Brute Force attacks by locking your site after a specific amount of attempts.
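The core of such a lockout, as an added example written as a small WordPress plugin (it is not the Limit Login Attempts plugin the slide refers to and not code from the presentation); the function names, the attempt limits and the lockout duration are assumptions:

```php
<?php
/*
Plugin Name: Example Login Lockout (added example; not the Limit Login Attempts plugin)
*/

// After MAX_ATTEMPTS failures from one client within WINDOW seconds, refuse
// all logins from that client for DURATION seconds. The numbers are assumptions.
const EXAMPLE_LOCKOUT_MAX_ATTEMPTS = 5;
const EXAMPLE_LOCKOUT_WINDOW       = 15 * MINUTE_IN_SECONDS;
const EXAMPLE_LOCKOUT_DURATION     = 30 * MINUTE_IN_SECONDS;

// Counters are keyed on REMOTE_ADDR. Behind a reverse proxy you would have to
// use the proxy's forwarded header instead, and only if you trust the proxy.
function example_lockout_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'example_lockout_' . md5( $ip );
}

// 1. Count each failed attempt. wp_login_failed fires whenever WordPress
//    rejects a non-empty username/password pair.
function example_lockout_record_failure( $username ) {
    $key   = example_lockout_client_key();
    $count = (int) get_transient( $key . '_count' ) + 1;
    set_transient( $key . '_count', $count, EXAMPLE_LOCKOUT_WINDOW );
    if ( $count >= EXAMPLE_LOCKOUT_MAX_ATTEMPTS ) {
        set_transient( $key . '_locked', time(), EXAMPLE_LOCKOUT_DURATION );
        delete_transient( $key . '_count' );
        // Goes to the PHP error log (or wp-content/debug.log with WP_DEBUG_LOG).
        error_log( sprintf( 'Login lockout for %s after %d failures (username "%s")',
            isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown',
            $count, sanitize_user( $username ) ) );
    }
}
add_action( 'wp_login_failed', 'example_lockout_record_failure' );

// 2. Refuse authentication while locked. Priority 30 runs after WordPress's own
//    username/password check (priority 20), so the lock holds even when the
//    guessed password is correct. The message deliberately says nothing about
//    whether the username exists.
function example_lockout_block_if_locked( $user, $username, $password ) {
    if ( false !== get_transient( example_lockout_client_key() . '_locked' ) ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'example_lockout_block_if_locked', 30, 3 );

// 3. A successful login clears the failure counter for that client.
function example_lockout_clear( $user_login, $user ) {
    delete_transient( example_lockout_client_key() . '_count' );
}
add_action( 'wp_login', 'example_lockout_clear', 10, 2 );
```

Transients live in the options table (or the object cache), so the lockout survives across requests without any schema change; the error_log line is what you would watch for to notice a brute force run in progress.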
  • 35. WORDPRESS SECURITY Example – Brute Force Attack
  • 36. SO WHAT CAN I DO TO REDUCE MY RISK • Remove all unused Themes & Plugins • Monitor your website on a regular basis • Keep your site up to date • Change file permissions from standard defaults • Remove users and roles if they are not being used • Keep your production server tidy – It's not a backup server or file server
  • 37. WP USERS & THEIR ROLES Administrator Editor Author Contributor Subscriber
  • 38. SO IS YOUR SITE UP TO DATE MAJOR RELEASE VS. POINT RELEASE WP 3.6 – 3.7 Major Release Old calls & functions Core Security flaws Performance Issues Core related issues
  • 39. SO IS YOUR SITE UP TO DATE WP 3.7.1 POINT RELEASE WP 3.7.1 Point Release Bug Fix Security Updates Images with caption fixed visual editor fixed NOTE: Major and Minor updates still have the ability to bring your site down or cause issues. This is why you should always backup your production site. Replicate your site in a test environment and make sure that there are no errors and issues.
  • 40. TOOLS TO TEST YOUR SITE http://sucuri.net/ Software version Blacklisted Malware Malicious javascript Malicious Iframes Drive By Downloads Anomaly detection IE – only attacks Suspicious redirects Spam
  • 41. WORDPRESS SECURITY So what's a Theme ??? Themes will define the look and feel of your site. A child theme is a theme that inherits the functionality of another theme, called the parent theme. A child theme allows you to modify, or add to the functionality of that parent theme.
  • 42. WORDPRESS SECURITY A child theme is the safest and easiest way to modify an existing theme, whether you want to make a few tiny changes or extensive changes. Instead of modifying the theme files directly, you can create a child theme and override within.
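An added example (not code from the presentation) of the functions.php of a hypothetical child theme called "example-child" whose parent is assumed to be the bundled Twenty Thirteen theme; the hook callback names starting with twentythirteen_example_ are hypothetical placeholders for parent functions:

```php
<?php
// functions.php of the hypothetical child theme "example-child". Its style.css
// header is assumed to declare the parent:
//   Theme Name: Example Child
//   Template:   twentythirteen
// WordPress loads this file BEFORE the parent's functions.php, and any file in
// the child directory (header.php, single.php, ...) replaces the parent's file
// of the same name. Nothing in the parent is edited, so the parent can still be
// updated (and receive its security fixes) without wiping out your changes.

// Load the parent stylesheet, then the child stylesheet that overrides it.
function example_child_enqueue_styles() {
    wp_enqueue_style(
        'twentythirteen-parent-style',
        get_template_directory_uri() . '/style.css'    // parent theme directory
    );
    wp_enqueue_style(
        'example-child-style',
        get_stylesheet_directory_uri() . '/style.css', // child theme directory
        array( 'twentythirteen-parent-style' ),        // child CSS wins on conflicts
        wp_get_theme()->get( 'Version' )
    );
}
add_action( 'wp_enqueue_scripts', 'example_child_enqueue_styles' );

// Undoing something the parent hooks: because the parent's functions.php runs
// AFTER this file, a remove_action() at file load would find nothing to remove.
// Defer it to after_setup_theme, which fires once both files are loaded.
// 'twentythirteen_example_widgets' stands in for a real parent callback.
function example_child_unhook_parent() {
    remove_action( 'widgets_init', 'twentythirteen_example_widgets' );
}
add_action( 'after_setup_theme', 'example_child_unhook_parent', 20 );

// Parent functions wrapped in a function_exists() guard can be redefined here:
// since the child file runs first, the parent then skips its own definition.
// 'twentythirteen_example_tag' is again a placeholder for such a function.
if ( ! function_exists( 'twentythirteen_example_tag' ) ) {
    function twentythirteen_example_tag() {
        echo esc_html__( 'Customized by the child theme' );
    }
}
```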
  • 43. WORDPRESS SECURITY Responsive Design - Will resize the look and feel for Mobile devices such as smart phones, tablets, netbooks. Note: when purchasing themes look at the Developer's upgrade status. If the theme has not been updated in a while keep looking
  • 44. TIMTHUMB COMMERCIAL THEMES EXPLOITATION An image resizing utility called timthumb.php Bundled in some commercial / free Themes Remote Code Execution
  • 45. TIMTHUMB COMMERCIAL THEMES EXPLOITATION SQL Injection Vulnerability Google shows over 39 million results for the script name. If you find it fix it right away. This script is still active and a huge problem in the WP community
  • 46. CREATE A TEST ENVIRONMENT Used to develop or replicate a website in a local environment. Test themes / plugins / applications before they go live. Use a staging environment for testing for viruses / defects
  • 47. PLUGINS EXPLAINED What's a WP Plugin ??? WP plugins are used to add additional functionality to your site. Including: security, performance, calendars, social media, fonts, custom features, site backups. Before installing a plugin make sure it's compatible with your version of WP, review the author and make sure they keep up to date with current WP versions and standards and best practices
  • 48. SOME KICK ASS PLUGINS Limit login attempts WP security Google authentication DEVELOPMENT TOOLS Notepad Plus Asana.com – used for project management
  • 49. CREATE A TEST ENVIRONMENT Microsoft Webmatrix BitNami WordPress local install
  • 50. CREATE A TEST ENVIRONMENT TOOLS FOR CREATING A LOCAL TEST ENVIRONMENT Microsoft Webmatrix http://www.microsoft.com/web/webmatrix/ Installing Webmatrix may not work correctly if you have Skype installed, which also uses port 80, or any other program that uses port 80. It also requires some file modification to move it from test environment to production
  • 51. CREATE A TEST ENVIRONMENT Bitnami.com Simple application deployment from development to production. Bitnami supports Windows, Mac OS X and Linux operating systems, VMware virtualized environments. You can also use a subdirectory on your production website
  • 52. CREATE A TEST ENVIRONMENT Local development also requires software to run the local database. Xampp - http://www.apachefriends.org/en/xampp.html Wamp - http://sourceforge.net/projects/wampserver/ The following two packages use localhost for development. The package includes the Apache web server, MySQL, SQLite, PHP, Perl, an FTP
  • 53. CONCLUSION TO THE PRESENTATION Question & Answers Contact Info Garry McNeilly Kojac Consulting www.kojac-consulting.com garry@kojac-consulting.com Phone: 416-898-9084 WordPress Security 101 . Hackers, Scoundrels, and Villains, Oh my