Real Security for WordPress - Cut through the noise and the false sense of security. Dre Armeda presents a no nonsense approach to reducing risk with WordPress.
WordPress security best practices - WordCamp Waukesha 2017
1. Real Security for WordPress
Life, Liberty, and the Pursuit of Risk Reduction
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
2. Dre Armeda
CEO, Co-Founder of Sucuri Inc. – sucuri.net
Co-Host of The DradCast – dradcast.com
@dremeda | dre.im
I wear many hats, and love tacos
Harley enthusiast & Chargers fan
Infatuated with WordPress & web security.
I hope to make the internet a safer place!
3. The Internet Rocks
With adoption and growth comes innovation!
- Over 2 billion internet users today
- 480% growth in the last 11 years (Internet World Stats)
- 100k+ domains gained weekly (Global Domain Registry)
- 2 billion sites in 2015 (Toni Schneider – CEO, Automattic)
4. It’s Not All Peachy
Innovative thinking sparks risk
Malware, short for malicious software, is software designed to disrupt operations, gather information, or gain unauthorized access.
- Monitor your website browsing & internet usage
- Forced advertising
- Redirect affiliate marketing revenue
5. How Bad is it?
Pretty bad, and getting worse.
- 2 million+ new malware strings monthly (McAfee)
- Costs US consumers over $2bil yearly (Consumer Reports)
- Google issues 3mil+ warnings daily (Google)
- Google blacklists 10k websites daily on avg. (Google)
6. How Does This Happen?
A new type of webmaster!
7. Am I At Risk?
Ever See a Dodo Bird?
The percentage of risk will never be zero!
8. What Can We do?
Be smart. Be consistent. Cut out the noise!
9. Cut Out The Noise
K.I.S.S.
- Keep Software Updated
- No Soup Kitchen Servers
- Reduce Access
- Password Management
- Backup Schedule
10. Keep Software Updated
Information Security is everyone’s responsibility
- Leading cause of infection, along with passwords
- Scared to upgrade because stuff breaks?
- Major vs. point release
- Run upgrade tests
- Do your homework
11. No Soup Kitchen Servers
Production is not your archive server!
- WordPressers act like they forgot about DEV
- Cross-contamination is a big deal
- Segment by user and account
- Not active? Not good enough. If it’s not in use, get rid of it
12. Reduce Access
Least privilege to some, no privilege for most.
Give people enough access to do their job, nothing more; remove access when they complete their job!
- Use proper roles
- This goes for WordPress, FTP, DBs, etc.
- Limit failed logins to thwart brute force
- Practice two-factor auth & layered login
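One way to act on "limit failed logins" from inside WordPress itself, as an added example that is not code from the talk or from Sucuri: a small plugin that counts failures per client IP and username in a transient and refuses authentication once a threshold is reached. The plugin name, the threshold of 5 attempts and the 15-minute window are assumptions.

```php
<?php
/**
 * Plugin Name: Example Failed-Login Limiter
 * Description: Added example, not part of the talk. Locks an IP/username pair
 * out after repeated failed logins using WordPress transients.
 */

const EXLIM_MAX_ATTEMPTS   = 5;    // failures allowed before lockout (assumed value)
const EXLIM_WINDOW_SECONDS = 900;  // 15-minute counting window and lockout (assumed value)

// Key the counter on client IP + username so a single noisy source cannot lock
// everyone out. Behind a proxy or CDN, REMOTE_ADDR is the proxy; map the real
// client address there before relying on this.
function exlim_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'exlim_' . md5( $ip . '|' . strtolower( (string) $username ) );
}

// Core fires this action on every failed login (wp-login.php and XML-RPC alike).
// Each failure re-sets the transient, so the window slides forward.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = exlim_key( $username );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EXLIM_WINDOW_SECONDS );
}, 10, 1 );

// Run late (priority 100, after core's password check at priority 20) so the
// final answer is the lockout error even if the password entered was correct.
// Returning a WP_Error also fires wp_login_failed, which extends the lockout.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) ) {
        return $user;
    }
    $count = (int) get_transient( exlim_key( $username ) );
    if ( $count >= EXLIM_MAX_ATTEMPTS ) {
        return new WP_Error(
            'exlim_locked',
            sprintf( 'Too many failed logins. Try again in %d minutes.', EXLIM_WINDOW_SECONDS / 60 )
        );
    }
    return $user;
}, 100, 3 );

// Clear the counter on a successful login so a legitimate user who fat-fingered
// a password a few times is not punished later in the window.
add_action( 'wp_login', function ( $user_login ) {
    delete_transient( exlim_key( $user_login ) );
}, 10, 1 );
```

Drop the file into wp-content/plugins/ and activate it; pair it with the audit log of your host or security plugin so lockouts are visible, not silent.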
13. Let’s Hack a Website
All you need is a couple of minutes.
14. Password Management
“Password” is a password not to be used as your password, ever!
- “Password” is still a top-5 actively used password
- Use unique passphrases
- Use different passwords across accounts
- Use password management tools
15. Backup Schedule
When they hack you, reduce downtime.
- Create a schedule today!
- Back up outside of your production environment
- Multiple backups are awesome
- Talk to your host to see what they offer
- Various tools are available
16. Tools & Services
Great tools and services to help you reduce risk.
Backups: Backup Buddy, VaultPress
Password Management: LastPass, KeePass Password Safe, 1Password
Malware Scanning: Sucuri SiteCheck, UnMask Parasites
Malware Cleanup: Sucuri
Two-Factor Auth: Google Authenticator
Limit Failed Logins: Limit Login Attempts
Sucuri (WP Plugin)
17. Thank You For Listening
Now go, reduce risk. Go!