WordPress is used by 25-30% of websites but faces security risks. Hackers target WordPress sites to install malware, send spam, or steal information. The top reasons WordPress sites get hacked are outdated software, themes, and plugins. Site owners can reduce risk by limiting access, using security plugins, regularly updating WordPress and its plugins, choosing secure hosting, and strengthening login protections.
4. #pubcon @schachin
State of Security
• As of March 2016, Google reports that over 50 million website users
have been greeted with some form of warning that websites visited
were either trying to steal information or install malicious software.
In March 2015, that number was 17 million.
Google currently blacklists close to ~20,000 websites a week for
malware and another ~50,000 a week for phishing. PhishTank alone
flags over 2,000 websites a week for phishing.
https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf
5. #pubcon @schachin
WordPress is used by between 25% and 30% of sites
(or 10 million sites, if Gary Illyes is correct; either way, it is a lot!)
6. #pubcon @schachin
“Over a third of the websites online are powered by four key platforms: WordPress, Joomla!, Drupal,
and Magento. WordPress is leading the CMS market with over 60% market share.
This explosion and dominance by WordPress is facilitated by global-user adoption, a highly
extensible platform and focus on end users. Other platform technologies have experienced growth in
more niche markets, like Magento in the online commerce domain with large and enterprise
organizations, and Drupal in large, enterprise, and federal organizations.”
https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf
WordPress is King!
12. #pubcon @schachin
https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf
Approximately 31% of all infection cases are misused for SEO spam campaigns (either
through PHP, database injections or .htaccess redirections) where the site was infected with spam
content or redirected visitors to spam-specific pages.
The content used is often in the form of pharmaceutical ad placements (i.e., erectile dysfunction,
Viagra, Cialis, etc.) and includes other injections for industries like Fashion and Entertainment (i.e.,
Casino, Porn).
#1 REASON for Getting Hacked on WordPress – SEO SPAM!
17. #pubcon @schachin
• SEO – multiple uses here, including DDoS
• SPAM – site used to send spam emails
• MALWARE – hides the origin of the malware
• THEFT – passwords, credit card information, banking information, etc.
• ATTACKING OTHER SITES – sometimes a hacker’s objective is to make a website unavailable to users.
Why Would Anyone Want to Hack Your WordPress Website?
24. #pubcon @schachin
• Secure wp-config.
Makes accessing specific parts of your WordPress installation more difficult. Secure your
wp-config.php file by moving it one directory above your WordPress installation.
• File Editor.
Disable the File Editor in the WordPress admin panel, which means a hacker will require FTP
access to reach core and theme files.
• Limit Roles.
Limiting access also includes the use of appropriate user roles. Don’t assign an
administrator role unless a person actually requires admin functionality.
Access – Has it been limited?
25. #pubcon @schachin
State of Security
“… out of the 11,000 + infected websites analyzed, 75% of them were on
the WordPress platform and over 50% of those websites were out of
date. Compare that to other similar platforms that placed less emphasis
on backwards compatibility, like Joomla! and Drupal, the percentage of
out-of-date software was above 80%.”
~ Sucuri
https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf
26. #pubcon @schachin
Update. Update. Update.
Typically the biggest hole in a WordPress site.
Update not only WordPress, but …
- Inactive themes and plugins (better to delete them)
- Plugins
- Check that all plugins have updates
- If a plugin has not been updated in some time, take it off the site.
A good example is W3Cache.
Security
27. #pubcon @schachin
Two Most Popular Security Tools
• WordFence.
– one of the most popular security plug-ins.
• Sucuri
– a step above just a security plug-in: with their paid service you get 24/7 server-side
monitoring, including databases and file changes.
• Here is a list of other malware tools for WordPress.
Security Plug-Ins
28. #pubcon @schachin
BE VERY CAREFUL TO NEVER use the ONLY WHITE LIST IPs setting in any security plug-in.
An IP allow-list treats every unlisted address as unknown, so it can end up blocking search engine crawlers.
Security Plug-Ins
30. #pubcon @schachin
Hosting is one of the most important ways to prevent hacking attempts.
What should I look for in a good host?
• Database Support. Support for the latest versions of PHP and MySQL.
• Security & Malware Scanning. They should perform regular scans for malware.
• Backups. The company should perform daily backups.
• Site Support. It is helpful to have support to chat with if your site does get hacked.
• WordPress-Specific Hosting. WordPress has a unique set of issues, not only with security but
with how it loads. WordPress hosting providers have specialized in addressing these issues.
Review of hosting providers: https://fancythemes.com/best-wordpress-hosting-providers/
Hosting
32. #pubcon @schachin
• SSL (HTTPS) is an added layer of security on your site and provides a
slight ranking boost in Google.
• Don’t get FREE certificates.
Go to a reputable hosting company and purchase one.
• SEO Caveat. There are many SEO issues related to moving from http
to https, so make sure you have checked those off.
– Aleyda Solis has created an excellent checklist.
https://docs.google.com/spreadsheets/d/1XB26X_wFoBBlQEqecj7HB79hQ7DTLIPo97SS5irwsK8/edit#gid=1975121463
Hosting + SSL
34. #pubcon @schachin
Securing your Logins.
• Frequently change your passwords
• Avoid using the admin username
• Create a strong password
• Force users to use strong passwords with Force Strong Passwords
• Store passwords in a secure place like LastPass
You can take it one step further and …
• Limit login attempts. Plugins like Wordfence, Sucuri, Login LockDown and Login Security Solution enable you to
constrain the number of login attempts from a single IP address within a certain amount of time. Perfect for keeping
brute force attacks at bay.
• Employ two-step authentication. Adds a second layer of security that can only be passed by means of your cell phone,
social network account or similar. Options include Duo Two-Factor Authentication, OpenID, and Clef.
• Hide your login page. Moving wp-admin and wp-login to non-standard addresses makes it harder for hackers to attack
them. You can do so via Rename wp-login.php, HideLogin+ or Lockdown WP Admin.
http://torquemag.io/2016/03/wordpress-sites-hacked/
Logins
36. #pubcon @schachin
Plugins
These were the top three out-of-date, vulnerable plugins at the point at which a website engaged Sucuri for
incident response services.
https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf
37. #pubcon @schachin
• Get it from a known source like Yoast, Sucuri or Wordfence
– Hackers, SEOs, affiliate marketers and others create legitimate-looking plugins to get backdoor access to
your site
• Check the last update by the developer
– If it has not been updated recently, it is likely vulnerable.
• Check reviews; sometimes good plugins go bad
• Check the number of installations
Plugins
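The plugin checklist above (last update, reviews, install count) can be applied mechanically to a plugin's metadata before it goes on a site. The Python below is an added example, not the deck's own material: it scores constructed plugin records against those criteria. The field names (last_updated, active_installs, rating, num_ratings, tested) are assumed to follow the WordPress.org plugin information API, with rating on a 0-100 scale; the dates are constructed in ISO format for simplicity, and the thresholds are the example's own choices.

```python
from datetime import date

# Constructed sample metadata for three plugins; slugs and numbers are invented.
SAMPLE_PLUGINS = [
    {"slug": "well-maintained", "last_updated": "2016-03-01", "active_installs": 1000000,
     "rating": 96, "num_ratings": 4200, "tested": "4.4.2"},
    {"slug": "abandoned-widget", "last_updated": "2013-11-20", "active_installs": 3000,
     "rating": 80, "num_ratings": 12, "tested": "3.7"},
    {"slug": "gone-bad", "last_updated": "2016-02-15", "active_installs": 50000,
     "rating": 42, "num_ratings": 310, "tested": "4.4.2"},
]


def assess_plugin(info, today, max_age_days=365, min_installs=10000, min_rating=70):
    """Apply the checklist to one plugin record and return a verdict with reasons.

    - stale (no update for more than max_age_days): verdict "replace"
    - small install base or poor rating: verdict "review"
    - otherwise: verdict "ok"
    Thresholds are assumptions chosen for this example.
    """
    issues = []
    age_days = (today - date.fromisoformat(info["last_updated"])).days
    if age_days > max_age_days:
        issues.append(f"not updated for {age_days} days")
    if info["active_installs"] < min_installs:
        issues.append(f"only {info['active_installs']} active installs")
    if info["rating"] < min_rating:
        issues.append(f"rating {info['rating']}/100 from {info['num_ratings']} reviews")

    if age_days > max_age_days:
        verdict = "replace"          # an abandoned plugin will not get security fixes
    elif issues:
        verdict = "review"           # worth a closer look before (or after) installing
    else:
        verdict = "ok"
    return {"slug": info["slug"], "verdict": verdict, "issues": issues}


def audit_installed(plugins, today):
    """Assess every plugin record and key the results by slug."""
    return {p["slug"]: assess_plugin(p, today) for p in plugins}


if __name__ == "__main__":
    for slug, result in audit_installed(SAMPLE_PLUGINS, date(2016, 4, 1)).items():
        print(f"{slug}: {result['verdict']} {result['issues']}")
```

The same records can be fetched live from the WordPress.org plugin information API and passed through audit_installed; the staleness rule is the one the deck stresses most, which is why it alone produces a "replace" verdict.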
39. #pubcon @schachin
Add SALTs To wp-config.php
• WordPress security keys were introduced in WordPress 2.6.
• SALTs encrypt user cookies and make it more difficult to access this data.
The keys go into your wp-config.php file here:
http://torquemag.io/2016/03/wordpress-sites-hacked/
Advanced
40. #pubcon @schachin
Add SALTs To wp-config.php (cont.)
Replace them with code from the WordPress SALT generator and you get something like this …
http://torquemag.io/2016/03/wordpress-sites-hacked/
Advanced
41. #pubcon @schachin
Hide Your WP Version Number
• WordPress adds a meta tag to your site’s head section that shows off which version of the CMS you are
running. Knowing what version you are using helps hackers know what vulnerabilities are in your site.
Below is a useful piece of code that stops WordPress from doing so:
– remove_action('wp_head', 'wp_generator');
Just add it to your functions.php file and you are done with it.
http://torquemag.io/2016/03/wordpress-sites-hacked/
Advanced
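Three of the deck's hardening steps are settings in two PHP files: disabling the File Editor in wp-config.php (the "Access" slide), replacing the placeholder security keys and salts in wp-config.php (the "Add SALTs" slides), and removing the wp_generator hook in functions.php (this slide). The Python below is an added example, not code from the deck or from WordPress, that audits copies of those files for all three. It assumes the File Editor is disabled by define('DISALLOW_FILE_EDIT', true), that untouched keys still read "put your unique phrase here", and it generates hardened sample keys locally with Python's secrets module instead of the WordPress SALT generator; the sample file contents are constructed. Moving wp-config.php up one directory is a filesystem change and is not checked here.

```python
import re
import secrets

# The eight constants WordPress expects in wp-config.php.
KEY_NAMES = ["AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT"]

PLACEHOLDER = "put your unique phrase here"

# Constructed weak wp-config.php excerpt: default placeholders, editor not disabled.
WEAK_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\n" + "".join(
    f"define('{k}', '{PLACEHOLDER}');\n" for k in KEY_NAMES
) + "define('WP_DEBUG', false);\n"

# Constructed hardened excerpt: 64-character random keys and the editor disabled.
# (secrets.token_urlsafe(48) is this example's stand-in for the WordPress SALT generator.)
HARDENED_CONFIG = "<?php\ndefine('DB_NAME', 'wp');\n" + "".join(
    f"define('{k}', '{secrets.token_urlsafe(48)}');\n" for k in KEY_NAMES
) + "define('DISALLOW_FILE_EDIT', true);\n"

# Matches define('NAME', value); with a quoted string, a boolean or any other literal.
DEFINE_RE = re.compile(r"""define\(\s*['"]([A-Z_]+)['"]\s*,\s*(.+?)\s*\)\s*;""")


def parse_defines(php_text):
    """Extract define() constants from PHP text into a dict of Python values."""
    defs = {}
    for name, raw in DEFINE_RE.findall(php_text):
        raw = raw.strip()
        if raw[:1] in "'\"" and raw[-1:] == raw[:1]:
            defs[name] = raw[1:-1]                 # quoted string
        elif raw.lower() in ("true", "false"):
            defs[name] = raw.lower() == "true"     # boolean
        else:
            defs[name] = raw                       # leave other literals as text
    return defs


def audit_wp_config(php_text, min_key_len=32):
    """Return a list of findings for wp-config.php; an empty list means both checks pass."""
    defs = parse_defines(php_text)
    findings = []
    for k in KEY_NAMES:
        value = defs.get(k)
        if value is None or value == PLACEHOLDER or len(value) < min_key_len:
            findings.append(f"{k}: missing, default placeholder, or shorter than {min_key_len} characters")
    if defs.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true: theme/plugin editor is reachable from wp-admin")
    return findings


def audit_functions_php(php_text):
    """Return a finding unless functions.php unhooks wp_generator from wp_head."""
    if re.search(r"remove_action\(\s*['\"]wp_head['\"]\s*,\s*['\"]wp_generator['\"]\s*\)", php_text):
        return []
    return ["wp_generator still hooked: the WordPress version meta tag is emitted in <head>"]


if __name__ == "__main__":
    print("weak config:", audit_wp_config(WEAK_CONFIG))
    print("hardened config:", audit_wp_config(HARDENED_CONFIG))
    print("functions.php:", audit_functions_php("<?php\nremove_action('wp_head', 'wp_generator');\n"))
```

Run the audit functions over the real files (read with open() in place of the constructed strings) after each deployment; a non-empty result is a regression of one of the three settings.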