SlideShare una empresa de Scribd logo

Seravo.com: WordPress Security 101

Seravo
Seravo

There are many alternative facts concerning WordPress website security. What is really important and what is not?

Tecnología
1 de 42
Descargar para leer sin conexión
WORDPRESS SECURITY 101 what is important – and what is not © Seravo 2017
DEFINITION OF INFORMATION SECURITY 1. Confidentiality 2. Integrity 3. Availability
You must keep your WordPress site secure.
POTENTIAL CONSEQUENCES ● Corrupted orders database: webshop unable to ship anything or resolve payments ● Leaked customer database: angry customers, lawsuit for neglect of privacy laws ● Visitors get redirected to shady sites: lost reputation, marketing budget goes in vain ● Site spreads malware: Google might detect and ban from showing up in search results ● Site sends spam: could become blacklisted and legit email stops working
“BUT MY SITE IS NOT IMPORTANT!” Your site can be used to mount further attacks! If you have clearly neglected the maintenance of your own site, you could be held partly liable for attacks on other sites.
What is REALLY important in keeping your WordPress site secure?
AVENUES OF UNAUTHORISED ACCESS: 1. Leaked passwords 2. Software vulnerabilities
LEAKED PASSWORDS
Remember password hygiene seravo.fi/2014/password-hygiene-every-mans-responsibility
HTTPS, SFTP, SSH Never submit passwords over an unencrypted connection!
Enforce HTTPS in WordPress 1. Your server needs to support HTTPS 2. Enforce in wp-config.php with: define('FORCE_SSL_ADMIN', true);
Use captcha to avoid robot users Google reCaptcha recommended
SOFTWARE VULNERABILITIES
MINIMIZE VULNERABILITIES 1. Minimize the attack surface by minimizing the amount of software you have 2. For the software you really need, make sure you have updated to latest releases
HOW SECURE IS WORDPRESS CORE? Security bugs per 1000 lines of code written All time: 0,1 (204 CVE entries per 2,1 million lines of code) In 2015: 0,05 (11 CVE entries per 236 000 lines of code)
WORDPRESS CORE IS SECURE.
THE PROBLEM IS THE PLUGINS.
Combined core, plugin and theme vulnerability database: wpvulndb.com
Example case: Mossack Fonseca aka Panama papers ● The site www.mossfon.com was running WordPress ● Unauthorized access of WP lead to unauthorized access of MS Exchange email server on internal network and other sites at *.mossfon.com ● The intruders most likely came through an old and insecure version of the Revolution Slider plugin. ○ Well known vulnerability, WordPress.org even has a patch as a separate plugin (https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not available at WordPress.org.
Example case: Mossack Fonseca aka Panama papers ● Case analysis at https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulner able-slider-revolution/
WP PLUGIN REVIEW GUIDELINES FOR CAPITALISTS* If the logo is red and name contains revolution, don’t install it on your system! * a small dose of parody can’t hurt?
PLUGIN SECURITY 1. Minimize the attack surface by minimizing the amount of plugins (and themes) you have 2. For the plugins you really need, make sure you have updated to latest releases You will not minimize vulnerabilities by installing more plugins!
WordPress is insecure! Quickly, install a security plugin!
NO
DON’T WASTE TIME ON ● removing generator meta or hiding version numbers ● hiding login errors ● changing wp-admin location ● disabling xmlrpc ● removing readme.html or other files Only for WP geeks who love to research the pros and cons. For normal users WordPress default settings are secure.
FALSE SENSE OF SECURITY Feels like a lot has been done when really very little has.
Example: useless readme.html blocking = don’t!
Example: useless readme.html blocking Versions leak anyway
Example: useless readme.html blocking Disclaimer: WordFence was used just as an example. It still the best guy in town. Many other security plugins are much worse. ..and other WordPress integrity checks trigger
SECURITY PLUGINS ARE NOT THE SOLUTION Scan results require interpretation. Recommended only for professionals.
The only recommended ones: WPScan and Google Webmaster Tools Almost no false positives and no business model based on spreading fear.
IF YOU RUN YOUR OWN SERVER Also remember to harden and keep updated ● operating system ● web server ● database server ● PHP environment
INSTALL ONLY FROM TRUSTED SOURCES Avoid random 3rd party repositories that don’t have any maintenance policy.
PROTECTION AGAINST DDOS What if the problem is not unauthorized access but the lack of authorized access?
DENIAL OF SERVICE ATTACKS Detect, withstand and block ● high performance servers and good caching ● detect repeated offenders and block at network level ○ e.g. failtoban + iptables ● detect and block at http level ○ e.g. Nginx rate limiting ● If you are trying to block at PHP/WordPress level, you’ve already lost DDOS is a constant race of new techniques of attack and defence. Try to find a good hosting provider that takes care of DDOS at least on the network level.
BACKUP AND RECOVERY Because some day, sooner or later, everything else fails.
BACKUP GUIDELINES 1/2 Make sure your backup system meets these requirements ● automatic: not dependant on human action ● complete: both files and database ● incremental with a history: at least 30 days ● frequent: daily is good
BACKUP GUIDELINES 2/2 ● offsite: in case access to the original site is lost ● pull, not push: original site should not have access to the backups, otherwise an attacker can delete both the original site and all backups Personal favourite: mysqldump + rdiff-backup over SSH
ONCE MORE WITH A FEELING
WORDPRESS SECURITY 101 1. Always follow password hygiene. 2. Use captchas to stall robot users. 3. Use HTTPS (and SFTP and SSH) – never submit passwords in plain text on any network connection. 4. Remove unnecessary software to reduce attack surface. 5. Keep WordPress plugins and all other software too updated to have all known vulnerability fixes installed. 6. Install software and update only from trusted sources. 7. Have a good backups system in place. 8. Choose a good service provider and trust them to take care of the rest.
THANK YOU! SERAVO.COM wordpress@seravo.com Twitter: @Seravocom

Recomendados

Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingOtto Kekäläinen
 
Use Xdebug to profile PHP
Use Xdebug to profile PHPUse Xdebug to profile PHP
Use Xdebug to profile PHPSeravo
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen
 
Less and faster – Cache tips for WordPress developers
Less and faster – Cache tips for WordPress developersLess and faster – Cache tips for WordPress developers
Less and faster – Cache tips for WordPress developersSeravo
 
Find WordPress performance bottlenecks with XDebug PHP profiling
Find WordPress performance bottlenecks with XDebug PHP profilingFind WordPress performance bottlenecks with XDebug PHP profiling
Find WordPress performance bottlenecks with XDebug PHP profilingOtto Kekäläinen
 
Search in WordPress - how it works and howto customize it
Search in WordPress - how it works and howto customize itSearch in WordPress - how it works and howto customize it
Search in WordPress - how it works and howto customize itOtto Kekäläinen
 
10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...Otto Kekäläinen
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Projectxsist10
 

Recomendados

Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingOtto Kekäläinen
 
Use Xdebug to profile PHP
Use Xdebug to profile PHPUse Xdebug to profile PHP
Use Xdebug to profile PHPSeravo
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017Otto Kekäläinen
 
Less and faster – Cache tips for WordPress developers
Less and faster – Cache tips for WordPress developersLess and faster – Cache tips for WordPress developers
Less and faster – Cache tips for WordPress developersSeravo
 
Find WordPress performance bottlenecks with XDebug PHP profiling
Find WordPress performance bottlenecks with XDebug PHP profilingFind WordPress performance bottlenecks with XDebug PHP profiling
Find WordPress performance bottlenecks with XDebug PHP profilingOtto Kekäläinen
 
Search in WordPress - how it works and howto customize it
Search in WordPress - how it works and howto customize itSearch in WordPress - how it works and howto customize it
Search in WordPress - how it works and howto customize itOtto Kekäläinen
 
10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...Otto Kekäläinen
 
PHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source ProjectPHP SA 2014 - Releasing Your Open Source Project
PHP SA 2014 - Releasing Your Open Source Projectxsist10
 
Automatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesAutomatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesOtto Kekäläinen
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusioncfjedimaster
 
Drupal Development Tips
Drupal Development TipsDrupal Development Tips
Drupal Development TipsChris Tankersley
 
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”Valent Mustamin
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPressJoseph Scott
 
The GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressThe GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressSarah Dutkiewicz
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Mastering WordPress Vol.1
Mastering WordPress Vol.1Mastering WordPress Vol.1
Mastering WordPress Vol.1Wataru OKAMOTO
 
Word camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityWord camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityDavid Wilemski
 
WordPress Need For Speed
WordPress Need For SpeedWordPress Need For Speed
WordPress Need For Speedpdeschen
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPressvnsavage
 
Introduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap BuildIntroduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap BuildMartin de Keijzer
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)WordCamp Cape Town
 
JS digest. Decemebr 2017
JS digest. Decemebr 2017JS digest. Decemebr 2017
JS digest. Decemebr 2017ElifTech
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesGovLoop
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...OVHcloud
 
Why it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do itWhy it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do itOnni Hakala
 
04 web optimization
04 web optimization04 web optimization
04 web optimizationNguyen Duc Phu
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017Otto Kekäläinen
 
Testing and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsTesting and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsOtto Kekäläinen
 

Más contenido relacionado

La actualidad más candente

Automatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesAutomatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesOtto Kekäläinen
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusioncfjedimaster
 
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”Valent Mustamin
 
The GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressThe GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressSarah Dutkiewicz
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Mastering WordPress Vol.1
Mastering WordPress Vol.1Mastering WordPress Vol.1
Mastering WordPress Vol.1Wataru OKAMOTO
 
Word camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityWord camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityDavid Wilemski
 
WordPress Need For Speed
WordPress Need For SpeedWordPress Need For Speed
WordPress Need For Speedpdeschen
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPressvnsavage
 
Introduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap BuildIntroduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap BuildMartin de Keijzer
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)WordCamp Cape Town
 
JS digest. Decemebr 2017
JS digest. Decemebr 2017JS digest. Decemebr 2017
JS digest. Decemebr 2017ElifTech
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringConrad Cruz
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Conrad Cruz
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesGovLoop
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...OVHcloud
 
Why it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do itWhy it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do itOnni Hakala
 

La actualidad más candente (20)

Automatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesAutomatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themes
 
Using WebSockets with ColdFusion
Using WebSockets with ColdFusionUsing WebSockets with ColdFusion
Using WebSockets with ColdFusion
 
Drupal Development Tips
Drupal Development TipsDrupal Development Tips
Drupal Development Tips
 
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
High Performance Wordpress: “Faster, Cheaper, Easier : Pick Three”
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPress
 
The GiveCamp Guide to WordPress
The GiveCamp Guide to WordPressThe GiveCamp Guide to WordPress
The GiveCamp Guide to WordPress
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
 
Mastering WordPress Vol.1
Mastering WordPress Vol.1Mastering WordPress Vol.1
Mastering WordPress Vol.1
 
Word camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityWord camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurity
 
WordPress Need For Speed
WordPress Need For SpeedWordPress Need For Speed
WordPress Need For Speed
 
High Performance WordPress
High Performance WordPressHigh Performance WordPress
High Performance WordPress
 
Introduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap BuildIntroduction to PhoneGap and PhoneGap Build
Introduction to PhoneGap and PhoneGap Build
 
Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)Roy foubister (hosting high traffic sites on a tight budget)
Roy foubister (hosting high traffic sites on a tight budget)
 
JS digest. Decemebr 2017
JS digest. Decemebr 2017JS digest. Decemebr 2017
JS digest. Decemebr 2017
 
Aeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filteringAeon mike guide transparent ssl filtering
Aeon mike guide transparent ssl filtering
 
Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)Aeon mike guide transparent ssl filtering (1)
Aeon mike guide transparent ssl filtering (1)
 
WordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sitesWordPress.org & Optimizing Security for your WordPress sites
WordPress.org & Optimizing Security for your WordPress sites
 
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
Web agencies: An analysis of the OVH infrastructure to optimise your web proj...
 
Why it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do itWhy it's dangerous to turn off automatic updates and here's how to do it
Why it's dangerous to turn off automatic updates and here's how to do it
 
04 web optimization
04 web optimization04 web optimization
04 web optimization
 

Destacado

WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017Otto Kekäläinen
 
Testing and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsTesting and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsOtto Kekäläinen
 
My Profile ATL,BTL & Digital Marketing
My Profile ATL,BTL & Digital Marketing My Profile ATL,BTL & Digital Marketing
My Profile ATL,BTL & Digital Marketing Nihit Gandhi
 
Richmen BTL Marketing Corporate Profile
Richmen BTL Marketing Corporate ProfileRichmen BTL Marketing Corporate Profile
Richmen BTL Marketing Corporate ProfileMohit Shankhdhar
 
Richmen credentials interactive displays nv
Richmen credentials interactive displays nvRichmen credentials interactive displays nv
Richmen credentials interactive displays nvMohit Shankhdhar
 
Edge marketing profile - BTL and digital
Edge marketing profile - BTL and digitalEdge marketing profile - BTL and digital
Edge marketing profile - BTL and digitalVarun Wahi
 
Experiential Marketing
Experiential MarketingExperiential Marketing
Experiential MarketingChristy Belden
 
Brand activation - Do something awesome with people (English version)
Brand activation - Do something awesome with people (English version)Brand activation - Do something awesome with people (English version)
Brand activation - Do something awesome with people (English version)Pointvoucher
 
Panadol Patch Activation Proposal
Panadol Patch Activation Proposal Panadol Patch Activation Proposal
Panadol Patch Activation Proposal Anto Soeyono
 
Brand Innovation and Activation
Brand Innovation and ActivationBrand Innovation and Activation
Brand Innovation and ActivationYanuar Rahman
 
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...Synergy Integrated MarCom India Pvt. Ltd.
 
TimTam Activation Proposal
TimTam Activation ProposalTimTam Activation Proposal
TimTam Activation ProposalAnto Soeyono
 
Brand activation
Brand activationBrand activation
Brand activationAli Hadi
 
Brand activation, BTL Activation, Brand Promotion, Road Shows
Brand activation, BTL Activation, Brand Promotion, Road ShowsBrand activation, BTL Activation, Brand Promotion, Road Shows
Brand activation, BTL Activation, Brand Promotion, Road ShowsGreen Flag Technologies
 
HartmanEvent - Disruptive governance thinking for the masses
HartmanEvent - Disruptive governance thinking for the massesHartmanEvent - Disruptive governance thinking for the masses
HartmanEvent - Disruptive governance thinking for the massesAntony Clay
 
Gardners Mi Overview
Gardners Mi OverviewGardners Mi Overview
Gardners Mi Overviewlancesfa
 
I Primi 100 giorni del governo Prodi
I Primi 100 giorni del governo ProdiI Primi 100 giorni del governo Prodi
I Primi 100 giorni del governo Prodicapitan_jo
 

Destacado (20)

WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
 
Testing and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsTesting and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressions
 
My Profile ATL,BTL & Digital Marketing
My Profile ATL,BTL & Digital Marketing My Profile ATL,BTL & Digital Marketing
My Profile ATL,BTL & Digital Marketing
 
Richmen BTL Marketing Corporate Profile
Richmen BTL Marketing Corporate ProfileRichmen BTL Marketing Corporate Profile
Richmen BTL Marketing Corporate Profile
 
Richmen credentials interactive displays nv
Richmen credentials interactive displays nvRichmen credentials interactive displays nv
Richmen credentials interactive displays nv
 
Edge marketing profile - BTL and digital
Edge marketing profile - BTL and digitalEdge marketing profile - BTL and digital
Edge marketing profile - BTL and digital
 
Marconix BTL
Marconix BTLMarconix BTL
Marconix BTL
 
"Below The Line" Presentation
"Below The Line" Presentation"Below The Line" Presentation
"Below The Line" Presentation
 
Experiential Marketing
Experiential MarketingExperiential Marketing
Experiential Marketing
 
Brand activation - Do something awesome with people (English version)
Brand activation - Do something awesome with people (English version)Brand activation - Do something awesome with people (English version)
Brand activation - Do something awesome with people (English version)
 
Panadol Patch Activation Proposal
Panadol Patch Activation Proposal Panadol Patch Activation Proposal
Panadol Patch Activation Proposal
 
Brand Innovation and Activation
Brand Innovation and ActivationBrand Innovation and Activation
Brand Innovation and Activation
 
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
BTL,Onground activation, Offline advertising, Promotion, On ground promotions...
 
TimTam Activation Proposal
TimTam Activation ProposalTimTam Activation Proposal
TimTam Activation Proposal
 
Brand activation
Brand activationBrand activation
Brand activation
 
Brand activation, BTL Activation, Brand Promotion, Road Shows
Brand activation, BTL Activation, Brand Promotion, Road ShowsBrand activation, BTL Activation, Brand Promotion, Road Shows
Brand activation, BTL Activation, Brand Promotion, Road Shows
 
HartmanEvent - Disruptive governance thinking for the masses
HartmanEvent - Disruptive governance thinking for the massesHartmanEvent - Disruptive governance thinking for the masses
HartmanEvent - Disruptive governance thinking for the masses
 
Gardners Mi Overview
Gardners Mi OverviewGardners Mi Overview
Gardners Mi Overview
 
Sensei kukikan
Sensei kukikanSensei kukikan
Sensei kukikan
 
I Primi 100 giorni del governo Prodi
I Primi 100 giorni del governo ProdiI Primi 100 giorni del governo Prodi
I Primi 100 giorni del governo Prodi
 

Similar a Seravo.com: WordPress Security 101

WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...Otto Kekäläinen
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012Angela Bowman
 
Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Nicholas Batik
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014Primary Image Ltd
 
Care and feeding of your website
Care and feeding of your websiteCare and feeding of your website
Care and feeding of your websiteShawn DeWolfe
 
Security, more important than ever!
Security, more important than ever!Security, more important than ever!
Security, more important than ever!Marko Heijnen
 
A Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfA Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfHost It Smart
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home OwnershipDenise (Dee) Teal
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionPratik Jagdishwala
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressChelsea O'Brien
 
Securing your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupSecuring your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupOyster Bay Marauders LLC
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteReliqusConsulting
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security pptCheap SSL Coupon Code
 

Similar a Seravo.com: WordPress Security 101 (20)

WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012
 
Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17Understanding word press security wwc-4-7-17
Understanding word press security wwc-4-7-17
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014
 
Care and feeding of your website
Care and feeding of your websiteCare and feeding of your website
Care and feeding of your website
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
Security, more important than ever!
Security, more important than ever!Security, more important than ever!
Security, more important than ever!
 
A Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfA Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdf
 
Wordpress best practices
Wordpress best practicesWordpress best practices
Wordpress best practices
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home Ownership
 
ResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security sessionResellerClub Ctrl+F5 - WordPress Security session
ResellerClub Ctrl+F5 - WordPress Security session
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your Wordpress
 
Securing your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupSecuring your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP Meetup
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your Website
 
Secure wordpress
Secure wordpressSecure wordpress
Secure wordpress
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security ppt
 

Último

WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAndrey Devyatkin
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherRemote DBA Services
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businesspanagenda
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...apidays
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxRustici Software
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontologyjohnbeverley2021
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024The Digital Insurer
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdfSandro Moreira
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDropbox
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native ApplicationsWSO2
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...apidays
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWERMadyBayot
 

Último (20)

WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
DBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor PresentationDBX First Quarter 2024 Investor Presentation
DBX First Quarter 2024 Investor Presentation
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 

Seravo.com: WordPress Security 101

  • 1. WORDPRESS SECURITY 101 what is important – and what is not © Seravo 2017
  • 2. DEFINITION OF INFORMATION SECURITY 1. Confidentiality 2. Integrity 3. Availability
  • 3. You must keep your WordPress site secure.
  • 4. POTENTIAL CONSEQUENCES ● Corrupted orders database: webshop unable to ship anything or resolve payments ● Leaked customer database: angry customers, lawsuit for neglect of privacy laws ● Visitors get redirected to shady sites: lost reputation, marketing budget goes in vain ● Site spreads malware: Google might detect and ban from showing up in search results ● Site sends spam: could become blacklisted and legit email stops working
  • 5. “BUT MY SITE IS NOT IMPORTANT!” Your site can be used to mount further attacks! If you have clearly neglected the maintenance of your own site, you could be held partly liable for attacks on other sites.
  • 6. What is REALLY important in keeping your WordPress site secure?
  • 7. AVENUES OF UNAUTHORISED ACCESS: 1. Leaked passwords 2. Software vulnerabilities
  • 10. HTTPS, SFTP, SSH Never submit passwords over an unencrypted connection!
  • 11. Enforce HTTPS in WordPress 1. Your server needs to support HTTPS 2. Enforce in wp-config.php with: define('FORCE_SSL_ADMIN', true);
  • 12. Use captcha to avoid robot users Google reCaptcha recommended
  • 14. MINIMIZE VULNERABILITIES 1. Minimize the attack surface by minimizing the amount of software you have 2. For the software you really need, make sure you have updated to latest releases
  • 15. HOW SECURE IS WORDPRESS CORE? Security bugs per 1000 lines of code written All time: 0,1 (204 CVE entries per 2,1 million lines of code) In 2015: 0,05 (11 CVE entries per 236 000 lines of code)
  • 17. THE PROBLEM IS THE PLUGINS.
  • 19. Example case: Mossack Fonseca aka Panama papers ● The site www.mossfon.com was running WordPress ● Unauthorized access of WP lead to unauthorized access of MS Exchange email server on internal network and other sites at *.mossfon.com ● The intruders most likely came through an old and insecure version of the Revolution Slider plugin. ○ Well known vulnerability, WordPress.org even has a patch as a separate plugin (https://wordpress.org/plugins/patch-for-revolution-slider/) as Revolution Slider itself is not available at WordPress.org.
  • 20. Example case: Mossack Fonseca aka Panama papers ● Case analysis at https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulner able-slider-revolution/
  • 21. WP PLUGIN REVIEW GUIDELINES FOR CAPITALISTS* If the logo is red and name contains revolution, don’t install it on your system! * a small dose of parody can’t hurt?
  • 22. PLUGIN SECURITY 1. Minimize the attack surface by minimizing the amount of plugins (and themes) you have 2. For the plugins you really need, make sure you have updated to latest releases You will not minimize vulnerabilities by installing more plugins!
  • 24. NO
  • 25.
  • 26. DON’T WASTE TIME ON ● removing generator meta or hiding version numbers ● hiding login errors ● changing wp-admin location ● disabling xmlrpc ● removing readme.html or other files Only for WP geeks who love to research the pros and cons. For normal users WordPress default settings are secure.
  • 27. FALSE SENSE OF SECURITY Feels like a lot has been done when really very little has.
  • 28. Example: useless readme.html blocking = don’t!
  • 29. Example: useless readme.html blocking Versions leak anyway
  • 30. Example: useless readme.html blocking Disclaimer: WordFence was used just as an example. It still the best guy in town. Many other security plugins are much worse. ..and other WordPress integrity checks trigger
  • 31. SECURITY PLUGINS ARE NOT THE SOLUTION Scan results require interpretation. Recommended only for professionals.
  • 32. The only recommended ones: WPScan and Google Webmaster Tools Almost no false positives and no business model based on spreading fear.
  • 33. IF YOU RUN YOUR OWN SERVER Also remember to harden and keep updated ● operating system ● web server ● database server ● PHP environment
  • 34. INSTALL ONLY FROM TRUSTED SOURCES Avoid random 3rd party repositories that don’t have any maintenance policy.
  • 35. PROTECTION AGAINST DDOS What if the problem is not unauthorized access but the lack of authorized access?
  • 36. DENIAL OF SERVICE ATTACKS Detect, withstand and block ● high performance servers and good caching ● detect repeated offenders and block at network level ○ e.g. failtoban + iptables ● detect and block at http level ○ e.g. Nginx rate limiting ● If you are trying to block at PHP/WordPress level, you’ve already lost DDOS is a constant race of new techniques of attack and defence. Try to find a good hosting provider that takes care of DDOS at least on the network level.
  • 37. BACKUP AND RECOVERY Because some day, sooner or later, everything else fails.
  • 38. BACKUP GUIDELINES 1/2 Make sure your backup system meets these requirements ● automatic: not dependant on human action ● complete: both files and database ● incremental with a history: at least 30 days ● frequent: daily is good
  • 39. BACKUP GUIDELINES 2/2 ● offsite: in case access to the original site is lost ● pull, not push: original site should not have access to the backups, otherwise an attacker can delete both the original site and all backups Personal favourite: mysqldump + rdiff-backup over SSH
  • 40. ONCE MORE WITH A FEELING
  • 41. WORDPRESS SECURITY 101 1. Always follow password hygiene. 2. Use captchas to stall robot users. 3. Use HTTPS (and SFTP and SSH) – never submit passwords in plain text on any network connection. 4. Remove unnecessary software to reduce attack surface. 5. Keep WordPress plugins and all other software too updated to have all known vulnerability fixes installed. 6. Install software and update only from trusted sources. 7. Have a good backups system in place. 8. Choose a good service provider and trust them to take care of the rest.