
Wordpress security best practices - WordCamp Waukesha 2017

774 views

As a popular CMS, WordPress is a common target for hackers and bots alike. In this session, Victor discusses a host of best-practice techniques and corporate security policies that will harden your website against intruders.

Published in: Technology


  1. Security Best Practices
  2. @VicDrover Panama Papers
  3. @VicDrover Panama Papers
  4. @VicDrover Infected Websites by Platform (Hacked Website Report - Sucuri)
  5. @VicDrover % Out-of-Date CMS (Hacked Website Report - Sucuri)
  6. @VicDrover Is YOUR website vulnerable?
  7. @VicDrover Top 3 WordPress plugins causing hacks (Hacked Website Report - Sucuri)
  8. @VicDrover RevSlider < 3.0.95 = vulnerable https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
  9. @VicDrover WordPress host for Ransomware http://www.tomsguide.com/us/wordpress-ransomware-epidemic,news-22219.html
  10. @VicDrover Levels of website security
  11. @VicDrover Levels of website security
  12. Client Passwords
  13. @VicDrover Password Managers
  14. @VicDrover Agency Passwords
  15. @VicDrover Trust extends to your team
  16. @VicDrover Email security
  17. @VicDrover Staff
  18. Staff
  19. @VicDrover Disaster Response Plan
  20. @VicDrover Initial response
      → Who, What, When
      → Emergency contact info
      → Service provider info
        ◆ DNS, Server/Host, Data Center, Backups
      → 1-time use passwords
  21. Agency 7
  22. Agency 7
  23. @VicDrover Security policy
      → Email usage
      → Resource access
      → Password strength
      → Password duration
      → Account sharing
      → Team composition
      → Disaster planning
      → Ongoing Education
  24. @VicDrover Levels of website security: Local, Remote
  25. @VicDrover Local Resources
  26. @VicDrover PHP Usage (Joomla 3.5) [chart; series: PHP 5.2, 5.3, 5.4, 5.5, 5.6, 7.x]
  27. @VicDrover Webserver security
  28. @VicDrover Heartbleed
  29. @VicDrover filippo.io/Heartbleed/
  30. @VicDrover Other local issues
      → SSH on non-default port, encryption keys
      → Disable FTP (vs. secure FTP)
      → Strong database password + table prefix
      → Enable logging (usually off by default)
      → Disable magic_quotes
  31. @VicDrover Levels of website security: Local, Remote
  32. @VicDrover Remote services - email
  33. @VicDrover Remote services - DNS
  34. @VicDrover Remote services - reverse proxy
  35. @VicDrover Managed Hosting
  36. @VicDrover Levels of website security
  37. @VicDrover Update all the things
  38. @VicDrover Well-known WordPress best-practices
      → Unique administrator account
      → Disable file editing, PHP execution
      → Limit login attempts
      → Remove unused themes + plugins
      → Block editing of config file
  39. @VicDrover Enforce stronger passwords
  40. @VicDrover Control New Users
  41. @VicDrover Secure failed login message (functions.php)
      // Replace WordPress's detailed login error (which reveals whether the
      // username exists) with one generic message for every failure.
      function wrong_login() {
          return 'Wrong username or password.';
      }
      add_filter( 'login_errors', 'wrong_login' );
      http://geckogullywebsites.com/wordpress-security-tips-check-for-display-of-unnecessary-information-on-failed-login-attempts/
  42. @VicDrover Backup your site + test
  43. @VicDrover Akeeba Backup https://www.akeebabackup.com/
  44. @VicDrover Use Redundant firewalls
  45. @VicDrover Use Redundant firewalls
  46. @VicDrover Use Redundant firewalls
  47. @VicDrover Use Redundant firewalls
  48. @VicDrover Use Redundant firewalls
  49. Security Best Practices
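Slides 38 and 41 recommend limiting login attempts and hiding the detailed failed-login message. The following is an added example (not code from Victor's talk) that combines both in one must-use plugin; the file path, the thresholds of 5 attempts per 15 minutes, and the `lh_` prefix are assumptions.

```php
<?php
/**
 * Plugin Name: Login hardening (added example, not from the slides)
 * Hypothetical mu-plugin: save as wp-content/mu-plugins/login-hardening.php.
 * Generic failed-login message (slide 41) plus a transient-based attempt
 * limiter (slide 38). Thresholds below are assumed, not from the talk.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

const LH_MAX_ATTEMPTS = 5;    // assumed threshold
const LH_LOCKOUT_SECS = 900;  // assumed window: 15 minutes

// Key the counter by client IP. Behind a reverse proxy (slide 34) REMOTE_ADDR
// is the proxy's address; only trust forwarded headers once the proxy is
// configured to set them and WordPress is told to use them.
function lh_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lh_fail_' . md5( $ip );
}

// Same message for bad username and bad password, so nothing leaks about
// which accounts exist. This also masks the lockout message below.
add_filter( 'login_errors', function () {
    return 'Wrong username or password.';
} );

// Count failures; the transient expires by itself after the lockout window,
// so no cleanup job is needed.
add_action( 'wp_login_failed', function () {
    $key   = lh_client_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, LH_LOCKOUT_SECS );
} );

// Refuse authentication while locked out, before credentials are checked
// (priority 30 runs after core's username/password check at 20).
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lh_client_key() ) >= LH_MAX_ATTEMPTS ) {
        return new WP_Error( 'lh_locked', 'Too many failed logins. Try again later.' );
    }
    return $user;
}, 30, 3 );

// Clear the counter once a login succeeds.
add_action( 'wp_login', function () {
    delete_transient( lh_client_key() );
} );
```

Attempts made during a lockout still fire `wp_login_failed`, so each one extends the window; pair this with the web-server or reverse-proxy firewall from the later slides rather than relying on it alone.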
