real wordpress security - kill the noise
DESCRIPTION
A WordPress presentation that focuses on security principles and not false sense of security through adding 20 plugins. Lets stick to the basics folks! This presentation was given at WordCamp Miami #wcmiaTRANSCRIPT
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Real WordPress Security
Kill the noise!
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Dre Armeda
Co-Founder of Sucuri Inc. – Sucuri.netCo-Host of DradCast – DradCast.com
@dremeda | dremeda.com | drejitsu.com
• Softball Dad• Proud Navy Veteran• Brazilian Jiu-Jitsu Player• Chargers & Angels Fan• Harley Enthusiast• Taco Lover
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
The Internet Rocks
With adoption and growth comes innovation!
Over 2 billion internet users today(Internet World Stats)
566% growth in the last 12 years (Internet World Stats)
861,379,000 registered hostnames - Jan14 (Tech Made Easy)
180,000,000 active websites (Tech Made Easy)
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
It’s Not All Peachy
Malware – short for malicious software
DoS/DDoS - Denial of Service
Brute Force
SPAM Links
SEO Poisoning
XSS
SQL Injections
Blacklisting
DNS Poisoning
Innovative thinking sparks risk
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Malware Type Distribution
SiteCheck numbers don’t lie!
Remote iF
rame Inclu
des
Remote Ja
vaScript In
cludes
SPAM In
jections
Obfuscate
d / Enco
ded JavaScri
pt
Conditional Redire
cts
Defacements
Other
26%
19%16%
14%11%
4%
10%
9 Million Unique Domains Scanned19 % Infected
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Trends
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
How Bad is it?
An explosion in web malicious links!
Malicious Links
20112012
600%
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
What Are Malicious Links?
Oh you’ve seen them. You’ve seen them everywhere!
Malicious Links
Social Media
Email Links Website
Text Messages
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Increase in PhishingAll is not what it seems!
55% of Companies have fallen victim
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Search Engine Poisoning (SEP)
Get Payday Loans or Cheap Pills.
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Brute Force
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Denial of Service (DoS)
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Denial of Service (DoS)
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Why Is This Happening?
Awesome spawns not so awesome situations!
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Almost always for the $$$
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
How Does This Happen
A new type of webmaster!
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
The Worlds Biggest Weakness
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Am I At Risk?
The percentage of risk will never be zero!
Ever See a Dodo Bird?
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Everyone is a Target!
Even you!
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
What Can We do?
Be smart. Be consistent. Cut out the noise!
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Things You May See
Your users saying they are being redirected
Spam links in your HTML or even visible
Google SERP shows Viagra for your keywords
Google Blacklists you
Sharp traffic decreases for no reason
If your site is infected
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Quick Steps
Scan for malware – http://sitecheck.sucuri.net
Kill WordPress sessions by resetting Salts - http://wordpress.org/support/topic/set-up-a-secret-key-in-wordpress-
25
Reset ALL passwords (WP, FTP, SSH)
Replace WordPress Core
Update ALL Software
Look for out of place files
Hire someone to audit the site and perform full server-side scan & cleanup
If you think your site is infected
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Proactive Defenses!
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Keep Software Updated
Leading cause for infection along with passwords
Scared to upgrade because stuff breaks?
Major vs. Point Release
Run upgrade tests
Do your homework
Information Security is everyone’s responsibility
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Use Trusted Sources!
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
No Soup Kitchen Servers
WordPressers act like they forgot about DEV
Cross-contamination is a big deal
Segment by user and account
Not active. Not good enough
If it’s not in use, get rid of it
Production is not your archive server!
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Reduce Access
Give people enough access to do their job, nothing more; remove access when they complete their job!
User Proper Roles
This goes for WordPress, FTP, & DB’s, etc.
Limit failed logins to thwart brute force
Practice two form auth & layered login
Disable PHP Execution!
Least privilege to some, no privilege for most.
<Files *.php>Deny from all</Files>
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Password Management
Complex – Long - Unique
Password still top 5 actively used password
Use unique passphrases
Use different passwords across accounts
Password Management Tools
Password is a password not to be used as your password, ever!
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Backup Schedule
Create a schedule today!
Backup outside of your production environment
Multiple backups are awesome
Talk to your host to see what they offer
Various tools available
When they hack you, reduce downtime.
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Tools & Services
Website Firewall
Sucuri CloudProxy
Great tools and services to help you reduce risk.
Password ManagementLastPassKeyPass Password Safe1Password
Malware ScanningSucuri SiteCheckUnMask Parasites
Malware CleanupSucuri
BackupsSucuri BackupsVaultPress
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Notable ResourcesName Tool
Sucuri Blog http://blog.sucuri.net
Sucuri TV http://sucuri.tv
Malware Scanner http://sitecheck.sucuri.net
Malware Scanner http://unmaskparasites.com
Badware Busters https://badwarebusters.org
Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
Joomla! Security and Performance FAQs http://docs.joomla.org/Security_and_Performance_FAQs
Joomla! Security Checklist http://docs.joomla.org/Security_Checklist/Getting_Started
Real Security for WordPress Dre Armeda @dremeda Sucuri.net @sucuri_security
Thank You For Listening
Now go, reduce risk. Go!