________________________________________________
copyright 2013 Site Shack Web Design
all rights reserved
Monday, June 17, 13
We’ve been designing and developing SEO-optimized websites and digital
media in Nashville since January, 2004.
WordPress too? Yep. And WordPress training,
tailored to your exact needs.
We are MyEMMA co-agents.
We provide customized HTML Email Design
and Account Management.
Our work is mobile-friendly.
Owner, Site Shack Web Design
Judy Wilson
Your WordPress site is living in a high crime neighborhood.*
* Doesn’t matter if you’re on WordPress.com or using WordPress.org.
Easy access is the key.
How do they get in?
Hacks are most often delivered through cheesy credentials, old and/or evil
software, themes, plugins + old, vulnerable scripts (such as the “timthumb
script”) and cheap, poor-security hosting environments.
WRONG:
Username: admin
Password: mypassword
Main Types of WordPress Hacks
Backdoors
Drive-by Downloads
Pharma Hacks
Malicious Redirects
Before You Install:
Map out your strategy
The Installation:
Solid padlocks + lock your doors and windows
Advanced Security:
Multiple locks + burglar bars + alarm systems + guard dog (see Appendix below)
Before You Install:
Map out your Strategy
1. Good Host. Do not use a “soup kitchen” host = high risk of cross
contamination.
2. Good Theme. Do not use any old free theme! Vet your premium theme
(including version appropriateness). Run a virus/malware check on the
theme after you download/buy it. Stay informed!
3. Good Plugins. Highly rated, updated often, check the WordPress
repository, correspond to your version of WordPress.
4. Backup regularly (your host should of course do this also).
See the plugin “Backup Buddy.”
The Installation:
Lock Your Doors and Windows
1. Do NOT use “admin” for your user name.
2. Do NOT use a password that can be found in a dictionary or
that you’ve ever used anywhere else at any time.
3. Do NOT use sequential numbers and/or letters.
4. Hire Sucuri to monitor your site: www.sucuri.net
5. Use 2-factor authentication:
Already in place at WordPress.com, but you can use Google
2-step Authentication with WordPress.org.
The Installation:
Lock Your Doors and Windows
1. In your wp-config.php file: salt your hashes, aka use the
“secret words.”
2. Do not use “wp” for your table prefix. Make up something
non-sequential like “jnm.”
3. Stop using FTP. Use SFTP -- call your host if you’re not sure
about using SFTP. Note: There are multiple methods for FTP.
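An added example (not from the slide deck) of generating the “secret words” and a non-sequential table prefix from the command line. The eight define() names are WordPress’s own; the function names wp_random_key, wp_table_prefix, wp_config_secrets and wp_config_prefix_line are chosen for this example. The same routine covers the cleanup step later in the deck, “Add new salts,” since rotating the keys invalidates every existing login cookie.

```shell
#!/bin/sh
# Added example (not from the slide deck): generate the eight wp-config.php
# secret keys/salts and a non-sequential table prefix from /dev/urandom.
# The define() names are WordPress's real ones; the output is meant to be pasted
# over the placeholder block in wp-config.php. Re-running it later (the cleanup
# step "add new salts") invalidates every existing login cookie.

# wp_random_key -> 64 printable characters on stdout, no newline.
# Single quote and backslash are excluded so the value is safe inside a PHP
# single-quoted string; LC_ALL=C keeps tr byte-oriented.
wp_random_key() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*()_+=.,:;<>?~-' < /dev/urandom | head -c 64
}

# wp_table_prefix -> e.g. "kqzx_": four random lowercase letters plus underscore,
# the "non-sequential" prefix the slide asks for instead of "wp_".
wp_table_prefix() {
    printf '%s_' "$(LC_ALL=C tr -dc 'a-z' < /dev/urandom | head -c 4)"
}

# wp_config_secrets -> the eight define() lines WordPress expects, one per line
wp_config_secrets() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(wp_random_key)"
    done
}

# wp_config_prefix_line -> the $table_prefix assignment line for wp-config.php
wp_config_prefix_line() {
    printf "\$table_prefix = '%s';\n" "$(wp_table_prefix)"
}

# Usage: sh wp-secrets.sh --print > secrets.txt, then paste into wp-config.php
if [ -n "${1-}" ] && [ "$1" = "--print" ]; then
    wp_config_secrets
    wp_config_prefix_line
fi
```

The table prefix only takes effect on a fresh install (changing it on a live site means renaming every table), so pick it before running the installer; the keys can be replaced at any time.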
The Installation:
Lock Your Doors and Windows
1. Turn off trackbacks and pingbacks.
2. Comments ONLY when appropriate and always use Akismet.
3. Use your Administrator accounts for Administrator work
(like setting up a new user). Use Editor, Author, Contributor and
Subscriber for their appropriate tasks.
4. Remove themes and plugins that are not being used.
The Installation:
Lock Your Doors and Windows
1. Confirm the correct folder permissions:
Folder permissions: 755
File permissions: 644
index.php: 666
wp-config.php: 600
2. Do you know where your backup is? Can you restore from it?
3. Consider a sandbox site and test your backup and restore
procedure -- more than once. Then delete the website before you
forget about it.
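The permission table above turned into a check that can be run against a live tree: an added example, not from the slide deck, in POSIX sh. The policy constants are the slide’s values, with index.php at 666 as listed (666 is world-writable, so substitute 644 if your host expects that). audit_wp_perms, count_violations and make_sample_tree are names chosen for this example, and the sample tree is constructed data seeded with three violations.

```shell
#!/bin/sh
# Added example (not from the slide deck): audit a WordPress tree against the
# permission table on the slide. Policy values come from the slide itself:
#   directories 755, files 644, index.php 666, wp-config.php 600.
# Only POSIX find/sed/chmod are used, so this runs on any Linux or BSD host shell.

WANT_DIR=755
WANT_FILE=644
WANT_INDEX=666       # as listed on the slide; 666 is world-writable
WANT_CONFIG=600

# audit_wp_perms ROOT
# Prints one line per path whose mode differs from the policy, nothing when the
# tree is compliant. The exact-match form of -perm (no leading - or /) is what
# makes "not exactly 755" work.
audit_wp_perms() {
    root="$1"
    find "$root" -type d ! -perm "$WANT_DIR" \
        | sed "s|\$| (directory, want $WANT_DIR)|"
    find "$root" -type f ! -name wp-config.php ! -name index.php ! -perm "$WANT_FILE" \
        | sed "s|\$| (file, want $WANT_FILE)|"
    find "$root" -type f -name index.php ! -perm "$WANT_INDEX" \
        | sed "s|\$| (index.php, want $WANT_INDEX)|"
    find "$root" -type f -name wp-config.php ! -perm "$WANT_CONFIG" \
        | sed "s|\$| (wp-config.php, want $WANT_CONFIG)|"
}

# count_violations ROOT -> number of non-compliant paths, on stdout
count_violations() {
    audit_wp_perms "$1" | wc -l | tr -d ' '
}

# make_sample_tree -> path of a constructed WordPress-like tree in a temp dir,
# deliberately seeded with three policy violations so the audit has work to do.
make_sample_tree() {
    umask 022
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    : > "$root/index.php"
    : > "$root/wp-config.php"
    : > "$root/wp-content/uploads/stray.php"
    chmod 755 "$root" "$root/wp-content"
    chmod 777 "$root/wp-content/uploads"            # violation: world-writable dir
    chmod 644 "$root/wp-config.php"                 # violation: should be 600
    chmod 666 "$root/index.php"                     # matches the slide's table
    chmod 777 "$root/wp-content/uploads/stray.php"  # violation: world-writable file
    echo "$root"
}

# Usage: sh audit-perms.sh /var/www/html   (prints violations, one per line)
if [ -n "${1-}" ]; then
    audit_wp_perms "$1"
fi
```

Run it from a cron job and mail yourself the output: a world-writable file or directory appearing under wp-content/uploads is one of the earliest signs that something other than you is writing to the site.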
Appendix
• Before You Install
• Recommended Hosts
• Advanced Security Techniques
• How Can I Tell I’ve Been Hacked?
• Cleaning and Remediation
• Miscellaneous Help
BEFORE YOU INSTALL
Setup Google Webmaster Tools:
Google Webmaster Tools are an important resource for many
reasons. But for site security, one of their best features is their
email notifications of malware when it’s found on your site. As
the verified site owner, you’ll be notified by email if malware is
detected.
https://www.google.com/webmasters/tools/home?hl=en
http://codex.wordpress.org/Hardening_WordPress
http://www.wpreads.com/2013/03/protecting-wp-config-and-htaccess-files-for-wordpress.html
Recommended Managed WP Hosts
Consider using a “Managed” WordPress host with malware
scanning in place. These include curated plugins.
http://wpengine.com/
http://websynthesis.com (Yoast hosts here.)
http://page.ly
Advanced Security:
Multiple locks + burglar bars + alarm system + guard dog
The .htaccess file
There are many security modifications you can make to your .htaccess file.
NOTE: .htaccess files (distributed configuration files) are processed first,
before any other code on your website.
http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-security-1676
WP-app firewall
http://wordpress.org/extend/plugins/ose-firewall/
http://wordpress.org/extend/plugins/bulletproof-security/
http://wordpress.org/extend/plugins/wordfence/
Advanced Security:
Multiple locks + burglar bars + alarm system + guard dog
Setting up 2-step authentication for WordPress.org
http://www.wpbeginner.com/plugins/improve-wordpress-security-with-google-authenticator/
Modifying the wp-config file
http://codex.wordpress.org/Editing_wp-config.php
http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor
SSL setup info and tips from Yoast
http://yoast.com/wordpress-ssl-setup/
How Can I Tell I’ve Been Hacked?
Do some scanning:
Use http://sitecheck.sucuri.net to run a scan to find
malware and blacklist info.
http://aw-snap.info/file-viewer/
Allows you to scan from different User Agents.
WordPress Plugins
http://wordpress.org/extend/plugins/sucuri-scanner/
http://wordpress.org/extend/plugins/gotmls/
http://wordpress.org/extend/plugins/wordfence/
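The “scan from different User Agents” idea above can also be done by hand: an added example, not from the slide deck, that fetches one URL with curl as a desktop browser and again as Googlebot, counts the lines that differ, and greps the crawler copy for the redirect markers a pharma or redirect hack typically plants so that only search engines see them. fetch_as, body_delta, cloak_markers and write_sample_bodies are names chosen here; the two HTML bodies are constructed, and the pharmacy URL uses the reserved .invalid domain.

```shell
#!/bin/sh
# Added example (not from the slide deck): check whether a site answers
# differently to a crawler identity than to a browser. Compromised sites often
# serve a redirect or injected markup only to search-engine bots, which is why a
# site can look fine to its owner while Google flags it. Uses curl, diff, grep.

# fetch_as URL UA OUTFILE
# Saves the final response body to OUTFILE; prints "<http_code> <final_url>"
# so a redirect chain is visible even when the body looks harmless.
fetch_as() {
    curl -sS -L -A "$2" -o "$3" -w '%{http_code} %{url_effective}\n' "$1"
}

# body_delta FILE_A FILE_B -> number of lines that differ between two saved bodies
body_delta() {
    diff "$1" "$2" | grep -c '^[<>]' || true
}

# cloak_markers FILE -> lines that commonly carry a crawler-only redirect
# (meta refresh, JavaScript location change). Zero hits is not proof of health;
# it only means this small pattern set saw nothing.
cloak_markers() {
    grep -iE 'http-equiv=.?refresh|window\.location|location\.href' "$1" || true
}

# write_sample_bodies -> dir holding two constructed bodies: what a browser sees
# and what a crawler identity sees on a site that cloaks a pharma redirect.
write_sample_bodies() {
    dir=$(mktemp -d)
    printf '<html><head><title>My Blog</title></head>\n<body><h1>Welcome</h1></body></html>\n' \
        > "$dir/browser.html"
    printf '<html><head><title>My Blog</title>\n<meta http-equiv="refresh" content="0;url=http://example.invalid/pharmacy">\n</head><body><h1>Welcome</h1></body></html>\n' \
        > "$dir/crawler.html"
    echo "$dir"
}

# Usage: sh cloak-check.sh https://your-site.example/
if [ -n "${1-}" ]; then
    tmp=$(mktemp -d)
    echo "browser: $(fetch_as "$1" 'Mozilla/5.0 (Windows NT 10.0; rv:115.0) Gecko/20100101 Firefox/115.0' "$tmp/browser.html")"
    echo "crawler: $(fetch_as "$1" 'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)' "$tmp/crawler.html")"
    echo "differing lines: $(body_delta "$tmp/browser.html" "$tmp/crawler.html")"
    cloak_markers "$tmp/crawler.html"
fi
```

A few differing lines are normal (nonces, timestamps, ad slots); a different final URL, or markers that appear only in the crawler copy, is what to chase. Run the same pair of fetches with a Referer header from a search engine as a third identity, since some redirect hacks key on the referrer rather than the User-Agent.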
How Can I Tell I’ve Been Hacked?
Uh oh. I think it’s too late.
• Displaying popups that you didn't implement.
• Displaying odd text in your footer or in the "View Source."
• Links to other sites or auto-linking of keywords that you didn't create links for.
• Seeing obfuscated / encoded text in plugins.
• Website redirecting (immediately or after a short length of time) to another URL.
• A friend calls/texts/emails you that your site is directing users to Dr. Dre’s
Headphones, or “performance enhancing” or pain medication drugs etc.
• Style sheet formatting has disappeared.
• You can’t log in to your wp-admin.
• New files appearing in the themes folder or anywhere else (look for a recent or
atypical date via FTP; when you open these pages, they may appear to contain
binary code.)
Cleaning & Remediation:
WordPress (with some help) suggests:
1. Stay calm. You could make it worse by anxiously jumping in and trying
to fix the problem.
2. Scan your local machine / hard drive.
3. Scan your site. There are many good tools and WordPress plugins to
help with this. This will help identify the infected files and folders etc.
4. Check with your hosting provider. Call them. You can call them, yes?
5. You’ve already updated, changed all passwords?
6. Add new salts or “secret keys.”
7. Check your files. Start with your .htaccess file to begin looking for
malicious code.
Have SSH root access?
http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/
Cleaning & Remediation:
1. Can you identify the type of hack? This may make the cleanup easier.
2. Run a fresh backup and then . . .
3. Restore from an older backup that you believe predates the hack.
4. No backup? Hmm. Seriously consider taking down and trashing the site.
5. Restored from backup? Change passwords again.
6. Secure your site with recommended security measures.
7. Do a post-mortem. How did this happen?
8. Compare your WordPress files to those in a clean install. Open up files.
Do you see something that refers to base64_decode? That’s at least part of
the hack.
9. Can’t find the malware? Disable your plugins (rename the directory) and
scan again. If the infection is in a plugin, the scan will now show as clean.
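Steps 8 and 9 above in script form: an added example, not from the slide deck, that compares a live tree against a clean WordPress download with cmp and lists *.php files that call base64_decode or eval. compare_trees, scan_suspicious and make_sample_trees are names chosen for this example, and the sample trees are constructed. Against a real clean download, wp-config.php and everything under wp-content/uploads will show as EXTRA because a clean install never contains them; the EXTRA lines worth reading are .php files under uploads/ or inside wp-admin/ and wp-includes/.

```shell
#!/bin/sh
# Added example (not from the slide deck): the two file-level checks from the
# cleanup list, comparing a live WordPress tree against a clean install and
# flagging PHP files that call base64_decode or eval. Both trees are directory
# paths you supply; the constructed sample below stands in for real ones.

# compare_trees CLEAN LIVE
# One line per file in LIVE that is absent from CLEAN ("EXTRA") or differs from
# it byte-for-byte ("MODIFIED"). Files that exist only in CLEAN are not listed.
compare_trees() {
    clean="$1"
    live="$2"
    ( cd "$live" && find . -type f ) | sort | while IFS= read -r f; do
        if [ ! -f "$clean/$f" ]; then
            printf '%-8s %s\n' EXTRA "$f"
        elif ! cmp -s "$clean/$f" "$live/$f"; then
            printf '%-8s %s\n' MODIFIED "$f"
        fi
    done
}

# scan_suspicious DIR
# Paths of *.php files under DIR that mention base64_decode or eval(, sorted.
# Legitimate plugins also use base64_decode, so treat hits as leads, not verdicts.
scan_suspicious() {
    find "$1" -type f -name '*.php' \
        -exec grep -lE 'base64_decode|eval[[:space:]]*\(' {} + | sort
}

# make_sample_trees -> base dir containing clean/ and live/ (constructed data)
make_sample_trees() {
    base=$(mktemp -d)
    mkdir -p "$base/clean/wp-includes" "$base/live/wp-includes" "$base/live/wp-content/uploads"
    printf '<?php echo "hello";\n' > "$base/clean/index.php"
    printf '<?php function wp_fake_helper() { return 1; }\n' > "$base/clean/wp-includes/helper.php"
    cp "$base/clean/index.php" "$base/live/index.php"
    cp "$base/clean/wp-includes/helper.php" "$base/live/wp-includes/helper.php"
    # Constructed tampering: an appended eval(base64_decode(...)) line (the
    # encoded payload is just the word CONSTRUCTED) and an extra file under uploads/.
    printf 'eval(base64_decode("Q09OU1RSVUNURUQ="));\n' >> "$base/live/index.php"
    printf '<?php echo "not part of core";\n' > "$base/live/wp-content/uploads/stray.php"
    echo "$base"
}

# Usage: sh compare-wp.sh /tmp/clean-wordpress /var/www/html
if [ -n "${2-}" ]; then
    compare_trees "$1" "$2"
    echo "--- PHP files mentioning base64_decode or eval( ---"
    scan_suspicious "$2"
fi
```

Download the clean copy for the exact version the site reports (wp-includes/version.php) so that version drift does not show up as MODIFIED lines. For step 9, rename wp-content/plugins, rerun scan_suspicious on what remains, and restore plugins one at a time from fresh downloads rather than from the renamed directory.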
Cleaning & Remediation:
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://www.unmaskparasites.com/
Suggestions from Sucuri
http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
Know command line and have SSH access?
https://raamdev.com/2013/cleaning-evalbase64_decode-from-a-hacked-wordpress-website-via-ssh/
Cleaning up your site at Google
http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634
Cleaning & Remediation:
If all else fails (and before you torch the site):
Hire someone:
http://www.stopthehacker.com
http://www.sucuri.net
http://www.sparktrust.com
Cleaning & Remediation: Tools
http://www.stopbadware.org/request-review
StopBadware performs independent reviews of websites that are
blacklisted for badware by our data providers.
http://www.unmaskparasites.com/malware-warning-guide/#request
http://wordpress.org/extend/plugins/wordfence/
Wordfence Security is a free enterprise class security plugin that
includes a firewall, anti-virus scanning, malicious URL scanning and
live traffic including crawlers. Wordfence is the only WordPress security
plugin that can verify and repair your core, theme and plugin files, even
if you don't have backups.
Wordfence is now Multi-Site compatible.
http://blog.aw-snap.info/2012/07/malware-removal-vendors.html
Miscellaneous Help
http://blog.page.ly
http://wp.smashingmagazine.com
Smashing Magazine WordPress site
http://tonyonsecurity.com/
Tony Perez’s blog (COO/CFO, Sucuri)
Excellent forum on malware:
https://www.badwarebusters.org/
http://aw-snap.info/
Excellent hacked info and tools
https://www.udemy.com/how-to-secure-wordpress-blog-or-website-for-beginners/?
http://labs.sucuri.net/?malware
See what Sucuri picks up in its malware scans.
Safe travels and happy trails with WordPress!
Judy Wilson
www.Site-Shack.com
Nashville, TN
from site-shack

WordPress Security Strategy for WordPress.org (condensed version)
