WordPress security tips for marketing operations and developers. Originally delivered at the Big Digital Adelaide 2016 Conference.

1. Head Slapping
WordPress Security
Chris Burgess - @chrisburgess - chrisburgess.com.au

2. #BigDigitalADL

3. Is this how you feel about the topic
of security?

4. Not everyone loves security J
But everyone should care about it.

5. Security is CRITICAL for business
and marketing operations.

6. Security is not absolute.
It’s about risks and managing
the risks.

7. Security is not a Product.
Security is a Process.

8. Don’t wait to see something like this
before you care about it.

9. Try and be proactive, not just reactive.
• xxx
http://www.dailymail.co.uk/news/article-1388660/Mississippi-River-flooding-Residents-build-homemade-dams-saves-houses.html

10. What we’ll cover…
• Common myths and misconceptions
• Why is WordPress a popular target?
• Who is an attacker?
• What motivates them?
• How do they do it?
• What can they do?
• What is the impact?
• What can you do?
• Common mistakes and how to avoid them

11. A little about me…
• Co-founder Clickify – Digital Marketing Agency
• Editor for SitePoint WordPress Channel
• Help organise a few Meetups (Melbourne
WordPress User Meetup and Melbourne SEO
Meetup)
@chrisburgess

12. Let’s get started…
http://www.humoar.com/wp-content/uploads/2014/08/dude-let-me-in-its-me-mittens.jpg

13. http://www.humoar.com/wp-content/uploads/2014/08/dude-let-me-in-its-me-mittens.jpg

14. There is no such thing as
absolute security.

15. Nothing is 100% secure.

16. The good news –
there are many things we can do to
drastically reduce the risks.

17. Myths and misconceptions

18. Common myths and misconceptions
“WordPress sites always get hacked.”
“No one is interested in attacking my site.”
“I’ve got nothing valuable for anyone to steal.”
“Security is not my problem, my host/developer/
plugin takes care of security for me.”

19. Why is WordPress a popular
target?

20. WordPress powers 38% of the
top 10k sites
http://trends.builtwith.com/cms/

21. WordPress powers 55% of .au sites
http://trends.builtwith.com/cms/country/Australia

22. Example of WordPress vulnerabilities
Source: http://wptavern.com

23. “Most successful WordPress hack
attacks are typically the result of
human error, be it a configuration
error or failing to maintain WordPress,
such as keeping core and all plugins
up to date, or installing insecure
plugins etc.”
- Robert Abela (@robertabela)

24. Who is an attacker?

25. According to stock photography...

26. Who is an attacker?
A person or group who’s trying to attack your site.
It may personal, but most often you’re just a victim of
opportunity.
Typically, your website is just one faceless entity on a
massive list of sites being scanned and probed.

27. What motivates them?

28. They can be motivated by…
• Economic gain
• Theft
• Political awareness
• Just for kicks, or a challenge

29. How do they do it?

30. Defense in depth
https://technet.microsoft.com/en-us/library/cc512681.aspx

31. There are approximately 1500
files in a default WordPress
installation – not including
themes and plugins.

32. What’s under the hood
• WordPress relies on a many popular Open Source libraries (as does
most software).
• Here are a few of the most common ones:
– jQuery
– jQuery Masonry
– jQuery Hotkeys
– jQuery Suggest
– jQuery Form
– jQuery Color
– jQuery Migrate
– jQuery Schedule
– jQuery UI
– Backbone
– colorpicker
– hoverIntent
– SWFObject
– TinyMCE
– Atom Lib
– Text Diff
– SimplePie
– Pomo
– ID3
– Snoopy
– PHPMailer
– POP3 Class
– PHPass
– PemFTP
https://www.sitepoint.com/javascript-and-php-libraries-used-by-wordpress/

33. They can do it via…
OUT OF DATE OR VULNERABLE THEMES
OUT OF DATE OR VULNERABLE PLUGINS
OUT OF DATE VERSION OF WORDPRESS
INTEGRATIONS
POOR PROCESSES
BAD PASSWORDS AND
PASSWORD MANAGEMENT
MISCONFIGURATION
HUMAN ERROR

34. What can they do?

35. Sucuri Website Hacked Trend
Report 2016
https://sucuri.net/website-security/Reports/Sucuri-Website-Hacked-Report-2016Q1.pdf

36. What is the impact?

37. https://www.google.com/webmasters/hacked/

38. https://www.google.com/webmasters/hacked/

39. Real example of a compromised site in Google search results

40. Real example of a compromised site in Google search results

41. Example of Resources Consumed

42. Google Search Console

43. Netregistry email about compromised site

44. Real example of a malicious plugin

45. Real example of a malicious file

46. Google Search Console

47. Google AdWords

49. Ahrefs and Google Search Console

50. Real example of anchor text from ahrefs.

51. Real example of links in Google Search Console

52. Real example of a malicious plugin.

53. Real example of a malicious plugin.

54. Real example of black hat SEO.

55. Impacts your bottom line
• Loss in revenue
• Lose customers
• Cost of professional help
• Cost of your time
• Cost of your resources
• Potential legal and compliance issues
$

56. Damage to reputation
• Affects brand reputation
• Can compromise visitor systems or data
• Loss of trust and confidence amongst
customers or clients
• Negative publicity
L

57. STRESS!
• Causes you unnecessary stress dealing with
the security breach
• Can even cause stress to your staff, colleagues
and customers
!

58. Technical issues
• Blacklisting
• Email deliverability
• SEO and SEM impacts
• Domain and IP reputation
• Downtime and outages

59. What Can You Do?

60. Be practically paranoid.

61. http://favoritememes.com/_nw/37/42148895.jpg

62. Give your team basic security
awareness training.

63. Practice principle of least privilege.

64. Use Google Search Console

65. Do regular backups and store offsite
• Server Level Backups
– cPanel/Plesk
– Replication
– Snapshots
• Backup Services
• Backup Plugins
– Updraft Plus
– WordPress Backup to Dropbox
– VaultPress
– Backup Buddy
– Duplicator
• Manual Backups
• Exports

66. Maintenance
“Patch early and patch often”

67. Use a security plugin
(or manually harden)
https://www.wordfence.com/
https://sucuri.net/
https://ithemes.com/security/

68. Use password management
Personal
• LastPass
• Dashlane
• 1Password
• KeePass
• Passwordsafe
• Roboform
• Browser Password Manager
• Native OS
Teams
• LastPass Enterprise
• Bitium
• 1Password for Teams
• Secret Server
• PassPack

69. Monitor your Sitemap XML,
robots.txt and .htaccess files.

70. Use two-factor authentication

71. Server security
• System Monitoring
• Integrity Monitoring
• Firewalls
• IDS/IPS
• Logging

72. Use strong encryption
• Avoid plain text protocols
• Everyone should use SSL (and make sure it’s
configured correctly)

73. WPScan WordPress Scanner

74. Other resources
• WordPress.org
– wordpress.org/about/security
– wordpress.org/news/category/security
• Codex.WordPress.org
– codex.wordpress.org/hardening_wordpress
– codex.wordpress.org/brute_force_attacks#protect_your_server
• Verizon DBIR - http://www.verizonenterprise.com/verizon-insights-
lab/dbir/
• Sucuri - https://sucuri.net/
• OWASP - http://owasp.org/
• WP White Security - https://www.wpwhitesecurity.com/
• Google Safe Browsing - https://www.google.com/
transparencyreport/safebrowsing/diagnostic/

75. Common mistakes and
how to avoid them

76. 1. Don’t use weak user names and
passwords (admin:password123).

77. 2. Don’t have publically accessible
backups (e.g /backup.zip).

78. 3. Don’t have publically accessible
config files (wp-config.php.old).

79. 4. Don’t forget to backup your site
regularly. Store offsite.

80. 5. Don’t forget to regularly update
your WordPress site.

81. 6. Take advantage of the plugins,
tools and services available to
protect your site.

82. Any Questions?
@chrisburgess – chris@chrisburgess.com.au
? ? ?