Professional WordPress Security: Beyond
Security Plugins
Chris Burgess ∙ @chrisburgess ∙ https://chrisburgess.com.au/
About This Presentation
• WordPress security is an often neglected topic, and with WordPress being
used for more complex and business-critical sites, it needs to be treated far
more seriously.
• It’s not uncommon to hear comments like “just install a security plugin and it’ll
be right!”. Security plugins and services are a step in the right direction, but
there are many other steps you can take to keep your site secure.
• In this presentation, Chris will provide some practical advice on how you can
add additional layers of security to your WordPress website.
Overview
• Who Is This Guy?
• Why Should I Care?
• How Sites Are Compromised
• Prevention
• Practical Detection
• What Can You Do?
• Further Resources
Who Is This Guy?
• Chris Burgess
• Passionate about web development, security and digital
marketing
• Passionate about keeping up-to-date with the latest web
technologies
Why Should I Care?
Is This How You Feel About The Topic?
Not Everyone Loves Security But Everyone Should
Care About It.
• Are you a WordPress developer?
• Do you have your own WordPress site?
• Do you manage WordPress sites for your clients?
If you answered “Yes” to any of the above questions, then you should factor
WordPress security practices into your workflow.
Security Is Not Absolute. It’s About
Risks And Managing The Risks.
It’s all about context…
“Security is not a product, security is a
process"
Bruce Schneier
Probability vs Severity
Don’t Wait Until You See Something Like This Before
You Care.
https://www.google.com/webmasters/hacked/
Be Proactive. Not Just Reactive.
http://www.dailymail.co.uk/news/article-1388660/Mississippi-River-flooding-Residents-build-homemade-dams-saves-houses.html
There Is No Such Thing As Absolute
Security But You Can Reduce Risks
How Sites Are Compromised
Common Myths And Misconceptions
“WordPress sites always get hacked.”
“No one is interested in attacking my site.”
“I’ve got nothing valuable for anyone to steal.”
“Security is not my problem, my host/developer/plugin takes care
of security for me.”
Attackers
• A person or group who’s trying to attack your site
• It may be personal, but most of the time you are simply a victim of opportunity
• Typically, your website is just one faceless entity on a massive list of
sites/addresses being scanned and probed.
• Mostly motivated by economic gain
They Can Do It Via…
OUT OF DATE OR VULNERABLE THEMES
OUT OF DATE OR VULNERABLE PLUGINS
OUT OF DATE VERSION OF WORDPRESS
INTEGRATIONS
POOR PROCESSES
BAD PASSWORDS AND
PASSWORD MANAGEMENT
MISCONFIGURATION
HUMAN ERROR
Sucuri Website Hacked Trend Report 2018
https://sucuri.net/reports/2018-hacked-website-report/
What Sites Are Mostly Affected?
https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
https://www.google.com/webmasters/hacked/
Real example of a compromised site in Google search results
Real Example of a DoS attack
Google Search Console
Netregistry email about compromised site
Real example of a malicious plugin
Real example of a malicious file
Google Search Console
Ahrefs and Google Search Console
Real example of black hat SEO
Real example of anchor text from ahrefs.
Real example of links in Google Search Console
Real example of a malicious plugin.
Real example of black hat SEO.
Why WordPress Is A Popular Target?
https://trends.builtwith.com/cms/country/Australia
https://trends.builtwith.com/cms
Example Of WordPress Vulnerabilities
Source: http://wptavern.com
“Most successful WordPress hack attacks are typically the result of human error,
be it a configuration error or failing to maintain WordPress, such as keeping
core and all plugins up to date, or installing insecure plugins etc.”
- Robert Abela (@robertabela)
What Are The Impacts On Businesses?
• Loss in revenue and customers
• Cost of professional help, your time & resources
• Potential legal and compliance issues
• Affects brand reputation
• Compromise to your visitors
• Loss of trust and confidence amongst clients
IMPACTS BOTTOM LINE
DAMAGE TO REPUTATION
STRESS ON TEAM
TECHNICAL ISSUES
• Causes you unnecessary stress dealing with it
• Causes stress to your team
• Causes stress to colleagues and clients
• Domain & IP reputation, website blacklisting & email deliverability
• SEO and SEM impacts
• Downtime and outages
Prevention
Security Plugins
https://www.wordfence.com/
https://sucuri.net/
https://ithemes.com/security/
Defense in depth
https://technet.microsoft.com/en-us/library/cc512681.aspx
"Is Penetration Testing Worth it? There are two reasons
why you might want to conduct a penetration test. One,
you want to know whether a certain vulnerability is
present because you're going to fix it if it is. And two,
you need a big, scary report to persuade your boss to
spend more money. If neither is true, I'm going to save
you a lot of money by giving you this free penetration
test: You’re vulnerable. Now, go do something useful
about it."
-- Bruce Schneier
http://www.schneier.com/blog/archives/2007/05/is_penetration.html
https://www.edureka.co/blog/what-is-cybersecurity/
Defense In Depth
“While we boast the idea of employing a defense in depth strategy in the design
of our offering, we can’t say it’s the only defense in depth strategy an
organization will need. The strategy involves much more than our tools. Instead,
we say that we are a complementary solution to your existing security posture
and we encourage you to use any other tools you require to round out your
defensive position.”
Sucuri
https://bigideatech.com/how-a-defense-in-depth-strategy-protects-businesses-from-ransomware-and-other-cyberattacks/
https://www.slideshare.net/helhum/typo3-develop
https://newsroom.fb.com/news/2019/01/designing-security-for-billions/
Defense In Depth
• We can't talk about WordPress security without talking about the other layers.
• While more layers help secure our assets, they also introduce other issues
such as complacency and a false sense of security.
• UX: additional security measures can be cumbersome to manage (that said,
I'd rather manage these issues than deal with a security incident).
Practical Detection
Tools
• You can’t rely only on tools, they won’t always detect a compromise.
• Most WordPress security tools work by using signatures.
• Scanning your site with online tools only works if your site is serving active
malware, is defaced or has already been blacklisted.
• If a site has been compromised, it cannot be trusted.
WPScan
Example of WPScan
1500+ Files In A Default WordPress Installation –
Excluding Themes & Plugins.
• WordPress relies on many popular open source libraries (as does most
software).
• Here are a few of the most common ones:
• jQuery
• jQuery Masonry
• jQuery Hotkeys
• jQuery Suggest
• jQuery Form
• jQuery Color
• jQuery Migrate
• jQuery Schedule
• jQuery UI
• Backbone
• colorpicker
• hoverIntent
• SWFObject
• TinyMCE
• Atom Lib
• Text Diff
• SimplePie
• Pomo
• ID3
• Snoopy
• PHPMailer
• POP3 Class
• PHPass
• PemFTP
Isolation
• Look out for a shared web root, “addon” domains in cPanel, other web apps in
subfolders.
example.com/index.php
example.com/otherapp/
example.com/*
A Word On Staging/Test Environments
• While it’s never been easier to clone, copy or spin up a new instance of an
environment, it’s also never been easier to lose track of these environments
and leave them unmanaged.
• In many respects, these are softer targets than your production sites, so make
sure they’re protected.
Checking Content
• Check your site from both the back end (the files on the server) and the front
end (what a visitor’s browser actually receives). This matters because malware
often hides itself, for example by only injecting content for search engine
crawlers or particular user agents, so either view on its own can miss it.
• Grep for server side
• ScreamingFrog for crawling Internet facing (rendered) content
If The Server Has Been Compromised,
It Cannot Be Trusted.
System Monitoring
• Resources (Bandwidth/CPU/RAM/IO)
• Logins
• Processes
Integrity Monitoring
• Tripwire
• git
• wp-cli
• Any diff tools
• Plugins
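As an added example (not from the slides or from any of the tools listed above), the bash script below implements the bare idea behind every integrity monitor on that list: hash every file once, keep the manifest somewhere the web server account cannot write, and diff the live tree against it on a schedule. For core and wordpress.org plugins, `wp core verify-checksums` and `wp plugin verify-checksums` compare against upstream checksums and need no baseline of your own; a manifest like this one also covers themes, custom code and uploads. It assumes GNU coreutils and findutils on Linux; the directory layout and file contents in the demo are constructed.

```bash
#!/usr/bin/env bash
# Added example, not part of the original slides: a minimal file-integrity
# baseline for a WordPress tree built from sha256sum manifests.
# Assumes GNU coreutils/findutils (Linux); $1 is the WordPress root directory.

# Write a manifest ("<sha256>  ./relative/path" per file) for the tree at $1 to $2.
# Store the manifest where the web server user cannot write: an attacker who can
# modify the site could otherwise rewrite the baseline to match the tampered files.
make_baseline() {
  local root="$1" manifest="$2"
  ( cd "$root" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 ) > "$manifest"
}

# Compare the live tree at $1 against manifest $2.
# Prints one "ADDED|REMOVED|MODIFIED <path>" line per difference and returns 1
# when anything changed, 0 when the tree still matches, so a cron job can alert
# on a non-zero exit status.
check_integrity() {
  local root="$1" manifest="$2" current report
  current="$(mktemp)"
  make_baseline "$root" "$current"
  # sha256sum lines are 64 hex chars, two spaces, then the path: the path starts
  # at column 67, which keeps paths containing spaces intact.
  report="$(awk '
    NR == FNR { base[substr($0, 67)] = $1; next }
              { now[substr($0, 67)]  = $1 }
    END {
      for (p in now)  if (!(p in base)) print "ADDED " p
      for (p in base) if (!(p in now)) print "REMOVED " p; else if (base[p] != now[p]) print "MODIFIED " p
    }' "$manifest" "$current" | LC_ALL=C sort)"
  rm -f "$current"
  [ -z "$report" ] && return 0
  printf '%s\n' "$report"
  return 1
}

# Stand-alone demo on a constructed tree: take a baseline, then plant one
# change of each kind and run the check again.
demo_integrity() {
  local root manifest
  root="$(mktemp -d)"; manifest="$(mktemp)"
  mkdir -p "$root/wp-content/plugins/hello"
  printf '<?php // constructed core-like file\n' > "$root/wp-settings.php"
  printf '<?php // constructed plugin file\n'    > "$root/wp-content/plugins/hello/hello.php"
  printf '<?php // stale plugin file\n'          > "$root/wp-content/plugins/hello/old.php"
  make_baseline "$root" "$manifest"
  check_integrity "$root" "$manifest" && echo "baseline matches"
  printf '<?php @eval($_POST["x"]);\n' >> "$root/wp-settings.php"                   # modified
  printf '<?php // dropped file\n' > "$root/wp-content/plugins/hello/.cache.php"      # added
  rm "$root/wp-content/plugins/hello/old.php"                                         # removed
  check_integrity "$root" "$manifest" || echo "exit status 1: tree differs from baseline"
  rm -rf "$root" "$manifest"
}
demo_integrity
```

Run `make_baseline` right after a clean deploy and again after every update you make yourself; a `check_integrity` that reports changes you did not make is the signal. Dynamic directories such as caches and uploads produce noise, so either exclude them from the baseline or review them with different rules.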
Firewalls
• Network Firewalls
• Web Application Firewalls
• Security Services
• Proxies
IDS/IPS
• Typically at the host level
• OSSEC
Logging
• /var/log (access, error, php)
• Centralised Logging or Log Shipping
• Audit trails
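The web server access log is usually the first place an attack in progress shows up. As an added example (not from the slides), the bash function below picks out credential brute forcing against wp-login.php and xmlrpc.php from a combined-format Apache/Nginx access log. The log lines it runs over are constructed and use documentation IP ranges; on a real host you would point it at something like /var/log/apache2/access.log.

```bash
#!/usr/bin/env bash
# Added example, not part of the original slides: detect login brute forcing in
# an access log written in the common "combined" format (client IP in field 1,
# request line in double quotes). Assumes awk, sort and seq are available.

# Print "<count> <ip> <path>" for every client that POSTed to wp-login.php or
# xmlrpc.php at least $2 times (default 20) in log file $1, busiest first.
# Caveat: a single xmlrpc.php request can carry hundreds of login attempts via
# system.multicall, so a low xmlrpc.php count can still be a serious attack.
find_login_bruteforce() {
  local logfile="$1" threshold="${2:-20}"
  awk -v t="$threshold" '
    # In combined format $6 is "\"POST" and $7 the request path (query string included).
    $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
      split($7, parts, "?")            # drop ?redirect_to=... so there is one key per path
      hits[$1 " " parts[1]]++
    }
    END { for (k in hits) if (hits[k] >= t) print hits[k], k }
  ' "$logfile" | sort -rn
}

# Write a constructed sample log to $1: one IP hammering wp-login.php, one bot
# probing xmlrpc.php, and a legitimate editor who logs in once.
write_sample_access_log() {
  local out="$1" i
  : > "$out"
  for i in $(seq 1 25); do
    printf '203.0.113.7 - - [12/May/2019:10:%02d:00 +1000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"\n' "$i" >> "$out"
  done
  for i in $(seq 1 5); do
    printf '198.51.100.9 - - [12/May/2019:10:%02d:30 +1000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.21.0"\n' "$i" >> "$out"
  done
  printf '192.0.2.44 - - [12/May/2019:10:05:00 +1000] "GET /about/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"\n' >> "$out"
  printf '192.0.2.44 - - [12/May/2019:10:06:00 +1000] "POST /wp-login.php?redirect_to=%%2Fwp-admin%%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
}

# Stand-alone demo: the attacker shows up at the default threshold, the
# xmlrpc.php probe only when the threshold is lowered, the editor never.
demo_bruteforce() {
  local log
  log="$(mktemp)"
  write_sample_access_log "$log"
  echo "== threshold 20 =="; find_login_bruteforce "$log" 20
  echo "== threshold 5 ==";  find_login_bruteforce "$log" 5
  rm -f "$log"
}
demo_bruteforce
```

The same counting logic is what a host-level IDS or a WAF rule does continuously; running it by hand over yesterday's log is a quick way to see whether your rate limits and lockouts are actually catching what hits the site.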
Places To Check…
• Content/files
• Running processes
• Running scripts, open files (look at full paths in processes)
• Memory
• Cron jobs
• Database
• Date and timestamps
• Suspicious plugins
• Suspicious directories/files
• Sitemaps/SERPs
• WordPress Admin Users
• Other users in GSC
• Code audit
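As an added example (not part of the slides), here is a bash triage script that automates three of the places listed above, and the "grep for server side" step from Checking Content, on the server: it greps PHP for common injection indicators, looks for executable PHP under wp-content/uploads, and lists recently modified files. The indicator list is my own, the directory layout and sample files are constructed, and it assumes GNU grep/find on Linux.

```bash
#!/usr/bin/env bash
# Added example, not part of the original slides: server-side content triage of a
# WordPress web root. Assumes GNU grep/find on Linux and that the first argument
# to each function is the WordPress root (the directory holding wp-config.php).

# Indicators common in injected PHP: runtime evaluation, decoding of embedded
# payloads, and superglobals invoked as functions ($_GET["f"](...)).
# A hit is a lead, not a verdict; some legitimate libraries call base64_decode.
SUSPICIOUS_PHP_REGEX='\b(eval|assert|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)[[:space:]]*\(|\$_(GET|POST|REQUEST|COOKIE)\[[^]]*\][[:space:]]*\('

# "path:line:text" for every line of a .php file that matches the indicators.
scan_suspicious_php() {
  grep -rEn --include='*.php' "$SUSPICIOUS_PHP_REGEX" "$1" 2>/dev/null || true
}

# Number of distinct PHP files with at least one indicator hit.
count_suspicious_php_files() {
  scan_suspicious_php "$1" | cut -d: -f1 | sort -u | wc -l | tr -d ' '
}

# wp-content/uploads should contain media only; executable PHP there is a
# classic dropper location and deserves an immediate look.
find_php_in_uploads() {
  local uploads="$1/wp-content/uploads"
  [ -d "$uploads" ] || return 0
  find "$uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null
}

# Files modified in the last N days (default 7). Anything you or your deploy
# process did not touch is what you are looking for.
find_recently_modified() {
  find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
}

# Stand-alone demo on a constructed tree: one clean plugin file, one planted
# dropper hiding under a cache-like name, one PHP file inside uploads.
demo_content_triage() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/wp-content/plugins/clean" "$root/wp-content/uploads/2019/05"
  printf '<?php echo esc_html( get_option( "blogname" ) );\n' > "$root/wp-content/plugins/clean/clean.php"
  printf '<?php eval(base64_decode($_POST["c"]));\n'          > "$root/wp-content/plugins/clean/wp-cache.php"
  printf '<?php $_GET["f"]($_GET["a"]);\n'                    > "$root/wp-content/uploads/2019/05/img.php"
  echo "== indicator hits ==";        scan_suspicious_php "$root"
  echo "== PHP under uploads ==";     find_php_in_uploads "$root"
  echo "== modified in last day =="; find_recently_modified "$root" 1
  rm -rf "$root"
}
demo_content_triage
```

Treat the output as a work list, not a verdict: open each flagged file and read it. Date stamps are only a hint, since attackers can set mtime to blend in, which is why the integrity baseline and the front-end crawl are worth doing as well. The admin-user and cron checks on the list are quick by hand (`wp user list --role=administrator`, `crontab -l` for the web server user and a look through /etc/cron.d).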
What Can You Do?
Image Source: https://twitter.com/sittingduckdev
Security issues typically occur because of certain
patterns. Cleaning, restoring or rebuilding doesn’t
address that. Compromised sites are much more likely
to become compromised again. Get everyone on board
to take security seriously.
What Can You Do?
• Establish basic processes
• Practice the principle of least privilege (POLP)
• Take backups seriously
• Be ruthless with your Plugin choices
• Maintain
• Monitor
• Choose a good host
Be Practically Paranoid
http://favoritememes.com/_nw/37/42148895.jpg
Practice Principle Of Least Privilege
Regular Backups & Offsite Storage
• Server Level Backups - cPanel/Plesk, Replication, Snapshots
• Backup Services
• Backup Plugins - Updraft Plus, WordPress Backup to Dropbox, VaultPress,
Backup Buddy, Duplicator etc.
• Manual Backups
• Exports
IMPORTANT: Don’t have publicly accessible backups (e.g /backup.zip) or config files
(wp-config.php.old)
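Anything under the document root is served to whoever guesses its name unless the web server is explicitly told otherwise, and a copy of wp-config.php with a different extension is handed out as plain text, database credentials included. As an added example (not from the slides), the bash script below lists archives, dumps, backup copies of wp-config.php, logs and version-control directories under a web root and turns them into URLs to confirm from outside. The web root and files are constructed and `https://example.com` is a placeholder; it assumes GNU find.

```bash
#!/usr/bin/env bash
# Added example, not part of the original slides: find files under a web root
# that the web server will serve to anyone who guesses the URL. Assumes GNU find;
# $1 is the document root, $2 (where used) the public site URL.

# Every file whose name suggests an archive, database dump, backup copy or log.
# wp-config.php itself is executed as PHP, so it is deliberately not listed;
# wp-config.php.old, .bak, ~ and friends are served as text.
find_exposed_files() {
  find "$1" -type f \( \
       -name '*.zip' -o -name '*.tar' -o -name '*.tar.gz' -o -name '*.tgz' \
    -o -name '*.sql' -o -name '*.sql.gz' -o -name '*.sql.zip' \
    -o -name '*.bak' -o -name '*.old' -o -name '*.orig' -o -name '*.swp' -o -name '*~' \
    -o -name '*.log' -o -name '.env' -o -name 'wp-config.php.*' \
  \) 2>/dev/null | LC_ALL=C sort
}

# Version-control metadata under the web root leaks the full source history,
# including anything that was ever committed to wp-config.php.
find_exposed_vcs_dirs() {
  find "$1" -type d \( -name '.git' -o -name '.svn' -o -name '.hg' \) 2>/dev/null | LC_ALL=C sort
}

# Turn the findings into URLs to confirm from outside (curl -I each one).
# Some hosts block a few of these at the web-server layer; verify, don't assume.
exposed_urls() {
  local webroot="$1" site="${2%/}" path
  { find_exposed_files "$webroot"; find_exposed_vcs_dirs "$webroot"; } |
  while IFS= read -r path; do
    printf '%s/%s\n' "$site" "${path#"$webroot"/}"
  done
}

# Stand-alone demo on a constructed document root.
demo_exposed() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/wp-content" "$root/.git"
  : > "$root/index.php"; : > "$root/wp-config.php"        # normal, executed as PHP
  : > "$root/wp-config.php.old"                           # readable copy of the DB credentials
  : > "$root/backup-2019-05-12.zip"; : > "$root/db.sql"   # full-site and database dumps
  : > "$root/wp-content/debug.log"                        # WP_DEBUG_LOG output, full paths inside
  exposed_urls "$root" "https://example.com"
  rm -rf "$root"
}
demo_exposed
```

The fix is to keep backups and old config copies outside the document root (or off the server entirely, per the offsite-storage point above) rather than to rely on a deny rule; the deny rule is a second layer, not the first.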
Choose Only Quality Plugins
Regular Website Maintenance
“Patch early and patch often”
Use Isolation
• Separate Users/Servers/Instances
• Keeps attacks isolated
• Far more advantages than disadvantages
Use SSL/TLS (HTTPS)
• Certificates are now free on most good hosts
• Make sure it’s configured correctly: redirect HTTP to HTTPS and serve every
asset over HTTPS so there is no mixed content (or use Really Simple SSL to
handle this for you)
Use Strong Encryption Everywhere
• SFTP/SCP
• SSH
• HTTPS
• Avoid the unencrypted “less secure” alternatives such as plain FTP and HTTP
Use Google Search Console
Use Password/Key Management
• LastPass
• Dashlane
• 1Password
• Browser Password Manager
• Native OS
• KeePass
• Passwordsafe
Use Two Factor Authentication
Maintain Server Security
• Monitoring
• Integrity Monitoring
• Firewalls
• IDS/IPS
• Logging
Just Because…
• We don’t rely ONLY on security plugins doesn’t mean we shouldn’t use
them…
• Sucuri, Wordfence, iThemes Security etc. are all excellent choices. Learn to
use them effectively.
• For high value assets, I’d highly recommend paying for a premium licence.
Further Resources
Reading
• WordPress Docs/Codex
• OWASP
• OS/Platform Specific Resources (AWS, Ubuntu, Docker etc.)
• Host Management Specific Resources (Plesk, cPanel etc.)
• Stay Updated
Other Resources
• WordPress.org
• https://wordpress.org/about/security/
• https://wordpress.org/news/category/security/
• Google Safe Browsing -
https://www.google.com/transparencyreport/safebrowsing/diagnostic/
• OWASP WordPress Security -
https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
• https://wpvulndb.com/
• https://www.wpsecuritybloggers.com
• https://www.wpwhitesecurity.com
• https://sucuri.net/
• https://wpscan.org/
Places to Learn about General Web App Security
• OWASP (global): https://www.owasp.org/index.php/Main_Page
• OWASP Melbourne: https://www.meetup.com/Application-Security-OWASP-Melbourne/
https://wpaustralia.org/
Chris Burgess ∙ @chrisburgess ∙ https://chrisburgess.com.au/
Thanks/Questions?

Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelDeepika Singh
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsNanddeep Nachan
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...Zilliz
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProduct Anonymous
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxRemote DBA Services
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Victor Rentea
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesrafiqahmad00786416
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfOrbitshub
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistandanishmna97
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityWSO2
 

Kürzlich hochgeladen (20)

Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
Biography Of Angeliki Cooney | Senior Vice President Life Sciences | Albany, ...
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers:  A Deep Dive into Serverless Spatial Data and FMECloud Frontiers:  A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdfRising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
Rising Above_ Dubai Floods and the Fortitude of Dubai International Airport.pdf
 
CNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In PakistanCNIC Information System with Pakdata Cf In Pakistan
CNIC Information System with Pakdata Cf In Pakistan
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 

Professional WordPress Security: Beyond Security Plugins

  • 1. Professional WordPress Security: Beyond Security Plugins Chris Burgess ∙ @chrisburgess ∙ https://chrisburgess.com.au/
  • 2. About This Presentation
    • WordPress security is an often neglected topic, and with WordPress being used for more complex and business-critical sites, it needs to be treated far more seriously.
    • It’s not uncommon to hear comments like “just install a security plugin and it’ll be right!”. Security plugins and services are a step in the right direction, but there are many other steps you can take to keep your site secure.
    • In this presentation, Chris will provide some practical advice on how you can add additional layers of security to your WordPress website.
  • 3. Overview
    • Who Is This Guy?
    • Why Should I Care?
    • How Sites Are Compromised
    • Prevention
    • Practical Detection
    • What Can You Do?
    • Further Resources
  • 4. Who Is This Guy?
    • Chris Burgess
    • Passionate about web development, security and digital marketing
    • Passionate about keeping up-to-date with the latest web technologies
  • 5. Why Should I Care?
  • 6. Is This How You Feel About The Topic?
  • 7. Not Everyone Loves Security But Everyone Should Care About It.
    • Are you a WordPress developer?
    • Do you have your own WordPress site?
    • Do you manage WordPress sites for your clients?
    If you answered “Yes” to any of the above questions, then you should factor WordPress security practices into your workflow.
  • 8. Security Is Not Absolute. It’s About Risks And Managing The Risks. It’s all about context…
  • 9. “Security is not a product, security is a process” – Bruce Schneier
  • 11. Don’t Wait Until You See Something Like This Before You Care. https://www.google.com/webmasters/hacked/
  • 12. Be Proactive. Not Just Reactive. http://www.dailymail.co.uk/news/article-1388660/Mississippi-River-flooding-Residents-build-homemade-dams-saves-houses.html
  • 13. There Is No Such Thing As Absolute Security But You Can Reduce Risks
  • 14. How Sites Are Compromised
  • 15. Common Myths And Misconceptions
    • “WordPress sites always get hacked.”
    • “No one is interested in attacking my site.”
    • “I’ve got nothing valuable for anyone to steal.”
    • “Security is not my problem, my host/developer/plugin takes care of security for me.”
  • 17. Attackers
    • A person or group who’s trying to attack your site
    • It may be personal, but the majority of the time you’re just a victim of opportunity
    • Typically, your website is just one faceless entity on a massive list of sites/addresses being scanned and probed.
    • Mostly motivated by economic gain
  • 18. They Can Do It Via…
    • Out of date or vulnerable themes
    • Out of date or vulnerable plugins
    • Out of date version of WordPress
    • Integrations
    • Poor processes
    • Bad passwords and password management
    • Misconfiguration
    • Human error
  • 19. Sucuri Website Hacked Trend Report 2018 https://sucuri.net/reports/2018-hacked-website-report/
  • 20. What Sites Are Mostly Affected? https://enterprise.verizon.com/resources/executivebriefs/2019-dbir-executive-brief.pdf
  • 23. Real example of a compromised site in Google search results
  • 24. Real example of a compromised site in Google search results
  • 25. Real Example of a DoS attack
  • 27. Netregistry email about compromised site
  • 28. Real example of a malicious plugin
  • 29. Real example of a malicious file
  • 31. Ahrefs and Google Search Console
  • 32. Real example of black hat SEO
  • 33. Real example of anchor text from ahrefs.
  • 34. Real example of links in Google Search Console
  • 36. Real example of a malicious plugin.
  • 37. Real example of a malicious plugin.
  • 38. Real example of black hat SEO.
  • 39. Why Is WordPress A Popular Target? https://trends.builtwith.com/cms/country/Australia and https://trends.builtwith.com/cms
  • 40. Example Of WordPress Vulnerabilities Source: http://wptavern.com
  • 41. “Most successful WordPress hack attacks are typically the result of human error, be it a configuration error or failing to maintain WordPress, such as keeping core and all plugins up to date, or installing insecure plugins etc.” - Robert Abela (@robertabela)
  • 42. What Are The Impacts On Businesses?
    IMPACTS BOTTOM LINE
    • Loss in revenue and customers
    • Cost of professional help, your time & resources
    • Potential legal and compliance issues
    DAMAGE TO REPUTATION
    • Affects brand reputation
    • Compromise to your visitors
    • Loss of trust and confidence amongst clients
    STRESS ON TEAM
    • Causes you unnecessary stress dealing with it
    • Causes stress to your team
    • Causes stress to colleagues and clients
    TECHNICAL ISSUES
    • Domain & IP reputation, website blacklisting & email deliverability
    • SEO and SEM impacts
    • Downtime and outages
  • 46. "Is Penetration Testing Worth it? There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You’re vulnerable. Now, go do something useful about it." -- Bruce Schneier http://www.schneier.com/blog/archives/2007/05/is_penetration.html
  • 48. Defense In Depth “While we boast the idea of employing a defense in depth strategy in the design of our offering, we can’t say it’s the only defense in depth strategy an organization will need. The strategy involves much more than our tools. Instead, we say that we are a complementary solution to your existing security posture and we encourage you to use any other tools you require to round out your defensive position.” Sucuri
  • 52. Defense In Depth
    • We can't talk about WordPress security without talking about the other layers.
    • While more layers help secure our assets, they also introduce other issues such as complacency and a false sense of security.
    • UX: additional security measures can be cumbersome to manage. (That said, I'd rather manage these issues than deal with a security incident.)
  • 54. Tools
    • You can’t rely only on tools; they won’t always detect a compromise.
    • Most WordPress security tools work by using signatures.
    • Scanning your site with online tools works only if your site has active malware, is defaced or is blacklisted.
    • If a site has been compromised, it cannot be trusted.
  • 58. 1500+ Files In A Default WordPress Installation – Excluding Themes & Plugins.
    • WordPress relies on many popular Open Source libraries (as does most software).
    • Here are a few of the most common ones:
      • jQuery
      • jQuery Masonry
      • jQuery Hotkeys
      • jQuery Suggest
      • jQuery Form
      • jQuery Color
      • jQuery Migrate
      • jQuery Schedule
      • jQuery UI
      • Backbone
      • colorpicker
      • hoverIntent
      • SWFObject
      • TinyMCE
      • Atom Lib
      • Text Diff
      • SimplePie
      • Pomo
      • ID3
      • Snoopy
      • PHPMailer
      • POP3 Class
      • PHPass
      • PemFTP
  • 59. Isolation • Look out for a shared web root, “addon” domains in cPanel, other web apps in subfolders.
  • 64. A Word On Staging/Test Environments
    • While it’s never been easier to clone, copy or spin up a new instance of an environment, it’s also never been easier to lose track of these environments and stop managing them.
    • In many respects, these are softer targets than your production sites, so make sure they’re protected.
  • 65. Checking Content
    • You can check your site from both a back end and a front end perspective. This is particularly useful because malware takes measures to hide its existence, so what the server’s files show and what visitors are served can differ.
    • Grep for the server side
    • ScreamingFrog for crawling Internet-facing (rendered) content
  • 66. If The Server Has Been Compromised, It Cannot Be Trusted.
  • 67. System Monitoring
    • Resources (Bandwidth/CPU/RAM/IO)
    • Logins
    • Processes
  • 68. Integrity Monitoring
    • Tripwire
    • git
    • wp-cli
    • Any diff tools
    • Plugins
  • 69. Firewalls
    • Network Firewalls
    • Web Application Firewalls
    • Security Services
    • Proxies
  • 70. IDS/IPS
    • Typically at the host level
    • OSSEC
  • 71. Logging
    • /var/log (access, error, php)
    • Centralised Logging or Log Shipping
    • Audit trails
  • 72. Places To Check…
    • Content/files
    • Running processes
    • Running scripts, open files (look at full paths in processes)
    • Memory
    • Cron jobs
    • Database
    • Date and timestamps
    • Suspicious plugins
    • Suspicious directories/files
    • Sitemaps/SERPs
    • WordPress Admin Users
    • Other users in GSC
    • Code audit
  • 75. Security issues typically occur because of certain patterns. Cleaning, restoring or rebuilding doesn’t address that. Compromised sites are much more likely to become compromised again. Get everyone on board to take security seriously.
  • 76. What Can You Do?
    • Establish basic processes
    • Practice the principle of least privilege (POLP)
    • Take backups seriously
    • Be ruthless with your Plugin choices
    • Maintain
    • Monitor
    • Choose a good host
  • 78. Practice Principle Of Least Privilege
  • 79. Regular Backups & Offsite Storage
    • Server Level Backups - cPanel/Plesk, Replication, Snapshots
    • Backup Services
    • Backup Plugins - Updraft Plus, WordPress Backup to Dropbox, VaultPress, Backup Buddy, Duplicator etc.
    • Manual Backups
    • Exports
    IMPORTANT: Don’t have publicly accessible backups (e.g. /backup.zip) or config files (wp-config.php.old)
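The integrity monitoring and "places to check" slides above list Tripwire, git, wp-cli and "any diff tools" without showing what the check looks like, and the backup slide warns against stray copies such as wp-config.php.old in the web root. The script below is an added example, not from the slides or any of those tools: a baseline-and-compare integrity check built from sha256sum and awk, plus a sweep for leftover archives and config copies, run against a constructed mini web root so it works offline. It assumes POSIX sh with GNU or BSD coreutils (find -print0, sort -z, xargs -0, sha256sum) and file names without newlines or double spaces.

```shell
#!/bin/sh
# Added example, not from the slides: a small file-integrity check for a
# WordPress web root built from sha256sum and awk, in the spirit of the
# "Tripwire / git / any diff tools" options listed above, plus a sweep for
# stray backups and config copies inside the web root.
# Assumptions: POSIX sh with GNU or BSD coreutils (find -print0, sort -z,
# xargs -0, sha256sum); file names contain no newlines or double spaces.

# wp_baseline ROOT OUT
# Hash every regular file under ROOT (uploads and cache are skipped because
# they change legitimately) and write "hash  ./path" lines to OUT.
wp_baseline() {
    ( cd "$1" && find . -type f \
          ! -path './wp-content/uploads/*' \
          ! -path './wp-content/cache/*' -print0 \
        | LC_ALL=C sort -z | xargs -0 sha256sum ) > "$2"
}

# wp_verify ROOT BASELINE
# Re-hash ROOT and print one ADDED / MODIFIED / REMOVED line per difference
# against BASELINE. Returns 0 when the tree matches, 1 when it does not.
wp_verify() {
    current=$(mktemp) || return 2
    wp_baseline "$1" "$current"
    diffs=$(awk -F '  ' '
        FILENAME == ARGV[1] { base[$2] = $1; next }   # first file: baseline
        !($2 in base)       { print "ADDED    " $2; next }
        base[$2] != $1      { print "MODIFIED " $2 }
                            { delete base[$2] }
        END { for (p in base) print "REMOVED  " p }
    ' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$diffs" ] && return 0
    printf '%s\n' "$diffs"
    return 1
}

# wp_stray_files ROOT
# List archives, dumps and leftover config copies inside the web root
# (e.g. backup.zip, wp-config.php.old): the slides warn these must never
# be publicly reachable, so they should not live under the web root at all.
wp_stray_files() {
    ( cd "$1" && find . -type f \( -name '*.zip' -o -name '*.tar' \
          -o -name '*.tar.gz' -o -name '*.tgz' -o -name '*.sql' \
          -o -name '*.sql.gz' -o -name '*.bak' -o -name '*.old' \
          -o -name 'wp-config.php.*' \) | LC_ALL=C sort )
}

# wp_demo_fixture
# Build a constructed mini web root, record a baseline next to it, then
# change it the way a compromise might. Prints the fixture path; the
# baseline is written to "<path>.baseline".
wp_demo_fixture() {
    demo=$(mktemp -d) || return 2
    mkdir -p "$demo/wp-includes" "$demo/wp-content/uploads"
    printf '<?php // core\n' > "$demo/wp-includes/version.php"
    printf 'readme\n'        > "$demo/readme.html"
    printf 'img\n'           > "$demo/wp-content/uploads/a.jpg"
    wp_baseline "$demo" "$demo.baseline"
    printf '// injected\n' >> "$demo/wp-includes/version.php"    # modified core file
    printf '<?php\n'        > "$demo/wp-content/dropped.php"     # unexpected new PHP file
    cp "$demo/wp-includes/version.php" "$demo/wp-config.php.old" # leftover config copy
    rm  "$demo/readme.html"                                      # removed file
    printf 'img2\n'         > "$demo/wp-content/uploads/a.jpg"   # ignored: uploads
    printf '%s\n' "$demo"
}

demo_root=$(wp_demo_fixture)
wp_verify "$demo_root" "$demo_root.baseline" || echo "integrity check flagged changes"
echo "stray files:"; wp_stray_files "$demo_root"
rm -rf "$demo_root" "$demo_root.baseline"
```

In production the baseline belongs outside the web root (or in git, as the slide suggests) and the compare step runs from cron, with any non-zero exit raised as an alert rather than printed.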
  • 82. Regular Website Maintenance “Patch early and patch often”
  • 83. Use Isolation
    • Separate Users/Servers/Instances
    • Keeps attacks isolated
    • Far more advantages than disadvantages
  • 84. Use SSL
    • SSL is now free on most good hosts
    • Make sure it’s configured correctly (or use Really Simple SSL)
  • 85. Use Strong Encryption Everywhere
    • SFTP/SCP
    • SSH
    • HTTPS
    • Avoid “Less Secure” options
  • 86. Use Google Search Console
  • 87. Use Password/Key Management
    • LastPass
    • Dashlane
    • 1Password
    • Browser Password Manager
    • Native OS
    • KeePass
    • Passwordsafe
  • 88. Use Two Factor Authentication
  • 89. Maintain Server Security
    • Monitoring
    • Integrity Monitoring
    • Firewalls
    • IDS/IPS
    • Logging
  • 90. Just Because…
    • We don’t rely ONLY on security plugins doesn’t mean we shouldn’t use them…
    • Sucuri, Wordfence, iThemes Security etc. are all excellent choices. Learn to use them effectively.
    • For high value assets, I’d highly recommend paying for a premium licence.
  • 92. Reading
    • WordPress Docs/Codex
    • OWASP
    • OS/Platform Specific Resources (AWS, Ubuntu, Docker etc.)
    • Host Management Specific Resources (Plesk, cPanel etc.)
    • Stay Updated
  • 93. Other Resources
    • WordPress.org
      • https://wordpress.org/about/security/
      • https://wordpress.org/news/category/security/
    • Google Safe Browsing - https://www.google.com/transparencyreport/safebrowsing/diagnostic/
    • OWASP WordPress Security - https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
  • 94.
    • https://wpvulndb.com/
    • https://www.wpsecuritybloggers.com
    • https://www.wpwhitesecurity.com
    • https://sucuri.net/
    • https://wpscan.org/
  • 95. Places to Learn about General Web App Security
    • OWASP (global): https://www.owasp.org/index.php/Main_Page
    • OWASP Melbourne: https://www.meetup.com/Application-Security-OWASP-Melbourne/
  • 98. Chris Burgess ∙ @chrisburgess ∙ https://chrisburgess.com.au/ Thanks/Questions?

Editor's Notes

  1. Malware Family
     • Backdoor - Files used to reinfect and retain access.
     • Malware - Generic term used for browser-side code used to create drive-by downloads.
     • SPAM-SEO - Compromise that targets a website’s SEO.
     • HackTool - Exploit or DDoS tools used to attack other sites.
     • Defaced - Hacks that leave a website’s homepage unusable and promoting an unrelated subject (i.e., Hacktivism).
     • Phishing - Used in phishing lures in which attackers attempt to trick users into sharing sensitive information (i.e., login information, credit card data, etc.).