5. WHY DO HACKERS HACK?
• Make bank
• Build a zombie site army
• Share their nasty malware with the world
• Get your information
• They are bored
• They want to see if they can do it
@michele_butcher
6. WHY ARE THESE PEOPLE ATTACKING ME?
These days, it is not people but bots attacking your site. Hackers have programs that do the work for them.
Rarely is it people doing the hacking unless it is targeted. Strong opinion sites are a good example.
7. HOW DO THEY GET IN?
• Guess your login. If you know it, so can someone else. (Brute force attack or man in the middle)
• Denial of Service attack (DDoS): flooding your site with more traffic than it can handle
• Through a theme, file or plugin
• Through your FTP or cPanel. (Files set to read, write, execute. Brute force, anonymous login, shared hosting infection)
8. AND NOW FOR THE ONLY THING SCARY THAT I AM GOING TO SAY.
10. EVEN A TEST SITE OR A KNITTING SITE WITH ONLY 2 VISITORS CAN BE HACKED. IT CAN HAPPEN TO YOUR SITE.
It has happened to me, it can happen to you.
14. NEVER EVER EVER USE ADMIN AS
USER NAME OR PASSWORD AS
PASSWORD.
NEVER!
Got it?
15. ALWAYS CHANGE YOUR PREFIX NAME FROM WP_. LET IT BE ANYTHING OTHER THAN WP_.
FDHSFJKHS_ IS ALWAYS GOOD
I typically do not even look at what I am typing anymore when I make the WP prefix. The more random the better.
16. WHAT TO DO WHEN YOU HAVE TEMPORARY PEOPLE IN YOUR DASHBOARD
17. ALWAYS USE SFTP
Regular FTP is not secure. Do not use it unless the
server is only set up for FTP.
18. Only give them access to what they NEED, not what they want.
Just because they want to be an admin does not automatically make them one.
Guest bloggers should not be any more than a contributor.
19. If it is only a temporary login, delete their login when they have completed their job.
If they have posts on your site, you can knock them down to subscribers so they cannot change anything on your site.
If they are only doing work, delete them when their job is done.
20. Set up a file change detection
notification to know what they are
changing in your site.
iThemes Security and other security plugins
give you the option to see what all users are
doing when logged into the dashboard.
22. ITHEMES SECURITY PRO
Great all-encompassing, best-practices WordPress security plugin.
Two versions: a free and a premium.
http://ithemes.com/security
23. BRUTE PROTECT
If you are mainly worried about DDoS attacks, Brute Protect has you covered.
http://bruteprotect.com
24. WHO CAN SCAN MY SITE FOR MALWARE?
Google Webmaster Tools http://google.com/webmaster
VirusTotal https://virustotal.com
iThemes Security Pro http://ithemes.com/security
25. NEED AN EXTRA EYE ON YOUR SITE?
CloudFlare has a free and premium version.
http://cloudflare.com
27. UPDATE! UPDATE! UPDATE!
Update core, update plugins, update themes, update content, update everything and update often!
Outdated software is the biggest source of nearly all hacks: once something is patched, it is trivial to get into the old stuff.
28. IF YOU USE THEMES OR PLUGINS FROM ANY OF THE ENVATO SITES (THEMEFOREST, CODE CANYON), ALWAYS CHECK THE BOX TO BE NOTIFIED OF UPDATES. THEY WILL NOT TELL YOU OTHERWISE.
This is why the RevSlider SoakSoak infection was so widespread.
Many didn't know the plugin was built within the theme.
29. HAVE A MINIMALIST APPROACH TO PLUGINS AND THEMES.
• Only have the plugins you are using at that time on your site. You can always upload them again later.
• Only have the theme you are using on your site.
• If something is not active, delete it.
30. BACK UP YOUR SITE! SOMEWHERE, ANYWHERE, JUST HAVE A BACKUP COPY.
BackupBuddy from iThemes is a great choice.
iThemes Security will do a database backup for you.
http://ithemes.com/backupbuddy
31. ALWAYS BACK UP TO SOMEPLACE OTHER THAN YOUR SERVER. IF THE SERVER GETS HACKED, SO DOES YOUR BACKUP.
EVEN BACKING A COPY TO DROPBOX OR YOUR COMPUTER IS A BETTER OPTION.
32. DON’T LET YOUR SITE GET LONELY.
Lonely sites can turn into zombie sites and nobody wants a zombie.
33. IF YOUR WEBSITE GETS HACKED IT IS NOT THE END OF THE WORLD.
IT CAN AND WILL BE FIXED.
34. WHO CLEANS HACKED
WEBSITES?
Well I do over at WP Security Lock ~Smile~
http://wpsecuritylock.com
I apologize… had to do one shameful plug.
35. WHAT ARE OTHER WAYS I
CAN BE MORE SECURE?
40. IF THE LOGIN HAS TWO-FACTOR AUTHENTICATION, USE IT!
41. ANTI-VIRUS
PROTECT YOUR UNIT!
Yes, I even have an anti-virus on my Mac!
AVG and Avast have free versions as well as paid.
Kaspersky is great with Windows and Macs.
45. BACK UP EVERYTHING AND BACK IT UP OFTEN.
IF YOU FEAR YOU MIGHT LOSE INFORMATION, SAVE IT IN MORE THAN ONE SPOT. BITCASA, CARBONITE, AND EXTERNAL HARD DRIVES ARE GREAT OPTIONS OF BACKING UP DATA.
47. THANK YOU FOR ATTENDING!
Slides can be found at http://mlb.pw/wcstl2015
Michele Butcher
@michele_butcher
http://wpsecuritylock.com
http://cantspeakgeek.com