Securing your WordPress website - New Port Richey WP Meetup
1.
2. Presenter:
Tom Townsend
Tom is a Cloud Technical Manager for a Fortune Global company and also owns and
operates SMBsocial.com, a local WordPress agency.
Has been using WordPress since 2007
Co-Organizer of Tampa Bay WordPress Meetup
Co-Organizer – New Port Richey WordPress Meetup
Co-Organizer WordCamp Tampa 2014,2015,2016
Contact:
Email: tom@smbsocial.com
SMBsocial
https://www.linkedin.com/in/thomastownsend/
3. • Welcome to the first 2017 New Port Richey WordPress meetup.
• We're 1 of 6 Regional Meetups that make up the ecosystem of the
Tampa Bay WordPress Network / Community
4.
5. Cyber security is the Hot Topic in 2017
• Cyber Attack
• Phishing
• Malicious Websites
• Ransomware: WannaCry, Petya
• Malware: GhostHook, PowerPoint
Social Engineering Attack,
downloader - hyperlink - subtitles
in Free Movies (video players like
Popcorn Time & VLC)
6. Where does YOUR website fit in?
• WordPress – Good and bad
• What do you need to watch out for, and how can you ensure your site is secure?
• From Hosting to WordPress Core, Plugins and Themes.
7. A few statistics
• According to a survey of hacked WordPress site owners, brute-force
attacks were the second most popular known method of hacking, with
password theft not too far down the list. These attacks should be a very
real concern for WordPress users.
• July 03, 2017 - SQL injection vulnerability found in popular WordPress plug-in
https://www.scmagazineuk.com/sql-injection-vulnerability-found-in-popular-wordppress-plug-in-again/article/672839/
• April 2017 Home Routers Used to Hack WordPress Sites -
There's a group of hackers who are hijacking unsecured home routers and
using these devices to launch coordinated brute-force attacks on the
administration panel of WordPress sites. The purpose of these attacks is
for the hackers to guess the password for the admin account and take over
the attacked site.
https://www.bleepingcomputer.com/news/security/home-routers-used-to-hack-wordpress-sites/
8. It's NOT just WordPress sites getting hacked:
• June 2017
• Year-old vulnerability allowed pro-ISIS hackers to hack US Government websites
• Affected websites reportedly included (amongst others) the Department of Health for the state of
Washington, the Rhode Island Department of Education, the official websites of Ohio Governor
John Kasich and his wife, as well as the Ohio Department of Rehabilitation and Corrections.
• All of the compromised websites were running the same content management system –
DotNetNuke (better known as DNN).
• There's nothing inherently wrong with running DNN to power your website, but what is a very
bad idea is not keeping your content management system up-to-date: the version of DNN
running on the defaced websites was version 7.0, released way back in 2015, while the
latest edition of DNN is version 9.01.
https://hotforsecurity.bitdefender.com/blog/year-old-vulnerability-allowed-pro-isis-hackers-to-hack-us-government-websites-18289.html
9. It's NOT just WordPress sites getting hacked:
April 2017
• Phishing scammers exploit Wix web hosting
Criminals flock to free web services to establish their attack infrastructure.
The latest example: a group using free website host Wix for its phishing pages.
http://www.infoworld.com/article/3187346/security/phishing-scammers-exploit-wix-web-hosting.html
10.
11. The BIG 8 Mistakes that “WILL” Co$t YOU
• Mistake #1: Shoddy Hosting **
• Mistake #2: Failing to Keep Up to Date ***
• Mistake #3: Using Insecure Login Information
• Mistake #4: Installing Themes and Plugins from Untrustworthy Sources
• Mistake #5: Hoarding Unused Plugins, Themes, and User Accounts
• Mistake #6: Failing to Back Up Regularly
• Mistake #7: Not Using WordPress-internal Security Measures
• Mistake #8: Not Using a Security Plugin *
12. Mistake #1: Shoddy Hosting
Unmasked: What 10 million passwords reveal about the people who choose them
DISCLAIMER: WPEngine Affiliate Link:
13. Mistake #2: Failing to Keep Up to Date
Automatic background updates cover security updates, and WordPress also supports
automatically installing major releases, plugins, themes, or even regular SVN checkouts!
• Automatic background updates were introduced in WordPress 3.7 in an effort to
promote better security, and to streamline the update experience overall. By
default, only minor releases – such as for maintenance and security purposes –
and translation file updates are enabled on most sites. In special cases, plugins
and themes may be updated.
• In WordPress, there are four types of automatic background updates:
• Core updates
• Plugin updates
• Theme updates
• Translation file updates
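The defaults above (minor core releases and translations only) can be widened per site through the WordPress update filters. The following must-use plugin is an added example, not code from the presentation; it turns on major core updates, auto-updates every plugin except a hypothetical hold-back list, and auto-updates every theme except the active one. The plugin slug `example-payment-gateway` is a placeholder.

```php
<?php
/**
 * Plugin Name: Auto-Update Policy
 * Added example, not from the presentation. Drop into wp-content/mu-plugins/
 * (must-use plugins load before regular plugins, so the policy covers all of them).
 */

// Core: minor/security releases are on by default; opt in to major releases too.
// (Equivalent to define( 'WP_AUTO_UPDATE_CORE', true ); in wp-config.php.)
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Translation files: on by default, stated here explicitly.
add_filter( 'auto_update_translation', '__return_true' );

// Plugins: update everything automatically except a short hold-back list of
// slugs that need a manual test after each release (hypothetical list).
function aup_should_auto_update_plugin( $update, $item ) {
    $hold_back = array( 'example-payment-gateway' ); // hypothetical plugin slug
    if ( isset( $item->slug ) && in_array( $item->slug, $hold_back, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_plugin', 'aup_should_auto_update_plugin', 10, 2 );

// Themes: update every theme except the active one (and its parent), because
// edits made directly to an active theme would be overwritten by an update.
function aup_should_auto_update_theme( $update, $item ) {
    $active = array( get_stylesheet(), get_template() );
    if ( isset( $item->theme ) && in_array( $item->theme, $active, true ) ) {
        return false;
    }
    return true;
}
add_filter( 'auto_update_theme', 'aup_should_auto_update_theme', 10, 2 );

// WordPress skips automatic updates when it detects a VCS checkout (.svn, .git).
// Only override this if the checkout is intentional and deploys are not VCS-driven:
// add_filter( 'automatic_updates_is_vcs_checkout', '__return_false' );
```

Check the result with WP-CLI (`wp plugin list --update=available`, `wp core check-update`) after a day or two; anything still pending is either held back by the policy or blocked by file ownership.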
14. Mistake #3: Using Insecure Login Information
https://www.entrepreneur.com/article/296269
15. Mistake #4: Installing Themes and Plugins from Untrustworthy Sources
• Only Install Themes, Plugins and Scripts From Their Official Source
• Using any software from a “FREE” Pirate site is NEVER a good idea!
• Many of these “Free Download” pirated themes have maliciously tweaked scripts that install a back door
which allows your site to be remotely controlled by hackers.
16. Mistake #5: Hoarding Unused Plugins, Themes, and User Accounts
Inactive Plugins: Use 'em or lose 'em
http://www.wpbeginner.com/beginners-guide/will-inactive-plugins-slow-down-wordpress-should-you-delete-inactive-plugins/
20. References
Steps to help secure your WordPress website
Strengthen your password
Use email in place of a username (Don't use Yahoo, AOL, Gmail etc. if you can avoid it)
Introduce two-factor authentication
Backup your WordPress site regularly
Secure wp-config.php file
Firewall Plugins (Security)
http://www.wpbeginner.com/plugins/best-wordpress-firewall-plugins-compared/
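The brute-force and password-guessing attacks from the statistics slide are what the firewall and login-protection plugins above defend against. As an added example (not code from the presentation or from any of the linked plugins), this must-use plugin shows the core of that defence: it counts failed logins per username and client address in WordPress transients and refuses further attempts for 15 minutes after 5 failures. The prefix `lt_` and both limits are assumptions chosen for the example; it assumes no reverse proxy in front of the site.

```php
<?php
/**
 * Plugin Name: Login Throttle
 * Added example, not from the presentation. Drop into wp-content/mu-plugins/.
 */

define( 'LT_MAX_ATTEMPTS', 5 );                    // assumed limit
define( 'LT_LOCKOUT_SECS', 15 * MINUTE_IN_SECONDS ); // assumed lockout window

// Transient key per (normalised username, client IP). Keying on the pair means
// one attacker cannot lock a legitimate user out from elsewhere. REMOTE_ADDR is
// only trustworthy without a reverse proxy; behind one, use the proxy's header.
function lt_key( $username ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'lt_' . md5( strtolower( trim( $username ) ) . '|' . $ip );
}

// Count each failure; every failure refreshes the expiry of the window.
function lt_record_failure( $username ) {
    $key   = lt_key( $username );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LT_LOCKOUT_SECS );
    if ( $count >= LT_MAX_ATTEMPTS ) {
        // Lockouts are worth logging: a burst of them is the signature of the
        // coordinated router-botnet attacks mentioned on the statistics slide.
        error_log( sprintf( 'login lockout: user=%s ip=%s', $username, lt_key( $username ) ) );
    }
}
add_action( 'wp_login_failed', 'lt_record_failure' );

// Runs after WordPress's own username/password check (priority 20), so a locked
// account is refused even when the password is correct.
function lt_check_lockout( $user, $username, $password ) {
    if ( '' === $username ) {
        return $user;
    }
    if ( (int) get_transient( lt_key( $username ) ) >= LT_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts',
            __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'lt_check_lockout', 30, 3 );

// A successful login clears the counter for that username/IP pair.
function lt_clear( $user_login, $user ) {
    delete_transient( lt_key( $user_login ) );
}
add_action( 'wp_login', 'lt_clear', 10, 2 );
```

Because the counter is per IP, a distributed attack like the hijacked-home-router campaign still needs a network-level firewall or WAF in front of the site; this throttle is the application-layer half of that defence.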
21. References
Use 2 Factor Authentication for WP Sites
https://torquemag.io/2016/04/5-two-factor-authentication-plugins-wordpress/
NOTE: Clef is no longer available – Launch-key is the replacement
https://updraftplus.com/launch-keyy-simple-secure-logins-wave-phone/
https://getkeyy.com/faqs/
https://wordpress.org/plugins/miniorange-2-factor-authentication/#description
https://wordpress.org/plugins/google-authenticator/
Also Consider:
• Google Authenticator or Authy
• Jetpack.com two factor through WordPress.com
Mobile Apps: iPhone /Android:
Google Authenticator App.
Authy 2-Factor Authentication App.
22. References
Manage your plugins and themes yourself or use a service provider to do this for you.
Look out for Bad Plugins:
Fake SEO plugin backdoors WordPress installation
Utilize a Managed Service Provider to Secure your websites
http://www.wp-servicemanager.com
23. References
Check out my personal curated WordPress resources.
Flipboard https://flipboard.com
Check out WordPress Toolkit by Tom Townsend
http://flip.it/EzcxyN
Check out CYBER SECURITY FOR ALL by Tom Townsend
http://flip.it/vByNn6
24. References
New Port Richey and Tampa Bay WordPress Meetup links.
https://www.meetup.com/New-Port-Richey-WordPress/
https://www.meetup.com/Tampa-Bay-WordPress/
https://tampabaywp.org/
https://www.facebook.com/groups/wptpa/
Slack – (Chat for Tampa Bay WordPress and associated Meetups)
tampabaywp.slack.com (This is by invite only so you need to request through the meetup either on Tampa
Bay WordPress or New Port Richey WordPress Meetup. All we need is an email to send you an invite.)