Mindfulness – “The quality or state of being conscious or aware of something.” Security can seem intimidating and complex for many, but we shouldn’t (can’t) let that stop us from doing everything we can to secure our WordPress sites and ourselves. After all, our websites are often part of our livelihood. In this session Adam addresses the “big picture” of personal and website security and breaks down the fundamental tasks needed for a strong security plan online. He provides an actionable checklist on what audience members can implement immediately to better secure themselves online in addition to their WordPress websites. After attending this session, audience members will have a better understanding of personal security online and how it affects website security as a whole, as well as steps they can take to mitigate risk in the future.
4. Did You Know?
$16 billion was stolen from 15.4 million U.S. consumers in 2016
5. Did You Also Know?
• There are 3.26 billion internet users as of December 2015; that’s over 40% of the world population.
• Only 44% of web traffic is from humans; 56% of web traffic is from bots, impersonators, hacking tools, scrapers and spammers.
6. What We’ll Cover Today
1. Personal Offline Security
2. Why and How Websites Get Hacked
3. What We All Should Be Doing
4. Going Above and Beyond
5. After the Hack
7. Adam W. Warner
• Open Source Community Manager
• Co-Founder at FooPlugins
• Discovered WordPress in 2005
• WordPress Community Addict
• Fan of Fractals
• Lover of Meatballs
• Proud Dad!
21. Pathways to a Successful Hack
• 41% get hacked through vulnerabilities in their
hosting platform
• 29% by means of an insecure theme
• 22% via a vulnerable plugin
• 8% because of weak passwords
54. How to Detect a Hacked Site
• Visit your site often
• Search for your site
• Unexplained spikes in traffic
• Investigate customer/visitor reports
• continued…
55. Detect a Hacked Site (cont’d…)
• Google Search Console (email alerts)
• Remote scanner
• Malware scanner
• Source code scanner
• Service that detects site changes
58. Use a Service
• Security is their core business
• Cleans files, databases, backdoors, etc.
• Removes malware warnings
• Removes your site from blacklists
• Helps services learn for the benefit of all
59. What To Do After Cleanup
• Change ALL passwords
• Read this again:
https://codex.wordpress.org/Hardening_WordPress
61. Thank You – Questions?
• Follow at:
• @WPDistrict
• @wpmodder
• My Blog Posts:
• http://wpdistrict.sitelock.com
• http://succeedwithwp.com
• https://fooplugins.com
Editor’s notes
Security can seem intimidating and complex for many of us, but we shouldn’t (can’t) let that stop us from making sure we’re doing everything we can to secure our WordPress sites. After all, our websites are often part of our livelihood.
In this session Adam will discuss the “big picture” of website security and break down the fundamental tasks needed for a strong security plan, in order of importance. Adam will provide an actionable checklist on what you can start doing today to better secure your WordPress websites.
After attending this session, audience members will have a better understanding of website security as a whole and what steps they can take to mitigate risk. Attendees will be able to start building their WordPress security master plan immediately.
Personal and Website security all start with being aware and mindful.
Show ATM video
Being mindful of your surroundings can help you avoid being included in these stats
So let's talk about that shall we?
WP Evangelist means that I attend WordCamps and other events and listen to the community.
Be aware of your surroundings.
Trust your intuition.
Chicago 2005 - followed
Lock your financial documents and records in a safe place at home, and lock your wallet or purse in a safe place at work.
Keep your information secure from roommates or workers who come into your home.
When you go out, take only the identification, credit, and debit cards you need.
Leave your Social Security card at home.
Before you share information at a business, your child's school, or a doctor's office, ask why they need it, how they will safeguard it, and the consequences of not sharing.
Shred receipts, credit offers, credit applications, insurance forms, physician statements, checks, bank statements, expired charge cards, and similar documents when you don’t need them any longer.
Destroy the labels on prescription bottles before you throw them out.
Don’t share your health plan information with anyone who offers free health services or products.
You can opt out for 5 years or permanently.
Caution (take this with a grain of salt): the three nationwide credit reporting companies operate the phone number and website.
Vulnerability Scanning
Used to identify security weaknesses in a computer system and code.
Often used by network administrators for obvious security purposes.
Hackers use the same tactic to find a way to gain unauthorized access.
Vulnerability Scanning is essentially the gateway to additional attacks.
Server Disruption
Usually one goal: shut down or render a particular website useless.
Known as Distributed Denial of Service or DDoS.
DDoS attacks are when a hacker seizes control over a network of zombie computers called a botnet. The botnet is then deployed to ping a certain web server to overload a website and ultimately, shut it down.
Monetary Loss –
This type of motivation for hackers is what everyone is most fearful about. Credit card data, etc. Not just websites: ATM Skimmer story.
Information Leakage –
Hackers get personal and private information.
Identity theft, Social Security Numbers, usernames/passwords.
Ashley Madison hack, which occurred in the summer of 2015. Once hackers were able to infiltrate its customer database, they essentially had the entire company (and its fearful users) at their mercy. When the hackers finally posted the Ashley Madison data, it sent earth-rattling shock waves throughout the internet and society.
Website Vandalism
Vandalism inspired attacks are often done more for a shock factor and to grab people’s attention.
Politically driven, such as to deface a certain candidate’s website, or could simply be used just as a source of fun.
Unauthorized Code Execution –
Hackers want to infect a user with malware in order to ultimately take control of the user’s computer through the execution of commands or code.
This is a powerful form of hacking that allows hackers to take complete control of the victim’s computer.
When hackers run unauthorized code, this can be one of the first steps of turning a user’s computer into a zombie or bot.
What’s In It for Them?
Still, the question remains: Why would anyone put in that effort? What do they get out of it?
Drive-by-downloads — Hackers can use your site to infect your visitors’ computers with malware like back doors, key trackers, ransomware, viruses, or other malicious software in order to capture information they can use for their own gain.
Redirections — Sometimes hackers will redirect visitors from your site to other websites that generate affiliate income for them.
System resources — Another possibility is that they take over your server and use the hardware for sending out spam emails, performing denial of service or brute force attacks and more. Of course, this will easily get your server — and your site — put on a blacklist or jack up your hosting cost if it is based on usage.
Don’t Like You – Most Uncommon
Don’t accept credit cards?
Sensitive data?
Website traffic is low?
Avoided controversial topics?
Only serve a local customer base?
Owners of smaller websites, especially, often think of themselves as an unlikely target for hackers.
After all, why would anyone care about your tiny blog? What could hackers possibly have to gain from compromising it?
Traffic size or popularity is not the deciding factor.
Hacking Attempts Are A Matter Of Opportunity
Most sites get hacked merely because it’s possible.
It’s rare that hackers have a specific reason to go for a particular site.
Most of the time hackers go for our sites because we give them an opening, unknowingly.
Most Hacking Attacks Are Automated
Hackers use bots to crawl the net. Bots sniff out known vulnerabilities.
One of the main reasons hackers don’t differentiate between the sites of different sizes is that attacks are almost always done automatically.
If you think someone typed your site address into a browser bar and had a good snoop around until they found something, you’d be dead wrong.
Automating the process allows hackers to attack many sites at once and thus increase their odds of success dramatically.
If your site gets hacked, it’s probably because it popped up on the radar of an automated script, not because someone consciously decided to target you.
WHAT!? This doesn’t mean your host is bad! More likely, another site in a shared hosting environment got hacked and took the others down in the process.
More than half of all successful hacks come through WordPress themes and plugins.
The rest of the sites suffer from insufficient password protection, making them vulnerable to brute force attacks.
8 percent doesn’t seem like a lot, but be aware that we are talking about hundreds of thousands of websites here.
It really comes down to two categories of security.
Access control speaks specifically to the process of authentication and authorization; simply put, how you log in. When I say log in, I mean more than just your website.
Here are a few areas to think about when assessing access control:
How do you log into your hosting panel?
How do you log into your server? (i.e., FTP, SFTP, SSH)
How do you log into your website? (i.e., WordPress, Dreamweaver, Joomla!)
How do you log into your computer?
How do you log into your social media forums?
Not just applications like WordPress, plugins, themes or other software you might be running on your server. But also your local computer, browsers, etc.
Even the most experienced developers can’t always account for the threats their own code might introduce.
The problem is the way we think about security from beginning to end. Most of us use things as they are designed.
Trump - Defacement
Real Estate to Adult Site - Redirection
Google does a good job of letting people know. You don’t want your potential visitors/customers to see this.
Be security-minded daily. Be vigilant.
It’s not paranoia, it’s best practice for life.
Gas station card readers, etc. The IoT hack that took down the East Coast:
https://krebsonsecurity.com/2016/10/hacked-cameras-dvrs-powered-todays-massive-internet-outage/
Fortunately, we can all do a lot to mitigate our chances of being hacked.
It starts with closing those openings we’ve been leaving.
Home WIFI
Computer login
At every step of the website creation process! Remember the Access Control I talked about?
Hosting account
FTP, SFTP, SSH
Website login
Social Media Accounts
3rd Party services you might use: Dropbox, Amazon, Instagram, Google, and others.
Even IoT devices (refrigerators, tvs, etc.)
Don’t!
Plain-text transmission
Has anyone sent a username/password combo in an email?
Don’t send passwords over email, chat, social networks or other unencrypted forms of transmission
Of course, passwords should not be shared between users or stored in plain-text anywhere no matter how convenient this may be. The practice of sharing logins and passwords flies in the face of security and accountability.
Local Anti-virus
How many of you are on an open network right now? Airports, coffee shops, even your neighbors (I just noticed my wife was on the neighbors’ open network yesterday!)
True story: Betsy Davis, 7 years old, watched a YouTube video on how to set up a fake Wi-Fi access point. It only took her 11 minutes to set it up and start getting access to computers.
Virtual private network (VPN): A VPN is a way of using the public internet like a secure private network. It encrypts data and routes it through remote servers, keeping the activity and location private and secure.
Getting a little old school
There was a time when plugins didn't exist. If you wanted to change something, you edited core files.
If any developer you work with suggests making any such changes, run a mile.
Explain what a backup is.
Search the plugin repo for “backup”
Core, plugins, themes
You hear of people who disable WordPress core updates because “an update might break one of my plugins.”
If you had to choose between a hacked site and a temporarily broken plugin, which would you choose?
Plugins that are incompatible with the latest versions of WordPress are only going to stay that way for a very short time. A hacked site, on the other hand, is a far bigger problem.
Plugins and themes and anything else
Sometimes we install plugins to test their functionality and then forget to remove them from our site. If a vulnerability is discovered in these plugins, your site becomes a sitting duck (especially if you don’t follow the advice above and always update the plugins).
Your website is still vulnerable if a vulnerable plugin is installed, even if it is not being used.
The safest way to minimize the risks is to completely uninstall any plugins you are not using. There is a very easy way to know which plugins are not being used. They are marked as Inactive in the Plugin section of the WordPress admin.
Delete them.
Some people might get tempted to “bypass” the payment of a good theme or plugin, by getting it from *cough* less than reputable sites.
Or maybe they don’t know that it’s not the official site.
The pirated themes and plugins you download for free have been maliciously tweaked. Most times a back door has been installed in the script. This allows the site where the theme or plugin is used to be remotely controlled by hackers for nefarious reasons.
Would you trust your money to a known scam artist? I wouldn’t think so. Same thing for your website. Don’t trust “free” WordPress scripts coming from people whose business is stealing other people’s work.
Security conscious hosting services will have a dedicated security team who monitor the latest vulnerabilities (even 0-day hacks, i.e. those for which there is no remedy yet) and preemptively apply rules on their network firewalls to mitigate any hack attacks on your site.
WordPress hosting is a bit of a hot topic, so I won’t be making recommendations here, but the WordPress hosting page does make a few suggestions. These are by no means the only security conscious hosting companies out there.
SSL (Secure Sockets Layer)
Encrypted links between a web server and a browser. This link ensures that all data passed between the web server and browsers remains encrypted.
Many are free with Let’s Encrypt and many hosts are including this option.
Google is (or will be) using this as a ranking factor
What is PHP?
PHP (recursive acronym for PHP: Hypertext Preprocessor) is a widely-used open source general-purpose scripting language that is especially suited for web development and can be embedded into HTML.
Code is executed on the server, generating HTML which is then sent to the client (the browser).
Pie Chart: Only 3.5% of WordPress installations run on the latest version of PHP (7.0), whilst about 26.9% run version 5.6, which is still supported.
The rest of the WordPress installations (close to 80%) run on versions that are no longer supported or updated for security patches.
I recommend using a mix of security plugins AND cloud-based security and malware scanner options.
Many decent solutions can be found by searching the Security tag on the repo.
By default, WordPress allows users to enter passwords as many times as they want.
Limiting login attempts helps prevent brute force attacks on your login page.
To prevent this, you can limit the number of failed login attempts per user.
For example, you can say that after 5 failed attempts, the user is locked out temporarily.
If someone has more than 5 failed attempts, your site blocks their IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, or even longer.
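One way to implement this lockout as a WordPress must-use plugin, added here as an example (it is not code from the talk or from any plugin it mentions); the 5-attempt / 15-minute policy and the lal_ names are assumptions:

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Policy assumed here: 5 failed logins from one client IP, then a 15-minute lockout.
 */

const LAL_MAX_ATTEMPTS    = 5;    // failures allowed before lockout
const LAL_LOCKOUT_SECONDS = 900;  // 15 minutes; 300 = 5 min, 86400 = 24 h

// Transient key for the client's IP. Behind a CDN or proxy, REMOTE_ADDR is the
// proxy's address; take the client IP from the header your proxy sets instead.
function lal_client_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
    return 'lal_fail_' . md5( $ip );
}

// Count each failed login. The transient's expiry doubles as the lockout timer and
// is refreshed on every failure, so retrying during a lockout restarts the clock.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = lal_client_key();
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, LAL_LOCKOUT_SECONDS );
} );

// Refuse authentication while the IP is locked out. Priority 30 runs after the
// core username/password check (priority 20), so this error replaces its result.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( lal_client_key() ) >= LAL_MAX_ATTEMPTS ) {
        return new WP_Error( 'too_many_attempts', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that IP.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( lal_client_key() );
}, 10, 2 );
```

Transients live in the options table (or the object cache if one is configured), so the lockout survives across requests without any extra storage.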
A CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) is a program that can tell whether its user is a human or a computer. The process involves the computer asking the user to complete a simple test that the computer generated.
One way of quickly and very easily securing your WordPress logins is by enabling Two Factor Authentication, also known as 2FA.
With 2FA, logging in to your WordPress backend requires, besides your regular password, a time-based security token that is unique to each user. This token expires after a period of time, usually 60 seconds.
Google Authenticator.
Jetpack 2FA
Two Factor Authentication by the makers of UpdraftPlus
Authy
Duo
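To show what the time-based token above actually is, here is an added example (not code from the talk or from any of the plugins listed) of generating and checking a TOTP code as the authenticator apps do; it assumes RFC 6238 with HMAC-SHA1 and a 30-second step, and the totp_ function names are my own:

```php
<?php
// Added example, not from the talk: how the time-based token behind 2FA is generated
// and checked (RFC 6238 TOTP, HMAC-SHA1, 30-second step; pass $step = 60 for a
// 60-second token). A real plugin would keep each user's secret in user meta.

// Authenticator apps show secrets in base32; decode to raw bytes. Returns null on bad input.
function totp_base32_decode( $b32 ) {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32      = strtoupper( rtrim( $b32, '=' ) );
    if ( $b32 === '' ) {
        return null;
    }
    $bits = '';
    foreach ( str_split( $b32 ) as $ch ) {
        $idx = strpos( $alphabet, $ch );
        if ( $idx === false ) {
            return null;
        }
        $bits .= str_pad( decbin( $idx ), 5, '0', STR_PAD_LEFT );
    }
    $bytes = '';
    foreach ( str_split( $bits, 8 ) as $chunk ) {
        if ( strlen( $chunk ) === 8 ) {           // drop trailing padding bits
            $bytes .= chr( bindec( $chunk ) );
        }
    }
    return $bytes;
}

// Code for one time step: HMAC the 64-bit big-endian counter, then dynamic truncation.
function totp_code( $secret, $unix_time, $step = 30, $digits = 6 ) {
    $counter = intdiv( $unix_time, $step );
    $hash    = hash_hmac( 'sha1', pack( 'J', $counter ), $secret, true );
    $offset  = ord( $hash[19] ) & 0x0f;
    $binary  = ( ( ord( $hash[ $offset ] ) & 0x7f ) << 24 )
             | ( ord( $hash[ $offset + 1 ] ) << 16 )
             | ( ord( $hash[ $offset + 2 ] ) << 8 )
             | ord( $hash[ $offset + 3 ] );
    return str_pad( (string) ( $binary % ( 10 ** $digits ) ), $digits, '0', STR_PAD_LEFT );
}

// Accept the current step plus one step either side to absorb clock drift between
// server and phone; compare in constant time so timing does not leak the code.
function totp_verify( $secret, $submitted, $unix_time, $step = 30, $window = 1 ) {
    for ( $i = -$window; $i <= $window; $i++ ) {
        if ( hash_equals( totp_code( $secret, $unix_time + $i * $step, $step ), (string) $submitted ) ) {
            return true;
        }
    }
    return false;
}

// Self-check against the RFC 6238 test vector (ASCII secret "12345678901234567890", T = 59).
function totp_self_test() {
    return totp_code( '12345678901234567890', 59, 30, 8 ) === '94287082';
}

if ( PHP_SAPI === 'cli' ) {
    echo totp_self_test() ? "TOTP self-test passed\n" : "TOTP self-test FAILED\n";
}
```

Run it with `php totp.php`; the self-test passing means the truncation and counter encoding match the RFC, and totp_verify is what a login form would call with the user's stored secret and the six digits they typed.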
When you are in the initial phases of creating a website, you’ll probably need to tinker around with themes and plugin files.
By default, WordPress administrators have the rights to edit PHP files.
Once your website has been developed and is live, you’ll have much less need to edit these files.
However, allowing administrators to edit files is a security issue. This is because if a hacker manages to login to your site, they’ll immediately have edit privileges and they’ll be able to change files to suit their malicious needs.
You can (and should) disable file editing for WordPress administrators after your website goes live by adding the following line to your wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
XML: EXtensible Markup Language
RPC: Remote Procedure Call
WordPress provides the ability for an application to access it remotely via what is known as an Application Programming Interface (or API). This means that applications can access your site (for benign reasons). A typical example of usage of the XML-RPC is if you are using a mobile or desktop application to update your site.
There are also some plugins, which use XML-RPC. For example, Jetpack uses XML-RPC functionality.
However, the XML-RPC can also be used to perform hack attempts on your website.
Many believe that XML-RPC is as secure as the rest of the WordPress core, but you can rest assured that XML-RPC is something that hacking scripts are going to be probing. You’ll probably find plenty of hits to XML-RPC if you have enabled logging on your site.
If you are sure that no third-party applications or WordPress plugins are using your WordPress website via XML-RPC, you can choose to disable it using a WordPress plugin.
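What such a "disable XML-RPC" plugin does, written out as a must-use plugin; this is an added example (not code from the talk or from any plugin it names) and assumes nothing on the site, Jetpack or the mobile apps included, needs the endpoint:

```php
<?php
/**
 * Plugin Name: Disable XML-RPC (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request.
 * Assumption: nothing on the site uses XML-RPC. Jetpack and the mobile/desktop
 * apps mentioned in the talk do, so leave this out if you rely on them.
 */

// WordPress applies this filter once per request to xmlrpc.php, so it is also a
// cheap place to log who is still probing the endpoint before refusing them.
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '-';
    error_log( sprintf( 'XML-RPC request refused: ip=%s ua=%s', $ip, $ua ) ); // lands in the PHP/WP error log
    return false;   // every method that requires a login now returns "XML-RPC services are disabled"
} );

// xmlrpc_enabled only covers methods that require a login. pingback.ping needs none,
// so remove it from the method table as well.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'] );
    return $methods;
} );

// Stop advertising the endpoint: drop the X-Pingback response header and the
// RSD discovery link that WordPress prints in <head>.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );
```

After deploying it, the error log shows how often xmlrpc.php is still being hit, which is the traffic the talk says you will find once logging is on.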
There are two main types of firewalls, or uses for firewalls.
Network Firewalls: used to segregate different types of networks. Either keeping things from getting in, or things from getting out.
Web Application Firewall: (WAF) used to secure the WordPress application itself.
Hardware and software that “learns” and accepts rules.
Example: Intranet – only allow traffic from certain IP range (only from company network)
There are a number of WAFs available, some with free plans.
A Content Delivery Network’s primary use is typically to optimize the performance of your site by serving heavy resources fast.
CDNs, however, provide another secondary feature: most CDNs are able to protect against a number of WordPress security issues.
If you are using a CDN (and you should), make sure you are also enabling the security rules provided to improve the protection of your WordPress website.
Summary of this image
https://www.wordfence.com/wp-content/uploads/2015/12/TipsforDetectingHackedWebsiteEarly_1340px.png
Tinkerer
Wasted time
It is in their best interest to keep you as safe as possible.
Local machine password, WP users, hosting account, FTP/SFTP.
If you categorize all these in LastPass, it will be easy to know what needs to be changed and where.