Robert Vidal, ABCP OSCP OSWP
robert.vidal@infotransec.com
http://www.infotransec.com
WordPress Security and
Best Practices
About Me:
• Robert Vidal, ABCP OSCP OSWP Cert. IS-CF
• Associate Business Continuity Professional (ABCP)
• Certified Vulnerability and Penetration Testing Professional (OSCP)
• Certified Wireless Security Professional (OSWP)
• Certificate Information Security and Computer Forensics (Cert. IS-CF)
• Information Security Analyst – InfoTransec (Hamilton)
• Specializing in Network and Application Security
• Industry Compliance and Governance
• IT Industry since 2005
• Focused on Security since 2008
• Working with WordPress since 2011
About InfoTransec:
• Our focus is always on delivering high quality solutions to our clients through current industry standards and recognized frameworks and benchmarks.
• Services include:
• Network and Web Application Vulnerability Assessments and Penetration Testing
• Information Security Services
• Managed IT
• Computer Forensics
• Data Recovery
• eDiscovery
• CyberStalking / CyberBullying
WordPress Defaults
• WordPress is open source, so anyone can download the application and study its defaults and file layout.
• An attacker who has this map of your site can plan an attack before ever sending a request to your server.
• What this means:
• The default administrator username ('admin') is known
• The file structure is known
• The database structure (table names, default wp_ prefix) is known
• The location of usernames, password hashes and the configuration file (wp-config.php) is known
• The locations of plugins, themes and file uploads (wp-content/) are known
• The WordPress version can be enumerated (generator meta tag, readme.html, the ?ver= query string on scripts and styles, and the RSS feed)
Recommendations:
• Do not use 'admin' as the administrator username
• Choose a username that is not guessable, built like a complex password (upper case letter, lower case letter, number and special character, e.g. R0b3rtV!d@l)
• Caveat: the login name is not a secret. On a stock install /?author=1 redirects to /author/<name>/, the REST API users endpoint (/wp-json/wp/v2/users, WordPress 4.7 and later) lists everyone who has published, and the login form says whether the username or the password was wrong. A hard-to-guess name reduces exposure; it is not a second password.
• Remove the author name from pages and posts
• Account names are exposed whenever content is published (bylines and author archives)
• Plugin "WP Author, Date and Meta Remover" https://wordpress.org/plugins/wp-author-date-and-meta-remover/
• Use a non-default database table prefix
• On installation, specify a unique table prefix (not wp_)
• Or change it after installation
• Manually via phpMyAdmin and wp-config.php ($table_prefix). Rename every table, and also the prefixed rows in the options table (wp_user_roles) and the usermeta table (wp_capabilities, wp_user_level), or no account will have any capabilities afterwards
• Plugin "Change DB Prefix" https://wordpress.org/plugins/db-prefix-change/
• Caveat: this only defeats attacks that hard-code wp_. Core and plugin code use $wpdb->prefix, so a SQL injection in a plugin works regardless of the prefix
• Remove the WordPress version from the page source
• Add to functions.php: remove_action('wp_head', 'wp_generator');
• This removes only the <meta name="generator"> tag. The version is still in the RSS feed's generator element, in readme.html and in the ?ver= query string on core scripts and styles, so WPScan will still find it unless those are handled too
• Plugin "Remove Version" https://wordpress.org/plugins/remove-version-remver/
• Delete unused themes and plugins
• Hello Dolly / Akismet / Jetpack, etc. Deactivating is not enough: the files stay on disk and reachable by URL, so a vulnerability in them can still be hit
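The following is an added example, not code from the presentation or from InfoTransec. It shows, offline, what a scanner such as WPScan still sees after the recommendations above: a page parsed for the generator tag and for ?ver= query strings, an author-archive redirect parsed for the login name, and a REST users response parsed for slugs. The HTML, the Location header and the JSON body are constructed samples; example.com, the version numbers and the username r0b3rtv are placeholders. The author redirect assumes a stock install with pretty permalinks enabled.

```python
"""Added example: WordPress version and username leaks that survive
remove_action('wp_head', 'wp_generator').  All inputs are constructed samples."""
import json
import re
from html.parser import HTMLParser
from typing import Optional
from urllib.parse import parse_qs, urlparse


class _LeakParser(HTMLParser):
    """Collect the <meta name="generator"> content and every ?ver= value on
    <script src> / <link href> tags (core stamps those with its version)."""

    def __init__(self) -> None:
        super().__init__()
        self.generator: Optional[str] = None
        self.asset_versions: set = set()

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            for ver in parse_qs(urlparse(url).query).get("ver", []):
                self.asset_versions.add(ver)


def version_leaks(html: str) -> dict:
    """Every place the core version shows up in one page."""
    p = _LeakParser()
    p.feed(html)
    p.close()
    return {"generator": p.generator, "asset_versions": sorted(p.asset_versions)}


def author_from_redirect(location_header: str) -> Optional[str]:
    """A stock install answers /?author=1 with a redirect to /author/<login>/."""
    m = re.search(r"/author/([^/?#]+)", location_header)
    return m.group(1) if m else None


def users_from_rest(body: str) -> list:
    """/wp-json/wp/v2/users lists the slug of every user with published posts."""
    return [user["slug"] for user in json.loads(body)]


# --- constructed samples (placeholder host, versions and username) ----------
BEFORE = """<html><head>
<meta name="generator" content="WordPress 4.4.2" />
<link rel="stylesheet" href="https://example.com/wp-includes/css/dashicons.min.css?ver=4.4.2" />
<script src="https://example.com/wp-includes/js/jquery/jquery.js?ver=1.11.3"></script>
<script src="https://example.com/wp-includes/js/wp-embed.min.js?ver=4.4.2"></script>
</head><body></body></html>"""

# The same page after remove_action('wp_head', 'wp_generator') in functions.php.
AFTER = BEFORE.replace('<meta name="generator" content="WordPress 4.4.2" />\n', "")

REDIRECT_LOCATION = "https://example.com/author/r0b3rtv/"
REST_USERS = '[{"id": 1, "name": "Robert", "slug": "r0b3rtv", "link": "https://example.com/author/r0b3rtv/"}]'

if __name__ == "__main__":
    print("before:", version_leaks(BEFORE))
    print("after: ", version_leaks(AFTER))
    print("?author=1 ->", author_from_redirect(REDIRECT_LOCATION))
    print("REST users ->", users_from_rest(REST_USERS))
```

The "after" result is the point: the generator tag is gone but the asset query strings still carry the core version, which is why the functions.php line alone does not hide it. Against a live site you would feed version_leaks the home page body, author_from_redirect the Location header of /?author=1, and users_from_rest the body of /wp-json/wp/v2/users.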
Q: Who is Hacking your site?
A: Everyone
• Everyone from your competitors, to black-hat SEO operators, to hackers and script kiddies.
• Attackers use automated scanners and Google dork searches to locate vulnerable WordPress installations, plugins or themes that they can exploit.
• Google dork: a search query crafted to find websites or information that was never intended to be indexed by Google
• inurl:wp-content/
• inurl:"/wp-content/plugins/wp-shopping-cart/"
• inurl:"wp-content/plugins/wp-dbmanager/"
• What this means:
• Malware can be injected into the site
• Brute-force login attempts can be spread out over time so that no single burst stands out
• Your site may become slow or unresponsive from handling the excessive requests
• Tools can scan your site and enumerate what is installed (version, plugins, themes, usernames):
• WPScan
• Nmap (http-wordpress-enum NSE script)
Recommendations
• Think like an attacker
• Limit search exposure and restrict access from regions you do not serve
• If you offer products and services to people or businesses in the Hamilton area, why allow visitors from Russia, Ukraine or China?
• Set a preferred geographic target in Google Webmaster Tools (now Search Console)
• Use an IP-blocking plugin to restrict access by country
• Caveat: country blocking cuts noise but is not a control. An attacker can rent a server in Canada as easily as anywhere else
• Block information your visitors do not need to see
• Use robots.txt to keep well-behaved crawlers out of administrative paths, but remember it is public and advisory only: it tells anyone who reads it where the interesting paths are, and attack scanners ignore it
• Use .htaccess (or the equivalent web server configuration) to deny direct requests for wp-config.php, to stop PHP from executing under wp-content/uploads/ and to disable directory listings. Note that .htaccess controls what the web server will serve; file and folder permissions are set separately on the file system (chmod), and both are needed
• Take proactive measures:
• Install a lockout plugin that locks an account or IP address out after a number of failed login attempts
• Scan the site regularly for malware
• Sucuri SiteCheck
• Run WPScan and Nmap against your own site to see what an attacker can enumerate
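The lockout recommendation and the earlier point about brute-force attempts spread over time can be checked from the web server's own logs, independently of whatever plugin is installed. The script below is an added example, not code from the presentation or from InfoTransec. It assumes the Apache "combined" log format and the stock wp-login.php behaviour (a failed POST re-renders the form with HTTP 200, a successful POST answers with a 302 redirect); the threshold of 5 failures in 15 minutes is an assumed policy, and the log lines are constructed samples using documentation IP ranges.

```python
"""Added example: find IPs that should have been locked out, from an Apache
combined access log.  Assumes stock wp-login.php status codes (200 = failed
login, 302 = successful login).  SAMPLE_LOG is constructed."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line: str):
    """Return the fields this check needs, or None for lines it cannot parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],
        "status": int(m["status"]),
    }


def failed_login_offenders(lines, threshold=5, window=timedelta(minutes=15)):
    """Map each IP that produced `threshold` failed logins inside `window` to
    the moment it crossed the threshold (when a lockout plugin would act)."""
    recent = defaultdict(deque)   # ip -> timestamps of its recent failures
    locked = {}
    for line in lines:
        ev = parse_line(line)
        if not ev or ev["method"] != "POST" or ev["path"] != "/wp-login.php":
            continue
        if ev["status"] != 200:   # 302 is the redirect after a successful login
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while q and ev["ts"] - q[0] > window:   # forget failures outside the window
            q.popleft()
        if len(q) >= threshold and ev["ip"] not in locked:
            locked[ev["ip"]] = ev["ts"]
    return locked


# Constructed sample: one guessing client, one legitimate login, one stray failure.
SAMPLE_LOG = """\
203.0.113.45 - - [10/Mar/2016:14:02:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2016:14:02:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:14:02:04 +0000] "GET /wp-login.php HTTP/1.1" 200 2874 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2016:14:02:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2016:14:02:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2016:14:02:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
203.0.113.45 - - [10/Mar/2016:14:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:14:02:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [10/Mar/2016:14:05:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3142 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Mar/2016:14:06:00 +0000] "GET /wp-admin/ HTTP/1.1" 200 9120 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, when in failed_login_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"lock out {ip}: {when.isoformat()}")
```

If the site sits behind a CDN or reverse proxy, the first field of the log is the proxy's address; log and key on the forwarded client address instead, or every visitor ends up sharing one counter.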
• Identify vulnerable plugins and themes and update them
• http://www.wordpressexploit.com/ (WordPress exploits)
• https://wpvulndb.com/ (WordPress Vulnerability Database, from the WPScan team)
• http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/ (CVE Details: published CVEs for WordPress)
• Security plugins:
• https://wordpress.org/plugins/wordfence/ (Wordfence)
• Blocking features, login security, security scanning, firewall, monitoring
• https://wordpress.org/plugins/sucuri-scanner/ (Sucuri Scanner)
• Security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, security hardening, post-hack security actions, security notifications, website firewall
• https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ (All-In-One WP Security & Firewall)
• User account security, login, registration, database, file system security, IP blocking, firewall and more
• Caveat: a security plugin runs inside the same PHP process as the rest of the site, so once an attacker has code execution it can be switched off. It complements updates, backups and least privilege; it does not replace them
Q: If a hacker gains access to your site, what can they do?
A: Anything they want
What does this mean?
• Files can be added or modified without you knowing
• Google may flag your site as hacked, which lowers its ranking
• Your site may be filled with spam links, which lowers its ranking
• You may unknowingly be infecting your visitors with viruses or other malicious code
• Visitors may be redirected off your site as soon as they arrive
• The website can be defaced
• Backdoors can be planted that survive a clean-up of the visible damage and let the attacker come back later
• You and your legitimate users can be locked out (passwords changed, extra administrator accounts added)
• Anything else they wish
What to do:
• Back up your files and database regularly!
It is far easier to compare files against a known-good copy, or to revert to a known-good build, than to clean an infected one
• Use plugins that detect file changes and alert you by email
• https://wordpress.org/plugins/wordfence/ (Wordfence)
• Limit the number of registered users on the site, and ensure each account has only the role it needs
• Scan your site for malware regularly
• Sucuri SiteCheck https://sitecheck.sucuri.net/ (free)
• Google search your own site regularly (site:yourdomain.com) and watch for pages, titles or snippets you did not publish
• FTP (preferably SFTP) into your hosting account and look for:
• Files with names ending in _old.php
• Files with unexpected extensions (an "image" with a .php extension, such as photo.jpg.php)
• The modification dates of your files. If every file in a directory shares one modified date and a single file differs, that file is probably malware or a backdoor. Be aware that an attacker can reset timestamps, so a consistent date proves nothing on its own
• Unexpected files in your directories (a PHP file in an images or uploads directory)
• Install a web application firewall plugin to block malicious requests
• https://en-ca.wordpress.org/plugins/wp-simple-firewall/ (Simple Security Firewall)
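The four manual checks above (names ending in _old.php, image names with a .php extension, PHP where only uploads belong, and the one file whose modified date differs from its neighbours) are easy to automate over a local copy of the site pulled down over SFTP. The script below is an added example, not code from the presentation or from InfoTransec. build_sample_site() creates a constructed WordPress-like tree in a temporary directory so it runs offline; every file name and date in that fixture is made up, and the "minority date" rule is one reading of the slide's heuristic.

```python
"""Added example: the slide's file-system checks, automated.  The site tree
built by build_sample_site() is a constructed fixture, not a real install."""
import os
import re
import tempfile
from collections import Counter
from datetime import datetime, timezone
from pathlib import Path

IMAGE_DOUBLE_EXT = re.compile(r"\.(jpe?g|png|gif|bmp|svg)\.php$", re.IGNORECASE)


def scan_site(root) -> dict:
    """Apply the four heuristics to every file under `root`; return the hits as
    site-relative POSIX paths, sorted, one list per heuristic."""
    root = Path(root)
    found = {"old_php": [], "php_in_uploads": [], "double_extension": [], "mtime_outlier": []}
    for dirpath, _dirs, files in os.walk(root):
        dates = {}
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            low = name.lower()
            if low.endswith("_old.php"):
                found["old_php"].append(rel)
            if low.endswith(".php") and rel.startswith("wp-content/uploads/"):
                found["php_in_uploads"].append(rel)
            if IMAGE_DOUBLE_EXT.search(low):
                found["double_extension"].append(rel)
            dates[rel] = datetime.fromtimestamp(p.stat().st_mtime, timezone.utc).date()
        # "All files share one modified date except a few": flag the minority.
        if len(dates) >= 3:
            common, count = Counter(dates.values()).most_common(1)[0]
            odd = [r for r, d in dates.items() if d != common]
            if 0 < len(odd) < count:
                found["mtime_outlier"].extend(odd)
    return {k: sorted(v) for k, v in found.items()}


def build_sample_site() -> Path:
    """Constructed fixture: genuine-looking files dated 2016-03-01 plus three
    planted files dated 2016-03-10 (names are invented for the demo)."""
    base = 1456790400      # 2016-03-01T00:00:00Z
    planted = 1457568000   # 2016-03-10T00:00:00Z
    layout = {
        "wp-config.php": base,
        "wp-includes/functions.php": base,
        "wp-includes/pluggable.php": base,
        "wp-includes/version.php": base,
        "wp-includes/wp-tmp.php": planted,                 # dropped-in backdoor
        "wp-content/themes/sample/header.php": base,
        "wp-content/themes/sample/header_old.php": base,   # leftover copy
        "wp-content/uploads/2016/03/photo.jpg": base,
        "wp-content/uploads/2016/03/banner.png": base,
        "wp-content/uploads/2016/03/logo.gif": base,
        "wp-content/uploads/2016/03/shell.php": planted,   # PHP where only images belong
        "wp-content/uploads/2016/03/photo.jpg.php": planted,
    }
    root = Path(tempfile.mkdtemp(prefix="wp-sample-"))
    for rel, ts in layout.items():
        path = root / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_text("<?php // sample content\n")
        os.utime(path, (ts, ts))
    return root


if __name__ == "__main__":
    for heuristic, hits in scan_site(build_sample_site()).items():
        print(f"{heuristic}:")
        for hit in hits:
            print("   ", hit)
```

Point scan_site at the directory you downloaded and read the four lists as leads, not verdicts: a theme update legitimately changes dates, and an attacker who cares can copy the neighbours' timestamps onto a planted file, which is why the hash comparison in the backup section is the stronger check.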
Q: Comments – Good or Bad?
A: Good - Comments are great for allowing interactivity with your visitors.
But...
You are also allowing user input into your site.
What does this mean?
• Instead of a text comment, a visitor can submit script or links into your site, for example:
• <script type="text/javascript">alert("Hello");</script>
• I love your site I also found <a href="http://badwebsite.com"> this link </a> for more information.
• Stock WordPress runs comments through its kses HTML allowlist, so the <script> tag above is stripped, while <a> is on the allowlist and the link is kept (with rel="nofollow"). The risk comes back whenever a theme or plugin outputs comment data without that filtering and escaping
• Visitors can promote their own sites or links that go against the reputation of your site
• Online pharmacies, adult content, profanity
• This can lower your Google ranking and SEO reputation
• This can also cause your site to be flagged by Google as hacked
What to do:
• Disable comments on all pages and posts if you do not need them
• If you wish to allow comments, hold them for manual approval or only allow them on certain pages
• Modify functions.php so that comments cannot contain HTML (WordPress ships the wp_filter_nohtml_kses filter for exactly this; hook it on pre_comment_content)
• Review the front end of your site regularly
• Google search your site regularly to ensure Google has not flagged it because of malicious comments
• Install plugins that
• let users and visitors report malicious or offensive comments
• block all comments
• do not allow HTML in comments
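The "no HTML in comments" policy, with the moderation flags a site owner would want alongside it, looks like this when written out. This is an added example, not code from the presentation or from InfoTransec, and not WordPress's own kses implementation: it strips every tag, drops the contents of <script> and <style>, escapes what remains, and flags comments that carried HTML, links or a blocked term for manual approval. The two sample comments are the ones on the slide; the blocked-term list is a made-up placeholder to be tuned per site.

```python
"""Added example: strip all HTML from a submitted comment and flag it for
moderation.  BLOCKED_TERMS is a placeholder; the samples are constructed."""
import html
import re
from html.parser import HTMLParser

BLOCKED_TERMS = ("pharmacy", "casino")          # assumption: tune for your site
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.IGNORECASE)


class _TagStripper(HTMLParser):
    """Keep only text nodes; drop every tag and the body of <script>/<style>."""

    def __init__(self) -> None:
        super().__init__(convert_charrefs=True)
        self.parts, self.tags, self.hrefs = [], [], []
        self._skip_depth = 0

    def handle_starttag(self, tag, attrs):
        self.tags.append(tag)
        if tag in ("script", "style"):
            self._skip_depth += 1
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip_depth:
            self._skip_depth -= 1

    def handle_data(self, data):
        if not self._skip_depth:
            self.parts.append(data)


def sanitize_comment(raw: str) -> dict:
    """Return the text that is safe to store and render, plus moderation flags."""
    p = _TagStripper()
    p.feed(raw)
    p.close()
    text = " ".join("".join(p.parts).split())        # collapse whitespace left by tags
    reasons = []
    if p.tags:
        reasons.append("html_removed")
    if p.hrefs or URL_RE.search(text):
        reasons.append("contains_link")
    if any(term in text.lower() for term in BLOCKED_TERMS):
        reasons.append("blocked_term")
    return {
        "text": html.escape(text, quote=True),        # escape on output too: defence in depth
        "links": p.hrefs + URL_RE.findall(text),
        "needs_moderation": bool(reasons),
        "reasons": reasons,
    }


# Constructed samples: the two from the slide, one harmless, one spam.
SAMPLE_COMMENTS = [
    '<script type="text/javascript">alert("Hello");</script>',
    'I love your site I also found <a href="http://badwebsite.com"> this link </a> for more information.',
    "Great post, thanks!",
    "Cheap meds from our online pharmacy: http://example.net/buy",
]

if __name__ == "__main__":
    for raw in SAMPLE_COMMENTS:
        result = sanitize_comment(raw)
        print(f"{result['needs_moderation']!s:5} {result['reasons']} -> {result['text']!r}")
```

The first sample comes back as an empty string with the html_removed flag, the second loses its anchor but keeps the URL in the links list so a moderator can see what was being pushed, and the plain "thanks" comment passes through untouched.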
Q: What is the best method to protect my site?
A1: Keep the WordPress core, themes and plugins up to date.
And…
A2: Backup, backup, backup
What does this mean?
Code is always evolving, improved and updated.
• Every update publishes the weakness it fixes: once a patch is released, attackers can compare the versions and work out what the previous one got wrong.
• Many attackers deliberately target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and do not ignore those 'Please update now' messages.
• Attackers prey on those who are slow to update.
What to do:
• Regular backups at multiple layers
• MySQL (the database: users, posts, settings)
• WordPress pages and posts (an export from the Dashboard)
• FTP files (wp-config.php, themes, plugins, uploads)
• Keep at least one copy off the web server; a backup that sits inside the web root is exposed along with the site
• Test a restore before you need one
• Update the WordPress core when updates are available
• Use a host that offers automatic updates
• Update plugins and themes regularly
• Delete unused plugins and themes
• Install plugins that manage updates for
• themes and plugins
• the WordPress core
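A backup is most useful when you can tell exactly what changed since it was taken. The script below is an added example, not code from the presentation or from InfoTransec: it records a SHA-256 of every file right after a clean install or update, and later diffs the live site against that manifest, which is the "compare files to a known-good build" step from the earlier slide done by hash rather than by modification date. demo() builds a constructed site tree in a temporary directory, tampers with it and returns the diff; the file names and contents in that fixture are invented, and the choice to skip the uploads and cache directories is an assumed policy.

```python
"""Added example: known-good file manifest and diff.  The site tree created
by demo() is a constructed fixture."""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# Paths that change all the time under normal use and would only add noise.
SKIP_PREFIXES = ("wp-content/uploads/", "wp-content/cache/")


def build_manifest(root) -> dict:
    """Map every file under root (minus SKIP_PREFIXES) to its SHA-256 hex digest."""
    root = Path(root)
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            rel = p.relative_to(root).as_posix()
            if rel.startswith(SKIP_PREFIXES):
                continue
            manifest[rel] = hashlib.sha256(p.read_bytes()).hexdigest()
    return manifest


def diff_manifest(known_good: dict, current: dict) -> dict:
    """Files added, removed or modified relative to the known-good snapshot."""
    both = known_good.keys() & current.keys()
    return {
        "added": sorted(set(current) - set(known_good)),
        "removed": sorted(set(known_good) - set(current)),
        "modified": sorted(k for k in both if known_good[k] != current[k]),
    }


def save_manifest(manifest: dict, path) -> None:
    """Store the manifest outside the web root, next to the backups: an attacker
    who can edit site files can just as easily edit a manifest kept beside them."""
    Path(path).write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path) -> dict:
    return json.loads(Path(path).read_text())


def demo() -> dict:
    """Constructed walk-through: snapshot a clean tree, tamper with it, diff."""
    root = Path(tempfile.mkdtemp(prefix="wp-clean-"))
    clean = {
        "wp-config.php": "<?php define('DB_NAME', 'example');\n",
        "wp-includes/functions.php": "<?php function wp_example() {}\n",
        "wp-content/themes/sample/footer.php": "<?php wp_footer(); ?>\n",
        "wp-content/uploads/2016/03/photo.jpg": "not really a jpeg\n",
    }
    for rel, body in clean.items():
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text(body)
    manifest_path = Path(tempfile.mkdtemp(prefix="wp-manifests-")) / "known-good.json"
    save_manifest(build_manifest(root), manifest_path)

    # Simulated compromise: injected theme code, a planted file, a deleted file,
    # and an ordinary new upload that the manifest deliberately ignores.
    (root / "wp-content/themes/sample/footer.php").write_text("<?php /* injected */ wp_footer(); ?>\n")
    (root / "wp-content/plugins").mkdir(parents=True)
    (root / "wp-content/plugins/wp-tmp.php").write_text("<?php // planted\n")
    (root / "wp-includes/functions.php").unlink()
    (root / "wp-content/uploads/2016/03/new-photo.jpg").write_text("ignored by the manifest\n")

    return diff_manifest(load_manifest(manifest_path), build_manifest(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run build_manifest over the site directory immediately after each update and save the result with that day's backup; the next time something looks wrong, diff_manifest tells you which files to inspect and which backup still predates the change.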
In Closing:
• There is no one-stop solution to secure your site.
• There is no single way to recover or restore a website.
• Use multiple tools and tactics to protect your site.
• Ensure you know what is going on in your site.
• "DON'T SET IT AND FORGET IT"
• Set up email alerts
• Visit and test your own site regularly
• Use Google regularly to search your own site
Connect with InfoTransec:
• Phone: +1 855-INFOSEC (463 6732)
• Email: infosec@infotransec.com
• Web: https://www.infotransec.com
Social Media:
• Twitter: @InfoTransec
• LinkedIn: https://www.linkedin.com/company/infotransec
• Facebook: https://www.facebook.com/infotransec/
• Google+: https://plus.google.com/113904412258542168822/
Office Location:
• The Atrium @ McMaster Innovation Park
• 175 Longwood Road South, Suite 416A-8
• Hamilton, Ontario
• L8P 0A1

More Related Content

What's hot

Hey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the ProblemHey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the ProblemColdFusionConference
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?Tiago Mendo
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityNathan Platt
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...Denim Group
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersLewis Ardern
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers Lewis Ardern
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugLewis Ardern
 
What you can do with WordPress Heartbeat API
What you can do with WordPress Heartbeat APIWhat you can do with WordPress Heartbeat API
What you can do with WordPress Heartbeat APITabitha Chapman
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIsmdawaffe
 
Wordpress Tech Talk at Atlogys
Wordpress Tech Talk at AtlogysWordpress Tech Talk at Atlogys
Wordpress Tech Talk at AtlogysRitika Garga
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...Abhay Bhargav
 
EASE spectre meltdown_support
EASE spectre meltdown_supportEASE spectre meltdown_support
EASE spectre meltdown_supportJoe Slowik
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with ZapSoluto
 
Best practices-wordpress-enterprise
Best practices-wordpress-enterpriseBest practices-wordpress-enterprise
Best practices-wordpress-enterpriseTaylor Lovett
 
Beyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript  practical i os reverse engineering lasconBeyond the 'cript  practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lasconNino Ho
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Denim Group
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Christian Schneider
 

What's hot (20)

Hey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the ProblemHey My Web App is Slow Where is the Problem
Hey My Web App is Slow Where is the Problem
 
Is code review the solution?
Is code review the solution?Is code review the solution?
Is code review the solution?
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
The ABCs of Source-Assisted Web Application Penetration Testing With OWASP ZA...
 
OWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript DevelopersOWASP Portland - OWASP Top 10 For JavaScript Developers
OWASP Portland - OWASP Top 10 For JavaScript Developers
 
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
AppSec Tel Aviv - OWASP Top 10 For JavaScript Developers
 
Manual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A BugManual JavaScript Analysis Is A Bug
Manual JavaScript Analysis Is A Bug
 
Security testautomation
Security testautomationSecurity testautomation
Security testautomation
 
Automated testing 101
Automated testing 101Automated testing 101
Automated testing 101
 
Securing your web apps now
Securing your web apps nowSecuring your web apps now
Securing your web apps now
 
What you can do with WordPress Heartbeat API
What you can do with WordPress Heartbeat APIWhat you can do with WordPress Heartbeat API
What you can do with WordPress Heartbeat API
 
WordPress APIs
WordPress APIsWordPress APIs
WordPress APIs
 
Wordpress Tech Talk at Atlogys
Wordpress Tech Talk at AtlogysWordpress Tech Talk at Atlogys
Wordpress Tech Talk at Atlogys
 
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
An Attacker's View of Serverless and GraphQL Apps - Abhay Bhargav - AppSec Ca...
 
EASE spectre meltdown_support
EASE spectre meltdown_supportEASE spectre meltdown_support
EASE spectre meltdown_support
 
Security Testing with Zap
Security Testing with ZapSecurity Testing with Zap
Security Testing with Zap
 
Best practices-wordpress-enterprise
Best practices-wordpress-enterpriseBest practices-wordpress-enterprise
Best practices-wordpress-enterprise
 
Beyond the 'cript practical i os reverse engineering lascon
Beyond the 'cript  practical i os reverse engineering lasconBeyond the 'cript  practical i os reverse engineering lascon
Beyond the 'cript practical i os reverse engineering lascon
 
Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix Elevate Your Application Security Program with Burp Suite and ThreadFix
Elevate Your Application Security Program with Burp Suite and ThreadFix
 
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
Security DevOps - Free pentesters' time to focus on high-hanging fruits // Ha...
 

Similar to Robert Vidal WordPress Security Best Practices

From WordPress With Love
From WordPress With LoveFrom WordPress With Love
From WordPress With LoveUp2 Technology
 
WordPress Security Essentials
WordPress Security EssentialsWordPress Security Essentials
WordPress Security EssentialsAngela Bowman
 
Emergency WordPress Troubleshooting
Emergency WordPress TroubleshootingEmergency WordPress Troubleshooting
Emergency WordPress TroubleshootingTiffany Bridge
 
Website essentials things every library website should have
Website essentials  things every library website should haveWebsite essentials  things every library website should have
Website essentials things every library website should haveBrian Pichman
 
WCBos13 intermediate workshop
WCBos13 intermediate workshopWCBos13 intermediate workshop
WCBos13 intermediate workshopBoston WordPress
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkWilliam Earnhardt
 
Demystifying WordPress
Demystifying WordPressDemystifying WordPress
Demystifying WordPressMykl Roventine
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...Dan Vasile
 
NEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & SecurityNEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & SecurityMichelle Davies (Hryvnak)
 
WordPress Customization and Security
WordPress Customization and SecurityWordPress Customization and Security
WordPress Customization and SecurityJoe Casabona
 
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress MultisiteWPMU DEV
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites Catch Themes
 
Week6 office-hours
Week6 office-hoursWeek6 office-hours
Week6 office-hoursRandall Rode
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityIvan Storck
 
How to create a WordPress Site
How to create a WordPress Site How to create a WordPress Site
How to create a WordPress Site MuhammadUsaid2
 
WordPress Theme Reviewers Team
WordPress Theme Reviewers TeamWordPress Theme Reviewers Team
WordPress Theme Reviewers TeamMario Peshev
 
Best Practices for Building WordPress Applications
Best Practices for Building WordPress ApplicationsBest Practices for Building WordPress Applications
Best Practices for Building WordPress ApplicationsTaylor Lovett
 

Similar to Robert Vidal WordPress Security Best Practices (20)

From WordPress With Love
From WordPress With LoveFrom WordPress With Love
From WordPress With Love
 
WordPress Security Essentials
WordPress Security EssentialsWordPress Security Essentials
WordPress Security Essentials
 
Emergency WordPress Troubleshooting
Emergency WordPress TroubleshootingEmergency WordPress Troubleshooting
Emergency WordPress Troubleshooting
 
Website essentials things every library website should have
Website essentials  things every library website should haveWebsite essentials  things every library website should have
Website essentials things every library website should have
 
WCBos13 intermediate workshop
WCBos13 intermediate workshopWCBos13 intermediate workshop
WCBos13 intermediate workshop
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
 
Demystifying WordPress
Demystifying WordPressDemystifying WordPress
Demystifying WordPress
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
 
NEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & SecurityNEPA BlogCon 2013 - WordPress Customization & Security
NEPA BlogCon 2013 - WordPress Customization & Security
 
WordPress Customization and Security
WordPress Customization and SecurityWordPress Customization and Security
WordPress Customization and Security
 
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
2014 WordCamp Austin: Do's and Don'ts of WordPress Multisite
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
 
Week6 office-hours
Week6 office-hoursWeek6 office-hours
Week6 office-hours
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
How to create a WordPress Site
How to create a WordPress Site How to create a WordPress Site
How to create a WordPress Site
 
WordPress Theme Reviewers Team
WordPress Theme Reviewers TeamWordPress Theme Reviewers Team
WordPress Theme Reviewers Team
 
Best Practices for Building WordPress Applications
Best Practices for Building WordPress ApplicationsBest Practices for Building WordPress Applications
Best Practices for Building WordPress Applications
 
Security for devs
Security for devsSecurity for devs
Security for devs
 

Recently uploaded

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书rnrncn29
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxBipin Adhikari
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012rehmti665
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleanscorenetworkseo
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一Fs
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 

Recently uploaded (20)

『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
『澳洲文凭』买拉筹伯大学毕业证书成绩单办理澳洲LTU文凭学位证书
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Intellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptxIntellectual property rightsand its types.pptx
Intellectual property rightsand its types.pptx
 
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
Call Girls South Delhi Delhi reach out to us at ☎ 9711199012
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
Elevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New OrleansElevate Your Business with Our IT Expertise in New Orleans
Elevate Your Business with Our IT Expertise in New Orleans
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝Model Call Girl in  Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
Model Call Girl in Jamuna Vihar Delhi reach out to us at 🔝9953056974🔝
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
定制(UAL学位证)英国伦敦艺术大学毕业证成绩单原版一比一
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 

Robert Vidal WordPress Security Best Practices

  • 1. Robert Vidal, ABCP OSCP OSWP robert.vidal@infotransec.com http://www.infotransec.com WordPress Security and Best Practices
  • 2. • Robert Vidal, ABCP OSCP OSWP Cert. IS-CF • Associate Business Continuity Professional (ABCP) • Certified Vulnerability and Penetration Testing Professional (OSCP) • Certified Wireless Security Professional (OSWP) • Certificate Information Security and Computer Forensics (Cert. IS-CF) • Information Security Analyst – InfoTransec (Hamilton) • Specializing in Network and Application Security • Industry Compliance and Governance • IT Industry since 2005 • Focused on Security since 2008 • Working with WordPress since 2011 About Me:
  • 3. • Our focus is always on delivering high quality solutions to our clients through current industry standards and recognized frameworks and benchmarks. • Services include: • Network and Web Application Vulnerability Assessments and Penetration Testing • Information Security Services • Managed IT • Computer Forensics • Data Recovery • eDiscovery • CyberStalking / CyberBullying About InfoTransec:
  • 4. • WordPress is an open-source application so anyone is able to download the application and view the system defaults and file structure. • Once a hacker has this knowledge or map of your site they can then plan an attack in attempts to exploit the site. • What this means: • Default username is known • File Structure is known • Database structure is known • Location of usernames and passwords and configuration files are known • Location of plugins, themes, and file uploads is known • WordPress version can be enumerated WordPress Defaults
5. Recommendations
• Do not use ‘admin’ as the default Administrator username
  • Change it to a complex username, built like a complex password (upper-case letter, lower-case letter, number and special character, e.g. R0b3rtV!d@l)
• Remove the author name from pages and posts
  • Account names are exposed when content is published
  • Plugin “WP Author, Date and Meta Remover”: https://wordpress.org/plugins/wp-author-date-and-meta-remover/
• Use non-default database table prefixes
  • Upon installation, specify a unique table prefix (not wp_)
  • Modify WordPress after installation
    • Manually via phpMyAdmin and wp-config.php
    • Plugin “Change DB Prefix”: https://wordpress.org/plugins/db-prefix-change/
• Remove the WordPress version from the source code
  • Add to functions.php: remove_action('wp_head', 'wp_generator');
  • Plugin “Remove Version”: https://wordpress.org/plugins/remove-version-remver/
• Delete unused themes and plugins
  • Hello Dolly, Akismet, Jetpack, etc.
6. Q: Who is hacking your site?
8. Who is hacking your site?
• Everyone from your competitors, to black-hat SEO enthusiasts, to hackers and script kiddies.
• Hackers use automated scanners and Google dork search techniques to locate vulnerable WordPress installations, plugins or themes that they can exploit.
• Google dork: search techniques used to locate websites or information that was not intended to be indexed by Google, for example:
  • inurl:wp-content/
  • inurl:"/wp-content/plugins/wp-shopping-cart/"
  • inurl:"wp-content/plugins/wp-dbmanager/"
• What this means:
  • Malware can be injected into the site
  • Brute-force login attempts can be made over time
  • Your site may become slow or unresponsive from handling the excessive requests
  • Tools can be used to scan your site and enumerate information about it and what is installed:
    • WPScan
    • Nmap (the http-wordpress-enum NSE script)
9. Recommendations
• Think like a hacker
• Limit search exposure and restrict access for foreign visitors
  • If you offer products and services to people or businesses in the Hamilton area, why do you need to allow visitors from Russia, Ukraine or China?
  • Use webmaster tools to set a preferred location
  • Use IP-blocker plugins to restrict access
• Block information your visitors do not need to see
  • Modify the site's robots.txt file to keep bots away from sensitive paths (robots.txt is advisory only; a hostile crawler can ignore it, so it complements access controls rather than replacing them)
  • Modify the .htaccess file to ensure secure file and folder permissions are set
• Take proactive measures:
  • Install lockout plugins that lock a user out after a number of failed login attempts
  • Scan the site regularly for malware
    • Sucuri SiteCheck
  • Use WPScan and Nmap to identify what hackers can enumerate about your own site
10. Identify vulnerable plugins and themes and update them
• http://www.wordpressexploit.com/ (WordPress Exploits)
• https://wpvulndb.com/ (WordPress Vulnerability Database)
• http://www.cvedetails.com/vulnerability-list/vendor_id-2337/product_id-4096/ (Common Vulnerabilities and Exposures – Details)
• Security plug-ins:
  • https://wordpress.org/plugins/wordfence/ (Wordfence)
    • Blocking features, login security, security scanning, firewall, monitoring
  • https://wordpress.org/plugins/sucuri-scanner/ (Sucuri Scanner)
    • Security activity auditing, file integrity monitoring, remote malware scanning, blacklist monitoring, effective security hardening, post-hack security actions, security notifications, website firewall
  • https://wordpress.org/plugins/all-in-one-wp-security-and-firewall/ (All-In-One)
    • User account security, login, registration, database, file system security, IP blocking, firewall and more
11. Q: If a hacker gains access to your site, what can they do?
13. What does this mean?
• Files can be added or modified without you knowing
• Google may flag your site as hacked, resulting in a lower Google ranking
• Your site may be filled with spam links, resulting in a lower Google ranking
• You may unknowingly be infecting your visitors with viruses or malicious code
• Visitors may be immediately redirected off your site
• The website can be defaced
• Backdoors can be added, which may lead to future problems
• They can lock you out
• Anything else they wish
14. What to do
• Back up your files and database regularly! It is much easier to compare files against a known-good build, or simply revert to it
• Use plugins that detect file changes and alert you by email
  • https://wordpress.org/plugins/wordfence/ (Wordfence)
• Limit the number of registered users on the site, and ensure accounts have appropriate permissions
• Scan your site for malware regularly
  • Sucuri SiteCheck https://sitecheck.sucuri.net/ (free)
• Google-search the site regularly
• FTP into your hosting account and look for:
  • Files that end with xxxx_old.php
  • Files with unexpected extensions (image files with a .php file extension)
  • The modification dates of your files: if all files in a directory share the same modified date and one has a different date, it is probably malware or a backdoor
  • Unexpected files in your directories (a PHP file in an images directory)
• Install a Web Application Firewall plugin to prevent malicious activity
  • https://en-ca.wordpress.org/plugins/wp-simple-firewall/ (Simple Security Firewall)
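The four manual "FTP in and look for" checks above, automated as an added example that is not from the deck or from any plugin it names: a read-only PHP script (PHP being what a WordPress host already runs) that walks a site directory and reports each pattern. The root path argument, the day-level date comparison and the extension lists are this example's assumptions.

```php
<?php
// Added example, not from the slides: a read-only scan that automates the
// manual "FTP in and look for" checks. The root path, day-granularity and
// extension lists are this example's assumptions, not the deck's.
function scan_suspicious_files(string $root): array
{
    $findings = [];
    $byDirDay = [];   // directory => modification day => [paths]
    $phpExts  = ['php', 'phtml', 'php5', 'php7', 'phar'];
    $imagePat = '/\.(jpe?g|png|gif|webp|svg|ico)\.[a-z0-9]+$/i';
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if (!$file->isFile()) {
            continue;
        }
        $path  = $file->getPathname();
        $name  = $file->getFilename();
        $dir   = $file->getPath();
        $isPhp = in_array(strtolower($file->getExtension()), $phpExts, true);
        // Leftover copies such as wp-config_old.php keep secrets readable.
        if (preg_match('/_old\.php$/i', $name)) {
            $findings[] = "$path: *_old.php leftover";
        }
        // Double extensions (photo.jpg.php) are a classic upload-filter bypass.
        if ($isPhp && preg_match($imagePat, $name)) {
            $findings[] = "$path: image name with a PHP extension";
        }
        // PHP has no business inside an uploads or images directory.
        if ($isPhp && preg_match('#/(uploads|images)(/|$)#i', $dir)) {
            $findings[] = "$path: PHP file in a media directory";
        }
        $byDirDay[$dir][date('Y-m-d', $file->getMTime())][] = $path;
    }
    // One file whose modification day differs from all its siblings.
    foreach ($byDirDay as $dir => $days) {
        if (count($days) !== 2 || array_sum(array_map('count', $days)) < 3) {
            continue;
        }
        foreach ($days as $day => $paths) {
            if (count($paths) === 1) {
                $findings[] = "{$paths[0]}: only file in $dir modified on $day";
            }
        }
    }
    return $findings;
}
// Usage: php scan.php /var/www/html  (defaults to the current directory).
print_r(scan_suspicious_files($argv[1] ?? '.'));
```

Every finding is a lead to inspect by hand, not proof of compromise; compare flagged files against your last known-good backup before acting.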
15. Q: Comments – good or bad?
16. A: Good. Comments are great for allowing interactivity with your visitors. But...
17. What does this mean?
You are also allowing user input into your site.
• Instead of a text comment, a visitor can inject a malicious script or links into your site:
  • <script type="text/javascript">alert("Hello");</script>
  • I love your site. I also found <a href="http://badwebsite.com"> this link </a> for more information.
• Visitors can promote their own sites or links, which may go against the reputation of your site
  • Online pharmacies, adult content, profanity
  • This can lower your Google ranking and SEO reputation
  • This can also cause your site to be flagged by Google as hacked
18. What to do
• Disable comments on all pages and posts
  • If you wish to allow comments on your site, approve them manually or allow them only on certain pages
• Modify functions.php to NOT allow HTML-based comments
• Review the front end of your site regularly
• Google-search your site regularly to ensure Google has not flagged it because of malicious comments
• Install plugins that:
  • Allow users and visitors to report malicious or offensive comments
  • Block all comments
  • Do not allow HTML comments
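A functions.php fragment, added here as an example that is not the deck's or any plugin's code, that applies both the version-removal recommendation from slide 5 and the no-HTML-comments recommendation above. The hooks and core functions are WordPress's own; the helper name it_strip_version_query is this example's, and the ?ver= query-string handling goes one step beyond the single line on slide 5.

```php
<?php
// Added example, not from the slides: theme functions.php additions that carry
// out two of the deck's recommendations. The hooks and core functions are
// WordPress's own; the helper name it_strip_version_query is made up here.

// Slide 5: stop advertising the WordPress version. The slide's remove_action
// drops the <meta name="generator"> tag from the page head; the_generator
// also empties it in RSS/Atom feeds, and the two loader filters remove the
// ?ver= query string that enqueued core scripts and stylesheets carry.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
add_filter('script_loader_src', 'it_strip_version_query');
add_filter('style_loader_src', 'it_strip_version_query');
function it_strip_version_query($src)
{
    return is_string($src) ? remove_query_arg('ver', $src) : $src;
}

// Slide 18: refuse HTML in visitor comments. wp_filter_nohtml_kses strips every
// tag before the comment is stored, so <script>alert("Hello");</script> is saved
// as the text alert("Hello"); and an injected <a href> loses its link.
add_filter('pre_comment_content', 'wp_filter_nohtml_kses');
```

Put this in a child theme or a small site-specific plugin rather than the parent theme's functions.php, so a theme update does not silently discard it.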
19. Q: What is the best method to protect my site?
20. A1: Keep the WordPress core, themes and plugins up to date. And…
22. What does this mean?
• As components are updated, hackers are able to identify the weaknesses of previous versions.
• Many hackers will intentionally target older versions of WordPress with known security issues, so keep an eye on your Dashboard notification area and don’t ignore those ‘Please update now’ messages.
• Hackers prey on those that are slow to update. Code is always evolving, being improved and updated.
23. What to do
• Regular backups at multiple layers
  • MySQL
  • WordPress pages and posts
  • FTP files
• Update the WordPress core when updates are available
  • Use a host that offers automatic updates
• Update plugins and themes regularly
• Delete unused plugins and themes
• Install plugins that manage updates
  • Themes and plugins
  • WordPress core
24. In Closing
• There is no one-stop solution to secure your site.
• There is no single way to recover or restore a website.
• Use multiple tools and tactics to protect your site.
• Ensure you know what is going on in your site: “DON’T SET IT AND FORGET IT”
  • Set up email alerts
  • Visit and test your own site regularly
  • Use Google regularly to search your own site
25. Connect with InfoTransec
• Phone: +1 855-INFOSEC (463 6732)
• Email: infosec@infotransec.com
• Web: https://www.infotransec.com
Social Media:
• Twitter: @InfoTransec
• LinkedIn: https://www.linkedin.com/company/infotransec
• Facebook: https://www.facebook.com/infotransec/
• Google+: https://plus.google.com/113904412258542168822/
Office Location:
• The Atrium @ McMaster Innovation Park
• 175 Longwood Road South, Suite 416A-8
• Hamilton, Ontario
• L8P 0A1