GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675
DON'T GET HACKED:
WORDPRESS SECURITY BEST PRACTICES
GEOFF MYERS PRESENTS
BEFORE WE BEGIN…
THIS PRESENTATION IS AVAILABLE ONLINE:
simdex.org/security
Get In Touch: geoff@simdex.org | simdex.org | 414.455.6675
ANNOUNCEMENTS
▸ WordPress Page Builders for Non-Developers (Create Visual Layouts Without Code): Tuesday, August 30 @ 9:00am — 11:00am, C2 Graphics Productivity Solutions
▸ WordCamp Milwaukee: Saturday, September 17 — Sunday, September 18, UW-Milwaukee School of Continuing Education
▸ Looking for additional speakers, venues, topics, ideas, etc. Share your ideas on Meetup, email geoff@simdex.org, or call 414.455.6675
ABOUT GEOFF MYERS
▸ Founded SimDex Consulting, Inc. in 2004
▸ Web Solutions for Small + Medium Sized Businesses
▸ Digital Marketing Consultant + Strategist
▸ 10+ Years as Full Stack Web Designer + Developer
▸ 5+ Years of WordPress Development Experience
▸ 50+ WordPress Sites Built, Maintained + Marketed
▸ Academic Background in Computer Science
▸ Get In Touch: geoff@simdex.org or simdex.org or 414.455.6675
WORDPRESS MAINTENANCE PLAN FROM SIMDEX
How You Benefit:
▸ We Do Everything For You
▸ Unlimited Minor Changes + Revisions
▸ 24 Hour Response Time Guaranteed
▸ Your Total Peace of Mind
▸ Monthly Phone Consultations
▸ No Hourly Fees or Additional Costs
WORDPRESS MAINTENANCE PLAN FROM SIMDEX
Features + Services Included:
▸ Backups
▸ Monitoring
▸ Speed
▸ Changes
▸ Reports
▸ Support
▸ Consulting
▸ Security
▸ Updates
DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES
WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 1)
▸ Low security = high risk
▸ Financial loss, debt, bankruptcy
▸ Legal liability, personal liability
▸ Privacy breach, violation
▸ Data theft, loss, corruption
▸ Damage to professional brand, reputation, customer trust
▸ Bad for business, bad for customers, bad for everyone
WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 2)
▸ 86% of all websites tested by WhiteHat Sentinel had at least one serious* vulnerability, and most of the time far more than one – 56% to be precise.
▸ On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification.
▸ Insufficient transport layer protection is the most likely vulnerability across vertical industries including retail trade, health care/social assistance, information technology and financial/insurance, with a range of 65-76% likelihood.
▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 3)
▸ Organizations that are compliance-driven to remediate vulnerabilities have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).
▸ Organizations that have made the vulnerability feed-to-development process connection exhibited roughly 40% fewer vulnerabilities, fixed issues nearly a month faster on average and increased remediation rates by 15%.
▸ Considering sites in health care, retail trade and finance were found to be “always vulnerable,” their remediation rates are relatively low at 20%, 21%, and 27% respectively.
▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
USEFUL DEFINITIONS (PART 1)
‣ Apache + NGINX = Web Server Software
‣ CDN = Content Delivery / Distribution Network
‣ DNS = Domain Name System
‣ DoS = Denial of Service Attack
‣ DDoS = Distributed DoS Attack
‣ Freemium = Free + Premium (Paid)
‣ HTTPS = Hypertext Transfer Protocol Secure
USEFUL DEFINITIONS (PART 2)
‣ MySQL = Relational Database Management System (RDBMS)
‣ OWASP = Open Web Application Security Project
‣ PHP = Server-Side Scripting Language
‣ SSL = Secure Sockets Layer
‣ TLS = Transport Layer Security
‣ WAF = Web Application Firewall
WHAT AFFECTS WEBSITE SECURITY?
‣ Network Infrastructure (Everything Between Client + Server)
‣ Web Browser / Client (Chrome, Firefox, Safari)
‣ Web Application (WordPress, etc.) ★
‣ Web Server (Configuration) ★
‣ Apache, NGINX, PHP, MySQL
‣ TLS / SSL Certificate
‣ Web Application Firewall (WAF)
GENERAL WORDPRESS SECURITY ADVICE + BEST PRACTICES
‣ Keep Software Updated (Use Latest Versions) ★
‣ WordPress Core + Themes + Plugins
‣ Apache / NGINX + PHP + MySQL
‣ Regularly Save Backups ★
‣ Harden Software Configuration
‣ Use HTTPS + TLS / SSL Certificate
‣ Use Web Application Firewall (WAF)
FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 1)
▸ CloudFlare (DNS + CDN + TLS / SSL certificates + WAF) ★
▸ Let’s Encrypt (TLS / SSL certificates)
▸ Qualys SSL Labs (checks TLS / SSL certificates) ★
▸ Quttera (scans for malware)
FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 2)
▸ StatusCake (monitors uptime) ★
▸ Sucuri SiteCheck (scans for malware) ★
▸ Uptime Robot (monitors uptime)
▸ VirusTotal (checks blacklists)
FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 1)
▸ Better Search Replace (global database search + replace)
▸ CloudFlare (DNS, CDN, TLS/SSL, firewall, etc.) ★
▸ Easy Updates Manager (automatic updates) ★
▸ iThemes Security (many, many features) ★
FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 2)
▸ Jetpack by WordPress.com (automatic updates, firewall, uptime monitoring)
▸ Sucuri Security (malware scanner)
▸ UpdraftPlus (automatic backup + restore) ★
▸ Wordfence Security (malware scanner, etc.)
CLOUDFLARE SECURITY FEATURES (PART 1)
▸ Reputation-based threat protection
▸ Comment spam protection
▸ Content scraping protection
▸ Block visitors by IP range
▸ Block visitors by country 💵
▸ Deploy collective intelligence to identify new threats
▸ Notify visitors on how to clean their infected machine
▸ Basic DDoS protection
CLOUDFLARE SECURITY FEATURES (PART 2)
▸ Web application firewall (WAF) 💵
▸ Built-in CloudFlare rule set 💵
▸ OWASP ModSecurity Core rule set 💵
▸ 3rd Party WAF rule sets 💵
▸ Custom WAF rule support 💵
▸ Advanced DDoS protection 💵
▸ Advanced DDoS support 💵
▸ BGP origin protection 💵
iTHEMES SECURITY PLUGIN FEATURES (PART 1)
▸ Prevents brute force attacks by banning hosts and users with too many invalid login attempts
▸ Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
▸ Bans troublesome user agents, bots and other hosts
▸ Strengthens server security
▸ Enforces strong passwords for all accounts of a configurable minimum role
iTHEMES SECURITY PLUGIN FEATURES (PART 2)
▸ Forces SSL for admin pages (on supporting servers)
▸ Forces SSL for any page or post (on supporting servers)
▸ Turns off file editing from within WordPress admin area
▸ Detects and blocks numerous attacks to your filesystem and database
▸ Detects bots and other attempts to search for vulnerabilities.
iTHEMES SECURITY PLUGIN FEATURES (PART 3)
▸ Monitors filesystem for unauthorized changes.
▸ Run a scan for malware and blacklists on the homepage of your site.
▸ Receive email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed.
▸ Changes the URLs for WordPress dashboard areas including login, admin and more
▸ Completely turns off the ability to login for a given time period (away mode)
iTHEMES SECURITY PLUGIN FEATURES (PART 4)
▸ Removes theme, plugin, and core update notifications from users who do not have permission to update them
▸ Removes Windows Live Writer header information
▸ Removes RSD header information
▸ Renames "admin" account
▸ Changes the ID on the user with ID 1
iTHEMES SECURITY PLUGIN FEATURES (PART 5)
▸ Changes the WordPress database table prefix
▸ Changes wp-content path
▸ Removes login error messages
▸ Makes it easier for users not accustomed to WordPress to remember login and admin URLs by customizing default admin URLs
▸ Detects hidden 404 errors on your site that can affect your SEO such as bad links and missing images
WORDFENCE SECURITY PLUGIN FEATURES (PART 1)
▸ Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
▸ Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version.
▸ Block common security threats like fake Googlebots, malicious scans from hackers and botnets.
▸ Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
▸ Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report security threats to network owner.
WORDFENCE SECURITY PLUGIN FEATURES (PART 2)
▸ Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
▸ Choose whether you want to block or throttle users and robots who break your security rules.
▸ Premium users can also block countries and schedule scans for specific times and a higher frequency.
▸ Sign in using your password and your cellphone to vastly improve login security. This is called two-factor authentication and is used by banks, government agencies and military worldwide for highest security authentication.
▸ Includes two-factor authentication, also referred to as cellphone sign-in.
WORDFENCE SECURITY PLUGIN FEATURES (PART 3)
▸ Enforce strong passwords among your administrators, publishers and users. Improve login security.
▸ Checks the strength of all user and admin passwords to enhance login security.
▸ Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
▸ Scans for the Heartbleed vulnerability - included in the free scan for all users.
▸ Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.
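The lockout behaviour that both the iThemes feature list ("banning hosts and users with too many invalid login attempts") and Wordfence's brute-force login security describe, as an added example that is not code from either plugin or from the presenter: it reads Apache combined-format access log lines and flags any client that fails five wp-login.php logins inside five minutes. The log lines are constructed, and the threshold and window are assumed values rather than either plugin's defaults.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed Apache combined-format log lines (not real traffic). Only the
# first client fails often enough, fast enough, to trip the lockout rule.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Aug/2016:10:00:00 -0500] "GET /wp-login.php HTTP/1.1" 200 2890 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2016:10:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2016:10:00:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2016:10:00:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2016:10:00:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Aug/2016:10:00:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2016:10:01:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2016:10:01:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Aug/2016:10:01:10 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Aug/2016:10:05:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47.0"
192.0.2.9 - - [10/Aug/2016:12:05:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47.0"
192.0.2.9 - - [10/Aug/2016:14:05:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47.0"
192.0.2.9 - - [10/Aug/2016:16:05:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47.0"
192.0.2.9 - - [10/Aug/2016:18:05:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],
        "status": int(m.group("status")),
    }


def is_failed_login(rec):
    """WordPress re-renders the login form with HTTP 200 on a bad password and
    answers a successful login with a 302 redirect, so a 200 on a POST to
    wp-login.php is a failed attempt. GETs are just page loads."""
    return rec["method"] == "POST" and rec["path"] == "/wp-login.php" and rec["status"] == 200


def detect_lockouts(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: time_of_lockout} for clients with `threshold` or more failed
    logins inside any `window`-long span (sliding window per client)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent failures
    locked = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or not is_failed_login(rec):
            continue
        attempts = recent[rec["ip"]]
        attempts.append(rec["ts"])
        while rec["ts"] - attempts[0] > window:   # drop failures outside the window
            attempts.popleft()
        if len(attempts) >= threshold and rec["ip"] not in locked:
            locked[rec["ip"]] = rec["ts"]
    return locked


if __name__ == "__main__":
    for ip, when in detect_lockouts(SAMPLE_LOG.splitlines()).items():
        print(f"lock out {ip} at {when.isoformat()}")
```

The slow client (five failures spread over eight hours) is deliberately not flagged; catching that pattern needs a longer window or a per-account counter, which is a tuning decision rather than a parsing one.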
WORDFENCE SECURITY PLUGIN FEATURES (PART 4)
▸ See how files have changed. Optionally repair changed files that are security threats.
▸ Scans for signatures of over 44,000 known malware variants that are known security threats.
▸ Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many many more.
▸ Continuously scans for malware and phishing URLs including all URLs on the Google Safe Browsing List in all your comments, posts and files that are security threats.
▸ Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
WORDFENCE SECURITY PLUGIN FEATURES (PART 5)
▸ Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
▸ See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
▸ A real-time view of all traffic including automated bots that often constitute security threats that JavaScript analytics packages never show you.
▸ Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
▸ Monitor your DNS security for unauthorized DNS changes.
WORDFENCE SECURITY PLUGIN FEATURES (PART 6)
▸ Monitors disk space, which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.
▸ Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
▸ WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
▸ Includes Falcon Engine, the fastest WordPress caching engine available today. Falcon is faster because it reduces your web server disk and database activity to a minimum.
▸ Wordfence includes two caching modes for compatibility and has cache management features like the ability to clear the cache and monitor cache usage.
WORDFENCE SECURITY PLUGIN FEATURES (PART 7)
▸ Fully IPv6 compatible including all whois lookup, location, blocking and security functions.
▸ Includes support for other major plugins and themes like WooCommerce.
▸ The Wordfence website includes an in-depth WordPress Security Learning Center.
GEOFF’S WEBSITE SECURITY CHECKLIST (PART 1)
‣ Set up automated backups for WordPress files + database using UpdraftPlus
‣ Set up automated updates for WordPress core + themes + plugins using Easy Updates Manager
‣ Sign up for and enable CloudFlare
‣ Install free SSL certificate from CloudFlare or Let’s Encrypt
GEOFF’S WEBSITE SECURITY CHECKLIST (PART 2)
‣ Change both URLs in WordPress Settings → General to use HTTPS instead of HTTP
‣ Force HTTPS on all web server resources using .htaccess
‣ Replace all website URL instances of HTTP with HTTPS using Better Search Replace plugin
‣ Install and configure iThemes Security plugin
‣ Install and configure Wordfence Security plugin OR sign up for Sucuri Security
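The checklist sends you to the Better Search Replace plugin rather than a raw SQL UPDATE ... REPLACE() because WordPress keeps many option and meta values as PHP-serialized arrays whose strings carry their byte length, so a byte-for-byte substitution of http:// with https:// leaves those lengths wrong and PHP can no longer unserialize the row (the .htaccess redirect covers incoming requests, not URLs stored in the database). The following Python is an added example, not the plugin's or the presenter's code, of the decode, substitute, re-encode step over a constructed wp_options-style value; it handles the scalar and array types only, not serialized objects.

```python
# Constructed wp_options-style value: a PHP-serialized array holding two URLs.
# Every s:N is a byte count, which is what a plain REPLACE() silently breaks.
SAMPLE_SERIALIZED = (
    b'a:2:{s:4:"home";s:19:"http://example.com/";'
    b's:4:"logo";s:30:"http://example.com/wp/logo.png";}'
)


def _parse(data, pos=0):
    """Decode one PHP-serialized value at pos; return (value, position after it).
    Handles N, b, i, d, s and a; objects (O:) are out of scope for this example."""
    tag = data[pos:pos + 1]
    if tag == b'N':                                  # N;
        return None, pos + 2
    if tag in (b'b', b'i', b'd'):                    # b:1;  i:42;  d:1.5;
        end = data.index(b';', pos)
        raw = data[pos + 2:end]
        if tag == b'i':
            return int(raw), end + 1
        if tag == b'd':
            return float(raw), end + 1
        return raw == b'1', end + 1
    if tag == b's':                                  # s:5:"hello";
        colon = data.index(b':', pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                            # skip the :" prefix
        value = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError(f'string length does not match content at byte {pos}')
        return value, start + length + 2
    if tag == b'a':                                  # a:2:{key;value;key;value;}
        colon = data.index(b':', pos + 2)
        count = int(data[pos + 2:colon])
        pos = colon + 2                              # skip the :{ prefix
        items = {}
        for _ in range(count):
            key, pos = _parse(data, pos)
            value, pos = _parse(data, pos)
            items[key] = value
        if data[pos:pos + 1] != b'}':
            raise ValueError(f'unterminated array at byte {pos}')
        return items, pos + 1
    raise ValueError(f'not a serialized value at byte {pos}')


def _dump(value):
    """Re-encode a decoded value, recomputing every string length in bytes."""
    if value is None:
        return b'N;'
    if isinstance(value, bool):                      # must precede the int check
        return b'b:1;' if value else b'b:0;'
    if isinstance(value, int):
        return b'i:%d;' % value
    if isinstance(value, float):
        return b'd:' + repr(value).encode() + b';'
    if isinstance(value, bytes):
        return b's:%d:"%s";' % (len(value), value)
    if isinstance(value, dict):
        body = b''.join(_dump(k) + _dump(v) for k, v in value.items())
        return b'a:%d:{%s}' % (len(value), body)
    raise TypeError(f'cannot serialize {type(value).__name__}')


def _replace(value, old, new):
    """Apply the substitution to every string value, recursing into arrays."""
    if isinstance(value, bytes):
        return value.replace(old, new)
    if isinstance(value, dict):
        return {k: _replace(v, old, new) for k, v in value.items()}
    return value


def is_well_formed(cell):
    """True when the whole cell decodes as exactly one serialized value."""
    try:
        return _parse(cell)[1] == len(cell)
    except (ValueError, IndexError):
        return False


def naive_replace(cell, old, new):
    """What UPDATE ... SET v = REPLACE(v, old, new) does: byte substitution only."""
    return cell.replace(old, new)


def replace_cell(cell, old, new):
    """Serialization-aware replacement for one database cell: decode, substitute,
    re-encode when the cell is serialized; otherwise fall back to plain text."""
    if is_well_formed(cell):
        return _dump(_replace(_parse(cell)[0], old, new))
    return naive_replace(cell, old, new)


if __name__ == "__main__":
    fixed = replace_cell(SAMPLE_SERIALIZED, b'http://', b'https://')
    broken = naive_replace(SAMPLE_SERIALIZED, b'http://', b'https://')
    print("serialization-aware:", fixed, is_well_formed(fixed))
    print("plain REPLACE():    ", broken, is_well_formed(broken))
```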
HELP! I’VE BEEN HACKED… NOW WHAT?!
▸ Post-Hack Cleanup Options (easiest to hardest):
1. Restore Pre-Hack Backup
2. Sign Up for Sucuri
3. Pay a Professional like SimDex
4. Scan + Clean It Yourself
ADDITIONAL ARTICLES + RESOURCES (PART 1)
▸ Hardening WordPress (from WordPress.org)
▸ Hardening WordPress Security: 25 Essential Plugins + Tips (from Hongkiat)
▸ The WordPress Security Learning Center (from Wordfence)
▸ WordPress Security (from iThemes)
ADDITIONAL ARTICLES + RESOURCES (PART 2)
▸ WordPress Security (from Yoast)
▸ WordPress Security: The Ultimate Guide (from WPMU DEV)
▸ WordPress Security Tutorial (from SiteGround)
THAT’S IT FOR NOW…
THANK YOU!
Questions?
Get In Touch: geoff@simdex.org | simdex.org | 414.455.6675
GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675
THAT’S IT FOR NOW…
THIS PRESENTATION IS AVAILABLE ONLINE:
simdex.org/security
Get In Touch:

geoff@simdex.org

simdex.org

414.455.6675

More Related Content

Recently uploaded

Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxeditsforyah
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作ys8omjxb
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书zdzoqco
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Paul Calvano
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)Christopher H Felton
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxDyna Gilbert
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa494f574xmv
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一Fs
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITMgdsc13
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationLinaWolf1
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书rnrncn29
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一Fs
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Excelmac1
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMartaLoveguard
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Sonam Pathan
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predieusebiomeyer
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一z xss
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一Fs
 

Recently uploaded (20)

young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Serviceyoung call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
young call girls in Uttam Nagar🔝 9953056974 🔝 Delhi escort Service
 
Q4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptxQ4-1-Illustrating-Hypothesis-Testing.pptx
Q4-1-Illustrating-Hypothesis-Testing.pptx
 
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
Potsdam FH学位证,波茨坦应用技术大学毕业证书1:1制作
 
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
办理多伦多大学毕业证成绩单|购买加拿大UTSG文凭证书
 
Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24Font Performance - NYC WebPerf Meetup April '24
Font Performance - NYC WebPerf Meetup April '24
 
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
A Good Girl's Guide to Murder (A Good Girl's Guide to Murder, #1)
 
Top 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptxTop 10 Interactive Website Design Trends in 2024.pptx
Top 10 Interactive Website Design Trends in 2024.pptx
 
Film cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasaFilm cover research (1).pptxsdasdasdasdasdasa
Film cover research (1).pptxsdasdasdasdasdasa
 
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in  Rk Puram 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Rk Puram 🔝 9953056974 🔝 Delhi escort Service
 
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
定制(AUT毕业证书)新西兰奥克兰理工大学毕业证成绩单原版一比一
 
Git and Github workshop GDSC MLRITM
Git and Github  workshop GDSC MLRITMGit and Github  workshop GDSC MLRITM
Git and Github workshop GDSC MLRITM
 
PHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 DocumentationPHP-based rendering of TYPO3 Documentation
PHP-based rendering of TYPO3 Documentation
 
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
『澳洲文凭』买詹姆士库克大学毕业证书成绩单办理澳洲JCU文凭学位证书
 
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
定制(Management毕业证书)新加坡管理大学毕业证成绩单原版一比一
 
Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...Blepharitis inflammation of eyelid symptoms cause everything included along w...
Blepharitis inflammation of eyelid symptoms cause everything included along w...
 
Magic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptxMagic exist by Marta Loveguard - presentation.pptx
Magic exist by Marta Loveguard - presentation.pptx
 
Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170Call Girls Near The Suryaa Hotel New Delhi 9873777170
Call Girls Near The Suryaa Hotel New Delhi 9873777170
 
SCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is prediSCM Symposium PPT Format Customer loyalty is predi
SCM Symposium PPT Format Customer loyalty is predi
 
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
办理(UofR毕业证书)罗切斯特大学毕业证成绩单原版一比一
 
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
定制(Lincoln毕业证书)新西兰林肯大学毕业证成绩单原版一比一
 

Featured

AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfmarketingartwork
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024Neil Kimberley
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)contently
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024Albert Qian
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsKurio // The Social Media Age(ncy)
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Search Engine Journal
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summarySpeakerHub
 
ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd ChatGPT and the Future of Work - Clark Boyd
ChatGPT and the Future of Work - Clark Boyd Clark Boyd
 
Getting into the tech field. what next
Getting into the tech field. what next Getting into the tech field. what next
Getting into the tech field. what next Tessa Mero
 
Google's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentGoogle's Just Not That Into You: Understanding Core Updates & Search Intent
Google's Just Not That Into You: Understanding Core Updates & Search IntentLily Ray
 
Time Management & Productivity - Best Practices
Time Management & Productivity -  Best PracticesTime Management & Productivity -  Best Practices
Time Management & Productivity - Best PracticesVit Horky
 
The six step guide to practical project management
The six step guide to practical project managementThe six step guide to practical project management
The six step guide to practical project managementMindGenius
 
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...
Beginners Guide to TikTok for Search - Rachel Pearson - We are Tilt __ Bright...RachelPearson36
 
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...
Unlocking the Power of ChatGPT and AI in Testing - A Real-World Look, present...Applitools
 
12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at Work12 Ways to Increase Your Influence at Work
12 Ways to Increase Your Influence at WorkGetSmarter
 

Featured (20)

AI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdfAI Trends in Creative Operations 2024 by Artwork Flow.pdf
AI Trends in Creative Operations 2024 by Artwork Flow.pdf
 
Skeleton Culture Code
Skeleton Culture CodeSkeleton Culture Code
Skeleton Culture Code
 
PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024PEPSICO Presentation to CAGNY Conference Feb 2024
PEPSICO Presentation to CAGNY Conference Feb 2024
 
Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)Content Methodology: A Best Practices Report (Webinar)
Content Methodology: A Best Practices Report (Webinar)
 
How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024How to Prepare For a Successful Job Search for 2024
How to Prepare For a Successful Job Search for 2024
 
Social Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie InsightsSocial Media Marketing Trends 2024 // The Global Indie Insights
Social Media Marketing Trends 2024 // The Global Indie Insights
 
Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024Trends In Paid Search: Navigating The Digital Landscape In 2024
Trends In Paid Search: Navigating The Digital Landscape In 2024
 
5 Public speaking tips from TED - Visualized summary
5 Public speaking tips from TED - Visualized summary5 Public speaking tips from TED - Visualized summary
Don't Get Hacked: WordPress Security Best Practices

• 7. WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 1)
▸ Low security = high risk
▸ Financial loss, debt, bankruptcy
▸ Legal liability, personal liability
▸ Privacy breach, violation
▸ Data theft, loss, corruption
▸ Damage to professional brand, reputation, customer trust
▸ Bad for business, bad for customers, bad for everyone
• 8. WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 2)
▸ 86% of all websites tested by WhiteHat Sentinel had at least one serious* vulnerability, and most of the time, far more than one – 56% to be precise.
▸ On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification.
▸ Insufficient transport layer protection is the most likely vulnerability across vertical industries including retail trade, health care/social assistance, information technology and financial/insurance, with a range of 65-76% likelihood.
▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
• 9. WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 3)
▸ Organizations that are compliance-driven to remediate vulnerabilities have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).
▸ Organizations that have made the vulnerability feed-to-development process connection exhibited roughly 40% fewer vulnerabilities, fixed issues nearly a month faster on average and increased remediation rates by 15%.
▸ Considering sites in health care, retail trade and finance were found to be “always vulnerable,” their remediation rates are relatively low at 20%, 21%, and 27% respectively.
▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
• 10. USEFUL DEFINITIONS (PART 1)
‣ Apache + NGINX = Web Server Software
‣ CDN = Content Delivery / Distribution Network
‣ DNS = Domain Name System
‣ DoS = Denial of Service Attack
‣ DDoS = Distributed DoS Attack
‣ Freemium = Free + Premium (Paid)
‣ HTTPS = Hypertext Transfer Protocol Secure
• 11. USEFUL DEFINITIONS (PART 2)
‣ MySQL = Relational Database Management System (RDBMS)
‣ OWASP = Open Web Application Security Project
‣ PHP = Server-Side Scripting Language
‣ SSL = Secure Sockets Layer
‣ TLS = Transport Layer Security
‣ WAF = Web Application Firewall
• 12. WHAT AFFECTS WEBSITE SECURITY?
‣ Network Infrastructure (Everything Between Client + Server)
‣ Web Browser / Client (Chrome, Firefox, Safari)
‣ Web Application (WordPress, etc.) ★
‣ Web Server (Configuration) ★
  ‣ Apache, NGINX, PHP, MySQL
‣ TLS / SSL Certificate
‣ Web Application Firewall (WAF)
• 14. GENERAL WORDPRESS SECURITY ADVICE + BEST PRACTICES
‣ Keep Software Updated (Use Latest Versions) ★
  ‣ WordPress Core + Themes + Plugins
  ‣ Apache / NGINX + PHP + MySQL
‣ Regularly Save Backups ★
‣ Harden Software Configuration
‣ Use HTTPS + TLS / SSL Certificate
‣ Use Web Application Firewall (WAF)
• 15. FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 1)
▸ CloudFlare (DNS + CDN + TLS / SSL certificates + WAF) ★
▸ Let’s Encrypt (TLS / SSL certificates)
▸ Qualys SSL Labs (checks TLS / SSL certificates) ★
▸ Quttera (scans for malware)
• 20. FREE(MIUM) WEBSITE SECURITY RESOURCES (PART 2)
▸ StatusCake (monitors uptime) ★
▸ Sucuri SiteCheck (scans for malware) ★
▸ Uptime Robot (monitors uptime)
▸ VirusTotal (checks blacklists)
• 25. FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 1)
▸ Better Search Replace (global database search + replace)
▸ CloudFlare ★ (DNS, CDN, TLS/SSL, firewall, etc.)
▸ Easy Updates Manager ★ (automatic updates)
▸ iThemes Security ★ (many, many features)
• 30. FREE(MIUM) WORDPRESS SECURITY PLUGINS (PART 2)
▸ Jetpack by WordPress.com (automatic updates, firewall, uptime monitoring)
▸ Sucuri Security (malware scanner)
▸ UpdraftPlus ★ (automatic backup + restore)
▸ Wordfence Security (malware scanner, etc.)
• 35. CLOUDFLARE SECURITY FEATURES (PART 1) (💵 = available on paid plans only)
▸ Reputation-based threat protection
▸ Comment spam protection
▸ Content scraping protection
▸ Block visitors by IP range
▸ Block visitors by country 💵
▸ Deploy collective intelligence to identify new threats
▸ Notify visitors on how to clean their infected machine
▸ Basic DDoS protection
• 36. CLOUDFLARE SECURITY FEATURES (PART 2)
▸ Web application firewall (WAF) 💵
▸ Built-in CloudFlare rule set 💵
▸ OWASP ModSecurity Core rule set 💵
▸ 3rd Party WAF rule sets 💵
▸ Custom WAF rule support 💵
▸ Advanced DDoS protection 💵
▸ Advanced DDoS support 💵
▸ BGP origin protection 💵
• 37. iTHEMES SECURITY PLUGIN FEATURES (PART 1)
▸ Prevents brute force attacks by banning hosts and users with too many invalid login attempts
▸ Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
▸ Bans troublesome user agents, bots and other hosts
▸ Strengthens server security
▸ Enforces strong passwords for all accounts of a configurable minimum role
• 38. iTHEMES SECURITY PLUGIN FEATURES (PART 2)
▸ Forces SSL for admin pages (on supporting servers)
▸ Forces SSL for any page or post (on supporting servers)
▸ Turns off file editing from within WordPress admin area
▸ Detects and blocks numerous attacks to your filesystem and database
▸ Detects bots and other attempts to search for vulnerabilities
• 39. iTHEMES SECURITY PLUGIN FEATURES (PART 3)
▸ Monitors filesystem for unauthorized changes
▸ Runs a scan for malware and blacklists on the homepage of your site
▸ Sends email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed
▸ Changes the URLs for WordPress dashboard areas including login, admin and more
▸ Completely turns off the ability to log in for a given time period (away mode)
• 40. iTHEMES SECURITY PLUGIN FEATURES (PART 4)
▸ Removes theme, plugin, and core update notifications from users who do not have permission to update them
▸ Removes Windows Live Writer header information
▸ Removes RSD header information
▸ Renames "admin" account
▸ Changes the ID on the user with ID 1
• 41. iTHEMES SECURITY PLUGIN FEATURES (PART 5)
▸ Changes the WordPress database table prefix
▸ Changes wp-content path
▸ Removes login error messages
▸ Makes it easier for users not accustomed to WordPress to remember login and admin URLs by customizing default admin URLs
▸ Detects hidden 404 errors on your site that can affect your SEO such as bad links and missing images
• 42. WORDFENCE SECURITY PLUGIN FEATURES (PART 1)
▸ Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
▸ Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version.
▸ Block common security threats like fake Googlebots, malicious scans from hackers and botnets.
▸ Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
▸ Block entire malicious networks. Includes advanced IP and domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report security threats to the network owner.
• 43. WORDFENCE SECURITY PLUGIN FEATURES (PART 2)
▸ Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
▸ Choose whether you want to block or throttle users and robots who break your security rules.
▸ Premium users can also block countries and schedule scans for specific times and a higher frequency.
▸ Sign in using your password and your cellphone to vastly improve login security. This is called two-factor authentication and is used by banks, government agencies and military worldwide for highest-security authentication.
▸ Includes two-factor authentication, also referred to as cellphone sign-in.
• 44. WORDFENCE SECURITY PLUGIN FEATURES (PART 3)
▸ Enforce strong passwords among your administrators, publishers and users. Improve login security.
▸ Checks the strength of all user and admin passwords to enhance login security.
▸ Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
▸ Scans for the Heartbleed vulnerability, included in the free scan for all users.
▸ Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify the security of your source.
• 45. WORDFENCE SECURITY PLUGIN FEATURES (PART 4)
▸ See how files have changed. Optionally repair changed files that are security threats.
▸ Scans for signatures of over 44,000 known malware variants that are known security threats.
▸ Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many, many more.
▸ Continuously scans for malware and phishing URLs, including all URLs on the Google Safe Browsing List, in all your comments, posts and files that are security threats.
▸ Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
• 46. WORDFENCE SECURITY PLUGIN FEATURES (PART 5)
▸ Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
▸ See all your traffic in real time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
▸ A real-time view of all traffic including automated bots that often constitute security threats that JavaScript analytics packages never show you.
▸ Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
▸ Monitor your DNS security for unauthorized DNS changes.
• 47. WORDFENCE SECURITY PLUGIN FEATURES (PART 6)
▸ Monitors disk space, which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.
▸ Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
▸ WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
▸ Includes Falcon Engine, the fastest WordPress caching engine available today. Falcon is faster because it reduces your web server disk and database activity to a minimum.
▸ Wordfence includes two caching modes for compatibility and has cache management features like the ability to clear the cache and monitor cache usage.
• 48. WORDFENCE SECURITY PLUGIN FEATURES (PART 7)
▸ Fully IPv6 compatible including all whois lookup, location, blocking and security functions.
▸ Includes support for other major plugins and themes like WooCommerce.
▸ The Wordfence website includes an in-depth WordPress Security Learning Center.
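The host lockout on slide 37 (ban a host after too many invalid login attempts) and the rate limiting on slide 43 both start from the same observation: one client address hitting wp-login.php over and over without ever succeeding. The script below is an added example, not code from the presentation or from either plugin, that reproduces that logic from the web server's own access log so you can see what the plugins are reacting to. It is written for a POSIX shell with awk and assumes Apache's combined log format and the usual WordPress behaviour that a failed POST to wp-login.php re-renders the form with HTTP 200 while a successful one answers with a 302 redirect. The log lines, the RFC 5737 documentation addresses in them and the threshold of 5 are all constructed for the example.

```shell
#!/bin/sh
# Added example, not from the presentation or either plugin: the host-lockout
# logic described for iThemes Security and Wordfence, computed from Apache
# combined-format access log lines. Assumption: WordPress answers a failed
# wp-login.php POST with 200 (form shown again) and a successful one with a
# 302 to the dashboard, so "POST /wp-login.php -> 200" is counted as a failure.

# Constructed sample log (RFC 5737 test addresses): 203.0.113.7 is guessing
# passwords, 192.0.2.9 mistypes once and then logs in, 198.51.100.4 just browses.
SAMPLE_LOG='203.0.113.7 - - [24/Aug/2016:10:00:00 -0500] "GET /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2016:10:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2016:10:00:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.4 - - [24/Aug/2016:10:00:03 -0500] "GET /about/ HTTP/1.1" 200 8811 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2016:10:00:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Aug/2016:10:00:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2016:10:00:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [24/Aug/2016:10:00:06 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2016:10:00:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [24/Aug/2016:10:00:07 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"'

# failed_logins: read a log on stdin and print "<failures> <ip>" per client,
# worst offender first. Field 6 is the quoted method, 7 the path, 9 the status.
failed_logins() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == "200" { n[$1]++ }
       END { for (ip in n) print n[ip], ip }' | sort -rn
}

# hosts_to_ban THRESHOLD: clients with at least THRESHOLD failures (log on stdin).
hosts_to_ban() {
  failed_logins | awk -v t="$1" '$1 >= t { print $2 }'
}

# deny_rules THRESHOLD: an Apache 2.4 .htaccess block that refuses those
# clients, the manual equivalent of the plugins' host ban. "Require not" only
# has an effect inside <RequireAll>, hence the wrapper.
deny_rules() {
  hosts_to_ban "$1" | awk 'BEGIN { print "<RequireAll>"; print "Require all granted" }
                           { print "Require not ip " $1 }
                           END { print "</RequireAll>" }'
}

# Demo on the constructed log with a threshold of 5 failures.
printf '%s\n' "$SAMPLE_LOG" | deny_rules 5
```

Run against a real log with `deny_rules 5 < /var/log/apache2/access.log`. One caveat that matters if you follow the CloudFlare advice on slide 15: once CloudFlare is in front of the site, the first field of the log is CloudFlare's edge address unless the origin restores the visitor address from the CF-Connecting-IP header (mod_cloudflare or mod_remoteip); without that, a ban produced this way blocks CloudFlare itself rather than the attacker.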
• 49. GEOFF’S WEBSITE SECURITY CHECKLIST (PART 1)
‣ Set up automated backups for WordPress files + database using UpdraftPlus
‣ Set up automated updates for WordPress core + themes + plugins using Easy Updates Manager
‣ Sign up for and enable CloudFlare
‣ Install free SSL certificate from CloudFlare or Let’s Encrypt
• 50. GEOFF’S WEBSITE SECURITY CHECKLIST (PART 2)
‣ Change both URLs in WordPress Settings → General to use HTTPS instead of HTTP
‣ Force HTTPS on all web server resources using .htaccess
‣ Replace all website URL instances of HTTP with HTTPS using Better Search Replace plugin
‣ Install and configure iThemes Security plugin
‣ Install and configure Wordfence Security plugin OR sign up for Sucuri Security
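The HTTPS steps of the checklist (the two site URLs, the .htaccess redirect and the search-and-replace) as one script, so the order and the pitfalls are visible. This is an added example, not code from the presentation, and it does not use the plugins named above. It assumes Apache with mod_rewrite and AllowOverride enabled so .htaccess is honoured, a writable wp-config.php and .htaccess in the document root passed as the first argument, CloudFlare (or another proxy) terminating TLS in front of the origin, and WP-CLI optionally installed for the search-replace step; the paths and the https://example.com URL are placeholders. It also sets FORCE_SSL_ADMIN and DISALLOW_FILE_EDIT, the wp-config.php constants behind the "forces SSL for admin pages" and "turns off file editing" items listed for iThemes Security on slide 38.

```shell
#!/bin/sh
# Added example, not from the presentation: the HTTPS steps of the checklist
# for a WordPress install at $1 with public URL $2 (e.g. https://example.com).
# Assumptions: Apache + mod_rewrite with AllowOverride, writable wp-config.php
# and .htaccess, CloudFlare terminating TLS in front of the origin, WP-CLI
# optionally on PATH. Paths and URLs are placeholders.

# insert_config FILE TEXT: put TEXT into wp-config.php before the "stop editing"
# marker (or before wp-settings.php is loaded, whichever comes first). Anything
# defined after wp-settings.php is loaded is too late to take effect.
insert_config() {
  awk -v text="$2" '
    !done && (/stop editing/ || /wp-settings\.php/) { print text; done = 1 }
    { print }
    END { if (!done) print text }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# add_define FILE NAME VALUE: define('NAME', VALUE); unless already defined.
add_define() {
  grep -q "define( *['\"]$2['\"]" "$1" || insert_config "$1" "define('$2', $3);"
}

# Behind a TLS-terminating proxy the origin sees plain HTTP; without this shim
# FORCE_SSL_ADMIN redirects to HTTPS forever. Only trust the header when the
# origin cannot be reached except through the proxy.
PROXY_SHIM='if (isset($_SERVER["HTTP_X_FORWARDED_PROTO"]) && $_SERVER["HTTP_X_FORWARDED_PROTO"] === "https") {
    $_SERVER["HTTPS"] = "on";
}'

# harden_wp_config FILE URL: HTTPS site URLs (the two fields under Settings ->
# General), HTTPS admin, and no theme/plugin editor in the dashboard.
harden_wp_config() {
  add_define "$1" WP_HOME "'$2'"
  add_define "$1" WP_SITEURL "'$2'"
  add_define "$1" FORCE_SSL_ADMIN true
  add_define "$1" DISALLOW_FILE_EDIT true
  grep -q HTTP_X_FORWARDED_PROTO "$1" || insert_config "$1" "$PROXY_SHIM"
}

# force_https HTACCESS: prepend a 301 to HTTPS so it runs before the WordPress
# rules (which end with [L]). Skipping requests CloudFlare already received
# over HTTPS (X-Forwarded-Proto) prevents a redirect loop.
force_https() {
  grep -q 'BEGIN force-https' "$1" 2>/dev/null && return 0
  {
    cat <<'EOF'
# BEGIN force-https
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{HTTP:X-Forwarded-Proto} !=https
RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
# END force-https
EOF
    if [ -f "$1" ]; then cat "$1"; fi
  } > "$1.tmp" && mv "$1.tmp" "$1"
}

# replace_urls DOCROOT OLD NEW: the Better Search Replace step via WP-CLI.
# Dry run by default; guid is skipped because WordPress uses it as an
# identifier, not as a link.
replace_urls() {
  if ! command -v wp >/dev/null 2>&1; then
    echo "wp-cli not found; use the Better Search Replace plugin for this step" >&2
    return 0
  fi
  wp --path="$1" search-replace "$2" "$3" --skip-columns=guid --dry-run
}

harden_site() {
  harden_wp_config "$1/wp-config.php" "$2"
  force_https "$1/.htaccess"
  replace_urls "$1" "http://${2#https://}" "$2"
}

# Usage: sh harden-https.sh /var/www/html https://example.com
if [ $# -eq 2 ]; then harden_site "$1" "$2"; fi
```

Run it once as `sh harden-https.sh /var/www/html https://example.com`, review the dry-run output of the search-replace, then repeat that command without `--dry-run`. Two caveats: the X-Forwarded-Proto checks are what make the redirect and FORCE_SSL_ADMIN work behind CloudFlare's Flexible or Full SSL, but that header can be set by anyone who can reach the origin directly, so restrict origin access to CloudFlare's address ranges; and the redirect block has to stay above the `# BEGIN WordPress` rules, which is why the script prepends it instead of appending.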
• 51. HELP! I’VE BEEN HACKED… NOW WHAT?!
▸ Post-Hack Cleanup Options (easiest to hardest):
  1. Restore Pre-Hack Backup
  2. Sign Up for Sucuri
  3. Pay a Professional like SimDex
  4. Scan + Clean It Yourself
• 52. ADDITIONAL ARTICLES + RESOURCES (PART 1)
▸ Hardening WordPress (from WordPress.org)
▸ Hardening WordPress Security: 25 Essential Plugins + Tips (from Hongkiat)
▸ The WordPress Security Learning Center (from Wordfence)
▸ WordPress Security (from iThemes)
• 53. ADDITIONAL ARTICLES + RESOURCES (PART 2)
▸ WordPress Security (from Yoast)
▸ WordPress Security: The Ultimate Guide (from WPMU DEV)
▸ WordPress Security Tutorial (from SiteGround)
• 54. THAT’S IT FOR NOW… THANK YOU!
Questions? Get In Touch: geoff@simdex.org | simdex.org | 414.455.6675