WORDPRESS SECURITY
It's all about the Basics!!
Sucuri

# WHOIS PEREZBOX
• Name: Tony Perez
• Twitter: @perezbox
• Company: Sucuri, Inc.
• Insight: Information Technology
• Passion: Brazilian Jiu Jitsu
3/15/2014@PEREZBOX @SUCURI_SECURITY #WCATL 2
TODAY'S 5 CHALLENGES
• Knowledge / Awareness
• Administration
• Extensibility
• Credentials
• End-users
KNOWLEDGE
Check yourself before you wreck yourself
IT'S ABOUT RISK REDUCTION!!!

“The user’s going to pick dancing pigs over security every time.”
- Bruce Schneier

• Forget the “Why”
  • Why is this happening to me?
• Focus on the “How”
  • How do I protect myself?
Your risk will never be 0%
DEFENSE IN DEPTH

• Layered Defenses
“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
KNOW THE ENVIRONMENT

LAMP Stack:
• Linux
• Apache
• MySQL
• PHP

• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• .org implementations, not .com
REALISTIC ENVIRONMENT

Linux Operating System
  Apache
    WordPress | cPanel | Plesk
  MySQL
    myLittleAdmin | phpMyAdmin | etc.
  PHP
    Modules
ASK QUESTIONS…

• Host:
  • What happens if I get hacked and you detect it before I do?
  • What backup solution do you offer me?
  • What security protocols do you have in place to protect me?
• Designer / Developer:
  • Are you following all the appropriate coding best practice guidelines found in the codex?
  • Has your code ever been independently reviewed?
  • How will my website be maintained after the project completion?
  • Who will be responsible for updating my theme / plugin / core when the project is complete?
  • Are my files being backed up in the event of a catastrophe?
TODAY'S RELEVANT ATTACK VECTORS

• Access Control
  • Brute Force
• Software Vulnerabilities
  • Vulnerability Scanners
• Denial of Service (DoS)
  • Distributed / Non-Distributed
ACCESS CONTROL

Challenges:
• Access is King for attackers, and website owners make it too easy
• Facilitated through Poor Passwords
• Little Attention to Access Controls
• Applies to all entry points – email, cPanel, FTP / SFTP, etc…

Solutions:
• Two factor / Multi-Factor Authentication
• IP White Listing
• Throttling Access Attempts
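Throttling access attempts starts with being able to see them. As an added example that is not part of the original slides, the script below counts failed login POSTs to wp-login.php per client IP in an Apache combined-format access log and reports the IPs that exceed a threshold. The log lines, the IP addresses and the threshold of 5 are constructed for the demo, and the function names (`make_sample_log`, `flag_failed_logins`) are this example's own.

```shell
#!/bin/sh
# Added example (not from the original slides): spot password guessing
# against wp-login.php by counting failed login POSTs per client IP in an
# Apache "combined" access log. Log lines, IPs and threshold are constructed.

make_sample_log() {
    # Write constructed sample lines to the file named in $1.
    # 203.0.113.7 hammers the login form (6 failed POSTs); 198.51.100.20
    # mistypes once, then logs in (302) and posts a comment.
    cat > "$1" <<'EOF'
203.0.113.7 - - [15/Mar/2014:10:00:01 -0400] "GET /wp-login.php HTTP/1.1" 200 3560 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2014:10:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3611 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2014:10:00:02 -0400] "POST /wp-login.php HTTP/1.1" 200 3611 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2014:10:00:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3611 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2014:10:00:03 -0400] "POST /wp-login.php HTTP/1.1" 200 3611 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2014:10:00:04 -0400] "POST /wp-login.php HTTP/1.1" 200 3611 "-" "Mozilla/5.0"
203.0.113.7 - - [15/Mar/2014:10:00:04 -0400] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3611 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Mar/2014:10:01:10 -0400] "POST /wp-login.php HTTP/1.1" 200 3611 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Mar/2014:10:01:25 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.20 - - [15/Mar/2014:10:02:00 -0400] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF
}

flag_failed_logins() {
    # $1 = access log path, $2 = failed attempts tolerated per IP.
    # Stock WordPress answers a wrong password by re-rendering the form with
    # HTTP 200 and a correct one with a 302 redirect, so a POST to
    # wp-login.php that gets a 200 is counted as a failed attempt.
    # Combined-format fields: $1 client IP, $6 "METHOD, $7 path, $9 status.
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { fails[$1]++ }
        END {
            for (ip in fails)
                if (fails[ip] > limit) print ip, fails[ip]
        }' "$1" | sort -k2,2nr
}

# Demo run on the constructed log; prints: 203.0.113.7 6
LOG_FILE=$(mktemp)
make_sample_log "$LOG_FILE"
flag_failed_logins "$LOG_FILE" 5
rm -f "$LOG_FILE"
```

Point it at a real `access_log` and pick a threshold that fits normal traffic; the flagged addresses are the input for the whitelisting and throttling the slide recommends, not a block list by themselves. Behind a CDN or reverse proxy the first field is the proxy's address, so the log format has to carry the real client IP before this count means anything.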
SOFTWARE VULNERABILITIES

Challenges:
• Very difficult for non-technical people
• Users refuse to update; some cannot
• Soup Kitchen Servers
• Too many attackers with too much time
• Zero Days

Solutions:
• Website Firewall – SaaS based
• Stay current with the latest vulnerability releases
• Apply updates to the entire stack when available
• Keep only what you need on the server (production)
DENIAL OF SERVICE VS BRUTE FORCE

• Educational Post: http://blog.sucuri.net/2014/03/understanding-denial-of-service-and-brute-force-attacks-wordpress-joomla-drupal-vbulletin.html
• Differentiating Factor = Intent
  • Disruption of Services vs Gaining Access
• Both important in their own right

Headlines:
“Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute”
“More than 162,000 WordPress Sites Used for Distributed Denial of Service Attack (DDOS)”
CONNECTING

• If you don't need it, disable it
  • SFTP / SSH is preferred
  • FTP works fine – disable it if you're not using it; don't talk to me if you are
  • FTP/SFTP != WP-ADMIN
• Least Privileged
  • You don't have to log in to FTP / SFTP with full root access
  • Everyone doesn't need to be an admin
  • You don't need to log in as admin
  • The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?
THE PASSWORD GAME

ATTACK TYPE

Opportunistic:
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think “TimThumb”

Targeted:
• Big enterprises with large followings
• Big Name
• Worth investing time and energy to compromise; bigger return
BRAND REPUTATION

• Blacklisting
• Dirty Search Engine Result Pages (SERP)
THE HOW
Nothing fancy here.. The facts

“Own one, Own them All”

TOP SECURITY ISSUES TODAY
• Backdoors
• Injections
• Pharma Hack
• SEO SPAM
• Malicious Redirects
• Defacements
• Form Abuse
• SPAM Emails
• Compromised web servers
THINGS YOU CAN DO TO REDUCE RISK

The Bare Minimum:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – Yes, Macs need one
7. Verify your permissions - D 755 | F 644
8. Least Privileged
9. Kill generic accounts - Accountability
10. Backup your site – yes, Database too

Ideal implementations:
1. Employ Website Firewall
2. Don't let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers
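Several of the bare-minimum items can be verified from the filesystem alone. The shell audit below is an added example, not the author's setup and not part of the slides: it reports directories that are not 755 and files that are not 644, a wp-config.php that does not switch the editor off with DISALLOW_FILE_EDIT, and authentication keys and salts that still hold the installer's placeholder text. The constant names are WordPress's own; the sample site it builds, its paths and the function names (`audit_permissions`, `audit_wp_config`, `audit_wordpress`, `make_sample_site`) are constructed for this demo.

```shell
#!/bin/sh
# Added example (not from the original slides): read-only audit of the
# bare-minimum items that can be verified on disk. WP_SALT_KEYS lists the
# real wp-config.php constants; the sample site, its paths and the function
# names are constructed for this demo.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

audit_permissions() {
    # $1 = WordPress root. One line per path deviating from D 755 / F 644.
    # wp-config.php is skipped here (a tighter mode on it is fine); its
    # writability is checked in audit_wp_config instead.
    find "$1" -type d ! -perm 755 | sed 's/^/perm: directory is not 755: /'
    find "$1" -type f ! -perm 644 ! -name wp-config.php | sed 's/^/perm: file is not 644: /'
    return 0
}

audit_wp_config() {
    # $1 = WordPress root. One line per finding in wp-config.php.
    cfg="$1/wp-config.php"
    if [ ! -f "$cfg" ]; then echo "config: $cfg is missing"; return 0; fi
    if [ -n "$(find "$cfg" \( -perm -020 -o -perm -002 \))" ]; then
        echo "config: wp-config.php is group- or world-writable"
    fi
    # The admin theme/plugin editor must be switched off.
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg" \
        || echo "config: DISALLOW_FILE_EDIT is not set to true"
    # Every key/salt must exist and must not be the installer placeholder.
    for key in $WP_SALT_KEYS; do
        line=$(grep -E "define[[:space:]]*\([[:space:]]*['\"]$key['\"]" "$cfg" || true)
        if [ -z "$line" ]; then
            echo "config: $key is not defined"
        elif printf '%s\n' "$line" | grep -q 'put your unique phrase here'; then
            echo "config: $key still holds the installer placeholder"
        fi
    done
    return 0
}

audit_wordpress() {
    # Run both checks; prints nothing when the install is clean.
    audit_permissions "$1"
    audit_wp_config "$1"
}

make_sample_site() {
    # Build a constructed, deliberately sloppy install under $1.
    mkdir -p "$1/wp-content/uploads" "$1/wp-includes"
    chmod 755 "$1" "$1/wp-content" "$1/wp-includes"
    chmod 777 "$1/wp-content/uploads"        # finding: directory is not 755
    printf '<?php\n' > "$1/index.php"
    chmod 666 "$1/index.php"                 # finding: file is not 644
    printf '<?php\n' > "$1/wp-includes/version.php"
    chmod 644 "$1/wp-includes/version.php"   # fine
    {
        printf '<?php\n'
        for key in $WP_SALT_KEYS; do         # findings: 8 placeholders...
            printf "define('%s', 'put your unique phrase here');\n" "$key"
        done
    } > "$1/wp-config.php"                   # ...and no DISALLOW_FILE_EDIT
    chmod 640 "$1/wp-config.php"
}

# Demo: audit the constructed site (prints 11 findings), then discard it.
SITE=$(mktemp -d)
make_sample_site "$SITE"
audit_wordpress "$SITE"
rm -rf "$SITE"
```

Run `audit_wordpress /path/to/wordpress` against a real install; an empty result means the checked items are in order. The audit is deliberately read-only so it can be scheduled and its output compared over time, which turns "verify your permissions" into something that is noticed when it changes rather than only at install time.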
KILL PHP EXECUTION

• The idea is not to let them execute any PHP files. You do so by adding this to an .htaccess file in the directory of choice. Recommendation:
  • wp-includes
  • uploads

```apache
#PROTECT [Directory Name]
<Files *.php>
Deny from all
</Files>
```
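As an added example (not the slide's snippet and not WordPress's code), the script below installs that rule into a directory's .htaccess in a form that works on both Apache 2.2 (`Order`/`Deny`) and Apache 2.4 (`Require`), appends to rather than overwrites an existing .htaccess, and is safe to run again. The marker comment, the FilesMatch pattern and the function names (`php_block_fragment`, `install_php_block`, `php_block_installed`) are this example's own choices.

```shell
#!/bin/sh
# Added example (not from the original slides): write the "no PHP here"
# rule into a directory's .htaccess without clobbering rules already there,
# carrying both the Apache 2.2 and Apache 2.4 forms so one file suits either.
# Marker comment, pattern and function names are this example's choices.

PHP_BLOCK_MARKER="# PROTECT: block direct PHP execution in this directory"

php_block_fragment() {
    # Print the fragment. FilesMatch also covers .phtml and .php5-style
    # names, which some hosts hand to the PHP handler as well.
    # mod_authz_core only exists in Apache 2.4, so its presence selects the
    # Require syntax; its absence falls back to the 2.2 Order/Deny syntax.
    printf '%s\n' "$PHP_BLOCK_MARKER"
    cat <<'EOF'
<FilesMatch "\.(php|phtml|php[3-7])$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order Deny,Allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

install_php_block() {
    # $1 = directory to protect (e.g. wp-includes or wp-content/uploads).
    # Appends the fragment once; a second call leaves the file untouched.
    target="$1/.htaccess"
    if [ -f "$target" ] && grep -qF "$PHP_BLOCK_MARKER" "$target"; then
        echo "already present: $target"
        return 0
    fi
    php_block_fragment >> "$target"
    echo "installed: $target"
}

php_block_installed() {
    # Exit 0 when $1/.htaccess carries the fragment, non-zero otherwise.
    t="$1/.htaccess"
    [ -f "$t" ] && grep -qF "$PHP_BLOCK_MARKER" "$t" && grep -q 'Require all denied' "$t"
}

# Demo: protect a constructed uploads directory that already has a rule.
DEMO=$(mktemp -d)
mkdir -p "$DEMO/uploads"
printf 'Options -Indexes\n' > "$DEMO/uploads/.htaccess"   # must survive
install_php_block "$DEMO/uploads"      # installed: .../uploads/.htaccess
install_php_block "$DEMO/uploads"      # already present: ...
cat "$DEMO/uploads/.htaccess"
rm -rf "$DEMO"
```

The rule only takes effect where Apache reads .htaccess files (AllowOverride has to permit it) and PHP is served through Apache; nginx ignores .htaccess entirely, so there the equivalent goes into the server configuration. Check the site after protecting wp-includes: on a multisite install ms-files.php under that directory still has to run, so that case needs an exception rather than a blanket deny.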
DISABLE PLUGIN/THEME EDITOR

• Add to wp-config.php – if a user is compromised, they won't be able to add anything to the core theme or plugin files through the admin editor.

```php
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
```
SECURITY CONFIGURATIONS

My Setup:
• Detection – Monitoring / Remediation
• Protection – Website Firewall
• Auditing – Sucuri Premium Plugin
• BackupBuddy
Read about how I set things up here: http://wpengine.com/2013/04/24/how-tony-perez-of-sucuri-sets-up-his-own-security/

Alternatives:
• Limit Login Attempts
• BackupBuddy
• Akismet
• Better WP Security
• WP Security Audit Log
• Google Authenticator
• WordFence
IMPORTANT SERVICES (PAID)

• Managed Hosting
  • WPEngine - http://wpengine.com/
  • Page.ly - http://page.ly/
  • WebSynthesis - http://websynthesis.com/
• Maintenance Services
  • Maintainn - http://maintainn.com/
• Security
  • Sucuri – http://sucuri.net
KNOW WHERE TO GO

Support Forums:
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org

Online Resources:
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
• WordPress Hardening: http://codex.wordpress.org/Hardening_WordPress
BLACKLIST SOURCES

• Google
  • Search Engine Results Page (SERP)
  • http://www.google.com/webmaster/tools
  • http://www.google.com/safebrowsing/diagnostic?site=[your site]
• Bing
  • Internet Explorer | Yahoo
  • http://www.bing.com/toolbox/webmaster/
• Norton
  • SafeWeb Browsing | Facebook
  • http://safeweb.norton.com/
• AVG
  • Opera
  • http://www.avgthreatlabs.com/sitereports/
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net
http://perezbox.com | @perezbox

 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .Alan Dix
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 

Recently uploaded (20)

Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
How to write a Business Continuity Plan
How to write a Business Continuity PlanHow to write a Business Continuity Plan
How to write a Business Continuity Plan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .From Family Reminiscence to Scholarly Archive .
From Family Reminiscence to Scholarly Archive .
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 

WordPress Security Basics and Challenges

ASK QUESTIONS…
• Host:
  • What happens if I get hacked and you detect it before I do?
  • What backup solution do you offer me?
  • What security protocols do you have in place to protect me?
• Designer / Developer:
  • Are you following all the appropriate coding best-practice guidelines found in the Codex?
  • Has your code ever been independently reviewed?
  • How will my website be maintained after the project is complete?
  • Who will be responsible for updating my theme / plugin / core when the project is complete?
  • Are my files being backed up in the event of a catastrophe?

TODAY'S RELEVANT ATTACK VECTORS
• Access Control
  • Brute Force
• Software Vulnerabilities
  • Vulnerability Scanners
• Denial of Service (DoS)
  • Distributed / Non-Distributed

ACCESS CONTROL
Challenges:
• Access is king for attackers, and website owners make it too easy
• Facilitated through poor passwords
• Little attention to access controls
• Applies to all entry points – email, cPanel, FTP / SFTP, etc.
Solutions:
• Two-factor / multi-factor authentication
• IP whitelisting
• Throttling access attempts

SOFTWARE VULNERABILITIES
Challenges:
• Very difficult for non-technical people
• Users refuse to update; some cannot
• Soup kitchen servers
• Too many attackers with too much time
• Zero days
Solutions:
• Website firewall – SaaS based
• Stay current with the latest vulnerability releases
• Apply updates to the entire stack when available
• Keep only what you need on the (production) server

DENIAL OF SERVICE VS BRUTE FORCE
• Educational post: http://blog.sucuri.net/2014/03/understanding-denial-of-service-and-brute-force-attacks-wordpress-joomla-drupal-vbulletin.html
• Differentiating factor = intent
  • Disruption of services vs gaining access
• Both important in their own right
• Headlines shown: "Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute" and "More than 162,000 WordPress Sites Used for Distributed Denial of Service Attack (DDOS)"
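The brute-force side of that distinction is the one a site owner can see in their own logs, which is also where the "monitor all activity" and "throttle access attempts" advice starts. The following is an added example, not code from the talk or from Sucuri: a POSIX shell function that reads an Apache combined-format access log and reports every client IP that POSTed to wp-login.php or xmlrpc.php at least N times within one minute. The log lines are constructed for the demo, and the default threshold of 10 per minute is an assumption to tune against your own traffic.

```shell
# Added example, not code from the talk: find brute-force bursts against
# wp-login.php and xmlrpc.php in an Apache combined-format access log by
# counting POSTs per client IP per minute. The sample log below is
# constructed for the demo and the threshold of 10 per minute is an
# assumption; tune it to your own traffic.
# Usage: write_sample_log /tmp/access.log; wp_login_bursts /tmp/access.log 10

# Print "IP minute count" for every IP/minute pair at or above the threshold,
# busiest first.
wp_login_bursts() {
    log=$1
    limit=${2:-10}
    # Combined log fields: $1 client IP, $4 "[day/Mon/year:HH:MM:SS",
    # $6 "\"POST", $7 request path. xmlrpc.php is counted as well: a single
    # POST there can carry many credential guesses via system.multicall.
    awk -v limit="$limit" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ {
            minute = substr($4, 2, 17)   # [15/Mar/2014:10:00:01 -> 15/Mar/2014:10:00
            hits[$1 " " minute]++
        }
        END { for (k in hits) if (hits[k] >= limit) print k, hits[k] }
    ' "$log" | sort -k3,3nr
}

# Constructed sample: one IP hammering the login form, one legitimate editor
# loading the form and logging in once, and one xmlrpc.php POST from a third
# address.
write_sample_log() {
    {
        i=0
        while [ "$i" -lt 12 ]; do
            printf '203.0.113.7 - - [15/Mar/2014:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 3974 "-" "Mozilla/5.0"\n' "$i"
            i=$((i + 1))
        done
        printf '198.51.100.4 - - [15/Mar/2014:10:00:30 +0000] "GET /wp-login.php HTTP/1.1" 200 3974 "-" "Mozilla/5.0"\n'
        printf '198.51.100.4 - - [15/Mar/2014:10:00:35 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
        printf '203.0.113.9 - - [15/Mar/2014:10:01:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "-"\n'
    } > "$1"
}
```

Run against the sample, the only line printed is the 203.0.113.7 burst with 12 hits in the 10:00 minute; the editor's single POST and the lone xmlrpc.php request stay below the threshold. Feed the addresses it prints to whatever does the blocking for you (a host firewall, the web server's deny list, or the website firewall from the next slide). A distributed attack spreads the guesses over many addresses so that no single one crosses the line, which is why throttling at the edge, before the request reaches PHP, beats counting after the fact.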
CONNECTING
• If you don't need it, disable it
  • SFTP / SSH is preferred
  • FTP works fine – disable it if you're not using it; don't talk to me if you are
  • FTP / SFTP != WP-ADMIN
• Least privilege
  • You don't have to log in to FTP / SFTP with full root access
  • Everyone doesn't need to be an admin
  • You don't need to log in as admin
  • The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?

THE PASSWORD GAME

ATTACK TYPE
Targeted:
• Big enterprises with large followings
• Big name
• Worth investing time and energy to compromise; bigger return
Opportunistic:
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think "TimThumb"

BRAND REPUTATION
• Blacklisting
• Dirty Search Engine Result Pages (SERP)

THE HOW
Nothing fancy here… the facts
"Own one, own them all"

TOP SECURITY ISSUES TODAY
• Backdoors
• Injections
• Pharma hack
• SEO spam
• Malicious redirects
• Defacements
• Form abuse
• Spam emails
• Compromised web servers

THINGS YOU CAN DO TO REDUCE RISK
The bare minimum:
1. Kill PHP execution
2. Disable theme / plugin editing via admin
3. Connect securely – SFTP / SSH
4. Use authentication keys in wp-config
5. Use trusted sources
6. Use a local antivirus – yes, Macs need one
7. Verify your permissions – directories 755, files 644
8. Least privilege
9. Kill generic accounts – accountability
10. Back up your site – yes, the database too
Ideal implementations:
1. Employ a website firewall
2. Don't let WordPress write to itself
3. Filter access by IP
4. Use a dedicated server / VPS
5. Monitor all activity (logging)
6. Enable SSL for transactions
7. Keep the environment current (patched)
8. No soup kitchen servers

KILL PHP EXECUTION
• The idea is not to let them execute any PHP files. You do so by adding this to an .htaccess file in the directory of choice.
• Recommendation:
  • WP-INCLUDES
  • UPLOADS

    # PROTECT [Directory Name]
    <Files *.php>
    Deny from all
    </Files>

• Caveats: this stops Apache from serving those files to a browser; it does not stop PHP that is already running (a vulnerable plugin, say) from including them. "Deny from all" is Apache 2.2 syntax and on Apache 2.4 only works with mod_access_compat loaded; the native 2.4 form is "Require all denied". <Files *.php> matches only names ending in .php, so if your PHP handler also runs .phtml or .php5 files, widen the match with <FilesMatch>. Test the admin editor after adding this under wp-includes, since some WordPress releases serve scripts from PHP files under wp-includes/js/tinymce.

DISABLE PLUGIN/THEME EDITOR
• Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files. Put the line above the require of wp-settings.php (the "That's all, stop editing!" marker); constants defined after it are ignored.

    # Disable Plugin / Theme Editor
    define('DISALLOW_FILE_EDIT', true);
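Most of the "bare minimum" list can be checked from a shell on the server rather than by eye. The following is an added example, not code from the talk or from Sucuri: a POSIX sh audit of a WordPress document root that reports PHP files under uploads, directories that are not 755 and files that are not 644, world-writable paths, a wp-config.php without DISALLOW_FILE_EDIT, and the two directories that should carry the PHP-blocking .htaccess but don't. The paths and the 755/644 baseline are the talk's; keeping wp-config.php unreadable by "other" is this example's own assumption.

```shell
# Added example, not code from the talk: a POSIX sh audit of a WordPress
# document root against the "bare minimum" items above: PHP files under
# uploads (kill PHP execution), directories 755 / files 644, world-writable
# paths, DISALLOW_FILE_EDIT in wp-config.php, and an .htaccess that blocks
# PHP in wp-content/uploads and wp-includes. Keeping wp-config.php unreadable
# by "other" is this example's own assumption, not the talk's.
# Usage: wp_audit /var/www/html   -> prints one "tag: path" line per finding

wp_audit() {
    root=${1%/}

    # 1. PHP under uploads: the directory a dropped web shell usually lands in.
    find "$root/wp-content/uploads" -type f \
        \( -name '*.php' -o -name '*.phtml' -o -name '*.php[0-9]' \) 2>/dev/null |
        sed 's/^/php-in-uploads: /'

    # 2. Directories that are not 755 and files that are not 644
    #    (wp-config.php is held to a tighter rule below).
    find "$root" -type d ! -perm 755 2>/dev/null | sed 's/^/dir-not-755: /'
    find "$root" -type f ! -perm 644 ! -name wp-config.php 2>/dev/null |
        sed 's/^/file-not-644: /'

    # 3. Anything world-writable lets a neighbouring account on a shared
    #    ("soup kitchen") server plant files in your site.
    find "$root" -perm -002 2>/dev/null | sed 's/^/world-writable: /'

    # 4. wp-config.php holds the DB credentials and the salts. -perm -004
    #    matches "readable by other" (assumption beyond the slide's 644).
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" -perm -004 | sed 's/^/wp-config-world-readable: /'
    fi

    # 5. The in-admin editor must be off: define('DISALLOW_FILE_EDIT', true).
    if ! grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" \
            "$root/wp-config.php" 2>/dev/null; then
        echo "file-edit-enabled: $root/wp-config.php"
    fi

    # 6. Directories that should never serve PHP need an .htaccess that
    #    mentions php (the <Files *.php> block from the previous slide).
    for d in "$root/wp-content/uploads" "$root/wp-includes"; do
        if ! grep -qi 'php' "$d/.htaccess" 2>/dev/null; then
            echo "php-not-blocked: $d"
        fi
    done
}
```

Run it before and after hardening: a clean install prints nothing, and each line it does print names the exact path to fix. The checks use only POSIX find, grep and sed so the same function works on the stripped-down shells that cheap shared hosts provide.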
SECURITY CONFIGURATIONS
My setup:
• Detection – monitoring / remediation
• Protection – website firewall
• Auditing – Sucuri Premium plugin
• BackupBuddy
• Read about how I set things up here: http://wpengine.com/2013/04/24/how-tony-perez-of-sucuri-sets-up-his-own-security/
Alternatives:
• Limit Login Attempts
• BackupBuddy
• Akismet
• Better WP Security
• WP Security Audit Log
• Google Authenticator
• WordFence

IMPORTANT SERVICES (PAID)
• Managed hosting
  • WPEngine – http://wpengine.com/
  • Page.ly – http://page.ly/
  • WebSynthesis – http://websynthesis.com/
• Maintenance services
  • Maintainn – http://maintainn.com/
• Security
  • Sucuri – http://sucuri.net

KNOW WHERE TO GO
Online resources:
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
• WordPress Hardening: http://codex.wordpress.org/Hardening_WordPress
Support forums:
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org

BLACKLIST SOURCES
• Google (Search Engine Results Page (SERP))
  • http://www.google.com/webmaster/tools
  • http://www.google.com/safebrowsing/diagnostic?site=[your site]
• Bing (Internet Explorer | Yahoo)
  • http://www.bing.com/toolbox/webmaster/
• Norton (SafeWeb Browsing | Facebook)
  • http://safeweb.norton.com/
• AVG (Opera)
  • http://www.avgthreatlabs.com/sitereports/

Sucuri, Inc. – Tony Perez
http://sucuri.net | http://blog.sucuri.net | http://perezbox.com | @perezbox

Editor's Notes

1. As humans we like to focus too much on the "Why me? Why would they do this? Why my site?" but the reality is that we rarely do what we have to from the get-go. How many of those same people asking the "Why" spent the time asking the "How" before they got a website? I know I didn't… By "How" I mean, how do I protect myself? This, of course, is no fault of yours as website owners. It just hasn't been instilled in our brains yet. When you buy a car, before you get off the lot the salesperson is telling you about insurance and things like GAP. When you buy a computer, they come with built-in antivirus, offering 6 months free and making it difficult for you to get rid of later. The reality is, these are very annoying, pesky examples, but they put it in our minds. We need insurance. We need an antivirus. Can we say the same for when we are building a website or when we're requesting it? Can we say that we're asking our developers and maintainers the right questions?