Keeping Your WordPress Safe

Carl Alexander
February 26, 2015


The Montréal WordPress community held an event on WordPress security. The event had a talk followed by a "show and tell" segment. This is the talk that was given.

It's an important topic for everyone, not just for WordPress experts.

The goal of the talk was to give everyone an overview of WordPress security. That includes basic concepts and some recommendations. The recommendations themselves target WordPress users of all skill levels. If you're an advanced WordPress user, you might not learn as much.

You can read the companion article at: http://carlalexander.ca/keeping-your-wordpress-safe/


Transcript

  1. KEEPING YOUR WORDPRESS SAFE

  2. Carl Alexander

  3. @twigpress

  4. carlalexander.ca

  6. Concepts

  7. Attack Types

  8. Generalized

  9. Generalized attacks are

  10. Generalized attacks are OPPORTUNISTIC

  11. Generalized attacks are AUTOMATED

  12. Generalized attacks are “OMG I GOT HACKED”

  13. Targeted

  14. Do you have…

  15. Do you have… a large site?

  16. Do you have… a lot of traffic?

  17. Do you have… someone you pissed off!?

  18. Of course not! You’re a nice person.

  19. You’re safe then. (sweet!)

  20. Vectors

  21. Vulnerable Software

  22. Vulnerable ≠ Out-of-date

  23. What makes out-of-date software vulnerable?

  24. It’s also where you get your software

  25. Compromised Credentials

  26. Fact:

  27. Fact: Most of us hate passwords

  28. Assume your credentials are out there

  29. It’s your WordPress credentials

  30. It’s your FTP credentials

  31. It’s your database credentials

  32. It’s your cPanel credentials

  33. It’s your [insert service here] credentials

  34. Contaminated Servers

  35. It’s not just WordPress

  36. Servers also get infected (shit!)

  37. Say hello to cross-contamination

  38. Say goodbye to your security precautions

  39. It’s a #@!*$ to clean up

  40. Infections

  41. Backdoors

  42. Gives access to your site

  43. Doesn’t do damage

  44. Used to do damage

  45. Injections

  46. Like unwanted content?

  47. Here are some unwanted links

  48. Here are some unwanted iFrames

  49. Here are some unwanted SEO spam campaigns

  50. Here are some unwanted redirects

  51. Here are some unwanted malicious scripts

  52. It’s all for the $$$

  53. Disfigurement

  54. Your site for bengal kitten enthusiasts

  55. becomes a site for PETA activists

  56. About sending a message

  57. Concepts ~ recap ~

  58. Attack Types / Vectors / Infections

  59. Questions?

  60. Recommendations

  61. Configuration

  62. Don’t use defaults

  63. Story time!

  64. Don’t use “admin”

  65. Don’t use “wp_” prefix

  66. Strong (unique) passwords

  67. The dead horse of security

  68. A strong password has more than 12 characters

  69. A strong password has upper- and lower-case characters

  70. A strong password has special characters

  71. A strong password has numerical characters

  72. You could use a passphrase

  73. Instead invest in a password manager

  74. Always make two accounts

  75. Principle of least privilege

  76. You’re publishing content

  77. Not installing plugins

  78. Get off that administrator account!

  79. Disable file editing

  80. “God mode” capability

  81. You shouldn’t edit files

  82. Don’t let attackers either

  83. Maintenance

  84. Use trusted sources

  85. Like candy from strangers

  86. Don’t trust them

  87. Stay with known sources

  88. That means WordPress.org

  89. That means ThemeForest

  90. That means CodeCanyon

  91. Keep everything up to date

  92. Another dead horse!

  93. Easy targets for attackers

  94. Stay off their radar

  95. Maintain regular backups

  96. Doesn’t improve security

  97. Minimizes damage

  98. Repair things in no time

  99. Remove unused themes / plugins

  100. You try… and forget

  101. Just remove them

  102. Keep only what you use

  103. Hosting

  104. Avoid shared servers

  105. Breeding ground for cross-contamination

  106. Pray for your security

  107. Near impossible clean up

  108. One install per server

  109. Taking it one step further

  110. “But I want multiple sites”

  111. Use multisite like “.com”

  112. Use SSL encryption

  113. Almost mandatory

  114. Makes everyone safer

  115. Scared? Use CloudFlare

  116. Recommendations ~ recap ~

  117. Configuration / Maintenance / Hosting

  118. Questions?

  119. @twigpress Thank You!
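Slides 62 to 82 and 112 turn into a handful of settings in wp-config.php: a table prefix other than the default `wp_`, `DISALLOW_FILE_EDIT` to remove the built-in file editor ("god mode"), and `FORCE_SSL_ADMIN` to keep login and admin traffic on HTTPS. The following audit script is an added example, not from the talk or the companion article; the two wp-config.php fragments it checks are constructed here (the `k7x_` prefix is an arbitrary sample value), and the parser only understands the simple `define(...)` and `$table_prefix` forms shown.

```python
import re

# Constructed sample fragments of wp-config.php (not real site configs).
# WEAK_CONFIG keeps the defaults the talk warns about; HARDENED_CONFIG applies the slides.
WEAK_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
define('WP_DEBUG', false);
"""

HARDENED_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'k7x_';                 // unique prefix instead of the default wp_
define('DISALLOW_FILE_EDIT', true);     // removes the theme/plugin editor from wp-admin
define('FORCE_SSL_ADMIN', true);        // login and admin sessions stay on HTTPS
define('WP_DEBUG', false);
"""

# define('NAME', true|false|'string') -- enough for the settings audited here
DEFINE_RE = re.compile(
    r"""define\(\s*['"]([A-Za-z_]+)['"]\s*,\s*(true|false|['"][^'"]*['"])\s*\)""", re.I)
PREFIX_RE = re.compile(r"""\$table_prefix\s*=\s*['"]([^'"]*)['"]""")


def parse_config(text):
    """Return (constants dict, table prefix or None) parsed from a wp-config.php string."""
    defines = {}
    for name, raw in DEFINE_RE.findall(text):
        low = raw.lower()
        value = True if low == "true" else False if low == "false" else raw.strip("'\"")
        defines[name.upper()] = value
    match = PREFIX_RE.search(text)
    return defines, (match.group(1) if match else None)


def audit_wp_config(text):
    """List the configuration findings from the talk that still apply to this config."""
    defines, prefix = parse_config(text)
    findings = []
    if prefix is None or prefix == "wp_":
        findings.append("table prefix is missing or the default 'wp_'; choose a unique prefix")
    if defines.get("DISALLOW_FILE_EDIT") is not True:
        findings.append("DISALLOW_FILE_EDIT is not true; the built-in file editor stays enabled")
    if defines.get("FORCE_SSL_ADMIN") is not True:
        findings.append("FORCE_SSL_ADMIN is not true; admin and login traffic may use plain HTTP")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_wp_config(cfg) or ["no findings"])
```

The "admin" username and per-user roles from slides 64 and 74 to 78 live in the database, not in wp-config.php, so this script cannot check them.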