WordPress Security

WordPress Security 101 - WordCamp Cincinnati (or, how to avoid having a really bad day)

michaelcremean
November 11, 2017

Transcript

  1. http://quadshot.com [email protected] @quadshotdev
     WordPress Security 101 (or, how to avoid having a really, really, REALLY bad day)
     Michael Cremean, Founder & CEO, Quadshot Digital; Founder and Co-Host, Las Vegas WooCommerce Meetup
     WordCamp Cincinnati 2017
  2. About Quadshot Digital
     • WordPress & WooCommerce Developers
     • Since 2009 deployed 100+ client projects
     • Our customers serve over a Billion pageviews a month
     • We <3 LAMP and AWS
     • Michael founded and co-hosts the Las Vegas WooCommerce Meetup
     • Our devs contribute to WP, WC and plugin code
     • We've built many WP and WC plugins
     • We support EFF https://eff.org. And you should too!
     • We also advocate https://letsencrypt.org - Free SSL Certs! Win...
  3. About Michael Cremean
     • Founded Quadshot in 2009 in Las Vegas
     • Previous 17 years as Director/CTO, worked on major worldwide projects
     • Several awards & 6 patents
     • Loves working with Nonprofits
     • Has super cute dogs (Maggie and Sally are customer service)
     • Loves WordPress, WooCommerce and Coffee (Company named for his favorite coffee drink)
     • Musician (Drummer, Guitar, Bass)
     Did you say 'treat'?
  4. Security - Am I a target?
     Why do I need security? Is someone trying to hack me? YES! They might not succeed, but every website has been targeted at one time. Maybe right now!
     Real hackers wear suits and balaclavas. Posers.
  5. Security Ecosystem
     Today we're focused on WordPress websites, but there is more to security than just the website.
     • FIREWALL - 1st line of defence
       ◦ Only open ports you need (ex. 80, 443, 22)
       ◦ Avoid FTP, limit ssh by IPs
     • SERVER - 2nd line
       ◦ fail2ban and iptables preventing brute force before it even hits your app level http://www.fail2ban.org/
       ◦ cPHulk (if you use cPanel - more brute force protection)
       ◦ File permissions - 0400 (except uploads, etc)
     • WEBSITE - 3rd line
       ◦ Security Plugins - iThemes Security, Wordfence
       ◦ HTTPS All - Free Certificate from letsencrypt.org
     Diagram: The Internet (aka Hackerspace) → hw firewall → Server → Application (WordPress + Plugins)
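The "2nd line" item above says fail2ban should stop brute force before it reaches the application. The following is an added example, not part of the talk and not the fail2ban project's own filter, that shows the logic a WordPress jail runs: read the web server's access log, treat a POST to wp-login.php answered with HTTP 200 as a failed login (WordPress re-renders the form with an error on a bad password and answers 302 on success), and ban an IP that fails maxretry times inside a findtime-second window. The log lines are constructed in combined log format with documentation-range IPs; the 200/302 assumption holds for stock WordPress but a login plugin that changes the response would need a different filter.

```python
"""fail2ban-style detection of wp-login.php brute force from access-log lines.

Added example, not from the talk and not the fail2ban project's own filter.
A failed WordPress login is a POST to wp-login.php answered with HTTP 200;
a successful one is answered with 302. An IP with >= maxretry failures inside
findtime seconds is banned. Log lines below are constructed.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Combined log format as written by Apache/Nginx: ip ident user [ts] "req" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: a fast attacker (203.0.113.7), a legitimate user who
# mistypes once then logs in (198.51.100.20), and a slow attacker (203.0.113.9).
SAMPLE_LOG = """\
203.0.113.7 - - [11/Nov/2017:10:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
198.51.100.20 - - [11/Nov/2017:10:00:02 -0500] "GET /wp-login.php HTTP/1.1" 200 2876 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2017:10:00:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
203.0.113.7 - - [11/Nov/2017:10:00:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
198.51.100.20 - - [11/Nov/2017:10:00:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.7 - - [11/Nov/2017:10:00:07 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
203.0.113.7 - - [11/Nov/2017:10:00:09 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "python-requests/2.18"
198.51.100.20 - - [11/Nov/2017:10:00:15 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.9 - - [11/Nov/2017:10:05:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.55"
203.0.113.9 - - [11/Nov/2017:10:20:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.55"
203.0.113.9 - - [11/Nov/2017:10:35:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.55"
203.0.113.9 - - [11/Nov/2017:10:50:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.55"
203.0.113.9 - - [11/Nov/2017:11:05:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "curl/7.55"
"""


def is_failed_login(m):
    """True for a POST to wp-login.php that came back 200 (form re-rendered with an error)."""
    return (m["method"] == "POST"
            and m["path"].split("?")[0].endswith("/wp-login.php")
            and m["status"] == "200")


def find_bans(lines, maxretry=5, findtime=600):
    """Return {ip: datetime of ban} for IPs with >= maxretry failures within findtime seconds."""
    window = defaultdict(deque)          # ip -> timestamps of recent failures
    bans = {}
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not is_failed_login(m):
            continue
        ip = m["ip"]
        if ip in bans:
            continue                      # already banned; fail2ban would have dropped it
        ts = datetime.strptime(m["ts"], TS_FMT)
        q = window[ip]
        q.append(ts)
        while (ts - q[0]).total_seconds() > findtime:
            q.popleft()                   # slide the window: old failures no longer count
        if len(q) >= maxretry:
            bans[ip] = ts
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} at {when:%H:%M:%S}")
```

With the default maxretry=5 and findtime=600 only the fast attacker is banned, at its fifth failure; the slow attacker spaces its attempts 15 minutes apart and never accumulates five in a window, which is exactly the gap a longer findtime (or a second jail with a wider window) is meant to close. In a real deployment fail2ban's action then inserts the iptables rule, which is the "before it hits your app level" part of the slide.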
  6. Why do people hack websites?
     There are many reasons, but they group into 3 categories:
     • Stealing
       ◦ User Information (ex. Names, Emails, Passwords, etc)
       ◦ Credit Card info
     • Hijacking your website
       ◦ Use your server as a remailer
       ◦ Use your server as part of a Zombie Net
     • For fun
       ◦ Because I can. Sometimes defacing.
     New Home Page!!!
  7. How do WP sites get hacked?
     According to WP Template:
     • 41% get hacked through vulnerabilities in their hosting platform
     • 29% by means of an insecure theme
     • 22% via a vulnerable plugin
     • 8% because of weak passwords
     Article: https://goo.gl/iMecwH
     Make sure to leave a post-it to make social engineering hacks easier!
  8. How real is the hacking trend?
     REAL and happening NOW. Here's a real screenshot from a customer.
     Who tried? China, Russia, Pakistan, Qatar, United Arab Emirates, Nigeria
  9. Security Basics - Go to the PUB
     To protect yourself, think simple:
     1. Prevent - Reduce ways people can attack you
     2. Update - Regular maintenance to keep code up-to-date
     3. Backup - Have offsite backups and a recovery plan
     This is simple, and you just need information and tools.
  10. Security Overview - Why take the time & effort to Secure
      • WordPress is awesome. It's very popular, so it is a popular target.
      • Yes, Security and Convenience are opposed. Security isn't convenient, but much can be automated.
      • Hackers are generally lazy. Generally, they go after easy targets. Don't be an easy target.
      • Mostly, because getting hacked SUCKS.
      • A little knowledge and a little effort can go a long way
  11. Simple WordPress Security Steps
      1. Install Security Plugins
         a. The Pro Versions are demonstrated
         b. Both iThemes Security and Wordfence have free versions
      2. Updates
         a. Either Auto-update (plugin can help)
         b. Manually update on schedule
      3. Backups
         a. UpdraftPlus (Recommended), BackupBuddy, other offsite methods
      4. Secure Site with HTTPS
         a. Free SSL Certs from LetsEncrypt
  12. Security Basics - Passwords
      • Enforce Strong Passwords
      • Use Unique Passwords on every website
        ◦ Why? Keyloggers, Phishing and Social Engineering
        ◦ People often use the same password everywhere = easy hack
        ◦ Use a password manager and use unique passwords on each site. Ex. 1Password
      2016 Top 25 Worst Passwords. Source: SplashData
  13. Security Basics - Update your Stuff
      • Update WordPress, Themes, Plugins often
        ◦ Pay attention to updates that say Security Update
        ◦ Update on Stage before Live
        ◦ Try not to update Live
        ◦ If you can, don't update Live websites
        ◦ Updating Live websites is dangerous
        ◦ Hey, you might not want to update Live websites
        ◦ Did I mention… could break your site updating live
      • Keep your code in a repository with a known good version
        ◦ Git or SVN are your friends
      Totally secure, SIR!
  14. Security Basics - Backups
      • Backup Offsite
        ◦ Why? If you get hacked, and your backups are on your server, your backups could be exploited.
      • Test your Recovery Process
      • We use UpdraftPlus Pro
      Where is the 'Any' key?
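Two points on this slide can be turned into a check you actually run: a backup that sat on a compromised server may have been altered, and a recovery process nobody has exercised is not a recovery process. The following is an added example, not from the talk and not UpdraftPlus code. It writes a SHA-256 manifest at backup time, and at restore time refuses any file that is modified, missing, or was never in the manifest. The mini site tree, the tampering, and the file names are all constructed in a temporary directory for the demo.

```python
"""Check a restored backup copy against a SHA-256 manifest before trusting it.

Added example, not from the talk and not UpdraftPlus code. Write the manifest
when the backup is taken, keep it with the offsite copy, and on restore reject
files that are modified, missing, or not in the manifest. The site tree and
the tampering below are constructed in a temporary directory.
"""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Stream a file through SHA-256 so large archives do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_manifest(root):
    """Map relative path (with '/' separators) -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def verify_restore(restored_root, manifest):
    """Return {rel_path: 'modified' | 'missing' | 'unexpected'}; an empty dict means clean."""
    actual = build_manifest(restored_root)
    problems = {}
    for rel, digest in manifest.items():
        if rel not in actual:
            problems[rel] = "missing"
        elif actual[rel] != digest:
            problems[rel] = "modified"
    for rel in actual:
        if rel not in manifest:
            problems[rel] = "unexpected"   # a file nobody backed up, e.g. planted PHP
    return problems


def _write(root, rel, data):
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed scenario. Returns (problems before tampering, problems after tampering)."""
    site = {
        "wp-config.php": b"<?php define('DB_NAME', 'wp');\n",
        "wp-content/themes/x/functions.php": b"<?php // theme functions\n",
        "wp-content/uploads/2017/11/a.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    }
    with tempfile.TemporaryDirectory() as tmp:
        copy = os.path.join(tmp, "backup")
        for rel, data in site.items():
            _write(copy, rel, data)
        manifest = build_manifest(copy)       # taken at backup time, stored with the offsite copy
        clean = verify_restore(copy, manifest)

        # Alter the copy the way an intruder on the same host could:
        # append to a theme file, add a PHP file, delete an upload.
        with open(os.path.join(copy, "wp-content", "themes", "x", "functions.php"), "ab") as f:
            f.write(b"// appended after the backup was taken\n")
        _write(copy, "wp-content/dropped.php", b"<?php // not in manifest\n")
        os.remove(os.path.join(copy, "wp-content", "uploads", "2017", "11", "a.jpg"))
        tampered = verify_restore(copy, manifest)
    return clean, tampered


if __name__ == "__main__":
    before, after = demo()
    print("clean copy:", before or "OK")
    for rel, why in sorted(after.items()):
        print(f"{why:10} {rel}")
```

The manifest only helps if the attacker cannot rewrite it along with the files, so keep it somewhere the web server's credentials cannot reach (the offsite backup account, or signed with a key that never touches the host). Running this against a real restore into a scratch directory is a cheap way to make "test your recovery process" a scheduled job instead of a resolution.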
  15. Security Basics - HTTPS Everything
      Make your whole website HTTPS
      • Can be set using iThemes, or other methods
      • Really Simple SSL can fix non-secure media
      • Your web host can often set this for you
      • Secures your WP-Admin
      • Google gives a ranking boost to HTTPS websites
        ◦ https://goo.gl/zD1Gdh
      • You can also use HTTPS Everywhere to secure your browsing. Chrome Extension from EFF.org
  16. Security and Backup Plugins
      Security - There are tons of them, but we use iThemes Security Pro ($80) and Wordfence Pro ($99)
      Backups - We use UpdraftPlus Pro ($70). (Some people like BackupBuddy.)
      There are FREE versions of all of them. The free versions are very handy but have limited features.
      All 3 Pro would cost $249. There are often coupons available from their/other sites.
  17. iThemes Security Pro
      Strengths
      • One button basic security
      • Lock down WordPress and your server internally to prevent exploits
      • Very Easy to Use
      Careful!
      • Some settings can break WooCommerce
      • Settings can lock you out of WP/Woo
  18. iThemes Security Pro Setup
      1. Install and Activate.
      2. Click Activate Two Factor Authentication. Enable Mobile App and Email, and Update your Profile. Follow Directions.
  19. iThemes Security Pro Setup
      3. Do the 'Security Check'. Enter your email, and decide if you want on their mailing list. :-) Hit Save.
      This is basic security DONE.
  20. iThemes Security Setup Continued
      4. Global Settings - Check 'Send Digest Mail'. Reduces volume of alerts.
      5. Banned Users - Enable HackRepair.
      6. Local Brute Force - lockout 'admin' user.
      7. System Tweaks - Enable All and Save.
      8. WordPress Tweaks - Enable checkboxes, disable XML-RPC.
      9. Change WordPress Salts. (You'll need to log in again)
  21. iThemes Setup Continued
      10. Decide on other options.
      Good news. Once you have set up ONE site, you can Export options (Pro Version) and import them on another site. So you only need to do this once.
  22. Wordfence Pro Setup
      1. Install the free version.
      2. Enter your Pro license in 'Options' and Save
      3. Import a token you've already set up. (Bottom)
      ….
      5. Profit.
  23. Wordfence Pro
      Strengths
      • Preventing external attack vectors and brute force type attacks.
      • Can block countries that are problematic
      • Decent WAF - Web Application Firewall
      • Can import and export configs with tokens for easy setups. Here's a token for Pro:
        772c7779503bc372909679b794949ede540036cf798548a90426a1edaf77f4f2f169ed3c75f54c4d690eb4ef2c433a806a68b6e4e74c4ff638bf8ba883392b6e
      Careful!
      • Making settings too paranoid can block legitimate traffic.
      • Set notifications so you don't get flooded from non-emergencies
      "But I was told I need a firewall on my computer…"
  24. UpdraftPlus Pro
      • Automated Offsite Backups
      • Easy Installation
      • Set Offsite Location
      • Set Retention Policy
        ◦ Ex. Databases Daily, Keep 30; Full Backup Weekly, Keep 4 (or whatever your policy)
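The retention policy on this slide ("databases daily, keep 30; full backup weekly, keep 4") is simple to state but easy to get wrong when a backup set is several files or when the bucket also holds files the backup job did not create. The following is an added example, not UpdraftPlus code; the file-name pattern is made up for the demo. It counts backup sets (one date and kind) newest first, so the newest set of each kind always survives, a kind with fewer sets than its limit loses nothing, unmatched files are never deleted, and a kind with no policy entry is left alone rather than purged.

```python
"""Apply a per-kind "keep N" backup retention policy, like the UpdraftPlus
policy the talk suggests (databases daily, keep 30; full backups weekly, keep 4).

Added example, not UpdraftPlus code; the file-name scheme is constructed for
the demo. Retention counts sets (one date and kind), newest first.
"""
import re
from collections import defaultdict
from datetime import date, timedelta

# Constructed naming scheme: backup_YYYY-MM-DD_<kind>[.partN].<ext>
NAME_RE = re.compile(
    r"^backup_(?P<date>\d{4}-\d{2}-\d{2})_(?P<kind>db|full)(?:\.part\d+)?\.(?:gz|zip)$"
)


def plan_retention(filenames, keep):
    """keep maps kind -> number of sets to retain. Returns (to_delete, untouched), both sorted."""
    sets = defaultdict(lambda: defaultdict(list))   # kind -> date -> [files in that set]
    untouched = []
    for name in filenames:
        m = NAME_RE.match(name)
        if not m:
            untouched.append(name)        # not ours: never delete what we did not create
            continue
        sets[m["kind"]][m["date"]].append(name)

    to_delete = []
    for kind, by_date in sets.items():
        limit = keep.get(kind)
        if limit is None:
            continue                      # no policy for this kind: keep everything
        # ISO dates sort chronologically as strings; drop everything past the Nth newest set.
        for d in sorted(by_date, reverse=True)[limit:]:
            to_delete.extend(by_date[d])
    return sorted(to_delete), sorted(untouched)


def sample_listing(last=date(2017, 11, 11)):
    """Constructed offsite bucket: 35 daily db dumps, 6 weekly two-part full backups, one stray file."""
    names = ["readme.txt"]
    names += [f"backup_{last - timedelta(days=i):%Y-%m-%d}_db.gz" for i in range(35)]
    for i in range(6):
        d = last - timedelta(weeks=i)
        names += [f"backup_{d:%Y-%m-%d}_full.part1.zip", f"backup_{d:%Y-%m-%d}_full.part2.zip"]
    return names


if __name__ == "__main__":
    delete, skipped = plan_retention(sample_listing(), {"db": 30, "full": 4})
    print(f"delete {len(delete)} files, leave {len(skipped)} unmanaged file(s) alone")
    for name in delete:
        print("  rm", name)
```

On the constructed listing the policy removes the five oldest database dumps and both parts of the two oldest full backups, nine files, and leaves readme.txt alone. Whatever tool actually prunes your offsite copies, a dry run that prints this list before deleting is worth keeping: a retention bug that deletes the newest set is indistinguishable from having no backups at all.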
  25. Bonus Free Security - Cloudflare
      Once all else is done, consider Cloudflare. Cloudflare is a FREE CDN and Security Layer. You set up your site, point DNS, and voilà. Your site will be more secure and run faster.
  26. Summary?
      Simple Good Practices can prevent you from having a really, really, really bad day.
      • Prevent
      • Update
      • Backups
      I DID backup my files… Yes, onto the same drive. WHAT do you mean 'bummer'?
  27. Links
      fail2ban http://www.fail2ban.org/
      iThemes Security https://ithemes.com/security/
      Wordfence https://www.wordfence.com/
      UpdraftPlus https://updraftplus.com
      EFF http://eff.org
      LetsEncrypt http://letsencrypt.org
      WordPress Plugins User: quadshot
      Contact Michael Cremean [email protected]