Keeping Your WordPress Safe
by Carl Alexander
Slide 1: KEEPING YOUR WORDPRESS SAFE
Slide 2: Carl Alexander
Slide 3: @twigpress
Slide 4: carlalexander.ca
Slide 5: No content
Slide 6: Concepts
Slide 7: Attack Types
Slide 8: Generalized
Slide 9: Generalized attacks are
Slide 10: Generalized attacks are OPPORTUNISTIC
Slide 11: Generalized attacks are AUTOMATED
Slide 12: Generalized attacks are “OMG I GOT HACKED”
Slide 13: Targeted
Slide 14: Do you have…
Slide 15: Do you have… a large site?
Slide 16: Do you have… a lot of traffic?
Slide 17: Do you have… someone you pissed off!?
Slide 18: Of course not! You’re a nice person.
Slide 19: You’re safe then. (sweet!)
Slide 20: Vectors
Slide 21: Vulnerable Software
Slide 22: Vulnerable ≠ Out-of-date
Slide 23: What makes out-of-date software vulnerable?
Slide 24: It’s also where you get your software
Slide 25: Compromised Credentials
Slide 26: Fact:
Slide 27: Fact: Most of us hate passwords
Slide 28: Assume your credentials are out there
Slide 29: It’s your WordPress credentials
Slide 30: It’s your FTP credentials
Slide 31: It’s your database credentials
Slide 32: It’s your cPanel credentials
Slide 33: It’s your [insert service here] credentials
Slide 34: Contaminated Servers
Slide 35: It’s not just WordPress
Slide 36: Servers also get infected (shit!)
Slide 37: Say hello to cross-contamination
Slide 38: Say goodbye to your security precautions
Slide 39: It’s a #@!*$ to clean up
Slide 40: Infections
Slide 41: Backdoors
Slide 42: Gives access to your site
Slide 43: Doesn’t do damage
Slide 44: Used to do damage
Slide 45: Injections
Slide 46: Like unwanted content?
Slide 47: Here are some unwanted links
Slide 48: Here are some unwanted iframes
Slide 49: Here are some unwanted SEO spam campaigns
Slide 50: Here are some unwanted redirects
Slide 51: Here are some unwanted malicious scripts
Slide 52: It’s all for the $$$
Slide 53: Disfigurement
Slide 54: Your site for Bengal kitten enthusiasts
Slide 55: becomes a site for PETA activists
Slide 56: About sending a message
Slide 57: Concepts ~ recap ~
Slide 58: Attack Types / Vectors / Infections
Slide 59: Questions?
Slide 60: Recommendations
Slide 61: Configuration
Slide 62: Don’t use defaults
Slide 63: Story time!
Slide 64: Don’t use “admin”
Slide 65: Don’t use “wp_” prefix
Slide 66: Strong (unique) passwords
Slide 67: The dead horse of security
Slide 68: A strong password has more than 12 characters
Slide 69: A strong password has upper- and lower-case characters
Slide 70: A strong password has special characters
Slide 71: A strong password has numerical characters
Slide 72: You could use a passphrase
Slide 73: Instead invest in a password manager
Slide 74: Always make two accounts
Slide 75: Principle of least privilege
Slide 76: You’re publishing content
Slide 77: Not installing plugins
Slide 78: Get off that administrator account!
Slide 79: Disable file editing
Slide 80: “God mode” capability
Slide 81: You shouldn’t edit files
Slide 82: Don’t let attackers either
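As an added example (not part of Carl Alexander's slides), the two configuration recommendations above, "Don't use 'wp_' prefix" and "Disable file editing", each correspond to one line in WordPress's own wp-config.php. The prefix value shown is a constructed placeholder; choose your own. Both settings must appear before the `require_once ABSPATH . 'wp-settings.php';` line that ships at the bottom of wp-config.php, otherwise WordPress has already loaded with the defaults.

```php
<?php
// Added example: wp-config.php hardening lines matching the
// "Don't use wp_ prefix" and "Disable file editing" slides.
// Not from the original deck; 'k7x2q_' is a constructed prefix.

// Database table prefix. WordPress defaults to 'wp_', and automated
// attacks against the database assume that default, so any non-default
// value removes the free guess. Set this before installation; changing it
// on a live site means renaming every table and updating option rows.
$table_prefix = 'k7x2q_';

// Remove the Theme and Plugin editors from the admin screens. The editor
// is the "God mode" capability from the slides: anyone holding an
// administrator session can write PHP straight to disk with it, which is
// exactly how backdoors get planted. With this constant set, the menu
// entries disappear and the capability check fails even on a direct URL.
define('DISALLOW_FILE_EDIT', true);

// ... the rest of wp-config.php (DB_NAME, salts, etc.) stays as generated,
// and wp-settings.php is required at the very end as usual.
```

After deploying, confirm the change by logging in as an administrator: Appearance > Theme File Editor and Plugins > Plugin File Editor should no longer appear in the menu. Disabling the editor does not stop a compromised FTP or cPanel account from changing files (the credentials slides cover that), it only closes the path that runs through a WordPress login.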
Slide 83: Maintenance
Slide 84: Use trusted sources
Slide 85: Like candy from strangers
Slide 86: Don’t trust them
Slide 87: Stay with known sources
Slide 88: That means WordPress.org
Slide 89: That means ThemeForest
Slide 90: That means CodeCanyon
Slide 91: Keep everything up to date
Slide 92: Another dead horse!
Slide 93: Easy targets for attackers
Slide 94: Stay off their radar
Slide 95: Maintain regular backups
Slide 96: Doesn’t improve security
Slide 97: Minimizes damage
Slide 98: Repair things in no time
Slide 99: Remove unused themes / plugins
Slide 100: You try… and forget
Slide 101: Just remove them
Slide 102: Keep only what you use
Slide 103: Hosting
Slide 104: Avoid shared servers
Slide 105: Breeding ground for cross-contamination
Slide 106: Pray for your security
Slide 107: Near-impossible cleanup
Slide 108: One install per server
Slide 109: Taking it one step further
Slide 110: “But I want multiple sites”
Slide 111: Use multisite like “.com”
Slide 112: Use SSL encryption
Slide 113: Almost mandatory
Slide 114: Makes everyone safer
Slide 115: Scared? Use CloudFlare
Slide 116: Recommendations ~ recap ~
Slide 117: Configuration / Maintenance / Hosting
Slide 118: Questions?
Slide 119: @twigpress Thank You!