Slide 1

INTRO TO SECURITY (BEGINNERS EDITION)
Michele Butcher
CantSpeakGeek.com
WPSecurityLock.com
@Michele_Butcher
Slides can be found at http://mlb.pw/wcstl2015

Slide 2

MICHELE BUTCHER
• WordPress Specialist, Site Cleaner, and Trainer for WP Security Lock
• WordPress Specialist for Megabytes Inc
• One Woman Wonder at Can’t Speak Geek

Slide 3

WHY IS SECURITY IMPORTANT?

Slide 4

EVERY DAY HACKERS TRY TO FIND WAYS TO GET YOUR INFORMATION.

Slide 5

WHY DO HACKERS HACK?
• Make bank
• Build a zombie site army
• Share their nasty malware with the world
• Get your information
• They are bored
• They want to see if they can do it

Slide 6

WHY ARE THESE PEOPLE ATTACKING ME?
These days, it is not people but bots attacking your site. Hackers have programs that do the work for them. Rarely is it people doing the hacking unless it is targeted. Sites with strong opinions are a good example.

Slide 7

HOW DO THEY GET IN?
• Guess your login. If you know it, so can someone else. (Brute force attack or man in the middle)
• Denial of Service attack (DDoS): floods your site with more traffic than it can handle
• Through a theme, file or plugin
• Through your FTP or cPanel. (Files set to read, write, execute. Brute force, anonymous login, shared hosting infection)

Slide 8

AND NOW FOR THE ONLY THING SCARY THAT I AM GOING TO SAY.

Slide 9

YOU ARE NEVER 100% SECURE

Slide 10

EVEN A TEST SITE OR A KNITTING SITE WITH ONLY 2 VISITORS CAN BE HACKED. IT CAN HAPPEN TO YOUR SITE.
It has happened to me; it can happen to you.

Slide 11

DON’T LET SECURITY MAKE YOU LIKE THIS GUY.

Slide 12

NEVER FEAR… THERE ARE WAYS TO KEEP THE HACKER ATTACKERS OUT!
I promise it is not all that painful!

Slide 13

WORDPRESS SECURITY BASICS

Slide 14

NEVER EVER EVER USE “ADMIN” AS USER NAME OR “PASSWORD” AS PASSWORD. NEVER!
Got it?

Slide 15

ALWAYS CHANGE YOUR PREFIX NAME FROM WP_
LET IT BE ANYTHING OTHER THAN WP_
FDHSFJKHS_ IS ALWAYS GOOD
I typically do not even look at what I am typing anymore when I make the WP table prefix. The more random the better.

Slide 16

WHAT TO DO WHEN YOU HAVE TEMPORARY PEOPLE IN YOUR DASHBOARD

Slide 17

ALWAYS USE SFTP
Regular FTP is not secure. Do not use it unless the server is only set up for FTP.

Slide 18

Only give them access to what they NEED, not what they want. Just because they want to be an admin does not automatically make them one. Guest bloggers should not be any more than contributors.

Slide 19

If it is only a temporary login, delete their login when they have completed their job. If they have posts on your site, you can knock them down to subscribers so they cannot change anything on your site. If they are only doing work, delete them when their job is done.

Slide 20

Set up a file change detection notification to know what they are changing on your site. iThemes Security and other security plugins give you the option to see what all users are doing when logged into the dashboard.

Slide 21

WHAT ABOUT SECURITY PLUGINS?

Slide 22

ITHEMES SECURITY PRO
A great all-encompassing, best-practices WordPress security plugin. Two versions: a free and a premium.
http://ithemes.com/security

Slide 23

BRUTE PROTECT
If you are mainly worried about DDoS attacks, Brute Protect has you covered.
http://bruteprotect.com

Slide 24

WHO CAN SCAN MY SITE FOR MALWARE?
Google Webmaster Tools: http://google.com/webmaster
VirusTotal: https://virustotal.com
iThemes Security Pro: http://ithemes.com/security

Slide 25

NEED AN EXTRA EYE ON YOUR SITE?
CloudFlare has a free and premium version.
http://cloudflare.com

Slide 26

THINGS YOU CAN DO TO PROTECT YOUR WEBSITE

Slide 27

UPDATE! UPDATE! UPDATE!
Update core, update plugins, update themes, update content, update everything and update often! Outdated software is the biggest source of nearly all hacks: once something is patched, it is trivial to get into the old stuff.

Slide 28

IF YOU USE THEMES OR PLUGINS FROM ANY OF THE ENVATO MARKETPLACES (THEMEFOREST, CODECANYON), ALWAYS CHECK THE BOX TO BE NOTIFIED OF UPDATES. THEY WILL NOT TELL YOU OTHERWISE.
This is why the RevSlider SoakSoak infection was so widespread. Many didn't know the plugin was built into the theme.

Slide 29

HAVE A MINIMALIST APPROACH TO PLUGINS AND THEMES.
• Only have the plugins you are using at that time on your site. You can always upload them again later.
• Only have the theme you are using on your site.
• If something is not active, delete it.

Slide 30

BACK UP YOUR SITE! SOMEWHERE, ANYWHERE, JUST HAVE A BACKUP COPY.
BackupBuddy from iThemes is a great choice. iThemes Security will do a database backup for you.
http://ithemes.com/backupbuddy

Slide 31

ALWAYS BACK UP TO SOMEPLACE OTHER THAN YOUR SERVER. IF THE SERVER GETS HACKED, SO DOES YOUR BACKUP. EVEN BACKING UP A COPY TO DROPBOX OR YOUR COMPUTER IS A BETTER OPTION.

Slide 32

DON’T LET YOUR SITE GET LONELY.
Lonely sites can turn into zombie sites and nobody wants a zombie.

Slide 33

IF YOUR WEBSITE GETS HACKED IT IS NOT THE END OF THE WORLD. IT CAN AND WILL BE FIXED.

Slide 34

WHO CLEANS HACKED WEBSITES?
Well, I do over at WP Security Lock ~Smile~
http://wpsecuritylock.com
I apologize… had to do one shameful plug.

Slide 35

WHAT ARE OTHER WAYS I CAN BE MORE SECURE?

Slide 36

ALWAYS USE COMPLEX PASSWORDS. ALWAYS! FOR EVERYTHING! “PASSWORD” IS NEVER A GOOD PASSWORD!

Slide 37

NEVER EMAIL PASSWORDS TO ANYONE. INCLUDING YOURSELF.

Slide 38

USE A DIFFERENT PASSWORD FOR EACH AND EVERY THING YOU LOG INTO.

Slide 39

USE SOMETHING LIKE LASTPASS OR 1PASSWORD TO SAVE YOUR PASSWORDS AND TO SHARE PASSWORDS WITH OTHERS.

Slide 40

IF THE LOGIN HAS A TWO-FACTOR AUTHENTICATION, USE IT!

Slide 41

ANTI-VIRUS
PROTECT YOUR UNIT!
Yes, I even have an anti-virus on my Mac! AVG and Avast have free versions as well as paid. Kaspersky is great with Windows and Macs.

Slide 42

BE CONSCIOUS WHEN USING PUBLIC WIFI.

Slide 43

USE A VPN WHEN CONNECTING OUT IN THE WILD.
torguard.com

Slide 44

UPDATE! UPDATE! UPDATE!
Let me say this again.

Slide 45

BACK UP EVERYTHING AND BACK IT UP OFTEN. IF YOU FEAR YOU MIGHT LOSE INFORMATION, SAVE IT IN MORE THAN ONE SPOT. BITCASA, CARBONITE, AND EXTERNAL HARD DRIVES ARE GREAT OPTIONS FOR BACKING UP DATA.

Slide 46

QUESTIONS?

Slide 47

THANK YOU FOR ATTENDING!
Slides can be found at http://mlb.pw/wcstl2015
Michele Butcher
@michele_butcher
http://wpsecuritylock.com
http://cantspeakgeek.com