Wc maine-slideshare

Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Anúncio
Próximos SlideShares
Wild communications
Wild communications
Carregando em…3
×

Confira estes a seguir

1 de 26 Anúncio

Wc maine-slideshare

Baixar para ler offline

Website security is important to everyone who has a website, as well as everyone who uses one. Whether it gets five visitors a day or five thousand, hackers are looking to compromise, break, infect and virtually own every website they can, for monetary and social purposes.

While the topic seems mysterious to most users, website security is actually a set of simple principles that everyone can adopt to keep their risk at the absolute lowest. Being a WordPress user is a great start, and the discussion will cover the habits, practices and techniques to follow to keep a WordPress site secure from hackers and malware.


  1. WordPress security fundamentals. WordCamp Maine.
  2. Something about me: Joseph Herbrandson, web design and infosec. Committed to WordPress and website security since 2008. Sucuri Security Technical Account Manager: cleaning up malware and protecting websites from infection every day; cleaned, remediated and secured over 5,000 websites. Website: sucuri.net, twitter.com/sucuri_security, facebook.com/SucuriSec.
  3. Sucuri Security: SCAN 3 million domains/month (sitecheck.sucuri.net); BLOCK 33 million/month; CLEAN 300-500 sites/day; website security servicing over 250 thousand domains; platform agnostic (WordPress, Joomla, Drupal, etc.); global operations, 24/7/365 support.
  4. The state of the Internet: 3 billion Internet users worldwide, 1 billion active sites (internetlivestats.com). 60% of all CMS sites and 22% of all websites are WordPress!
  5. Notes on secure WP. No 0% threat rule: no such thing as perfect security; if someone REALLY wants in, they will find a way. 0-day attacks: brand new attacks using different methods make these impossible to plan for; a 0-day attack is resolved once it has been studied and a fix has been published. Not just WordPress! Security starts with everyday practices: all the wrong moves made off of your website will still affect things on your website.
  6. Hackers' identities. Who are these guys? It can be anyone good with computers: intelligent and mischievous, enterprising and effective. Where are they from? Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States.
  7. Common attack types, what's going on here: brute force, SQL injection, DDoS, social engineering.
  8. Hacked? Why you? It's nothing personal: most attacks are automated and done on many websites at a time. You're on the list: once you're a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE.
  9. The $billion spam: pharma and spam attacks. Viagra, Cialis, and Levitra ads make marketers over 2 BILLION dollars every year from blackhat methods of infecting websites and redirecting users to websites selling prescription drugs.
  10. Pillars of security, your security frontline: disaster prevention (backups); basic website maintenance (staying current); common sense policies (access control); WordPress preparation.
  11. Secured backups, disaster prevention. Have a backup plan: playing defensively from the back is your best first line of defense. Stored remotely: away from your live server and the clutches of an intruder; more than one if possible! The more layers your backup plan has, the less likely it is to fail. Scheduled and automated: don't rely on yourself.
  12. Backup solutions, options for: VaultPress, web hosting, Sucuri Backups, BackupBuddy.
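The three rules on the backup slide (stored away from the live server, more than one copy, scheduled rather than manual) as a small job you could run from cron. This is an added example, not code from the talk or from any of the products listed; the site path, the two destination paths, the five-archive retention and the sample site contents are all assumptions constructed for the demo.

```python
"""Added example (not from the slides): a scheduled backup job that archives the
site, replicates the archive to more than one destination, verifies each copy by
hash and prunes old archives. Paths, retention and sample data are assumptions."""
import hashlib
import shutil
import tarfile
import tempfile
import time
from pathlib import Path

RETENTION = 5  # assumption: keep the five newest archives per destination


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def create_archive(site_dir, work_dir, stamp):
    """Pack the whole site directory into a timestamped tar.gz archive."""
    archive = Path(work_dir) / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname=Path(site_dir).name)
    return archive


def replicate(archive, destinations):
    """Copy the archive to every destination, write a .sha256 beside it and
    re-hash the copy. Returns {copy_path: digest} for copies that verified."""
    expected = sha256_of(archive)
    verified = {}
    for dest in destinations:
        dest = Path(dest)
        dest.mkdir(parents=True, exist_ok=True)
        copy = dest / archive.name
        shutil.copy2(archive, copy)
        copy.with_suffix(copy.suffix + ".sha256").write_text(expected + "\n")
        if sha256_of(copy) == expected:
            verified[copy] = expected
    return verified


def prune(dest, keep=RETENTION):
    """Delete archives beyond the newest `keep` (timestamps sort lexically)."""
    archives = sorted(Path(dest).glob("site-*.tar.gz"), reverse=True)
    removed = []
    for old in archives[keep:]:
        old.unlink()
        old.with_suffix(old.suffix + ".sha256").unlink(missing_ok=True)
        removed.append(old)
    return removed


def run_backup(site_dir, destinations, stamp=None):
    """One scheduled run: archive, replicate, verify, prune."""
    stamp = stamp or time.strftime("%Y%m%d-%H%M%S")
    with tempfile.TemporaryDirectory() as work:
        archive = create_archive(site_dir, work, stamp)
        copies = replicate(archive, destinations)
    for dest in destinations:
        prune(dest)
    return copies


def demo():
    """Constructed site and two destinations; seven runs, then a restore check."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "site"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php define('DB_NAME', 'example');")
        (site / "wp-content" / "uploads" / "note.txt").write_text("constructed upload")
        dests = [Path(tmp) / "remote-a", Path(tmp) / "remote-b"]  # stand-ins for remote storage
        copies = {}
        for i in range(7):
            copies = run_backup(site, dests, stamp=f"20140601-00000{i}")
        retained = len(list(dests[0].glob("site-*.tar.gz")))
        # Restore check: the newest copy on the second destination must hold the config.
        newest = sorted(dests[1].glob("site-*.tar.gz"))[-1]
        restore = Path(tmp) / "restore"
        with tarfile.open(newest) as tar:
            tar.extractall(restore)
        restored = (restore / "site" / "wp-config.php").read_text()
        return {"verified_copies": len(copies), "retained": retained,
                "restore_ok": "DB_NAME" in restored}


if __name__ == "__main__":
    print(demo())
```

The restore step at the end of `demo()` is the part most backup plans skip: a backup you have never restored from is only a hope. In a real deployment the destinations would be a remote mount or an object-store sync rather than two local directories.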
  13. A little bit about password security. The tactics: sophisticated password guessing, easier to crack than you think. Password crack times: 8 letters = 52 seconds; 8 nums/letters = 11 minutes; with caps/!@#$... = 3 hours; 12 letters/nums/caps/!@#$ = 2 thousand years.
  14. The web's most used passwords. The following are statistics showing the most used passwords in 2013, documented from lists stolen in major organization security breaches (SplashData.com). Ranking, password, last year's ranking: 1. 123456 (2); 2. password (1); 3. 12345678 (3); 4. qwerty (5); 5. abc123 (4); 6. 123456789 (new); 7. 111111 (9).
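A check that puts the two password slides together: reject anything on the most-used list outright, then estimate how long exhaustive guessing would take for everything else. This is an added example, not from the talk; the guess rate is an assumption derived from the slide's "8 letters = 52 seconds" figure, and the 12-character minimum and one-year threshold are assumed policy values.

```python
"""Added example (not from the slides): blocklist plus crack-time estimate.
The guess rate, minimum length and weak threshold are assumptions."""
import string

# Constructed from slide 14: the seven most-used passwords of 2013 (SplashData).
MOST_USED_2013 = {"123456", "password", "12345678", "qwerty", "abc123",
                  "123456789", "111111"}

# Assumption: attacker guess rate. Slide 13 says 8 lowercase letters fall in
# 52 seconds, so 26**8 guesses / 52 s, roughly 4 billion guesses per second.
GUESSES_PER_SECOND = 26 ** 8 / 52

MIN_LENGTH = 12                           # assumption: policy minimum
WEAK_THRESHOLD_SECONDS = 365 * 24 * 3600  # assumption: under a year is weak


def charset_size(password):
    """Size of the smallest standard alphabet an attacker must search."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += 26
    if any(c in string.ascii_uppercase for c in password):
        size += 26
    if any(c in string.digits for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)   # 32 ASCII symbols
    if " " in password:
        size += 1
    if any(c not in string.printable for c in password):
        size += 100                       # rough allowance for non-ASCII
    return size


def keyspace(password):
    return charset_size(password) ** len(password)


def seconds_to_crack(password, rate=GUESSES_PER_SECOND):
    """Expected time for exhaustive search: half the keyspace on average."""
    return keyspace(password) / 2 / rate


def human_time(seconds):
    for unit, size in (("years", 365 * 24 * 3600), ("days", 24 * 3600),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.0f} {unit}"
    return f"{seconds:.0f} seconds"


def assess(password):
    """Return a verdict plus the numbers behind it."""
    secs = seconds_to_crack(password)
    result = {"charset": charset_size(password), "keyspace": keyspace(password),
              "estimate": human_time(secs)}
    if password.lower() in MOST_USED_2013:
        result["verdict"] = "reject"
        result["reason"] = "on the most-used list; these are guessed first"
    elif len(password) < MIN_LENGTH or secs < WEAK_THRESHOLD_SECONDS:
        result["verdict"] = "weak"
        result["reason"] = f"brute force in about {result['estimate']}"
    else:
        result["verdict"] = "ok"
        result["reason"] = f"brute force in about {result['estimate']}"
    return result


if __name__ == "__main__":
    for pw in ("123456", "abcdefgh", "Tr0ub4dor&3", "correct horse battery staple!"):
        r = assess(pw)
        print(f"{pw!r:34} {r['verdict']:6} {r['reason']}")
```

The blocklist check comes first on purpose: a list entry like `password` has a large nominal keyspace but is tried before any brute force starts, so the time estimate is meaningless for it. The estimate itself assumes an offline attack against stolen hashes; a login form with rate limiting allows far fewer guesses per second.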
  15. Password managers, tools of the trade: LastPass, KeePass, Dashlane, 1Password.
  16. The importance of WordPress updates. Your version is your level of security. Major versus maintenance releases. Worried about upgrading? Fear not! Downgrading is a simple task. Have an upgrade path. Versions in use as of June 2014 (http://w3techs.com/technologies/details/cm-wordpress/3/all): 3.0-3.4 21%, 3.5 14%, 3.6 5%, 3.7 8%, 3.8 18%, 3.9 34%.
  17. Know your plugins: plug and play for hackers! Recent vulnerability disclosures, update!!: All in One SEO, MailPoet, Custom Contact Forms, WPtouch. No plugin is SAFE forever! Developer vigilance is key; keep track of update and change logs; consider plugins secured by Sucuri or other security authorities.
  18. Website antivirus, server-side protection. Malware scanning: SiteCheck (http://sitecheck.sucuri.net), VirusTotal (http://www.virustotal.com). WordPress security plugins: Sucuri Scanner, iThemes Security (formerly Better WP Security), GOTMLS. Premium web cleanup services: Sucuri Website Antivirus, SiteLock.
  19. Case study: cleanup. FTP/SFTP file management: basic file cleanup with FileZilla. WordPress version archives: https://codex.wordpress.org/WordPress_Versions (Google "WordPress versions"). Theme backups: always know where to find a clean copy of your theme.
  20. Infected site. Infection: blackhat SEO spam injection. The spam is displayed with JavaScript turned off; otherwise it's hidden! Infection confirmed at the free Sucuri website scanner: http://sitecheck.sucuri.net. Cleanup follows.
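The infection on this slide is visible in the raw HTML but hidden from a browser with JavaScript on, so a scanner that reads the page source rather than rendering it can see it. Below is an added detector for that pattern, not part of the talk or of the Sucuri scanner: it walks the HTML, tracks whether the current text sits inside a hidden container, and reports pharma terms and links found there. The term list, the hiding patterns and both sample pages are constructed for the example.

```python
"""Added example (not from the slides): find spam terms and links that sit inside
hidden containers in raw HTML. Terms, style patterns and samples are assumptions."""
import re
from html.parser import HTMLParser

# Assumption: the pharma terms named on slide 9 plus two generic spam terms.
SPAM_TERMS = re.compile(r"\b(viagra|cialis|levitra|pharmacy|payday loans)\b", re.I)
# Inline-style tricks used to keep injected content out of sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px", re.I)
VOID_TAGS = {"br", "img", "hr", "meta", "link", "input"}


class SpamFinder(HTMLParser):
    """Walk the document keeping a stack of open elements and their hidden flag."""

    def __init__(self):
        super().__init__()
        self.stack = []   # (tag, is_hidden) for each open element
        self.terms = []   # {"term", "hidden", "path"}
        self.links = []   # (href, hidden)

    def in_hidden(self):
        return any(hidden for _, hidden in self.stack)

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        hidden = "hidden" in a or bool(HIDDEN_STYLE.search(a.get("style") or ""))
        if tag == "a" and a.get("href"):
            self.links.append((a["href"], self.in_hidden() or hidden))
        if tag not in VOID_TAGS:
            self.stack.append((tag, hidden))

    def handle_endtag(self, tag):
        for i in range(len(self.stack) - 1, -1, -1):
            if self.stack[i][0] == tag:
                del self.stack[i:]
                break

    def handle_data(self, data):
        for m in SPAM_TERMS.finditer(data):
            self.terms.append({"term": m.group(0).lower(),
                               "hidden": self.in_hidden(),
                               "path": "/".join(t for t, _ in self.stack)})


def scan_html(html):
    """Return term hits, the links found in hidden containers and a verdict."""
    finder = SpamFinder()
    finder.feed(html)
    hidden_terms = [t for t in finder.terms if t["hidden"]]
    hidden_links = [href for href, hidden in finder.links if hidden]
    verdict = "suspicious" if hidden_terms or len(hidden_links) >= 3 else "clean"
    return {"terms": finder.terms, "hidden_terms": len(hidden_terms),
            "hidden_links": hidden_links, "verdict": verdict}


# Constructed sample: an ordinary page with an injected, off-screen spam block.
INFECTED_PAGE = """<html><body>
<h1>Maine Lighthouse Tours</h1>
<p>Book a tour of Portland Head Light this summer.<br>Open daily.</p>
<div style="position:absolute; left:-9999px">
  <a href="http://pills.example/v">buy viagra online</a>
  <a href="http://pills.example/c">cheap cialis</a> and levitra
</div>
</body></html>"""

# Constructed sample: the same page without the injection.
CLEAN_PAGE = """<html><body>
<h1>Maine Lighthouse Tours</h1>
<p>Book a tour of Portland Head Light this summer.<br>Open daily.</p>
</body></html>"""


if __name__ == "__main__":
    for name, page in (("infected", INFECTED_PAGE), ("clean", CLEAN_PAGE)):
        r = scan_html(page)
        print(name, r["verdict"], r["hidden_terms"], "hidden terms", r["hidden_links"])
```

Reading the source is the point: the browser never shows the block, but search engines and a non-rendering scanner do, which is exactly why the injection works for blackhat SEO. Run the same scan against the page as served and against the files on disk; a difference between the two means the spam is being added at request time.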
  21. Cleanup: remove and replace. wp-admin and wp-includes: these directories are replaceable for cleanup and for downgrading versions. Replace other core files: the other core files outside of these two directories can be uploaded to directly replace their counterparts. Do not delete wp-config.php or wp-content! These are vital to the functionality of your blog, and cannot be replaced easily, or without a backup.
  22. Cleanup: remove and replace, pt. 2. Find your theme: your theme is replaceable if you haven't made custom changes. Delete your old theme: this is the most common place for infected WordPress files. Replace with a clean copy: good as new!
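The remove-and-replace steps on slides 21 and 22 can be made systematic by comparing the site against a clean download of the same WordPress version (the version archive on slide 19). This added example, not code from the talk, classifies every core file as modified, missing, or added inside wp-admin/wp-includes, puts back clean copies, and never touches wp-config.php or wp-content, exactly as the slide warns. The directory layout and the two sample trees are constructed for the demo; the theme step from slide 22 is the same comparison run against a clean copy of the theme.

```python
"""Added example (not from the slides): core-file integrity check and restore
against a clean copy of the same WordPress version. Layout and samples are assumed."""
import hashlib
import shutil
import tempfile
from pathlib import Path

CORE_DIRS = ("wp-admin", "wp-includes")        # replaceable wholesale (slide 21)
NEVER_TOUCH = ("wp-config.php", "wp-content")  # never delete these (slide 21)


def file_hash(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def core_manifest(root):
    """Relative path -> sha256 for every file outside NEVER_TOUCH."""
    root = Path(root)
    manifest = {}
    for p in root.rglob("*"):
        if p.is_file():
            rel = p.relative_to(root).as_posix()
            if rel.split("/", 1)[0] not in NEVER_TOUCH:
                manifest[rel] = file_hash(p)
    return manifest


def compare(site, clean):
    """Classify core files: modified, missing, added inside core dirs, or unknown
    at top level (listed for manual review; could be a legitimate .htaccess)."""
    site_files, clean_files = core_manifest(site), core_manifest(clean)
    report = {"modified": [], "missing": [], "added": [], "review": []}
    for rel, digest in site_files.items():
        if rel in clean_files:
            if digest != clean_files[rel]:
                report["modified"].append(rel)
        elif rel.split("/", 1)[0] in CORE_DIRS:
            report["added"].append(rel)
        else:
            report["review"].append(rel)
    report["missing"] = [rel for rel in clean_files if rel not in site_files]
    return {k: sorted(v) for k, v in report.items()}


def restore_core(site, clean, report):
    """Copy clean versions over modified/missing files and delete files added inside
    wp-admin / wp-includes. wp-config.php and wp-content are never in the report."""
    site, clean = Path(site), Path(clean)
    actions = []
    for rel in report["modified"] + report["missing"]:
        target = site / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(clean / rel, target)
        actions.append(("replaced", rel))
    for rel in report["added"]:
        (site / rel).unlink()
        actions.append(("deleted", rel))
    return actions


def _write(root, rel, text):
    p = Path(root) / rel
    p.parent.mkdir(parents=True, exist_ok=True)
    p.write_text(text)


def demo():
    """Constructed site and clean trees; returns the reports before and after restore."""
    with tempfile.TemporaryDirectory() as tmp:
        clean, site = Path(tmp) / "clean", Path(tmp) / "site"
        for root in (clean, site):
            _write(root, "index.php", "<?php require 'wp-blog-header.php';")
            _write(root, "wp-admin/admin.php", "<?php // admin")
            _write(root, "wp-includes/functions.php", "<?php // functions")
        # Site-only state: config and content (must survive) plus two symptoms.
        _write(site, "wp-config.php", "<?php define('DB_NAME', 'example');")
        _write(site, "wp-content/themes/demo/style.css", "body{}")
        _write(site, ".htaccess", "RewriteEngine On")
        _write(site, "wp-includes/functions.php", "<?php // functions\n// constructed: tampered line")
        _write(site, "wp-includes/class-cache.php", "<?php // constructed: not in the clean copy")
        before = compare(site, clean)
        actions = restore_core(site, clean, before)
        after = compare(site, clean)
        config_intact = (site / "wp-config.php").read_text().startswith("<?php define('DB_NAME'")
        return {"before": before, "after": after, "actions": actions,
                "config_intact": config_intact}


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

Take a full backup before running `restore_core`, and treat the `review` list as a to-do rather than noise: a top-level file the clean copy does not have is either yours (`.htaccess`) or the attacker's, and only a human can tell.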
  23. Cleanup: clean site. Cleanup accomplished: your WordPress site is now spam free!
  24. Active defense: website firewall, fight back! A security checkpoint that monitors all users; intelligent and decisive: detect attack patterns and stop them; software versus hardware. Products: Sucuri Website Firewall, CloudFlare, SiteLock.
  25. A healthy dose of... paranoia. Worry about the right things: integrating a protection plan; passwords versus usernames; hosting: shared, managed, dedicated; plugin/theme origin; patching/updating; who your friends are.
  26. Any questions?