SlideShare a Scribd company logo

WordCamp Orange County: WordPress Security Fundamentals

Joseph Herbrandson
Joseph Herbrandson

WordPress is one the most popular website platforms on the Internet, and that makes it a prime target for malicious web users. Learn how to take the basic steps to protect yourself and your online properties.

TechnologyBusiness
1 of 25
Download to read offline
WordPress securityfundamentals
aboutme Something Joseph Herbrandson Web design and infosec Committed to WordPress and website security since 2008 sucuri security Security Analyst - Cleaning up malware and protecting websites from infection everyday Website sucuri.net twitter.com/sucuri_security facebook.com/SucuriSec sucuri.net
sucuri.net Sucurisecurity • Website security Company • Operate internationally • platform agnostic (wordpress, joomla, drupal, etc…) • scan 2 million websites per month • block 4 million attacks per month • remediate 400-500 sites per day • 24/7 operations
The state of… theInternet sucuri.net 2.9 Billion Internet Users world wide About 950 million active sites internetlivestats.com ! 20% are wordpress…
No 0% Threat Rule No such thing as perfect security. If someone REALLY wants in, they will find a way. 0- Day Attacks Brand new attacks using different methods make these impossible to plan for. 0-Day attacks are resolved once it has been studied, and fix has been published. Not just Wordpress! Security starts with everyday practices. All the wrong moves made off of your website, will still affect things on your website! sucuri.net securewp Notes On
Who Are They? Hackersidentities sucuri.net Who are these Guys? - It can be anyone good with computers. - Intelligent and Mischievous; Enterprising and Effective. Where are they from? Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States. !
Brute Force sql injection ddos social engineering sucuri.net what’s going on here… commonattacktypes
Hacked? Whyyou It’s nothing Personal Most attacks are automated and done on many websites at a time You're on the list Once you’re a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE sucuri.net
The $Billionspam ! Pharma and spam attacks Viagra, Cialis, and Levitra ads, make marketers over 2 BILLION dollars every year from blackhat methods of infecting websites, and redirecting users to websites selling prescription drugs. ! sucuri.net
sucuri.net Sending a Message Hacktivists ! The hacktivists Turning your site into a billboard for anarchy and mayhem
Pillarsofsecurity Your Security Frontline Disaster Prevention backups Basic Website Maintenance Staying current Common Sense Policies Access control WordPress Intrusion Preparation sucuri.net
securedbackups Disaster Prevention Have a backup plan Playing defensively from the back is your best first line defense. Stored Remotely Away from your live server, and the clutches of an intruder. …more than one if possible! The more layers of your backup plan, the less likely it is to fail. Scheduled and Automated Don’t rely on yourself. sucuri.net
backupSolutions Options for Vault PressWeb hosting Sucuri Backups sucuri.net
wordpressUpdates The Importance of Your version is your level of security ! Major versus Maintenance releases ! Worried About upgrading? fear not! downgrading is a simple task ! Have an upgrade path sucuri.net As of June 2014: http://w3techs.com/technologies/details/cm-wordpress/3/all 36% 29% 6% 7% 11% 11% 3.0-3.4 3.5 3.6 3.7 3.8 3.9
sucuri.net allinoneSEo recent vulnerability disclosure: Update!! ! no plugin is SAFE! ! educate yourself http://blog.sucuri.net/2014/05/vulnerability-found-in-the- all-in-one-seo-pack-wordpress-plugin.html Public Service Announcemnt…
A little bit about passwordsecurity The tactics Sophisticated Password Guessing easier to crack than you think… ! Password Crack Times: - 8 letters = 52 seconds - 8 nums/letters = 11 minutes - with caps/!@#$… = 3 hours - 12 letters/nums/caps/!@#$ = 2 Thousand years sucuri.net
mostusedpassWords The web’s No. Title Ranking Last Year 1 123456 2 2 password 1 3 12345678 3 4 qwerty 5 5 abc123 4 6 123456789 New 7 111111 9 sucuri.net The following are statistics showing the most used passwords in 2013, documented from lists stolen in major organization security breaches. (SplashData.com)
passwordmanagers Tools of the trade: Lastpass keePass DashLane sucuri.net 1Password
Case study cleanup Ftp/sftp File Management Basic file cleanup with FileZilla WordPress Version Archives https://codex.wordpress.org/WordPress_Versions (Google “WordPress versions”) Theme Backups Always know where to find a clean copy of your theme sucuri.net
Infectedsite infection: blackhat seo spam injection Spam is displayed with Javascript turned off. Otherwise it’s hidden! Infection confirmed at the free Sucuri website scanner: http://sitecheck.sucuri.net Cleanup sucuri.net
Cleanup removeandreplace wp-admin and wp-includes These directories are replaceable for cleanup and downgrading versions Replace other core files The other core files outside of these two directories can be uploaded to directly replace their counterparts do not delete wp-config.php or wp-content! These are vital to the functionality of your blog, and cannot be replaced easily, or without a backup. sucuri.net
Cleanup removeandreplace pt.2 find your theme Your theme is replaceable if you
 haven’t made custom
 changes delete your old theme This is the most common place
 for infected WordPress files replace with clean copy Good as new! sucuri.net
Cleanup cleansite cleanup accomplished: Your WordPress site is now spam free! ! sucuri.net
sucuri.net A healthy dose of… paranoia worry about the right things: - Passwords versus Usernames - Web hosting - Plugin/Theme origin - Patching/Updating - Who your friends are
anyquestions?

Recommended

Writing Your First Plugin - WordCamp Milwaukee 2012
Writing Your First Plugin - WordCamp Milwaukee 2012Writing Your First Plugin - WordCamp Milwaukee 2012
Writing Your First Plugin - WordCamp Milwaukee 2012bradparbs
 
Reno-Tahoe WordCamp 2011 - WordPress End User Security - Dre Armeda
Reno-Tahoe WordCamp 2011 - WordPress End User Security - Dre ArmedaReno-Tahoe WordCamp 2011 - WordPress End User Security - Dre Armeda
Reno-Tahoe WordCamp 2011 - WordPress End User Security - Dre ArmedaDre Armeda
 
Caching 101 - WordCamp OC
Caching 101 - WordCamp OCCaching 101 - WordCamp OC
Caching 101 - WordCamp OCEugene Kovshilovsky
 
The Capitalist in the Co-Op: The Art & Science of the Premium WordPress Business
The Capitalist in the Co-Op: The Art & Science of the Premium WordPress BusinessThe Capitalist in the Co-Op: The Art & Science of the Premium WordPress Business
The Capitalist in the Co-Op: The Art & Science of the Premium WordPress BusinessShane Pearlman
 
CSI: WordPress -- Getting Into the Guts
CSI: WordPress -- Getting Into the GutsCSI: WordPress -- Getting Into the Guts
CSI: WordPress -- Getting Into the GutsDougal Campbell
 
Scoping and Estimating WordPress Projects as an Agency
Scoping and Estimating WordPress Projects as an AgencyScoping and Estimating WordPress Projects as an Agency
Scoping and Estimating WordPress Projects as an AgencyKara Hansen
 
Slowcooked wp
Slowcooked wpSlowcooked wp
Slowcooked wpjoshfeck
 
Using Curated Content in WordPress - Why and How
Using Curated Content in WordPress - Why and HowUsing Curated Content in WordPress - Why and How
Using Curated Content in WordPress - Why and HowAdam W. Warner
 

Recommended

Writing Your First Plugin - WordCamp Milwaukee 2012
Writing Your First Plugin - WordCamp Milwaukee 2012Writing Your First Plugin - WordCamp Milwaukee 2012
Writing Your First Plugin - WordCamp Milwaukee 2012bradparbs
 
Reno-Tahoe WordCamp 2011 - WordPress End User Security - Dre Armeda
Reno-Tahoe WordCamp 2011 - WordPress End User Security - Dre ArmedaReno-Tahoe WordCamp 2011 - WordPress End User Security - Dre Armeda
Reno-Tahoe WordCamp 2011 - WordPress End User Security - Dre ArmedaDre Armeda
 
Caching 101 - WordCamp OC
Caching 101 - WordCamp OCCaching 101 - WordCamp OC
Caching 101 - WordCamp OCEugene Kovshilovsky
 
The Capitalist in the Co-Op: The Art & Science of the Premium WordPress Business
The Capitalist in the Co-Op: The Art & Science of the Premium WordPress BusinessThe Capitalist in the Co-Op: The Art & Science of the Premium WordPress Business
The Capitalist in the Co-Op: The Art & Science of the Premium WordPress BusinessShane Pearlman
 
CSI: WordPress -- Getting Into the Guts
CSI: WordPress -- Getting Into the GutsCSI: WordPress -- Getting Into the Guts
CSI: WordPress -- Getting Into the GutsDougal Campbell
 
Scoping and Estimating WordPress Projects as an Agency
Scoping and Estimating WordPress Projects as an AgencyScoping and Estimating WordPress Projects as an Agency
Scoping and Estimating WordPress Projects as an AgencyKara Hansen
 
Slowcooked wp
Slowcooked wpSlowcooked wp
Slowcooked wpjoshfeck
 
Using Curated Content in WordPress - Why and How
Using Curated Content in WordPress - Why and HowUsing Curated Content in WordPress - Why and How
Using Curated Content in WordPress - Why and HowAdam W. Warner
 
Progressively Enhancing WordPress Themes
Progressively Enhancing WordPress ThemesProgressively Enhancing WordPress Themes
Progressively Enhancing WordPress ThemesDigitally
 
Work, Life, Blog Balance
Work, Life, Blog BalanceWork, Life, Blog Balance
Work, Life, Blog BalanceAlicia Murray
 
WordPress Community: Choose your own adventure
WordPress Community: Choose your own adventureWordPress Community: Choose your own adventure
WordPress Community: Choose your own adventureAndrea Middleton
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingWordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingAaron Saray
 
WordPress + OAuth
WordPress + OAuthWordPress + OAuth
WordPress + OAuthWill Norris
 
Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015Robert Jolly
 
BuddyPress @ WordCamp
BuddyPress @ WordCampBuddyPress @ WordCamp
BuddyPress @ WordCampapeatling
 
Global Voices - Democratising the web with Wordpress and Love
Global Voices - Democratising the web with Wordpress and LoveGlobal Voices - Democratising the web with Wordpress and Love
Global Voices - Democratising the web with Wordpress and LoveJer Clarke
 
Developing for Success -or- Any Fool Can Do This
Developing for Success -or- Any Fool Can Do ThisDeveloping for Success -or- Any Fool Can Do This
Developing for Success -or- Any Fool Can Do ThisBrian Richards
 
Using Theme Frameworks for rapid development and sustainability
Using Theme Frameworks for rapid development and sustainabilityUsing Theme Frameworks for rapid development and sustainability
Using Theme Frameworks for rapid development and sustainabilityJoel Norris
 
Getting an eCommerce Site Running in 30 Minutes
Getting an eCommerce Site Running in 30 MinutesGetting an eCommerce Site Running in 30 Minutes
Getting an eCommerce Site Running in 30 MinutesApptivo
 
L’uso di WordPress nella comunicazione corporate di Telecom Italia
L’uso di WordPress nella comunicazione corporate di Telecom Italia L’uso di WordPress nella comunicazione corporate di Telecom Italia
L’uso di WordPress nella comunicazione corporate di Telecom Italia GGDBologna
 
WortdPress Child themes: Why and How
WortdPress Child themes: Why and HowWortdPress Child themes: Why and How
WortdPress Child themes: Why and HowPaul Bearne
 
Breaking up (your code) is hard to do
Breaking up (your code) is hard to doBreaking up (your code) is hard to do
Breaking up (your code) is hard to doDan Beil
 
WordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChi
WordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChiWordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChi
WordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChiShanta Nathwani
 
Por um wordpress mais seguro
Por um wordpress mais seguroPor um wordpress mais seguro
Por um wordpress mais seguroFlávio Silveira
 
Working Off Grid & Remote
Working Off Grid & RemoteWorking Off Grid & Remote
Working Off Grid & Remotetravistotz
 
Wcoc preso
Wcoc presoWcoc preso
Wcoc presoAlex Vasquez
 
Introduction to WordPress Multisite
Introduction to WordPress MultisiteIntroduction to WordPress Multisite
Introduction to WordPress MultisiteCraig Taylor
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 

More Related Content

Viewers also liked

Progressively Enhancing WordPress Themes
Progressively Enhancing WordPress ThemesProgressively Enhancing WordPress Themes
Progressively Enhancing WordPress ThemesDigitally
 
Work, Life, Blog Balance
Work, Life, Blog BalanceWork, Life, Blog Balance
Work, Life, Blog BalanceAlicia Murray
 
WordPress Community: Choose your own adventure
WordPress Community: Choose your own adventureWordPress Community: Choose your own adventure
WordPress Community: Choose your own adventureAndrea Middleton
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingWordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingAaron Saray
 
WordPress + OAuth
WordPress + OAuthWordPress + OAuth
WordPress + OAuthWill Norris
 
Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015Robert Jolly
 
BuddyPress @ WordCamp
BuddyPress @ WordCampBuddyPress @ WordCamp
BuddyPress @ WordCampapeatling
 
Global Voices - Democratising the web with Wordpress and Love
Global Voices - Democratising the web with Wordpress and LoveGlobal Voices - Democratising the web with Wordpress and Love
Global Voices - Democratising the web with Wordpress and LoveJer Clarke
 
Developing for Success -or- Any Fool Can Do This
Developing for Success -or- Any Fool Can Do ThisDeveloping for Success -or- Any Fool Can Do This
Developing for Success -or- Any Fool Can Do ThisBrian Richards
 
Using Theme Frameworks for rapid development and sustainability
Using Theme Frameworks for rapid development and sustainabilityUsing Theme Frameworks for rapid development and sustainability
Using Theme Frameworks for rapid development and sustainabilityJoel Norris
 
Getting an eCommerce Site Running in 30 Minutes
Getting an eCommerce Site Running in 30 MinutesGetting an eCommerce Site Running in 30 Minutes
Getting an eCommerce Site Running in 30 MinutesApptivo
 
L’uso di WordPress nella comunicazione corporate di Telecom Italia
L’uso di WordPress nella comunicazione corporate di Telecom Italia L’uso di WordPress nella comunicazione corporate di Telecom Italia
L’uso di WordPress nella comunicazione corporate di Telecom Italia GGDBologna
 
WortdPress Child themes: Why and How
WortdPress Child themes: Why and HowWortdPress Child themes: Why and How
WortdPress Child themes: Why and HowPaul Bearne
 
Breaking up (your code) is hard to do
Breaking up (your code) is hard to doBreaking up (your code) is hard to do
Breaking up (your code) is hard to doDan Beil
 
WordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChi
WordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChiWordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChi
WordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChiShanta Nathwani
 
Por um wordpress mais seguro
Por um wordpress mais seguroPor um wordpress mais seguro
Por um wordpress mais seguroFlávio Silveira
 
Working Off Grid & Remote
Working Off Grid & RemoteWorking Off Grid & Remote
Working Off Grid & Remotetravistotz
 
Introduction to WordPress Multisite
Introduction to WordPress MultisiteIntroduction to WordPress Multisite
Introduction to WordPress MultisiteCraig Taylor
 

Viewers also liked (19)

Progressively Enhancing WordPress Themes
Progressively Enhancing WordPress ThemesProgressively Enhancing WordPress Themes
Progressively Enhancing WordPress Themes
 
Work, Life, Blog Balance
Work, Life, Blog BalanceWork, Life, Blog Balance
Work, Life, Blog Balance
 
WordPress Community: Choose your own adventure
WordPress Community: Choose your own adventureWordPress Community: Choose your own adventure
WordPress Community: Choose your own adventure
 
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress CodingWordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
WordCamp Milwaukee 2012 - Aaron Saray - Secure Wordpress Coding
 
WordPress + OAuth
WordPress + OAuthWordPress + OAuth
WordPress + OAuth
 
Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015Design and Development Techniques for Accessibility: WordCamp Tampa 2015
Design and Development Techniques for Accessibility: WordCamp Tampa 2015
 
BuddyPress @ WordCamp
BuddyPress @ WordCampBuddyPress @ WordCamp
BuddyPress @ WordCamp
 
Global Voices - Democratising the web with Wordpress and Love
Global Voices - Democratising the web with Wordpress and LoveGlobal Voices - Democratising the web with Wordpress and Love
Global Voices - Democratising the web with Wordpress and Love
 
Developing for Success -or- Any Fool Can Do This
Developing for Success -or- Any Fool Can Do ThisDeveloping for Success -or- Any Fool Can Do This
Developing for Success -or- Any Fool Can Do This
 
Using Theme Frameworks for rapid development and sustainability
Using Theme Frameworks for rapid development and sustainabilityUsing Theme Frameworks for rapid development and sustainability
Using Theme Frameworks for rapid development and sustainability
 
Getting an eCommerce Site Running in 30 Minutes
Getting an eCommerce Site Running in 30 MinutesGetting an eCommerce Site Running in 30 Minutes
Getting an eCommerce Site Running in 30 Minutes
 
L’uso di WordPress nella comunicazione corporate di Telecom Italia
L’uso di WordPress nella comunicazione corporate di Telecom Italia L’uso di WordPress nella comunicazione corporate di Telecom Italia
L’uso di WordPress nella comunicazione corporate di Telecom Italia
 
WortdPress Child themes: Why and How
WortdPress Child themes: Why and HowWortdPress Child themes: Why and How
WortdPress Child themes: Why and How
 
Breaking up (your code) is hard to do
Breaking up (your code) is hard to doBreaking up (your code) is hard to do
Breaking up (your code) is hard to do
 
WordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChi
WordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChiWordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChi
WordPress 101 - Foundation Friday at WordCamp Chicago 2014 #WCChi
 
Por um wordpress mais seguro
Por um wordpress mais seguroPor um wordpress mais seguro
Por um wordpress mais seguro
 
Working Off Grid & Remote
Working Off Grid & RemoteWorking Off Grid & Remote
Working Off Grid & Remote
 
Wcoc preso
Wcoc presoWcoc preso
Wcoc preso
 
Introduction to WordPress Multisite
Introduction to WordPress MultisiteIntroduction to WordPress Multisite
Introduction to WordPress Multisite
 

Recently uploaded

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024Lonnie McRorey
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersRaghuram Pandurangan
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsNathaniel Shimoni
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????blackmambaettijean
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionDilum Bandara
 

Recently uploaded (20)

Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024TeamStation AI System Report LATAM IT Salaries 2024
TeamStation AI System Report LATAM IT Salaries 2024
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Generative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information DevelopersGenerative AI for Technical Writer or Information Developers
Generative AI for Technical Writer or Information Developers
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Time Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directionsTime Series Foundation Models - current state and future directions
Time Series Foundation Models - current state and future directions
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
What is Artificial Intelligence?????????
What is Artificial Intelligence?????????What is Artificial Intelligence?????????
What is Artificial Intelligence?????????
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
Advanced Computer Architecture – An Introduction
Advanced Computer Architecture – An IntroductionAdvanced Computer Architecture – An Introduction
Advanced Computer Architecture – An Introduction
 

WordCamp Orange County: WordPress Security Fundamentals

  • 2. aboutme Something Joseph Herbrandson Web design and infosec Committed to WordPress and website security since 2008 sucuri security Security Analyst - Cleaning up malware and protecting websites from infection everyday Website sucuri.net twitter.com/sucuri_security facebook.com/SucuriSec sucuri.net
  • 3. sucuri.net Sucurisecurity • Website security Company • Operate internationally • platform agnostic (wordpress, joomla, drupal, etc…) • scan 2 million websites per month • block 4 million attacks per month • remediate 400-500 sites per day • 24/7 operations
  • 4. The state of… theInternet sucuri.net 2.9 Billion Internet Users world wide About 950 million active sites internetlivestats.com ! 20% are wordpress…
  • 5. No 0% Threat Rule No such thing as perfect security. If someone REALLY wants in, they will find a way. 0- Day Attacks Brand new attacks using different methods make these impossible to plan for. 0-Day attacks are resolved once it has been studied, and fix has been published. Not just Wordpress! Security starts with everyday practices. All the wrong moves made off of your website, will still affect things on your website! sucuri.net securewp Notes On
  • 6. Who Are They? Hackersidentities sucuri.net Who are these Guys? - It can be anyone good with computers. - Intelligent and Mischievous; Enterprising and Effective. Where are they from? Most attacks come from Turkey, Syria, Tunisia, Brazil, Russia, China, and even the United States. !
  • 7. Brute Force sql injection ddos social engineering sucuri.net what’s going on here… commonattacktypes
  • 8. Hacked? Whyyou It’s nothing Personal Most attacks are automated and done on many websites at a time You're on the list Once you’re a target, you stay a target. Increasing your security is the best way to ask them to LEAVE YOU ALONE sucuri.net
  • 9. The $Billionspam ! Pharma and spam attacks Viagra, Cialis, and Levitra ads, make marketers over 2 BILLION dollars every year from blackhat methods of infecting websites, and redirecting users to websites selling prescription drugs. ! sucuri.net
  • 10. sucuri.net Sending a Message Hacktivists ! The hacktivists Turning your site into a billboard for anarchy and mayhem
  • 11. Pillarsofsecurity Your Security Frontline Disaster Prevention backups Basic Website Maintenance Staying current Common Sense Policies Access control WordPress Intrusion Preparation sucuri.net
  • 12. securedbackups Disaster Prevention Have a backup plan Playing defensively from the back is your best first line defense. Stored Remotely Away from your live server, and the clutches of an intruder. …more than one if possible! The more layers of your backup plan, the less likely it is to fail. Scheduled and Automated Don’t rely on yourself. sucuri.net
  • 13. backupSolutions Options for Vault PressWeb hosting Sucuri Backups sucuri.net
  • 14. wordpressUpdates The Importance of Your version is your level of security ! Major versus Maintenance releases ! Worried About upgrading? fear not! downgrading is a simple task ! Have an upgrade path sucuri.net As of June 2014: http://w3techs.com/technologies/details/cm-wordpress/3/all 36% 29% 6% 7% 11% 11% 3.0-3.4 3.5 3.6 3.7 3.8 3.9
  • 15. sucuri.net allinoneSEo recent vulnerability disclosure: Update!! ! no plugin is SAFE! ! educate yourself http://blog.sucuri.net/2014/05/vulnerability-found-in-the- all-in-one-seo-pack-wordpress-plugin.html Public Service Announcemnt…
  • 16. A little bit about passwordsecurity The tactics Sophisticated Password Guessing easier to crack than you think… ! Password Crack Times: - 8 letters = 52 seconds - 8 nums/letters = 11 minutes - with caps/!@#$… = 3 hours - 12 letters/nums/caps/!@#$ = 2 Thousand years sucuri.net
  • 17. mostusedpassWords The web’s No. Title Ranking Last Year 1 123456 2 2 password 1 3 12345678 3 4 qwerty 5 5 abc123 4 6 123456789 New 7 111111 9 sucuri.net The following are statistics showing the most used passwords in 2013, documented from lists stolen in major organization security breaches. (SplashData.com)
  • 18. passwordmanagers Tools of the trade: Lastpass keePass DashLane sucuri.net 1Password
  • 19. Case study cleanup Ftp/sftp File Management Basic file cleanup with FileZilla WordPress Version Archives https://codex.wordpress.org/WordPress_Versions (Google “WordPress versions”) Theme Backups Always know where to find a clean copy of your theme sucuri.net
  • 20. Infectedsite infection: blackhat seo spam injection Spam is displayed with Javascript turned off. Otherwise it’s hidden! Infection confirmed at the free Sucuri website scanner: http://sitecheck.sucuri.net Cleanup sucuri.net
  • 21. Cleanup removeandreplace wp-admin and wp-includes These directories are replaceable for cleanup and downgrading versions Replace other core files The other core files outside of these two directories can be uploaded to directly replace their counterparts do not delete wp-config.php or wp-content! These are vital to the functionality of your blog, and cannot be replaced easily, or without a backup. sucuri.net
  • 22. Cleanup removeandreplace pt.2 find your theme Your theme is replaceable if you
 haven’t made custom
 changes delete your old theme This is the most common place
 for infected WordPress files replace with clean copy Good as new! sucuri.net
  • 23. Cleanup cleansite cleanup accomplished: Your WordPress site is now spam free! ! sucuri.net
  • 24. sucuri.net A healthy dose of… paranoia worry about the right things: - Passwords versus Usernames - Web hosting - Plugin/Theme origin - Patching/Updating - Who your friends are