Intro to Security (Beginner's Edition) WordCamp St. Louis 2015
0 likes609 views
This document is an introduction to WordPress security presentation by Michele Butcher. It discusses why security is important, how hackers gain access to sites, and basic security measures site owners can take including using strong passwords, updating plugins and themes regularly, using security plugins like iThemes Security, backing up sites frequently, and being aware of security best practices for logging into public WiFi and using VPNs. The presentation provides an overview of common WordPress security threats and mitigation strategies for beginners.
Intro to Security (Beginner's Edition) WordCamp St. Louis 2015
- 1. INTROTO SECURITY (BEGINNERS EDITION) Michele Butcher CantSpeakGeek.com WPSecurityLock.com @Michele_Butcher Slides can be found at http://mlb.pw/wcstl2015
- 2. MICHELE BUTCHER • WordPress Specialist, Site Cleaner, andTrainer for WP Security Lock • WordPress Specialist for Megabytes Inc • One Woman Wonder at Can’t Speak Geek @michele_butcher
- 4. EVERY DAY HACKERSTRYTO FIND WAYSTO GETYOUR INFORMATION. @michele_butcher
- 5. WHY DO HACKERS HACK? • Make bank • Build a zombie site army • Share their nasty malware with the world • Get your information • They are bored • They want to see if they can do it @michele_butcher
- 6. WHY ARETHESE PEOPLE ATTACKING ME? Anymore, it is not people but bots attacking your site. Hackers have programs that do the work for them. Rarely is it people doing the hacking unless it is targeted. Strong opinion sites are a good example. @michele_butcher
- 7. HOW DOTHEY GET IN? • Guess your login. If you know it so can someone else. (Brute force attack or man in the middle) • Denial of Service attack (DDoS) flood your site with more traffic than it can handle • Through a theme, file or plugin • Through your FTP or CPanel. (Files set to read, write,execute. Brute force, anonymous login, shared hosting infection) @michele_butcher
- 8. AND NOW FORTHE ONLY THING SCARYTHAT I AM GOINGTO SAY. @michele_butcher
- 9. YOU ARE NEVER 100% SECURE @michele_butcher
- 10. EVEN ATEST SITE OR A KNITTING SITE WITH ONLY 2 VISITORS CAN BE HACKED. IT CAN HAPPENTOYOUR SITE. @michele_butcher It has happened to me, it can happen to you.
- 11. DON’T LET SECURITY MAKE YOU LIKETHIS GUY. @michele_butcher
- 12. NEVER FEAR… THERE ARE WAYSTO KEEPTHE HACKER ATTACKERS OUT! @michele_butcher I promise it is not all that painful!
- 14. NEVER EVER EVER USE ADMIN AS USER NAME OR PASSWORD AS PASSWORD. NEVER! @michele_butcher Got it?
- 15. ALWAYS CHANGEYOUR PREFIX NAME FROM WP_ LET IT BE ANYTHING OTHERTHAN WP_ FDHSFJKHS_ IS ALWAYS GOOD I typically do not even look at what I am typing anymore when I make the WP prefix.The random the better. @michele_butcher
- 16. WHAT TO DO WHEN YOU HAVETEMPORARY PEOPLE INYOUR DASHBOARD @michele_butcher
- 17. ALWAYS USE SFTP Regular FTP is not secure. Do not use it unless the server is only set up for FTP.
- 18. Only give them access to what they NEED not what they want. Just because they want to be an admin does not automatically make them one. Guest bloggers should not be anymore than a contributor.
- 19. If it is only a temporary login, delete their login when they have completed their job. If they have posts on your site, you can knock them down to subscribers so they can not change anything on your site. If they are only doing work, delete them when their job is done.
- 20. Set up a file change detection notification to know what they are changing in your site. iThemes Security and other security plugins give you the option to see what all users are doing when logged into the dashboard.
- 22. ITHEMES SECURITY PRO Great all encompassing best practices WordPress security plugin. Two versions a free and a premium. http://ithemes.com/security @michele_butcher
- 23. BRUTE PROTECT If you are mainly worried about DDoS attacks, Brute Protect has you covered. http://bruteprotect.com @michele_butcher
- 24. WHO CAN SCAN MY SITE FOR MALWARE? Google Webmaster Tools http://google.com/webmaster VirusTotal https://virustotal.com iThemes Security Pro htttp://ithemes.com/security @michele_butcher
- 25. NEED AN EXTRA EYE ON YOUR SITE? CloudFlare has a free and premium version. http://cloudflare.com @michele_butcher
- 26. THINGSYOU CAN DOTO PROTECTYOUR WEBSITE
- 27. UPDATE! UPDATE! UPDATE! Update core, update plugins, update themes, update content, update everything and update often! The biggest source of nearly all hacks as once something is patched, it is trivial to get into the old stuff. @michele_butcher
- 28. IFYOU USETHEMES OR PLUGINS AT ANY OFTHE ENVATO (THEMEFOREST, CODE CANYON) ALWAYS CHECKTHE BOXTO BE NOTIFIED OF UPDATES.THEY WILL NOTTELLYOU OTHERWISE This is why the RevSlider SoakSoak infection was so widespread. Many didn't know the plugin was built within the theme.
- 29. HAVE A MINIMALIST APPROACH TO PLUGINS ANDTHEMES. • Only have the plugins you are using at that time on your site.You can always upload them again later. • Only have your theme you are using on your site. • If something is not active, delete it. @michele_butcher
- 30. BACK UPYOUR SITE! SOMEWHERE,ANYWHERE, JUST HAVE A BACKUP COPY. BackupBuddy from iThemes is a great choice. iThemes Security will do a database backup for you. http://ithemes.com/backupbuddy @michele_butcher
- 31. ALWAYS BACK UPTO SOMEPLACE OTHERTHANYOUR SERVER. IFTHE SERVER GETS HACKED, SO DOESYOUR BACKUP. EVEN BACKING A COPYTO DROPBOX ORYOUR COMPUTER IS A BETTER OPTION. @michele_butcher
- 32. DON’T LETYOUR SITE GET LONELY. Lonely sites can turn into zombie sites and nobody wants a zombie @michele_butcher
- 33. IFYOUR WEBSITE GET HACKED IT IS NOTTHE END OFTHE WORLD. IT CAN AND WILL BE FIXED. @michele_butcher
- 34. WHO CLEANS HACKED WEBSITES? Well I do over at WP Security Lock ~Smile~ http://wpsecuritylock.com I apologize… had to do one shameful plug. @michele_butcher
- 35. WHAT ARE OTHER WAYS I CAN BE MORE SECURE? @michele_butcher
- 36. ALWAYS USE COMPLEX PASSWORDS.ALWAYS! FOR EVERYTHING! “PASSWORD” IS NEVER A GOOD PASSWORD! @michele_butcher
- 37. NEVER EMAIL PASSWORDSTO ANYONE. INCLUDING YOURSELF. @michele_butcher
- 38. USE A DIFFERENT PASSWORD FOR EACH AND EVERYTHING YOU LOG INTO.
- 39. USE SOMETHING LIKE LASTPASS OR ONE PASSWORDTO SAVEYOUR PASSWORDS ANDTO SHARE PASSWORDS WITH OTHERS.
- 40. IFTHE LOGIN HAS A TWO-FACTOR AUTHENTICATION, USE IT! @michele_butcher
- 41. ANTI-VIRUS PROTECTYOUR UNIT! Yes I even have an anti-virus on my Mac! AVG and Avast have free versions as well as paid. Kaspersky is great with Windows and Macs. @michele_butcher
- 42. BE CONSCIOUS WHEN USING PUBLIC WIFI. @michele_butcher
- 43. USE AVPN WHEN CONNECTING OUT INTHE WILD. torguard.com @michele_butcher
- 44. UPDATE! UPDATE! UPDATE! Let me say this again
- 45. BACK UP EVERYTHING AND BACK IT UP OFTEN. IFYOU FEARYOU MIGHT LOSE INFORMATION, SAVE IT IN MORETHAN ONE SPOT. BITCASA, CARBONITE,AND EXTERNAL HARD DRIVES ARE GREAT OPTIONS OF BACKING UP DATA. @michele_butcher
- 47. THANKYOU FOR ATTENDING! Slides can be found at http://mlb.pw/wcstl2015 Michele Butcher @michele_butcher http://wpsecuritylock.com http://cantspeakgeek.com