Next up, @Dremeda’s talk on WordPress security.
Stay tuned below for live updates.
That’s it folks! Next up will be Michael Bastos, stay tuned on the blog.
Two main tools: VaultPress and BackupBuddy (by iThemes).
If you don’t have a backup schedule in place, you’re doing it wrong.
BACKUP BACKUP BACKUP
Make sure you have an incremental backup routine in place in case your site explodes.
In the demo, Dre is using LastPass. GREAT TOOL
If you’re using “01” or “password01” for bankofamerica and on wordpress.com and on aol.com, guess what: access to all the accounts.
USE DIFFERENT PASSWORDS
It’s 2013 and people are still using “password” as their password.
Users on Linkedin are using “linkedin” in their password.
are you kidding me?
* “Password” is still a top-5 actively used password
* use unique passphrases
* use different passwords across accounts
* Password management tools
audience question, “the script you ran, is that actually getting the password from the DB or from the text file?”
Dre: “From the txt file, it’s not actually getting into the database”
The video demo runs against his own site, dremeda.com, because if you try it on another site, it’s actually a felony.
[demoing a video right now]
Limit failed login attempts; this is a big deal.
This is not part of WordPress natively: a user can just pound your WordPress site and keep trying different passwords.
If a user tries 2 or 3 times, lock them out.
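Since WordPress does not lock out repeated failures on its own, here is the shape of that lockout as a small must-use plugin. This is an added example, not code from the talk or from WordPress itself (plugins that do this exist; this is just the idea in about forty lines). The thresholds (3 failures per 15 minutes), the `ex_` names and the per-IP keying are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Failed-login lockout (added example, not from the talk)
 *
 * Save as wp-content/mu-plugins/failed-login-lockout.php so WordPress
 * loads it automatically as a must-use plugin.
 */

// Thresholds are assumptions for this example: 3 failures per 15 minutes.
define( 'EX_LOCKOUT_MAX_ATTEMPTS', 3 );
define( 'EX_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS );

/**
 * Transient key for the requesting client. Keyed on REMOTE_ADDR; behind a
 * reverse proxy every request shares the proxy's address, so resolve the
 * real client address from a header you control before using this.
 */
function ex_lockout_key() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ex_lockout_' . md5( $ip );
}

function ex_lockout_is_locked() {
    return (int) get_transient( ex_lockout_key() ) >= EX_LOCKOUT_MAX_ATTEMPTS;
}

// Every failed login bumps the client's counter. The transient expires with
// the window, so an idle client unlocks itself without any cleanup job.
add_action( 'wp_login_failed', function ( $username ) {
    $key   = ex_lockout_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, EX_LOCKOUT_WINDOW );
} );

// Runs after WordPress's own username/password check (priority 20), so a
// locked client is refused even if it finally guesses the right password.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( ex_lockout_is_locked() ) {
        return new WP_Error(
            'ex_too_many_attempts',
            sprintf(
                '<strong>Error</strong>: Too many failed logins. Try again in %d minutes.',
                EX_LOCKOUT_WINDOW / MINUTE_IN_SECONDS
            )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that client.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( ex_lockout_key() );
}, 10, 2 );
```

Two things worth knowing when you run something like this: a rejection from the lock itself also fires `wp_login_failed`, so a client that keeps hammering keeps extending its own lockout; and counting per IP address catches the single pounding client the talk describes but not attempts spread across many addresses, so a per-username counter is the usual complement.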
Typically, one of the first users will remain as an admin, which means it’s fairly easy to figure out an admin account.
We talked about admin, everyone wants to be an admin.
Get rid of the admin user, that will help you.
It will only help a tiny bit; it’s easy to find an admin user for a WordPress site.
Do you remember arbitrary PHP execution? Viva viagra.
If it’s not in use, get rid of it.
“No soup kitchen servers”
* WordPressers act like they forgot about DEV
* Cross-contamination is a big deal
* segment by user and account
* Not active, not good enough.
SEGMENT where you can, different servers is better.
The Codex has a huge write-up on WordPress security
Don’t cowboy code, don’t test in production, always test stuff before going into production.
Do your homework.
If you have a developer that throws up their arms when you want to upgrade, find a new developer that will help you find a way to upgrade.
You will see a lot of the feature sets in the major releases (3.5, 3.6, etc.); the minor releases (3.5.1) are bug fixes, patches, etc.
You need to stay up to date.
“who’s scared to upgrade?”
We’ve all been there.
The challenge is that someone developed something poorly, not following best practices or using the WordPress API, and so not maximizing the opportunity to upgrade.
“Keep software updated”
* leading cause for infection along with passwords
* scared to upgrade because stuff breaks?
* major vs point release
* run upgrade tests
* do your homework
“password” is NOT A GOOD PASSWORD
When you have all your websites on one production server, you are at the most risk, because one site could get infected and spread to the others.
“Cut out the noise”
* Keep software updated
* no soup kitchen servers
* reduce access
* password management
* backup schedule
from the audience, “a support tech answering your ticket should never be asking for your root password, right?”
Dre: “I wouldn’t be comfortable with that. Your password is now in the clear.”
“THE PERCENTAGE OF RISK WILL NEVER BE ZERO”
Outdated software is your responsibility; keep it up to date. Unless you’re using managed hosting, then it’s their responsibility.
“How does this happen?”
1) Outdated software
2) exploited FTP passwords
3) Hosting issue
4) Exploit (ZERO DAY)
Your SEO rankings say “buy amoxicillin”, but you don’t see it when you look at the site. That’s malware.
“Have you seen these popups? ‘your computer is infected’ .. they are targeting you to get an anti-virus that you don’t need, so you’re *paying* to infect yourself”
“Do you remember seeing that big red banner? ‘SOMETHING IS WRONG’. Google is REALLY accurate with this, so trust it.”
“How bad is it?”
It’s pretty damn bad.
2 million+ new malware strings monthly
Costs US consumers over $2B yearly
Google issues 3MM+ warnings *DAILY*
Google blacklists 10k websites DAILY on average
“It’s not all Peachy”
Malware, short for malicious software: software designed to disrupt operations, gather information, or gain unauthorized access.
* monitor your website browsing & internet usage
Malware is an opportunistic attack: hit as many people as possible to maximize profitability, through affiliate marketing and more.
[wow, Dre can talk REALLY fast, trying to stay up with him]
The Internet Rocks, a few stats:
* 2 billion Internet users today
* 480% growth in the last 11 years
* 100,000+ domains gained weekly
* 2 billion sites in 2015
Great to see you too Dre :)
Shout to me, woot! @dingman
TITLE: “Real Security for WordPress”
WordCamp 2013…WOW we’re already here