Next up, @Dremeda’s talk on WordPress security.
Stay tuned below for live updates.
WordCamp 2013…WOW we’re already here
TITLE: “Real Security for WordPress”
Shout to me, woot! @dingman
Great to see you too Dre :)
The Internet Rocks, a few stats:
* 2 billion Internet users today
* 480% growth in the last 11 years
* 100,000+ domains gained weekly
* 2 billion sites in 2015
“It’s not all Peachy”
Malware, short for malicious software: a software designed to disrupt operations, gather information, or gain unauthorized access
* monitor your website browsing & internet usage
Malware is opportunistic attacks. Attack as many people as possible maximize their profitability, affiliate marketing and more.
[wow, Dre can talk REALLY fast, trying to stay up with him]
“How bad is it?”
It’s pretty damn bad.
2 million+ new malware strings monthly
Costs US consumers over $2B yearly
Google issues 3MM+ warnings *DAILY*
Google blacklists 10k websites DAILY on average
“Do you remember seeing that big red banner? “SOMETHING IS WRONG” and Google is REALLY accurate with this, so trust it”
“Have you seen these popups? ‘your computer is infected’ .. they are targeting you to get an anti-virus that you don’t need, so you’re *paying* to infect yourself”
Your SEO rankings say “buy amoxicillin, but you don’t see it when you look at the site. that’s malware.
“How does this happen?”
1) Outdated software
2) exploited FTP passwords
3) Hosting issue
4) Exploit (ZERO DAY)
Outdated software is your responsibility, keep it up to date. Unless you’re using a managed hosting, then it’s their responsibility.
“THE PERCENTAGE OF RISK WILL NEVER BE ZERO”
from the audience, “a support tech answering your ticket should never be asking for your root password, right?”
Dre, “I wouldn’t be comfortable with that. your password is now in the clear”
“Cut out the noise”
* Keep software updated
* no soup kitchen servers
* reduce access
* password management
* backup schedule
When you have all your websites on your production server, the most risk you are at because one site could get infected and spread
“password” is NOT A GOOD PASSWORD
“Keep software updated”
* leading cause for infection along with passwords
* scared to upgrade because stuff breaks?
* major vs point release
* run upgrade tests
* do your homework
“who’s scared to upgrade?”
We’ve all been there.
the challenge is that someone developed something in a poor way and they developed not using best-practices or using the WordPress API. Not maximizing the opportunity to upgrade.
You will see a lot of the feature sets in the major release, 3.5, 3.6, etc. the minor releases, 3.5.1 are bug fixes, patches, etc.
You need to stay up to date.
If you have a developer that throws up their arms when you want to upgrade, find a new developer that will help you find a way to upgrade.
Don’t cowboy code, don’t test in production, always test stuff before going into production.
Do your homework.
The Codex has a huge write-up on WordPress security
“No soup kitchen servers”
* WordPressers act like they forgot about DEV
* Cross-contamination is a big deal
* segment by user and account
* Not active, not good enough.
SEGMENT where you can, different servers is better.
Do you remember arbitrary PHP execution? Viva viagra.
If it’s not in use, get rid of it.
We talked about admin, everyone wants to be an admin.
Get rid of the admin user, that will help you.
It will only help a tiny bit, it’s easy to find an admin user for a WordPress site
Typically, one of the first users will remain as an admin, which means it’s fairly easy to figure out an admin account.
Limit failed login attempts, this is a big deal.
This is not part of WordPress natively, a user can just pound your WordPress site and keep trying different passwords.
If a user tries 2 or 3 times, lock them out
[demoing a video right now]
The video demo is demoing it on his own site, dremeda.com, because if you try it another site, it’s actually a felony.
audience question, “the script you ran, is that actually getting the password from the DB or from the text file?”
Dre: “From the txt file, it’s not actually getting into the database”
* Password still top 5 actively used password
* use unique passphrases
* use different passwords across accounts
* Password management tools
it’s 2013 and people are still using “password” as their password”
Users on Linkedin are using “linkedin” in their password.
are you kidding me?
If you’re using “01” or “password01” for bankofamerica and on wordpress.com and on aol.com, guess what, access to all the accounts.
USE DIFFERENT PASSWORDS
In the demo, Dre is using LastPass. GREAT TOOL
If you don’t have a backup schedule in place, you’re doing it wrong.
BACKUP BACKUP BACKUP
Make sure you have a incremental backup routine in place in case your site explodes
Two main tools, VaultPress and BackupBuddy (by iThemes)
That’s it folks! Next up will be Michael Bastos, see tuned on the blog.