8/1/2015
Please Ask Questions!

Hacks In The News
  - Office of Personnel Management (OPM)
  - Flash vulnerabilities
  - Sony
  - Heartbleed
  - iCloud leaked pictures
  - Home Depot/Target credit card loss
  - NSA metadata
Security x Convenience = Constant
Some security issues are out of your hands
Why Does WordPress Get Hacked?
  - Widely used
  - Thousands of plugins that are not monitored by any single source
  - Same reasons Windows gets hacked more

What Happens When Your Site Gets Hacked
  - Spam links
  - Infects other sites
  - Political messages

Security Helps SEO
Keep WordPress And Plugins Updated
  - Also remove plugins and themes you're not using

Protect Your Login
  - Weak or common passwords
  - Brute force attacks

Adobe Password Leak
  - Last summer, Adobe lost 150 million passwords
  - The passwords had flaws in their encryption that let hackers easily reverse engineer the password list

Top 100 Most Common Passwords

Improve Password Security
  - Use a password with upper case, lower case, numbers and symbols
  - Use at least 9 characters
  - Do not use a word that is found in a dictionary
  - Use a separate password for each of your sites

Protect Your Login
  - Do not use "admin" as your admin name
  - Use a password manager like LastPass or Roboform to generate and store passwords
  - Use SFTP and not FTP
Be Aware of Insecure Access

Increase Password Security
  - Use two factor authentication
  - Google Authenticator

Use A VPN (Virtual Private Network)
  - Check your home router to see if it has this functionality built in

Keep Your Sites Up To Date

Google Webmaster Tools
  - Early warning system
  - Will also give you SEO tips

Include A Security Plugin
  - Stops brute force password attacks
  - Scans for core code changes
  - Notifies you of out of date WP and plugins
  - Blocks entire countries
  - Takes care of a lot of manual blocking

Other Quick Tips
  - Change the default database table prefix from wp_
  - Change your authentication keys in wp-config.php (…g/secret-key/1.1/salt/)
What Is SSL?
  - Paid: cheap (Comodo), expensive (Verisign)
  - Free: Comodo (for 90 days); EFF's (out in September); https://startssl.com (free for personal use)
  - Self signed: just for security

Make Sure WordPress Knows To Use SSL
  - Force SSL login directive in wp-config.php
  - WordPress HTTPS (SSL) plugin: hasn't been updated in a while, but it is a pretty simple plugin

Brief Overview Of WordPress File Structure
  / (the root)
  /wp-admin/
  /wp-includes/
  /wp-content/
    /themes
    /plugins
    /uploads
    /upgrade

Check Your Permissions
  - Only allow the web server to read and write; everyone else can only read
  - Files: 664
  - Directories

Stop Key Files From Executing
  .htaccess in /wp-content/uploads and /wp-includes:
      deny from all

Stop Key Files From Executing
  .htaccess for wp-config.php:
      order allow,deny
      deny from all

Restrict Dashboard And Posting To Specific IP Address
  .htaccess in wp-admin:
      order deny,allow
      deny from all
      Allow from xx.xxx.xxx.xxx
  Find your own address at WhatIsMyIP.com
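As an added example (not part of the original slides), a small shell audit of the "Other Quick Tips" and "Check Your Permissions" items above: it flags a wp-config.php that still uses the wp_ table prefix or the sample file's placeholder keys, and counts files writable by "everyone else". The sample install, its prefix and key values are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example, not from the slides: audit a WordPress tree against three of
# the items above (non-default table prefix, changed authentication keys in
# wp-config.php, and nothing writable by "everyone else"). The sample site
# and every value in it are constructed here for the demonstration.

# Succeeds (exit 0) when $table_prefix in the given wp-config.php is still wp_.
default_prefix_in_use() {
  grep -Eq '^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$1"
}

# Succeeds when any key/salt still carries the wp-config-sample.php placeholder.
placeholder_keys_in_use() {
  grep -q 'put your unique phrase here' "$1"
}

# Prints how many files/directories under $1 are writable by "other"
# (the slides want 664 files: owner and group write, everyone else read-only).
count_world_writable() {
  find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

# Writes a minimal wp-config.php: $1 path, $2 table prefix, $3 AUTH_KEY value.
write_config() {
  printf "<?php\n\$table_prefix = '%s';\ndefine('AUTH_KEY', '%s');\n" "$2" "$3" > "$1"
}

# Builds a constructed sample install in a temp dir and prints its path:
# a weak wp-config.php, a hardened one, and one loose file under uploads.
build_sample_site() {
  local d
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads"
  chmod 775 "$d/wp-content" "$d/wp-content/uploads"
  write_config "$d/wp-config.php" 'wp_' 'put your unique phrase here'
  write_config "$d/wp-config.hardened.php" 'q9z_' 'constructed-random-key-value'
  : > "$d/wp-content/uploads/ok.txt";    chmod 664 "$d/wp-content/uploads/ok.txt"
  : > "$d/wp-content/uploads/loose.txt"; chmod 666 "$d/wp-content/uploads/loose.txt"
  chmod 664 "$d"/wp-config*.php
  echo "$d"
}

# Runs the three checks against $1 and prints a short report.
audit_site() {
  default_prefix_in_use "$1/wp-config.php" && echo "FAIL: default wp_ table prefix"
  placeholder_keys_in_use "$1/wp-config.php" && echo "FAIL: placeholder authentication keys"
  echo "world-writable entries: $(count_world_writable "$1")"
}
audit_site "$(build_sample_site)"
```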
Use A CDN (Content Distribution Network)
  - Speeds up your site
  - Visitors get something even if your site is down

Revert To Backup
  - Hosting provider
  - BackUpWordPress
  - VaultPress
  - WP-DB-Backup
  - Strategy

Cleaning Up
  - Back up what you have, including the database, and move it offline.
  - Completely replace wp-admin and wp-includes.
  - Re-install all plugins from the source.
  - Check all of the files in your theme.
  - Delete everything else.

Questions?

Twitter.com/ccondray 9/26/2012