WP security-wordcamp2016-vitalykarasik


Transcript of WP security-wordcamp2016-vitalykarasik

Page 1

Intro to WordPress Security

or

Security for smart people

Vitaly Karasik
DevOps Consultant
www.vitalykarasik.com

WordCamp 2016
27.03.2016

Page 2

Page 3

Hacks Cost You More Than Money

• SEO rating

• Blacklisting

• Reputation - “It can take years to build, and minutes to lose.”

• Customer’s data leak

Page 4

Attack Types

• Exploit Vulnerabilities

• Brute Force

• DoS

Page 5

Page 6

How to prevent – Concepts

• Security is a process, not a task

• Limiting Access

• Containment

• Preparation and Knowledge

• Trusted Sources

Page 7

How to prevent – Methods

• Updates, Updates, Updates

• WordPress Plugins – only trusted, delete unused

• Credentials – usernames, passwords, dual-factor

• Limiting Access to WP Admin

• Server Hardening

• Database User Privileges

• FileSystem permissions
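The slide names file-system permissions as a hardening method but, being a slide, does not show what to check. The script below is an added example, not code from the talk or from the WordPress project: it audits a WordPress tree against the permission scheme in the Codex hardening guide linked on the Resources slide (directories 755, regular files 644, wp-config.php not readable by "other"), reports anything looser, and can apply that scheme. The sample tree it builds under mktemp is constructed for the demonstration, and the function names and finding labels are the example's own, not WordPress or Codex terms.

```shell
#!/bin/sh
# Added example: audit and harden file-system permissions on a WordPress tree.
# Scheme (WordPress Codex, Hardening WordPress): dirs 755, files 644,
# wp-config.php tightened so "other" cannot read it. Ownership is not covered.

FINDINGS=0

# flag <label> <find-args...>: print every path matched by find and count it.
# Output goes through a temp file so the loop runs in the current shell and
# FINDINGS survives (a pipeline would run the loop in a subshell).
flag() {
  label=$1; shift
  tmp=$(mktemp)
  find "$@" > "$tmp"
  while IFS= read -r p; do
    printf '%-20s %s\n' "$label" "$p"
    FINDINGS=$((FINDINGS + 1))
  done < "$tmp"
  rm -f "$tmp"
}

# audit_wp_perms <wordpress-root>: one line per finding; returns 0 only when clean.
audit_wp_perms() {
  root=$1
  FINDINGS=0
  # Anything writable by "other" (symlinks skipped; their mode is meaningless)
  flag WORLD-WRITABLE "$root" ! -type l -perm -0002
  # Group-writable directories and files not already reported above (755/644 expected)
  flag GROUP-WRITABLE-DIR "$root" -type d -perm -0020 ! -perm -0002
  flag GROUP-WRITABLE-FILE "$root" -type f -perm -0020 ! -perm -0002
  # wp-config.php holds DB credentials and salts: "other" must not read it
  if [ -f "$root/wp-config.php" ]; then
    flag CONFIG-OTHER-READ "$root/wp-config.php" -perm -0004
  fi
  [ "$FINDINGS" -eq 0 ]
}

# harden_wp_perms <wordpress-root>: apply the Codex scheme (dirs 755, files 644,
# wp-config.php 640 so the web server group can still read it).
harden_wp_perms() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 640 "$root/wp-config.php"
  fi
}

# make_sample_tree: constructed WordPress-like tree with deliberately loose
# permissions, used only for the demonstration. Prints its path.
make_sample_tree() {
  dir=$(mktemp -d)
  mkdir -p "$dir/wp-content/uploads" "$dir/wp-content/plugins/demo"
  printf '<?php // constructed sample config\n' > "$dir/wp-config.php"
  printf '<?php // constructed sample plugin\n' > "$dir/wp-content/plugins/demo/demo.php"
  : > "$dir/wp-content/uploads/image.jpg"
  chmod 755 "$dir" "$dir/wp-content" "$dir/wp-content/plugins"
  chmod 644 "$dir/wp-content/uploads/image.jpg"
  chmod 777 "$dir/wp-content/uploads"                  # bad: world-writable dir
  chmod 775 "$dir/wp-content/plugins/demo"             # bad: group-writable dir
  chmod 664 "$dir/wp-content/plugins/demo/demo.php"    # bad: group-writable file
  chmod 666 "$dir/wp-config.php"                       # bad: world-readable and -writable
  echo "$dir"
}

# Demo: audit the constructed tree, harden it, audit again.
demo=$(make_sample_tree)
echo "== before hardening =="
audit_wp_perms "$demo" || echo "$FINDINGS finding(s)"
harden_wp_perms "$demo"
echo "== after hardening =="
audit_wp_perms "$demo" && echo "clean"
rm -rf "$demo"
```

Run it against a real install as `audit_wp_perms /var/www/html` before touching anything; the audit only reads. The hardening function is the usual blanket 755/644 pass, so wp-content/uploads and cache directories that the web server process must write to will need to be re-opened for that user or group afterwards, which is the one place the Codex scheme has to be relaxed on purpose.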

Page 8

Tools and Services

• WP Plugins – WordFence, Sucuri

• DoS Protection, WAF – CloudFlare, Incapsula

• Security Scanners – LMD Scanner, WPScan

• WP Managed Hosting – WPEngine

Page 9

WordFence Firewall and Brute Force Protection

Page 10

WordFence Real-time Monitoring

Page 11

WordFence Reports

Page 12

Backups and Deployment

• Offsite Backup – UpdraftPlus

• Revision Control – Github, Bitbucket

• Automatic Deployment – Beanstalk

Page 13

Monitoring – be the first to know!

• Server Monitoring – Anturis, CloudWatch

• Website Monitoring – Anturis, Pingdom

• Logs Monitoring – Logz.io, Loggly

Page 14

Monitoring – Anturis Screenshot

Page 15

Resources

• WordPress Codex – http://codex.wordpress.org/Hardening_WordPress

• WordFence Blog – http://wordfence.com/blog

• Sucuri Blog – https://blog.sucuri.net/category/wordpress-security/

• WPScan – http://wpscan.org/

• LMD Scanner – https://www.rfxn.com/projects/linux-malware-detect/

• Security Plugins – http://researchasahobby.com/?p=1915

• Hack Target – https://hackertarget.com/wordpress-security-scan

Page 16

Thanks for listening!
Any Questions?

Vitaly Karasik
DevOps Consultant
www.vitalykarasik.com

WordCamp 2016
