https://www.sucuri.net https://blog.sucuri.net
Who are we?
● Globally distributed website security team
● Website Antivirus + Firewall
● Clean hundreds of websites per day
● Protect against countless attacks
● Platform agnostic
Who am I?
● Ben Martin @rngdmstrben
● Remediation Lead and malware slaya' at Sucuri
● Hails from Victoria BC
● ~2 years at the company cleaning websites
● Security / online privacy geek
● Music Producer & cat enthusiast
Building a Better Security Posture
● Security matters: All websites get attacked!
● Responsibility & safety
● Attackers go after low hanging fruit
● Peace of Mind
Security can be complicated but the principles are actually very simple :)
What is 'Security Posture'?
● Security is not just a service or software that can be purchased
● Security is an attitude
● Development of good habits
● Critical thinking + wee bit of healthy paranoia
There are NO silver bullet security solutions!
Be Proactive Not Reactive
● “We are intuitive. We drink water before we become dehydrated. We sleep before we become overtired. Most of the time, we automatically defend ourselves from germs and viruses, because we have consciously (and unconsciously) focused on preventative maintenance for our bodies and minds...Spend more time preventing problems and less time fixing issues that result from a compromise”
David L. Prowse
Common Myth!
● “Bob must have gone to some website that he shouldn't have!”
● All types of websites get attacked/compromised regardless of content
● You don't have to go to “sketchy” websites to find malware
Popular CMS = Targeted CMS
● WP is more than 20% of the Internet!
● Common targets for attackers
● Vulnerable plugins + themes are a big problem
Why would someone want to hack ME!?
● Automation – targeted attacks are usually reserved for big companies
● Same thing that motivates most bad behaviour: Money! $$$
● Phishing, malicious redirects, drive by downloads, blackhat SEO
● Defacements / Hacktivism
Security is a Priority
● We all want our websites to have excellent content, look nice and be easy to use. Add security to that list!
● You are responsible as a site owner
● Check up on your site security every time you log in – familiarize yourself with your environment
● Learn to recognize when something is out of place
What is POOR Security Posture?
● Avoiding plugin, theme & core updates
● Using “freemium” (pirated) plugins, themes or other software
● Lumping multiple websites/subdomains into the same hosting account
● Relying on the assumption that you won't be hacked because it is unlikely (?)
Responsibility
● Responsibility to protect your site visitors & yourself
● Protect your reputation & hard work! “Is this site safe?”
● Consider security a priority from day one
● Your visitors trust you & your website
Plugins
● Out of date / vulnerable software is the leading cause of website infection
● Less is more
● Decrease the attack surface
● Avoid old plugins and update update update!!!
● Also helps speed/memory of site
Passwords
● Other leading cause of infection
● Pass123 = no bueno
● Automated password attacks
● Reusing passwords = no bueno
● Use secure, encrypted protocols like SFTP or FTPS
Backups
● Backup your website. Always. ALWAYS.
● Your best friend on a rainy day
● Store them offline in a safe place
● Learn how to restore via FTP & database – this goes a long way
Practical Steps to Take
● UPDATE UPDATE UPDATE!!!
● Don't keep old software on your server
● Use a security plugin (Sucuri Scanner, Wordfence, iThemes, etc)
● Consider a firewall – paid & free options available
Practical Steps to Take pt. 2
● Default settings are inherently unsafe for all software/hardware!
● Exercise least privilege
● define( 'DISALLOW_FILE_EDIT', true );
● Verify your file permissions and ownership ( 644, 755 )
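One way to check the last two bullets on a server, as an added example that is not part of the original slides. The function names are hypothetical, and it assumes wp-config.php sits in the WordPress root passed as the first argument, with the second argument naming the account that should own every file.

```shell
#!/bin/sh
# Added example: audit a WordPress tree for the settings named on this slide.
# Usage: sh wp_audit.sh /path/to/wordpress expected-owner

# List files whose mode is not exactly 644 and directories not exactly 755.
wp_perm_findings() {
    find "$1" -type f ! -perm 644 -exec ls -ld {} \;
    find "$1" -type d ! -perm 755 -exec ls -ld {} \;
}

# Number of paths that deviate from 644/755.
wp_perm_count() {
    wp_perm_findings "$1" | wc -l | tr -d ' '
}

# Number of paths not owned by the expected account (name or numeric uid).
wp_foreign_owner_count() {
    find "$1" ! -user "$2" | wc -l | tr -d ' '
}

# Succeeds only when wp-config.php has an active (not //- or #-commented)
# define of DISALLOW_FILE_EDIT set to true. /* ... */ blocks are not parsed.
wp_file_edit_disabled() {
    grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php" 2>/dev/null
}

# Run all three checks; return non-zero if any of them fails.
wp_audit() {
    rc=0
    n=$(wp_perm_count "$1")
    [ "$n" -eq 0 ] || { echo "FAIL: $n path(s) not 644/755:"; wp_perm_findings "$1"; rc=1; }
    m=$(wp_foreign_owner_count "$1" "$2")
    [ "$m" -eq 0 ] || { echo "FAIL: $m path(s) not owned by $2"; rc=1; }
    wp_file_edit_disabled "$1" || { echo "FAIL: DISALLOW_FILE_EDIT is not set to true"; rc=1; }
    [ "$rc" -ne 0 ] || echo "OK: permissions, ownership and DISALLOW_FILE_EDIT look right"
    return "$rc"
}

if [ $# -ge 2 ]; then
    wp_audit "$1" "$2"
fi
```

A world-writable file such as mode 666 or a directory at 777 shows up in the first list with its full `ls -ld` line, which makes it easy to see what to correct.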
Lock Down /wp-admin
● Don't use admin name 'admin'
● Employ the use of a CAPTCHA
● Restrict access by IP address
● Don't forget to monitor who's logging in
Sucuri Scanner WP Plugin (free)
● Security activity auditing
● File integrity monitoring
● Remote malware scanning
● Website hardening
What if I get HACKED!?!?1
● This is when you really appreciate being proactive
● Website compromises are stressful but don't panic!
● Every problem has a solution
● Not a bad idea to disclose to your visitors
Protect Yourself Online
● All this talk about malware, how do I stay safe!?
● Antivirus obviously (yes even if you have a Mac)
● Practice good / responsible browsing habits
● Security browser extensions – NoScript, AdBlock, HTTPS Everywhere
● Web browser security can be annoying & inconvenient but is very important
visitorTracker_isMob( ){
● Very aggressive campaign targeting multiple vulnerabilities
● Ultimate goal is to redirect users to Nuclear Exploit Kit (Ransomware, Cryptolocker, other exploits)
● Many thousands of websites infected + blacklisted