From https://www.meetup.com/Milwaukee-WordPress-MeetUp/events/233147375/
About the Topic:
Due to popular request ("security" was the #1 ranked topic in our recent member poll), Geoff Myers of SimDex Consulting, Inc. will be presenting a general overview of WordPress security best practices to help you prevent your site from being hacked, attacked, infected, compromised, or otherwise negatively affected by third parties, human or bot.
Subtopics of this presentation will include – but are not limited to – the following:
— Apache / NGINX configuration (web server / host)
— Automatic backups (best practice)
— Automatic updates (best practice)
— CloudFlare (service / CDN)
— iThemes Security (plugin)
— PHP configuration (web server / host)
— Recovering after a hack (post-hack cleanup)
— StatusCake (uptime monitoring service)
— Sucuri (service / plugin)
— Uptime Robot (uptime monitoring service)
— Wordfence (plugin)
— And more!
About the Speaker:
Geoff Myers has been involved in and excited about business, marketing, design, and technology since 2004, when he founded SimDex Consulting, Inc. at the age of 14 in his hometown of Saint Paul, Minnesota. Although SimDex originally started as an IT consulting and support company, it evolved into a web design and development agency by 2008, and eventually matured into a full-service digital marketing consulting firm by 2016, specializing in custom WordPress web application development. For more than 12 years, Geoff has been designing and coding for the web while also growing his – and his clients' – businesses through the application of strategic marketing technologies and the development of custom-built, user-focused web applications.
Geoff originally started out building static websites with Dreamweaver in HTML and CSS, but shifted to using the Joomla! content management system (CMS) by 2008, when version 1.5 was released. In 2010, he fell in love with – and became addicted to – WordPress and its community. Since then, Geoff has designed, developed, marketed, managed, and maintained over 60 WordPress-powered websites for a wide variety of clients in terms of industry, size, type, and location. Lately, Geoff has focused on building highly personalized web applications and integrations for WordPress using PHP and MySQL, the building blocks of WordPress itself.
Questions? Contact Geoff:
Geoff Myers
President + CEO | SimDex Consulting, Inc.
geoff@simdex.org | www.simdex.org
651.447.6247 | 414.455.6675
2. GEOFF@SIMDEX.ORG | WWW.SIMDEX.ORG | 414.455.6675
BEFORE WE BEGIN…
THIS PRESENTATION IS AVAILABLE ONLINE:
simdex.org/security
Get In Touch:
geoff@simdex.org
simdex.org
414.455.6675
ANNOUNCEMENTS
▸ WordPress Page Builders for Non-Developers (Create Visual Layouts Without Code)
Tuesday, August 30 @ 9:00am — 11:00am
C2 Graphics Productivity Solutions
▸ WordCamp Milwaukee
Saturday, September 17 — Sunday, September 18
UW-Milwaukee School of Continuing Education
▸ Looking for additional speakers, venues, topics, ideas, etc.
Share your ideas on Meetup, email geoff@simdex.org, or call 414.455.6675
ABOUT GEOFF MYERS
▸ Founded SimDex Consulting, Inc. in 2004
▸ Web Solutions for Small + Medium Sized Businesses
▸ Digital Marketing Consultant + Strategist
▸ 10+ Years as Full Stack Web Designer + Developer
▸ 5+ Years of WordPress Development Experience
▸ 50+ WordPress Sites Built, Maintained + Marketed
▸ Academic Background in Computer Science
▸ Get In Touch: geoff@simdex.org or simdex.org or 414.455.6675
WORDPRESS MAINTENANCE PLAN FROM SIMDEX
How You Benefit:
▸ We Do Everything For You
▸ Unlimited Minor Changes + Revisions
▸ 24 Hour Response Time Guaranteed
▸ Your Total Peace of Mind
▸ Monthly Phone Consultations
▸ No Hourly Fees or Additional Costs
WORDPRESS MAINTENANCE PLAN FROM SIMDEX
Features + Services Included:
▸ Backups
▸ Monitoring
▸ Speed
▸ Changes
▸ Reports
▸ Support
▸ Consulting
▸ Security
▸ Updates
DON'T GET HACKED: WORDPRESS SECURITY BEST PRACTICES
WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 1)
▸ Low security = high risk
▸ Financial loss, debt, bankruptcy
▸ Legal liability, personal liability
▸ Privacy breach, violation
▸ Data theft, loss, corruption
▸ Damage to professional brand, reputation, customer trust
▸ Bad for business, bad for customers, bad for everyone
WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 2)
▸ 86% of all websites tested by WhiteHat Sentinel had at least one serious* vulnerability, and most of the time, far more than one – 56% to be precise.
▸ On average, 61% of these vulnerabilities were resolved, but doing so required an average of 193 days from the first customer notification.
▸ Insufficient transport layer protection is the most likely vulnerability across vertical industries including retail trade, health care/social assistance, information technology and financial/insurance, with a range of 65-76% likelihood.
▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
WHY SHOULD I CARE ABOUT WEBSITE SECURITY? (PART 3)
▸ Organizations that are compliance-driven to remediate vulnerabilities have the lowest average number of vulnerabilities (12 per website) and the highest remediation rate (86%).
▸ Organizations that have made the vulnerability feed-to-development process connection exhibited roughly 40% fewer vulnerabilities, fixed issues nearly a month faster on average and increased remediation rates by 15%.
▸ Considering sites in health care, retail trade and finance were found to be “always vulnerable,” their remediation rates are relatively low at 20%, 21%, and 27% respectively.
▸ Source: WhiteHat Security 2015 Website Security Statistics Report Reveals the Need to Identify Security Metrics Most Important for Vulnerability Remediation
USEFUL DEFINITIONS (PART 1)
‣ Apache + NGINX = Web Server Software
‣ CDN = Content Delivery / Distribution Network
‣ DNS = Domain Name System
‣ DoS = Denial of Service Attack
‣ DDoS = Distributed DoS Attack
‣ Freemium = Free + Premium (Paid)
‣ HTTPS = Hypertext Transfer Protocol Secure
USEFUL DEFINITIONS (PART 2)
‣ MySQL = Relational Database Management System (RDBMS)
‣ OWASP = Open Web Application Security Project
‣ PHP = Server-Side Scripting Language
‣ SSL = Secure Sockets Layer
‣ TLS = Transport Layer Security
‣ WAF = Web Application Firewall
WHAT AFFECTS WEBSITE SECURITY?
‣ Network Infrastructure (Everything Between Client + Server)
‣ Web Browser / Client (Chrome, Firefox, Safari)
‣ Web Application (WordPress, etc.) ★
‣ Web Server (Configuration) ★
‣ Apache, NGINX, PHP, MySQL
‣ TLS / SSL Certificate
‣ Web Application Firewall (WAF)
GENERAL WORDPRESS SECURITY ADVICE + BEST PRACTICES
‣ Keep Software Updated (Use Latest Versions) ★
‣ WordPress Core + Themes + Plugins
‣ Apache / NGINX + PHP + MySQL
‣ Regularly Save Backups ★
‣ Harden Software Configuration
‣ Use HTTPS + TLS / SSL Certificate
‣ Use Web Application Firewall (WAF)
CLOUDFLARE SECURITY FEATURES (PART 1)
▸ Reputation-based threat protection
▸ Comment spam protection
▸ Content scraping protection
▸ Block visitors by IP range
▸ Block visitors by country 💵
▸ Deploy collective intelligence to identify new threats
▸ Notify visitors on how to clean their infected machine
▸ Basic DDoS protection
CLOUDFLARE SECURITY FEATURES (PART 2)
▸ Web application firewall (WAF) 💵
▸ Built-in CloudFlare rule set 💵
▸ OWASP ModSecurity Core rule set 💵
▸ 3rd Party WAF rule sets 💵
▸ Custom WAF rule support 💵
▸ Advanced DDoS protection 💵
▸ Advanced DDoS support 💵
▸ BGP origin protection 💵
iTHEMES SECURITY PLUGIN FEATURES (PART 1)
▸ Prevents brute force attacks by banning hosts and users with too many invalid login attempts
▸ Scans your site to instantly report where vulnerabilities exist and fixes them in seconds
▸ Bans troublesome user agents, bots and other hosts
▸ Strengthens server security
▸ Enforces strong passwords for all accounts of a configurable minimum role
iTHEMES SECURITY PLUGIN FEATURES (PART 2)
▸ Forces SSL for admin pages (on supporting servers)
▸ Forces SSL for any page or post (on supporting servers)
▸ Turns off file editing from within WordPress admin area
▸ Detects and blocks numerous attacks to your filesystem and database
▸ Detects bots and other attempts to search for vulnerabilities
iTHEMES SECURITY PLUGIN FEATURES (PART 3)
▸ Monitors filesystem for unauthorized changes.
▸ Run a scan for malware and blacklists on the homepage of your site.
▸ Receive email notifications when someone gets locked out after too many failed login attempts or when a file on your site has been changed.
▸ Changes the URLs for WordPress dashboard areas including login, admin and more
▸ Completely turns off the ability to login for a given time period (away mode)
iTHEMES SECURITY PLUGIN FEATURES (PART 4)
▸ Removes theme, plugin, and core update notifications from users who do not have permission to update them
▸ Removes Windows Live Writer header information
▸ Removes RSD header information
▸ Renames "admin" account
▸ Changes the ID on the user with ID 1
iTHEMES SECURITY PLUGIN FEATURES (PART 5)
▸ Changes the WordPress database table prefix
▸ Changes wp-content path
▸ Removes login error messages
▸ Makes it easier for users not accustomed to WordPress to remember login and admin URLs by customizing default admin URLs
▸ Detects hidden 404 errors on your site that can affect your SEO such as bad links and missing images
WORDFENCE SECURITY PLUGIN FEATURES (PART 1)
▸ Web Application Firewall stops you from getting hacked by identifying malicious traffic, blocking attackers before they can access your website.
▸ Threat Defense Feed automatically updates firewall rules that protect you from the latest threats. Premium members receive the real-time version.
▸ Block common security threats like fake Googlebots, malicious scans from hackers and botnets.
▸ Real-time blocking of known attackers. If another site using Wordfence is attacked and blocks the attacker, your site is automatically protected.
▸ Block entire malicious networks. Includes advanced IP and Domain WHOIS to report malicious IPs or networks and block entire networks using the firewall. Report security threats to network owner.
WORDFENCE SECURITY PLUGIN FEATURES (PART 2)
▸ Rate limit or block security threats like aggressive crawlers, scrapers and bots doing security scans for vulnerabilities in your site.
▸ Choose whether you want to block or throttle users and robots who break your security rules.
▸ Premium users can also block countries and schedule scans for specific times and a higher frequency.
▸ Sign-in using your password and your cellphone to vastly improve login security. This is called Two Factor Authentication and is used by banks, government agencies and military world-wide for highest security authentication.
▸ Includes two-factor authentication, also referred to as cellphone sign-in.
WORDFENCE SECURITY PLUGIN FEATURES (PART 3)
▸ Enforce strong passwords among your administrators, publishers and users. Improve login security.
▸ Checks the strength of all user and admin passwords to enhance login security.
▸ Includes login security to lock out brute force hacks and to stop WordPress from revealing info that will compromise security.
▸ Scans for the Heartbleed vulnerability - included in the free scan for all users.
▸ Scans core files, themes and plugins against WordPress.org repository versions to check their integrity. Verify security of your source.
WORDFENCE SECURITY PLUGIN FEATURES (PART 4)
▸ See how files have changed. Optionally repair changed files that are security threats.
▸ Scans for signatures of over 44,000 known malware variants that are known security threats.
▸ Scans for many known backdoors that create security holes including C99, R57, RootShell, Crystal Shell, Matamu, Cybershell, W4cking, Sniper, Predator, Jackal, Phantasma, GFS, Dive, Dx and many, many more.
▸ Continuously scans for malware and phishing URLs including all URLs on the Google Safe Browsing List in all your comments, posts and files that are security threats.
▸ Scans for heuristics of backdoors, trojans, suspicious code and other security issues.
WORDFENCE SECURITY PLUGIN FEATURES (PART 5)
▸ Includes a firewall to block common security threats like fake Googlebots, malicious scans from hackers and botnets.
▸ See all your traffic in real-time, including robots, humans, 404 errors, logins and logouts and who is consuming most of your content. Enhances your situational awareness of which security threats your site is facing.
▸ A real-time view of all traffic including automated bots that often constitute security threats that Javascript analytics packages never show you.
▸ Real-time traffic includes reverse DNS and city-level geolocation. Know which geographic area security threats originate from.
▸ Monitor your DNS security for unauthorized DNS changes.
WORDFENCE SECURITY PLUGIN FEATURES (PART 6)
▸ Monitors disk space which is related to security because many DDoS attacks attempt to consume all disk space to create denial of service.
▸ Wordfence Security for multi-site also scans all posts and comments across all blogs from one admin panel.
▸ WordPress Multi-Site (or WordPress MU in the older parlance) compatible.
▸ Includes Falcon Engine, the fastest WordPress caching engine available today. Falcon is faster because it reduces your web server disk and database activity to a minimum.
▸ Wordfence includes two caching modes for compatibility and has cache management features like the ability to clear the cache and monitor cache usage.
WORDFENCE SECURITY PLUGIN FEATURES (PART 7)
▸ Fully IPv6 compatible including all whois lookup, location, blocking and security functions.
▸ Includes support for other major plugins and themes like WooCommerce.
▸ The Wordfence website includes an in-depth WordPress Security Learning Center.
GEOFF’S WEBSITE SECURITY CHECKLIST (PART 1)
‣ Set up automated backups for WordPress files + database using UpdraftPlus
‣ Set up automated updates for WordPress core + themes + plugins using Easy Updates Manager
‣ Sign up for and enable CloudFlare
‣ Install free SSL certificate from CloudFlare or Let’s Encrypt
GEOFF’S WEBSITE SECURITY CHECKLIST (PART 2)
‣ Change both URLs in WordPress Settings → General to use HTTPS instead of HTTP
‣ Force HTTPS on all web server resources using .htaccess
‣ Replace all website URL instances of HTTP with HTTPS using Better Search Replace plugin
‣ Install and configure iThemes Security plugin
‣ Install and configure Wordfence Security plugin OR sign up for Sucuri Security
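The checklist reaches for Better Search Replace rather than a raw SQL REPLACE because WordPress stores many options (widgets, theme mods, menus) as PHP-serialized arrays in which every string carries a byte-length prefix; a blind swap of http:// for https:// changes those lengths and PHP can no longer unserialize the row. The Python below is an added example, not code from the talk or from the plugin: a minimal length-aware replace run over constructed wp_options values, with a checker that shows why the naive replace corrupts them. Its serialized-data test is a simplified stand-in for WordPress's own is_serialized().

```python
import re

# Header of a PHP-serialized string token: s:<byte length>:"
_STR_HDR = re.compile(r's:(\d+):"')
# Simplified stand-in for WordPress's is_serialized(): arrays, objects, strings.
_SERIALIZED = re.compile(r'^(?:a|O):\d+:|^s:\d+:"')


def _walk_strings(value, transform):
    """Walk serialized data, apply transform() to each string payload and
    rewrite its s:N:"..." token with the correct UTF-8 byte length.
    Returns None when a declared length does not land on the closing '";'."""
    out, i = [], 0
    while i < len(value):
        m = _STR_HDR.match(value, i)
        if not m:                      # not a string token: copy one char
            out.append(value[i])
            i += 1
            continue
        n, start = int(m.group(1)), m.end()
        # PHP lengths count bytes, so slice the payload as UTF-8 bytes.
        payload = value[start:].encode('utf-8')[:n].decode('utf-8', 'replace')
        end = start + len(payload)
        if value[end:end + 2] != '";':
            return None                # length prefix is wrong: corrupt data
        new = transform(payload)
        out.append(f's:{len(new.encode("utf-8"))}:"{new}";')
        i = end + 2
    return ''.join(out)


def search_replace_option(value, old, new):
    """Serialization-aware replace for one wp_options value: plain strings get
    a plain replace, serialized data gets its length prefixes recomputed."""
    if not _SERIALIZED.match(value):
        return value.replace(old, new)
    fixed = _walk_strings(value, lambda s: s.replace(old, new))
    if fixed is None:
        raise ValueError('not well-formed PHP serialized data')
    return fixed


def is_well_formed(value):
    """True if every s:N:"..." token in the value has a correct length."""
    return _walk_strings(value, lambda s: s) is not None


# Constructed sample rows: what wp_options may hold before a move to HTTPS.
SAMPLE_OPTIONS = {
    'siteurl': 'http://example.com',
    'theme_mods_demo': 'a:2:{s:4:"home";s:18:"http://example.com";'
                       's:4:"logo";s:27:"http://example.com/logo.png";}',
}

if __name__ == '__main__':
    for name, val in SAMPLE_OPTIONS.items():
        naive = val.replace('http://', 'https://')   # what a raw SQL REPLACE does
        fixed = search_replace_option(val, 'http://', 'https://')
        print(f'{name}: naive valid={is_well_formed(naive)} fixed valid={is_well_formed(fixed)}')
```

Running it shows the plain siteurl survives either way, while the serialized theme_mods row is only valid after the length-aware replace.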
HELP! I’VE BEEN HACKED… NOW WHAT?!
▸ Post-Hack Cleanup Options (easiest to hardest):
1. Restore Pre-Hack Backup
2. Sign Up for Sucuri
3. Pay a Professional like SimDex
4. Scan + Clean It Yourself
THAT’S IT FOR NOW…
THANK YOU!
Questions?
Get In Touch:
geoff@simdex.org
simdex.org
414.455.6675