https://www.sucuri.net https://blog.sucuri.net

Why security matters

Who are we?

● Globally distributed website security team

● Website Antivirus + Firewall

● Clean hundreds of websites per day

● Protect against countless attacks

● Not just WordPress but any other platform too

Who am I?

● Ben Martin @rngdmstrben

● Security Analyst at Sucuri

● Hails from Victoria BC

● 1.5 years at the company cleaning websites

● Security / online privacy geek

● Certified Music Producer

Why does security matter?

● All websites get attacked

● Responsibility & safety

● Attackers go after low hanging fruit

● Peace of Mind

Common Myth!

● “Bob must have gone to some website that he shouldn't have!”

● All types of websites get attacked/compromised regardless of content

● You don't have to go to “sketchy” websites to find malware

Be Proactive Not Reactive

● “We are intuitive. We drink water before we become dehydrated. We sleep before we become overtired. Most of the time, we automatically defend ourselves from germs and viruses, because we have consciously (and unconsciously) focused on preventative maintenance for our bodies and minds...Spend more time preventing problems and less time fixing issues that result from a compromise”

David L. Prowse

Responsibility

● Responsibility to protect your site visitors & yourself

● Protect your reputation! “Is this site safe?”

● Consider security a priority from day one

● Your visitors trust you & your website

Why would someone want to hack ME!?

● Automation – targeted attacks are usually reserved for big companies

● Same thing that motivates most bad behaviour: Money! $$$

● Phishing, drive by downloads, blackhat SEO

● Defacements / Hacktivism

Popular CMS = Targeted CMS

● WP is more than 20% of the Internet!

● Common targets for attackers

● Vulnerable plugins + themes are a big problem

Plugins

● Out of date / vulnerable software is leading cause of website infection

● Less is more

● Decrease the attack surface

● Avoid old plugins and update update update!!!

● Also helps speed/memory of site

Passwords

● Other leading cause of infection

● Pass123 = no bueno

● Automated password attacks

● 'admin' WordPress account name

● Reusing passwords = no bueno

Protection

● UPDATE UPDATE UPDATE!!!

● /back /old software hoarding = no bueno

● Use a security plugin!

● Consider a firewall – paid & free options available

Detection

● Keep an eye on things

● Administrators – exercise least privilege, less is more

● Learn your environment, knowledge is power

● Learn to recognize when something is out of place

Response

● This is when you really appreciate being proactive

● Website compromises are stressful but don't panic!

● Every problem has a solution

● Not a bad idea to disclose to your visitors

Backups

● Backup your website. Always. ALWAYS.

● Your best friend on a rainy day

● Store them offline in a safe place

● Learn how to restore via FTP & database – this goes a long way

Hosting Providers

● Read reviews online

● Is security a priority for your hosting provider?

● What will they do if you get hacked?

● Shared – Managed – Dedicated - VPS

Multiple Sites

● Compartmentalize, separate, mitigate risk

● Own one, own them all

● FTP accounts – file ownership, privileges

● Avoid shared hosting if possible

Protect Yourself Online

● All this talk about malware, how do I stay safe!?

● Antivirus obviously (yes even if you have a Mac)

● Practice good / responsible browsing habits

● Security browser extensions – NoScript, AdBlock, HTTPS Everywhere

● Web browser security can be annoying & inconvenient but is very important