Security Best Practices
@VicDrover
Panama Papers
Infected Websites by Platform
Hacked Website Report - Sucuri
% Out-of-Date CMS
Hacked Website Report - Sucuri
Is YOUR website vulnerable?
Top 3 WordPress causing hacks
Hacked Website Report - Sucuri
RevSlider < 3.0.95 = vulnerable
https://www.wordfence.com/blog/2016/04/mossack-fonseca-breach-vulnerable-slider-revolution/
WordPress host for Ransomware
http://www.tomsguide.com/us/wordpress-ransomware-epidemic,news-22219.html
Levels of website security
Password Managers
Agency Passwords
Trust extends to your team
Email security
Staff
Disaster Response Plan
Initial response
→ Who, What, When
→ Emergency contact info
→ Service provider info
  ◆ DNS, Server/Host, Data Center, Backups
→ 1-time use passwords
Security policy
→ Email usage
→ Resource access
→ Password strength
→ Password duration
→ Account sharing
→ Team composition
→ Disaster planning
→ Ongoing Education
Levels of website security
Local
Remote
Local Resources
PHP Usage (Joomla 3.5)
[Chart: share of Joomla 3.5 sites by PHP version: PHP 5.2, 5.3, 5.4, 5.5, 5.6, 7.x]
Webserver security
Heartbleed
filippo.io/Heartbleed/
Other local issues
→ SSH on non-default port, encryption keys
→ Disable FTP (vs. secure FTP)
→ Strong database password + table prefix
→ Enable logging (usually off by default)
→ Disable magic_quotes
Levels of website security
Local
Remote
Remote services - email
Remote services - DNS
Remote services - reverse proxy
Managed Hosting
Levels of website security
Update all the things
Well-known WordPress best-practices
→ Unique administrator account
→ Disable file editing, PHP Execution
→ Limit Login Attempts
→ Remove unused themes + plugins
→ Block editing of config file
Enforce stronger passwords
Control New Users
Secure failed login message
```php
// functions.php: replace WordPress's detailed login error
// (which reveals whether the username exists) with a generic message
function wrong_login() {
    return 'Wrong username or password.';
}
add_filter('login_errors', 'wrong_login');
```
Source: http://geckogullywebsites.com/wordpress-security-tips-check-for-display-of-unnecessary-information-on-failed-login-attempts/
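The "Limit Login Attempts" item in the best-practices list above is usually handled by a plugin; the following is an added example (not from the slides or from any plugin) showing how the same control can be built with WordPress's own hooks. It assumes it lives in the active theme's functions.php, uses the `vd_` prefix and the threshold values as hypothetical choices, and trusts `REMOTE_ADDR` only because no reverse proxy is assumed in front of the server. The constants the slides mention for disabling file editing belong in wp-config.php (`define('DISALLOW_FILE_EDIT', true);`) and are not repeated here.

```php
<?php
// Added example: per-client lockout after repeated failed logins,
// built on the wp_login_failed / authenticate / wp_login hooks.
const VD_MAX_ATTEMPTS    = 5;    // hypothetical threshold
const VD_LOCKOUT_SECONDS = 900;  // hypothetical lockout window (15 minutes)

// Transient key for the current client. REMOTE_ADDR is only meaningful
// when WordPress talks directly to the visitor; behind a reverse proxy
// (see the "Remote services - reverse proxy" slide) the proxy's
// forwarded-for header must be validated and used instead.
function vd_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'vd_login_fail_' . md5($ip);
}

// Count each failure and record it in the PHP error log, which gives
// the "Enable logging" item something to show when someone is guessing.
add_action('wp_login_failed', function ($username) {
    $key   = vd_client_key();
    $count = (int) get_transient($key) + 1;
    set_transient($key, $count, VD_LOCKOUT_SECONDS);
    error_log(sprintf('[login] failed attempt %d for "%s"', $count, $username));
});

// Refuse authentication once the threshold is reached. Priority 30 runs
// after WordPress's own username/password check (priority 20), so the
// generic error replaces any success or failure result.
add_filter('authenticate', function ($user, $username, $password) {
    if ((int) get_transient(vd_client_key()) >= VD_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts. Please try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function () {
    delete_transient(vd_client_key());
});
```

The error message is deliberately as generic as the `login_errors` filter above: neither the count nor the lockout length is disclosed to the visitor. Transients are stored in the options table (or the object cache when one is configured), so the counter survives across requests but expires on its own after the lockout window.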
Backup your site + test
Akeeba Backup
https://www.akeebabackup.com/
Use Redundant firewalls