Backup Updates and Security 041616
Backup, Updates and Security
Russ Sanderlin | @Tearstone
#wcjax
1
Agenda
• Backups
• Basic Hardening
• Ongoing Security
• Plugins
Backups
No Need to Start from Scratch
Define Your Requirements
Your requirements will drive your solution.
WordPress Abstraction
Common Backup Methods
• Plugins
• Web Host
• Manual
No Shortage of Backup Plugins
• The perfect plugin for your requirements may already exist.
Popular Backup Plugins
• VaultPress
• Backup Buddy
• CodeGuard
• BackWPup
• BackUpWordPress
• WP-DB-Backup
Webhosts That Provide Backup Services
Manual Backups
via Command Line
• Database
Backup:
mysqldump -u [db user] -p[db user password] [database name] > dumpfilename.sql
Restore:
mysql -u [db user] -p[db user password] [database name] < dumpfilename.sql
(Leaving the password off after -p makes the client prompt for it, so it does not end up in the process list or shell history.)
• Files/Binaries
tar cvf archive_name.tar wordpress/
• Download or transfer dumpfilename.sql and archive_name.tar via SFTP as needed.
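The following script is an added example, not part of the talk: it wraps the mysqldump, mysql and tar commands from the slide into a backup, verify and restore routine, and adds a SHA-256 manifest so a truncated or tampered backup is caught before it is restored. It assumes (hypothetically) that the database password is supplied through MYSQL_PWD or ~/.my.cnf instead of -p[password] on the command line, and that sha256sum from GNU coreutils is installed.

```shell
#!/bin/sh
# Added example, not from the talk: manual WordPress backup / verify / restore.
# Assumptions (hypothetical): the DB password comes from MYSQL_PWD or ~/.my.cnf,
# not from a -p[password] argument (arguments are visible to other users via ps),
# and GNU sha256sum is available for the integrity manifest.
set -eu

# Back up a WordPress directory and its database into DEST under one timestamp.
# Usage: wp_backup <wordpress_dir> <db_name> <db_user> <dest_dir>  -> prints the timestamp
wp_backup() {
    wp_dir=$1; db_name=$2; db_user=$3; dest=$4
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    umask 077                       # dumps hold credentials and content: owner-only files
    mkdir -p "$dest"

    # Database: skipped with a warning when mysqldump is not installed locally
    # (e.g. the database lives on another host and is dumped there).
    if command -v mysqldump >/dev/null 2>&1; then
        mysqldump --single-transaction -u "$db_user" "$db_name" > "$dest/$db_name-$stamp.sql"
    else
        echo "mysqldump not found; database not dumped" >&2
    fi

    # Files: archive from the parent directory so the tarball holds a relative path
    # and can be restored into any target directory.
    tar -C "$(dirname "$wp_dir")" -cf "$dest/wordpress-$stamp.tar" "$(basename "$wp_dir")"

    # Integrity manifest over everything produced in this run.
    files="wordpress-$stamp.tar"
    [ -f "$dest/$db_name-$stamp.sql" ] && files="$files $db_name-$stamp.sql"
    (cd "$dest" && sha256sum $files > "manifest-$stamp.sha256")
    echo "$stamp"
}

# Verify every file listed in the manifest; non-zero exit if anything differs.
# Usage: wp_verify <dest_dir> <timestamp>
wp_verify() {
    (cd "$1" && sha256sum -c --quiet "manifest-$2.sha256")
}

# Restore the files (and the database when the mysql client and a dump are present),
# refusing to touch anything if the manifest check fails.
# Usage: wp_restore <dest_dir> <timestamp> <target_parent_dir> <db_name> <db_user>
wp_restore() {
    dest=$1; stamp=$2; target=$3; db_name=$4; db_user=$5
    wp_verify "$dest" "$stamp"      # set -e aborts the restore on a mismatch
    mkdir -p "$target"
    tar -C "$target" -xf "$dest/wordpress-$stamp.tar"
    if [ -f "$dest/$db_name-$stamp.sql" ] && command -v mysql >/dev/null 2>&1; then
        mysql -u "$db_user" "$db_name" < "$dest/$db_name-$stamp.sql"
    fi
}

# Example invocation (paths and names are hypothetical):
#   stamp=$(wp_backup /var/www/example/wordpress wpdb wpuser /var/backups/wp)
#   wp_verify /var/backups/wp "$stamp"
```

Copy the dump, the tar archive and the manifest together over SFTP; the manifest is only useful if it travels with the files it describes, and running wp_verify on the remote copy confirms the transfer was complete.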
WordPress Hardening
Start With A Secure Foundation
Importance
• 25% of the web
• 2012 – 117,000 WordPress hacked sites were reported
• 2013 – 73.2% of the top 40,000+ WordPress sites were vulnerable to exploits
• 4200 WordPress core, theme and plugin vulnerabilities.
Attack Surface
• Definition: the sum of all the points an attacker could use to get into a system.
Users
• Admin
• Minimum Password Requirements
  • Changed every 60-90 days
  • At least 8 characters
  • Combination of mixed case, numbers and special characters, e.g. #5hN!uM
  • Avoid dictionary passwords
• 2FA (2 Factor Authentication)
Webhost
Site
• Avoid running multiple WordPress installations on one domain
• Disable FTP, use SFTP
Web Application Firewall
• Inspects the HTTP conversation between visitors and your site
• Look for “mod_security” option
Ongoing Security
An ounce of prevention is worth a pound of cure. – Benjamin Franklin
Update Your Site
• WordPress Core
• Plug-Ins
• Themes
Perform Routine Inspections
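As an added example (not from the talk) covering both the "Update Your Site" list and routine inspections: a small WP-CLI helper that verifies core files against the official checksums and lists plugins and themes with pending updates. It assumes WP-CLI (the wp command) is installed on the host; the CSV sample in the comments is constructed.

```shell
#!/bin/sh
# Added example, not from the talk: routine inspection helper built on WP-CLI.
# Assumption: the "wp" command is installed on the host; site path is passed in.
set -eu

# Read "wp plugin list --fields=name,status,update,version --format=csv" output on
# stdin (header: name,status,update,version) and print the names whose update column
# says "available". Works for "wp theme list" with the same fields too.
plugins_needing_update() {
    awk -F, 'NR > 1 && $3 == "available" { print $1 }'
}

# Number of updatable entries in the CSV on stdin (useful for a non-zero exit in cron).
count_updatable() {
    plugins_needing_update | wc -l | tr -d ' '
}

# Live inspection of a site (only when WP-CLI is present):
#   - verify core files against WordPress.org checksums (flags modified core files)
#   - list plugins and themes with updates pending
# Usage: inspect_site <wordpress_dir>
inspect_site() {
    site=$1
    if ! command -v wp >/dev/null 2>&1; then
        echo "wp-cli not found; skipping live inspection" >&2
        return 0
    fi
    wp --path="$site" core verify-checksums
    echo "plugins needing update:"
    wp --path="$site" plugin list --fields=name,status,update,version --format=csv | plugins_needing_update
    echo "themes needing update:"
    wp --path="$site" theme list --fields=name,status,update,version --format=csv | plugins_needing_update
}

# Constructed sample of the CSV shape the parser expects (not real plugin data):
#   name,status,update,version
#   example-plugin-a,active,none,1.0.0
#   example-plugin-b,inactive,available,2.3.1
#   example-plugin-c,active,available,0.9.7
```

Running inspect_site from cron and mailing its output is a cheap way to make the routine inspection actually routine; verify-checksums exits non-zero when a core file differs, which is the signal worth alerting on.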
Security SiteCheck Scanner
• Scan your site with Sucuri SiteCheck
• https://sitecheck.sucuri.net/
Sucuri SiteCheck Scanner Example
WPScan
• WPSCAN.ORG
Security Plugins
Providing a pre-coded helping hand
Popular Plugins
Online Resources
• WordPress Codex
• OWASP
Slides: Rsanderlin.com/WCJax_2016