All right, how's everybody doing? Okay, thank you all for coming, especially after noon on the second day. You just never know what kind of attendance you're gonna get on the second day after lunch. So my name is Steve Schwartz. I've got a little WordPress shop up in Charlotte, North Carolina. I've been doing WordPress stuff for about 10 years now, got hacked about six years ago and decided it was time to get smart about security.

So just out of curiosity, how many of you have experienced a hack in the past? Almost everybody. All right, it's about three-fourths of the room. So to those of you who have not experienced a hack, thank you for coming. You've just taken a proactive approach, and that's great. A lot of people take a reactive approach to security. And so for those of you who are here taking a proactive approach, I appreciate you being here as well.

So if I can get the clicker to work... it's not going to, so I'll just go ahead and use this. I'm gonna hit you guys with a three-step approach, and I'm actually gonna try to hit you with about 50 minutes' worth of content in about 30 minutes. So if you could save your questions to the end, I'd really appreciate that. That will help my ADD personality stay on track and give you the information that I wanna convey to you in 30 minutes.

So the first thing I'm gonna hit you guys with is what I like to call a common sense approach, but the reality is that so few people do it, I have to call it a not-so-common approach. So that's why "not so" is in parentheses there. I wanna do a quick nod to the plugins. So in my 30 minutes, I'm gonna spend two minutes tops on plugins. I have a couple plugins that I think are incredibly important and things that you just shouldn't be passing up on. And then I wanna hit some advanced stuff, some sort of aside stuff that you can be doing to protect your stuff. And of course, I've got some stories for you. The names have been changed to protect the innocent. Those of you who know Dragnet are laughing.
Younger guys in here, that's a '60s cop show, so that's for the younger audience. First thing I wanna do is introduce you to Mary. I was planning on having my clicker work here, but, you know, it doesn't work. Well, it went backwards. It's going backwards, so it's backwards. All right, so this is Mary here. Mary's on the left. Mary is a recent college graduate, a very, very smart kid. She got her degree in marketing and was thrilled to have had the opportunity to work for a local dentist office as their marketing coordinator. So in addition to all the traditional marketing tasks that she had, she was also responsible for updating all their social media and writing a couple blog articles per week for them. And I'm gonna tell you something: Mary is smart, she's diligent, she's a hard worker, she's a good person. Nothing malicious about Mary whatsoever.

Well, one day, it was about a Friday afternoon, Mary had knocked off early. She's over at Starbucks with a couple of friends and she's like, ah, damn, I forgot to do my blog article. So, as diligent as she is, she decided to log into Starbucks Wi-Fi and write her blog article. So we all know that we have wireless access points like Starbucks. On this particular day, there was a "Starbucks" one that had a stronger signal. Mary logged into this. Does anybody know what this is? Pineapple, right? This is a Wi-Fi Pineapple. Not only can the Pineapple act as a wireless access point, but it can also spoof existing wireless access points and act as the man in the middle. So it doesn't really matter, you're screwed either way if there's a bad actor in the parking lot or what have you. Unfortunately for Mary, on this particular day, this guy was in the parking lot. Okay?

I wanna show you Mary three months later. She looks like a completely different person, doesn't she? All right. I couldn't find the same girl with a distressed look on her face.
So yeah, this is Mary three months later. Well, let's see what happened. This dude right here, as soon as Mary was gone (she left Starbucks, she didn't think any more of it), he logged in to her WordPress account, the dentist's account, using all of her credentials. And then he sold it on the dark web. And if you think about a small dentist office, what do they have on us? They've got our personal information. They've got our medical records. They've got our social security information, and I know you guys are gonna cringe, but for whatever reason, this particular dentist office also had all of the credit card information right there on the WordPress server. So we're talking a treasure trove of information here. Sold on the dark web.

So what happened? Mary got canned. The dentist office? Well, this happened. You okay? Massive class action lawsuit on the dentist office. The dentist office has shut down. Mary, I don't know if she's still without a job or not, but no good for anybody, right?

So let's take a closer look at what happened. Who knows what this is right here? This is Wireshark, right? Wireshark is a packet sniffer. So if you are the man in the middle, you can basically sniff every single packet that comes and goes on a network. So what I'm gonna show you is, Mary logged in using HTTP. There was no SSL certificate. So when she logged into her HTTP website, I'm gonna show you what the hacker saw. And I'm gonna show you exactly what the hacker saw, because this is a real example, on a test server of my own, of course. In real text, clear as day, username and password, if you're not encrypting your stuff. On the other hand, if you use HTTPS and you're using SSL on your client sites, or what have you, on your own sites, I'll show you what the hacker's gonna see. Same tools, same everything, this is what he's gonna see. Completely useless to him or her. Not that all hackers are men. Clear as text, clear text.
If you're logging into your WordPress site on an open Wi-Fi that happens to have a man in the middle attacking, watching your packets, it's clear text, you're logged in. So here's the fix: make it SSL. And then from a WordPress standpoint, you can add a couple of lines to force SSL in your wp-config file. And these are the two. I think I've got a laser pointer thing here too, I don't know, this is kind of fancy, but I don't know how to use it. But anyhow, if you use these two defines, and I'll put this on my website or SlideShare or whatever so that you guys don't feel like you have to write all this stuff down, just these two things right here will force SSL, okay? So it'll keep everything encrypted. It went backwards.

All right, I want to introduce you to a guy by the name of Thrifty Theo. Theo works in ordering and buying and stuff like that for a mid-sized corporation. And Theo prides himself on saving the company money. That's Theo's thing. So you wouldn't be surprised when Theo was charged with the responsibility of getting hosting for his company's website. Well, Theo decided to go for which one? Which one? Yeah. Oh yeah. All right, Theo's thinking, yeah, I'm the bomb right here, right?

So let's take a closer look at a real-life shared server. Now I'm gonna do exactly what I told you not to do. I'm gonna FTP, not SSH or SFTP. I'm gonna use port 21. I'm gonna log into the server and this is what I'm gonna see. Well, it's what we're accustomed to seeing, right? This is our root directory with all of our normal WordPress files, right? Easy peasy. You can't go up a level; you can't go up past root. You really can't do much of anything. But let's take a look at this shared server if we log in, say, on port 22 using SFTP. Woo-hoo, we're one folder above the root. And why am I seeing my account? This is my account. This is a real account. That's my real account number.
And I'm on server 28 on this shared server. So if I go in my HTML folder, I can see all my normal files that I'm accustomed to seeing. No big deal. I should be able to do that. But what if I get nosy? What if I go up, say, a folder? Uh-oh. Are those other people's folders on the shared server that I can see clear as day? I shouldn't be able to see all these other people's individual websites on the shared server. What if I get nosy and decide to go up one more? Now I'm looking at all of the servers, and all of the clients on any one of those shared servers I can poke into, right? Pretty scary shared server stuff, huh? This is why it's $2.99 a month, mind you.

All right, so let's go back. Now I know that I'm on server 28. So, as soon as... there's a little bit of lag here. So let's go down to server 28. Now I'm on server 28. Now I know my account number is the 729-whatever number. So I can click on my stuff, right? And I can get into my folder. Should be able to, right? Can I click on somebody else's folder? Thank God, I can't. Okay, I can't. Thank God for that, right? I mean, that would just be a complete nightmare. But what if I decide to get a little crazy and I decide to use the directory command, say, oh, I don't know, directory info. What the hell is this? Are these the usernames and the account numbers of everybody on this shared server? No, it can't be that. Of course, my name is SRS 515-0 on this server. So certainly I'm not gonna be able to do a Ctrl+F and find my account on this server. That's just not possible, right? Oh crap. Well, there's me. There's my username to log into this particular shared host. I now have half of what I need to brute force any account, any account that I want to on this shared server. Not only this shared server, but any of the other servers as well, okay? Now, I'm no black hat hacker, but a black hat hacker could use a hacking device on a simple laptop and brute force a million passwords in an hour.
Get through the entire dictionary. Get through every known possible name, your dog's name, anything you could think of, in under 14 minutes. That's on a laptop. So you can imagine if a hacker pulled resources together, massive servers, and decided to do a brute force attack. So what's the solution? Don't use shared servers and don't put your clients on shared servers, okay? I think the best alternative... well, there's a lot of good alternatives depending on your own skill set, okay? I'm huge on VPSs. I have all my clients on VPSs because I know Linux and I know how to manage a VPS server. Beyond VPS is a dedicated server. If you are a Linux admin (I am not) and you know how to configure a server from scratch, you get a dedicated server and have even more free rein of that server. If you're not a Linux guru, or don't want to be, or don't have the time to be, managed WordPress is a great option for you. You can get on... Bluehost is here and they have managed stuff. But just say no to the shared servers. Three dollars and 99 cents a month is great for a cat blog. It is not good for us or our clients, okay?

One more story. Gullible Gary. This is Gary right here. I call him Gullible Gary because it had a nice ring to it, but he's actually another smart guy. Gary works for a big bank. This is Gary's cubicle right here. So on one particular Friday afternoon, Gary's getting ready to get out and go drink some beers with his buddies, and he gets a phone call. And the voice on the other end of the line says, hey Gary, this is Tom down in IT. Hey, listen, we're getting ready to update the network so that everybody has faster internet next week. And for whatever reason, we don't have the information on your cube. Could you do me a favor? Just one second, I'd just like to give you the information. And Gary's like, oh hell yeah, I want faster internet. I forgot to click it. The phone rings, and the guy says, do me a favor, go to whatsmyip.org.
And Gary dutifully gives him his external IP address. Well, having the IP address of a particular computer inside of an organization doesn't give you the keys to the castle, but it sure as hell shows the hacker where the door is. So now we can just pound on this IP address and enumerate tons and tons and tons more information. So the hacker wasn't done. Seeing as how Gary was so gullible, the hacker said, hey Gary, one more thing, can we bench test where you're at right now with your computer? And Gary's like, yeah man, I wanna see how much speed I'm gonna get next week. So, yeah, do me a favor, go to halffastusyourcomputer.com. And Gary's like, all right. So obviously this is a made-up website, but I mean, we've already got him, right? So do me a favor and click on the "click to view" button on this website. Well, unbeknownst to Gary, he's now downloading the Trojan, okay? And he doesn't know the difference. So now the hacker says, hey, do me a favor, hit run. Gary's like, yes, and he sees this. And he dutifully reports back to the guy that, oh yeah, I'm at 73 or something like that. And the guy on the other end of the phone says, you know, we're gonna have to get 300 by next Monday. Gary's like, yes. Well, that's not gonna pop up, right? So Gary got duped twice here, okay?

Who knows what this is? A RAT is a remote access Trojan. Not only did he give them the IP address, which... I mean, they could've gotten the IP address anyway, but I wanted to give you two examples in one example. The RAT is a remote access Trojan that will allow a hacker to remotely do anything on your computer that you can do. They can turn on the microphone and listen to the conversations that are going on around your cube. They can turn on your webcam and they can watch what you're doing, and they have full file access to anything that you have access to.
So if I've got access to Gary's stuff, I've got access to whatever on the network Gary has access to, and I can infiltrate further, okay, right? So who gets blamed? That should have come up first. Who gets blamed? Okay, so my point of view here is that we as developers and marketers and stuff like that, we need to educate our clients so that they don't get duped by social engineering things. You guys know about social engineering? Who knows the number one method by which people get socially engineered? Just yell it out. Phishing. It's hacking the people, not the tech, but yeah, phishing emails and that sort of thing, okay? Phone calls, we just talked about Gary getting nailed, okay? In person, I mean, this really starts to get elevated to the level of corporate and government espionage, but people will do what they do in the movies, pretend to be a house cleaner or something like that to get in the office late at night to be able to stick USB drives in machines and try to take stuff. And then the other one, you know, freeware offers and free games, and you go to websites... USBs every once in a while.

Who knows who Kevin Mitnick is? Okay, Kevin Mitnick, the quote-unquote greatest hacker of all time, went to jail, got out of jail, and became a white hat, and he now instructs people on things that they can do so that they don't get hacked. Well, according to the Kevin Mitnick organization, when they take USBs, little USB drives, and throw them in the parking lots of unsuspecting companies and write either HR or salaries.xls on them, they've got an 85% open rate. 85% open rate. Once again, I have her in here twice because I love her, and we need to educate our clients, okay? All of us do, okay?

So now, we talk about plugins a lot at WordCamps. Well, this is the application. This is plugins right here, so I wanna hit you with the first four, okay? You gotta remind your clients that security starts with them.
I always say security starts at your fingertips, because think about your clients: they're gonna work from Starbucks, they're gonna work from home, okay? They have got to have malware protection, spyware protection on their own machines, because if they're doing everything else right but yet they're uploading malware to the computer, there's no way you can safeguard from that, okay? Here's the most overlooked one: their own router at home. I always ask my clients, who configured your router at home? Oh, our son did, about six years ago. Said, have you ever changed the password on your router? Oh yeah, we changed it. No, not the Wi-Fi. The router, the hardware itself. Did you ever change the password to the hardware? And most people have no idea. 85% of all household routers in the United States that are over five years old have admin as the username and password as the password. Now Netgear and all the other companies within the last few years have gotten smart and they've stopped shipping that way. But if you've got an older router in the house, or if your clients have older routers in the house, admin and password, pretty easy to hack, okay?

Number three, we talked about our pipeline, securing the pipeline, encrypting everything, okay? Number four, we talked about servers. Yeah, this is the line of communication all the way to where? The application level. Now we're finally at themes and plugins and all this stuff, right? So we have to instruct, we have to educate our clients to not only do this, but this doesn't amount to a hill of beans, squat, if they're not doing all the rest of the stuff, okay?

So, nod to the plugins. Wordfence is here, I know Nathan from iThemes is here. I don't care which security plugin you use, okay? I personally have all my clients on Wordfence because I was with them from the beginning. And one of the things that I find most important about what Wordfence does for me is the brute force attack feature, okay?
The brute force attack feature is: if I'm banging on your IP address, okay? And I could do a million an hour. Wordfence, the brute force component of that, will allow you to set a rule like, if they bang on it five times and they're not giving a correct password, usually in combination, it'll kick them out. And then you can determine how long it kicks them out. You can kick them out for an hour; I kick them out for a couple of months on some of my clients where I know that there's only one login, one person logging in. So that's up to you and how you wanna discuss with your clients how long you wanna kick them out.

And then I think the single most important plugin that anybody ever, ever had in the history of time on their WordPress site is a backup plugin, because backup is the one thing that can save your butts. Whether you're backing up nightly or backing up weekly, depending on how much activity your clients have updating their blogs, this is for you to figure out. But have backups, because you can do all of this stuff and somebody can get socially engineered and you can still get hacked. So having a backup, for that client to call you and say we got hacked and for you to be able to say, it's okay, I have a backup from last night or last week, instantly makes you the hero, okay?

All right, so let's go beyond. This is part three, all right? Part three is a little bit more technical and involves a little bit of code and stuff like that. But you know what? I've never been formally trained as a developer. I'm not really... I'm more of a hacker than a developer. I can get into the code and I can make it do what I want, but only because I have to figure it out. And I taught myself Linux, and I'm not that bright. So if I can do it, anybody can do it. So I don't want you to be scared about Linux commands and stuff like that, because these are just things that you have to put in place.
You put them in place once and you forget about them, okay? Oh, I forgot to talk about server software. Boom, boom and boom. You guys know that everybody tells you to update your core and update your theme and update your plugins and everything's gonna be hunky-dory, right? Well, if you're sitting on a shared server from five years ago, you're probably running PHP 3 or PHP 4. Well, guess what? PHP has vulnerabilities. MySQL has vulnerabilities. Apache has vulnerabilities. This is something where you have to take a proactive approach. You have to call the host and say, hey, where are we? What PHP? There are ways to figure all this out, but the best way is to call the host. You have to take a proactive approach and talk to the host and say, where are we on PHP? Where are we on MySQL? What Apache do I have? Because you wanna make sure that all the patches for this stuff are done too. And that's not gonna happen because you updated your core and your plugins and stuff like that. So make sure that all this stuff is updated. I'll caveat that by saying, in a rare instance, when you update to, say, for example, PHP 7, you might break a plugin. So just be cognizant of that. Maybe turn off all your plugins, have them update you to PHP 7, turn plugins on one by one and just make sure that nothing broke in the process. Now, I will tell you that I'm running the latest and greatest for all of my clients and I haven't had any plugin run-ins, but that's not to say that you might not. How am I doing on time?

All right, secret keys, okay? There is a component in your wp-config file, okay? The default looks like this. You guys know what I'm talking about? Okay, it's in the wp-config file. This is what it looks like by default, but what you can do is you can make it look like that. And it's like, whoa, what is all that? Well, that essentially encrypts those keys, so that it encrypts information stored in users' cookies, okay? And I know it looks like gobbledygook, but it's very easy.
You just go to api.wordpress.org, blah, blah, blah, blah, blah, and I'll have that for you in the slide presentation. Okay, so it's very easy to get. You just go there and you cut and paste it into your wp-config file. Now, one thing that will happen if you've got a big organization: this will actually kick everybody out and make them log back in. So this is kind of a good thing to do if you warn people in advance, or if you do it at midnight or something like that when you don't think you have any users in, okay?

Who knows Mr. .htaccess? About half of you, okay? On an Apache server, okay? .htaccess is the first file that gets hit, long before index.php or index.html. This is the first file that any web visitor is gonna hit before anything like that, so you can create rules in .htaccess. And what I say is, let's put these four items right in the .htaccess, and like I said, this will be on SlideShare, okay? And what these things do, I know it looks like gobbledygook to some of you, but it's pretty simple. This basically says don't touch my .htaccess. And over here, we all know how vulnerable wp-config is. This says do not touch my wp-config, okay? Likewise, your readme file gives up too much information about your WordPress install, so you wanna hide that one as well. And then of course the install.php as well, okay? So we wanna really do whatever we can to safeguard these four files in particular, okay?

This was my favorite. If you're using SSH, you saw even on that shared server, you can actually move wp-config one level above the root directory, and WordPress core knows that. Not all your plugins might know that, but this is another instance where it's kinda tried and true; I've been doing this for years and I haven't broken any plugins, okay? So if you put that wp-config one level above the root directory and they hack you and they see the root directory, they still can't get to your wp-config, so they can't see all your database login information, okay?
File permissions. Now this is one where people always raise their hand and they say, well, my plugin does that, my plugin does that, and that's great. I'm an advocate of hard-coding as much of the security stuff as you can into your WordPress install, because I'm not an advocate of running four or five different security plugins. Four or five security plugins, it's heavier, the site will load longer, and they fight with each other and can cause conflicts. You might update a plugin at some point, it'll break and you won't know which security plugin broke it. So I'm an advocate of trying to keep the plugins to a minimum and hard-code as much of the stuff as you can. So basically, locking down your file permissions for your folders and your files is very helpful, and .htaccess and wp-config, you can take those all the way down to 444. I've heard people, depending on their plugins, take it all the way down to 400 without breaking stuff. So the lower the number, the less permissions, the better. Okay?

Content delivery network. It's like having a force field around your already force-fielded website, right? I love CDNs, because you actually have to change your name server information to go through the CDN to get to your website, and this is great for protecting against DDoS attacks. Okay? Cloudflare, for example, straight out of the box, for free, will give you DDoS protection. The other thing is, it mirrors your site on a whole bunch of different servers so that your site is served up faster. Somebody in Florida... you know, I don't have Florida up there, but Florida might hit the Atlanta server. Somebody from San Diego may hit the LA server. So your stuff is served up faster, and we all know that that's becoming more and more and more important from a speed optimization standpoint, okay?
If you spend a little bit more money with Cloudflare, like I spend, depending on my clients... I know on my sites, I add... it's $20 a month, it's expensive, but I get another web application firewall, and they have all sorts of rules that will protect against basically brute force attacks, DDoS attacks and stuff like that. So it's basically levels of force fields around your sites and your client sites, and the more the better.

Anybody know what this is? Yeah, I'm gonna go ahead and I'm gonna pick a form plugin that has not been coded correctly, and I'm gonna put in ' OR 1=1, and I've effectively thrown in a SQL statement that basically says... so on the password, it's looking for a true. If this is true and this is true, it lets me in. Well, if I'm gonna select all users where user ID is zero, which is the first user in just about any database, or when is one equal to one? Always. I'm in. Simple as that. So this is called SQL injection, and the thought here is: very, very seriously study any kind of form plugin that you put on your website. Any place that they can input data, you have to do your due diligence and you have to pick good plugins for your clients. Okay?

And then good old cross-site scripting. Cross-site scripting is using JavaScript. Essentially what happens is the user will go to a site and they'll input something, and the JavaScript will actually attack their computer, and it'll attack the next person's computer and the next person's computer and the next person's computer, and somebody's getting rich off of Monero, Bitcoin, because they're using everybody's computer resources to mine cryptocurrencies.
So watch out for cross-site scripting as well, and that's just another matter of picking wisely on your plugins and making sure that you're picking plugins that lots and lots of people praise. And the other thing that you can do, that other people don't tell you to do because it's an extra step, is Kali Linux offers what they call an exploit database, and I think if you do a Google search for exploit-db, you can find the Exploit Database, and you can actually type in a plugin and you can see whether there's ever been an exploit for that particular plugin. So that's kind of one thing that I do above and beyond what everybody else does when I research plugins. Okay? And we're done. How'd I do? 30 minutes, something like that. Hit me with questions.
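The ' OR 1=1 login bypass the speaker walks through against a badly coded form plugin, as an added example that is not part of the talk or its slides. It is written in Python against an in-memory SQLite table so it runs offline: the table, the two user rows and their passwords are constructed for illustration, the "badly coded form" is modelled as a function that pastes the username straight into the SQL text, and the parameterized version beside it shows the same payload doing nothing.

```python
"""Added example: SQL injection login bypass beside its fix.
Not code from the talk; sample users and passwords are made up."""
import hashlib
import sqlite3
from typing import Optional


def hash_pw(pw: str) -> str:
    # Illustration only: a real site uses a slow, salted hash (bcrypt, Argon2).
    return hashlib.sha256(pw.encode("utf-8")).hexdigest()


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two users, the first one (id 1) the site admin."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pass_hash TEXT)"
    )
    conn.executemany(
        "INSERT INTO users (id, login, pass_hash) VALUES (?, ?, ?)",
        [
            (1, "admin", hash_pw("correct horse battery staple")),
            (2, "mary", hash_pw("Dentist2017!")),
        ],
    )
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, login: str, password: str) -> Optional[str]:
    """The badly coded form: user input is glued into the SQL text.
    Returns the login name of the first matching row, or None."""
    sql = (
        "SELECT login FROM users WHERE login = '" + login
        + "' AND pass_hash = '" + hash_pw(password) + "'"
    )
    row = conn.execute(sql).fetchone()
    return row[0] if row else None


def login_safe(conn: sqlite3.Connection, login: str, password: str) -> Optional[str]:
    """Same query with bound parameters: input is data, never SQL syntax."""
    row = conn.execute(
        "SELECT login FROM users WHERE login = ? AND pass_hash = ?",
        (login, hash_pw(password)),
    ).fetchone()
    return row[0] if row else None


def demo() -> dict:
    """Run honest and hostile logins through both versions."""
    conn = make_db()
    # The payload from the talk: close the quote, OR in an always-true
    # condition, and comment out the password check that follows. The
    # vulnerable query then matches every row, and fetchone() hands back
    # the first one, which is the admin.
    payload = "' OR 1=1 --"
    return {
        "honest_vuln": login_vulnerable(conn, "mary", "Dentist2017!"),
        "honest_safe": login_safe(conn, "mary", "Dentist2017!"),
        "attack_vuln": login_vulnerable(conn, payload, "anything"),
        "attack_safe": login_safe(conn, payload, "anything"),
    }


if __name__ == "__main__":
    for name, who in demo().items():
        print(f"{name}: {who!r}")
```

The vulnerable query ends up as `... WHERE login = '' OR 1=1 --' AND pass_hash = '...'`, so the whole password clause is a comment and the row returned is whichever comes first, the admin. The parameterized form sends the same string as a value, finds no user literally named `' OR 1=1 --`, and returns nothing. This is also the test to run against any form plugin you are evaluating: if a single quote in an input changes the query instead of being stored, it is the plugin from the talk.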
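The brute-force lockout rule the speaker describes for Wordfence (five wrong passwords, then the source is kicked out for a length of time you choose), reduced to a standalone policy object so the behaviour can be reasoned about. This is an added example, not Wordfence's code: the thresholds, the IP addresses and the sequence of attempts are made up, and the clock is passed in as a number so lock expiry can be exercised without waiting.

```python
"""Added example: a per-source-address login lockout policy.
Not Wordfence's implementation; thresholds and sample traffic are invented."""
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class LockoutPolicy:
    """After max_failures wrong passwords from one address inside the window,
    every further attempt from that address is refused until the lock expires.
    Hypothetical defaults, not Wordfence's."""
    max_failures: int = 5            # "if they bang on it five times"
    lock_seconds: float = 3600.0     # how long they stay kicked out
    _failures: Dict[str, List[float]] = field(default_factory=dict, init=False)
    _locked_until: Dict[str, float] = field(default_factory=dict, init=False)

    def is_locked(self, ip: str, now: float) -> bool:
        until = self._locked_until.get(ip)
        if until is None:
            return False
        if now >= until:                      # lock has expired: forget it
            del self._locked_until[ip]
            self._failures.pop(ip, None)
            return False
        return True

    def attempt(self, ip: str, password_ok: bool, now: float) -> bool:
        """Record one login attempt from `ip` at time `now`.
        Returns True if the attempt reached the password check,
        False if the address was locked and the attempt was refused."""
        if self.is_locked(ip, now):
            return False
        if password_ok:
            self._failures.pop(ip, None)      # a good login clears the count
            return True
        # Only failures inside the window count toward the threshold.
        recent = [t for t in self._failures.get(ip, []) if now - t < self.lock_seconds]
        recent.append(now)
        self._failures[ip] = recent
        if len(recent) >= self.max_failures:
            self._locked_until[ip] = now + self.lock_seconds
        return True


def run_attempts(policy: LockoutPolicy, attempts: List[Tuple[float, str, bool]]) -> List[bool]:
    """Feed (timestamp, ip, password_ok) tuples through the policy and
    return whether each attempt was let through."""
    return [policy.attempt(ip, ok, t) for t, ip, ok in attempts]


# Constructed sample: one address guessing six passwords a second apart, an
# unrelated address logging in correctly, then the guesser returning an hour later.
SAMPLE: List[Tuple[float, str, bool]] = [
    (float(i), "203.0.113.7", False) for i in range(6)
] + [
    (6.0, "198.51.100.2", True),
    (3605.0, "203.0.113.7", False),
]

if __name__ == "__main__":
    policy = LockoutPolicy()
    for (t, ip, ok), allowed in zip(SAMPLE, run_attempts(policy, SAMPLE)):
        print(f"t={t:>7.1f}  {ip:<14} password_ok={ok!s:<5} allowed={allowed}")
```

The sixth guess is refused and the guesser is only admitted again once the hour is up, while the unrelated address is never affected. One caveat worth keeping in mind against the speaker's million-passwords-an-hour figure: this counts failures per source address, so an attacker spreading guesses across many addresses never trips it. Counting failures per target username as well narrows that gap.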