PRESENTS

THE ULTIMATE GUIDE TO

WORDPRESS SECURITY
IN 2020
+ TIPS FOR STAYING SECURE
WHILE WORKING FROM HOME
TABLE OF
CONTENTS
PART 1: GETTING PART 2: STAYING
1 STARTED WITH 33 SECURE WHILE
WORDPRESS SECURITY WORKING FROM HOME

ACCOUNT LOGIN USE UPDATED

3 SECURITY 34 SOFTWARE & TOOLS

SECURITY PROTECT YOURSELF

14 MONITORING 44 AGAINST PHISHING

PLUGIN & THEME SECURE YOUR

20 MANAGEMENT 47 INTERNET

WORDPRESS SECURITY SERVER

24 MYTHS 48 SECURITY

SIGNS OF WEBSITE WRAPPING UP: A

28 INFECTION 50 SECURITY CHALLENGE

WEBSITE
32 RECOVERY
 WordPress security shouldn’t be so
complicated that people are too
PART 1: GETTING STARTED WITH intimidated to get started. Having

WORDPRESS
the correct security measures in
place is crucial to the success of
any website and you can get

SECURITY started today.

IN 2020 The truth is, most hacks can be

prevented with a few simple
security measures. Let's take a
look at some things that you can
do to lock down your site.

1
KEYS TO A SUCCESSFUL
WORDPRESS SECURITY
STRATEGY
There are 4 keys to a successful WordPress security strategy.

1. Account Login Security

2. Security Monitoring
3. Plugin & Theme Management
4. Website Backup Strategy

2
ACCOUNT LOGIN SECURITY
The great thing about WordPress is how it
makes creating a website accessible to just
about anyone. But with that accessibility comes
predictability. Anyone with experience working
with WordPress knows where changes to the site
are made: via the wp-admin area. They know
where they need to go to access the wp-admin,
the wp-login.php page.

By default, the WordPress login URL is the same

for every WordPress site, and it doesn’t require
any special permissions to access. That’s why the
WordPress login page is the most attacked—and
potentially vulnerable—part of any WordPress
site.

WWW.FRAMEMAG.COM | 20
3
 BY DEFAULT, THE WORDPRESS LOGIN
URL IS THE SAME FOR EVERY
WORDPRESS SITE, AND IT DOESN’T
REQUIRE ANY SPECIAL PERMISSIONS TO
ACCESS. THAT’S WHY THE WORDPRESS
LOGIN PAGE IS THE MOST ATTACKED—
AND POTENTIALLY VULNERABLE—PART
OF ANY WORDPRESS SITE.
HOW TO SECURE YOUR
WORDPRESS LOGIN ACCOUNT
So what should you do? Here's a few tips to increase the security of
your WordPress login account.

1. USE STRONG PASSWORDS

There is a lot of confusing and
contradicting information about
password security best practices The number of
on the internet. In an effort to characters in your
clear up that confusion, let’s break password matters! Take
down the basics of how using a a look at these stats.
strong password improves your
WordPress security. 7 characters will take
.29 milliseconds to
crack.
Whenever creating a password,
8 characters will take
the first item that you will want 5 hours to crack.
to consider is the length of the 9 characters will take
password. The list below shows 4 months to crack.
the estimated time it takes to 10 characters will take
crack a password using a four- 1 decade to crack
12 characters will take
core i5 processor.
2 centuries to crack.

5
So as you can see, adding a single Randomizing characters decreases the
character to your password can predictability and increases the
significantly increase the security of strength of the password. But both of
your login. A password that it is at least these passwords have one thing in
12 characters long, random and common that ultimately reduces the
includes a large pool of characters like password entropy. Both are only using
“ISt8XXa!28X3” will make it very difficult lower case letters, limiting the pool of
to crack. possible characters to 26. That’s why
it’s vital to include alphanumeric,
Unfortunately, some hackers are upper-case letters and common ASCII
leveraging GPUs and stronger CPUs to characters to increase the pool of
decrease the amount of time needed characters needed to crack the
to crack passwords. So to strengthen password to 92.
your logins, also be mindful of
your password entropy. The higher the
password entropy is, the more difficult A password that is at
the password will be to crack. least 12 characters
long, random and
For example, based on just the length
requirement, a password like
includes a large pool
“abcdefghijkl” is 12 characters, which is of characters like
great and should take 200 years to “ISt8XXa!28X3” will
crack. However, since the password make it very difficult
uses sequential strings of letters, it
to crack.
makes the password much more
predictable compared with a password
like “rfybolaawtpm” which has
randomized characters.

WWW.FRAMEMAG.COM | 20
6
2. REFUSE COMPROMISED
PASSWORDS
Attackers often use compromised iThemes Security Pro leverages the
passwords as a starting point for power of the haveibeenpwned API
hacking accounts because it is faster to prevent the use of known
and easier than brute-forcing all compromised passwords on your
possible password combinations. If WordPress website. If your
your password has been exposed password was found in a data
and you’re reusing your credentials breach, iThemes Security will require
across multiple websites, attackers you to update your account’s
could compromise your account in password immediately.
just one or two attempts instead of
millions.
If your password has
A data breach is typically a list of been exposed and
usernames, passwords and often you’re reusing your
other personal data that was
credentials across
exposed when a site was
compromised. Recently, Troy Hunt, multiple websites,
creator of the haveibeenpwned API, attackers could
reported on his blog about the compromise your
"Collection #1" Data Breach. This
account in just one or
data breach contained a staggering
1,160,253,228 unique
two attempts instead
combinations of email addresses of millions.
and passwords.

7
WWW.FRAMEMAG.COM | 20
3. USE A UNIQUE PASSWORD
FOR EVERY ACCOUNT
Another best practice for online
security is using unique passwords
for every account and website login
you have. This is so important, we’ll
say it again: you should be using a
different password for every site.

The more users you have that are

reusing passwords, the weaker your
WordPress login security will be. In
a list compiled by Splash Data, the
most common password included in
all data dumps was 123456. The
WordPress login security of your site
is only as strong as the weakest link,
so be proactive with strong
password requirements.

Ultimately, using a password

manager can help you keep track of
your logins and unique passwords.
With the help of a password
manager, you don’t have to
remember your passwords.

WWW.FRAMEMAG.COM | 20
8
THIS IS SO IMPORTANT, WE’LL SAY IT
AGAIN: YOU SHOULD BE USING A
DIFFERENT PASSWORD FOR EVERY
SITE. WHY? IF YOUR PASSWORD HAS
BEEN EXPOSED AND YOU’RE REUSING
YOUR CREDENTIALS ACROSS
MULTIPLE WEBSITES, ATTACKERS
COULD COMPROMISE YOUR
ACCOUNT IN JUST ONE OR TWO
ATTEMPTS INSTEAD OF MILLIONS.
4. LIMIT LOGIN ATTEMPTS

By default, there isn’t anything A lockout will temporarily disable

built into WordPress to limit the the attacker’s ability to make login
number of failed login attempts attempts. Once the attackers have
someone can make. Without a been locked out three times, they
limit on the number failed login will be banned from even viewing
attempts an attacker can make, the site.
they can keep trying an endless
number of usernames and
passwords until they are
successful.

Increase your WordPress login

security by installing a WordPress
security plugin like iThemes
Security Pro to limit the number of
failed login attempts. The iThemes
Security Pro WordPress Brute
Force Protection feature gives you
the power to set the number of
allowed failed login attempts
before a username or IP is
locked out.

WWW.FRAMEMAG.COM | 20
10
5. LIMIT OUTSIDE
AUTHENTICATION ATTEMPTS
PER REQUEST
There are other ways to log into In addition, when you are
WordPress besides using a login developing your WordPress login
form. Using XML-RPC, an attacker security plan, it is important to be
can make hundreds of username aware that the WordPress Rest
and password attempts in a single API adds additional ways to
HTTP request. authenticate a WordPress user.

The brute force amplification Cookie authentication is one

method allows attackers to make method authentication when
thousands of username and you login WordPress
password attempts using XML-RPC automatically stores a cookie so
in just a few HTTP requests. When
plugins and themes can perform
you know an attacker can use
a function on your behalf.
database dumps as a starting
Cookie authentication will
point and make thousands of
benefit from the protections you
guesses per request, it makes the
have added to the wp-login.php.
importance of WordPress login
security much clearer.

11
WWW.FRAMEMAG.COM | 20
6. USE TWO-FACTOR
AUTHENTICATION
We saved the best way method to Just note that many sites require
increase WordPress login security you to use an email address as a
for last: WordPress two-factor username. If an attacker hacks
authentication. Two-factor one of these sites, the next step
authentication requires an extra will be to try to log into email
code along with your WordPress accounts using the new email
username and password to log in. addresses and passwords they
stole. If one of your users or
There are many methods of two- clients are reusing compromised
factor authentication, but not all passwords on every site, their
methods are created equal. If you email account, along with their
can, avoid using text for two-factor two-factor email codes, will be
authentication. The National compromised.
Institute of Standards and
Technology no longer
recommends using SMS to send
and receive authentication codes.

Using a WordPress security plugin,

like iThemes Security Pro, you
should enable either the email or
mobile app method of two-factor.

WWW.FRAMEMAG.COM | 20
12
7. PASSWORDLESS LOGINS
Passwordless login is a new way to There is a balance to
verify a user’s identity without
WordPress security.
actually requiring a password to
You want your website
login. Passwordless login is both safe
and simple, increasing the likelihood to be secure while
that the average person will secure not getting in the way
their account. Passwordless logins of your users and
lock down your accounts and are
customers.
much easier to use than traditional
credentials.
The Passwordless Login method
You may already be using a form provided by iThemes Security Pro
of passwordless login without will send you an email with a “magic
realizing it. For example, if you link,” or a link that will log you into
are using a thumbprint or Face WordPress with a click of a
ID to open your phone, you are button. This way, the passwordless
using a form of passwordless login requires you to have access to
login. Keep in mind that a the actual email account associated
passwordless login doesn't with the user, providing another
necessarily mean a password layer of security.
isn't assigned to the user. Your
phone still requires you to set a
password or a PIN, but you do
not need to enter it every time
you unlock your phone.

WWW.FRAMEMAG.COM | 20
13
SECURITY MONITORING
Every day, activity takes place on your website that may indicate nefarious
activity. What are these events and are you actively monitoring them? The
next section will cover security monitoring on your website.

WORDPRESS SECURITY LOGS

WordPress security logs provide Here are a few ways WordPress
detailed data and insights about security logging helps with your
activity on your WordPress security monitoring strategy:
website. If you know what to
look for in your logs, you can 1. Identity and stop malicious
easily identify and stop behavior.
malicious behavior on your site. 2. Spot activity that can alert
you of a breach.
WordPress security logs have 3. Assess how much damage
several benefits in your overall was done.
security strategy. If your site does 4. Aide in the repair of a
get hacked, you will want to have hacked site.
the best information to aide in a
quick investigation and recovery. Now let's talk about what
acitvity you should monitor.

14
IF YOUR SITE DOES GET HACKED, YOU
WILL WANT TO HAVE THE BEST
INFORMATION TO AIDE IN A QUICK
INVESTIGATION AND RECOVERY.
1. BRUTE FORCE ATTACKS
Brute force attacks refer to the The iThemes Security Pro’s Local
trial and error method used to Brute Force Protection feature
discover usernames and passwords automatically monitors failed login
in order to hack into a website. attempts and blocks brute force
WordPress doesn’t track any user attacks.
login activity, so there isn’t anything
built into WordPress to protect you
from a brute force attack. It is up to
you to monitor your login security
to protect your WordPress site.

Luckily, a brute force attack isn’t

very sophisticated, and it is pretty
easy to identify in your logs. You will
need to record the username and
IP that is attempting to login and
whether or not the login was
successful. If you see that a single
username or IP has consecutive
multiple failed login attempts, the
chances are you are under a brute
force attacks.

16
WWW.FRAMEMAG.COM | 20
2. FILE CHANGES
Even if you follow WordPress There are several legitimate
security best practices, there is still reasons you would see new file
a chance for your site to become change activity in your logs, but if
compromised. A compromise the changes made were
means the site has had malicious unexpected, you should take the
changes, and that is why is it is so time to assure the changes were
important to stay on top of the file not malicious. For example, if you
changes on your site by recording see a change made to a plugin at
them in your WordPress security the same date and time you
logs. updated the plugin, there would be
no reason to investigate.
File change entries include files
added and removed and
modifications to existing files. Now
that you have the changes
recorded in your security logs, you
should schedule the time to audit
them. If you are an iThemes
Security Pro user, remember to
enable File Change notifications to
be notified when a file changes.

WWW.FRAMEMAG.COM | 20
17
3. MALWARE SCANS
Not only should you run malware Not recording failed scans could
scans, you should also be result in you thinking that your site
recording the results of every is being checked daily for malware
malware scan in your WordPress but, in reality, the scan is failing to
security logs. Some security logs complete.
will only record scan results that
fund malware, but that isn’t
enough. It is crucial to be alerted as
quickly as possible of a breach to
your site. The longer it takes for
you to know about a hack the more
damage it will do.

While it feels good to see the

history of a proactive approach to
security paying off, that is just a
bonus and not the reason to
record malware scans. If you aren’t
documenting your scheduled
scans, then you will have no way of
knowing if there are any scan
failures.

WWW.FRAMEMAG.COM | 20
18
4. USER ACTIVITY
Keeping a record of user activity in your WordPress security logs can be your
saving grace after a successful attack.

1. Logins & Logouts (+ When & record of who adds and removes
Where) - The first type of user plugins. Once your site has been
activity you should track is when hacked, it will easy for the attacker
users log in and log out of your site to add their own custom plugin to
and from where. Monitoring time inject malicious code into the site.
and location of user’s logins can Even if they don’t have access to
help you spot a user that is your server, your WordPress site
compromised. Did that user login can access it. Using a plugin they
at an unusual time or from a new can add redirects to your site to use
place? If so, you may want to start in their next spamvertizement
your investigation with them. campaign. After their malicious
code is executed, they can then
2. New Users - The next activity delete the plugin to remove
you should keep a record of is user evidence of their crime. Lucky for
creation. A common practice for a us we won’t miss any of it because
hacker to perform is to create a it was all documented in our
new admin user in an attempt to WordPress security logs.
be covert. It is easy for you to
notice something strange with your 4. Add/Edit Pages - Now it is time
account but it is much more to look to see if our new user has
difficult to identify malicious activity added any new or made changes to
on another user. existing pages or posts on the site.
Have they added links to send your
3. Add/Remove Plugins - We should traffic to other sites? You will be
now check to see if the new user able to see if any embarrassing
has added or removed any plugins pages have been added to the site
from the site. It is vital to make a and get them taken down.

19
WWW.FRAMEMAG.COM | 20
PLUGIN & THEMES
MANAGEMENT
Plugin and theme management play a big role in the health of your site. In this
section, we'll cover what that means.

1. UPDATE EVERYTHING
When your WordPress site is WordPress security vulnerabilities
running outdated versions of and as a bonus, it reduces the
plugins, themes or WordPress, you amount of time you spend
run the risk of having known maintaining your WordPress site.
exploits on your site.Updates are
not just for new features or bug Keep everything on
fixes; they can also include security
your site updated.
patches for known exploits. Even
though this is the easiest of the 60% of breaches
WordPress security vulnerabilities involved
to prevent, most successful hacks vulnerabilities for
use exploits that are found in
which a patch was
outdated software.
available but not
You can automate updates on your applied.
site Using the iThemes Security
Pro WordPress version
management feature. Automating
your updates ensures you get the
critical security patches that
protect your site against

20
1. AUTOMATICALLY PATCH
KNOWN VULNERABILITIES
Having software with known The improved WordPress Security
vulnerabilities installed on your site Site Scan powered by iThemes
gives hackers the blueprints they performs automatic checks for
need to take over your site. It is hard known vulnerabilities installed on
to keep track of every disclosed your site. And if a patch is
WordPress vulnerability and compare available, iThemes Security Pro
that list to the versions of plugins and will now automatically apply the
themes you have installed on your fix for you.
site.

2. REMOVE UNUSED PLUGIN

& THEMES
The PHP code on your WordPress In addition, avoid using abandoned
site should also be included in the WordPress plugins. If any plugin
WordPress security vulnerabilities installed on your WordPress site has
list. Exploiting PHP code is a common not received an update in six months
method used by hackers to gain or longer, you may want to make
access to your WordPress site, so it is sure it hasn’t been abandoned. A
crucial you reduce the risk by limiting plugin not having any recent updates
exploit opportunities. Uninstall and doesn’t necessarily mean it has been
completely delete any unnecessary abandoned, it could just mean it is
plugins and themes on your feature complete and will only
WordPress site to limit the number of receive updates to ensure
access points and executable code compatibility with the latest versions
on your website. of WordPress and PHP.
WWW.FRAMEMAG.COM | 20
21
3. ONLY INSTALL SOFTWARE
FROM TRUSTED SOURCES
Only install WordPress plugins and Avoid “nulled” or
themes from trusted sources. You bootleg version of
should only install software that you
premium plugins
get from WordPress.org, well-known
commercial repositories or directly
because they usually
from reputable developers. contain malicious
code. It doesn’t matter
You will want to avoid “nulled” how you lock down
version of commercial plugins
your WordPress site if
because they can contain malicious
code. It doesn’t matter how you lock
you are the one
down your WordPress site if you are installing malware.
the one installing malware.

If the WordPress plugin or theme it

isn’t being distributed on the
developer’s website, you will want to
do your due diligence before
downloading the plugin. Reach out to
the developers to see if they are in
any way affiliated with the website
that is offering their product at a free
or discounted price.

WWW.FRAMEMAG.COM | 20
22
 AVOID “NULLED” OR BOOTLEG
VERSION OF PREMIUM PLUGINS
BECAUSE THEY USUALLY CONTAIN
MALICIOUS CODE. IT DOESN’T MATTER
HOW YOU LOCK DOWN YOUR
WORDPRESS WEBSITE IF YOU ARE THE
ONE INSTALLING MALWARE.
WORDPRESS
SECURITY MYTHS
You’ll find lots of security advice The Top 5 WP Security
floating around the internet from Myths
well-intentioned people who
genuinely want to help.
1. You Should Hide Your /wp-
admin or /wp-login URL (Also
Unfortunately, some of this advice
Known As "Hide Backend")
is built on WordPress security
myths and don’t actually add
The idea behind hiding the wp-
any additional security to your
admin is that hackers can’t hack what
WordPress website. In fact, some
they can’t find. If your login URL isn’t
WordPress security “tips” may
the standard WordPress /wp-
increase the likelihood you will run
admin/ URL, aren’t you protected
into issues and conflicts.
from brute force attacks?

We have plenty of WordPress

The truth is that most Hide
security myths to choose from, but
Backend features are simply security
we are only going to focus on the
through obscurity, which isn’t a
top 5 we have consistently seen in
bullet-proof security strategy. While
over 20,000 support tickets. These
hiding your backend wp-admin URL
conversations were used as a
can help to mitigate some of the
basis for the following criteria to
attacks on your login, this approach
select the top myths.
won’t stop all of them.

24
2. You Should Hide Your /wp- The problem with this myth is that
admin or /wp-login URL (Also there isn’t an actual guy behind a
Known As Hide Backend) keyboard looking for the perfect
combination of theme and
The idea behind hiding the wp- WordPress version number to attack.
admin is that hackers can’t hack what However, there are mindless bots
they can’t find. If your login URL isn’t that scour the internet looking for
the standard WordPress /wp- known vulnerabilities in the actual
admin/ URL, aren’t you protected code running on your website, so
from brute force attacks? hiding your theme name and WP
version number won’t protect you.
The truth is that most Hide
Backend features are simply security 4. You Should Rename Your wp-
through obscurity, which isn’t a content Directory
bullet-proof security strategy. While
hiding your backend wp-admin URL The wp-content directory contains
can help to mitigate some of the your plugins, themes and media
attacks on your login, this approach uploads folder. That is a ton of good
won’t stop all of them. stuff and executable code all in one
directory, so it’s understandable that
3. You Should Hide your Theme people want to be proactive and
Name and WordPress Version secure this folder..
Number
Unfortunately, it’s a myth that
If you use your browser’s developer changing the wp-content name will
tools, you can pretty quickly see the add an extra layer of security to the
theme name and WordPress version site. It won’t. We can easily find the
number running on a WordPress site. name of your changed wp-content
The theory behind hiding your theme directory by using the browser
name and WP version is that if developer tools. Changing the name
attackers have this information they of the directory will not add any
will have the blueprint to break into security to your site, but it can cause
your site. conflicts.

WWW.FRAMEMAG.COM | 20
25
5. WordPress is an Insecure
Platform

The most damaging WordPress

security myth is that WordPress itself
is insecure. This is simply not true.
WordPress is the most popular
content management systems in the
world, and it didn’t get that way by not
taking security seriously.

The truth is that the

biggest WordPress security
vulnerability is its users. Most
WordPress hacks on the platform can
be avoided with a little effort from the
site owners.

Keep in mind that the number one

reason for successful WordPress
hacks is outdated software. To get a
patch for a security vulnerability, you
have to keep things updated.
WordPress even allows you to
enable automatic updates so you
don’t have to manually run updates.
But some people still don’t make it a
priority to update their sites on a
regular schedule. So these sites are
filled with outdated software that
makes them ripe for attack. When a
hacker uses a security hole it isn’t a
WordPress flaw, it is a user flaw.

WWW.FRAMEMAG.COM | 20
26
 THE TRUTH IS THAT THE
BIGGEST WORDPRESS SECURITY
VULNERABILITY IS ITS USERS. MOST
WORDPRESS HACKS ON THE
PLATFORM CAN BE AVOIDED WITH A
LITTLE EFFORT FROM THE SITE
OWNERS.
SIGNS OF WEBSITE
INFECTION
Finding yourself asking “Is my and not my home URL. From there, I
WordPress site hacked?” means log in, update my site or edit a post.
you’ll want some quick answers. In After I finish what I came to do, I
this post, we cover seven signs of often leave without looking at my
infection and what to do if you website’s home page.
discover you’ve been hacked.
The primary goal of some hacks is to
The faster you notice the signs of a troll a website or gain notoriety. So
website breach, the quicker you can they only change your homepage to
get your site cleaned up. The quicker something they find funny or to leave
you can get your website cleaned, a hacked by calling card.
the less damage the hack can do to
your website. 2. Your Website Performance Has
Dropped
Not all hacks have the same goal, so
the signs of a website compromise Your site may feel sluggish when it
will depend on the attackers motive. has an infection. You can experience
Here are 7 different symptoms you slowdowns on your website if you
need to look out for when you are are experiencing brute force
monitoring the health of your site. attacks or if there is a malicious script
using your server resources
1. Your Homepage is Different for cryptocurrency mining. Similarly,
Changes to your homepage seem a DDoS (or denial of service attack)
like an obvious sign. But how many happens when a network of
times do you actually run a thorough IPs simultaneously sends requests to
check or your homepage? I know I your website in an attempt to cause
typically go straight to my login URL it to crash.

28
If your site is running slowly, check popup hack and shared screenshots
the server access logs for an and a video of the popups. After I
unexpected number of requests. spent hours running through their
You can also use a web application website, I was not able to recreate
firewall like the one provided anything they were reporting. I was
by Sucuri to help protect your convinced that their personal
website against a DDoS attack. computer had been hacked and not
the website.
3. Your Website Contains
Malicious or Spam Popups Ads Finally, it dawned on me why I wasn’t
able to see the popups. I had installed
There is a good chance a hacker has an ad blocker extension on my
compromised your website if your browser. As soon as I disabled the ad
visitors see popups that redirect blocker extension, I was able to see
them to a malicious website. The popups everywhere. I share this
goal of this type of attack is to drive embarrassing story to hopefully save
traffic away from your site to the you from running into the same
attacker’s site so they can target mistake.
users with click fraud for Pay Per
Click advertising. The most 4. You Notice a Decrease in Website
frustrating thing about this type of Traffic
hack is you may not be able to see
the popups. A popup hack can be If you log into your Google Analytics
designed to not show for logged in account and you notice a steep decline
users, which decreases the odds of in website traffic, your WordPress site
website owners seeing them. So could be hacked. A drop in site traffic
even when the site owner logs out, deserves an investigation. There could
the popups will never display. be a malicious script on your site that
is redirecting visitors away from your
Your view of the popups can also be site or Google could already by
limited if you use an ad blocker blacklisting your website as a malicious
extension in your browser. For site.
example, a customer reported a

WWW.FRAMEMAG.COM | 20
29
 The first thing you want to look for is 6. Unexpected New Admin Users
your website’s outbound traffic.
By tracking your website with Google If your website has any unexpected
Analytics, , you will need to configure registrations of new admin users, that’s
your site to track the traffic leaving your another sign your WordPress site has
site. The easiest way to monitor been hacked. Through an exploit of a
outbound traffic on your WordPress site compromised user, an attacker can
is to use a WordPress Google Analytics create a new admin user. With their
plugin. A good Google Analytics plugin new admin privileges, the hacker is
will allow you to track specific activity ready to cause some major damage
with a click of a button. to your site.

5. Unexpected File Changes In November of 2018, we had several

reports of new admin users being
If files on your website have been created on customer websites. Hackers
changed, added or removed, it could be used a vulnerability in the WP GDPR
a sign that your site has been Compliance plugin
compromised. That’s why it is essential (vulnerability patched in version 1.4.3)
to have a notification system in place to to create new admin users on
alert you of website file changes. You can WordPress sites running the plugin. The
investigate any unexpected changes by plugin exploit allowed unauthorized
comparing the changed file to a version users to modify the user registration to
in a recent backup. change the default new-user role from
a subscriber to an admin.
Using a WordPress security plugin like Unfortunately, this wasn’t the only
iThemes Security can help you track file vulnerability and you can’t just remove
changes. Because of the number of the new users the attacker created and
notifications this setting can generate, patch the plugin.
you can exclude files and directories in
the File Change Detection settings. It is
okay to exclude directories that you
know are going to be regularly updating.
Backup and cache files are a perfect
example of this and excluding them will
reduce the number of notifications you
will receive.
WWW.FRAMEMAG.COM | 20
30
If you had WP GDPR Compliance and and iAmAwesome2019 on another site.
WooCommerce installed, your site might So the hackers were able to figure out
have been injected with malicious code. the password with a little effort.
The attackers were able to use the
WooCommerce plugin background You can also enable the Trusted
installer to insert a backdoor installer in Devices feature in iThemes Security Pro
the database. to restrict admin capabilities for logins
from untrusted devices. If an attacker
7. Admin Users Removed successfully logs into your site as an
If you are unable to log into your existing admin user–either by a brute
WordPress site, even after a password force attack or if the user’s credentials
reset, it may be a serious sign of were part of a database dump–they will
infection. not have full admin capabilities.

When the Gentoo Github repo got Even with the password being
hacked the first thing the attacker did compromised, this breach could have
was delete all admin users. So how did been prevented if the admin was using
this hacker even get into their Github two-factor authentication. Two-Factor
account? A Gentoo admin user’s authentication requires an extra code
password was discovered on a different along with your username and
site. I am guessing that the username password credentials to log in. iThemes
and password was discovered either Security Pro allows you to
through scraping or a database dump. enable WordPress two-factor using a
Even though the admin’s password for mobile app or email to receive your
their Gentoo Github account was access additional code.
different than one used on the
compromised account, it was very
similar. So this would be like me
using iAmAwesome2017 as a password
on one account

31
WWW.FRAMEMAG.COM | 20
WEBSITE RECOVERY
What should you do if your website is a complete loss? What if you've been
hacked and you can't get back in? The easiest and fastest way to come back from
a hack is to restore from a backup. Here are ten tips to create a backup strategy
and peace of mind.

ELEMENTS OF A SOLID
BACKUP STRATEGY
1. Choose a Backup Method - Find 6. Scan Your Backups - If your
a dedicated backup solution like backup is infected it won't help you
BackupBuddy. to clean your site.
2. Decide What to Backup - Your 7. Audit Your Backup Schedules - It
backups should include your is important to do periodic checks to
plugins, themes. media, uploads make sure your backup automations
and database. are still in working order.
3. Choose Your Backup Frequency 8. Practice Restoring - When things
- What is your tolerance for lost go wrong, you will need to know
data. If you are making daily how to use your backup to restore
changes to your site, you should your site.
have daily backups. 9. Know the Limitations of Your
4. Schedule and Automate - Find Environment - If you are on poor
the best time to backup your site hosting make sure your backup
and then use a backup plugin to strategy is right for your site.
automate your backups. 10. Be Prepared to Migrate -
5. Choose an Offsite Location to Sometimes the problem is the host.
Store Your Backups - Store your Knowing how to move your site will
backups in a different location than give you the freedom to move when
your site's server. things go wrong.

32
 With more of us working from
home than ever, it has never been
more important to be vigilant of
possible attacks.

PART 2: STAYING SECURE WHILE

Our friends at Cloudflare recently

WORKING
revealed that hacking and phishing
attempts have been up by 37%

FROM HOME
and, on some days, they are
blocking between four and six
times the number of attacks they
would usually see, since the start
of the COVID-19 pandemic.

Let's take a look at what you can

do to protect to create a secure at
home work environment

33
THE IMPORTANCE OF
USING UPDATED
SOFTWARE & TOOLS
Updates aren't just for cool new features and bug fixes, they can also include
critical security patches. Knowing what to update and how to update is the first
step in create secure and safe while working from home.

WHAT TO UPDATE & HOW TO

AUTOMATE YOUR UPDATES
YOUR OPERATING SYSTEM

APPLICATIONS INSTALLED ON
YOUR DEVICES

WEB BROWSERS

ROUTERS

34
1. YOUR OPERATING SYSTEM
The device you're working on has an It doesn't matter what
Operating System which you will see
other security
written shorthand as OS. The operating
system is the software that works measures you have in
between your hardware and and the place if you are
applications installed on your device.
running an older,
Your OS handles everything from print
jobs to divvying out resources such as
vulnerable version of
CPU and memory usage to the your operating system.
programs running on your computer.

Your operating system plays a major role

on any device you use. That is why it is so
important to keep the OS updated. It
doesn't matter what other security
measures you have in place if you are
running an older, vulnerable version of
your OS.

35
TYPES OF OPERATING SYSTEMS
Server OS - A server OS is an
operating system specifically
designed to run on a server. Server
operating systems are light weight
and focused network computing.
Desktop OS - A desktop OS is an
operating system designed to run on
a Desktop PC or Laptop. The three
most common desktop operating
systems are Windows, macOS, and
Linux.
Mobile OS - A mobile OS is an
operating system designed to run on
a phone or tablet. The two most
popular mobile operating systems
are iOS and Android.

AUTOMATING UPDATES
It is best practice to configure your operating system to update
automatically. Auto-updating your OS means that the latest security
patches will download and install on your device without you
needing to do anything.

36
HOW TO SET AUTOMATIC
UPDATES IN MACOS

1. On your Mac, choose Apple menu > System Preferences, then

click Software Update.
2. To automatically install macOS updates, select “Automatically
keep my Mac up to date.”
3. To set advanced update options, click Advanced, then do any
of the following:
To have your Mac check for updates automatically, select
“Check for updates.”
To have your Mac download updates without asking, select
“Download new updates when available.”
To have your Mac install macOS updates automatically,
select “Install macOS updates.”
To have your Mac install app updates from the App Store
automatically, select “Install app updates from the App
Store.”
To have your Mac install system files and security updates
automatically, select “Install system data files and security
updates.”
4. Click OK.

37
HOW TO SET AUTOMATIC
UPDATES IN WINDOWS 10

1. Open Settings
2. Click on Update & Security
3. Click on Windows Update
4. Click the Advanced Options button

38
HOW TO SET AUTOMATIC
UPDATES IN ANDROID

1. Open Settings
2. Tap on Software
Update
3. Tap Download
Updates
Automatically

39
HOW TO SET AUTOMATIC
UPDATES IN IOS

1. Open Settings
2. Tap or Click on
General
3. Tap or Click on
Software Updates
4. Tap or Click on
Automatic Updates

40
 2. APPLICATIONS INSTALLED
ON YOUR DEVICES
Your next line of defense is to keep the applications you install on your
devices up to date. You can set your apps to auto-update if you
downloaded them from your operating system's app store.

HOW TO SET YOUR HOW TO SET YOUR

ANDROID APPS TO AUTO MICROSOFT STORE
UPDATE APPS TO AUTO
UPDATE
1. OPEN THE GOOGLE PLAY STORE APP.
1. SELECT THE START SCREEN, THEN
2. TAP MENU > SETTINGS. SELECT MICROSOFT STORE.

3. TAP AUTO-UPDATE APPS. 2. IN MICROSOFT STORE AT THE UPPER

RIGHT, SELECT THE ACCOUNT MENU
4. SELECT AN OPTION: (THE THREE DOTS) AND THEN
OVER ANY NETWORK TO SELECT SETTINGS.
UPDATE APPS USING EITHER WI-FI OR
MOBILE DATA. 3. UNDER APP UPDATES, SET UPDATE
OVER WI-FI ONLY TO UPDATE APPS APPS AUTOMATICALLY TO ON.
ONLY WHEN CONNECTED TO WI-FI.

HOW TO SET YOUR HOW TO SET YOUR IOS

MAC STORE APPS TO APPS TO AUTO UPDATE
AUTO UPDATE 1. OPEN SETTINGS.

1. OPEN THE APP STORE 2. TAP [YOUR NAME].

PREFERENCES.
3. TAP ITUNES & APP STORE.
2. CLICK THE AUTOMATIC
UPDATES CHECKBOX. 4. TAP APP UPDATES TO ENABLE
AUTOMATIC UPDATES.

41
 3. WEB BROWSERS
With more of our work being done in the browser it has never been more
important to keep your browser up to date. If you didn't get your desktop
browser (like Safari) from your operating system app store, you will need to
make sure it stays up to date.

HOW TO UPDATE CHROME HOW TO UPDATE EDGE

1. ON YOUR COMPUTER, OPEN CHROME. 1. ON YOUR COMPUTER, OPEN EDGE.

2. AT THE TOP RIGHT, CLICK MORE . 2. ON THE TOP RIGHT CLICK THE
MENU ICON.
3. CLICK UPDATE GOOGLE CHROME.
Important: If you can't find this button, 3. ON THE TOP RIGHT CLICK THE
you're on the latest version. MENU ICON.
4. CLICK RELAUNCH. 4. CLICK ABOUT MICROSOFT EDGE.
The next time you restart your
browser, the update will be applied.
5. CLICK UPDATE.

42
4. ROUTERS
The United States Air Force knows what can happen when
you don't secure your router. A dumb security flaw let a
hacker download US drone secrets, which could have been
easily prevented.

The vulnerability allowed anyone to use the router's FTP

server using the username: admin and password:
password. The hack could have been prevented by either
applying the security patch that had been released prior to
the attack or updating the default passwords.

Always Change the Default Username & Password

A would be attacker can easily find your default router
login details, so it is crucial for you to update the username
and use a strong password.

The instructions to update your router's firmware will vary

by device. Locate your router's Manufacture and model
number, which can typically be found on the back of your
router. Go to the manufacture's website to find how to
update the firmware.

43
PROTECTING
YOURSELF AGAINST
PHISHING
Cybercriminals are taking advantage How do phishing attacks work?
of the uncertainty and the increased
stress that the pandemic has caused Email is the most common tool used
all of us. Not to mention that we all in Phishing attacks. The attacker will
have received an increased number disguise the email to look like it was
of emails due to updates regarding sent from a legitimate company. For
COVID-19. example, an attacker could craft an
email to look like it was sent from
Phishing is a method of cyber-attack your bank.
using email, social media, text
messages, and phone calls to trick
the victim into giving up personal
information. The attacker will then
use the information to access
personal accounts or commit
identity fraud.

Another goal for a phishing attack is

to trick the mark into downloading
and installing malware on their
personal device.

44
HOW TO SPOT A PHISHING EMAIL
1. Look at the from email address Everyone makes mistakes, and not
- If you receive an email from a every email with a typo or two is an
business, the portion of the sender's attempt to scam you. However,
email address after the "@" should multiple grammatical errors warrant a
match the business name. closer look before responding.

If an email is representing a company 3. Suspicious attachments or links -

or government entity but is using a It is worth pausing for a moment
public email address like "@gmail" is a before interacting with any
sign of a phishing email attachment or links included in an
email.
Keep an eye out for subtle
misspellings of the domain name. For If you don't recognize the sender of an
example, let's look at this email email you shouldn't download any
address [email protected]. We attachments included in the email as
can see that Netflix has an extra "x" at it could contain malware and infect
the end. The misspelling is a clear sign your computer. If the email claims to
that the email was sent by a scammer be from a business, you can Google
and should be deleted immediately. their contact information to verify the
email was sent from them before
opening any attachments.
2. Look for grammatical errors - An
email that is full of grammatical
If an email contains a link, you can
mistakes is a sign of a malicious email.
hover your mouse over the link to
All of the words may be spelled
verify the URL is sending you where it
correctly, but sentences are missing
should be.
words that would make the sentence
coherent. For example, "Your account
is been hacked. Update password to
account security".

45
4. Watch out for urgent requests
- A common trick used by
PHISHING
scammers is to create a sense of CHECKLIST
urgency. A malicious email might
manufacture a scenario that needs
immediate action. The more time CHECK SENDER'S
that you have time to think, the EMAIL ADDRESS
greater the chance you will identify
LOOK FOR
the request is coming from a
GRAMMATICAL
scammer.
ERRORS

You may receive an email from your WATCH FOR

"boss" asking you to pay a vendor SUSPICIOUS
asap, or from your bank informing ATTACHMENT & LINKS
you that your account has been
BE WARY OF
hacked and immediate action is
URGENT REQUESTS
required

46
SECURE YOUR INTERNET
There has never been a better time 2. Use a VPN - A VPN, or Virtual
to do an audit of our internet Private - Network is used creates a
security. Now that some of us are secure connection to another
working from home for the first network over the internet. Using a
time. We no longer have the VPN will keep whatever you are
protection that our office IT looking at on the internet private.
provided, and it is our responsibility
to protect the sensitive information 3. Use an Ad Blocker - A good ad
we have trusted with. blocker doesn't will not only block
ads but will prevent your from
Luckily for us, there are some easy visiting known phishing and malware
things we can do to increase the sites.
security and privacy of our internet
traffic drastically.

1. Update Your WiFi Password -

Some manufacturers use the same
default passwords for all of their
devices.

If you are using the password that

came with your WiFi router, it is time
to update your password.

47
SERVER SECURITY
Server security isn't something that is always on the top of our minds.
However, sever security is a critical part of every security plan. Here are
some tips that you can use to start securing your server today.

CHOOSE THE RIGHT WEB HOST

Not all web hosts are created equal and choosing one solely on price
can end up costing you way more in the long run with security issues.
Most shared hosting environments are secure, but some do not
properly separate users accounts.

Does your host:

Update server software regularly?
Does your host enable logging?
Does your host offer sFTP?

48
HTTPS & SSL
SSL encrypts the communication that your customers type in their
browser and send to your site. With SLL, when someone enters
their account name and password, it will be protected when that
information is sent to your site’s server for confirmation.

Encrypting the username and password will make it harder for an

attacker to intercept the username and password in transit from
their browser to your server.

USE A CDN & WAF

A WAF or Web Application Firewall Encrypting the username and
helps protect web applications by password will make it harder for an
filtering and monitoring HTTP traffic attacker to intercept the username
between a web application and the and password in transit from their
Internet. browser to your server.

It typically protects web applications A content delivery network (CDN)

from attacks such as cross-site refers to a geographically distributed
forgery, cross-site-scripting (XSS), file group of servers which work
inclusion, and SQL injection, among together to provide fast delivery of
others. A WAF is a protocol layer Internet content
7 defense (in the OSI model), and is
not designed to defend against all A properly configured CDN may also
types of attacks. This method of help protect websites against some
attack mitigation is usually part of a common malicious attacks, such
suite of tools which together create as Distributed Denial of Service
a holistic defense against a range of (DDOS) attacks..
attack vectors.

49
WRAPPING UP:
A SECURITY CHALLENGE
We covered a lot of ground in this ebook, from securing
your WordPress website to working securely from
home. By adopting a few best practices and adopting
good habits, you can greatly strengthen your defenses
against the most common types of attacks.

Ready to take the challenge? Right now is a great time to

do a security audit of your website and work-from-home
setup to be sure your are using security best practices.
Let's go!

50
 READY TO TAKE THE CHALLENGE?
RIGHT NOW IS A GREAT TIME TO DO A
SECURITY AUDIT OF YOUR WEBSITE
AND WORK-FROM-HOME SETUP TO BE
SURE YOUR ARE USING SECURITY BEST
PRACTICES.
THE #1 WORDPRESS SECURITY PLUGIN

Get started with our single site iThemes

Security Pro plan for just $49* with coupon
SECUREMYWP
code SECUREMYWP

LEARN MORE

*Offer good on any *new* iThemes Security Pro (1 site) plugin

purchase. Coupon can't be used to renew or extend an existing
iThemes Security Pro (1 site) plugin membership.