How Security Incident Response Planning Protects Your WordPress Site
5:30PM Apr 17, +0000
Speakers: Nathan Ingram, Kathy Zant
Keywords: security, site, plan, hacked, vulnerability, kathy, wordpress, plugin, compromised, incident response plan, hosting provider, backups, incident, clean, information, solid, malware, incident response, business, hacker
Again, welcome if you're just joining us. Hey, Rob from Chicago, welcome. Hey, Oliver. Oliver has a plan. Good deal. That's great.
All right, captions should now be connected for everyone. Welcome, welcome. We're just chatting back and forth a bit about what's going to be coming up in the next hour. About five minutes away from getting started live. Sue says her plan is called Kathy. A classroom in Arkansas, welcome. Alright folks, if you would like the links for today, I'm dropping the link bundle in the chat once again. Therein you'll find today's slides, an audit checklist, and a publication from the NIST all about these things. We will be recording this live stream. It will be available about an hour after we wrap up at the link that is also there in the chat. As you're coming into Zoom, open up that Zoom chat, say hi and tell us where you're logging in from today. It's good to see folks logging in from around the world already today. We're about four minutes away from getting started. Stacey, you're right. Knowing who to call is part of the response plan. Indeed. It's great to see everybody coming in. We'd love to welcome you if you just check in there in the chat. Say hi and tell us where you're logging in from. Also let us know: do you currently have a security response plan? Hey, Tanya from Finland, welcome. Do you currently have a response plan?
calling Ghostbusters is not included.
So Sue said she actually built one after the LastPass fiasco. Gosh, that was 2022. Has it been that long ago? Is that right? I think so. 2022? Yeah,
yeah. Yeah. August 2022. Wow.
But a while. Welcome, Marcus from the Netherlands. Glad you're here. Rob, that's awesome. Rob says, "I think I have a plan," and after this live stream he'll know if he's correct. That's great. Love it. That's great. All right, folks. Welcome again if you're just joining us. Pardon me, we're a little less than three minutes away before we get started with Kathy Zant talking about incident response planning. If you're a website owner, a lot of great information is coming. Let me drop in our link bundle once again. Sarah, you're coming in as a panelist. I don't think Sara meant to do that. Okay, so yeah, Sarah, I think you're using the admin login, so if you register as a participant... Yep.
Sarah is amazing. Everybody should say hi to Sara.
Sara, so many of you have interacted with Sara either in the ticket system or just with some Solid-related customer service issues. And she is great to help with all those things. Once again, the link bundle is in the chat. You can download today's slides. Also the audit checklist that Kathy will be talking about as we go, and the replay link. We'll have this recorded again starting in about a minute and a half from now. We'll have that up. Hey, Jean from Canada. Welcome. Sherry. Good to see everybody. We are just about to get started, just about a minute to go. Our check-in question today is: do you currently have a security response plan for either your personal WordPress site or a site that you're managing for others? Let us hear from you in the chat. Yes, no, maybe, not sure. We're gonna have a lot of good discussion about just exactly how to create such a plan. Heather has a plan. Excellent. Yeah, there's a lot of "not really"s and "sort of"s about the plan, and that's why we're all here. I definitely have. Marcus, same. I think I know what I would do. But I don't have a written-out plan for how we should respond. And that's probably something we should have. All right. 30 seconds to go, folks. We're just about ready to go. If you're just joining us in Zoom, open up the chat, you can chat and say hi. I'm dropping in once again our link bundle that has today's slides as well as an audit checklist. Great download from the NIST about computer security incident handling. We're just about ready to get started.
All right, Kathy, are you ready to go?
I'm ready.
All right. Well, let's start the recording and we'll dive in. Well, welcome everyone. Good evening, good morning, good afternoon, wherever you happen to be around the world. Welcome to another Solid Academy livestream. My name is Nathan Ingram. I'm the host here at Solid Academy and joined once again by my friend Kathy Zant, WordPress security guru extraordinaire. Welcome back, Kathy, how are you?
I'm great. It's always good to come and hang out with you and the whole crew at solid. Thanks for having me, Nathan.
Absolutely. So Kathy, you're no stranger at all to our live streams here on Solid Academy, but for those who don't know you, let's just say you've been around the security world in WordPress for quite some time. You want to give folks just a brief overview of some of the roles you've played in the security world?
Yeah, well, the first hack I experienced was in the 1990s. I inherited a server from the technical person, and I was the marketing person who was getting a website up, and because I inherited the server, I assumed the technical person had it secured. They sent me to security school, so I have been around the security space longer than WordPress has even been around, actually. And of course, as WordPress hacks happened, I had all of that experience and all of that know-how from before that applied to cleaning up hacked sites, and I started really doing it in earnest just for fun. It was kind of neat to see. I'm weird. I think malware and hacked site investigation is actually fun. I love to see what clever ways hackers break the rules. So I was doing it for fun. And then all of a sudden, I was like, I don't want a full-time job, I'm just doing this for fun. And then all of a sudden, I wake up every day and, how did I get here? But it's great. I have a great time. And I love empowering people who haven't gotten to some of those experiences with the stories that I've experienced. I want to empower everyone who's here so that you can apply the lessons from those stories without having to go through it the hard way.
Yeah, that's absolutely great. So over the next hour, we're going to be talking about security incident response planning. What in the world is that, and why do I need a plan?
Yep, that's what we're going to be talking about. Incident response planning sounds very boring. But actually going through the process of doing this really helps you understand your site's security. It's almost like getting the topography of everything that touches your site. So it's really important to do. It's something that security professionals do all the time. This is part of Security 101 that you don't hear about a lot as it applies to WordPress sites. So we'd like to change that.
Yeah, very good. All right. So we'll be talking about this subject here over the next hour, folks. Let me do a couple of housekeeping notes, and I'll turn it over to Kathy to get us started on this issue of security response planning. I'm going to drop it in the chat if you're just joining us. The link bundle is now back in the chat. You can open up the Zoom chat and see that you can download today's slides at that first link and follow along with Kathy as she presents. Also, Kathy will be sharing a security checklist that you can access with that second link at zant.com. If you're watching this on the replay, all these links are down below the video. There's also a link we've supplied that's a PDF of the Computer Security Incident Handling Guide from the NIST, a federal agency here in the United States. This is also being recorded. So if you'd like to go back and rewatch any part of this, or share it with someone else, we'll have the replay up about an hour after we wrap up. The last thing I'll mention is this is of course a live stream and we invite your questions. We'll have a good time of Q&A as we wrap up today. And to ask a question, please do not use the webinar chat. Instead, mouse over the shared screen and click on the Q&A icon. And there in the Q&A is where you will ask your questions. I'd encourage you just to leave that open throughout the livestream today, because as other people ask questions, and you also have that question, you can click the thumbs up icon. And we'll take those questions in the order of upvotes when we wrap up the presentation today. So with that, Kathy, I'll disappear and let you get into it.
Awesome. Thanks, Nathan. All right, everyone, thanks for being here. We're going to try to make this as fun as possible. You know me, I'm not here to have a dry, boring security conversation. So we're gonna have some fun with the movie Airplane!. Because when events happen in the airline industry, if you're ever working for an airline, when events happen, bad things happen, with people falling out of the sky, and we don't want that, so they take incidents and security incidents very, very seriously. So we're gonna use the movie Airplane! as kind of a way to add some levity to all of this. It's interesting. One of the first jobs I had was helping an airline get their website up. And sure enough, as soon as the marketing people had the website all up and going, IT came over and wanted to have a word. They wanted to apply all of these security principles and availability principles, all of the stuff that, you know, we deal with in operations for IT. They wanted a word. So these are not principles that are new. These are things that have been used in the security space for a very long period of time. But you know, here I'm talking about the WordPress space so much. You hear a lot of stories about sites that get hacked. And you get a lot of stories about people who are shocked that this could happen, that a vulnerability could exist in a plugin or a theme. How did they get into my site? And people are shocked that this happens. And so I want to kind of change our mindset on this just a bit. Just some background on me. I was a developer for many years. I've cleaned over 3000 hacked WordPress sites over the course of a few years. I've been to DEF CON. I went down an elevator or an escalator at Caesars Palace and there are Russian hackers behind me and Chinese hackers in front of me and I'm just like, what am I doing here? But yeah, the security space is super exciting. Things are always changing very quickly.
I've also led some incident response initiatives for some very major WordPress hacks, and so I've learned a little bit about what goes into an incident response, and so I'll share that information with you so that you can better plan. First, let's talk about what a security incident is. You're gonna hear me talk about integrity, confidentiality and availability a lot throughout. This is a tenet of information security. It's not just about websites. CIA: confidentiality, integrity and availability. Anything that compromises that is considered an incident. Now, one event, a security event, this might be someone who's brute forcing, trying to log in, but it's not somebody who is a valid user. Something small like that can be an event. And something that's different from an incident or an event is a breach. A breach is an incident that results in confirmed disclosure. We know that they've gotten through our defenses and that our data has been exposed. So these are all terms that are important as you're thinking through what could happen to your asset, your WordPress site, as it exists on the internet. Here's the CIA triad. It has nothing to do with the three-letter government agency, but confidentiality, that we have our users' data and we're protecting that; integrity, that the system has no problems associated with it, that it has integrity; and then availability, that the system is available to the users who need to use it. So this is what we are trying to protect as security professionals. And you might not feel like a security professional. But if you are the only one who's in charge of managing a site, you're a security professional. If there's no one else, guess what, you get to wear that hat too. I know you're excited about that. Why do you need an incident response plan? Well, have you ever been in a car accident? Have you ever been in any kind of event that has been scary, that has compromised something important to you? If you are in a car accident or something bad happens on the road, common sense goes out the window. It kind of looks like the movie Airplane!. Everybody's panicking like crazy. And what happens when you panic? You aren't thinking straight. You aren't thinking about, you know, who do I call? You're not thinking about what needs to be had. You just want it to stop. You want the malware to be gone. You want the intrusion to stop happening. But you're not thinking through all of the different dependencies that exist and the confidentiality, the integrity and the availability of your system. When you plan for it, when you're thinking clearly, when we're sitting here around a nice Zoom campfire thinking about what could possibly happen to our site, then it's a little bit different. We're thinking clearly. We have those plus or minus seven tidbits of information that we can take in. When you're under stress, you can't take in all of that information. You pick up one thing, and the one thing is: please make it stop. You can't think clearly. So that's why we have to plan for events like this to happen. Why is this important? Well, if you are running a WordPress site for a small business, that is maybe a website that's taking in information or taking in commerce, or you have customers who are logging in frequently, or students in an LMS system, or perhaps a business that needs to have its reputation upheld and they're getting tons of search traffic that goes into various funnels. It's an asset. It is something that is driving business. It's something that is bringing in money. And let's just look at the stats. According to the National Cyber Security Alliance, 60% of small businesses go out of business within six months of a data breach. Now this isn't, you know, all WordPress data breaches. This is data breaches as a whole.
But still, if something happens with WordPress, what happens with, you know, the bank account, what happens with all these other things? WordPress is a great testing ground because it is the most popular content management system out there. It is a great place for you to practice good security hygiene, to learn new things, because you can take everything that you're learning and you can apply it to all aspects of the business. So it's really important for us to consider the security of our WordPress site and everything else in our business. Now AT&T, of course, they sell security solutions as well, but they did a study and they found that companies that proactively have security policies have better growth. They had 24% sales growth over three years and 20% profit margins. Whereas companies without active security policies had 6% growth and 3% profit margin. If you sell sites to other people, I want you to take this slide. Take all the information off of it. I don't claim ownership; this is other people's data, but you take this information and you use this in your sales and in your conversations with your customers about why security is important and why you prioritize it. Security then becomes a differentiator for your business. You are proactively helping not just your customers secure their site better, not just developing a better WordPress site, but you're thinking about their business as a whole. There's a lot at stake when it comes to security. Now what we're trying to do here with incident response is we're trying to help our business and help our clients make better decisions so that they can manage the risks before a security event or incident happens, so you can protect the entirety of the business. I can talk about one specific incident. It was a pretty huge hack. It was on the news. And that business ceased to exist shortly thereafter. And the WordPress hack was just a reused password. You know, we all know better, right?
But because security wasn't prioritized by that business, they were able to pivot into various other areas of the business, and they went out of business. They were no longer in business within, I think it was, less than six months. But it was a massive impact. Just one reused password on a WordPress site that turned into the destruction of an entire business. I know it sounds far-fetched, but I'm under NDA, so I can't tell you who it was. But it did happen. And it can happen. It has happened.
Let's talk a little bit about the incident response cycle as it's defined by NIST and various other security organizations. So this is not just like, okay, I've got the plan. The plan has to think through a lot of different phases. So you want to prepare for security events and security incidents. You want to plan for adequate detection. You want to plan for the containment of any kind of threat or any kind of breach. Then you're going to have a post-mortem post-incident. You're going to see what happened, what went wrong here. And then that is going to feed into preparing for the next incident. You hear a lot about, you know, if my site gets hacked, well, I'll deal with that. If my site gets hacked, I'll just restore from a backup. If my site gets hacked. And I want you to start thinking about when your site gets hacked, not if, because it will get hacked. Security events will happen. You know, bless us all if it doesn't, but if you plan as if, when I am planning for when this is going to happen, this is how we're going to handle it. This is what we're going to do. This is how we're going to detect it, so that the hacker's not in the site for six weeks or six days or even six hours, that they are in there for six minutes. We know about it and we respond and contain that and solve that problem quickly so that our customers never know, so that Google never knows, so that the CEO just gets the post-mortem. And there isn't a long, drawn-out repair process. When we can think through the entire cycle and think about when our site is going to get hacked, we are going to be more able to respond. So again, preparation is assessing the risk: what is at stake? Put together a communication plan: who needs to know what, and when do they need to know it? Who is responsible for containing things, who's responsible for communicating things, and then detecting anything that's not normal?
Now, obviously, there is background noise on the internet at this point that is brute force attacks. It's just, you know, the white noise of the internet, I guess, or the choose-a-color noise, whatever it's going to be. It's just there. Brute force attacks, or just, you know, bots. It's always happening. What's normal, what's not normal? What is unusual, what do we need to respond to? Containment of the threat: how do you stop the hacker immediately, stop the threat immediately? Getting rid of the malware, getting rid of the problem, the vulnerability, identifying the root cause, how someone got in. You know, there's plenty of hacked site services that will just clean up the hacked site for you and you're done with your hack. Okay, that's over. But what did you learn? Did you learn how the hacker got in? How'd you figure that out? Did you go through a log file analysis and really look at it? Have a plan for who's going to be responsible for all that. Then of course, you have to recover the systems, bring them back to normal, and then of course feed into the next incident response plan and figure out the lessons to be learned. You're going to want to prioritize communication. Every incident response that I have ever been on, you have a core team of people who are doing the investigation. You have people who are doing the eradication, getting rid of the malware, figuring out what vulnerability was exploited and patching that vulnerability. There are people who are heads down working. And then there are people who want to know what's going on. There are people who need to know what's going on. There are people who must know what's going on, and decisions need to be made about all of that. You really need to prioritize communication planning as a part of this. Who's in charge of communication? It's not the person who's doing the eradication. It's not the person who's reviewing the log files.
A lot of times it was me who was in charge of communicating, because I could take technical data, and the people doing the work didn't have to explain so much to me because I did have a technical background, but I could take that information and then relay it to non-technical people, to CEOs, to marketers, to PR people. When you have a big security incident happening and it's on the news, there are going to be people who are going to be asking questions of the marketing folks, of the PR folks, the communication folks, and they are going to have to be able to communicate about what's going on in a way that makes sense and isn't incendiary, and shows that the communication team and the incident response team have everything under control. Think about a national event. When there's an emergency, a national disaster happens and everybody wants to know what the heck is going on. What pops into my head here is Hurricane Katrina, a huge national disaster, and everybody in the media was wanting to know what the heck was going on, and who's died, what's at stake. And you need to have someone who communicates that and puts everybody at ease and keeps everyone calm and gives the responders room. You know, you don't want to talk to every single fireman who's trying to rescue people. They're busy. So just like with that, your incident is an emergency for your particular website, for your business. You have to think through who is going to be in charge of communication, and how will they get information. So it's very important to prioritize that. All right, let's start talking through some of these questions now. I can't give you, like, here's everything that's going to have to happen with your site. Your businesses are all different. Some of them are ecommerce, some of them are courses. Some of them are brochure sites. Some of them are for very large organizations.
Some of them are for educational institutions, small businesses, all sorts of various different stakeholders, different needs, different
everything. It's so different. So I can't say, like, here's the template, but I can give you some things to think about. You need to start putting together a plan of who is on the incident response team and what their roles are, and what systems are involved. Now, if you are hosting at a hosting company, how do you contact them? Do you have a phone number? Who can you contact there? What kind of relationship do you have? You see, like, all the different permutations of what can happen? But you need to have all of this in the plan because remember, when the incident is happening, everybody's pulling their hair out. Nobody knows where the FTP password is, and the incident response team needs to know where that information is. They need to be able to get into the hosting panel. Someone needs to be able to contact the hosting provider and let them know what's going on. You need to be able to get into WP admin, but what if that's down? Do you have all of the information for access available? I can't tell you how many sites I've cleaned personally that were delayed in getting the malware out of there because they didn't know their hosting password. They didn't know their FTP password. There was no way to delegate. All of these types of things need to be considered. So who, then, is on the IR team? What systems are involved? And the contact information of everybody that needs to be informed. Then you need to identify what reporting tools you have. Now obviously Solid Security has some reporting in it, but there's other reporting tools as well. What are you using and what can you use in order to provide information to the people who need to have it? And of course, risk assessment is something that you should be doing fairly regularly. This is looking at all of the vulnerabilities that exist not just in WordPress, but that exist in PHP and web servers, all of these types of things.
That may be something that's delegated to your hosting provider and they handle all of that for you. But ultimately, WordPress gives you the freedom and the flexibility to own your site. That means you have the ultimate responsibility to make sure you know what things the hosting company takes care of in terms of risk assessment. There was a release just this last week, and there was this huge vulnerability in firewalls, Palo Alto firewalls. It's like a 10 out of 10. Of course, me being the security geek, I was reading up all about it and, you know, hugging apps over Saturday. Like, wow, this has got to really stink. I'm sure if you do that work right now. You don't need to worry about that. But does your hosting provider handle all of that? You need to know. Does that have any impact on your site, and does your hosting provider have any kind of exposure there? Those types of things. You just need to be aware of the topography of the land that surrounds your WordPress site. It's not just about WP admin. It's about managing the hosting provider. It's about managing all of the people who are using the site. If you have lots of users, what do they need to know? Do you need to lock them out when the incident is underway? And how do you communicate to someone who is a contributor or an editor and they don't really have anything to do other than posting content? What do you tell them about what's happening when an incident is happening? Do you have a template email ready to go saying there's going to be downtime for the next few hours? We know you might have some work that you need to do, but please check in tomorrow. If you have any questions, let us know. Who is sending that email to those types of contributors and editors to make sure that they just kind of step off? You don't want somebody accessing the site when an incident is happening. Having all of that planned out is going to save you lots of trauma when everybody's hair is on fire and you're trying to figure it out.
You just take the plan out and you get to work implementing that plan. Of course, documenting everything, knowing all of the systems that are in place, how things are structured, how to access them. And then let's talk a little bit about backups. Lots of people are like, oh, the hosting provider handles all of that. Oh, I've got my backups. They are written up to AWS and I know they're fine. When was the last time you tested your backups? Because if you have an incident that happens and you have a backup from 15 minutes before the intrusion and you can just wipe it out, lock down the vulnerability, that saves you a lot of time. But what happens in the middle of an incident when you go to that backup and you realize, oh my gosh, that backup process hasn't been running for six weeks, what's going on? It's always good to do your auditing and make sure that you have clean and tested backups, make sure that you can actually restore from them, that that's an adequate process. And then you have to train everyone that's involved in an incident response. So everybody on that team needs some kind of training, which leads us to "practice makes preparedness." God, that sounds so hokey. I think they pulled that out of a government document. To be prepared, you have to practice. So in the security world, we do something called tabletop exercises, where we actually pretend the site's hacked. We pretend that a hacker is in the house, and what are we doing? You know, in the military, they do drills like this. They don't tell people it's just a drill. It's happening. Here we go. This thing is happening and you need to respond. You will see very quickly where your plan isn't good enough when you put it into practice. Oh, well, we didn't think about the front office, that they log in and do all of this stuff. It becomes extremely apparent as soon as you practice. And if you're not quite sure how to practice all of that stuff...
You can hire someone called a penetration tester. And they will actually look for real vulnerabilities in your system, as long as you tell them where the scope is and say, go for this WordPress site and try to find a vulnerability there. Or you could say just try to find a vulnerability anywhere, and they might try to socially engineer someone into giving up a password. You can really see where some vulnerabilities happen there. These are called red team exercises. Blue team is the defensive side in security, and the red team exercise would be something where you hire security professionals, an ethical hacking team, to actually attack you. And they will show you so much about where your vulnerabilities are. So when do you practice? Well, as soon as you have your plan. Time to practice; let's see if we can actually put this in place. Let's pretend a hack is actually happening. But you should also practice every time you're adding new services, you're adding new systems, you're bringing a new website online. Let's add that to the incident response plan and let's practice and see if we have really thought through everything that is being touched here. When you're adding new staff is a wonderful time to test for this, because they need to know what's happening with an incident and what needs to happen. And then once you go through a practice, it's of course good to report on your practice as if it was a full incident response. Like, go through the actual reporting, lessons learned, and then improve your incident response plan.
Now detection, like I said before, it's really important to understand what normal baseline behavior is. What's background noise? What's you know, some jerk always trying to log in? Is it what's normal and what's not normal? Now, you can have things called attack precursors, and these might be probing bots. And this might be like going just going over a log files and you you know, have a procedure where you're looking at log file files fairly regularly. If you're doing a security auditing every quarter as I recommend, then you know what log files will typically look like. You might see something weird like, Huh, I wonder what this weird request is. This could be a probing bot looking for a vulnerability and you can get targeted spear phishing. Emails, lots of spear phishing emails happening, where people are like, sending spoofed emails that look like they're coming from the CEO saying, I need you to pay this bill right away. But it's not from the CEO, those types of things. But those kinds of attacks can be you know, much broader on an organization it might not just be about WordPress, it could be the entire organization under attack. And we want what we want to do with detection is we want to know what's normal. And then we want to look for indications that our site's been compromised or indications that we're under attack. So we're looking for attack precursors, we're looking for any indications of compromise, any unusual logins, any malware that's been detected on the site. Anytime your site is not under heavy traffic, but your resources are spiking through the roof, something's going on and that should be investigated. Anytime do your files. Get changed? And you know, you didn't update any plugins yesterday, but look at all these weird new files. 
Any kind of user reports. That's the worst, when a customer calls and says, hey, I tried to visit your site and it wanted me to update my Adobe Flash Player, or something like that. You know, that's the worst. Bounced emails can even be a sign that there is a problem. So you need to define what normal baseline behavior looks like, and then you need to put together a list of things that look abnormal. What are your reporting tools telling you? What is the SolidWP plugin telling you in terms of file changes, in terms of unusual logins, in terms of all of the reporting that happens there? So, you know, build all of that into your detection routines. Then it's time to contain things, and you need to plan for how things are going to be contained. You need to verify what's happened and then prevent the situation from getting worse. So then you have to determine: is the site under active attack? Does the site need to be taken down? If you get a call from a customer, or you notice that your site is redirecting visitors to a bad neighborhood of the internet, perhaps you do want to take things down until you can make it stop doing that. You don't want to have the problem affecting more than what it already has. So we want to stop the problem from getting worse, right? So if people are getting redirected, you might want to take the site down. If you notice an intrusion and the worst thing that's happening is somebody has, you know, spam links on some blog posts, maybe you can leave that up and just, you know, clean it, replace the site with a clean version, that type of thing. Each attack is different. Each indication of compromise is different. So you're going to have to make determinations based on each of those different permutations. Then we need to understand: what can we learn from the attacker?
Was this a targeted attack that could affect the business further, or was this just general bot malware, where we were just caught up in a vulnerability and, you know, we can see other people who have had the same type of vulnerability compromised? We need to prepare evidence for communication: the person who's going to be standing in front of the media, should that have any effect on you. You're going to have to prepare log files, IP addresses, malware hashes, go on VirusTotal and figure all of that out. Get all your timestamps. It's a crime scene. There's been an intrusion. Somebody didn't break into your house, or maybe physically break into your office, but they broke into your digital asset, and as far as security professionals are concerned, who are trying to protect the confidentiality, the integrity and the availability of your systems, it's a crime scene. So what do you do? You gather evidence. You don't go start ripping out malware and deleting malware; you preserve that evidence. You make a backup, you label it hacked so nobody ever tries to restore it, and you preserve the evidence of everything that you're finding as forensic data that can be used if you're ever in a lawsuit, because customer data, you know, they got into your WooCommerce and put a JavaScript scraper in there and were stealing credit cards and the PCI DSS people want to talk to you, that type of thing. You want to preserve the data and you want to enforce a chain of custody because it is a crime scene. You want to make sure that you know where the backups are going to go. You need to plan for this. Where is all of this information going to be stored, and who is responsible for ensuring that the integrity of the forensic evidence is kept? This does not sound fun, does it, at all? But it's important. If your site is hacked, it can be considered a crime scene and you may need to use evidence in the future on it. Then of course, you have to get rid of the problem, right?
You have to figure out the intrusion vector, which is the vulnerability that was exploited, whether that was a password that was reused or an actual software vulnerability. So how did they get in? Anytime you're doing any kind of eradication, you have to assume that backdoors have been placed throughout the site. You have to assume everything in that hosting account has been compromised. So if you've ever been on a live stream with me and heard me say don't put 35 sites in a cPanel, this is why: because if there's one site that has been compromised, you must assume that everything that is in that cPanel has been compromised. You have to assume that the hosting account could have been compromised until you can prove otherwise. Assume everything is dirty until you can prove that it's clean. Once you have the site all cleaned up and everything, then you change passwords on everything. That includes your MySQL password, your hosting account password, FTP passwords, SSH passwords. Every password needs to be changed. You have to assume that that entire account has been compromised. Backups: you'll have to go over your backups and determine, first of all, when you determine the intrusion vector, you'll know when it happened. And you're going to have to assume that if backups are being held on the server, those have been compromised, but you'll be able to tell which backups are clean and which aren't once you have identified the intrusion vector, when it happened, and what malware. You'll see timestamps, although don't rely 100% on timestamps; those can be messed with once a hosting account has been compromised as well. But all of the bad backups, what's the plan for that? You have to put that in the plan.
Make sure you delete all of the bad backups, so if a backup has been taken with malware in it after an intrusion, you want to make sure you delete those backups so that they are not inadvertently restored. And again, just assume every single password has been exposed. And then you've got to bring your site back to life. You've got to plan for that. So you'll have to decide whether or not a clean recent backup can be used. And if not, you'll back up that infected site to a zip and you will clean the backup files and database. My slide got covered up with text.
But anyway, I know what I'm saying here. I'll fix the slide after the presentation. You don't want to clean the site on the server that is hacked. The hacker might still be active on that server. You have to assume that if it's compromised you can't do the work there. This is why you can't install a plugin and say, oh hey, malware cleaning plugin, go clean this up, because the hacker could still be on there. They could get into that PHP process that's cleaning the malware, and they can compromise that plugin as well. So you want to take a zip, take a snapshot of that site, bring it to an isolated location, go through the database, and clean it there. Then we want to do a swap. So let's say your site's under public_html. You'll change the name on the server to public_html_hacked. Then you'll pull in the cleaned site as public_html_clean, and then we switch the names. So public_html_clean becomes public_html, and public_html_hacked goes away. And then, all at once, lock out all of those files, change all of those passwords immediately, clean up the database, all of that stuff, as fast as possible. Then you want to test and clean that live site. If all that sounds interesting to you, we will be doing a How to Clean a Hacked Site course sometime soon. It's on the Solid Academy site somewhere. I will share my way of doing that. And then, you know, obviously lock down the site, but you're not done. You still have to figure out: what have we learned from this? What happened? How did it happen? How did our team respond? How did the incident response plan go? So you want to put this as part of the plan. What are the questions we're going to ask after the incident has happened? How did the team respond, and how could we have done things better? Was the plan useful? Where was it not? What information did we need sooner? What tools would have made our response easier?
So ask all of those questions, and that's going to inform the next incident, because remember, it's not if your site gets hacked, it's when. This isn't just for WordPress, of course. This is for all of your systems. It's for your most vulnerable systems. It's for your people. It's important to test everyone in your organization who has access to anything. You've probably heard me talk about the principle of least privilege: only give access to the people who are doing a job, for as long and for as little as they need to do the job that you've asked them to do. So the principle of least privilege is something you want to apply to everything. But you also want to train your people. You want to empower them. You want to protect them from themselves, a lot of times, in situations with bad passwords and whatnot. But you want to help people make better decisions. So these types of things don't just apply to WordPress. You can apply this to, you know, Sally who's just doing appointments for the sales team. She can learn from security as well, and what happens if her system gets compromised. So there is a link from NIST that walks through everything that you could ever think about with incident response planning. I hope that this presentation gave you some things to think about in regards to your WordPress site and how to protect yourself, and go get the Audit Checklist. If you just go to zant.com slash solid checklist, there's a form there. You can also get on my mailing list. I mail about everything related to security that I have the bandwidth to talk about. I also am on social media; wherever you are active you can probably find me, Kathy Zant. I'm very active on my YouTube channel. If you go to youtube.com and then at Kathy Zant, I've got a video coming out in the next, I wish it was hours, so it's probably going to be a day, still waiting for something. But it's going to be about VPNs.
And a really scary story about how big data was spying on some people using a VPN. So I'm going to talk about all kinds of security things. It's not just about WordPress with me, but WordPress, of course, is one of the best ways that we can empower you.
Very good. Kathy, this has been really interesting. So a lot of folks, I know we have a bunch of questions stacked up and I want to get to those, but a lot of folks that are watching live today are solopreneurs or small agencies. There's one or two people at the most. How can a small agency implement a strategy like this? A lot of what we talked about, you know, was we have marketing people and development people, whatever. So if I'm a small agency, how do I do this?
For customers, for their clients, or for themselves?
Well, let's just say I have a site that is under management with my agency, and there's a security incident.
Yeah, well, I would... So there's going to be some things that are common, as your agency, for all of your clients, for all of the sites that you manage. You have your stack, right? You have your stack of hosting, you're hosting with whatever hosting agency, you have your stack of plugins that you use. You know all the pieces on the chessboard, right? So it's going to be different for client A because they have an events calendar on there and all the rest of the sites don't, that type of thing. I would start from that generic stack of where everybody gets this thing and what your responsibilities are. I've worked with some clients who have had, like, they're like, okay, if this site gets hacked, if our client's site gets hacked, it's going to be on the news, because it's just that high profile of a site. That's going to be way different, right? So they need to know who the PR people are. They need to talk through all the client communications that need to happen. Who are the news people that are going to be covering that particular site? So thinking through all of that stuff, like, what's the worst case scenario of what happens? It's on the news. You know, like, think about Taylor Swift's site gets hacked, God forbid, poor Taylor. She's got a record release coming up. If that were to happen in the middle of her record release, what would happen? What's her web team going to do? How are they going to cover all of this, when everybody's trying to buy her latest album and they're getting redirected to, you know, a call center scam or something like that? Like, what do you do? Who's going to handle it? Who's going to communicate about it? The news media is going to be crazy. Who's going to be the PR person? So that's not going to be every single person, but it's going to be that way for some sites, and you need to think through who that's going to be for.
But then you're going to have your audits and things. You know, I would say, if I was getting started, I would take the audit checklist that you can get if you fill out that form on my site. I'll send you that audit checklist. I would start doing your quarterly audits on your sites. Pick one, and what is the stack, and then I would start writing out the incident response plan. Take some of the NIST stuff and just start writing out the incident response plan of how that's going to be for that site. And that could just be templated over to the rest of them.
Yeah, it's a great point. And so, you know, maybe for those who are operating as a solo or a small team, perhaps, you know, the issue could be: I have a canned email, so if a site gets compromised, I have a canned email that I can tweak slightly for this to inform the client, let them know what's going on. I have a resource. Like, I'm not going to clean up my own hacked site, I don't want to get into that, but I have a resource person, like, right, Promise, right? We want your website, or whatever other group you want to use. So there's a plan in place that I can execute. Is that a good step forward?
Yeah, exactly. Like, who are you going to call? Who do you need to call? How soon do you need to notify customers? So you need to set some rules up. You know, if you notice within the first hour, you probably want to prioritize the cleanup, and the customer doesn't know yet. Prioritize the cleanup and the remediation first, and then after all of that is done, then you notify the customer. If you know that the site's redirecting and you have to turn it down or turn it off, and not, you know, have their customers visiting the site, then you have the rule of, alright, we're going to notify the customer right away and then start remediation. Because it's going to be different for each individual thing. You have to think about the risks and the impact to the customer and to the customer's customers. It's going to be different.
Really good. All right, we have a bunch of questions. I want to make sure we get to these. The first one is from Marcus. Marcus says, I constantly notice people or bots trying to log into my WordPress admin page. Does Solid Security have features to block these people or bots from doing this, and what are those options?
Yeah, there's the brute force protection in Solid Security, right?
Yeah. And so, Marcus, first of all, I would recommend, so we always talk about here, in regard to security, multiple layers of security. You want some things at the network level, like at your DNS with a service like Cloudflare. You want something at the hosting level, that your server, whoever's providing your server, has some security. And you also want to have WordPress security. There are WordPress security plugins that are trying to do jobs that really should be at the network level, and that can end up slowing down your website. So it's important to have a strategy that includes all three layers. So for example, with the sites that we manage in my agency, we use Cloudflare as the first line of defense, and so before you can even access the WP login page, you have to pass through a Cloudflare managed challenge that's going to cut out all that bot traffic. Now, also, in Solid, to answer your specific question: yes, in Solid Security there are different lockouts based on the number of failed login attempts and so forth. But often just putting a CAPTCHA on that login page is going to be enough for you to filter out a lot of that traffic. But really, the first line of defense is the network level, before it even gets to WordPress. Hopefully that gives you something to go on there. If not, you can follow up with something else in the chat. Ryan would like to know how much responsibility is on the hosting company versus the individual website owner when it comes to website security.
Ultimately, whose site is that? Ultimately, everything's your responsibility, and you are farming out parts of the site security to your hosting provider. But if you just say, oh, well, my host takes care of everything, you're losing out on a couple of things. First of all, you're losing out on the opportunity to really become informed of all of the different aspects of security, because I'm telling you, going through it, it's not fun. I tried to make this fun, but I know security is not fun. You want to just say, somebody else; I don't want to be the security professional. But guess what, you log into your bank account. Every single one of us is exposed to the internet and exposed to hackers, and every single one of us, from Aunt Mary to all of us, has a risk profile. We could come under attack at any time. This is an opportunity for you to really be aware of your site security. There's tons of hosting providers that do exceptional, that have things like GridPane with Calvin Elkins Nico's Fortress. I have been playing with that and that is next level, like, oh, I'll just go get a cup of coffee. Oh, it's locked me out. Alright. You have to have that kind of security that exists. It's pretty intense. I don't know if I want my cat blog on there doing all of that, you know. And again, you know, there's a security continuum. The least secure thing gives everyone access to everything. And the most secure thing is buried in cement six feet underground in the backyard, and is it connected to the internet? Where does your site fall? Sally's cat blog doesn't need that much security. Taylor Swift during the launch party probably wants to have heightened security on that site. You don't want anything to go wrong during that particular timeframe. So it's going to be even more heightened because of what's going on, right?
Yeah, for sure. And you know, I think especially when it comes to these questions about who does what in regard to security, right, it's very important, I think, just to have a conversation with your hosting provider and just ask questions. You know, what are you doing? What do you expect the site owner to do? And just make sure that the whole spectrum of security is covered. And for the question of which security plugins we recommend, that's there in the chat, but we clearly recommend Solid Security Pro here from SolidWP. Let's see, great comment from Monta there in the Q&A, folks, if you haven't read that, just underscoring the importance of security. An anonymous attendee is asking, what will happen if I use an outdated plugin on my website?
Outdated plugin. Do you remember Limit Login Attempts, Nathan? Oh yes, it worked for like years and years and years and it wasn't updated, but it kept working. And it was like, there were warnings on wordpress.org that it hadn't been updated in so many years, but it just worked. There were no vulnerabilities. There were no problems. It didn't have any kind of conflict with WordPress core. It still worked, but it wasn't updated. I personally, you know, you just have to get to know the software. Software is a lot about trust. It's about relationships. It's about knowing who the developers are. If you know that, that's like sort of the scene with Limit Login Attempts, and it was that way for so many years. But WordPress is changing really fast. So even beyond security, because WordPress is growing and changing so fast and going sort of through this revolution of a new way of doing things, you want to keep your plugins updated. This one site I cleaned up, it was so outdated, and I was trying to help this person update it, and it was like, update. Alright, let's go to version 2.4. Then to .5, then to .6. And I was just like, oh no. You do not want to go through that, because you update WooCommerce, and what does it tell you? It's updating the database. You know, there's things that happen in updates. You don't want to let your plugins get too far behind. You know, if you want to wait because you're worried about bugs or whatever, wait for a little while, but still make it part of your plan that you're keeping everything updated, and then stay with the future of WordPress.
Yeah, that's great. Stacy has the comment of the hour in the chat, which says if the plugin is from G Aton, don't use it. And for those of you that aren't from that, just Google G Aton. And Stacey, you win the day. Okay, question from Doug. Does this sound good enough so I don't have to delete my users but keep them frozen while we clean the site? While I'm cleaning up an infected site, I change all the user roles to no role for the site. Then when the site is ready to be uploaded, I'll have all the users still in the database and force them to do a password change.
Yeah, you'll want to force them all to make a password change. I would force the password reset beforehand and then just email your users and let them know. You know, a lot of jurisdictions require that; you know, if you have a user, their username or their IP address is considered personally identifiable information. So a lot of jurisdictions will require you to do a breach notification. So you can do that breach notification and, by the way, you've got to reset your password, sorry, that type of thing.
Yeah, for sure. And I think that's a great process to lock people out: just move them to no role and they can't log in. There are also plugins you can add that will prevent logins while that plugin is active, but that's just as good as anything. Let's see, Ryan would like to know if SolidWP acts as a WAF, or web application firewall. What are your thoughts on plugins like Wordfence and WAFs like that, like Wordfence provides?
I prefer... Well, I mean, you can use Wordfence, but I like cloud WAFs that are filtering traffic, like Cloudflare. It really cuts down on some of that background noise on the internet. Cloudflare actually has some WordPress related types of security options, I think in their paid plan, but I would use a cloud WAF to filter those types of things out. Wordfence does have some features that are integrated with WordPress. But the Patchstack integration with SolidWP, with this virtual patching, has the same type of effect as a WAF. And I have been, you know, I've been in the security space for WordPress, and all the work that Oliver and his team do at Patchstack as a CVE Numbering Authority has been top notch, has been incredible. The way that they're supporting all of the various plugin developers in terms of, you know, handling, I mean, there's background noise of people logging in on the internet, there's background noise of security researchers who send you messages saying there's a vulnerability on your site, pay me, and Patchstack filters out a lot of those garbage reports for plugin developers and works with plugin developers, like, okay, this is what they're saying and this is how you solve this, and helping them become more secure. I love the community aspect of what Patchstack is doing. I love their integration with SolidWP. So the way I'm going is Patchstack and SolidWP personally.
Yeah, for sure. And right, that's one thing I was talking about a little earlier, when I mentioned that there are approaches to security in WordPress plugins that really are doing a network job, trying to do that at the WordPress level, and that often results in performance issues. That's why just have a good web application firewall like Cloudflare where you can put some great rules. And by the way, I dropped this link in the chat a minute ago: for Solid Academy members, our premium course this month, which is happening next week, is a course I'm teaching called Cloudflare for Agencies, where we're walking through a lot of these settings, and that's available for Solid Academy members. And if you have a Solid Suite membership, you have a Solid Academy membership, so you are able to join that course Tuesday and Wednesday of next week at no cost. So Ryan, hopefully that was enough information for you there. Let's see, what other questions do we have? Marcus: I wonder what Kathy means by don't put all sites in one cPanel account. In cPanel WHM I have several cPanel accounts. They fall under my main cPanel account. Is that risky?
WHM is a management console for multiple cPanel accounts. So as long as that cPanel installation, that is one PHP based user, one server based user, and how that's installed. So as long as you have WHM, you can have many cPanel accounts. The thing is add-on domains within cPanel, where you have your one user, your one server based user, and you can have, like, zant.com in there, and then I can do staging.zant.com, and oh look, I can even put another domain in there. And look, if all of a sudden you've got 50, 60 different sites in there and one of them gets hacked, then, because it's all one server based user, it's all one user that's running PHP, so one site gets hacked, they're all polluted. But the WHM thing, that's a management console, as long as you have the individual cPanels.
Yeah, my first, you talked about your origin story in WordPress security. The first time we had a security issue was many, many years ago. I was probably a year into WordPress, and I had about 30 websites in a single cPanel. I didn't know any better. Yeah. And one site got compromised and they all did. And so Marcus, thinking about cPanel, it's one website per cPanel, just like Kathy said. That puts it in a fence, so if that website gets hacked, it stays inside those walls. WHM can have many cPanels. So for example, we just launched a site for a client that's a subdomain of their primary site, and they're in separate cPanels. Even though they share the same primary domain, there's a subdomain and the main domain, but they're in different cPanels because they're two separate WordPress sites, and that security needs to be compartmentalized. So I hope, Marcus is saying, I have one cPanel login that allows me to log into other cPanel accounts via WHM and cPanel. Marcus, I would talk to your hosting provider and get clarity on that, because you may have a WHM login that gets you into other cPanels. But the question I would ask your host, and Kathy, correct me if I'm wrong, just make sure that all your cPanels are separate. That's the big thing. Yeah. Yeah. Yeah. Let's see, coming from Ryan in the chat: I use Elementor. It's just a page builder, so not really a huge factor regarding security unless you're not keeping it patched. What would you say to that?
Oh, Elementor. Do you really want to know?
I really want to know. I am.
Yeah, Elementor has had some vulnerabilities, as have some of the add-on plugins. So just make sure you're on their mailing list and that you keep everything updated. They have had some fairly significant vulnerabilities. So yes, it's a page builder. It's also a plugin. And it also is additional code that you're adding into WordPress that can indeed have vulnerabilities in it. So...
Yeah, as I've watched plugin vulnerabilities over the years that we've been doing our monthly news roundup here on Solid Academy, I think most major page builders have had vulnerabilities. But wow, they are more frequent in Elementor than others. So just make sure that, I mean, this is any plugin, whatever plugins you use, make sure they stay up to date and you're watching WordPress security news. And even more than that, this is the beauty of Solid Security Pro: with the site scan and with the version management feature and the Patchstack firewall, here's what will happen. Twice a day, all of your sites are scanned for vulnerabilities. If a theme or plugin on your site is vulnerable and a patch exists, then Solid Security, if you have the version management feature turned on, will automatically update that theme or plugin without you having to lift a finger. If there's not a patch available, then Patchstack will virtually patch that vulnerability, so it's as if that vulnerability doesn't exist, where it prevents that vulnerability from being exploited until the developer releases the patch. So that's why we say you can reduce your security risk to almost zero using those features. So Kathy, this has been great. A lot of questions, a lot of good security talk. We have another live stream with you coming up in just a few weeks. I dropped that link in just a bit ago. We're talking on May the eighth, about three weeks from now, about how to clean a hacked WordPress site. I've just dropped that link in the chat again, folks. If you'd like to join us for that, register for that; it's a free live stream. So as we're wrapping up, Kathy, give us a good takeaway. What do you want to leave us with?
I want you to just think about: it's not if, it's when. Plan for it now. And then when everybody's hair's on fire, you get to be cool as a cucumber because you've got the plan. You're going to bring everybody in for a landing, nice and safe. How's that?
Absolutely. It's good stuff. Thanks again, Kathy, for being with us today. Thank you all as well. Great questions, great audience participation. We'll have this replay up in about an hour from now. I'm dropping in our link bundle one more time, if you've missed that, to grab the slides, the Audit Checklist link and the PDF from NIST. Also, those links, if you're watching on the replay, are just here below the video; you can grab all of those and download. Well, that's going to do it for us today. I'm back for members for office hours here tomorrow, one o'clock Central, on Solid Academy, where we go further together.