Pick His Brain!
I’d like to introduce one of our members, Thomas J. Raef, for our next ‘Pick His Brain’ session and I want to thank him for the participation.
When someone is highly recommended by Terry Samuels for web security, it speaks volumes.
Thomas has removed malwares from over 3.9 million websites and that’s an impressive number by any standards.
If you have any questions related to website security and prevention, please feel free to pick his brain.
Note: Due to his busy schedule, he’ll start answering starting Aug. 24th. You are more than welcome to load up questions.
Here are the rules.
1) I’ll let the thread go on until he asks me to stop. Theoretically, this thread can continue until the FaceBook stock value goes to zero.
2) Please, no snarky remarks. I will not tolerate any intentional negativity. We are here to learn from each other’s success and strategies.
3) Please do not PM him and bother him. If you have a private question, ask for his permission on this thread when appropriate.
What are your go to WordPress security plugins and why?
We’ve removed malware from WP sites with every security plugin and every firewall.
Most WP sites have 2 or more security plugins and they still get infected.
Is it better to not have one or is some protection better than none?
There are so many better things to do.
Htaccess, php.ini, renaming wp-admin, hiding user names, etc.
These things don’t bog down your site.
Could you please give some specific htaccess and php.ini recommendations? Also we use a plugin to change wp-admin, is there a better way?
All the plugin does is add a few lines to the .htaccess file. You can do the same.
It is the best way to handle the renaming.
What are the most common hacks that you see in WP?
Stolen or easily guessed login credentials.
Do you see more targeted bruteforce, or more like list based attacks?
We only see successful attacks when they’ve stolen the login credentials with a password stealing Trojan on someone’s local computer.
No big scale attacks?
We see attacks on a large scale, but none of them successful.
We use the information in these large scale attacks to report to various providers of compromised systems/sites which removes those digital assets from the hacker’s inventory.
We’ve had single days where we’ve reported over 25,000 to a single provider.
What we should do to protect our sites?
Create .htaccess files and php.ini files.
Reduce the number of admin level users, delete admins that no longer need access, run a good anti-virus program on your local computer.
Is there software you can run against your own website to find any potential exploits (running off a live exploit.db) and get them fixed?
If you’re running WordPress, just keep the core, theme and plugins updated -DAILY!
Have you ever had to remove malware from a site hosted on Kinsta or Flywheel? If so, how did it occur and what recommendations would you give to avoid such vulnerabilities?
Flywheel yes, Kinsta no.
They’re hosting platforms like any other.
We’ve serviced many sites on WP Engine too.
What programs do you recommend using for scanning wordpress plugins for malware/spyware/viruses/etc?
There aren’t any really.
You can use Sucuri’s sitecheck, but that only scans from the outside so it will miss a lot of malware. This is why we created our Freemium plan.
It will scan all your files even on a shared hosting account and only tell you if there are any infections.
Sorry for the shameless plug of our service but that’s why we created it, because there wasn’t anything else on the market.
How did you initially learn everything you know now about wp security? Any sites you recommend to stay updated on latest exploits, patches etc.
It’s not so much about individual exploits and patches.
You must learn coding techniques in the various programming languages.
Then you develop a plan on how to protect that class of exploits.
Then by having knowledge of hosting environments you can determine how to create an effective defense.
How can I learn about Web Application Security and prevention? How does one get clients for Vulnerability Scanning and Penetration testing consultancy?
Learning? You just have to Google those terms and read everything you can.
Then think outside the box. As far as getting clients, determine your target audience and decide how to best reach them.
Then tailor message that resonates with them.
Their age, profession, where they are in the purchase spectrum.
How to find out the way the hacker manage to gain access? Because changing password may not be enough.
You need to analyze the log files.
And also look at the infected files and where they were located.
What plugins were installed.
Check the IP address of each successful login.
What framework do you recommend if I am starting a new site from scratch as far as security. I was thinking Bootstrap framework
Frameworks are useful, as long as they use parameterized SQL queries and provide for prevention of XSS.