1. WordPress
Security Briefing
How To Keep Your WordPress Site Secure
WP Apprentice
Presented by

2. Who is this guy?
Founder WPApprentice.com
Web Developer 16 years
CMS specialist
Using WP since v. 0.9
Manage 30 + WP sites

3. Overview of todays session
The current state of web & WordPress security
Hacking risks
How sites get hacked
How to tell if your site has been hacked
Security best practices
Recommended plugins & security services

4. WordPress in the news

8. It’s not just WordPress

12. the web is becoming a very bad neighborhood

13. Is WordPress secure?

15. Linux - Operating System
Apache - Web Server
MySQL - Database Server
PHP - Scripting language
Built on layers of technology

16. WordPress itself has layers
WordPress Core
WordPress Themes
WordPress Plugins

17. What are the risks?

18. What’s the worst that can happen?
Site defaced
Content modified
Content injection (spam)
Site deleted
Backdoor installed - hackers your your site to attack others
Malware distribution from your website

19. What’s the worst that can happen?
Damage to your reputation
Damage to your visitors computers
Damage to your relationship with your customers
Site removed from Google and other search engines
Possible legal liabilities depending on information exposed or lost

20. Why would anyone hack MY
website?

21. “I just installed WordPress on a new domain.
I have zero traffic, in fact I’m still setting up my website”
What are the chances?

23. This isn’t about you or your website - most attacks are automated
Don’t take hacking personally - hackers don’t
They see your server as an asset for future hacking activity
The hacker perspective

24. How websites get hacked

25. How websites get hacked
Weak password
Outdated software
Use of insecure FTP
Shared web host / bad file permissions
Security weakness in plugin
Security weakness in theme
Security weakness in WP (these are patched very quickly)

26. How to tell if your site has been
hacked

28. Google: site:yourdomainname.com

29. http://www.google.com/safebrowsing/diagnostic?site=yourdomain.com

30. http://www.google.com/webmasters/

32. http://sucuri.net

33. http://sucuri.net

34. WordPress Security
Best Practices

35. Backups are the only sure way to protect your website
Schedule database backups daily
Schedule full site backups weekly
Be sure to backup your /wp-content/uploads folder
Move backup files off your server
http://wpapprentice.com/blog/preparing-for-a-wordpress-disaster/
Backup Regularly

36. http://ithemes.com/backupbuddy/

37. http://vaultpress.com

38. Never name an account “Admin” or any variation
Don’t post from an account with admin privileges
Create an account specifically for posting - assign Editor role
WordPress user setup

41. Use a strong password (and don’t re-use passwords)

42. http://agilebits.com/onepassword

43. Check file and folder permissions on your server

46. Update WordPress, Plugins, and Themes asap

48. http://managewp.com

50. http://infinitewp.com

51. Delete what you don’t use (plugins and themes)

54. Avoid free plugins and themes from sketchy sources

57. Don’t install outdated plugins

59. Plugins & Security Services

66. http://cloudflare.com

68. How to fix a hacked site

69. How to fix your hacked site
Reinstall fresh copy of WordPress
Rebuild site from a clean backup
Or, hire a professional (Sucuri does this)

70. Getting off the blacklist
Google Webmaster Tools
Sucuri will do this as part of cleanup service

71. This is too much work!

72. Use WordPress.com and
don’t worry

73. http://wordpress.com

74. Q & A

75. Thank You