WORDPRESS SECURITY IS LIKE A HHAM SANDWICH
JAMES HIPKIN
Involved in advertising and marketing for many years
Started in traditional advertising
Moved over to direct marketing
Been involved with digital for over ten years
Currently an owner and the Managing Director at Red8 Interactive
More than 20% of websites are using WordPress
This makes WordPress a target for hackers
NOT IF, BUT WHEN
Without protection, it’s not a question of if, but when
SO HOW CAN YOU BE PROTECTED?
THINK HHAM SANDWICH
Hosting
Hardening
Access
Maintenance
SOME CONTEXT
You don’t need to follow every recommendation presented here to be secure—there isn’t a silver bullet, but do something
SOME CONTEXT
No site is immune to hacking. No matter what you do, a dedicated individual with the right skills can gain access to virtually any site
SOME CONTEXT
“…but my site doesn’t get much traffic.”
HOSTING
The trouble with sharing
- Because shared servers must support many applications, server software is often out of date, which means hackers can exploit security holes in old software, holes that are already plugged by updates that have not yet been applied
- Shared hosts are concerned about security, but their solutions are generic; they aren’t designed specifically for WordPress
HOSTING
MANAGED WP HOSTS
It’s all about commitment—since the server is only supporting one application, WordPress:
- Server software is kept up-to-date
- Security precautions are specific
- WordPress updates are automatic
- Backups and security scans are automatic
- Quality control over plugins—known vectors and server thrashers aren’t allowed
MANAGED WP HOSTS
But wait, there’s more… managed WP hosts also perform better, because they’re optimized for WordPress’ specific requirements
MANAGED WP HOSTS
We use WP Engine
Others you can consider:
- Pagely
- Pressable
- Synthesis
HARDENING
HARDENING
Make it hard for the hackers’ bots and they will move on
Recommendations can be added individually, which may require a developer
Many are included as options in the iThemes Security plugin
HARDENING
Shut down the theme and plugin editor
- Disallow the theme and plugin editor by adding the following to wp-config.php (above the line that loads wp-settings.php):

define( 'DISALLOW_FILE_EDIT', true );
HARDENING
Set permissions on your wp-content and themes directories to 755
Set permissions on files to 644
HARDENING
Hackers will try to add a .php file via the wp-includes and/or wp-content/uploads/ folders. To disable PHP execution in these directories:
- Create a file in a text editor, call it .htaccess and add the following code:

<Files *.php>
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" instead
deny from all
</Files>

- Use FTP to place this file in each of those folders
HARDENING
Change the database prefix
- In the wp-config.php file change the table prefix from “wp_” to “wp_randomlettersandnumbers_”
- Or “randomlettersandnumbers_”
- This is best accomplished during the initial install of WordPress
- Or use iThemes Security or the Change DB Prefix plugin on an older site
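Changing $table_prefix in wp-config.php on an existing site is not enough on its own: the tables, the user_roles option and the capability keys in usermeta all carry the prefix and must be renamed as well, which is what the plugins named above do for you. The shell function below is an added example, not code from the slides or from either plugin; it generates that SQL for a single-site install, assuming the standard core table names, with any plugin tables passed as extra arguments. Review the output, back up the database, run it with the mysql client, and then change $table_prefix in wp-config.php to match.

```shell
#!/bin/sh
# Generate the SQL that moves an existing single-site WordPress database
# from one table prefix to another. Constructed example; not from the
# slides or from any plugin.
#
# Usage: gen_prefix_sql OLD_PREFIX NEW_PREFIX [extra table names...]
# Extra names are plugin tables (without the prefix) that also need renaming.

# Core tables of a single-site install (termmeta exists since WordPress 4.4).
WP_CORE_TABLES="commentmeta comments links options postmeta posts \
terms term_relationships term_taxonomy termmeta usermeta users"

gen_prefix_sql() {
  old="$1"; new="$2"; shift 2
  tables="${*:-$WP_CORE_TABLES}"

  # WordPress only accepts letters, numbers and underscores in a prefix.
  case "$new" in
    ''|*[!A-Za-z0-9_]*)
      echo "new prefix must be letters, numbers and underscores only" >&2
      return 2 ;;
  esac

  oldlen=$(printf '%s' "$old" | wc -c | tr -d ' ')
  # In SQL LIKE, '_' is a wildcard; escape it so 'wp_' matches literally.
  oldlike=$(printf '%s' "$old" | sed 's/_/\\_/g')

  for t in $tables; do
    printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
  done

  # The role definitions live in the option {$prefix}user_roles; without
  # this rewrite no user keeps a role after the rename.
  printf "UPDATE \`%soptions\` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles';\n" \
    "$new" "$new" "$old"

  # usermeta keys such as {$prefix}capabilities and {$prefix}user_level are
  # prefix-derived too: rewrite every key that starts with the old prefix.
  printf "UPDATE \`%susermeta\` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s%%';\n" \
    "$new" "$new" "$((oldlen + 1))" "$oldlike"
}
```

Running `gen_prefix_sql wp_ wp_k7q2_ > rename.sql` and then `mysql <db> < rename.sql` does the database side; the $table_prefix line in wp-config.php still has to be changed by hand.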
HARDENING
Use the Disable Comments plugin to turn off post comments if they aren’t required, which closes several attack vectors
Use a third party like Disqus to manage comments so they are off the server
HARDENING
Install iThemes Security for one-stop shop security (some setup required)
HARDENING
Install the BruteProtect plugin to block brute force attacks
Limit Login Attempts is another choice, but it’s best in combination with other measures
ACCESS
ACCESS
You need ten Admins? Really?
- Use the User Role Editor plugin to create a custom user role, Manager or Web Master, with the same capabilities as an Admin but without the ability to add or delete plugins and themes, two common vectors for hackers
ACCESS
U/P: admin/password123? Really?
- Delete the admin user if it exists
- Use the Enforce Strong Passwords plugin to, well, enforce strong passwords
ACCESS
Consider two-factor authentication using the Google Authenticator plugin
Rublon is another excellent plugin for two-factor authentication
ACCESS
Login Security Solution is another good choice
Or install CLEF, which replaces passwords with simple, encrypted authentication using your smartphone
ACCESS
Force administration over SSL—this is important if the dashboard will be accessed by multiple users over public WiFi networks
- Install an SSL certificate and add the following to the wp-config.php file. The two define() lines must come before the require_once line that loads wp-settings.php, which is already at the bottom of wp-config.php; constants defined after that line have no effect:

define('FORCE_SSL_ADMIN', true);
define('FORCE_SSL_LOGIN', true); // deprecated since WordPress 4.0; FORCE_SSL_ADMIN already covers the login page
require_once(ABSPATH . 'wp-settings.php'); // existing line, stays last
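To check that the hardening items from the earlier slides (editor disabled, 755/644 permissions under wp-content, PHP blocked by .htaccess in wp-includes and wp-content/uploads, non-default table prefix) and the FORCE_SSL_ADMIN setting on this slide are actually in place, here is a small audit script. It is an added example, not code from the slides or from the iThemes Security plugin, and it assumes a standard layout with wp-config.php in the site root and Apache-style .htaccess files.

```shell
#!/bin/sh
# Audit a WordPress install for the settings this deck recommends.
# Constructed example; not code from the slides or from any plugin.
#
# Usage: wp_hardening_audit /path/to/wordpress
# Prints one FAIL line per finding; the return value is the number of findings.

# True when FILE contains an active define('NAME', true). The pattern is
# anchored at line start, so lines commented out with // or # do not match.
config_defines_true() {
  grep -Eq "^[[:space:]]*define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"
}

# True when DIR/.htaccess denies access, in either the Apache 2.2
# ("deny from all") or the Apache 2.4 ("Require all denied") form.
php_blocked_in() {
  [ -f "$1/.htaccess" ] && grep -Eqi 'deny from all|require all denied' "$1/.htaccess"
}

# Count entries under DIR of TYPE (d or f) whose mode is not exactly MODE.
count_not_mode() {
  find "$1" -type "$2" ! -perm "$3" | wc -l | tr -d ' '
}

wp_hardening_audit() {
  root="$1"; cfg="$root/wp-config.php"; findings=0

  if [ ! -f "$cfg" ]; then
    echo "FAIL no wp-config.php under $root"; return 1
  fi

  config_defines_true "$cfg" DISALLOW_FILE_EDIT ||
    { echo "FAIL DISALLOW_FILE_EDIT is not defined as true"; findings=$((findings + 1)); }

  config_defines_true "$cfg" FORCE_SSL_ADMIN ||
    { echo "FAIL FORCE_SSL_ADMIN is not defined as true"; findings=$((findings + 1)); }

  # $table_prefix = 'wp_'; is the default the deck says to change.
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg"; then
    echo "FAIL table prefix is still the default wp_"; findings=$((findings + 1))
  fi

  # Directories 755, files 644, as the deck recommends.
  if [ -d "$root/wp-content" ]; then
    baddirs=$(count_not_mode "$root/wp-content" d 755)
    badfiles=$(count_not_mode "$root/wp-content" f 644)
    [ "$baddirs" -eq 0 ] ||
      { echo "FAIL $baddirs directories under wp-content are not 755"; findings=$((findings + 1)); }
    [ "$badfiles" -eq 0 ] ||
      { echo "FAIL $badfiles files under wp-content are not 644"; findings=$((findings + 1)); }
  fi

  for d in wp-includes wp-content/uploads; do
    php_blocked_in "$root/$d" ||
      { echo "FAIL no .htaccess blocking PHP in $d"; findings=$((findings + 1)); }
  done

  echo "$findings finding(s)"
  return "$findings"
}

# When run directly, audit the path given on the command line.
if [ "$#" -gt 0 ]; then
  wp_hardening_audit "$1"
fi
```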
ACCESS
Consider adding a firewall to the site
- Among other benefits, CloudFlare and Sucuri will block malicious attacks before they reach your server
- While not a 100% solution, a firewall can block attempts to exploit software vulnerabilities until they are fixed via updates
ACCESS
Secure your WiFi
“Over three hours, he revealed 23 Wi-Fi hotspots, more than a third of which were open to snoops or used crackable WEP instead of the more modern WPA encryption.”
Coco, modeling the WarKitteh collar. Photo credit: Gene Bransfield
ACCESS
For a less industrial-strength, but still effective, solution consider Cloak, a personal VPN service for Apple devices
MAINTENANCE
MAINTENANCE
Seriously, keep all WordPress software up to date
Keep WordPress and plugins up to date
MAINTENANCE
Delete all unused plugins and themes—this is very important; old plugins and themes are a common vector for hackers
MAINTENANCE
If it’s not provided by the host, install a backup plugin
- BackupBuddy and VaultPress are good choices
- Store backups in a remote location
MAINTENANCE
Scan the site periodically (nightly?) using a service like Sucuri
MAINTENANCE
Seriously, keep WordPress, themes and plugins up to date
And back the site up frequently to a remote location
THIS?
Do these things and the chances you will be hacked are greatly reduced
OR THIS…
FOLLOW THESE RECOMMENDATIONS AND THE CHANCES OF GETTING HACKED WILL BE GREATLY REDUCED
THANK YOU!
Red8 Interactive
San Francisco, CA
St. Louis, MO
James Hipkin
james@red8interactive.com
415.789.3685
The slides are available on SlideShare:
http://www.slideshare.net/Red8Interactive/hham-for-wp-security
