An overview of WordPress security targeted at beginning and intermediate users. Some light coding required. Talks about hosting, hardening, access and maintenance, the four areas to consider to keep a WordPress site protected from hackers.
2. JAMES HIPKIN
- Involved in advertising and marketing for many years
- Started in traditional advertising
- Moved over to direct marketing
- Been involved with digital for over ten years
- Currently an owner and the Managing Director at Red8 Interactive
3. More than 20% of websites are using WordPress. This makes WordPress a target for hackers.
NOT IF, BUT WHEN
Without protection, it’s not a question of if, but when.
6. SOME CONTEXT
You don’t need to follow every recommendation presented here to be secure—there isn’t a silver bullet, but do something.
7. SOME CONTEXT
No site is immune to hacking. No matter what you do, a dedicated individual with the right skills can gain access to virtually any site.
10. HOSTING
The trouble with sharing
- Because shared servers must support many applications, server software is often out of date, which means hackers can exploit security holes in old software, holes that updates have already plugged but the host has not yet applied
- Shared hosts are concerned about security, but their solutions are generic; they aren’t designed specifically for WordPress
11. MANAGED WP HOSTS
It’s all about commitment—since the server is only supporting one application, WordPress:
- Server software is kept up-to-date
- Security precautions are specific to WordPress
- WordPress updates are automatic
- Backups and security scans are automatic
- Quality control over plugins—known attack vectors and server thrashers aren’t allowed
12. MANAGED WP HOSTS
But wait, there’s more… managed WP hosts perform better; they’re optimized to support WordPress’ specific requirements.
13. MANAGED WP HOSTS
We use WP Engine. Others you can consider:
- Pagely
- Pressable
- Synthesis
15. HARDENING
Make it hard for the hackers’ bots and they will move on.
Recommendations can be added individually, which may require a developer. Many are included as options in the iThemes Security plugin.
16. HARDENING
Shut down the theme and plugin editor
- Disallow the theme and plugin editor by adding the following to wp-config.php, above the line that loads wp-settings.php:
  define( 'DISALLOW_FILE_EDIT', true );
18. HARDENING
Hackers will try to add a .php file via the wp-includes and/or wp-content/uploads/ folders. To disable PHP execution in these directories:
- Create a file in a text editor, call it .htaccess and add the following code:
  # Apache 2.4 without mod_access_compat: use "Require all denied" instead of "deny from all"
  <Files *.php>
  deny from all
  </Files>
- Use FTP to place this file in each of the folders
19. HARDENING
Change the database prefix
- In the wp-config.php file change the table prefix ($table_prefix) from “wp_” to “wp_randomlettersandnumbers_”
- Or “randomlettersandnumbers_”
- This is best accomplished during the initial install of WordPress
- Or use iThemes Security or the Change DB Prefix plugin on an older site
20. HARDENING
Use the Disable Comments plugin to turn off post comments if they aren’t required, which closes several attack vectors.
Use a third party like Disqus to manage comments so they are off the server.
22. HARDENING
Install the BruteProtect plugin to block brute force attacks.
Limit Login Attempts is another choice, but it’s best in combination with other measures.
24. ACCESS
You need ten Admins? Really?
• Use the User Role Editor plugin to create a custom user role, Manager or Web Master, with the same capabilities as an Admin but without the ability to add or delete plugins and themes, two common vectors for hackers
27. ACCESS
Login Security Solution is another good choice.
Or install CLEF, which replaces passwords with a simple, encrypted authentication using your smart phone.
28. ACCESS
Force administration over SSL—this is important if the dashboard will be accessed by multiple users over public WiFi networks
- Install an SSL certificate and add the following to the wp-config.php file. The defines must sit above the existing require_once(ABSPATH . 'wp-settings.php'); line at the end of the file; constants defined after that line are loaded too late to take effect:
  • // FORCE_SSL_LOGIN is deprecated since WordPress 4.0; FORCE_SSL_ADMIN also covers the login page
    define('FORCE_SSL_LOGIN', true);
    define('FORCE_SSL_ADMIN', true);
    require_once(ABSPATH . 'wp-settings.php');
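The hardening steps from slides 16, 18 and 19 and the SSL constants from slide 28 can be verified after the fact. The following audit script is an added example, not part of the deck and not a tool from WP Engine or iThemes; it assumes a standard WordPress directory layout, and the sample install it builds under mktemp is constructed for the demonstration.

```shell
#!/bin/sh
# Added audit script, not from the deck: checks a WordPress tree for the wp-config.php
# constants, the table prefix and the .htaccess PHP blocks recommended above.
# Paths and the sample install below are constructed for the demonstration.
# Pass if define('NAME', true) appears in wp-config.php before the line that loads
# wp-settings.php; constants defined after that line have no effect.
check_constant() {
  def=$(grep -En "define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true" "$1" | head -n1 | cut -d: -f1)
  req=$(grep -n "wp-settings\.php" "$1" | head -n1 | cut -d: -f1)
  [ -n "$def" ] || return 1
  [ -z "$req" ] || [ "$def" -lt "$req" ]
}
# Pass unless $table_prefix is still the default 'wp_' (slide 19).
check_table_prefix() {
  ! grep -E '^[[:space:]]*\$table_prefix' "$1" | grep -Eq "['\"]wp_['\"]"
}
# Pass if the directory's .htaccess denies access to *.php (slide 18).
check_php_blocked() {
  ht="$1/.htaccess"
  [ -f "$ht" ] && grep -qi '<Files \*\.php>' "$ht" && grep -qi 'deny from all' "$ht"
}
# Run every check against a site root; the return code is the number of failures.
audit_site() {
  cfg="$1/wp-config.php"; fails=0
  check_constant "$cfg" DISALLOW_FILE_EDIT || { echo "FAIL: theme/plugin editor still enabled"; fails=$((fails+1)); }
  check_constant "$cfg" FORCE_SSL_ADMIN    || { echo "FAIL: admin not forced over SSL"; fails=$((fails+1)); }
  check_table_prefix "$cfg"                || { echo "FAIL: default wp_ table prefix"; fails=$((fails+1)); }
  for d in wp-includes wp-content/uploads; do
    check_php_blocked "$1/$d" || { echo "FAIL: PHP execution not blocked in $d"; fails=$((fails+1)); }
  done
  return $fails
}
# Constructed sample install: hardened except that wp-content/uploads has no
# .htaccess, so audit_site reports exactly one failure.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
  cat > "$root/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_k3x9q_';
define( 'DISALLOW_FILE_EDIT', true );
define( 'FORCE_SSL_ADMIN', true );
require_once(ABSPATH . 'wp-settings.php');
EOF
  printf '<Files *.php>\ndeny from all\n</Files>\n' > "$root/wp-includes/.htaccess"
  echo "$root"
}
audit_site "$(make_sample_site)" || echo "$? check(s) failed"
```

Point audit_site at a real document root to get the same report for a live install; a zero return code means every recommendation above is in place.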
29. ACCESS
Consider adding a firewall to the site
- Among other benefits, Cloudflare and Sucuri will block malicious attacks before they reach your server
- While not a 100% solution—a firewall can block access to software vulnerabilities before they can be fixed via updates
30. ACCESS
Secure your WiFi
“Over three hours, he revealed 23 Wi-Fi hotspots, more than a third of which were open to snoops or used crackable WEP instead of the more modern WPA encryption.”
[Photo: Coco, modeling the WarKitteh collar. Photo credit: Gene Bransfield]
31. ACCESS
For a less industrial-strength, but still effective, solution consider Cloak, a personal VPN service for Apple devices.
34. MAINTENANCE
Delete all unused plugins and themes—this is very important, old plugins and themes are a common vector for hackers.
35. MAINTENANCE
If it’s not provided by the host, install a backup plugin
- BackupBuddy and VaultPress are good choices
- Store backups in a remote location
39. Do these things and the chances you will be hacked are greatly reduced
OR THIS… FOLLOW THESE RECOMMENDATIONS AND THE CHANCES OF GETTING HACKED WILL BE GREATLY REDUCED
40. THANK YOU!
Red8 Interactive
San Francisco, CA
St. Louis, MO
James Hipkin
james@red8interactive.com
415.789.3685
The slides are available on SlideShare: http://www.slideshare.net/Red8Interactive/hham-for-wp-security