Nick Batik led this WordPress Security Presentation, which addressed Site Security and Administration. As the popularity of WordPress has increased, so has its attractiveness to hackers. Nick will review the basics of keeping your WordPress site secure and talk about some of the WordPress security plugins and services available to keep your site and your online community safe.
2. PleiadesServices.com @nick_batik@sandi_batik
Nick Batik
Nick Batik founded Pleiades Publishing Services in 1992, has been building websites since 1994 and has been a WordPress consultant and developer since 2007. A WordPress Evangelist and a Co-Organizer of the Austin WordPress Meetup, he has presented technical WordPress classes at numerous WPATX meetups and WordCamps. He specializes in the system design and implementation of custom, often complex WordPress-based solutions that address client data management issues. As the back-end developer, he creates the core computational logic of the website or information system to implement the customized functionality.
Follow me @nick_batik / @WPATX
Contact me at: pleiadesservices.com
https://www.linkedin.com/in/nicholasbatik
3. How to Secure and Maintain Your WordPress Site
Securing your website, databases and files has become a mandatory task of every WordPress site manager, administrator and owner.
The core of WordPress is a fairly secure system and is designed for ease of updating and a fast development cycle.
Most WordPress security problems are easy to control and are due to either poor judgement by the end user, poorly coded themes and plugins, or bad hosting.
4. Keep Your Version of WordPress Up-To-Date
#1 Excuse for not updating… “What if it ‘breaks’ one of my plugins?”
A hacked site or a ‘temporary’ issue with one plugin… Seriously, you are actually thinking about this…
WordPress core updates fix recently discovered security problems. If your site isn’t updated — it is vulnerable.
5. Keep Your Version of WordPress Up-To-Date
Advanced Automatic Updates Plugin adds options to WordPress’ built-in Automatic Updates feature.
Beyond security updates, it supports installing major releases, plugins, themes, or even regular SVN checkouts!
6. Update All Your Plugins
Security vulnerabilities are frequently found in third-party WordPress plugins — even the most popular and trusted plugins can have vulnerabilities.
Good plugin developers handle security fixes quickly and release an update.
Then it is YOUR responsibility to update to the latest version OR your site is still vulnerable to hackers.
7. Remove Any Inactive or Unused Plugins
The more plugins you have installed on your site — the greater your risk of having a vulnerability in one of those plugins.
The security best practice to minimize risk is to completely uninstall any plugins you are not using.
How do you tell which plugins are not being used? They are marked as ‘Inactive’ in the Plugins section of the WordPress admin.
Delete them!
8. Update Your Themes
The same logic that applies to WordPress core updates and plugin updates applies to themes.
Securing WordPress means that all themes need to be kept updated to their latest versions.
9. Update Your Themes
OMG! I made changes to my theme. If I update I’ll lose them ALL!!!
This is why we stressed the importance of using ‘Child Themes’ rather than making any changes to the actual theme.
When you make all changes in your Child Theme you can easily update to get the latest fixes and security updates without breaking your theme’s changes.
10. Update Your Themes
A best security practice is to also remove any unused themes.
You can check which themes require updates from the Appearance > Themes section in the WordPress admin.
11. Only Install Themes, Plugins and Scripts From Their Official Source
Using any software from a “FREE” pirate site is NEVER a good idea!
Many of these “Free Download” pirated themes have maliciously tweaked scripts that install a back door which allows your site to be remotely controlled by hackers.
Why would you “trust” a source whose business model is based on stealing other designers’ work?
12. Only Install Themes, Plugins and Scripts From Their Official Source
Where do you find free, vetted WordPress themes?
WordPress.org is the safest place to find free WordPress themes.
For a review of WordPress themes go to: https://www.slideshare.net/sbatik/how-wordpress-themes-work
13. Choose a Secure WordPress Hosting Service
Security-conscious hosting services will have a dedicated security team who monitor the latest vulnerabilities and preemptively apply rules on their firewalls to mitigate any hack attacks on your site.
Shared hosting solutions are always a bit tricky because you can’t control the site hygiene of your neighbors.
14. Choose a Secure WordPress Hosting Service
Every developer has their own favorites.
For managed hosting we prefer — https://wpengine.com/
For inexpensive hosting, we use two — https://www.siteground.com & https://www.godaddy.com/hosting/wordpress-hosting
15. Make Sure Your Site is Running the Latest Version of PHP
The global WordPress statistics page shows:
Only 1.7% of WordPress installations run on the latest version of PHP (7).
19.8% run version 5.6, which is still supported.
The balance of WordPress installations, almost 80%, run on versions that are no longer supported!
16. Make Sure Your Site is Running the Latest Version of PHP
PHP, the underlying engine of WordPress, gets regular version and security updates.
If your site is not running on PHP 7, that means known security issues are not being fixed and your site is vulnerable to exploitation.
PHP version updates depend largely on your hosting service.
A good hosting service should make the latest PHP versions available for use with your WordPress installation.
17. Change the Admin Username
Hackers LOVE folks who choose ‘admin’ as their default administrator user name.
The easiest way to secure your WordPress admin login against brute force attacks is to change the default “admin” username to something more difficult to guess.
18. Change the Admin Username
How to change it if your user name is currently ‘admin’:
Create a new administrator user with a less obvious username and delete the old admin user.
This is a quick and easy WordPress security step to stop simple hacking attempts.
20. Always Use Strong Passwords
Do you have any idea how many WordPress sites have either ‘12345’ OR ‘password’ as a PASSWORD!!!
Then there is the other favorite username and password combination: admin/admin.
Hackers know users are prone to using simple, easy-to-guess passwords, so they use lists of commonly used passwords to gain control of your site.
‘Brute-forcing a password’ is when hackers try these common passwords over and over again.
21. Don’t Reuse Passwords
Users don’t want to remember long, complicated passwords for each of their accounts.
Got it! That is why there are password manager services like KeePass that generate nice long user names and passwords and store them securely encrypted.
Use a password manager — or risk compromising all of your accounts.
22. Avoid Plain-Text Password Transmission To Protect Your Password(s)
Internet traffic is constantly being ‘sniffed and snooped’.
Don’t send passwords over email, chat, social networks or other unencrypted forms of transmission.
Sensitive data must always be sent in encrypted form.
23. Avoid Plain-Text Password Transmission To Protect Your Password(s)
Implement HTTPS on your WordPress site, particularly on your backend, to avoid passwords being sent in plain text.
Don’t use plain FTP when accessing your site. Use SSH or FTPS to encrypt data transmission.
To do this you’ll need to set up an FTPS account on your hosting server.
24. Only Update Your Site From Trusted Networks
Users who understand and value Internet security would NEVER update a website from an untrusted network such as the ‘FREE’ Wi-Fi connection at a local coffee house.
Only update your site from trusted networks, such as those at your home, office or your encrypted hot-spot.
25. Use a Local Anti-Virus
Viruses are designed to spread themselves as far and wide as possible.
Many office workstations being used by WordPress administrators are infected with at least one virus.
These viruses can snoop passwords, credit card and other personal information.
26. Use a Local Anti-Virus
Make sure your local workstation is running a good and updated antivirus to prevent it from getting infected and spreading to your website.
ClamAV is an open source antivirus engine for detecting trojans, viruses, malware & other malicious threats.
27. Enable Google Search Console
Google Search Console is a free service offered by Google that helps you monitor and maintain your site’s presence.
Google Search Console will advise you if your website starts to host any malicious files.
This tool is not preventative - it is a handy ‘Malware Heads-Up’.
29. Sometimes Your Only Option Is Just Restore From Backup
Bad things happen to good websites: not only do they get hacked, but they can fall victim to accidents, power failures, and technical mishaps.
You must have a ‘Back-Up’ Plan — actually back up, and periodically test your backups.
30. WordPress Backup and Restore — BackupBuddy
BackupBuddy handles WordPress backup and restore like a champ. What good is a backup if you don’t also have a way to restore your WordPress site?
A solid WordPress backup solution must include both components:
A complete backup – Unlike other WordPress backup plugins, BackupBuddy backs up your entire WordPress installation, including your media library, themes, plugins, widgets, content, settings plus your database. Don’t be fooled by backup plugins that only back up your database—that won’t be enough to restore your site in its entirety.
A quick and easy way to restore WordPress – If something goes wrong, BackupBuddy can get your site up & running in no time using the restore function.
33. Limit Login Attempts
The Limit Login WordPress plugin detects a number of incorrect login attempts and denies that user the possibility of trying again for some time.
This, of course, makes brute-forcing attempts much more difficult to succeed and significantly improves your WordPress security.
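As an added example (not part of the presentation or the Limit Login plugin itself), this Python sketch shows the lockout logic such a plugin implements, and why it blunts the password-list attacks from slide 20: failures are counted per client key inside a sliding window, and once the threshold is hit the key is refused for a fixed period even if the next attempt carries the right password. The thresholds and addresses used below are constructed values.

```python
import time
from collections import defaultdict


class LoginLimiter:
    """Count failed logins per client key (IP address or username) inside a sliding window
    and refuse further attempts for `lockout` seconds once `max_fails` is reached."""

    def __init__(self, max_fails=5, window=600, lockout=1200):
        self.max_fails, self.window, self.lockout = max_fails, window, lockout
        self.failures = defaultdict(list)   # key -> timestamps of recent failures
        self.locked_until = {}              # key -> unix time at which the lockout ends

    def is_locked(self, key, now=None):
        now = time.time() if now is None else now
        return self.locked_until.get(key, 0) > now

    def record_failure(self, key, now=None):
        """Register one failed attempt; returns True if it triggered a lockout."""
        now = time.time() if now is None else now
        recent = [t for t in self.failures[key] if now - t < self.window]
        recent.append(now)
        self.failures[key] = recent
        if len(recent) >= self.max_fails:
            self.locked_until[key] = now + self.lockout
            self.failures[key] = []
            return True
        return False

    def record_success(self, key):
        self.failures.pop(key, None)


def attempt_login(limiter, key, password_ok, now=None):
    """Gate one login attempt. While the key is locked the outcome is 'locked' even if the
    password is right, which is what stops a list of common passwords being tried in bulk."""
    if limiter.is_locked(key, now):
        return "locked"
    if password_ok:
        limiter.record_success(key)
        return "ok"
    limiter.record_failure(key, now)
    return "failed"
```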
34. Enable Two-Factor Authentication
2FA - besides your regular password, you will also need a time-based security token that is unique to each user. This token also expires after a period of time, usually 60 seconds.
The security token is typically generated by an app such as Google Authenticator.
35. Ensure File Permissions Are Correct
PHP and WordPress in general use a set of permissions associated with files and folders.
In general, your web server typically needs to be able to write files for WordPress to work correctly, but the public internet NEVER needs to have write access to your files.
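An added example (not from the presentation): a Python audit that walks a WordPress tree and flags every entry writable by everyone, plus any PHP file sitting inside the uploads directory, which the web server must be able to write to but should never be serving PHP from. The sample tree is constructed in a temporary directory; wp-content/uploads is the standard WordPress upload path.

```python
import os
import stat
import tempfile


def audit_permissions(root, upload_dirs=("wp-content/uploads",)):
    """Report (relative_path, problem) for world-writable entries and for PHP files
    under directories the web server writes into. Symlinks are skipped."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            mode = os.lstat(full).st_mode
            if stat.S_ISLNK(mode):
                continue
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (mode %o)" % stat.S_IMODE(mode)))
            if name.endswith(".php") and any(rel.startswith(d + os.sep) for d in upload_dirs):
                findings.append((rel, "PHP file inside an upload directory"))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree for demonstration, not a real installation:
    a sane index.php and wp-config.php, a 777 uploads folder, a 666 image and a stray PHP file."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    uploads = os.path.join(root, "wp-content", "uploads")
    os.makedirs(uploads)
    os.chmod(os.path.join(root, "wp-content"), 0o755)
    for rel, mode in (("index.php", 0o644), ("wp-config.php", 0o600),
                      ("wp-content/uploads/photo.jpg", 0o666),
                      ("wp-content/uploads/stray.php", 0o644)):
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)
    os.chmod(uploads, 0o777)
    return root
```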
36. Block Malicious Countries
The IP Geo Block plugin protects your site against such threats of attack to the back-end of your site not only by blocking requests from undesired countries but also with its original feature ‘Zero-day Exploit Prevention’ (WP-ZEP).
It also blocks undesired requests to the login form (login attempts), comment form (spam and trackback) and XML-RPC (login attempts and pingback).
37. Change the Default Table Prefix
Change Table Prefix is mainly useful if you have not changed the database prefix at the time of installation and want to change it post-installation to make your website more secure and protected from SQL injections.
38. Disable PHP Execution
One of the first things a hacker would do if they got some kind of access to your site would be to execute PHP from within a directory.
Add the code below to the .htaccess file in the root directory of your WordPress installation:
<Files *.php>
  # Apache 2.2 directives (Apache 2.4 without mod_access_compat needs "Require all denied")
  # Note: placed in the site root this also blocks index.php and wp-admin, so the usual
  # location is a directory that must never serve PHP, such as wp-content/uploads
  Order Allow,Deny
  Deny from all
</Files>
40. Restrict Database User Privileges
In general, the database user only needs the following privileges: for most WordPress day-to-day operations, the database user only needs data read and data write privileges to the database: SELECT, INSERT, UPDATE and DELETE.
41. Disable File Editing
You can (and should) disable file editing for WordPress administrators after your website goes live through the following line in the wp-config.php file:
define('DISALLOW_FILE_EDIT', true);
44. Set WordPress Secret Authentication Keys
You might have come across these eight WordPress security and authentication keys in your wp-config.php file and wondered what they are. You may also have never seen or heard about them.
They look something like this:
define('AUTH_KEY', 'j+Oq5CL Z6M?dc|9KwWv(k9&RK[,>K@vGRY0AvEPrnHav-wq.+&d))-Y}22tD JE');
define('SECURE_AUTH_KEY', 'Vk~ Qe#?z7GKB>%F2MFOF?6~j#f&FJMG.Y@;~Hlih8jf[}Cgl@-<>w[C -j.E@D#');
define('LOGGED_IN_KEY', 'YR,_/w.(Ud*.,/(aBmNs?JQGmC4W@<vu_(G:!+@x*?x}?g+8h[vJF!dCsekIf009');
define('NONCE_KEY', 'yY%{Hx|-WsSSVVFp2h+to5bl;uZ|Za,uT;qC;!b<Oew!NIjrNE#B}N#b4Y45^eh6');
define('AUTH_SALT', 'mHq/^I#e-;<`(i}@B_ik`9nVbiS4f^PFI+-ZP((p(M%]!x+:)45BRTTdzAZ<^c3{');
define('SECURE_AUTH_SALT', '+cE7REA-3}V|0Dd#ze8ml=%3;GdRw!EuPGJaOoM}qUd;}doDslqweWY7sJX 9Yab');
define('LOGGED_IN_SALT', 'A-&{HPc3#P/5-aK88R!~ A9q|PbZrxC9#ZtOie%E~ld;*?x4V)Zd4lPZBX(j?U]y');
define('NONCE_SALT', 'O[byb]ByAxb!Q1l8Z>nyh|EwAECr-HXCQQI;fE|q[YY1|tpve8:EZ&X-TPqFnS#v');
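An added example, not from the presentation, that checks the three wp-config.php items from slides 37, 41 and 44 in one pass: secret keys and salts that are missing, still the placeholder, or too short; DISALLOW_FILE_EDIT; and the default 'wp_' table prefix. The file content below is a constructed sample; 'put your unique phrase here' is the text shipped in WordPress's own wp-config-sample.php.

```python
import re

# Constructed sample wp-config.php fragment (not from a real site): two placeholder keys,
# one key that is too short, four salts missing, file editing left enabled, default prefix.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'Q7#mXv2!pL9&kR4^zT8*bN6%wH3$cJ5@dF1(gS0)eA');
define('NONCE_KEY',        'short');
"""

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"   # value shipped in wp-config-sample.php
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*(?:'((?:[^'\\]|\\.)*)'|(true|false))\s*\)")
PREFIX_RE = re.compile(r"\$table_prefix\s*=\s*'([^']*)'")


def parse_defines(text):
    """Map constant name -> string value, or 'true'/'false', for every define() in the file."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in DEFINE_RE.finditer(text)}


def audit_wp_config(text, min_key_len=32):
    """Return human-readable findings for secret keys/salts, DISALLOW_FILE_EDIT
    and the table prefix; an empty list means all three checks passed."""
    findings = []
    defines = parse_defines(text)
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            findings.append(f"{name} is not defined in wp-config.php")
        elif PLACEHOLDER in value or len(value) < min_key_len:
            findings.append(f"{name} is the placeholder or too short ({len(value)} chars)")
    if defines.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the theme/plugin editor is enabled")
    prefix = PREFIX_RE.search(text)
    if prefix is None or prefix.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    return findings
```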
45. Some Additional Resources Mentioned During Meeting
PHP Compatibility Checker Plugin — The WP Engine PHP Compatibility Checker can be used by any WordPress website on any web host to check PHP version compatibility.
BackWPup — This backup plugin can be used to save your complete installation including /wp-content/ and push it to an external backup service, like Dropbox, S3, FTP and many more. With a single backup .zip file you are able to easily restore an installation.
46. Followup to the WordPress Permissions Discussion
Everything you need to know about changing file permissions you can find in the WordPress Codex (this is your official source for all things WordPress).
The permission plugins mentioned are:
User Role Editor — This WordPress plugin lets you change user role (except Administrator) capabilities easily, with a few clicks. Just turn on the check boxes of the capabilities you wish to add to the selected role and click the “Update” button to save your changes.
Press Permit Core — is an advanced content permissions system. It is derived from Role Scoper, but with extensive improvements in versatility, performance and user-friendliness.
48. Source For Free SSL Certificate
Let’s Encrypt
Some hosting companies will give you a complimentary SSL certificate as part of your hosting package - ask your current hosting company about their SSL policies while you inquire about what version of PHP they are running.