WordPress Security

Post on 09-Jul-2015

Category:

Internet

DESCRIPTION

WordPress Security features

TRANSCRIPT

GlobalSpex, Inc. www.globalspex.com @globalspex info@globalspex.com

WORDPRESS SECURITY

http://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/

According to WP White Security, more than 70% of WordPress installations are vulnerable to hacker attacks and the total number of hacked WordPress websites in 2012 was a whopping 170,000. This figure is growing every year.

HOW DO THEY HACK IT?

- Security vulnerability
- WordPress theme
- WordPress plugin
- Weak passwords

by inserting code & leaving a backdoor

WHAT CAN YOU DO?

1. Find and use a good host who understands WordPress.
2. During installation (DB prefix, WP keys, etc.).
3. Keep WP and all plugins and themes updated.
4. Watch your file permissions.
5. Disable error reporting.
6. Use .htaccess for more protection.
7. Use strong passwords.
8. Hide the login page.
9. Don’t use Admin as a user.
10. Remove the WP version.

INSTALLATION

1. SALT keys.

2. Don’t use wp_ for the table prefix:

   $table_prefix = 'ArcL3an_';

KEEP WORDPRESS, THEMES, PLUGINS UPDATED

1. Regularly upgrade and backup your WP install’s files and database.

2. Be ruthless when it comes to plugins. If you can do without the functionality a plugin offers, deactivate it and remove it.

3. Be careful with free themes not found in the WordPress.org repository.

FILE PERMISSIONS, ERROR REPORTING, AND .HTACCESS

1. File permissions:
   1. All directories should be 755 or 750.
   2. All files should be 644 or 640.
   3. wp-config.php should be 600.

2. Disable error reporting: if a plugin or theme causes an error, the error message may display your server path.

3. With .htaccess you can block IP addresses, restrict access to certain IP addresses, and control which folders can be browsed.

4. Disable XML-RPC. Use a plugin: https://wordpress.org/plugins/disable-xml-rpc/
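The permission list in item 1 is easy to drift from after plugin updates or a sloppy FTP upload. The script below is an added example, not code from the slides: it audits a WordPress root against exactly those modes and can reapply them. It assumes a POSIX find(1) that understands -maxdepth (GNU or BSD) and that you run it as the file owner or root; the path /var/www/html in the usage line is a placeholder.

```shell
#!/bin/sh
# Added example (not from the deck): audit and repair the permissions listed
# under "File Permissions". Assumes a POSIX find with -maxdepth (GNU/BSD).
# Exact -perm matches are used, so setuid/setgid bits also count as findings.

# Print every path matched by the given find(1) tests to stderr with a label,
# and write the number of matches to stdout.
_report() {
    label="$1"; shift
    find "$@" -print | while IFS= read -r p; do
        printf '%-6s %s\n' "$label" "$p" >&2
    done
    find "$@" -print | wc -l
}

# wp_perm_audit <wordpress-root>
# Lists deviations from 755/750 (dirs), 644/640 (files), 600 (wp-config.php).
# Prints the total count on stdout; returns 0 only when nothing deviates.
wp_perm_audit() {
    root="${1:?usage: wp_perm_audit <wordpress-root>}"
    d=$(_report DIR    "$root" -type d ! -perm 755 ! -perm 750)
    f=$(_report FILE   "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640)
    c=$(_report CONFIG "$root" -maxdepth 1 -type f -name wp-config.php ! -perm 600)
    total=$((d + f + c))
    echo "$total"
    [ "$total" -eq 0 ]
}

# wp_perm_fix <wordpress-root>
# Applies the recommended modes. Run as the file owner (or root) after a backup.
wp_perm_fix() {
    root="${1:?usage: wp_perm_fix <wordpress-root>}"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
}

# Usage: sh wp-perms.sh /var/www/html        (audit only)
#        sh wp-perms.sh /var/www/html fix    (repair, then audit)
if [ -n "${1:-}" ]; then
    if [ "${2:-}" = fix ]; then
        wp_perm_fix "$1"
    fi
    wp_perm_audit "$1"
fi
```

The audit exits non-zero when anything deviates, so it can sit in a cron job or a deployment pipeline as a gate; the fix step is deliberately separate so nothing is changed on a host you only meant to inspect.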
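As an added example (not from the slides), an .htaccess for the WordPress root that applies items 3 and 4 without a plugin. It assumes Apache 2.4 with mod_authz_core and mod_authz_host loaded and AllowOverride permitting these directives; the IP ranges are placeholders from the documentation address space, and the XML-RPC block is only appropriate if nothing you use (Jetpack, the mobile app) depends on it.

```apache
# Added example, not from the original deck. Assumes Apache 2.4 (Require syntax).

# Item 3: no directory listings for folders that lack an index file
Options -Indexes

# Never serve the configuration file, even if PHP handling breaks
<Files "wp-config.php">
    Require all denied
</Files>

# Restrict the login page to an office/VPN range (placeholder: 203.0.113.0/24)
<Files "wp-login.php">
    Require ip 203.0.113.0/24
</Files>

# Block a single abusive address site-wide (placeholder: 198.51.100.7)
<RequireAll>
    Require all granted
    Require not ip 198.51.100.7
</RequireAll>

# Item 4 without a plugin: refuse XML-RPC requests entirely
<Files "xmlrpc.php">
    Require all denied
</Files>
```

On Apache 2.2 the equivalent is the older Order/Allow/Deny syntax; mixing the two on 2.4 without mod_access_compat produces a 500 error, so test on a staging copy before pushing to the live site.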

STRONGER LOGINS

1. Limit the number of login attempts.
2. Strong passwords for everyone. You can force this for new users.
3. Do not use ‘Admin’ as a username, or anything obvious like ‘administrator’ or ‘user’.
4. 2-step authentication. It forces everyone to use an authorization code in order to log in to your website.
5. Hide your login page. Give it a new name like /login instead of /wp-admin.

OTHER …

1. Remove the WP version number from code. Add the following code to the top of your theme’s functions.php file:

   remove_action('wp_head', 'wp_generator');

2. Add a firewall; check your virus scanner.
3. Don’t access your site at a cafe or on an open network.
4. Be careful to whom you give Admin or Editor status.
5. Be wary of allowing people to upload files to your website via a form, as hackers can use it to upload a malicious script. Even if you only allow image uploads, sneaky files such as image.jpg.php have been known to slip through.
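Item 5 is worth checking for after the fact as well as preventing: a quick scan of the uploads folder shows whether a file like image.jpg.php has already slipped through. The script below is an added example, not code from the slides. It looks only at file names (not contents), matches a script extension anywhere in the final path component so that both image.jpg.php and the reverse shell.php.png are caught, and its extension list is an assumption you should extend to whatever your server hands to an interpreter.

```shell
#!/bin/sh
# Added example (not from the deck): look through a WordPress uploads folder
# for files whose name carries a server-side script extension anywhere in it,
# the image.jpg.php pattern described above, plus the reverse (shell.php.png),
# which some server configurations will still hand to the PHP interpreter.
# The extension list is an assumption; extend it to match your handlers.

# wp_upload_scan <uploads-dir>
# Prints each suspicious path on stdout; returns 1 if any were found, else 0.
wp_upload_scan() {
    dir="${1:?usage: wp_upload_scan <wp-content/uploads>}"
    # Match only in the final path component: an extension from the list,
    # followed either by the end of the name or by a further dotted suffix.
    # Case-insensitive, so doc.PHP5 is caught as well.
    hits=$(find "$dir" -type f \
           | grep -i -E '\.(php[0-9]*|phtml|phar)(\.[^/]*)?$' || true)
    [ -n "$hits" ] || return 0
    printf '%s\n' "$hits"
    return 1
}

# Usage: sh wp-upload-scan.sh /var/www/html/wp-content/uploads  (path is a placeholder)
if [ -n "${1:-}" ]; then
    wp_upload_scan "$1" && echo "no script-like file names under $1"
fi
```

A hit is a reason to look, not proof of compromise (a theme author may genuinely have dropped a helper there), but the uploads tree should never need to execute anything, so anything this reports deserves a review of how it arrived.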

BACK UP!!

When was the last time you backed up?

- Daily database backup
- Monthly full backup including files

Christina Hawkins, @globalspex

sales@globalspex.com

281-940-7002
