wordpress security
DESCRIPTION
This was a 45-minute presentation given to the Calgary WordPress Meetup group on April 23, 2013 on WordPress Security along with additional tips and tricks on password best practices.
Meetup: http://www.meetup.com/The-Calgary-WordPress-Meetup-Group/
Presenter: http://rexroar.com
TRANSCRIPT
Do you use the same password on multiple sites?
If you don’t follow password best practices, your hacked WordPress account could lead to other compromised accounts
What’s at risk?
• Redirect visitors to a completely different website
• Compromise shared hosting server and infect other sites
• Phish for sensitive info
• Hijack links
• Blacklisted by Google and other search engines
• And more…
Things you can do
• Keep your core, themes & plugins updated
• Remove unused themes & plugins from server
• Remove the WP version number
• Select a good username
• Never write as an Administrator
• Create & use a strong password
• Secure WordPress further
Keep up-to-date
• The majority of hacked WordPress sites are not updated!
• Before ever making updates, ensure you backup your database AND content
• Use a plugin like Backup Buddy to automate the task or other free options
• Update WordPress, themes & plugins
Clean up your house
• Remove unused themes (twentyten, etc.)
• Remove inactive plugins from WordPress and the server
• Don’t keep .sql files (or other backups) stored on your server
Remove the WP version number
http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/
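The slide only links to a tutorial, so here is what the change looks like in code. This is an added example, not from the presentation or the linked article: a small must-use plugin (drop it in wp-content/mu-plugins/, or paste the hooks into a theme's functions.php) that uses WordPress's own `the_generator`, `script_loader_src` and `style_loader_src` filters. The function name `example_strip_ver_param` is a made-up name for this example.

```php
<?php
/**
 * Plugin Name: Hide WP Version (added example)
 * Description: Removes the WordPress version from the generator tag,
 *              feeds, and enqueued asset URLs.
 */

// The <meta name="generator" content="WordPress X.Y.Z"> tag in the page
// head and the version string in RSS/Atom feeds both pass through the
// 'the_generator' filter; returning an empty string suppresses them.
add_filter('the_generator', '__return_empty_string');

/**
 * Strip the ?ver=X.Y.Z query argument WordPress appends to core scripts
 * and styles; without a version of its own, a core asset is stamped with
 * the WordPress version, which leaks it in every page's HTML.
 *
 * @param string $src The script or style URL being enqueued.
 * @return string The URL without its ver argument.
 */
function example_strip_ver_param($src) {
    if (is_string($src) && strpos($src, 'ver=') !== false) {
        $src = remove_query_arg('ver', $src);
    }
    return $src;
}
// Priority 15 so this runs after most plugins/themes have finished
// building the URL.
add_filter('script_loader_src', 'example_strip_ver_param', 15);
add_filter('style_loader_src', 'example_strip_ver_param', 15);
```

Stripping the `ver` argument also disables cache-busting for those assets, so clear any page or CDN cache after core updates. Hiding the version only removes the most casual exposure; the real protection is the "Keep up-to-date" slide, since the version string is not the only way software can be fingerprinted.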
Select a good username
• Never use ‘admin’ or ‘administrator’ as your username
• Never use the sitename as your username
• If you have one of these, get rid of it…now
• Your personal name is OK, but your password needs to be strong
Never write as an Admin user
• In no time at all a username can be determined
• If a post is written as an admin, half the job is already done
Create & use a strong password
When creating a password, do NOT use:
• Your birthdate, wedding anniversary, or dates of birth of your children or spouse
• Your name, username, company name, names of your children
• Your SIN number
• Only numbers or letters
• A short, easy to remember password
• The word ‘password’
• No words found in a dictionary*
Create & use a strong password
When creating a password, do use:
• At least 10 characters
• A mix of numbers, upper and lower case letters and special characters
• A password you have never used before
• Consider ‘salting’ your password
• Have a system or mnemonic
Create & use a strong password
Consider a multi-word combo password
Credit: http://xkcd.com/936/
Create & use a strong password
Consider a multi-word combo password
• More likely to be remembered
• Words must be random
• Words must not relate
• Upper & lower cases still matter
• Add a number or two
• Special character as well
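To make the "do / do not" rules and the multi-word slides concrete, here is an added PHP example (not from the presentation) that checks a candidate password against those rules, shows why a multi-word password holds up (the xkcd 936 arithmetic: bits = words × log2(word-list size)), and builds one with the CSPRNG plus the extras the slide asks for. The word list, the personal details and the candidate passwords are constructed for the demonstration; the function names are invented for this example.

```php
<?php
// Added example, not from the presentation. Checks a candidate password
// against the slide's rules and estimates search space in bits.

/**
 * Return the rule violations for $password (empty array = passes).
 * $personal holds strings the slide says never to use (name, username,
 * company, dates); $dictionary is a small constructed word list.
 */
function check_password_rules(string $password, array $personal, array $dictionary): array
{
    $problems = [];
    $lower = strtolower($password);

    if (strlen($password) < 10) {
        $problems[] = 'shorter than 10 characters';
    }
    if (!preg_match('/[a-z]/', $password) || !preg_match('/[A-Z]/', $password)) {
        $problems[] = 'needs both upper and lower case letters';
    }
    if (!preg_match('/[0-9]/', $password)) {
        $problems[] = 'needs at least one digit';
    }
    if (!preg_match('/[^A-Za-z0-9]/', $password)) {
        $problems[] = 'needs at least one special character';
    }
    if (strpos($lower, 'password') !== false) {
        $problems[] = 'contains the word "password"';
    }
    foreach ($personal as $item) {
        // Names, usernames, company and birth years are easy to look up.
        if ($item !== '' && strpos($lower, strtolower($item)) !== false) {
            $problems[] = "contains personal information: $item";
        }
    }
    if (in_array($lower, array_map('strtolower', $dictionary), true)) {
        $problems[] = 'is a single dictionary word';
    }
    return $problems;
}

/** Search space in bits for $length random characters from an alphabet. */
function random_char_entropy_bits(int $length, int $alphabet): float
{
    return $length * log($alphabet, 2);
}

/** Search space in bits for $words words drawn uniformly from $list_size. */
function passphrase_entropy_bits(int $words, int $list_size): float
{
    return $words * log($list_size, 2);
}

/**
 * Build a multi-word combo password: random, unrelated words (the caller
 * supplies an unrelated list), alternating case, plus a number and a symbol.
 */
function make_passphrase(array $wordlist, int $words = 4): string
{
    $parts = [];
    for ($i = 0; $i < $words; $i++) {
        // random_int() is cryptographically secure; rand() is not.
        $w = $wordlist[random_int(0, count($wordlist) - 1)];
        $parts[] = ($i % 2 === 0) ? ucfirst($w) : $w;
    }
    $symbols = '!@#$%^&*-_=+';
    return implode('-', $parts)
        . random_int(10, 99)
        . $symbols[random_int(0, strlen($symbols) - 1)];
}

// Constructed sample data.
$dictionary = ['correct', 'horse', 'battery', 'staple', 'wordpress', 'sunshine', 'meetup', 'plugin'];
$personal   = ['rex', 'calgary', '1975'];

foreach (['Calgary1975', 'Password2013!', 'sunshine', make_passphrase($dictionary)] as $candidate) {
    $problems = check_password_rules($candidate, $personal, $dictionary);
    printf("%-40s %s\n", $candidate, $problems ? implode('; ', $problems) : 'passes all rules');
}

// Four random words from a 2048-word list give 44 bits, roughly what
// seven random printable-ASCII characters give, and are far easier to remember.
printf("4 words from a 2048-word list: %.1f bits\n", passphrase_entropy_bits(4, 2048));
printf("10 random chars from 94 printable ASCII: %.1f bits\n", random_char_entropy_bits(10, 94));
```

The entropy figures assume the words really are chosen at random from the list; picking words you "think of" (or that relate to each other, as the slide warns) shrinks the search space far below the computed number, which is why the generator uses `random_int` rather than the author's memory.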
Create & use a strong password
DO NOT store your password in an obvious place!
• NOT on a sticky note on your monitor
• NOT in your daily planner
Use a Password Keeper
• LastPass.com
• AgileBits.com/OnePassword
Create & use a strong password
Don’t panic, password recovery is built in!
Create & use a strong password
Password Generator
• www.StrongPasswordGenerator.com
• www.random.org/passwords/
Test your password
• www.PasswordMeter.com
• www.grc.com/haystack.htm
Secure WordPress further
Four free plugins you can use to secure WP
• Limit login attempts
• Better WP security
• Wordfence
• WP-Security scan
All are located in the WordPress plugin repository
Resources
Sucuri.net
• $89.99/year
• Malware cleanup, monitoring and more
Duo Security
• Free*
• Add two-factor sign in for your installation
Next steps?
• Implement this stuff!!
• Start with the basics
– A strong password
– A good username
– Writing with an editor username
WordCamp Calgary 2013
• Tickets on sale April 24
• $40 for two-day conference
• http://2013.calgary.wordcamp.org