WordPress Security

Uploaded by globalspex, posted 09-Jul-2015. Category: Internet.

Description: WordPress security features.

TRANSCRIPT
TRANSCRIPT

Page 1: WordPress Security

GlobalSpex, Inc. www.globalspex.com @globalspex [email protected]

WORDPRESS SECURITY

http://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/

Page 2: WordPress Security

According to WP White Security, more than 70% of WordPress installations are vulnerable to attack, and the number of hacked WordPress websites in 2012 was a whopping 170,000. That figure grows every year.

Page 3: WordPress Security

(no text on this slide)

Page 4: WordPress Security

HOW DO THEY HACK IT?

1. A security vulnerability
2. A WordPress theme
3. A WordPress plugin
4. Weak passwords

...and once in, by inserting code and leaving a backdoor so they can get back in later.

Page 5: WordPress Security

WHAT CAN YOU DO?

1. Find and use a good host who understands WordPress.
2. Get it right during installation (database prefix, WP keys, etc.).
3. Keep WP and all plugins and themes updated.
4. Watch your file permissions.
5. Disable error reporting.
6. Use .htaccess for more protection.
7. Use strong passwords.
8. Hide the login page.
9. Don't use "admin" as a user.
10. Remove the WP version.

Page 6: WordPress Security

INSTALLATION

1. Unique SALT keys: the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY lines in wp-config.php and their _SALT counterparts. Never leave the sample values in place or copy them from another site.

2. Don't use wp_ for the table prefix, e.g. $table_prefix = 'ArcL3an_'; This only defeats attacks that hard-code the default table names; it is a speed bump, not a substitute for patching.
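The two installation items together, as an added example of the relevant part of wp-config.php (this is not code from the slides or the linked guide). It also turns off error display, which page 8 comes back to. The salt strings shown are the placeholders WordPress ships in wp-config-sample.php; replace them with the eight lines generated fresh by https://api.wordpress.org/secret-key/1.1/salt/ and the prefix with one of your own.

```php
<?php
// Added example: the security-relevant settings in wp-config.php at install time.
// Placeholder salts below must be replaced with values from
// https://api.wordpress.org/secret-key/1.1/salt/ (each site gets its own set).

// 1. Unique keys and salts. These are the secrets WordPress uses to sign login
//    cookies and nonces; if they are still the sample values, or copied from
//    another site, they are not secrets. Changing them later invalidates every
//    existing session, which is also how you log all users out at once.
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');

// 2. A table prefix other than wp_. Decide this before installing: renaming the
//    tables afterwards also means updating the rows in *_options (user_roles) and
//    *_usermeta (capabilities, user_level) whose option/meta names embed the prefix.
$table_prefix = 'ArcL3an_';

// Page 8, item 2: never show PHP errors, and the server paths inside them, to visitors.
// If you need the messages while debugging, write them to wp-content/debug.log instead
// by setting WP_DEBUG and WP_DEBUG_LOG to true and keeping WP_DEBUG_DISPLAY false.
define('WP_DEBUG', false);
define('WP_DEBUG_DISPLAY', false);
define('WP_DEBUG_LOG', false);
@ini_set('display_errors', '0');
```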

Page 7: WordPress Security

KEEP WORDPRESS, THEMES, PLUGINS UPDATED

1. Upgrade regularly, and back up your WP install's files and database first so you can roll back.

2. Be ruthless when it comes to plugins. If you can do without the functionality a plugin offers, deactivate it and remove it. A deactivated plugin still sits on disk with its code reachable, so deactivating alone is not enough.

3. Be careful with free themes that are not in the official WordPress.org repository; bundled themes and plugins are a common way injected code and backdoors arrive.

Page 8: WordPress Security

FILE PERMISSIONS, ERROR REPORTING, AND .HTACCESS

1. File permissions:
   1. All directories should be 755 or 750.
   2. All files should be 644 or 640.
   3. wp-config.php should be 600.
   The stricter variants (750, 640, 600) only work when PHP runs as the file owner; if the web server runs as a different account, it needs group read (640) on wp-config.php or the site will not load.

2. If a plugin or theme causes an error, the error message may display your server path. Keep WP_DEBUG_DISPLAY off in wp-config.php and display_errors off in PHP.

3. With .htaccess you can block IP addresses, restrict access to certain IP addresses, and stop folders from being browsed (directory listings).

4. Disable XML-RPC. Use a plugin: https://wordpress.org/plugins/disable-xml-rpc/ Note that the xmlrpc_enabled filter WordPress exposes for this only disables the methods that require authentication; pingback.ping stays reachable, so denying xmlrpc.php at the web server is more thorough if nothing on the site needs it.
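An added example .htaccess (not from the slides or the linked guide) covering items 3 and 4: no directory listings, the login page limited to one address range, one address blocked site-wide, and xmlrpc.php refused at the web server. It uses Apache 2.4 syntax (Require); 203.0.113.0/24 and 198.51.100.7 are documentation-range placeholders for your own office range and a known bad address. It only takes effect where the host's AllowOverride lets .htaccess set Options and authorization; on nginx the equivalents go in the server block.

```apacheconf
# Added example .htaccess for the WordPress root (Apache 2.4 syntax).
# Placeholders: 203.0.113.0/24 = your office range, 198.51.100.7 = an address to block.

# Item 3: no directory listings, so a folder without index.php does not
# reveal plugin, theme and upload file names.
Options -Indexes

# Item 3: only the office range may reach the login page. To protect the whole
# dashboard, put "Require ip 203.0.113.0/24" in a separate wp-admin/.htaccess,
# but remember wp-admin/admin-ajax.php is used by front-end plugins for all visitors.
<Files wp-login.php>
    Require ip 203.0.113.0/24
</Files>

# Item 3: block one address site-wide while allowing everyone else.
<RequireAll>
    Require all granted
    Require not ip 198.51.100.7
</RequireAll>

# Item 4: refuse the XML-RPC endpoint entirely. Unlike the plugin's filter, this
# also stops pingback.ping. Do not use this if a mobile app or Jetpack needs XML-RPC.
<Files xmlrpc.php>
    Require all denied
</Files>
```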

Page 9: WordPress Security

STRONGER LOGINS

1. Limit the number of login attempts.
2. Strong passwords for everyone. You can force this on new users.
3. Do not use 'admin' as a username, or anything obvious like 'administrator' or 'user'.
4. Two-step authentication. It forces everyone to enter an authorization code in order to log in to your website.
5. Hide your login page. Give it a new name like /login instead of /wp-admin. This is obscurity only: it cuts down automated noise but does not replace items 1 to 4.
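Item 1 as an added example (not code from the slides or the linked guide): a must-use plugin that counts failed logins per client address in a WordPress transient and refuses further attempts once the limit is hit, using the wp_login_failed, authenticate and wp_login hooks that WordPress provides. The constant and function names, the limit of 5 attempts and the 15-minute lockout are the example's own choices.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 */

const LLA_MAX_ATTEMPTS    = 5;    // failures allowed before lockout (example value)
const LLA_LOCKOUT_SECONDS = 900;  // 15 minutes (example value)

// Transient name for the calling client. Assumption: PHP sees the real client
// address in REMOTE_ADDR. Behind a proxy or CDN, map the proxy's forwarded header
// here instead, or every visitor shares one bucket and one lockout.
function lla_client_key(): string {
    return 'lla_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// Count each failed login for this client. The transient expires on its own;
// every new failure (including attempts refused below) restarts the clock, so a
// client that keeps hammering stays locked out.
add_action('wp_login_failed', function (string $username): void {
    $key      = lla_client_key();
    $failures = (int) get_transient($key) + 1;
    set_transient($key, $failures, LLA_LOCKOUT_SECONDS);
});

// Priority 30 runs after core's username/password check (priority 20); returning a
// WP_Error here makes wp_signon() fail regardless of whether the password was right.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ((int) get_transient(lla_client_key()) >= LLA_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins. Try again in %d minutes.', LLA_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for this client.
add_action('wp_login', function (): void {
    delete_transient(lla_client_key());
});
```

Because the lockout is keyed on the client address, it slows a single attacker but not one spread across many addresses; it belongs alongside strong passwords and two-step authentication, not instead of them.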

Page 10: WordPress Security

OTHER ...

1. Remove the WP version number from the page source. Add the following to the top of your theme's functions.php file:

remove_action('wp_head', 'wp_generator');

   This only removes the generator meta tag from the HTML head; the version is still visible in the RSS feed's generator element and in readme.html at the site root, so treat this as tidying. Keeping WordPress updated is what actually protects you.

2. Add a firewall and check your virus scanner.

3. Don't access your site from a cafe or other open network.

4. Be careful who you give Admin or Editor status.

5. Be wary of allowing people to upload files to your website via a form, as hackers can use it to upload a malicious script. Even if you only allow image uploads, sneaky files such as image.jpg.php have been known to slip through: a check that merely looks for ".jpg" somewhere in the name passes it, and the server runs it as PHP because the final extension is .php.
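An added example (not from the slides or the linked guide) of the kind of check item 5 calls for: it accepts only a single, whitelisted image extension, confirms from the file's bytes that the content really is that image type, and plugs into WordPress's wp_handle_upload_prefilter filter so a form built on wp_handle_upload() rejects the file before it lands in wp-content/uploads. The constant and function names are the example's own; it needs PHP's fileinfo and gd extensions.

```php
<?php
// Added example: validate an uploaded "image" before it reaches the uploads folder.

const ALLOWED_IMAGE_TYPES = [
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'png'  => 'image/png',
    'gif'  => 'image/gif',
];

/**
 * Returns null when the upload looks like a genuine image, otherwise the reason
 * it was rejected. $name is the client-supplied file name, $tmp the server-side
 * temporary path PHP stored the body in.
 */
function image_upload_problem(string $name, string $tmp): ?string {
    $base = basename($name);

    // Exactly one dot and one extension: "image.jpg.php", "image.php.jpg" and
    // names with path separators or odd characters never get past this line.
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $base, $m)) {
        return 'file name must be letters, digits, "-" or "_" plus a single extension';
    }
    $ext = strtolower($m[1]);
    if (!isset(ALLOWED_IMAGE_TYPES[$ext])) {
        return "extension .$ext is not an allowed image type";
    }

    // Trust the bytes, not the name or the browser-supplied Content-Type:
    // sniff the MIME type from the file content and require it to match the extension.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($tmp);
    if ($mime !== ALLOWED_IMAGE_TYPES[$ext]) {
        return "content is " . var_export($mime, true) . ", not " . ALLOWED_IMAGE_TYPES[$ext];
    }

    // It must also decode as an image with real dimensions; a script with a
    // renamed extension fails here.
    $info = @getimagesize($tmp);
    if ($info === false || $info[0] < 1 || $info[1] < 1) {
        return 'file does not decode as an image';
    }
    return null;
}

// Inside WordPress: reject the file before wp_handle_upload() moves it into
// wp-content/uploads. Setting $file['error'] to a string is the documented way
// to abort the upload with that message.
if (function_exists('add_filter')) {
    add_filter('wp_handle_upload_prefilter', function (array $file): array {
        $problem = image_upload_problem($file['name'], $file['tmp_name']);
        if ($problem !== null) {
            $file['error'] = 'Upload rejected: ' . $problem;
        }
        return $file;
    });
}
```

Even this does not stop a polyglot file that is a valid JPEG and valid PHP at the same time, so the complementary control is to make sure nothing under wp-content/uploads is ever executed as PHP by the web server.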

Page 11: WordPress Security

BACK UP!!

When was the last time you backed up?

Daily: the database. Monthly: a full backup including files. Keep copies off the web server and test that you can restore from them; a backup that sits next to the site is lost with it.

Page 12: WordPress Security

Christina Hawkins, @globalspex

[email protected]

281-940-7002