WordPress Setup and Security - Updated
DESCRIPTION
Since WordPress enjoys the position of being one of the most widely used web platforms, it is also one of the most attacked. This has become particularly clear with the DNS and dictionary attacks over the last month. From installation to operation there are some fairly easy, yet must-do, steps to make sure your site is as secure as possible. In this session, we will look at the basics of WP security, touching on everything from file permissions and user accounts to preventing script injection and backup procedures, to protect your blog from hacking or downtime. We will cover techniques that apply to both self-hosted WordPress.org and hosted WordPress.com installations, and highlight what can and cannot be done on each.

Michael Carnell (http://www.MichaelCarnell.com) is a systems programmer for the Medical University of South Carolina. He is also data director for DesignTechWeb (http://www.DesignTechWeb.com), a partnership which produces sophisticated and secure website solutions for locally owned businesses and not-for-profits. He is both Microsoft and Apple certified, and often teaches classes and speaks on PC, Macintosh and Web technologies. Oh, and he loves trains and British cars.

TRANSCRIPT
WordPress Setup and Security
Michael Carnell - @carnellm http://www.DesignTechWeb.com
These slides are available at http://www.MichaelCarnell.com/presentations
or http://slideshare.net/carnellm
Wait! Before We Start
• Your domain name!
• Domain name registrar
• Need not be the same as your host (should not?)
• Needs to be in YOUR name
• Privacy? Depends on the type of site and on you
• My preferred registrar these days is Hover.com
Let's Talk Hosting
The Not So Good
• GoDaddy - common back end database that isn't secured well and suffers from performance overload, poor support
• Brinkster - has been hacked numerous times
• FreeHostia - slow, free account is very limited, always pushing the upsell
• Doing it yourself …
For the Good Times
• DreamHost - Not always the cheapest, but good and good support. But watch CPU usage as they will cut off processes.
• MediaTemple - Again, not cheap, but very stable and secure. Monitors scripts.
• BlueHost
• HostGator
The Basic Rules
• Do your research - http://www.DesignTechWeb.com/hosting
• Check their own support forums
• Is there a free trial or money back guarantee?
• If you are a high traffic site (really), you need a dedicated server
• None of this really applies to WordPress.com
The Dirty Details for WordPress
Install Correctly
• While installing (most will use OneClick) . . .
• Consider your directory: do you use the standard one? The web root?
• Consider altering the database name if your install allows it
• Make the database username and password long and random. Store them away safely; WordPress reads them from wp-config.php, so you should not need to type them day to day
• Don't reuse information: the admin login name should not be the same as your display name, the blog name, etc.
Double Check the Install
• File level tasks to be done via FTP (use SFTP if your host offers it; plain FTP sends your password in the clear) . . .
• Delete wp-admin/install.php
• In wp-config.php, add the optional security keys, generated at http://api.wordpress.org/secret-key/1.1/ (the /salt/ variant of that URL produces all eight keys and salts)
• Add a blank index.php to every plugin and theme directory that does not already have one (stops directory listing)
• Check the file and directory permissions (if you are comfortable)
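The four file-level checks above, as one script you can run over SSH on the host. This is an added example written for this page, not the presenter's code or a WordPress tool; it assumes shell access to the site directory (with FTP only, do the same steps by hand) and that PHP runs as the file owner, which is common on shared hosts.

```shell
#!/bin/sh
# Post-install file checks for a self-hosted WordPress tree.
# Added example, not the presenter's code.
# Usage: wp_harden /path/to/wordpress   (prints any security key still at its default)

# 1. Remove the installer so nobody can re-run it against the configured site.
wp_remove_installer() {
  if [ -f "$1/wp-admin/install.php" ]; then rm -f "$1/wp-admin/install.php"; fi
}

# 2. Blank index.php in every plugin and theme directory: a server with
#    directory listing enabled then shows nothing instead of the file list.
wp_add_index_files() {
  for dir in "$1/wp-content/plugins" "$1/wp-content/themes"; do
    [ -d "$dir" ] || continue
    find "$dir" -type d -exec sh -c \
      'for d; do [ -e "$d/index.php" ] || : > "$d/index.php"; done' sh {} +
  done
}

# Count directories under plugins/ and themes/ that still lack an index.php.
wp_missing_index_count() {
  n=0
  for dir in "$1/wp-content/plugins" "$1/wp-content/themes"; do
    [ -d "$dir" ] || continue
    n=$((n + $(find "$dir" -type d ! -exec sh -c 'test -e "$1/index.php"' sh {} \; -print | wc -l)))
  done
  echo "$n"
}

# 3. Anything world-writable is a gift to the next compromised account on a
#    shared host. Count such entries (symlinks excluded).
wp_world_writable_count() {
  find "$1" -perm -o=w ! -type l | wc -l | tr -d ' '
}

# 4. The eight keys/salts in wp-config.php feed the hashes that protect login
#    cookies. The shipped placeholder text means you have not set them yet.
#    Print the names of keys that are missing or still at the placeholder.
wp_weak_keys() {
  cfg="$1/wp-config.php"
  for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
           AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    line=$(grep "define *( *['\"]$k['\"]" "$cfg" 2>/dev/null || true)
    case "$line" in
      "" | *"put your unique phrase here"*) echo "$k" ;;
    esac
  done
}

wp_harden() {
  root="$1"
  wp_remove_installer "$root"
  wp_add_index_files "$root"
  # Directories need the execute bit to be traversed (755); files should not
  # be group- or world-writable (644); wp-config.php holds the database
  # password, so owner plus the web server's group only (640; use 600 if PHP
  # runs as your own user).
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 640 "$root/wp-config.php"; fi
  wp_weak_keys "$root"
}
```

The blanket 755/644 assumes PHP runs as the file owner; if the web server runs as a different user, wp-content/uploads must stay writable by that user or media uploads will fail. The script deliberately only reports weak keys rather than generating them, since the values belong in wp-config.php by hand.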
Post Install Setup
• Create a new admin user with a strong password
• Change the original admin's password and make it a Subscriber. Why not delete it??
• Make your main admin's display name different from the login name
• Change the setting that allows editing by outside applications (remote publishing) only if you want it, and know what you are doing
• Change the "permalink" structure (thank you WP 3.3!)
• Demo Time Again....
As You Build
• Themes and plug-ins: be safe
• Consider the source
• Always be suspicious
• Again, do your research and ask around
• Consider Search Engine Visibility (under Settings / Reading)
• Put up a Coming Soon or Down for Maintenance screen
• Understand your Discussion Settings
Discussion Settings
Discussion Settings, part 2
Security Plugins You Need
Some more plugins that you should have:
• Akismet - anti-spam, comes with the install, you will just need an API key
• Block Bad Queries - blocks code injection through query strings
• Search Meter - shows what your visitors are looking for, but also reveals extraneous search injection attempts
• Secure WordPress - basically a security audit
• AntiVirus or another such scanner
• Limit Login Attempts - helps protect against dictionary attacks
• Demo Time Again!
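Limit Login Attempts works from inside WordPress; the web server's access log sees the same dictionary attack from the outside, including attempts made while the plugin was off, and gives you addresses to block at the server. The script below is an added example written for this page (not one of the plugins listed, and not the presenter's code) that counts POSTs to wp-login.php per client in an Apache/nginx "combined" format log. The log lines inside it are constructed for illustration using documentation IP ranges.

```shell
#!/bin/sh
# Spot dictionary attacks on wp-login.php in a "combined" format access log.
# Added example for this page; not a WordPress plugin.

# Print "count ip" for every client with at least $2 (default 20) POSTs to
# wp-login.php, busiest first. Field layout of a combined log line:
#   $1 ip   $4-$5 [date]   $6 "METHOD   $7 path   $8 HTTP/x"   $9 status
wp_login_bruteforce() {
  awk -v t="${2:-20}" '
    $6 == "\"POST" && $7 ~ /\/wp-login\.php/ { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' "$1" | sort -rn
}

# Same result rendered as Apache 2.2 .htaccess lines ("Deny from a.b.c.d").
wp_deny_rules() {
  wp_login_bruteforce "$1" "${2:-20}" | awk '{ print "Deny from " $2 }'
}

# Constructed sample log (documentation address ranges, not real traffic):
# 203.0.113.7 hammers the login form, 198.51.100.22 is a real user who
# mistyped the password once, 192.0.2.9 just reads the blog.
wp_sample_log() {
  cat <<'EOF'
203.0.113.7 - - [12/Apr/2013:02:10:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3831 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:02:10:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3831 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:02:10:02 +0000] "GET / HTTP/1.1" 200 18220 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:02:10:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3831 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:02:10:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2970 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:02:10:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3831 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:02:10:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3831 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:02:10:12 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3831 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Apr/2013:02:10:14 +0000] "GET /feed/ HTTP/1.1" 200 9012 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:02:10:19 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [12/Apr/2013:02:10:20 +0000] "POST /wp-login.php HTTP/1.1" 200 3831 "-" "Mozilla/5.0"
198.51.100.22 - - [12/Apr/2013:02:10:20 +0000] "GET /wp-admin/ HTTP/1.1" 200 44120 "-" "Mozilla/5.0"
EOF
}
# Try it:  wp_sample_log > /tmp/access.log; wp_login_bruteforce /tmp/access.log 5
```

A legitimate user also POSTs to wp-login.php, so the threshold matters more than the query: ten minutes of one address posting every second is an attack, two posts followed by a 302 is someone who mistyped once. On Apache 2.4 the block lines are `Require not ip a.b.c.d` inside a `RequireAll` block rather than `Deny from`.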
Simple Backup for WP
• Your content is your responsibility, not your host's
• Create a Gmail account, or use your current one with a custom address such as "[email protected]"
• Make a filter that automatically files away all email coming in to that address
• Database - WP-DB-Backup
• Images & Themes - WordPress Backup
• It doesn't hurt to occasionally back up manually too
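For the occasional manual backup, here is an added example written for this page (not the presenter's script and not the code of the WP-DB-Backup or WordPress Backup plugins). It reads the database credentials out of wp-config.php, writes them to a mode-600 option file so the password never appears on a command line where `ps` could show it, dumps the database with mysqldump, and tars uploads and themes. It assumes shell access on the host, mysqldump on the PATH, and a DB_HOST of the `host` or `host:port` form.

```shell
#!/bin/sh
# Manual WordPress backup: database dump plus wp-content/uploads and themes.
# Added example for this page, not the presenter's or any plugin's code.
# Usage: wp_backup /path/to/wordpress /path/to/backups

# Pull the value of define('NAME', 'value') from wp-config.php. Accepts single
# or double quotes and stray spaces; values containing a quote are not handled.
wp_config_value() {
  sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1" | head -n 1
}

# Write a MySQL option file holding the credentials, created with mode 600.
# Passing --password on the command line would expose it to every user on a
# shared host via "ps"; an option file does not. (Values are quoted so that
# '#' in a password is not read as a comment; a backslash must be doubled.)
wp_db_defaults_file() {
  cfg="$1/wp-config.php"; out="$2"
  host=$(wp_config_value "$cfg" DB_HOST)
  (
    umask 077
    {
      echo "[client]"
      echo "user=\"$(wp_config_value "$cfg" DB_USER)\""
      echo "password=\"$(wp_config_value "$cfg" DB_PASSWORD)\""
      echo "host=\"${host%%:*}\""     # drop a ":3306"-style port suffix
    } > "$out"
  )
}

# Dump the database to $2 (gzip-compressed). --defaults-extra-file must be the
# first option; --single-transaction gives a consistent InnoDB snapshot.
wp_backup_db() {
  root="$1"; out="$2"; cnf="$out.cnf"
  wp_db_defaults_file "$root" "$cnf"
  db=$(wp_config_value "$root/wp-config.php" DB_NAME)
  mysqldump --defaults-extra-file="$cnf" --single-transaction "$db" > "$out" \
    && gzip -f "$out"
  status=$?
  rm -f "$cnf"                      # never leave the password behind
  return $status
}

# Archive uploads and themes, then list the archive back: an archive that was
# never read is not a backup.
wp_backup_files() {
  root="$1"; out="$2"
  tar -czf "$out" -C "$root" wp-content/uploads wp-content/themes
  tar -tzf "$out" > /dev/null
  echo "$out"
}

wp_backup() {
  root="$1"; dest="$2"; stamp=$(date +%Y%m%d-%H%M%S)
  mkdir -p "$dest"
  wp_backup_db "$root" "$dest/db-$stamp.sql"
  wp_backup_files "$root" "$dest/wp-content-$stamp.tar.gz"
}
```

Copy the two files off the host afterwards (the mail-to-yourself trick above, or any other location the host's failure cannot take with it); a backup that lives only on the server it protects shares the server's fate.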
Stay Up-To-Date
• WordPress 3.5.1 is out, 3.6 coming soon!
• You will need to update your base software, unless your host does it for you or you are on WordPress.com
• You will also need to update both your plug-ins and themes
• Test your plug-ins so you can roll back if they don't work
• Be careful of what theme updates will do to any customizations you have made
• As always, back up first
Michael Carnell
http://www.MichaelCarnell.com
@carnellm on Twitter
Slides available on http://slideshare.net/carnellm
and further info available on...
Sophisticated Secure Websites
http://www.DesignTechWeb.com
Q & A