Calgary WordPress Meetup - May 10, 2016
#YYCWPMUG - ANNOUNCEMENTS
• Our Building’s New Security Policy
• Summer Sessions TBD
WORDCAMP 2016
Fort Calgary • May 28-29
Speakers and sessions being announced on https://2016.calgary.wordcamp.org/
THIS TALK IS NOT FOR DEVELOPERS.
Chris Wiegman
Securing Your Code – WordPress Security for Developers
May 7, 2015 at LoopConf
Las Vegas, NV
https://youtu.be/nuWR_HiBHYc
BEST PRACTICES IN LOGIN SECURITY
Never use “admin” as a username, and enforce strong passwords for your users.
Never publish pages or posts using accounts with Administrator-level permission.
Limit login attempts and change /wp-admin/ to something else.
Disable the Dashboard file editor in wp-config.php:
define('DISALLOW_FILE_EDIT', true);
Path                     Permissions
.htaccess                404 / 604
index.php                400 / 600
wp-config.php            400 / 600
wp-blog-header.php       400 / 600
/wp-admin/               705
/wp-content/             705
/wp-content/plugins      705
/wp-content/themes       705
/wp-content/uploads      705
/wp-content/upgrade      755
Shared hosting providers won’t allow you to change Owner permissions.
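An added example, not from the deck: a POSIX shell audit that compares an install's actual modes with the values in the table above. It assumes GNU stat (-c) or BSD stat (-f), and accepts either listed value for the four files.

```shell
#!/bin/sh
# Added example (not from the deck): audit a WordPress install's file and
# directory modes against the permissions table above.
# Assumes GNU stat (-c) or BSD stat (-f); wp_mode handles both.

# Octal mode of a path, e.g. 600 or 705.
wp_mode() {
  stat -c '%a' "$1" 2>/dev/null || stat -f '%OLp' "$1"
}

# Compare one path with a space-separated list of acceptable modes.
# Prints OK, FIX or MISSING for the path; non-zero return on a problem.
wp_check_path() {
  path="$1/$2"
  [ -e "$path" ] || { printf 'MISSING %s\n' "$2"; return 2; }
  mode=$(wp_mode "$path")
  for want in $3; do
    if [ "$mode" = "$want" ]; then
      printf 'OK %s %s\n' "$2" "$mode"
      return 0
    fi
  done
  printf 'FIX %s %s (expected %s)\n' "$2" "$mode" "$3"
  return 1
}

# Walk the table from the slide; for the files, both listed values are
# accepted. Returns the number of paths that are missing or need a chmod.
wp_audit() {
  bad=0
  while read -r rel allowed; do
    wp_check_path "$1" "$rel" "$allowed" || bad=$((bad + 1))
  done <<'EOF'
.htaccess 404 604
index.php 400 600
wp-config.php 400 600
wp-blog-header.php 400 600
wp-admin 705
wp-content 705
wp-content/plugins 705
wp-content/themes 705
wp-content/uploads 705
wp-content/upgrade 755
EOF
  return $bad
}

# Usage: wp_audit /var/www/html
```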
WHAT IS .HTACCESS?
“.htaccess files (or “distributed configuration files”) provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.”
FILES ARE HIDDEN BY DEFAULT
WHAT ELSE CAN YOU DO WITH .HTACCESS?
Define Error Pages – 400, 401, 403, 404, 500
Define caching-specific rules
Restrict users based on IP address
Force browser to use a different index file
Add 301 redirect rules
More info: Tuts+ Article
USING SHARED HOSTING?
Add & customize this code to .htaccess
suPHP_ConfigPath /home/username/
Then upload your customized php.ini file to this directory & set file permissions to 600.
CHECK YOUR SETTINGS IN PHP.INI
PHP Safe Mode: Off
PHP Allow URL fopen: Off
PHP Allow URL Include: Off
PHP Display Errors: Off
PHP Display Startup Errors: Off
PHP Expose PHP: Off
PHP Register Globals: Off
PHP MySQL Allow Persistent Connections: Off
PHP Output Buffering: Off
PHP Max Script Execution Time: 60 Seconds
PHP Magic Quotes GPC: Off
PHP XML Support: Yes
PHP IPTC Support: Yes
PHP Exif Support: No
Other Fun Stuff
memory_limit = 128M
upload_max_filesize = 50M
DENY ACCESS TO SETTINGS FILES
<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
  # Apache 2.2 access-control syntax; on Apache 2.4 use "Require all denied" instead
  Order Allow,Deny
  Deny from all
  #Allow from 192.168.0.1
</FilesMatch>