WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp
Transcript of WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp
Nathan Driver
WordPress Security
Who Am I
Media – Marketing – Geek
@natedriver
linkedin.com/in/ndriver
nathandriver.com
WP Security: 3 Sections
…and everything in between
• Basic Settings
• Plugins
• Advanced Settings
Basic Settings: Noob
Starting with the basics
• Change the table prefix: it is NOT that difficult.
• Stop using ADMIN: do not make it easy for hackers to ‘guess’ your username.
WP Security: Basic Settings
DON’T MAKE IT EASY
WP Security: Basic Settings
A strong password:
• has at least 15 characters;
• has uppercase letters;
• has lowercase letters;
• has numbers;
• has symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > . ? /
• is not like your previous passwords;
• is not your name;
• is not your login;
• is not your friend’s name;
• is not your family member’s name;
• is not a dictionary word;
• is not a common name;
• is not a keyboard pattern, such as qwerty, asdfghjkl, or 12345678.
WP Security: Basic Settings
UPDATE – UPDATE – UPDATE
You see it – do something about it!
Plugins: Help Yourself
They’re there to help make your life easier
WP Security: Plugins
BACKUP – BACKUP – BACKUP
VaultPress http://vaultpress.com
Brute Force
WP Security: Plugins
Limit Login Attempts: http://wordpress.org/extend/plugins/limit-login-attempts/
WP Security: Plugins
WP Security Scan:
1. Passwords
2. File permissions
3. Database security
4. Version hiding
5. WordPress admin protection/security
6. Removes the WP Generator META tag from core code
WP Security: Plugins
Better WP Security
• Remove the meta “Generator” tag
• Change the URLs for the WordPress dashboard, including login, admin, and more
• Completely turn off the ability to log in for a given time period (away mode)
• Remove theme, plugin, and core update notifications from users who do not have permission to update them
• Remove Windows Live Writer header information
• Remove RSD header information
• Rename the “admin” account
• Change the ID on the user with ID 1
• Change the WordPress database table prefix
• Change the wp-content path
• Remove login error messages
• Display a random version number to non-administrative users anywhere the version is used
Advanced: Watch Yourself
Behind the scenes
phpMyAdmin -> Database -> …users
WP Security: Advanced Settings
Alternative steps:
• Create a new user
• Give them admin rights
• Log out
• Log in under the new user
• Delete the “admin” account
WP Security: Advanced Settings
Folder Permissions
• All directories should be 755 or 750.
• All files should be 644 or 640. Exception: wp-config.php should be 600 to prevent other users on the server from reading it.
• No directories should ever be given 777, not even upload directories. Since the PHP process runs as the owner of the files, it gets the owner’s permissions and can write to even a 755 directory.
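An added example, not from the slides: a small POSIX sh script that audits a WordPress tree against the permission rules above and repairs it with the slide’s defaults. It assumes GNU find (for -printf) and chmod are available; the function names wp_perm_audit, wp_perm_count and wp_perm_fix are chosen here.

```shell
#!/bin/sh
# Audit and repair a WordPress install directory against the rules above:
# directories 755 or 750, files 644 or 640, wp-config.php exactly 600,
# and therefore nothing world-writable (777). Assumes GNU find for -printf.

# Print one line per path that breaks a rule; prints nothing when compliant.
wp_perm_audit() {
  root="$1"
  # Directories: anything other than 755/750 (this also flags 777 upload dirs).
  find "$root" -type d ! -perm 755 ! -perm 750 -printf 'DIR  %m %p\n'
  # Regular files: anything other than 644/640; wp-config.php is checked below.
  find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 \
       -printf 'FILE %m %p\n'
  # wp-config.php holds the database credentials, so it must be exactly 600.
  find "$root" -type f -name wp-config.php ! -perm 600 -printf 'CONF %m %p\n'
}

# Number of violations under the given root (0 means the tree is compliant).
wp_perm_count() {
  n=$(wp_perm_audit "$1" | wc -l)
  echo $((n))
}

# Apply the slide's defaults: 755 for directories, 644 for files, 600 for wp-config.php.
wp_perm_fix() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f ! -name wp-config.php -exec chmod 644 {} +
  find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# Usage (hypothetical path): wp_perm_audit /var/www/html; wp_perm_fix /var/www/html
```

Run the audit first and read the output before applying the fix, since a hosting setup that runs PHP as a different user than the file owner may rely on 750/640 instead of the defaults.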
WP Security: Advanced Settings
Get rid of WordPress version
Fix by placing either one in your theme’s functions.php:
• remove_action('wp_head', 'wp_generator');
• function remove_wp_version() { return ''; }
  add_filter('the_generator', 'remove_wp_version');
(The second option only takes effect once the function is hooked to the the_generator filter; on its own it does nothing.)
The version number can be found in:
• header.php {header meta}
• readme.html file
Nathan Driver Media – Marketing – Geek
@natedriver www.nathandriver.com
WordPress Security: Get It or Lose It