WordPress Security is like a HHAM Sandwich


Description

An overview of WordPress security targeted at beginning and intermediate users. Some light coding required. Talks about hosting, hardening, access and maintenance, the four areas to consider to keep a WordPress site protected from hackers.

Transcript of WordPress Security is like a HHAM Sandwich

Page 1: WordPress Security is like a HHAM Sandwich

WORDPRESS SECURITY IS LIKE A HHAM SANDWICH

Page 2: WordPress Security is like a HHAM Sandwich

JAMES HIPKIN

Involved in advertising and marketing for many years

Started in traditional advertising

Moved over to direct marketing

Been involved with digital for over ten years

Currently an owner and the Managing Director at Red8 Interactive

Page 3: WordPress Security is like a HHAM Sandwich

More than 20% of websites are using WordPress

This makes WordPress a target for hackers

NOT IF, BUT WHEN

Without protection, it’s not a question of if, but when

Page 4: WordPress Security is like a HHAM Sandwich

SO HOW CAN YOU BE PROTECTED?

Page 5: WordPress Security is like a HHAM Sandwich

THINK HHAM SANDWICH

Hosting

Hardening

Access

Maintenance

Page 6: WordPress Security is like a HHAM Sandwich

SOME CONTEXT

You don’t need to follow every recommendation presented here to be secure—there isn’t a silver bullet, but do something

Page 7: WordPress Security is like a HHAM Sandwich

SOME CONTEXT

No site is immune to hacking. No matter what you do, a dedicated individual with the right skills can gain access to virtually any site

Page 8: WordPress Security is like a HHAM Sandwich

SOME CONTEXT

“…but my site doesn’t get much traffic.”

Page 9: WordPress Security is like a HHAM Sandwich

HOSTING

Page 10: WordPress Security is like a HHAM Sandwich

The trouble with sharing

- Because shared servers must support many applications, server software is often out of date. Hackers can then exploit security holes in old software, holes that updates have already plugged but that have yet to be applied on the server

- Shared hosts are concerned about security, but their solutions are generic; they aren’t designed specifically for WordPress

HOSTING

Page 11: WordPress Security is like a HHAM Sandwich

MANAGED WP HOSTS

It’s all about commitment—since the server is only supporting one application, WordPress:

- Server software is kept up-to-date

- Security precautions are specific

- WordPress updates are automatic

- Backups and security scans are automatic

- Quality control over plugins—known vectors and server thrashers aren’t allowed

Page 12: WordPress Security is like a HHAM Sandwich

MANAGED WP HOSTS

But wait, there’s more… managed WP hosts also perform better, because they’re optimized for WordPress’ specific requirements

Page 13: WordPress Security is like a HHAM Sandwich

MANAGED WP HOSTS

We use WP Engine

Others you can consider:

- Pagely

- Pressable

- Synthesis

Page 14: WordPress Security is like a HHAM Sandwich

HARDENING

Page 15: WordPress Security is like a HHAM Sandwich

HARDENING

Make it hard for the hackers’ bots and they will move on

Recommendations can be added individually, which may require a developer

Many are included as options in the iThemes Security plugin

Page 16: WordPress Security is like a HHAM Sandwich

HARDENING

Shut down the theme and plugin Editor

- Disallow the theme and plugin editor by adding the following to wp-config.php:

  define( 'DISALLOW_FILE_EDIT', true );

Page 17: WordPress Security is like a HHAM Sandwich

HARDENING

Set permissions on your wp-content and themes directories to 755

Set permissions on files to 644

Page 18: WordPress Security is like a HHAM Sandwich

HARDENING

Hackers will try to add a .php file in the wp-includes and/or wp-content/uploads/ folders. To disable PHP execution in these directories:

- Create a file in a text editor, call it .htaccess and add the following code (Apache 2.2 syntax; Apache 2.4 still honours it through mod_access_compat, or use “Require all denied” instead):

  <Files *.php>
  deny from all
  </Files>

- Use FTP to place this file in both folders

Page 19: WordPress Security is like a HHAM Sandwich

HARDENING

Change the database prefix

- In the wp-config.php file change the table prefix ($table_prefix) from “wp_” to “wp_randomlettersandnumbers_”

- Or “randomlettersandnumbers_”

- This is best accomplished during the initial install of WordPress

- Or use iThemes Security or the Change DB Prefix plugin on an older site
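The hardening items on pages 16 to 19 are easy to check from a shell. The script below is an added example, not part of the slides or of any plugin; it audits a WordPress install directory for the editor lock-down, the default table prefix, the 755/644 permissions and the PHP-blocking .htaccess files, and assumes GNU stat and find (Linux).

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress install for the
# hardening items on pages 16-19. Assumes GNU stat/find (Linux).
# Usage: wp_hardening_audit /path/to/wordpress
# Prints one line per finding; the return code is the number of findings.
wp_hardening_audit() {
  root="$1"; cfg="$root/wp-config.php"; n=0
  # Page 16: theme/plugin editor must be disabled in wp-config.php
  if ! grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg" 2>/dev/null; then
    echo "MISSING: DISALLOW_FILE_EDIT is not set to true in wp-config.php"; n=$((n+1))
  fi
  # Page 19: the default 'wp_' table prefix should have been changed
  if grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*'wp_'" "$cfg" 2>/dev/null; then
    echo "WEAK: table prefix is still the default 'wp_'"; n=$((n+1))
  fi
  # Page 17: directories 755, files 644
  for d in "$root/wp-content" "$root/wp-content/themes"; do
    [ -d "$d" ] || continue
    mode=$(stat -c '%a' "$d")
    if [ "$mode" != "755" ]; then echo "PERMS: $d is $mode, expected 755"; n=$((n+1)); fi
  done
  bad=$(find "$root/wp-content" -type f ! -perm 644 2>/dev/null | wc -l | tr -d ' ')
  if [ "$bad" -gt 0 ]; then echo "PERMS: $bad file(s) under wp-content are not 644"; n=$((n+1)); fi
  # Page 18: PHP execution must be blocked in wp-includes and wp-content/uploads
  for d in "$root/wp-includes" "$root/wp-content/uploads"; do
    if ! grep -Eiq "deny from all|Require all denied" "$d/.htaccess" 2>/dev/null; then
      echo "MISSING: no .htaccess blocking PHP execution in $d"; n=$((n+1))
    fi
  done
  return $n
}
```

Run it against the web root after applying the slides’ recommendations; a return code of 0 means none of the four checks flagged anything.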

Page 20: WordPress Security is like a HHAM Sandwich

HARDENING

Use the Disable Comments plugin to turn off post comments if they aren’t required, which closes several attack vectors

Or use a third party like Disqus to manage comments so they are kept off the server

Page 21: WordPress Security is like a HHAM Sandwich

HARDENING

Install iThemes Security for one-stop-shop security (some setup required)

Page 22: WordPress Security is like a HHAM Sandwich

HARDENING

Install the BruteProtect plugin to block brute force attacks

Limit Login Attempts is another choice, but it’s best in combination with other measures

Page 23: WordPress Security is like a HHAM Sandwich

ACCESS

Page 24: WordPress Security is like a HHAM Sandwich

ACCESS

You need ten Admins? Really?

- Use the User Role Editor plugin to create a custom user role, Manager or Web Master, with the same capabilities as an Admin but without the ability to add or delete plugins and themes, two common vectors for hackers

Page 25: WordPress Security is like a HHAM Sandwich

ACCESS

U/P: admin/password123? Really?

- Delete the admin user if it exists

- Use the Enforce Strong Passwords plugin to, well, enforce strong passwords

Page 26: WordPress Security is like a HHAM Sandwich

ACCESS

Consider two-factor authentication using the Google Authenticator plugin

Rublon is another excellent two-factor authentication plugin

Page 27: WordPress Security is like a HHAM Sandwich

ACCESS

Login Security Solution is another good choice

Or install Clef, which replaces passwords with simple, encrypted authentication using your smart phone

Page 28: WordPress Security is like a HHAM Sandwich

ACCESS

Force administration over SSL—this is important if the dashboard will be accessed by multiple users over public WiFi networks

- Install an SSL certificate and add the following to the wp-config.php file. The define() lines must come before the require_once of wp-settings.php that is already at the bottom of wp-config.php, otherwise WordPress has finished loading before it sees them:

  define('FORCE_SSL_LOGIN', true);
  define('FORCE_SSL_ADMIN', true);
  require_once(ABSPATH . 'wp-settings.php');

Page 29: WordPress Security is like a HHAM Sandwich

ACCESS

Consider adding a firewall to the site

- Among other benefits, CloudFlare and Sucuri will block malicious attacks before they reach your server

- While not a 100% solution, a firewall can block access to software vulnerabilities until they are fixed via updates

Page 30: WordPress Security is like a HHAM Sandwich

ACCESS

Secure your WiFi

“Over three hours, he revealed 23 Wi-Fi hotspots, more than a third of which were open to snoops or used crackable WEP instead of the more modern WPA encryption.”

Coco, modeling the WarKitteh collar. Photo credit: Gene Bransfield

Page 32: WordPress Security is like a HHAM Sandwich

MAINTENANCE

Page 33: WordPress Security is like a HHAM Sandwich

MAINTENANCE

Seriously, keep all WordPress software up to date

Keep WordPress and plugins up to date

Page 34: WordPress Security is like a HHAM Sandwich

MAINTENANCE

Delete all unused plugins and themes—this is very important, old plugins and themes are a common vector for hackers

Page 36: WordPress Security is like a HHAM Sandwich

MAINTENANCE

Scan the site periodically (nightly?) using a service like Sucuri

Page 37: WordPress Security is like a HHAM Sandwich

MAINTENANCE

Seriously, keep WordPress, themes and plugins up to date

And back the site up frequently to a remote location

Page 38: WordPress Security is like a HHAM Sandwich

THIS?

Page 39: WordPress Security is like a HHAM Sandwich

Do these things and the chances you will be hacked are greatly reduced

OR THIS…

FOLLOW THESE RECOMMENDATIONS AND THE CHANCES OF GETTING HACKED WILL BE GREATLY REDUCED

Page 40: WordPress Security is like a HHAM Sandwich

THANK YOU!

Red8 Interactive, San Francisco, CA / St. Louis, MO. James Hipkin, [email protected], 415.789.3685

The slides are available on SlideShare: http://www.slideshare.net/Red8Interactive/hham-for-wp-security