WORDPRESS SECURITY IS LIKE A HHAM SANDWICH
JAMES HIPKIN
Involved in advertising and marketing for many years
Started in traditional advertising
Moved over to direct marketing
Been involved with digital for over ten years
Currently an owner and the Managing Director at Red8 Interactive
More than 20% of websites are using WordPress
This makes WordPress a target for hackers
NOT IF, BUT WHEN
Without protection, it’s not a question of if, but when
SO HOW CAN YOU BE PROTECTED?
THINK HHAM SANDWICH
Hosting
Hardening
Access
Maintenance
SOME CONTEXT
You don’t need to follow every recommendation presented here to be secure—there isn’t a silver bullet, but do something
SOME CONTEXT
No site is immune to hacking. No matter what you do, a dedicated individual with the right skills can gain access to virtually any site
SOME CONTEXT
“…but my site doesn’t get much traffic.”
HOSTING
The trouble with sharing
- Because shared servers must support many applications, server software is often out of date, which means hackers can exploit security holes in old software that were already plugged by updates the host has not yet applied
- Shared hosts are concerned about security, but their solutions are generic, they aren’t designed specifically for WordPress
HOSTING
MANAGED WP HOSTS
It’s all about commitment—since the server is only supporting one application, WordPress:
- Server software is kept up-to-date
- Security precautions are specific
- WordPress updates are automatic
- Backups and security scans are automatic
- Quality control over plugins—known vectors and server thrashers aren’t allowed
MANAGED WP HOSTS
But wait, there’s more…managed WP hosts also perform better, because they’re optimized to support WordPress’ specific requirements
MANAGED WP HOSTS
We use WP Engine
Others you can consider:
- Pagely
- Pressable
- Synthesis
HARDENING
HARDENING
Make it hard for the hackers’ bots and they will move on
Recommendations can be added individually, which may require a developer
Many are included as options in the iThemes Security plugin
HARDENING
Shut down the theme and plugin Editor
- Disallow the theme and plugin editor by adding the following to wp-config.php: define( 'DISALLOW_FILE_EDIT', true );
HARDENING
Set permissions on your wp-content and themes directories to 755
Set permissions on files to 644
HARDENING
Hackers will try to add a .php file via the wp-includes and/or wp-content/uploads/ folders. To disable PHP execution in these directories:
- Create a file in a text editor, call it .htaccess and add the following code:
  <Files *.php>
  deny from all
  </Files>
- Use FTP to place this file in the folders
HARDENING
Change the database prefix
- In the wp-config.php file change the database table prefix from “wp_” to “wp_randomlettersandnumbers_”
- Or “randomlettersandnumbers_”
- This is best accomplished during the initial install of WordPress
- Or use iThemes Security or the Change DB Prefix plugin on an older site
HARDENING
Use the Disable Comments plugin to turn off post comments if they aren’t required, which closes several attack vectors
Use a third party like Disqus to manage comments so they are off the server
HARDENING
Install iThemes Security for one-stop shop security (some setup required)
HARDENING
Install the BruteProtect plugin to block brute force attacks
Limit Login Attempts is another choice, but it’s best in combination with other measures
ACCESS
ACCESS
You need ten Admins? Really?
• Use the User Role Editor plugin to create a custom user role, Manager or Web Master, with the same capabilities as an Admin but without the ability to add or delete plugins and themes, two common vectors for hackers
ACCESS
U/P: admin/password123? Really?
- Delete the admin user if it exists
- Use the Enforce Strong Passwords plugin to, well, enforce strong passwords
ACCESS
Consider two-factor authentication using the Google Authenticator plugin
Or Rublon is an excellent plugin for two-factor authentication
ACCESS
Login Security Solution is another good choice
Or install CLEF, which replaces passwords with a simple, encrypted authentication using your smart phone
ACCESS
Force administration over SSL—this is important if the dashboard will be accessed by multiple users over public WiFi networks
- Install an SSL certificate and add the following to the wp-config.php file, above the require_once line that loads wp-settings.php (a define placed after that line has no effect):
  define('FORCE_SSL_LOGIN', true);
  define('FORCE_SSL_ADMIN', true);
  require_once(ABSPATH . 'wp-settings.php');
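A quick audit of the hardening items above (editor disabled, admin forced over SSL, non-default table prefix, PHP execution blocked in wp-content/uploads and wp-includes, 755/644 permissions under wp-content), written here as an added example; it is not code from the deck or from any of the plugins named, and it assumes a standard WordPress directory layout under the path it is given.

```shell
#!/bin/sh
# Audit a WordPress install directory against the hardening checklist.
# Prints one "FAIL: ..." line per missing control; prints nothing when all pass.
wp_hardening_findings() {
    root="$1"
    cfg="$root/wp-config.php"
    if [ ! -f "$cfg" ]; then
        echo "FAIL: $cfg not found"
        return 0
    fi
    # Theme/plugin editor must be switched off in wp-config.php
    grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$cfg" \
        || echo "FAIL: DISALLOW_FILE_EDIT is not set to true"
    # Dashboard should be forced over SSL
    grep -Eq "define\( *'FORCE_SSL_ADMIN' *, *true *\)" "$cfg" \
        || echo "FAIL: FORCE_SSL_ADMIN is not set to true"
    # The default prefix makes every table name guessable
    grep -Eq "^\\\$table_prefix *= *'wp_' *;" "$cfg" \
        && echo "FAIL: database table prefix is still the default wp_"
    # PHP execution should be blocked where uploads and includes live
    for d in wp-content/uploads wp-includes; do
        grep -qi "deny from all" "$root/$d/.htaccess" 2>/dev/null \
            || echo "FAIL: no 'deny from all' .htaccess in $d"
    done
    # Directories 755 and files 644 under wp-content
    n=$(find "$root/wp-content" -type d ! -perm 755 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || echo "FAIL: $n directories under wp-content are not 755"
    n=$(find "$root/wp-content" -type f ! -perm 644 2>/dev/null | wc -l | tr -d ' ')
    [ "$n" -eq 0 ] || echo "FAIL: $n files under wp-content are not 644"
    return 0
}
```

Run it as `wp_hardening_findings /path/to/wordpress` after sourcing the file; an empty result means every check passed.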
ACCESS
Consider adding a firewall to the site
- Among other benefits, CloudFlare and Sucuri will block malicious attacks before they reach your server
- While not a 100% solution—a firewall can block access to software vulnerabilities before they can be fixed via updates
ACCESS
Secure your WiFi
“Over three hours, he revealed 23 Wi-Fi hotspots, more than a third of which were open to snoops or used crackable WEP instead of the more modern WPA encryption.”
Coco, modeling the WarKitteh collar. Photo credit: Gene Bransfield
ACCESS
For a less industrial-strength but still effective solution, consider Cloak, a personal VPN service for Apple devices
MAINTENANCE
MAINTENANCE
Seriously, keep all WordPress software up to date
Keep WordPress and plugins up to date
MAINTENANCE
Delete all unused plugins and themes—this is very important, old plugins and themes are a common vector for hackers
MAINTENANCE
If it’s not provided by the host, install a backup plugin
- BackupBuddy and VaultPress are good choices
- Store backups in a remote location
MAINTENANCE
Seriously, keep WordPress, themes and plugins up to date
And back the site up frequently to a remote location
THIS?
Do these things and the chances you will be hacked are greatly reduced
OR THIS…
FOLLOW THESE RECOMMENDATIONS AND THE CHANCES OF GETTING HACKED WILL BE GREATLY REDUCED
THANK YOU!
Red8 Interactive, San Francisco, CA / St. Louis, MO
James Hipkin [email protected] 415.789.3685
The slides are available on SlideShare: http://www.slideshare.net/Red8Interactive/hham-for-wp-security