WordPress Security Basics East Bay WordPress Meetup 6/20/10 Sallie Goetsch
Wait! Isn’t WordPress Secure?
Secure Host
Dedicated server, VPS, or reliable shared hosting (NOT Network Solutions).
"A properly configured web server will not allow users to access the files of another user, regardless of file permissions. The web server is the responsibility of the hosting provider. The methods for doing this (suexec, et al) have been around for 5+ years." (Matt Mullenweg)
In practice: ask your host whether PHP runs as your own account (suexec, suPHP or the like). If it does not, no chmod setting can keep the other customers on the box out of your wp-config.php.
Basics
Back up!
Update WordPress.
Update plugins.
Check Your File Permissions
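An added example for this slide (it is not code from the presentation): a small POSIX shell audit that walks a WordPress tree and reports anything looser than the usual baseline of 755 for directories and 644 for files, plus a wp-config.php that other accounts on the host can read. The baseline and the sample tree it builds are assumptions for the demo; point wp_perm_audit at a real install to use it.

```shell
#!/bin/sh
# Added example for the "Check Your File Permissions" slide; not code from the
# presentation. Assumes the common WordPress baseline of 755 for directories,
# 644 for files, and a wp-config.php unreadable by other users, and builds a
# constructed tree to audit instead of touching a live site.

# Print one line per path that is looser than the baseline: "<path> <reason>".
wp_perm_audit() {
    root="$1"
    # Group- or world-writable paths can be rewritten by another account on a
    # host without per-user isolation (the point of the Mullenweg quote above).
    find "$root" \( -type d -o -type f \) \( -perm -0020 -o -perm -0002 \) \
        -exec printf '%s group/world-writable\n' {} \;
    # wp-config.php carries the database password and the unique keys, so
    # nobody but the owner (and the web server user, if different) should read it.
    if [ -f "$root/wp-config.php" ]; then
        find "$root/wp-config.php" \( -perm -0040 -o -perm -0004 \) \
            -exec printf '%s wp-config.php readable by other users\n' {} \;
    fi
}

# Constructed sample tree (not a real install): two good paths, three bad ones.
make_sample_tree() {
    root="$1"
    mkdir -p "$root/wp-admin" "$root/wp-content/uploads"
    printf '<?php\n' > "$root/index.php"
    printf '<?php\n' > "$root/wp-config.php"
    printf '<?php\n' > "$root/wp-content/uploads/shell.php"
    chmod 755 "$root/wp-admin"
    chmod 644 "$root/index.php"
    chmod 644 "$root/wp-config.php"                 # readable by everyone: too open
    chmod 777 "$root/wp-content/uploads"            # world-writable directory
    chmod 666 "$root/wp-content/uploads/shell.php"  # world-writable file
}

# Stand-alone demo: build the sample tree, audit it, clean up.
demo=$(mktemp -d)
make_sample_tree "$demo"
wp_perm_audit "$demo"
rm -rf "$demo"
```

Expect wp-content/uploads to show up on real sites: the upload directory must be writable by whatever user PHP runs as. If that is your own account (suexec), 755 is enough; if it is a shared web server user and you had to go to 777, you are in exactly the situation the hosting slide warns about.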
Move wp-config.php up one directory
WordPress looks in the parent of the install directory automatically, so wherever you can, move wp-config.php out of public_html (or the analogous web root), where a misconfigured server could serve it as plain text.
Don't do this with nested WP installs (the directory above a nested install is another site's WordPress root).
wp-config.php: Unique Keys
Replace the placeholder values of AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY, and the four matching _SALT constants, with long random strings of your own. They feed the hashes that protect login cookies and nonces, so leaving the sample-file placeholders in place makes those far easier to forge.
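An added example for this slide, not code from the presentation: a shell script that counts how many of the eight constants are still set to the placeholder that ships in wp-config-sample.php ("put your unique phrase here"), generates fresh 64-character values, and swaps them into the file ahead of the line that loads wp-settings.php. The sample wp-config.php it writes is constructed for the demo; WordPress also offers an online generator at https://api.wordpress.org/secret-key/1.1/salt/ if you prefer to paste.

```shell
#!/bin/sh
# Added example for the "Unique Keys" slide; not code from the presentation.
# Assumes the placeholder text WordPress ships in wp-config-sample.php and the
# eight key/salt constant names, and rewrites a constructed sample config
# rather than a live one.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# How many keys are still the sample-file placeholder (0 is what you want).
count_placeholder_keys() {
    grep -c 'put your unique phrase here' "$1" || true
}

# 48 random bytes, base64 encoded: 64 characters, none of which need escaping
# inside a PHP single-quoted string.
gen_key() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Emit the eight define() lines, each with its own fresh value.
gen_salt_defines() {
    for k in $WP_KEYS; do
        printf "define('%s', '%s');\n" "$k" "$(gen_key)"
    done
}

# Replace the keys in a wp-config.php: drop the old defines and insert the new
# ones just before wp-settings.php is loaded (defines after that line are too late).
replace_salts() {
    cfg="$1"
    defs="$cfg.salts"
    gen_salt_defines > "$defs"
    awk -v defs="$defs" '
        /^define\( *.(AUTH_KEY|SECURE_AUTH_KEY|LOGGED_IN_KEY|NONCE_KEY|AUTH_SALT|SECURE_AUTH_SALT|LOGGED_IN_SALT|NONCE_SALT)./ { next }
        /wp-settings\.php/ && !done { while ((getline l < defs) > 0) print l; done = 1 }
        { print }
    ' "$cfg" > "$cfg.new" && mv "$cfg.new" "$cfg"
    rm -f "$defs"
}

# Constructed wp-config.php with the placeholders left in, as a fresh install
# copied straight from wp-config-sample.php would have.
write_sample_config() {
    cat > "$1" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
EOF
}

# Stand-alone demo on the constructed file.
cfg=$(mktemp)
write_sample_config "$cfg"
echo "placeholder keys before: $(count_placeholder_keys "$cfg")"
replace_salts "$cfg"
echo "placeholder keys after:  $(count_placeholder_keys "$cfg")"
cat "$cfg"
rm -f "$cfg"
```

Changing the keys invalidates every existing login cookie, which is also the quickest way to log out all sessions after a suspected compromise.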
Username & Password
Never use "admin" for your administrator account; it is the name every password-guessing script tries first. Use a strong password.
Database Table Prefix
Change wp_ to something-else_ (or just choose something else when you install). This is obscurity only: it defeats canned SQL-injection payloads that hard-code wp_, nothing more, and changing it after installation means renaming every table and fixing the prefixed rows in options and usermeta, not just editing wp-config.php.
Bonus: .htaccess (only practical if you administer from a fixed IP address; with a dynamic address you will lock yourself out)
Place it in the directory you want to restrict; only the whitelisted address can reach it:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
# IP address to whitelist
allow from xxx.xxx.xxx.xxx
The order/deny/allow lines are Apache 2.2 syntax; on Apache 2.4 the same effect comes from a single Require ip directive with your address.