2. How to HackProof Your WordPress Site WordPress Security South FloridaWordPress MeetUp
3.
4.
5. Tonight Link Injections Basic WordPress Security Security Based Plug-ins South FloridaWordPress MeetUp
6. “Hackproof” This is impossible. Seriously… it’s IMPOSSIBLE! Hackers are Lazy. Make yourself a hard target. They will move on to someone else. South FloridaWordPress MeetUp
7. Link Injection Hacker bots look for known exploits (SQL Injection, folder perms, etc). This allows them to insert spam files/links Your WordPress Themes, plugins, and core files are the target South FloridaWordPress MeetUp
8. Link Injection Hosting account contains two separate sites South FloridaWordPress MeetUp WordPress WordPress MU
9. Link Injection Hacker puts a file on WPMU install South FloridaWordPress MeetUp WordPress WordPress MU
10. Link Injection WPMU file hacks WordPress install Installs spam links into files South FloridaWordPress MeetUp WordPress WordPress MU
11. Link Injection WPMU Shows No Spam, Appears Clean Cleaning WP Results in Recurring Injections South FloridaWordPress MeetUp WordPress MU WordPress
13. Link Injection What does this do to your site? Part of a “Link Farm” Loss of Trust and Authority Reduced Page Rank Lost Rankings Showing up for non-relevant terms (Viagra) South FloridaWordPress MeetUp
14. Basic WP Security South FloridaWordPress MeetUp Are you using the default “Admin” account?
16. Basic WP Security DON’T USE “ADMIN” Create a Unique User Account Assign it the Administrator Role Log Out, Log Back in with new Administrator Account Delete Original “Admin” Account South FloridaWordPress MeetUp
17. Basic WP Security Use of “Permissions” Permissions tell the server who is allowed to access a file and what they can do with the file once they access it. Owner, Group, Public Read, Write, Execute South FloridaWordPress MeetUp
18. Basic WP Security Use of “Permissions” Good Rule of Thumb: Files should be set to 644 Folders should be set to 755 Permission levels vary depending on server configuration South FloridaWordPress MeetUp
19. Basic WP Security Move the wp-config.php file WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory South FloridaWordPress MeetUp
20. Basic WP Security Move the wp-config.php file This makes it nearly impossible for anyone to access your wp-config.php South FloridaWordPress MeetUp If WordPress is located here: public_html/wordpress/wp-config.php You can move your wp-config.php file to here public_html/wp-config.php
21. Basic WP Security Move the wp-content Directory WordPress 2.6 added the ability to move the wp-content Directory to the location of your choice If hackers can’t find your wp-content folder, they can’t hack it. South FloridaWordPress MeetUp
22. Basic WP Security South FloridaWordPress MeetUp Move the wp-content Directory 1. Move your wp-content directory 2. Make two additions to wp-config.php define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' ); define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content'); If you have compatibility issues with plugins there are two optional settings define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' ); define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins');
23. Basic WP Security RemoveWordPress Version fromthe Header South FloridaWordPress MeetUp Viewing source on most WP sites will reveal the version they are running <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats --> This helps hackers find vulnerable WP blogs running older versions To remove find the code below in your header.php file of your theme and remove it <meta name="generator" content="WordPress <?phpbloginfo('version'); ?>" /> <!-- leave this for stats please -->
24. Basic WP Security RemoveWordPress Version fromthe Header South FloridaWordPress MeetUp The wp_head function also includes the WP version in your header To remove drop this line of code in your themes functions.php file remove_action('wp_head', 'wp_generator'); Themes and plugins might also display versions in your header.
25. Basic WP Security Use Secure Passwords Use strong passwords to protect your website from dictionary attacks Not just for WordPress, but also FTP, MySQL, etc South FloridaWordPress MeetUp BAD PASSWORD: johnrocks GOOD PASSWORD: S-gnop2D[6@8 WordPress will tell you when you have it right
26. Basic WP Security South FloridaWordPress MeetUp Are you using the same password in multiple places?
28. Basic WP Security Change WordPress Table Prefix Edit wp-config.php before installing WordPress Change the prefix wp_ to something unique South FloridaWordPress MeetUp /** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ $table_prefix = ‘zztop_'; All database tables will now have a unique prefix (iezztop_posts)
29. Basic WP Security Other Advanced Security Techniques Force SSL Login for Administrators Lockdown Admin via .htaccess Use Secret Keys with Passwords South FloridaWordPress MeetUp