This is the presentation I gave to the South Florida WordPress Meetup group on WordPress Security.

2. How to HackProof Your WordPress Site WordPress Security South FloridaWordPress MeetUp

5. Tonight Link Injections Basic WordPress Security Security Based Plug-ins South FloridaWordPress MeetUp

6. “Hackproof” This is impossible. Seriously… it’s IMPOSSIBLE! Hackers are Lazy. Make yourself a hard target. They will move on to someone else. South FloridaWordPress MeetUp

7. Link Injection Hacker bots look for known exploits (SQL Injection, folder perms, etc). This allows them to insert spam files/links Your WordPress Themes, plugins, and core files are the target South FloridaWordPress MeetUp

8. Link Injection Hosting account contains two separate sites South FloridaWordPress MeetUp WordPress WordPress MU

9. Link Injection Hacker puts a file on WPMU install South FloridaWordPress MeetUp WordPress WordPress MU

10. Link Injection WPMU file hacks WordPress install Installs spam links into files South FloridaWordPress MeetUp WordPress WordPress MU

11. Link Injection WPMU Shows No Spam, Appears Clean Cleaning WP Results in Recurring Injections South FloridaWordPress MeetUp WordPress MU WordPress

12. Link Injection South FloridaWordPress MeetUp

13. Link Injection What does this do to your site? Part of a “Link Farm” Loss of Trust and Authority Reduced Page Rank Lost Rankings Showing up for non-relevant terms (Viagra) South FloridaWordPress MeetUp

14. Basic WP Security South FloridaWordPress MeetUp Are you using the default “Admin” account?

15. Basic WP Security South FloridaWordPress MeetUp

16. Basic WP Security DON’T USE “ADMIN” Create a Unique User Account Assign it the Administrator Role Log Out, Log Back in with new Administrator Account Delete Original “Admin” Account South FloridaWordPress MeetUp

17. Basic WP Security Use of “Permissions” Permissions tell the server who is allowed to access a file and what they can do with the file once they access it. Owner, Group, Public Read, Write, Execute South FloridaWordPress MeetUp

18. Basic WP Security Use of “Permissions” Good Rule of Thumb: Files should be set to 644 Folders should be set to 755 Permission levels vary depending on server configuration South FloridaWordPress MeetUp

19. Basic WP Security Move the wp-config.php file WordPress 2.6 added the ability to move the wp-config.php file one directory above your WordPress root WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory South FloridaWordPress MeetUp

20. Basic WP Security Move the wp-config.php file This makes it nearly impossible for anyone to access your wp-config.php South FloridaWordPress MeetUp If WordPress is located here: public_html/wordpress/wp-config.php You can move your wp-config.php file to here public_html/wp-config.php

21. Basic WP Security Move the wp-content Directory WordPress 2.6 added the ability to move the wp-content Directory to the location of your choice If hackers can’t find your wp-content folder, they can’t hack it. South FloridaWordPress MeetUp

22. Basic WP Security South FloridaWordPress MeetUp Move the wp-content Directory 1. Move your wp-content directory 2. Make two additions to wp-config.php define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' ); define( 'WP_CONTENT_URL', 'http://domain.com/blog/wp-content'); If you have compatibility issues with plugins there are two optional settings define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' ); define( 'WP_PLUGIN_URL', 'http://domain.com/blog/wp-content/plugins');

23. Basic WP Security RemoveWordPress Version fromthe Header South FloridaWordPress MeetUp Viewing source on most WP sites will reveal the version they are running <meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats --> This helps hackers find vulnerable WP blogs running older versions To remove find the code below in your header.php file of your theme and remove it <meta name="generator" content="WordPress <?phpbloginfo('version'); ?>" /> <!-- leave this for stats please -->

24. Basic WP Security RemoveWordPress Version fromthe Header South FloridaWordPress MeetUp The wp_head function also includes the WP version in your header To remove drop this line of code in your themes functions.php file remove_action('wp_head', 'wp_generator'); Themes and plugins might also display versions in your header.

25. Basic WP Security Use Secure Passwords Use strong passwords to protect your website from dictionary attacks Not just for WordPress, but also FTP, MySQL, etc South FloridaWordPress MeetUp BAD PASSWORD: johnrocks GOOD PASSWORD: S-gnop2D[6@8 WordPress will tell you when you have it right

26. Basic WP Security South FloridaWordPress MeetUp Are you using the same password in multiple places?

27. Basic WP Security South FloridaWordPress MeetUp

28. Basic WP Security Change WordPress Table Prefix Edit wp-config.php before installing WordPress Change the prefix wp_ to something unique South FloridaWordPress MeetUp /** * WordPress Database Table prefix. * * You can have multiple installations in one database if you give each a unique * prefix. Only numbers, letters, and underscores please! */ $table_prefix = ‘zztop_'; All database tables will now have a unique prefix (iezztop_posts)

29. Basic WP Security Other Advanced Security Techniques Force SSL Login for Administrators Lockdown Admin via .htaccess Use Secret Keys with Passwords South FloridaWordPress MeetUp

30. Basic WP Security Recommended Security Plugins WP Security Scan South FloridaWordPress MeetUp http://wordpress.org/extend/plugins/wp-security-scan/

31. Basic WP Security Recommended Security Plugins WP Exploit Scanner South FloridaWordPress MeetUp http://wordpress.org/extend/plugins/exploit-scanner/

32. Basic WP Security Recommended Security Plugins WP Exploit Scanner South FloridaWordPress MeetUp http://wordpress.org/extend/plugins/exploit-scanner/

33. Basic WP Security Recommended Security Plugins WordPress File Monitor South FloridaWordPress MeetUp http://wordpress.org/extend/plugins/wordpress-file-monitor/

34. Basic WP Security Recommended Security Plugins Login Lockdown South FloridaWordPress MeetUp http://wordpress.org/extend/plugins/login-lockdown/

36. http://codex.wordpress.org/Hardening_WordPress

37. http://codex.wordpress.org/Changing_File_Permissions

38. http://codex.wordpress.org/Editing_wp-config.php

39. http://codex.wordpress.org/htaccess_for_subdirectories

40. Blog Security Articles

41. http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/

42. http://www.growmap.com/wordpress-exploits/

43. http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/

44. http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/

45. http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/

46. http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog

48. http://codex.wordpress.org/Hardening_WordPress

49. http://codex.wordpress.org/Changing_File_Permissions

50. http://codex.wordpress.org/Editing_wp-config.php

51. http://codex.wordpress.org/htaccess_for_subdirectories

52. Blog Security Articles

53. http://www.wpbeginner.com/wp-tutorials/11-vital-tips-and-hacks-to-protect-your-wordpress-admin-area/

54. http://www.growmap.com/wordpress-exploits/

55. http://lorelle.wordpress.com/2009/03/07/firewalling-and-hack-proofing-your-wordpress-blog/

56. http://semlabs.co.uk/journal/how-to-stop-your-wordpress-blog-getting-hacked/

57. http://www.makeuseof.com/tag/18-useful-plugins-and-hacks-to-protect-your-wordpress-blog/

58. http://www.catswhocode.com/blog/10-easy-ways-to-secure-your-wordpress-blog