Talk on Securing WordPress site at WordCamp Nepal 2012. I will be covering Top 10 Myths That We Live By and Building Secure WordPress Sites in Simple 10 Steps. Watch Video at http://wordpress.tv/2013/02/26/sakin-shrestha-building-secure-wordpress-sites/

Published in: Technology
0 Comments
4 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total Views
4,082
On Slideshare
0
From Embeds
0
Number of Embeds
5
Actions
Shares
0
Downloads
11
Comments
0
Likes
4
Embeds 0
No embeds

No notes for slide

Building Secure WordPress Sites

1. Building Secure WordPress Sites
   By Sakin Shrestha
   Blog: http://sakinshrestha.com
   Email: sakin@catchinternet.com
   Twitter: @sakinshrestha

2. Sakin Shrestha
   • Founder of Catch Internet and Catch Themes
   • WordPress Theme Developer
   • Business Consultant
   • Member of WordPress Theme Review Team

3. WordPress
   • Most Popular Open Source Web Application
   • 17% of the Websites in the World
   • 1 in 6 websites

4. Top 10 Myths That We Live By
   Source: http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/

5. The Myths We Live By
   Myth 1: WordPress is not Secure
   Reality:
   • Old versions of WordPress are NOT secure
   • The current WordPress version is secure

6. The Myths We Live By
   Myth 2: Nobody wants to hack my site
   Reality:
   • Most hacking attempts are automated
   • Once your site is on public web hosting, you need to protect it.
   • When using WordPress you need to keep themes and plugins updated

7. The Myths We Live By
   Myth 3: My WordPress site is 100% secured
   Reality:
   • No site that's accessible on the internet will ever be 100% secure.
   • You need to have a good backup available

8. The Myths We Live By
   Myth 4: Updating my themes and plugins whenever I log in is good enough
   Reality:
   • It's not. You need to update ASAP.
   • The TimThumb script exploit was discovered and exploited on a mass number of blogs within DAYS!

9. The Myths We Live By
   Myth 5: I only use themes and plugins from wordpress.org, so I'm safe
   Reality:
   • Plugins and themes are the #1 way hackers gain access to your site
   • Only the current WordPress core is secure
   • WordPress.org is safer, but not a sure bet

10. The Myths We Live By
   Myth 6: If I de-activate a theme or plugin, there is no risk
   Reality:
   • There is risk
   • Because even files of de-activated plugins and themes can be accessed via the Internet

11. The Myths We Live By
   Myth 7: My site is secured by Security Plugins
   Reality:
   • They only add a layer of protection
   • They won't help much if a hacker gains access to your online session & password, or sensitive files
   • They won't help if the hosting server is compromised

12. The Myths We Live By
   Myth 8: If my site is compromised I will quickly find out
   Reality:
   • Many hacks are invisible to visitors and only visible to bots
   • You may not know until your site has been blacklisted by Google
   • Use a site monitoring service or plugin

13. The Myths We Live By
   Myth 9: My password is good enough
   Reality:
   • A normal password of 8 characters or less can be cracked easily.
   • Try using a mix of characters, numbers and special characters
   • Use password generator tools

14. The Myths We Live By
   Myth 10: If my site is hacked, my hosting can restore it for me
   Reality:
   • Yes, if you have premium hosting servers like WordPress VIP Hosting
   • No for normal hosting.

15. Building Secure WordPress Sites in Simple 10 Steps

16. Building Secure WordPress Sites
   Step 1: Secure your own Computer
   Recommendation:
   • Keep it private
   • Run anti-virus software regularly
   • Don't log in via an insecure or public Wi-Fi network
   • Be careful of the sites you click on.

17. Building Secure WordPress Sites
   Step 2: Get a reliable Hosting server
   Recommended Hosting:
   • Bluehost
   • Media Temple
   • Web Synthesis
   • WP Engine
   • WordPress VIP Hosting

18. Building Secure WordPress Sites
   Step 3: Add Secret Keys in the wp-config.php file
   Recommendation:
   • A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password.
   • Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt/
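The salt endpoint above returns eight `define()` lines that replace the "put your unique phrase here" placeholders in wp-config.php. The script below is an added example, not code from the slides or from Sakin Shrestha: it generates values of the same form locally (so it runs offline), checks a wp-config.php for keys that are missing or still set to the placeholder, and rotates the values in place. It assumes a POSIX shell with `tr`, `head`, `grep` and `sed`, `/dev/urandom`, and a config written in the single-quoted `define('KEY', 'value');` form that wp-config-sample.php ships with; the sample config at the bottom is constructed.

```shell
#!/bin/sh
# Added example (not from the slides): generate the eight WordPress salt
# defines locally, check a wp-config.php for placeholder salts, and rotate them.
# Assumes single-quoted define('KEY', 'value'); lines as in wp-config-sample.php.

SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"
PLACEHOLDER="put your unique phrase here"

# One 64-character random value. The character set deliberately excludes
# quotes, backslash, $, & and | so the value is safe inside a single-quoted
# PHP string and inside the sed replacement used below.
random_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#%^*()_+=,.:;<>?~' < /dev/urandom | head -c 64
}

# Emit the define() lines in wp-config.php syntax (they belong where the
# placeholders are, above the "stop editing" line).
generate_salt_defines() {
    for key in $SALT_KEYS; do
        printf "define('%s', '%s');\n" "$key" "$(random_salt)"
    done
}

# Return 0 when every key is defined with a non-placeholder value, 1 otherwise;
# prints the keys that fail so the result is actionable.
check_wp_config_salts() {
    cfg="$1"
    status=0
    for key in $SALT_KEYS; do
        line=$(grep -E "define\([[:space:]]*'$key'" "$cfg" | head -n 1)
        if [ -z "$line" ]; then
            echo "MISSING: $key"; status=1
        elif echo "$line" | grep -q "$PLACEHOLDER"; then
            echo "PLACEHOLDER: $key"; status=1
        fi
    done
    return $status
}

# Replace each key's define line in place, keeping its position in the file.
# Rotating the salts invalidates every existing login cookie, which is also
# why it is worth doing after a suspected compromise.
rotate_wp_config_salts() {
    cfg="$1"
    for key in $SALT_KEYS; do
        new=$(random_salt)
        sed "s|^[[:space:]]*define('$key',.*|define('$key', '$new');|" "$cfg" > "$cfg.tmp" \
            && mv "$cfg.tmp" "$cfg"
    done
}

# Constructed sample: a wp-config.php still carrying the stock placeholders.
SAMPLE_DIR=$(mktemp -d)
SAMPLE_CONFIG="$SAMPLE_DIR/wp-config.php"
cat > "$SAMPLE_CONFIG" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
EOF

echo "== before =="; check_wp_config_salts "$SAMPLE_CONFIG" || true
rotate_wp_config_salts "$SAMPLE_CONFIG"
echo "== after =="; check_wp_config_salts "$SAMPLE_CONFIG" && echo "all salts set"
```

Run `check_wp_config_salts /path/to/wp-config.php` against a real site to see which keys still carry the placeholder; `rotate_wp_config_salts` is the fix, and it logs every user out, so schedule it accordingly.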
19. Building Secure WordPress Sites
   Step 4: Proper File and Folder Permissions
   Recommendation:
   • Files should be set to 644
   • Folders should be set to 755
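Applying the 644/755 scheme is a pair of `find` commands, and auditing for drift is the same pair negated. The script below is an added example, not code from the slides or from Sakin Shrestha; it assumes POSIX `find` and `chmod`, and builds a throwaway site tree with the usual sloppy modes (a 777 uploads directory, a 666 plugin file, an executable wp-config.php) so it can be run as-is.

```shell
#!/bin/sh
# Added example (not from the slides): apply the 644/755 baseline to a
# WordPress tree and audit it for deviations and world-writable paths.
# Assumes POSIX find/chmod; the sample tree below is constructed.

# Directories 755, files 644, as the slide recommends.
apply_wp_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Every path whose mode differs from the baseline, one per line.
list_permission_deviations() {
    find "$1" -type d ! -perm 755
    find "$1" -type f ! -perm 644
}

count_permission_deviations() {
    list_permission_deviations "$1" | wc -l | tr -d ' '
}

# World-writable paths are the ones to look at first: on a shared host any
# local process can drop files there. -perm -002 means "other-write bit set".
list_world_writable() {
    find "$1" -perm -002
}

count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Constructed sample tree with the usual sloppy modes.
SAMPLE_ROOT=$(mktemp -d)
mkdir -p "$SAMPLE_ROOT/wp-content/uploads" "$SAMPLE_ROOT/wp-content/plugins/example"
: > "$SAMPLE_ROOT/wp-config.php"
: > "$SAMPLE_ROOT/wp-content/plugins/example/example.php"
chmod 777 "$SAMPLE_ROOT/wp-content/uploads"                     # world-writable upload dir
chmod 666 "$SAMPLE_ROOT/wp-content/plugins/example/example.php" # world-writable plugin file
chmod 755 "$SAMPLE_ROOT/wp-config.php"                           # executable config file

echo "before: $(count_permission_deviations "$SAMPLE_ROOT") deviations, $(count_world_writable "$SAMPLE_ROOT") world-writable"
list_permission_deviations "$SAMPLE_ROOT"
apply_wp_permissions "$SAMPLE_ROOT"
echo "after:  $(count_permission_deviations "$SAMPLE_ROOT") deviations, $(count_world_writable "$SAMPLE_ROOT") world-writable"
```

One caveat the slide's baseline leaves open: 644 makes wp-config.php, and the database password in it, readable by every other account on a shared host, so it is common to tighten that one file further (the Hardening_WordPress page linked at the end of the deck discusses this); everything else in the tree fits the 644/755 rule.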
20. Building Secure WordPress Sites
   Step 5: Use a strong password and remove the admin name
   Recommendation:
   • Use a password generator to reset passwords for WP, FTP, Hosting and Email
   • Create a new admin user, log out, log in as the new user, delete the old "admin" user and assign its posts/pages to the new admin

21. Building Secure WordPress Sites
   Step 6: Get a reliable WordPress theme
   Recommendation:
   • Use a free theme hosted on WordPress.org
   • Use a premium theme only from reputed theme development companies (Catch Themes, Woo Themes, Graph Paper Press)

22. Building Secure WordPress Sites
   Step 7: Get reliable WordPress plugins
   Recommendation:
   • Try to minimize the use of plugins
   • For free plugins, only use Top Rated and Popular plugins on WordPress.org
   • For premium plugins, check the code, change logs and feedback

23. Building Secure WordPress Sites
   Step 8: Set up a backup schedule
   Recommendation:
   • Use a backup plugin such as VaultPress, BackupBuddy, WP DB Backup, WP Online Backup and so on
   • Back up as often as needed so you don't lose data

24. Building Secure WordPress Sites
   Step 9: Update, Update and Update
   Recommendation:
   • No excuse
   • Update your WordPress, Themes and Plugins

25. Building Secure WordPress Sites
   Step 10: Install Security Plugins
   Recommendation:
   • Better WP Security
   • Sucuri SiteCheck Malware Scanner
   • Secure WordPress
   • BulletProof Security
   • WP Security Scan

26. Better WP Security: Hides
   • Remove the meta "Generator" tag
   • Change the URLs for the WordPress dashboard including login, admin, and more
   • Completely turn off the ability to log in for a given time period (away mode)
   • Remove theme, plugin, and core update notifications from users who do not have permission to update them
   • Rename the "admin" account and change the ID on the user with ID 1
   • Change the WordPress database table prefix
   • Remove login error messages

27. Better WP Security: Protects
   • Scan your site to instantly tell where vulnerabilities are and fix them in seconds
   • Ban troublesome bots and other hosts
   • Ban troublesome user agents
   • Prevent brute force attacks by banning hosts and users with too many invalid login attempts
   • Enforce strong passwords for all accounts of a configurable minimum role
   • Force SSL for admin pages (on supporting servers)
   • Turn off file editing from within the WordPress admin area
   • Detect and block numerous attacks on your filesystem and database
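The "too many invalid login attempts" signal the plugin bans on can be read straight out of the web server's access log, which is useful both for checking that the plugin is doing its job and for sites without it. The script below is an added example, not code from the slides, from Sakin Shrestha or from the Better WP Security plugin. It relies on one piece of WordPress behaviour: a failed wp-login.php POST re-renders the login form with HTTP 200, while a successful one redirects to the dashboard with 302, so counting 200-status POSTs per client IP approximates failed attempts. It assumes the combined log format (the Apache and nginx default) and uses constructed log lines with documentation-range addresses.

```shell
#!/bin/sh
# Added example (not from the slides or the plugin): count failed-looking
# wp-login.php POSTs per client IP from an access log and flag the ones over
# a threshold. Failed login -> form re-rendered (200); success -> redirect (302).
# Assumes combined log format; the lines below are constructed.

SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
203.0.113.7 - - [26/Feb/2013:10:00:01 +0545] "POST /wp-login.php HTTP/1.1" 200 3501 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2013:10:00:02 +0545] "POST /wp-login.php HTTP/1.1" 200 3501 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2013:10:00:02 +0545] "POST /wp-login.php HTTP/1.1" 200 3501 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2013:10:00:03 +0545] "POST /wp-login.php HTTP/1.1" 200 3501 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2013:10:00:04 +0545] "POST /wp-login.php HTTP/1.1" 200 3501 "-" "Mozilla/5.0"
203.0.113.7 - - [26/Feb/2013:10:00:04 +0545] "POST /wp-login.php HTTP/1.1" 200 3501 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Feb/2013:10:01:10 +0545] "GET /wp-login.php HTTP/1.1" 200 2900 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Feb/2013:10:01:25 +0545] "POST /wp-login.php HTTP/1.1" 200 3501 "-" "Mozilla/5.0"
198.51.100.4 - - [26/Feb/2013:10:01:40 +0545] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Feb/2013:10:02:00 +0545] "GET / HTTP/1.1" 200 14200 "-" "Mozilla/5.0"
192.0.2.9 - - [26/Feb/2013:10:02:05 +0545] "GET /?p=12 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"
EOF

# Print "count ip" for every client with at least $2 failed-looking login
# POSTs in log file $1, highest count first. Fields in combined format:
# $1 client, $6 "METHOD, $7 path, $9 status.
flag_login_bruteforce() {
    awk -v limit="$2" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] >= limit) printf "%d %s\n", hits[ip], ip }
    ' "$1" | sort -rn
}

# One way to act on the list: Apache 2.2-style "Deny from" lines for .htaccess.
htaccess_deny_rules() {
    flag_login_bruteforce "$1" "$2" | while read -r count ip; do
        printf 'Deny from %s\n' "$ip"
    done
}

echo "== clients at or above 5 failed logins =="
flag_login_bruteforce "$SAMPLE_LOG" 5
echo "== .htaccess rules =="
htaccess_deny_rules "$SAMPLE_LOG" 5
```

The one legitimate user in the sample (198.51.100.4) mistypes once and then logs in; only the client with six straight 200 responses is flagged. On a real log, add a time window (the date field, `$4`) before banning, since a slow trickle over weeks and a burst in a minute deserve different responses.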
28. Better WP Security: Detect
   • Monitor filesystem for unauthorized changes
   • Detect bots and other attempts to search for vulnerabilities
   Better WP Security: Recovery
   • Create and email database backups on a customizable schedule
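"Monitor filesystem for unauthorized changes" comes down to a hash baseline and a periodic comparison; this is also how the invisible hacks from Myth 8 (a dropped-in PHP file, a modified core file) surface before Google's blacklist does. The script below is an added example, not code from the slides, from Sakin Shrestha or from the plugin. It assumes `sha256sum` (or `shasum -a 256`), `find`, `sort` and `awk` are available and that paths contain no newlines; the site tree and the tampering are constructed.

```shell
#!/bin/sh
# Added example (not from the slides or the plugin): record a SHA-256 baseline
# of a site tree, then report files added, removed or modified since.
# Assumes sha256sum or shasum; the sample tree below is constructed.

hasher() {
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

# "hash  ./relative/path" for every regular file under $1, sorted.
hash_tree() {
    ( cd "$1" && find . -type f | LC_ALL=C sort | while read -r f; do hasher "$f"; done )
}

record_baseline() { hash_tree "$1" > "$2"; }

# Compare tree $1 with baseline file $2. Prints ADDED/REMOVED/MODIFIED lines;
# returns 0 if the tree matches the baseline, 1 if anything differs.
check_integrity() {
    current=$(mktemp)
    hash_tree "$1" > "$current"
    report=$(awk '
        FILENAME == ARGV[1] { base[$2] = $1; next }
        { cur[$2] = $1 }
        END {
            for (p in cur)  if (!(p in base)) print "ADDED " p
            for (p in base) if (!(p in cur)) print "REMOVED " p
            for (p in cur)  if ((p in base) && base[p] != cur[p]) print "MODIFIED " p
        }' "$2" "$current" | LC_ALL=C sort)
    rm -f "$current"
    [ -z "$report" ] && return 0
    echo "$report"
    return 1
}

# Constructed sample site tree; the baseline file lives outside the tree so it
# is not hashed itself.
SAMPLE_ROOT=$(mktemp -d)
BASELINE="$SAMPLE_ROOT.baseline"
mkdir -p "$SAMPLE_ROOT/wp-includes" "$SAMPLE_ROOT/wp-content/uploads"
echo '<?php $wp_version = "X.Y.Z";' > "$SAMPLE_ROOT/wp-includes/version.php"
echo '<?php /* index */'            > "$SAMPLE_ROOT/index.php"
echo 'Welcome to WordPress'         > "$SAMPLE_ROOT/readme.html"
record_baseline "$SAMPLE_ROOT" "$BASELINE"

# Simulated tampering (constructed): one file changed, one dropped in, one removed.
tamper_sample_tree() {
    echo '<?php $wp_version = "X.Y.Z"; /* extra */' > "$SAMPLE_ROOT/wp-includes/version.php"
    echo '<?php /* unexpected */' > "$SAMPLE_ROOT/wp-content/uploads/unexpected.php"
    rm -f "$SAMPLE_ROOT/readme.html"
}

echo "== fresh baseline =="
check_integrity "$SAMPLE_ROOT" "$BASELINE" && echo "no changes"
tamper_sample_tree
echo "== after tampering =="
check_integrity "$SAMPLE_ROOT" "$BASELINE" || echo "changes detected"
```

Keep the baseline somewhere the web server user cannot write (otherwise whoever modifies the tree can also re-baseline it), re-record it right after every legitimate update, and treat any new `.php` under wp-content/uploads as a finding rather than noise: uploads should never contain executable code.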
29. Resources for WordPress Security
   Security Related Articles
   • http://codex.wordpress.org/Hardening_WordPress
   • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
   • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
   • http://catchinternet.com/blog/wordpress-security-tips/
   Clean a Hacked Site
   • http://codex.wordpress.org/FAQ_My_site_was_hacked
   • http://www.marketingtechblog.com/wordpress-hacked/
   • http://sakinshrestha.com/wordpress/fix-if-your-wordpress-site-is-hacked/

30. Resources for WordPress Security
   Support Forums
   • Hacked: http://wordpress.org/tags/hacked
   • Malware: http://wordpress.org/tags/malware

31. Building Secure WordPress Sites
   Sakin Shrestha
   Blog: http://sakinshrestha.com
   Email: sakin@catchinternet.com
   Twitter: @sakinshrestha