• Save
Building Secure WordPress Sites
Upcoming SlideShare
Loading in...5
×

Like this? Share it with your network

Share

Building Secure WordPress Sites

  • 4,378 views
Uploaded on

Talk on Securing WordPress site at WordCamp Nepal 2012. I will be covering Top 10 Myths That We Live By and Building Secure WordPress Sites in Simple 10 Steps. Watch Video at......

Talk on Securing WordPress site at WordCamp Nepal 2012. I will be covering Top 10 Myths That We Live By and Building Secure WordPress Sites in Simple 10 Steps. Watch Video at http://wordpress.tv/2013/02/26/sakin-shrestha-building-secure-wordpress-sites/

More in: Technology
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Be the first to comment
No Downloads

Views

Total Views
4,378
On Slideshare
3,158
From Embeds
1,220
Number of Embeds
8

Actions

Shares
Downloads
11
Comments
0
Likes
4

Embeds 1,220

http://devotepress.com 1,193
https://twitter.com 14
http://abtasty.com 5
http://www.wowpin.net 3
http://www.365dailyjournal.com 2
http://sakinshrestha.com 1
http://wowpin.net 1
http://prlog.ru 1

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
    No notes for slide

Transcript

  • 1. Building SecureWordPress Sites By Sakin Shrestha Blog: http://sakinshrestha.com Email: sakin@catchinternet.com Twitter: @sakinshrestha
  • 2. Sakin Shrestha• Founder of Catch Internet and Catch Themes• WordPress Theme Developer• Business Consultant• Member of WordPress Theme Review Team
  • 3. WordPress• Most Popular Open Source Web Application• 17% of the Websites in the World• 1 in 6 websites
  • 4. Top 10 Myths That We Live BySource:http://www.problogger.net/archives/2012/08/29/top-10-wordpress-security-myths/
  • 5. The Myths We Live ByMyth 1: WordPress is not SecureReality:• Old versions of WordPress are NOT secure• Current WordPress version is secure
  • 6. The Myths We Live ByMyth 2: Nobody wants to hack my siteReality:• Most hacking attempts are automated• Once your site is on public web hosting, you need to protect it.• When using WordPress you need to keep theme and plugins updated
  • 7. The Myths We Live ByMyth 3: My WordPress site is 100% securedReality:• No site that’s accessible on the internet will ever be 100% secure.• You need to have a good backup available
  • 8. The Myths We Live ByMyth 4: Updating my themes and plugins whenever I log in is good enoughReality:• It’s not. You need to update it ASAP• Timthumb script exploit was discovered and exploited on a mass number of blogs within DAYS!
  • 9. The Myths We Live ByMyth 5: I only use themes and plugins from wordpress.org, so I’m safeReality:• Plugins and themes are the #1 way hackers gain access to your site• Only WordPress current Core is secure• WordPress.org is safer but not sure bet
  • 10. The Myths We Live ByMyth 6: If I de-activate a theme or plugin, there is no riskReality:• There is risk• Because even files of de-activated plugins and themes can be access via the Internet
  • 11. The Myths We Live ByMyth 7: My site is secured by Security PluginsReality:• It just add layer of protection• It won’t help much if a hacker gains access to your online session & password, or sensitive files• It won’t help if the hosting server is compromised
  • 12. The Myths We Live ByMyth 8: If my site is compromised I will quickly find outReality:• Many hacks are invisible to visitors and only visible to bots• You may not know until your site has been blacklisted by Google• Use site monitoring service or plugin
  • 13. The Myths We Live ByMyth 9: My password is good enoughReality:• A normal 8 characters or less password can be decoded easily.• Try using mix of characters, numbers and special characters• Use password generator tools
  • 14. The Myths We Live ByMyth 10: If my site is hacked, my hosting can restore it for meReality:• Yes if you have premium hosting severs like WordPress VIP Hosting• No for normal hosting.
  • 15. Building SecureWordPress Sites inSimple 10 Steps
  • 16. Building Secure WordPress SitesStep 1:Secure your own ComputerRecommendation:Keep it privateRun anti-virus software regularly Don’t login via insecure or public WIFI network Be careful of sites you click on.
  • 17. Building Secure WordPress SitesStep 2:Get reliable Hosting serverRecommended Hosting:Bluehost Media Temple Web Synthesis WP Engine WordPress VIP Hosting
  • 18. Building Secure WordPress SitesStep 3:Add Secret Keys in wp-config.php fileRecommendation: A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. Visit this URL to get your secret keys: https://api.wordpress.org/secret- key/1.1/salt/
  • 19. Building Secure WordPress SitesStep 4:Proper File and Folder PermissionRecommendation: Files should be set to 644 Folders should be set to 755
  • 20. Building Secure WordPress SitesStep 5:Use strong password and remove admin nameRecommendation: Use password generator to reset passwords for WP, FTP, Hosting and Email Create a new admin user, log out, login as new user, delete old the “admin” user and assign posts/pages to new admin
  • 21. Building Secure WordPress SitesStep 6:Get reliable WordPress themeRecommendation: Use free theme hosted in WordPress.org Use premium theme only from reputed theme development companies ( Catch Themes, Woo Themes, Graph Paper Press)
  • 22. Building Secure WordPress SitesStep 7:Get reliable WordPress pluginsRecommendation: Try to minimize the use of plugins For free plugins only use Top Rated and Popular plugins in WordPress.org For premium plugins check the code, change logs and feedbacks
  • 23. Building Secure WordPress SitesStep 8:Setup backup scheduleRecommendation: Use backup plugin such as VaultPress, Backup Buddy, WP DB Backup, WP Online backup and so on Backup as often as you don’t want to loose data
  • 24. Building Secure WordPress SitesStep 9:Update Update and UpdateRecommendation: No Excuse Update your WordPress, Themes and Plugins
  • 25. Building Secure WordPress SitesStep 10:Install Security PluginsRecommendation: Better WP SecuritySucuriSitecheck Malware Scanner Secure WordPressBulletProof Security WP Security Scan
  • 26. Better WP Security: Hides• Remove the meta "Generator” tag• Change the urls for WordPress dashboard including login, admin, and more• Completely turn off the ability to login for a given time period (away mode)• Remove theme, plugin, and core update notifications from users who do not have permission to update them• rename "admin" account and Change the ID on the user with ID 1• Change the WordPress database table prefix• Removes login error messages
  • 27. Better WP Security: Protects• Scan your site to instantly tell where vulnerabilities are and fix them in seconds• Ban troublesome bots and other hosts• Ban troublesome user agents• Prevent brute force attacks by banning hosts and users with too many invalid login attempts• Enforce strong passwords for all accounts of a configurable minimum role• Force SSL for admin page (on supporting servers)• Turn off file editing from within WordPress admin area• Detect and block numerous attacks to your filesystem and database
  • 28. Better WP Security: Detect• Monitor filesystem for unauthorized changes• Detect bots and other attempts to search for vulnerabilities Better WP Security: Recovery • Create and email database backups on a customizable schedule
  • 29. Resources for WordPress SecuritySecurity Related Articles• http://codex.wordpress.org/Hardening_WordPress• http://blog.sucuri.net/2012/04/lockdown-wordpress-a- security-webinar-with-dre-armeda.html• http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the- hacker-and-ensure-your-site-is-locked.html• http://catchinternet.com/blog/wordpress-security-tips/Clean a Hacked Site• http://codex.wordpress.org/FAQ_My_site_was_hacked• http://www.marketingtechblog.com/wordpress-hacked/• http://sakinshrestha.com/wordpress/fix-if-your-wordpress- site-is-hacked/
  • 30. Resources for WordPress SecuritySupport Forums• Hacked: http://wordpress.org/tags/hacked• Malware: http://wordpress.org/tags/malware
  • 31. Building SecureWordPress Sites Sakin ShresthaBlog: http://sakinshrestha.comEmail: sakin@catchinternet.com Twitter: @sakinshrestha