Wordpress: A Gentle Introduction

WordPressA Rather Gentle Introduction
by John Feminella
w: http://distilledb.com
e: johnf.public@distilledb.com
t: superninjarobot

Introduction
Slide 2

What are these cards for?Questions and feedback
Slide 3

Filling out cards
Slide 4
your evaluation and criticism is welcomed!
presentation:
Was the material presented in a way that you found engaging and could appreciate?
utility:
Did you get value out of the presentation?
technical depth:
Did you find that the technical aspects of the presentation were appropriate and useful?
any other comments:
I love feedback!

Analog hyperlinks{{abcd}} == http://is.gd/abcd
Slide 5

Tools of the talk
Slide 6
WordPress 2.8
the eponymous blogging/publishing app
{{14RRW}}
FTP client
transfer files to and from remote locations
{{15eCh}}
ssh client / PuTTY
connect to remote shells
{{15eEA}}
shell access helpful but not strictly necessary

What’s this talk about?
Slide 7
start-to-finish installation of WordPress 2.8
an introduction to WordPress 2.8
basics of the Unix environment, permissions
open questions
security power tips, common errors

WordPress 2.8
Slide 8
better IIS support for Windows hosts
better security
better administrative usability
widgets API
{{15h2u}}
minor cosmetic improvements with comments, posts
better automation
smarter interoperability between plugins, less conflicts

Basic installation steps
Slide 9
DOWNLOAD
go to wordpress.org
DATABASES
configure with your host
UNZIP
go to wordpress.org
CONFIGURE WORDPRESS
edit wp-config.php
LOG IN
all done!

Power demoInstalling WordPress 2.8 and supporting tools
Slide 10

PermissionsThe Unix permissions model
Slide 11

Security basics: file permissions
Slide 12
read
determine which actions can be taken on files or directories
permissions
write
execute

Slide 13
read
missing permission denies request
write
permissions
execute
result
sum the value of active permissions to produce a summary result

Slide 14
read
write
permissions
execute
result

Security basics: user categories
Slide 15
owner
files belong to both a specific user called the owner and a group
categories
group
world is the set of all users that is not the owner or the group
world

Putting permissions together
Slide 16
categories
index.html
owner
world
group
read
write
permissions
execute
result

Files differ from directories
Slide 17
categories
wordpress/
owner
world
group
list
write
permissions
go to
result

Common permissions
Slide 18
EXECUTABLE BINARIES
755
STATIC CONTENT
644
*.sh
*.bin
*.php
*.html
STANDARD DIRECTORY
755
*.css
*.jpg
*.txt
*.png
SECURED DIRECTORY
700

Power demoExamining effects of permissions
Slide 19

Security power tipsSimple ways to harden your site and avoid complications
Slide 20

Security power tips
Slide 21
wrong / unreadable permissions
drw-r--r-- 7 bob bob 4096 Jun 10 20:32 wp-admin/
-rw-r--r-- 1 bob bob 2341 May 20 11:32 wp-load.php
-rw-r--r-- 1 bob bob 21019 Jun 3 17:15 wp-login.php
insecure permissions
drwxrwxrwx 7 bob bob 4096 Jun 10 20:32 wp-admin/
-rw-r--r-- 1 bob bob 2341 May 20 11:32 wp-load.php
-rw-r--r-- 1 bob bob 21019 Jun 3 17:15 wp-login.php
find . –type d –perm 0777 –print0 | xargs -0 chmod 755

Security power tips
Slide 22
avoid meta-generator strings
...
<head> 
<meta content=“WordPress <?phpbloginfo(‘version’); ?>” name=“generator”/>
</head>
...
defend your wp-admin folder and site configuration
limit access by IP address using .htaccess
AskApache Password Protect
Login Lockdown plugin
{{15ff3}}
{{15fc2}}
{{15fg6}}

Security power tips
Slide 23
if possible, use SFTP or SSH instead of FTP
transmitting over FTP is not at all secure
your host may not support SFTP, but all should allow shell access to savvy users
update early and often
Wordpress Automatic Upgrade Plugin
Instant Upgrade plugin
{{15foD}}
{{15foO}}

Security power tips
Slide 24
perform regular and frequent backups
separate your WP database from other information and data
avoids DoS issues
trivial for determined attackers to overwhelm most entry-level databases

Security power tips
Slide 25
prevent search robots from crawling
// In robots.txt:
Disallow: /path/to/wordpress/wp-*
{{15fDZ}}
prevent casual browsing of directories
// In .htaccess
Options All -Indexes
{{15fBq}}

Questions?
Slide 26

that’s all, folks!
Slide 27

Wordpress: A Gentle Introduction

by John Feminella on Jun 26, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

2 Embeds 37

Statistics

Wordpress: A Gentle Introduction — Presentation Transcript

http://indorgs.virginia.edu	34
http://www.slideshare.net	3