Why Security?
• SEO / Google rankings
• Downtime - decreased revenue
• Website / business / personal credibility
• Increased costs of cleaning up the mess (potentially lawsuits)
• Lose everything - no site :-(
• If a vulnerability is discovered in WordPress and a new version is released to address the issue, the information required to exploit the vulnerability is almost certainly in the public domain.
• This makes old versions more open to attack, and is one of the primary reasons you should always keep WordPress up to date.
• REMOVE unused themes and plugins (or at least keep them up to date as well). Even when not activated, a vulnerable plugin or theme can be used to attack a site.
2. Rename the “admin” account
• Make it hard for an attacker. If they already know your username, that’s half the battle.
• As of 3.0 WordPress asks up front during installation for an admin account name - don’t use “admin”, and I recommend not using anything related to the domain.
• If you do happen to have an “admin” account there are a few options:
 ‣ Admin Renamer Extended - http://wordpress.org/extend/plugins/admin-renamer-extended/
 ‣ Create another administrator user, log in as the new administrator user and delete the “admin” user.
 ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly.
3. Change your table_prefix
• My what? It’s a database thing...
• Many published WordPress-specific SQL-injection attacks assume that the table_prefix is wp_, the default.
• Changing this can block at least some SQL-injection attacks.
• Good news - WordPress now asks up front during installation for you to specify a table prefix - so don’t use “wp_”.
• If you haven’t changed your prefix:
 ‣ Change Table Prefix (http://wordpress.org/extend/plugins/change-table-prefix/)
 ‣ Get your hands dirty with MySQL or use phpMyAdmin to edit the database directly (remember to update your wp-config.php file as well)
4. Set up Security Keys
• Often referred to as salts - they add random secret values when hashing the information stored in the cookies used during the WordPress login process
• They live in your site’s wp-config.php and can be changed at any time
• https://api.wordpress.org/secret-key/1.1/salt/
• WordPress now generates the salts for you if none are provided - but it’s better to be safe than sorry.
5. Use Strong Passwords
• Weak passwords leave your site vulnerable to:
 ‣ Brute-force attacks
 ‣ Dictionary attacks
• Please use a strong password
• Don’t reuse passwords
• WordPress has a built-in strength meter (don’t ignore it)
7. Use SFTP or FTPS
• FTP transmits all data in the clear - including passwords
• If you need to regularly connect or upload files to your site, use SFTP or FTPS (especially if you are using public wifi)
8. Check File Permissions
• Tricky to get right (especially in shared hosting, where it is more important to get it right)
• A good rule of thumb is to set permissions to 644 for files and 755 for folders
9. Move wp-config.php
• wp-config.php is the main configuration file for your site
• WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory
• Recommended that it is moved up one level (to the parent directory) to make sure only your account and the server can read the file
• If WordPress is located here:
 ‣ /public_html/mysite/wp-config.php
• You can move wp-config.php to here:
 ‣ /public_html/wp-config.php
• This makes it much more difficult for anyone to access your wp-config.php file, as it now resides outside of your site’s root directory (this only helps if the parent directory is not itself served by the web server)
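As an added example (not from the original slides), this script audits a WordPress tree for the points in slides 3, 4, 8 and 9: file and folder modes, the default table prefix, placeholder security keys, and a world-readable wp-config.php. It assumes the stock layout and the stock placeholder text; the fixture it builds is constructed and the paths are hypothetical.

```shell
#!/usr/bin/env bash
# Added example, not from the original slides: a read-only audit of a WordPress
# tree for the items in slides 3, 4, 8 and 9. It assumes the stock layout and the
# stock wp-config.php placeholder text; the fixture below is constructed.

# Slide 8: count files not mode 644 and directories not mode 755 under $1.
wp_perm_findings() {
  find "$1" \( -type f ! -perm 644 \) -o \( -type d ! -perm 755 \) | wc -l | tr -d ' '
}

# Slides 3, 4 and 9: print one line per weakness found in a wp-config.php.
wp_config_findings() {
  local cfg="$1"
  # Default table prefix still in place (what the published injections assume)
  grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$cfg" \
    && echo "table_prefix is still the default wp_"
  # The installer's placeholder means no real security keys were ever set
  grep -q "put your unique phrase here" "$cfg" \
    && echo "security keys/salts still hold the placeholder text"
  # World-readable: other accounts on a shared host can read the DB credentials
  [ -n "$(find "$cfg" -maxdepth 0 -perm -004)" ] \
    && echo "wp-config.php is world-readable"
  return 0
}

# Constructed fixture (hypothetical paths) so the audit can run offline.
make_weak_fixture() {
  local root
  root="$(mktemp -d)"
  mkdir -p "$root/wp-content/uploads"
  cat > "$root/wp-config.php" <<'EOF'
<?php
$table_prefix = 'wp_';
define('AUTH_KEY', 'put your unique phrase here');
EOF
  echo '<?php' > "$root/index.php"
  chmod 755 "$root" "$root/wp-content"
  chmod 777 "$root/wp-content/uploads"   # too open: one directory finding
  chmod 644 "$root/index.php"
  chmod 666 "$root/wp-config.php"        # too open: one file finding
  echo "$root"
}

site="$(make_weak_fixture)"
echo "permission findings: $(wp_perm_findings "$site")"   # 2
wp_config_findings "$site/wp-config.php"                   # prints 3 findings
rm -rf "$site"
```

Point `wp_perm_findings` and `wp_config_findings` at a real install (and its moved wp-config.php) to get the same report for your own site.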
10. Run Backups
• Hosts may provide backups
• However, often...
 ‣ they don’t back up the right things
 ‣ they don’t back up regularly enough
 ‣ they don’t know WordPress
 ‣ they may charge you to restore your site
11. Choose hosting wisely
• In my experience you get what you pay for
• Look for hosts that have:
 ‣ A good backup regime
 ‣ WordPress expertise (tougher than you think)
 ‣ SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure)
12. Be Security Minded
• Keep your own machine clean
• Don’t share or reuse passwords
• If you use public computers, be sure to log out of WP
• If you use public networks:
 ‣ avoid using FTP (that’s the insecure one)
 ‣ avoid logging into WP if you’re not using HTTPS
There’s a plugin for that
• There is also a range of “all in one” solutions that will cover most of the above as well as things like:
 ‣ Remove the WordPress version/generator tag
 ‣ Remove update notifications
 ‣ Remove login error messages
 ‣ Change the location of login URLs