Top Ten WordPress Security Tips for 2012


Published on

My list of the Top Ten W

Published in: Technology, Business
No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Top Ten WordPress Security Tips for 2012

  2. Brad WilliamsCo-Founder WebDevStudios.comCo-Author Professional WordPress & Professional WordPress Plugin DevelopmentCo-Organizer WordCamp PhillyCo-Host WP Late Night
  3. FOR WORDPRESSTop Ten WordPress Security Tips
  4. FOR WORDPRESS1 Update Update Update Keep WordPress Updated! Minor WordPress versions ( ie 3.3.x ) do NOT add new features. They contain bug fixes and security patches
  5. FOR WORDPRESS1 Update Update Update Update Those Plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
  6. FOR WORDPRESS1. Update Update Update NO EXCUSES! UPDATE!
  7. FOR WORDPRESS2. Use Secret Keys Some secrets should remain secrets
  8. FOR WORDPRESS2. Use Secret Keys A secret key is a hashing salt which makes your site harder to hack by adding random elements to the cookies WordPress creates.1. Edit wp-config.php BEFORE AFTER define(AUTH_KEY, put your unique phrase here); define(AUTH_KEY, *8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD); define(SECURE_AUTH_KEY, put your unique phrase here); define(SECURE_AUTH_KEY, q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1); define(LOGGED_IN_KEY, put your unique phrase here); define(LOGGED_IN_KEY, D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+); define(NONCE_KEY, put your unique phrase here); define(NONCE_KEY, oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H); define(AUTH_SALT, put your unique phrase here); define(AUTH_SALT, r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt); define(SECURE_AUTH_SALT, put your unique phrase here); define(SECURE_AUTH_SALT, 3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-); define(LOGGED_IN_SALT, put your unique phrase here); define(LOGGED_IN_SALT, `@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*); define(NONCE_SALT, put your unique phrase here); define(NONCE_SALT, O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6);2. Visit this URL to get your secret keys:
  9. FOR WORDPRESSDo you login with username admin?
  11. FOR WORDPRESS3. Delete the Admin user account Change the admin username in MySQL: UPDATE wp_users SET user_login=hulkster WHERE user_login=admin; Or create a new account with administrator privileges. 1. Create a new account. Make the username very unique 2. Set account to Administrator role 3. Log out and log back in with new account 4. Delete admin account WordPress will allow you to reassign all content written by admin to an account of your choice.
  12. FOR WORDPRESS3. Delete the Admin user account WordPress lets you set the username during the installation process!DONT USE ADMIN!
  13. FOR WORDPRESS3. Delete the Admin user account Knowing your username is half the battle. Dont make it easy on the hackers.
  14. FOR WORDPRESS4. File and Folder Permissions What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755 Start with the default settings above If your host requires 777…SWITCH HOSTS!
  15. FOR WORDPRESS4. File and Folder Permissions Or via SSH with the following commands find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ;
  16. FOR WORDPRESS5. Move wp-config.php WordPress features the ability to move the wp-config.php file one directory above your WordPress root If WordPress is located here: public_html/wordpress/wp-config.php You can move your wp-config.php file to here public_html/wp-config.php WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory
  17. FOR WORDPRESS6. Lock Down WP Login and WP Admin
  18. FOR WORDPRESS6. Lock Down WP Login and WP AdminAdd the code below to wp-config.php to force SSL (https) on logindefine(FORCE_SSL_LOGIN, true);Add the code below to wp-config.php to force SSL (https) on all admin pagesdefine(FORCE_SSL_ADMIN, true); Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping
  19. FOR WORDPRESS6. Lock Down WP Login and WP Admin1. Create an .htaccess file in your wp-admin directory2. Add the following lines of code: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from allow from 123.123.123.* Only a user with the IP or 123.123.123.* can access wp-admin
  20. FOR WORDPRESS7. Use Trusted Sources for Themes & Plugins reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed 1. Safe: 1 2. Iffy: 1 3. Avoid: 8Source:
  21. FOR WORDPRESS 7. Use Trusted Sources for Themes & PluginsThe only safe site reviewed was Most themes included base64() encoded text links to promote various servies Source:
  22. FOR WORDPRESS8. Be Secure Locally Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected! Keep your computer up to date • Ensure you’re patching or installing updates ASAP • Automatic updates rock! Install an anti-virus solution • Ensure you’re keeping definitions current • Automatic updates aren’t a bad idea here either! Yes, personal firewalls still apply!
  23. FOR WORDPRESS8. Be Secure Locally It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks? Your Internet Connection Use SSL whenever possible, especially on an unverified connection. • HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind. Connecting To Your Site(s) Consider using sFTP or SSH vs. FTP •Still widely marketed, but did you know your credentials are passed unencrypted when using FTP? •If unavoidable, do not allow anonymous logins, limit connections, practice least privilege. •Don’t store your credentials in your FTP client.
  24. FOR WORDPRESS9. Use a Trusted HostYou get whatyou pay for…
  25. FOR WORDPRESS9. Use a Trusted Host At the end of the day, hosting providers market the world. You in turn, should have opportunity to know how they’re going to protect you. Your Lovely Host • Cheap doesn’t always mean best, or safe! • How many sites on their network are blacklisted for malware reasons? • What version of software do they run and how often do they update? • How are account credentials stored & who has access?
  26. FOR WORDPRESS9. Use a Trusted Host Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress specific hosting!
  27. FOR WORDPRESS10. Use Common Sense• Use a strong password • BAD: bradisawesome • GOOD: SCrEE79joLly$ • A=@, E=3, S=$, O=0 (This is not unique, they know this)• Update passwords regularly (Monthly, make a schedule)• Know your admins, limit number of accounts (WP, FTP, Hosting, etc)• Backup, Backup, Backup (Use BackupBuddy for scheduled backups)
  28. FOR WORDPRESSPlugins & Services
  29. FOR WORDPRESSLogin Lockdown
  30. FOR WORDPRESSBulletProof Security • .htaccess lockdown rules for various directories (root, wp- admin, etc) • Security status scanner for folder/file permissions and file checks • Very well documented
  31. FOR WORDPRESS Secure WordPress• Hides login error messages• Adds index.php to /themes and /plugins to prevent directory listing• Removes WP, plugin, and theme update notices for non-admins• and more!
  32. FOR WORDPRESS Exploit Scanner• Scans your files and database for potentially malicious code• Does not remove code, only detects it
  33. FOR WORDPRESS• Free Website Malware Scanner:• Website monitoring• Hack cleanup services• Sucuri Security Plugin • Free to clients • Web Application Firewall • Integrity Monitoring • Auditing • Hardening
  34. FOR WORDPRESS• Security Related Articles • • • locked.html • malware-company.html• Clean a Hacked Site • •• Support Forums • Hacked: • Malware:
  35. Brad Williamsbrad@webdevstudios.comBlog: strangework.comTwitter: @williamsbaIRC: WDS-BradProfessional WordPress Second Editioncoming December 2012!