Locking down WordPress

This was a presentation that I gave at SEO Grail on WordPress security and optimization.

Locking down WordPress: Presentation Transcript

  • 1. LOCKING DOWN WORDPRESS: Security, Page Speed Optimization & Implications on SEO
  • 2. WHY SECURE YOUR SITE?
      ◦ Protect your visitors
      ◦ Save money, time and effort
    @PROTECHIG
  • 3. INITIAL THINGS TO CONSIDER…
      ◦ Your individual/website’s goals
      ◦ Choosing the right web host
      ◦ How much traffic do you have?
      ◦ Backups: how often? How thorough?
    What is WordPress’s biggest vulnerability? “78% of malware infections are caused by outdated core applications, plugins, modules, or some other server side software” (Sucuri Labs)
  • 4. BASIC SECURITY MEASURES
      ◦ Admin username
      ◦ Admin password
      ◦ Using a different user for basic tasks
      ◦ Location
      ◦ Themes & plugins
      ◦ Login Lockdown
  • 5. UPDATES
      ◦ Keep WordPress up to date
      ◦ Always update themes & plugins
  • 6. CREDENTIALS
      ◦ The most common administrator username is “admin”; it’s easy for hackers to guess
      ◦ Use secure passwords with capital letters, numbers, and special characters
      ◦ Create different, non-admin accounts to use for basic tasks: editing posts, publishing
    Get a secure password: http://strongpasswordgenerator.com
  • 7. LOCATION
      ◦ Never use an unsecured “open” hotspot
      ◦ It is extremely easy for someone to listen for your personal information
  • 8. BASIC SECURITY PLUGINS TO CONSIDER
      ◦ Theme Check: compares your theme to current WP standards
      ◦ Plugin Check: compares your installed plugins to WP standards
      ◦ Login Lockdown: limit your login attempts & restrict IPs
    Theme Check: http://wordpress.org/extend/plugins/theme-check/
    Plugin Check: http://wordpress.org/extend/plugins/plugin-check/
    Login Lockdown: http://wordpress.org/extend/plugins/login-lockdown/
  • 9. ADVANCED WORDPRESS SECURITY
      ◦ FTP/SSH: use SFTP or SSH whenever possible
      ◦ Two-factor authentication
      ◦ Block/limit IPs
      ◦ Sucuri SiteCheck Malware Scanner
      ◦ Kill PHP execution in uploads
      ◦ Database vulnerabilities
  • 10. TWO FACTOR AUTHENTICATION (Duo Security)
      ◦ Sign up for a free account
      ◦ Add a "Web SDK" integration in the Duo administrative interface and set its "Visual Style" to "WordPress"
      ◦ Install and activate the Duo WordPress plugin
      ◦ Fill in the "Integration Key" and "Secret Key"
    Sign up URL: http://www.duosecurity.com
    WordPress plugin: http://wordpress.org/extend/plugins/duo-wordpress/
  • 11. DUO SECURITY INTEGRATION
  • 12. SUCURI SITECHECK MALWARE SCANNER
      ◦ Checks for malware, spam, blacklisting and other security issues like .htaccess redirections and hidden eval code
    WordPress plugin: http://wordpress.org/extend/plugins/sucuri-scanner/
    Web interface: http://sitecheck.sucuri.net
  • 13. LIMIT ADMIN ACCESS TO YOUR IP
      ◦ Create a new .htaccess file in your text editor
      ◦ Paste in this code:
            Order Deny,Allow
            # replace 202.090.21.1 with your IP address
            Allow from 202.090.21.1
            Deny from all
      ◦ Upload (via SFTP) to your wp-admin directory
      ◦ Be aware, most IPs change frequently
    Find out your IP: http://www.whatismyip.com/
  • 14. KILLING PHP EXECUTION: WHY & HOW
      ◦ There is no need to allow it in your uploads directory
      ◦ Create a .htaccess file in the /wp-content/uploads directory containing:
            <Files *.php>
            Deny from All
            </Files>
    Learn more about .htaccess security: http://www.netmagazine.com/tutorials/protect-your-wordpress-site-htaccess
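The following is an added example, not part of the slides or the author's material: a small POSIX shell audit that puts slide 14 into a repeatable check. It writes the deny rule from the slide into an uploads directory, verifies the rule is present, and lists any *.php files already sitting under uploads (a directory that should only ever hold media, so a PHP file there is worth investigating). The directory layout in the demo is constructed; it assumes Apache is configured to honour .htaccess in that path.

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress uploads directory.
# Assumes Apache honours .htaccess under the given directory.

# Write the deny rule shown on slide 14 into <dir>/.htaccess (overwrites).
write_uploads_htaccess() {
  printf '%s\n' '<Files *.php>' 'Deny from All' '</Files>' > "$1/.htaccess"
}

# Return 0 when <dir>/.htaccess exists and denies *.php, 1 otherwise.
htaccess_blocks_php() {
  f="$1/.htaccess"
  [ -f "$f" ] || return 1
  grep -qi '<Files \*\.php>' "$f" && grep -qi 'Deny from All' "$f"
}

# Print every *.php file below <dir>, one per line (expected: none in uploads).
list_php_in_uploads() {
  find "$1" -type f -iname '*.php' | sort
}

# Overall check: 0 = deny rule present and no PHP files; 1 = something to fix.
audit_uploads() {
  dir="$1"
  rc=0
  if htaccess_blocks_php "$dir"; then
    echo "OK   $dir/.htaccess denies *.php"
  else
    echo "WARN $dir/.htaccess missing or does not deny *.php"
    rc=1
  fi
  php_files=$(list_php_in_uploads "$dir")
  if [ -n "$php_files" ]; then
    echo "WARN PHP files present under $dir (uploads should contain none):"
    printf '%s\n' "$php_files" | sed 's/^/     /'
    rc=1
  else
    echo "OK   no PHP files under $dir"
  fi
  return $rc
}

# Demo on a constructed directory standing in for wp-content/uploads.
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/2012/09"
: > "$demo_dir/2012/09/photo.jpg"
: > "$demo_dir/2012/09/stray.php"      # constructed: a PHP file that should not be here
audit_uploads "$demo_dir" || echo "first audit failed as expected"
write_uploads_htaccess "$demo_dir"
rm "$demo_dir/2012/09/stray.php"
audit_uploads "$demo_dir" && echo "second audit passed"
rm -rf "$demo_dir"
```

Run it against the real directory with `audit_uploads /path/to/wp-content/uploads`; a non-zero exit means either the rule is missing or PHP files are present. The `<Files *.php>` rule only covers files ending in `.php`, so the audit matches exactly what the rule covers and no more.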
  • 15. DATABASE VULNERABILITIES
      ◦ Why is this significant?
      ◦ Is the database name and database username different?
      ◦ Is the password super-secure?
      ◦ Is the table prefix not wp_?
    MySQL security guidelines: http://dev.mysql.com/doc/refman/5.0/en/security-guidelines.html
  • 16. CHANGING DATABASE TABLE PREFIX
      ◦ During the initial WordPress install: change it in wp-config.php, or in the guided install
      ◦ After WordPress is installed:
            1. Access the database through phpMyAdmin (or SSH)
            2. Change the table prefix manually
            3. Update wp-config.php
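As an added example (not from the slides), the shell function below generates the SQL for step 2 above when the prefix is changed on an existing site. Renaming the tables alone is not enough: WordPress also stores the prefix inside two rows, the `wp_user_roles` option in the options table and meta keys such as `wp_capabilities` in the usermeta table, and if those are left with the old prefix no account can log in as an administrator afterwards. The function takes the table names as arguments (on a server they would come from `mysql -N -e 'SHOW TABLES' dbname`), never connects to a database itself, and the table list and new prefix in the demo are constructed. Review the output, back up the database first (slide 3), run it, then set `$table_prefix` in wp-config.php to the new value for step 3.

```shell
#!/bin/sh
# Added example (not from the slides): emit SQL to change a WordPress table prefix.
# usage: gen_prefix_change_sql OLD_PREFIX NEW_PREFIX table [table ...]
gen_prefix_change_sql() {
  old="$1"; new="$2"; shift 2
  for t in "$@"; do
    case "$t" in
      "$old"*)
        # Rename wp_posts -> newprefix_posts and so on for every table with the old prefix.
        printf '%s\n' "RENAME TABLE \`$t\` TO \`$new${t#"$old"}\`;"
        ;;
      *)
        printf '%s\n' "-- skipped $t: does not start with prefix $old"
        ;;
    esac
  done
  # Two kinds of rows also carry the prefix and must follow it, or roles and logins break.
  printf '%s\n' "UPDATE \`${new}options\` SET option_name = '${new}user_roles' WHERE option_name = '${old}user_roles';"
  # Escape '_' so LIKE matches the literal prefix; SUBSTRING drops the old prefix from meta_key.
  like_pat=$(printf '%s' "$old" | sed 's/_/\\_/g')
  printf '%s\n' "UPDATE \`${new}usermeta\` SET meta_key = CONCAT('$new', SUBSTRING(meta_key, $((${#old} + 1)))) WHERE meta_key LIKE '$like_pat%';"
}

# Demo with a constructed table list and a constructed new prefix.
gen_prefix_change_sql wp_ xk7q_ wp_options wp_users wp_usermeta wp_posts wp_postmeta
```

Pipe the output into `mysql dbname` once it has been reviewed; the `-- skipped` lines are SQL comments and are ignored, so a table that never carried the prefix is left untouched.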
  • 17. BACKDOOR HACK
      ◦ Your website is accessed through unconventional methods: FTP, SSH, WP-Admin
      ◦ Constantly evolving
  • 18. DRIVE-BY DOWNLOADS
      ◦ The web equivalent to a drive-by shooting
      ◦ The point is to download a payload onto the user’s local machine
    How do hackers gain access?
      ◦ SQL injection
      ◦ Compromised credentials (WordPress, FTP)
      ◦ Outdated software
  • 19. PHARMA HACK
  • 20. HOW IT AFFECTS TRAFFIC (September 3rd)
  • 21. WORDPRESS OPTIMIZATION
  • 22. SERVER-SIDE
      ◦ Browser caching
      ◦ NGINX
      ◦ Compression
      ◦ MySQL caching
      ◦ Managed DNS hosting
      ◦ CDN/load balancing
  • 23. WORDPRESS SPECIFIC
      ◦ WP Super Cache / W3 Total Cache
      ◦ WP Smush.it
      ◦ Remove unnecessary plugins
    WP Super Cache: http://wordpress.org/extend/plugins/wp-super-cache/
    W3 Total Cache: http://wordpress.org/extend/plugins/w3-total-cache/
    WP Smush.it: http://wordpress.org/extend/plugins/wp-smushit/
  • 24. DESIGNER LEVEL
      ◦ Minify HTML/JavaScript/CSS
      ◦ Avoid @import in CSS
      ◦ Enqueue Google’s version of jQuery
      ◦ Web fonts
      ◦ Use image sprites
  • 25. THANKS FOR LISTENING
      ◦ SlideShare: ZachRussell
      ◦ Twitter: @ProTechIg
      ◦ Website: protechig.com