
Ithemes presentation


This presentation covers WordPress security using the popular iThemes Security plugin. We go over details and settings for both the free and premium versions of the plugin.


  1. WordPress Security using iThemes Security • Jason Yingling | Lead Developer, Red8 Interactive | red8interactive.com • @jason_yingling | jasonyingling.me
  2. HHAM • Hosting • Hardening • Access • Maintenance
  3. WordPress Hosting • Support for latest software • Optimized for running WordPress • Malware scanning • Works with WordPress 24/7 • Backups
  4. Hardening • Protecting your site from common security risks – Don’t use the ‘admin’ username – Strong passwords – Hide the login area – Brute Force Protection – 404 Protection – Malware scanning
  5. Access • Minimize the number of administrators • Remove file editing from the dashboard • Two Factor Authentication
  6. Maintenance • Keep WordPress up to date • Keep plugins up to date • Remove unused themes and plugins
  7. iThemes Security
  8. iThemes Landing Page • Broken down into high priority, medium priority, and low priority
  9. Global Settings • Write to wp-config.php • Emails for lockout notifications, file change warnings, etc.
  10. Global Settings • Error messages to display to locked-out users
  11. Global Settings • Enables blacklisting repeat offenders • Good idea to switch these up from the defaults
  12. Global Settings • Enables blacklisting repeat offenders • Good idea to switch these up from the defaults
  13. 404 Detection • Blocks attackers scanning for known vulnerabilities
  14. Away Mode • Allows disabling access to the dashboard between certain hours • Do you really need to be able to edit 24/7? • Taking a vacation
  15. Banned Users • Enable HackRepair.com’s blacklist feature • Enable Ban Users • Permanently bans attackers’ IPs
  16. Brute Force Protection • Limit the number of bad login attempts before temporarily locking out the offending host
  17. Brute Force Protection • Switch it up from the default • 4 Max Login Attempts Per Host • 9 Max Login Attempts Per User • 6 Minutes to Remember Bad Login
  18. Database Backups • Sends a database backup via email or stores it on the server • Plugins – BackupBuddy – BackWPUp – WPmudev Snapshot – VaultPress
  19. File Change Detection • Allows you to include and exclude specific files that may change often • Helpful to see which files were changed if an attack happens
  20. Hide Login Area • Change the login URL from /wp-admin • Makes it more difficult for an attacker to find the login area • Avoid using the iThemes default /wplogin
  21. SSL • Requires SSL set up on the server • Allows you to force SSL for the Dashboard
  22. Strong Passwords • Enables you to force strong passwords for users in certain user roles
  23. System Tweaks • Some of this may be performed by your host • Good idea to have on unless you know something conflicts on your site
  24. WordPress Tweaks
  25. WordPress Tweaks
  26. WordPress Tweaks
  27. Advanced Settings • Change the name of the ‘admin’ user • Change the user with ID 1
  28. Advanced Settings • Change WordPress salts
  29. Advanced Settings • Change the name of the wp-content directory • Not necessary on most WP-specific hosts
  30. Advanced Settings • Change the database prefix to make your tables harder to find
  31. iThemes Security Pro • Allows you to temporarily bump a user’s access
  32. iThemes Security Pro • More password options • Password generator on user profile • Password expiration • Force password change
  33. iThemes Security Pro • Use Google’s reCAPTCHA for login, registration, and commenting
  34. iThemes Security Pro • Allow users to set up Two Factor Authentication using the Google Authenticator app
  35. iThemes Security Pro • Log user activities for a certain role, such as login, saving content, and more
  36. Locked yourself out? • Log in to your database via phpMyAdmin or a program like Sequel Pro • Navigate to the itsec_lockouts table • Delete the row with your IP
  37. Locked yourself out? • Disable the plugin via FTP • Navigate to /wp-content/plugins • Rename the ithemes-security plugin directory
  38. Questions? • Jason Yingling | Red8 Interactive • @jason_yingling • http://jasonyingling.me
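The two Brute Force Protection slides describe a per-host and per-user lockout counter with a "remember" window. The following is an added example modelling that policy with the deck's recommended thresholds (4 per host, 9 per user, 6 minutes); it is not the iThemes plugin's own code, and the lockout duration and the "lock on reaching the maximum" rule are assumptions.

```python
# Added example (not iThemes Security's code): model of the lockout policy
# from the slides. Thresholds are the deck's recommended values; the lockout
# length is an assumption because the deck does not state one.
from collections import defaultdict, deque

MAX_PER_HOST = 4            # "4 Max Login Attempts Per Host"
MAX_PER_USER = 9            # "9 Max Login Attempts Per User"
REMEMBER_SECONDS = 6 * 60   # "6 Minutes to Remember Bad Login"
LOCKOUT_SECONDS = 15 * 60   # assumed lockout length


class LockoutPolicy:
    def __init__(self):
        self._host_fails = defaultdict(deque)  # host -> bad-login timestamps
        self._user_fails = defaultdict(deque)  # username -> bad-login timestamps
        self.locked_hosts = {}                 # host -> lockout expiry time
        self.locked_users = {}                 # username -> lockout expiry time

    @staticmethod
    def _prune(q, now):
        # Forget bad logins older than the remember window.
        while q and now - q[0] > REMEMBER_SECONDS:
            q.popleft()

    def is_locked(self, host, user, now):
        return (self.locked_hosts.get(host, 0) > now
                or self.locked_users.get(user, 0) > now)

    def record_failure(self, host, user, now):
        """Record one bad login; return 'host', 'user' or None for a lockout fired."""
        hq, uq = self._host_fails[host], self._user_fails[user]
        self._prune(hq, now)
        self._prune(uq, now)
        hq.append(now)
        uq.append(now)
        if len(hq) >= MAX_PER_HOST:          # assumption: lock on reaching the max
            self.locked_hosts[host] = now + LOCKOUT_SECONDS
            hq.clear()
            return "host"
        if len(uq) >= MAX_PER_USER:
            self.locked_users[user] = now + LOCKOUT_SECONDS
            uq.clear()
            return "user"
        return None


def replay(policy, events):
    """Replay (time, host, username) bad-login events; return lockout events."""
    fired = []
    for t, host, user in events:
        if policy.is_locked(host, user, t):
            fired.append((t, "already-locked"))
            continue
        result = policy.record_failure(host, user, t)
        if result:
            fired.append((t, result))
    return fired


# Constructed sample: one host hammering 'admin' (host lock on its 4th try),
# then 'editor' attacked from nine different addresses (user lock on the 9th).
SAMPLE = ([(i * 10, "203.0.113.5", "admin") for i in range(4)]
          + [(1000 + i * 20, f"198.51.100.{i}", "editor") for i in range(9)])
```

Replaying `SAMPLE` fires a host lockout at t=30 and a user lockout at t=1160; the second case is why the per-user limit matters when a password-spraying source rotates IPs.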
