WordPress Security is like a HHAM Sandwich

An overview of WordPress security targeted at beginning and intermediate users. Some light coding required. Talks about hosting, hardening, access and maintenance, the four areas to consider to keep a WordPress site protected from hackers.

  2. JAMES HIPKIN: Involved in advertising and marketing for many years. Started in traditional advertising, moved over to direct marketing, and has been involved with digital for over ten years. Currently an owner and the Managing Director at Red8 Interactive.
  3. More than 20% of websites are using WordPress. This makes WordPress a target for hackers. NOT IF, BUT WHEN: without protection, it’s not a question of if, but when.
  5. THINK HHAM SANDWICH: Hosting, Hardening, Access, Maintenance.
  6. SOME CONTEXT: You don’t need to follow every recommendation presented here to be secure. There isn’t a silver bullet, but do something.
  7. SOME CONTEXT: No site is immune to hacking. No matter what you do, a dedicated individual with the skills can gain access to virtually any site.
  8. SOME CONTEXT: “…but my site doesn’t get much traffic.”
  9. HOSTING
  10. HOSTING: The trouble with sharing
    - Because shared servers must support many applications, server software is often out of date, which means hackers can exploit security holes in old software, holes that have already been plugged by updates the host has yet to apply.
    - Shared hosts are concerned about security, but their solutions are generic; they aren’t designed specifically for WordPress.
  11. MANAGED WP HOSTS: It’s all about commitment. Since the server is only supporting one application, WordPress:
    - Server software is kept up to date
    - Security precautions are specific to WordPress
    - WordPress updates are automatic
    - Backups and security scans are automatic
    - Quality control over plugins: known attack vectors and server thrashers aren’t allowed
  12. MANAGED WP HOSTS: But wait, there’s more… managed WP hosts perform better; they’re optimized to support WordPress’ specific requirements.
  13. MANAGED WP HOSTS: We use WP Engine. Others you can consider:
    - Pagely
    - Pressable
    - Synthesis
  14. HARDENING
  15. HARDENING: Make it hard for the hackers’ bots and they will move on. Recommendations can be applied individually, which may require a developer. Many are included as options in the iThemes Security plugin.
  16. HARDENING: Shut down the theme and plugin editor. Disallow it by adding the following to wp-config.php:
    define( 'DISALLOW_FILE_EDIT', true );
  17. HARDENING: Set permissions on your wp-content and themes directories to 755. Set permissions on files to 644.
  18. HARDENING: Hackers will try to add a .php file via the wp-includes and/or wp-content/uploads/ folders. To disable PHP execution in these directories:
    - Create a file in a text editor, call it .htaccess and add the following code:
      <Files *.php>
      deny from all
      </Files>
    - Use FTP to place this file in the
  19. HARDENING: Change the database prefix
    - In the wp-config.php file change the table prefix from “wp_” to “wp_randomlettersandnumbers_”
    - Or “randomlettersandnumbers_”
    - This is best accomplished during the initial install of WordPress
    - Or use iThemes Security or the Change DB Prefix plugin on an older site
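A way to check the hardening items on slides 16 to 19 in one pass, as an added example that is not from the slides: it builds a constructed, minimal WordPress directory tree in a temp directory (not a real install) and audits DISALLOW_FILE_EDIT, the table prefix, the 755/644 permissions under wp-content, and the .htaccess block in wp-includes and wp-content/uploads, accepting either the Apache 2.2 `deny from all` from the slide or the Apache 2.4 equivalent `Require all denied`.

```python
# Added example (not from the slides): audit a WordPress tree against the hardening items above.
import re
import stat
import tempfile
from pathlib import Path

PHP_BLOCK = "<Files *.php>\ndeny from all\n</Files>\n"  # the slide's .htaccess
NO_EXEC_DIRS = ("wp-includes", "wp-content/uploads")


def audit(root):
    """Return a list of findings; an empty list means every check passed."""
    root = Path(root)
    findings = []
    config = (root / "wp-config.php").read_text()
    if not re.search(r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\)", config):
        findings.append("DISALLOW_FILE_EDIT not set: theme/plugin editor is enabled")
    prefix = re.search(r"\$table_prefix\s*=\s*'([^']*)'", config)
    if not prefix or prefix.group(1) == "wp_":
        findings.append("table prefix is the default 'wp_'")
    for rel in NO_EXEC_DIRS:  # .htaccess must refuse to serve *.php here (Apache 2.2 or 2.4 syntax)
        ht = root / rel / ".htaccess"
        if not ht.is_file() or not re.search(r"deny from all|require all denied", ht.read_text(), re.I):
            findings.append(f"{rel}: no .htaccess blocking PHP execution")
    content = root / "wp-content"  # directories 755, files 644
    for path in [content, *content.rglob("*")]:
        mode = stat.S_IMODE(path.stat().st_mode)
        want = 0o755 if path.is_dir() else 0o644
        if mode != want:
            findings.append(f"{path.relative_to(root)}: mode {mode:o}, want {want:o}")
    return findings


def build_sample(secure):
    """Constructed minimal tree in a temp dir; a stand-in for a real install."""
    root = Path(tempfile.mkdtemp())
    for rel in NO_EXEC_DIRS + ("wp-content/themes",):
        (root / rel).mkdir(parents=True, exist_ok=True)
    (root / "wp-content/themes/style.css").write_text("/* theme */")
    cfg = "<?php\n$table_prefix = 'wp_';\n"  # WordPress defaults, editor enabled
    if secure:
        cfg = "<?php\n$table_prefix = 'wp_k3x9q_';\ndefine( 'DISALLOW_FILE_EDIT', true );\n"
        for rel in NO_EXEC_DIRS:
            (root / rel / ".htaccess").write_text(PHP_BLOCK)
    (root / "wp-config.php").write_text(cfg)
    for path in [root / "wp-content", *(root / "wp-content").rglob("*")]:
        path.chmod(0o755 if path.is_dir() else 0o644)
    if not secure:  # world-writable uploads dir, a common misconfiguration
        (root / "wp-content/uploads").chmod(0o777)
    return root
```

Run `audit(build_sample(secure=False))` to see the five findings an unhardened tree produces, and point `audit()` at a real document root to check a live site.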
  20. HARDENING: Use the Disable Comments plugin to turn off post comments if they aren’t required, which closes several attack vectors. Use a third party like Disqus to manage comments so they are off the server.
  21. HARDENING: Install iThemes Security for one-stop-shop security (some setup required).
  22. HARDENING: Install the BruteProtect plugin to block brute force attacks. Limit Login Attempts is another choice, but it’s best in combination with other measures.
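The traffic pattern BruteProtect and Limit Login Attempts react to, as an added detection example that is not part of the slides: it counts failed POSTs to wp-login.php per source IP in an Apache-style access log (the log lines are constructed) and flags sources that cross a threshold inside a time window. It relies on WordPress answering a failed login with HTTP 200 (the form is re-rendered) and a successful one with a 302 to wp-admin.

```python
# Added example (not from the slides): flag brute-forcing of wp-login.php in Apache-style access logs.
import re
from datetime import datetime, timedelta

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: 203.0.113.7 hammers the form, 198.51.100.4 mistypes twice then logs in, 192.0.2.9 browses.
SAMPLE_LOG = """\
203.0.113.7 - - [12/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
203.0.113.7 - - [12/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
203.0.113.7 - - [12/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
198.51.100.4 - - [12/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
203.0.113.7 - - [12/Mar/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
203.0.113.7 - - [12/Mar/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
198.51.100.4 - - [12/Mar/2015:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
203.0.113.7 - - [12/Mar/2015:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3245
198.51.100.4 - - [12/Mar/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0
192.0.2.9 - - [12/Mar/2015:10:00:11 +0000] "GET /wp-login.php HTTP/1.1" 200 3245
"""


def parse(log_text):
    """Yield (ip, time, method, path, status) for each line that matches the log format."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m:
            ip, ts, method, path, status = m.groups()
            yield ip, datetime.strptime(ts, TIME_FMT), method, path.split("?")[0], int(status)


def brute_force_sources(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for IPs with >= threshold failed logins inside any window.
    A POST to wp-login.php answered with 200 re-rendered the form (login failed);
    a successful login is a 302 to wp-admin and is not counted."""
    failures = {}
    for ip, when, method, path, status in parse(log_text):
        if method == "POST" and path == "/wp-login.php" and status == 200:
            failures.setdefault(ip, []).append(when)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0  # sliding window over this IP's failure times
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged
```

With the sample log, `brute_force_sources(SAMPLE_LOG)` flags only 203.0.113.7; the user who mistyped twice stays under the default threshold.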
  23. ACCESS
  24. ACCESS: You need ten Admins? Really?
    - Use the User Role Editor plugin to create a custom user role, Manager or Web Master, with the same capabilities as an Admin but without the ability to add or delete plugins and themes, two common vectors for hackers.
  25. ACCESS: U/P: admin/password123? Really?
    - Delete the admin user if it exists
    - Use the Enforce Strong Passwords plugin to, well, enforce strong passwords
  26. ACCESS: Consider two-factor authentication using the Google Authenticator plugin. Rublon is another excellent plugin for two-factor authentication.
  27. ACCESS: Login Security Solution is another good choice. Or install CLEF, which replaces passwords with a simple, encrypted authentication using your smartphone.
  28. ACCESS: Force administration over SSL. This is important if the dashboard will be accessed by multiple users over public WiFi networks.
    - Install an SSL certificate and add the following to the wp-config.php file, above the existing require_once(ABSPATH . 'wp-settings.php'); line (the constants must be defined before wp-settings.php is loaded, so placing them after that line has no effect):
      define('FORCE_SSL_LOGIN', true);
      define('FORCE_SSL_ADMIN', true);
    - From WordPress 4.0 on, FORCE_SSL_LOGIN is deprecated and FORCE_SSL_ADMIN alone also covers the login page.
  29. ACCESS: Consider adding a firewall to the site
    - Among other benefits, CloudFlare and Sucuri will block malicious attacks before they reach your server
    - While not a 100% solution, a firewall can block access to software vulnerabilities before they can be fixed via updates
  30. ACCESS: Secure your WiFi. “Over three hours, he revealed 23 Wi-Fi hotspots, more than a third of which were open to snoops or used crackable WEP instead of the more modern WPA encryption.” [Photo: Coco, modeling the WarKitteh collar. Photo credit: Gene Bransfield]
  31. ACCESS: For a less industrial-strength, but still effective, solution consider Cloak, a personal VPN service for Apple devices.
  33. MAINTENANCE: Seriously, keep all WordPress software up to date. Keep WordPress and plugins up to date.
  34. MAINTENANCE: Delete all unused plugins and themes. This is very important: old plugins and themes are a common vector for hackers.
  35. MAINTENANCE: If it’s not provided by the host, install a backup plugin
    - BackupBuddy and VaultPress are good choices
    - Store backups in a remote location
  36. MAINTENANCE: Scan the site periodically (nightly?) using a service like Sucuri.
  37. MAINTENANCE: Seriously, keep WordPress, themes and plugins up to date! And back the site up frequently to a remote location.
  38. THIS?
  39. Do these things and the chances you will be hacked are greatly reduced. OR THIS… FOLLOW THESE RECOMMENDATIONS AND THE CHANCES OF GETTING HACKED WILL
  40. THANK YOU! Red8 Interactive, San Francisco, CA / St. Louis, MO. James Hipkin, james@red8interactive.com, 415.789.3685. The slides are available on SlideShare: