Building Secure WordPress Sites


Published on

Talk on Securing WordPress site at WordCamp Nepal 2012. I will be covering Top 10 Myths That We Live By and Building Secure WordPress Sites in Simple 10 Steps. Watch Video at

Published in: Technology
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Building Secure WordPress Sites

  1. 1. Building SecureWordPress Sites By Sakin Shrestha Blog: Email: Twitter: @sakinshrestha
  2. 2. Sakin Shrestha• Founder of Catch Internet and Catch Themes• WordPress Theme Developer• Business Consultant• Member of WordPress Theme Review Team
  3. 3. WordPress• Most Popular Open Source Web Application• 17% of the Websites in the World• 1 in 6 websites
  4. 4. Top 10 Myths That We Live BySource:
  5. 5. The Myths We Live ByMyth 1: WordPress is not SecureReality:• Old versions of WordPress are NOT secure• Current WordPress version is secure
  6. 6. The Myths We Live ByMyth 2: Nobody wants to hack my siteReality:• Most hacking attempts are automated• Once your site is on public web hosting, you need to protect it.• When using WordPress you need to keep theme and plugins updated
  7. 7. The Myths We Live ByMyth 3: My WordPress site is 100% securedReality:• No site that’s accessible on the internet will ever be 100% secure.• You need to have a good backup available
  8. 8. The Myths We Live ByMyth 4: Updating my themes and plugins whenever I log in is good enoughReality:• It’s not. You need to update it ASAP• Timthumb script exploit was discovered and exploited on a mass number of blogs within DAYS!
  9. 9. The Myths We Live ByMyth 5: I only use themes and plugins from, so I’m safeReality:• Plugins and themes are the #1 way hackers gain access to your site• Only WordPress current Core is secure• is safer but not sure bet
  10. 10. The Myths We Live ByMyth 6: If I de-activate a theme or plugin, there is no riskReality:• There is risk• Because even files of de-activated plugins and themes can be access via the Internet
  11. 11. The Myths We Live ByMyth 7: My site is secured by Security PluginsReality:• It just add layer of protection• It won’t help much if a hacker gains access to your online session & password, or sensitive files• It won’t help if the hosting server is compromised
  12. 12. The Myths We Live ByMyth 8: If my site is compromised I will quickly find outReality:• Many hacks are invisible to visitors and only visible to bots• You may not know until your site has been blacklisted by Google• Use site monitoring service or plugin
  13. 13. The Myths We Live ByMyth 9: My password is good enoughReality:• A normal 8 characters or less password can be decoded easily.• Try using mix of characters, numbers and special characters• Use password generator tools
  14. 14. The Myths We Live ByMyth 10: If my site is hacked, my hosting can restore it for meReality:• Yes if you have premium hosting severs like WordPress VIP Hosting• No for normal hosting.
  15. 15. Building SecureWordPress Sites inSimple 10 Steps
  16. 16. Building Secure WordPress SitesStep 1:Secure your own ComputerRecommendation:Keep it privateRun anti-virus software regularly Don’t login via insecure or public WIFI network Be careful of sites you click on.
  17. 17. Building Secure WordPress SitesStep 2:Get reliable Hosting serverRecommended Hosting:Bluehost Media Temple Web Synthesis WP Engine WordPress VIP Hosting
  18. 18. Building Secure WordPress SitesStep 3:Add Secret Keys in wp-config.php fileRecommendation: A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. Visit this URL to get your secret keys: key/1.1/salt/
  19. 19. Building Secure WordPress SitesStep 4:Proper File and Folder PermissionRecommendation: Files should be set to 644 Folders should be set to 755
  20. 20. Building Secure WordPress SitesStep 5:Use strong password and remove admin nameRecommendation: Use password generator to reset passwords for WP, FTP, Hosting and Email Create a new admin user, log out, login as new user, delete old the “admin” user and assign posts/pages to new admin
  21. 21. Building Secure WordPress SitesStep 6:Get reliable WordPress themeRecommendation: Use free theme hosted in Use premium theme only from reputed theme development companies ( Catch Themes, Woo Themes, Graph Paper Press)
  22. 22. Building Secure WordPress SitesStep 7:Get reliable WordPress pluginsRecommendation: Try to minimize the use of plugins For free plugins only use Top Rated and Popular plugins in For premium plugins check the code, change logs and feedbacks
  23. 23. Building Secure WordPress SitesStep 8:Setup backup scheduleRecommendation: Use backup plugin such as VaultPress, Backup Buddy, WP DB Backup, WP Online backup and so on Backup as often as you don’t want to loose data
  24. 24. Building Secure WordPress SitesStep 9:Update Update and UpdateRecommendation: No Excuse Update your WordPress, Themes and Plugins
  25. 25. Building Secure WordPress SitesStep 10:Install Security PluginsRecommendation: Better WP SecuritySucuriSitecheck Malware Scanner Secure WordPressBulletProof Security WP Security Scan
  26. 26. Better WP Security: Hides• Remove the meta "Generator” tag• Change the urls for WordPress dashboard including login, admin, and more• Completely turn off the ability to login for a given time period (away mode)• Remove theme, plugin, and core update notifications from users who do not have permission to update them• rename "admin" account and Change the ID on the user with ID 1• Change the WordPress database table prefix• Removes login error messages
  27. 27. Better WP Security: Protects• Scan your site to instantly tell where vulnerabilities are and fix them in seconds• Ban troublesome bots and other hosts• Ban troublesome user agents• Prevent brute force attacks by banning hosts and users with too many invalid login attempts• Enforce strong passwords for all accounts of a configurable minimum role• Force SSL for admin page (on supporting servers)• Turn off file editing from within WordPress admin area• Detect and block numerous attacks to your filesystem and database
  28. 28. Better WP Security: Detect• Monitor filesystem for unauthorized changes• Detect bots and other attempts to search for vulnerabilities Better WP Security: Recovery • Create and email database backups on a customizable schedule
  29. 29. Resources for WordPress SecuritySecurity Related Articles•• security-webinar-with-dre-armeda.html• hacker-and-ensure-your-site-is-locked.html• a Hacked Site••• site-is-hacked/
  30. 30. Resources for WordPress SecuritySupport Forums• Hacked:• Malware:
  31. 31. Building SecureWordPress Sites Sakin ShresthaBlog: http://sakinshrestha.comEmail: Twitter: @sakinshrestha