
WordPress Security: Get it or Lose It

A breakdown of the WordPress security items that should be reviewed when using the content management system.
Broken down into three stages:
1) Novice - Basic Settings
2) Plugins
3) Advanced Settings

Published in: Education

WordPress Security: Get it or Lose It

  1. WordPress Security, by Nathan Driver
  2. Who Am I: Media, Marketing, Geek. @natedriver
  3. WP Security: 3 Sections: Basic Settings, Plugins, Advanced Settings ...and everything in between
  4. Basic Settings: Noob. Starting with the basics
  5. WP Security: Basic Settings
     • Stop using ADMIN: do not make it easy for hackers to 'guess' your username
     • Change the table prefix: it is NOT that difficult
  6. WP Security: Basic Settings. DON'T MAKE IT EASY
  7. WP Security: Basic Settings
  8. WP Security: Basic Settings. A strong password:
     • has at least 15 characters;
     • has uppercase letters;
     • has lowercase letters;
     • has numbers;
     • has symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ~ # | < , > . ? /
     • is not like your previous passwords;
     • is not your name;
     • is not your login;
     • is not your friend's name;
     • is not your family member's name;
     • is not a dictionary word;
     • is not a common name;
     • is not a keyboard pattern, such as qwerty, asdfghjkl, or 12345678.
  9. WP Security: Basic Settings. UPDATE – UPDATE – UPDATE. You see it – do something about it!
  10. Plugins: Help Yourself. They're there to help make your life easier
  11. WP Security: Plugins. BACKUP – BACKUP – BACKUP: VaultPress
  12. WP Security: Plugins. Brute Force: Limit Login Attempts: mit-login-attempts/
  13. WP Security: Plugins. WP Security Scan:
     1. Passwords
     2. File permissions
     3. Database security
     4. Version hiding
     5. WordPress admin protection/security
     6. Removes WP Generator META tag from core code
  14. WP Security: Plugins. Better WP Security:
     • Remove the meta "Generator" tag
     • Change the URLs for the WordPress dashboard, including login, admin, and more
     • Completely turn off the ability to log in for a given time period (away mode)
     • Remove theme, plugin, and core update notifications from users who do not have permission to update them
     • Remove Windows Live Writer header information
     • Remove RSD header information
     • Rename "admin" account
     • Change the ID on the user with ID 1
     • Change the WordPress database table prefix
     • Change wp-content path
     • Remove login error messages
     • Display a random version number to non-administrative users anywhere the version is used
  15. Advanced: Watch Yourself. Behind the scenes
  16. WP Security: Advanced Settings. phpMyAdmin -> Database -> …users
  17. WP Security: Advanced Settings. Alternative steps:
     • Create a new user
     • Give them admin rights
     • Log out
     • Log in under the new user
     • Delete the "admin" account
  18. WP Security: Advanced Settings. Folder Permissions:
     • All directories should be 755 or 750.
     • All files should be 644 or 640. Exception: wp-config.php should be 600 to prevent other users on the server from reading it.
     • No directories should ever be given 777, even upload directories. Since the PHP process is running as the owner of the files, it gets the owner's permissions and can write even to a 755 directory.
  19. WP Security: Advanced Settings. Get rid of the WordPress version. This can be found in:
     • header.php {header meta}
     • readme.html file
     Fix by placing either one in the functions file of your theme:
     • remove_action('wp_head', 'wp_generator');
     • function remove_wp_version() { return ''; } add_filter('the_generator', 'remove_wp_version'); (the function does nothing until it is hooked to the generator filter)
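The folder-permission rules from slide 18, turned into a small audit-and-fix script. This is an added example, not part of the slideshow; the function names, the constructed temporary tree and the assumption of POSIX find/chmod/sed are mine.

```sh
#!/bin/sh
# Added example (not from the slides): audit and fix a WordPress tree against
# the slide's rules. Assumes POSIX find/chmod/sed; paths are constructed below.

# wp_perm_audit ROOT: offending paths go to stderr, the finding count to stdout.
wp_perm_audit() {
    root="$1"
    report=$(
        # directories must be exactly 755 or 750, so 777 is always flagged
        find "$root" -type d ! -perm 755 ! -perm 750 | sed 's/^/DIR  /'
        # ordinary files must be 644 or 640 (no execute bit, no world write)
        find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 | sed 's/^/FILE /'
        # wp-config.php holds the DB credentials: owner read/write only
        find "$root" -type f -name wp-config.php ! -perm 600 | sed 's/^/CONF /'
    )
    if [ -n "$report" ]; then
        printf '%s\n' "$report" >&2
        printf '%s\n' "$report" | wc -l | tr -d ' '
    else
        echo 0
    fi
}

# wp_perm_fix ROOT: apply the baseline (755 dirs, 644 files, 600 wp-config.php).
wp_perm_fix() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    find "$root" -type f -name wp-config.php -exec chmod 600 {} +
}

# wp_perm_demo: build a constructed, deliberately misconfigured tree,
# audit it, fix it, audit again; prints "<findings before> <findings after>".
wp_perm_demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/uploads"
    : > "$tmp/wp-config.php"; : > "$tmp/index.php"; : > "$tmp/wp-content/uploads/a.jpg"
    chmod 755 "$tmp" "$tmp/wp-content"
    chmod 644 "$tmp/wp-content/uploads/a.jpg"
    chmod 777 "$tmp/wp-content/uploads"   # the classic "make uploads work" mistake
    chmod 644 "$tmp/wp-config.php"         # readable by other accounts on the host
    chmod 755 "$tmp/index.php"             # execute bit on a plain PHP file
    before=$(wp_perm_audit "$tmp" 2>/dev/null)
    wp_perm_fix "$tmp"
    after=$(wp_perm_audit "$tmp" 2>/dev/null)
    rm -rf "$tmp"
    echo "$before $after"   # prints "3 0"
}
```

Run `wp_perm_audit /path/to/wordpress` on a real install to list only the paths that break the rules; on a shared host expect the 600 on wp-config.php to be the one most often missing.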