
How to Secure and Maintain Your WordPress Site



Nick Batik led this WordPress security presentation, which addressed site security and administration. As the popularity of WordPress has increased, so has its attractiveness to hackers. Nick will review the basics of keeping your WordPress site secure and talk about some of the WordPress security plugins and services available to keep your site and your online community safe.

Published in: Technology


  1. @nick_batik @sandi_batik. How to Secure and Maintain Your WordPress Site. Austin WordPress Beginner’s Meetup, May 15, 2017.
  2. Nick Batik. Nick Batik founded Pleiades Publishing Services in 1992, has been building websites since 1994 and has been a WordPress consultant and developer since 2007. A WordPress Evangelist and a Co-Organizer of the Austin WordPress Meetup, he has presented technical WordPress classes at numerous WPATX meetups and WordCamps. He specializes in the system design and implementation of custom, often complex WordPress-based solutions that address client data management issues. As the back-end developer, he creates the core computational logic of the website or information system to implement the customized functionality. Follow me @nick_batik / @WPATX. Contact me at:
  3. How to Secure and Maintain Your WordPress Site. Securing your website, databases and files has become a mandatory task for every WordPress site manager, administrator and owner. The core of WordPress is a fairly secure system and is designed for ease of updating and a fast development cycle. Most WordPress security problems are easy to control and are due to either poor judgement by the end user, poorly coded themes and plugins, or bad hosting.
  4. Keep Your Version of WordPress Up-To-Date. #1 excuse for not updating: “What if it ‘breaks’ one of my plugins?” A hacked site, or a ‘temporary’ issue with one plugin... Seriously, you are actually thinking about this? WordPress core updates fix recently discovered security problems. If your site isn’t updated, it is vulnerable.
  5. Keep Your Version of WordPress Up-To-Date. Advanced Automatic Updates plugin: adds options to WordPress’ built-in Automatic Updates feature. Handles security updates and supports installing major releases, plugins, themes, or even regular SVN checkouts!
  6. Update All Your Plugins. Security vulnerabilities are frequently found in third-party WordPress plugins; even the most popular and trusted plugins can have vulnerabilities. Good plugin developers handle security fixes quickly and release an update. Then it is YOUR responsibility to update to the latest version, or your site is still vulnerable to hackers.
  7. Remove Any Inactive or Unused Plugins. The more plugins you have installed on your site, the greater your risk of having a vulnerability in one of those plugins. The security best practice to minimize risk is to completely uninstall any plugins you are not using. How do you tell which plugins are not being used? They are marked as ‘Inactive’ in the Plugins section of the WordPress admin. Delete them!
  8. Update Your Themes. The same logic that applies to WordPress core updates and plugin updates applies to themes. Securing WordPress means that all themes need to be kept updated to their latest versions.
  9. Update Your Themes. OMG! I made changes to my theme. If I update I’ll lose them ALL!!! This is why we stressed the importance of using ‘Child Themes’ rather than making any changes to the actual theme. When you make all changes in your Child Theme, you can easily update to get the latest fixes and security updates without breaking your changes.
  10. Update Your Themes. A security best practice is to also remove any unused themes. You can check which themes require updates from the Appearance > Themes section in the WordPress admin.
  11. Only Install Themes, Plugins and Scripts From Their Official Source. Using any software from a “FREE” pirate site is NEVER a good idea! Many of these “Free Download” pirated themes have maliciously tweaked scripts that install a back door which allows your site to be remotely controlled by hackers. Why would you “trust” a source whose business model is based on stealing other designers’ work?
  12. Only Install Themes, Plugins and Scripts From Their Official Source. Where do you find free, vetted WordPress themes? is the safest place to find free WordPress themes. For a review of WordPress themes go to: w-wordpress-themes-work
  13. Choose a Secure WordPress Hosting Service. Security-conscious hosting services will have a dedicated security team who monitor the latest vulnerabilities and preemptively apply rules on their firewalls to mitigate attacks on your site. Shared hosting solutions are always a bit tricky because you can’t control the site hygiene of your neighbors.
  14. Choose a Secure WordPress Hosting Service. Every developer has their own favorites. For managed hosting we prefer — For inexpensive hosting, we use two — & rdpress-hosting
  15. Make Sure Your Site is Running the Latest Version of PHP. The global WordPress statistics page shows: only 1.7% of WordPress installations run on the latest version of PHP (7); 19.8% run version 5.6, which is still supported; the balance of WordPress installations, almost 80%, run on versions that are no longer supported!
  16. Make Sure Your Site is Running the Latest Version of PHP. PHP, the underlying engine of WordPress, gets regular version and security updates. If your site is not running on PHP 7, that means known security issues are not being fixed and your site is vulnerable to exploitation. PHP version updates depend largely on your hosting service. A good hosting service should make the latest PHP versions available for use with your WordPress installation.
  17. Change the Admin Username. Hackers LOVE folks who chose ‘admin’ as their default administrator user name. The easiest way to secure your WordPress admin login against brute-force attacks is to change the default “admin” username to something more difficult to guess.
  18. Change the Admin Username. How to change it if your user name is currently ‘admin’: create a new administrator user with a less obvious username and delete the old admin user. This is a quick and easy WordPress security step to stop simple hacking attempts.
  19. Username Changer Plugin. Username Changer is a handy, easy-to-use plugin for WordPress beginners.
  20. Always Use Strong Passwords. Do you have any idea how many WordPress sites have either ‘12345’ OR ‘password’ as a PASSWORD!!! Then there is the other favorite username and password combination: admin/admin. Hackers know users are prone to using simple, easy-to-guess passwords, so they use lists of commonly used passwords to gain control of your site. ‘Brute-forcing a password’ is when hackers try these common passwords over and over again.
  21. Don’t Reuse Passwords. Users don’t want to remember long, complicated passwords for each of their accounts. Got it! That is why there are password manager services like KeePass that generate nice long user names and passwords and store them securely, encrypted. Use a password manager, or risk compromising all of your accounts.
  22. Avoid Plain-Text Password Transmission to Protect Your Password(s). Internet traffic is constantly being ‘sniffed and snooped’. Don’t send passwords over email, chat, social networks or other unencrypted forms of transmission. Sensitive data must always be sent in encrypted form.
  23. Avoid Plain-Text Password Transmission to Protect Your Password(s). Implement HTTPS on your WordPress site, particularly on your back end, to avoid passwords being sent in plain text. Don’t use plain FTP when accessing your site. Use SSH or FTPS to encrypt data transmission. To do this you’ll need to set up an FTPS account on your hosting server.
  24. Only Update Your Site From Trusted Networks. Users who understand and value Internet security would NEVER update a website from an untrusted network such as the ‘FREE’ Wi-Fi connection at a local coffee house. Only update your site from trusted networks, such as those at your home or office, or your encrypted hotspot.
  25. Use a Local Anti-Virus. Viruses are designed to spread themselves as far and wide as possible. Many office workstations used by WordPress administrators are infected with at least one virus. These viruses can snoop passwords, credit card numbers and other personal information.
  26. Use a Local Anti-Virus. Make sure your local workstation is running a good, updated antivirus to prevent it from getting infected and spreading to your website. ClamAV is an open-source antivirus engine for detecting trojans, viruses, malware and other malicious threats.
  27. Enable Google Search Console. Google Search Console is a free service offered by Google that helps you monitor and maintain your site’s presence. Google Search Console will advise you if your website starts to host any malicious files. This tool is not preventative; it is a handy ‘malware heads-up’.
  28. Secure WordPress With a WordPress Security Plugin or Service. Go-to security plugins: WordFence, iThemes Security Pro, Sucuri Security, Sucuri Free Website Malware and Security Scanner.
  29. Sometimes Your Only Option Is Just to Restore From Backup. Bad things happen to good websites: not only do they get hacked, but they can fall victim to accidents, power failures, and technical mishaps. You must have a ‘Back-Up’ plan: actually back up, and periodically test your backups.
  30. WordPress Backup and Restore: BackupBuddy. BackupBuddy handles WordPress backup and restore like a champ. What good is a backup if you don’t also have a way to restore your WordPress site? A solid WordPress backup solution must include both components. A complete backup: unlike other WordPress backup plugins, BackupBuddy backs up your entire WordPress installation, including your media library, themes, plugins, widgets, content, settings plus your database. Don’t be fooled by backup plugins that only back up your database; that won’t be enough to restore your site in its entirety. A quick and easy way to restore WordPress: if something goes wrong, BackupBuddy can get your site up and running in no time using the restore function.
  31. WordPress Backup and Restore Made Easy with BackupBuddy. backup-and-restore
  32. Some Advanced WordPress Security Tips for Security Geeks.
  33. Limit Login Attempts. The Limit Login WordPress plugin detects a number of incorrect login attempts and denies that user the possibility of trying again for some time. This, of course, makes brute-forcing attempts much less likely to succeed and significantly improves your WordPress security.
  34. Enable Two-Factor Authentication. 2FA: besides your regular password, you will also need a time-based security token that is unique to each user. This token also expires after a period of time, usually 60 seconds. The security token is typically generated by an app such as Google Authenticator.
  35. Ensure File Permissions Are Correct. PHP and WordPress in general use a set of permissions associated with files and folders. In general, your web server needs to be able to write files for WordPress to work correctly, but the public internet NEVER needs to have write access to your files.
  36. Block Malicious Countries. The IP Geo Block plugin protects your site against threats of attack to the back end of your site not only by blocking requests from undesired countries but also with its original feature, ‘Zero-day Exploit Prevention’ (WP-ZEP). It also blocks undesired requests to the login form (login attempts), comment form (spam and trackbacks) and XML-RPC (login attempts and pingbacks).
  37. Change the Default Table Prefix. Change Table Prefix is mainly useful if you have not changed the database prefix at the time of installation and want to change it post-installation to make your website more secure and protected from SQL injections.
  38. Disable PHP Execution. One of the first things a hacker would do if they got some kind of access to your site would be to execute PHP from within a directory. Add the below code to the .htaccess file in the root directory of your WordPress installation (note that Apache’s Order directive takes a single comma-separated argument with no space):
      <Files *.php>
      Order Allow,Deny
      Deny from all
      </Files>
  39. Segregate Your WordPress Databases. If you run multiple websites on the same hosting server account, you might be tempted to create all of the sites in the same database. Don’t.
  40. Restrict Database User Privileges. For most WordPress day-to-day operations, the database user only needs data read and data write privileges on the database: SELECT, INSERT, UPDATE and DELETE.
  41. Disable File Editing. You can (and should) disable file editing for WordPress administrators after your website goes live, through the following line in the wp-config.php file:
      define('DISALLOW_FILE_EDIT', true);
  42. Secure Your wp-config.php File. Add the following to your .htaccess file:
      <files wp-config.php>
      order allow,deny
      deny from all
      </files>
  43. Disable XML-RPC. Beginning in WordPress 3.5, XML-RPC is enabled by default. Additionally, the option to disable/enable XML-RPC was removed. XML-RPC is considered by many to be one of the biggest security risks to WordPress.
  44. Set WordPress Secret Authentication Keys. You might have come across these eight WordPress security and authentication keys in your wp-config.php file and wondered what they are. You may also have never seen or heard about them. They look something like this:
      define('AUTH_KEY', 'j+Oq5CL Z6M?dc|9KwWv(k9&RK[,>K@vGRY0AvEPrnHav-wq.+&d))-Y}22tD JE');
      define('SECURE_AUTH_KEY', 'Vk~ Qe#?z7GKB>%F2MFOF?6~j#f&FJMG.Y@;~Hlih8jf[}Cgl@-<>w[C -j.E@D#');
      define('LOGGED_IN_KEY', 'YR,_/w.(Ud*.,/(aBmNs?JQGmC4W@<vu_(G:!+@x*?x}?g+8h[vJF!dCsekIf009');
      define('NONCE_KEY', 'yY%{Hx|-WsSSVVFp2h+to5bl;uZ|Za,uT;qC;!b<Oew!NIjrNE#B}N#b4Y45^eh6');
      define('AUTH_SALT', 'mHq/^I#e-;<`(i}@B_ik`9nVbiS4f^PFI+-ZP((p(M%]!x+:)45BRTTdzAZ<^c3{');
      define('SECURE_AUTH_SALT', '+cE7REA-3}V|0Dd#ze8ml=%3;GdRw!EuPGJaOoM}qUd;}doDslqweWY7sJX 9Yab');
      define('LOGGED_IN_SALT', 'A-&{HPc3#P/5-aK88R!~ A9q|PbZrxC9#ZtOie%E~ld;*?x4V)Zd4lPZBX(j?U]y');
      define('NONCE_SALT', 'O[byb]ByAxb!Q1l8Z>nyh|EwAECr-HXCQQI;fE|q[YY1|tpve8:EZ&X-TPqFnS#v');
  45. Some Additional Resources Mentioned During the Meeting. PHP Compatibility Checker plugin: the WP Engine PHP Compatibility Checker can be used by any WordPress website on any web host to check PHP version compatibility. BackWPup: this backup plugin can be used to save your complete installation, including /wp-content/, and push it to an external backup service like Dropbox, S3, FTP and many more (see list below). With a single backup .zip file you are able to easily restore an installation.
  46. Follow-up to the WordPress Permissions Discussion. Everything you need to know about changing file permissions you can find in the WordPress Codex (this is your official source for all things WordPress). The permission plugins mentioned are: User Role Editor, a WordPress plugin that lets you change user role capabilities (except Administrator) easily, with a few clicks; just turn on the check boxes of the capabilities you wish to add to the selected role and click the “Update” button to save your changes. Press Permit Core is an advanced content permissions system. It is derived from Role Scoper, but with extensive improvements in versatility, performance and user-friendliness.
  47. Our Favorite WordPress Security Blogs. Sucuri Blog: follow Sucuri on Twitter for the latest news on exploits, @sucurisecurity & sucurilabs. WordFence Blog: follow Wordfence Security news on Twitter, @wordfence.
  48. Source for a Free SSL Certificate: Let’s Encrypt. Some hosting companies will give you a complimentary SSL certificate as part of your hosting package. Ask your current hosting company about their SSL policies while you inquire about what version of PHP they are running.
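Slides 29 and 30 make the point that a backup is only worth something if it restores completely, and that you have to test that. The Python below is an added example written for this page, not part of the deck and not BackupBuddy code: it builds a constructed miniature site (a wp-config.php, one upload and a database dump file), records a SHA-256 manifest, writes a tar.gz backup, restores it into a scratch directory and compares every file. A second, database-only archive is put through the same check to show how the test catches the incomplete backup slide 30 warns about. File names and the `include` hook are this example's own conventions.

```python
import hashlib
import os
import shutil
import tarfile
import tempfile


def sha256_of(path):
    """Hex SHA-256 of a file, read in chunks so large media files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest(root):
    """{relative path: sha256} for every regular file under root."""
    out = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            out[os.path.relpath(full, root)] = sha256_of(full)
    return out


def make_backup(site_root, archive_path, include=lambda rel: True):
    """Write site_root into a gzip tarball under the top-level name 'site'.
    `include` (this example's hook) decides, per relative path, what goes in."""
    def keep(ti):
        rel = ti.name[len("site/"):] if ti.name.startswith("site/") else ""
        return ti if rel == "" or include(rel) else None
    with tarfile.open(archive_path, "w:gz") as tar:
        tar.add(site_root, arcname="site", filter=keep)


def verify_restore(archive_path, expected):
    """Restore into a scratch directory and diff it against the pre-backup manifest."""
    scratch = tempfile.mkdtemp(prefix="wp-restore-test-")
    try:
        with tarfile.open(archive_path, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses path traversal (Python 3.12+)
            except TypeError:
                tar.extractall(scratch)                  # older interpreters lack the argument
        restored = manifest(os.path.join(scratch, "site"))
    finally:
        shutil.rmtree(scratch)
    missing = sorted(set(expected) - set(restored))
    changed = sorted(k for k in expected if k in restored and restored[k] != expected[k])
    return {"ok": not missing and not changed, "missing": missing,
            "changed": changed, "restored": len(restored)}


def _build_site(site):
    """Constructed stand-in for a WordPress install: config, an upload and a database dump."""
    os.makedirs(os.path.join(site, "wp-content", "uploads"))
    files = {
        "wp-config.php": "<?php define('DB_NAME', 'wordpress');\n",
        "wp-content/uploads/photo.jpg": "not really a jpeg\n",
        "database.sql": "INSERT INTO wp_options VALUES (1, 'siteurl', 'https://example.com');\n",
    }
    for rel, text in files.items():
        with open(os.path.join(site, rel), "w") as f:
            f.write(text)


def demo():
    """Full backup passes the restore test; a database-only backup fails it."""
    work = tempfile.mkdtemp(prefix="wp-backup-demo-")
    try:
        site = os.path.join(work, "site")
        _build_site(site)
        expected = manifest(site)
        full = os.path.join(work, "full.tar.gz")
        make_backup(site, full)
        db_only = os.path.join(work, "db-only.tar.gz")
        make_backup(site, db_only, include=lambda rel: rel == "database.sql")
        return {"full": verify_restore(full, expected),
                "db_only": verify_restore(db_only, expected)}
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    for label, report in demo().items():
        print(label, report)
```

Running the script prints one report per archive; in a real schedule you would take the manifest at backup time, store it beside the archive, and run verify_restore on a different machine than the one that produced the backup.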
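Slide 35 says the public should never be able to write to your files, and slide 38 says PHP should not execute from directories where it does not belong. The audit below is an added Python example (not a WordPress or plugin tool) that walks an install and flags entries writable by every account on the host (the "other" permission class), a wp-config.php readable by other accounts, and PHP files sitting inside wp-content/uploads. The demo tree it builds is constructed. One caveat worth knowing for slide 38: the `<Files *.php>` block is normally placed in wp-content/uploads rather than the document root, because in the root it would also deny index.php and wp-login.php.

```python
import os
import shutil
import stat
import tempfile

UPLOADS = os.path.join("wp-content", "uploads")


def audit_permissions(root):
    """Return sorted (relative path, issue) pairs for: entries writable by 'other',
    a wp-config.php readable by 'other', and PHP files inside wp-content/uploads."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            st = os.lstat(full)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode is meaningless; audit its target separately
            mode = stat.S_IMODE(st.st_mode)
            if mode & stat.S_IWOTH:
                findings.append((rel, "world-writable (%o)" % mode))
            if name == "wp-config.php" and mode & stat.S_IROTH:
                findings.append((rel, "wp-config.php readable by others (%o)" % mode))
            if (stat.S_ISREG(st.st_mode) and name.endswith(".php")
                    and rel.startswith(UPLOADS + os.sep)):
                findings.append((rel, "PHP file inside uploads"))
    return sorted(findings)


def build_demo_tree(root):
    """Constructed layout with three deliberate mistakes: a 777 uploads directory,
    a 666 upload, and a PHP file dropped into uploads. wp-config.php is correctly 600."""
    layout = {  # relative path -> mode; directories end with a slash, created first
        "wp-admin/": 0o755,
        "wp-content/": 0o755,
        UPLOADS + "/": 0o777,
        "index.php": 0o644,
        "wp-config.php": 0o600,
        UPLOADS + "/photo.jpg": 0o666,
        UPLOADS + "/not-an-image.php": 0o644,
    }
    for rel, mode in layout.items():
        full = os.path.join(root, rel.rstrip("/"))
        if rel.endswith("/"):
            os.makedirs(full, exist_ok=True)
        else:
            with open(full, "w") as f:
                f.write("placeholder\n")
        os.chmod(full, mode)


def demo():
    """Build the constructed tree in a temp dir, audit it, clean up, return the findings."""
    root = tempfile.mkdtemp(prefix="wp-perm-demo-")
    try:
        build_demo_tree(root)
        return audit_permissions(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for rel, issue in demo():
        print("%-40s %s" % (rel, issue))
```

Pointed at a real install (`audit_permissions("/var/www/html")`), the same function is a quick post-deployment check; the usual target is directories 755, files 644 and wp-config.php 600, owned by the account the web server runs as.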
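For slide 44, the added Python below (example code for this page, not WordPress code) parses the define() lines of a wp-config.php, checks the eight keys and salts for the placeholder shipped in wp-config-sample.php, short values, duplicated values and missing entries, and generates fresh 64-character replacements from the operating system's CSPRNG. The sample config is constructed and deliberately wrong; the character set used for generation is this example's own choice.

```python
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"  # the value shipped in wp-config-sample.php
# Generation alphabet (this example's choice): the 94 printable ASCII characters minus the
# single quote and backslash, which would need escaping inside a PHP single-quoted string.
ALPHABET = "".join(c for c in string.printable[:94] if c not in "'\\")
# Matches define('NAME', 'value'); the value may contain backslash-escaped characters.
DEFINE_RE = re.compile(r"define\(\s*'([A-Z_]+)'\s*,\s*'((?:[^'\\]|\\.)*)'\s*\)")

# Constructed wp-config.php fragment with four deliberate problems.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'tooshort');
define('LOGGED_IN_KEY',    'Xq9#mTz2!Lp4vRb8@Wc6^Ye1&Uo3*Ia5(Hg7)Kd0-Jf2+Nh4=Pj6_Ql8~Sm1`Vn3');
define('NONCE_KEY',        'Xq9#mTz2!Lp4vRb8@Wc6^Ye1&Uo3*Ia5(Hg7)Kd0-Jf2+Nh4=Pj6_Ql8~Sm1`Vn3');
define('AUTH_SALT',        'B2c$D4e%F6g^H8i&J0k*L2m(N4o)P6q-R8s+T0u=V2w_X4y~Z6a`B8c!D0e@F2g');
define('SECURE_AUTH_SALT', 'C3d$E5f%G7h^I9j&K1l*M3n(O5p)Q7r-S9t+U1v=W3x_Y5z~A7b`C9d!E1f@G3h');
define('LOGGED_IN_SALT',   'D4e$F6g%H8i^J0k&L2m*N4o(P6q)R8s-T0u+V2w=X4y_Z6a~B8c`D0e!F2g@H4i');
define('WP_DEBUG', false);
"""


def parse_defines(config_text):
    """{constant name: string value} for every define('X', '...') in the text."""
    return {name: value for name, value in DEFINE_RE.findall(config_text)}


def check_keys(config_text, min_length=32):
    """Problems with the eight keys/salts, as (name, description), in wp-config order."""
    defines = parse_defines(config_text)
    problems, seen = [], {}
    for name in KEY_NAMES:
        value = defines.get(name)
        if value is None:
            problems.append((name, "missing"))
            continue
        if value == PLACEHOLDER:
            problems.append((name, "still the sample placeholder"))
            continue
        if len(value) < min_length:
            problems.append((name, "shorter than %d characters" % min_length))
        if value in seen:  # two keys sharing a value collapse two cookie secrets into one
            problems.append((name, "same value as " + seen[value]))
        else:
            seen[value] = name
    return problems


def generate_key(length=64):
    """One key from the OS CSPRNG; 64 characters matches what the api.wordpress.org salt page emits."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def render_defines():
    """Eight fresh define() lines ready to paste over the old ones in wp-config.php."""
    return "\n".join("define('%s', '%s');" % (name, generate_key()) for name in KEY_NAMES)


if __name__ == "__main__":
    for name, problem in check_keys(SAMPLE_CONFIG):
        print("%-17s %s" % (name, problem))
    print(render_defines())
```

Rotating the keys invalidates every logged-in session cookie, so do it when a compromise is suspected or when the file has ever been exposed, and expect all users (including yourself) to log in again.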