11. Targeted Attacks
• Against Large Enterprise with mass user base.
• Sophisticated attacks mostly involving group of
• DDOS attacks to bring website down.
• Done for financial/data benefits.
13. Tips to Save Yourself
“A stitch in time, saves nine.”
– Matt Mullenweg
14. For “I Don’t Care” Rockstars
I know you login with admin to post blogs.
Please change it from now.
15. Know your Host
1. Cheap should never be the criteria.
2. Choose your host wisely.
3. Know there security plan.
4. If your host do not offer SSH, time to find a new.
5. What will they do in case you get hacked?
16. Be Safe and Connect Securely
1. Choose SFTP over FTP.
2. Always login with least privileges.
• Use account with least privileges to get your task done.
• Avoid using root as far as possible.
3. Marry Linux as your OS.
4. Keep antivirus updated, on your Mac too.
17. Backup Regularly
1. Do not rely on your host to backup data for you.
2. All it takes is a single command to do the job.
3. Use VaultPress to do backup job.
4. Never keep backup on same server.
5. Keeping backup of database is equally important.
18. Update Update Update
1. Single key to cut off most of attacks on WordPress.
2. Version like 3.1.X are mostly security patches.
3. Not just WordPress, update your themes and plugin as
4. Keep an eye on all vulnerabilities exposed and check if
that can affect you.
19. Care your WordPress
1. Use secure passwords and do not share.
2. Change Passwords regularly.
3. Login with least privileges possible.
4. Create a nickname to post blogs.
5. Do not search “Free Woo themes” until you plan
to end up serving Viagra from your blog.
20. For “Yes, I do care” guys
• Connect Securely, use SSH/SFTP
• Choose a different “Admin” name.
• Use a Nickname to post blogs.
• Keep WordPress cookies salted.
21. For “Yes, I do care” guys
• Limit theme and plugin use, delete unused ones.
• Move up wp-config.php one level and lock it
• Rename database prefix during installation.
• ‘Limit Login Attempts’ – kills brute force
• Disable user registration
• Use Child Themes to modify CSS instead of
tweaking base files.
22. For “Yes, I do care” guys
• Manage File Permissions
Files: 644 or 640
Folder: 755 or 750
• Hide version info – these small steps help.
In functions.php add these lines
23. For “Yes, I do care” guys
• Enable SSL Login
Site needs to be accessible from https
Add following lines in wp-config.php
24. For “Yes, I do care” guys
• Discourage unnecessary crawl
Crawlers can crawl unnecessary files and expose them to hackers.
Create a robot.txt and disallow crawling of unnecessary files.
26. Kill PHP Execution
Ensure that PHP files can not be executed from within a
If it messes with theme/plugin, ensure this is implemented in at
least wp-includes and uploads directory.
27. Disable Editing in WP Admin
Too often your passwords get hacked and you end up
giving hacker access to entire code base.
Add these lines in wp-config.php
28. Limit Admin/Login access by IP
Add these lines of code in the .htaccess file placed in
To implement this, you need to have static ip address.
29. Forbid Proxy Comment Posting
Deny requests that use a proxy server to post comments
and eliminate some spam.
30. Disable PHP settings
Edit php.ini - Idea is to turn display errors to off, in case of
error they might return location of your web root.
This will most likely break something, test in dev server before
moving to live
31. Some Security Plugins
• Duo Two Factor Authentication
• Limit Login Attempts
• BulletProof Security