SlideShare a Scribd company logo

Building Secure WordPress Sites

Catch Themes
Catch Themes

Talk on Securing WordPress site at WordCamp Nepal 2012. I will be covering Top 10 Myths That We Live By and Building Secure WordPress Sites in Simple 10 Steps. Watch Video at http://wordpress.tv/2013/02/26/sakin-shrestha-building-secure-wordpress-sites/

Technology
1 of 32
Building Secure WordPress Sites By Sakin Shrestha Blog: http://sakinshrestha.com Email: sakin@catchinternet.com Twitter: @sakinshrestha
Sakin Shrestha • Founder of Catch Internet and Catch Themes • WordPress Theme Developer • Business Consultant • Member of WordPress Theme Review Team
WordPress • Most Popular Open Source Web Application • 17% of the Websites in the World • 1 in 6 websites
Top 10 Myths That We Live By Source: http://www.problogger.net/archives/2012/08/29/top-10- wordpress-security-myths/
The Myths We Live By Myth 1: WordPress is not Secure Reality: • Old versions of WordPress are NOT secure • Current WordPress version is secure
The Myths We Live By Myth 2: Nobody wants to hack my site Reality: • Most hacking attempts are automated • Once your site is on public web hosting, you need to protect it. • When using WordPress you need to keep theme and plugins updated
The Myths We Live By Myth 3: My WordPress site is 100% secured Reality: • No site that’s accessible on the internet will ever be 100% secure. • You need to have a good backup available
The Myths We Live By Myth 4: Updating my themes and plugins whenever I log in is good enough Reality: • It’s not. You need to update it ASAP • Timthumb script exploit was discovered and exploited on a mass number of blogs within DAYS!
The Myths We Live By Myth 5: I only use themes and plugins from wordpress.org, so I’m safe Reality: • Plugins and themes are the #1 way hackers gain access to your site • Only WordPress current Core is secure • WordPress.org is safer but not sure bet
The Myths We Live By Myth 6: If I de-activate a theme or plugin, there is no risk Reality: • There is risk • Because even files of de-activated plugins and themes can be access via the Internet
The Myths We Live By Myth 7: My site is secured by Security Plugins Reality: • It just add layer of protection • It won’t help much if a hacker gains access to your online session & password, or sensitive files • It won’t help if the hosting server is compromised
The Myths We Live By Myth 8: If my site is compromised I will quickly find out Reality: • Many hacks are invisible to visitors and only visible to bots • You may not know until your site has been blacklisted by Google • Use site monitoring service or plugin
The Myths We Live By Myth 9: My password is good enough Reality: • A normal 8 characters or less password can be decoded easily. • Try using mix of characters, numbers and special characters • Use password generator tools
The Myths We Live By Myth 10: If my site is hacked, my hosting can restore it for me Reality: • Yes if you have premium hosting severs like WordPress VIP Hosting • No for normal hosting.
Building Secure WordPress Sites in Simple 10 Steps
Building Secure WordPress Sites Step 1: Secure your own Computer Recommendation: Keep it private Run anti-virus software regularly Don’t login via insecure or public WIFI network Be careful of sites you click on.
Building Secure WordPress Sites Step 2: Get reliable Hosting server Recommended Hosting: Bluehost Media Temple Web Synthesis WP Engine WordPress VIP Hosting
Building Secure WordPress Sites Step 3: Add Secret Keys in wp-config.php file Recommendation: A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. Visit this URL to get your secret keys: https://api.wordpress.org/secret- key/1.1/salt/
Building Secure WordPress Sites Step 4: Proper File and Folder Permission Recommendation: Files should be set to 644 Folders should be set to 755
Building Secure WordPress Sites Step 5: Use strong password and remove admin name Recommendation: Use password generator to reset passwords for WP, FTP, Hosting and Email Create a new admin user, log out, login as new user, delete old the “admin” user and assign posts/pages to new admin
Building Secure WordPress Sites Step 6: Get reliable WordPress theme Recommendation: Use free theme hosted in WordPress.org Use premium theme only from reputed theme development companies ( Catch Themes, Woo Themes, Graph Paper Press)
Building Secure WordPress Sites Step 7: Get reliable WordPress plugins Recommendation: Try to minimize the use of plugins For free plugins only use Top Rated and Popular plugins in WordPress.org For premium plugins check the code, change logs and feedbacks
Building Secure WordPress Sites Step 8: Setup backup schedule Recommendation: Use backup plugin such as VaultPress, Backup Buddy, WP DB Backup, WP Online backup and so on Backup as often as you don’t want to loose data
Building Secure WordPress Sites Step 9: Update Update and Update Recommendation: No Excuse Update your WordPress, Themes and Plugins
Building Secure WordPress Sites Step 10: Install Security Plugins Recommendation: Better WP Security SucuriSitecheck Malware Scanner Secure WordPress BulletProof Security WP Security Scan
Better WP Security: Hides • Remove the meta "Generator” tag • Change the urls for WordPress dashboard including login, admin, and more • Completely turn off the ability to login for a given time period (away mode) • Remove theme, plugin, and core update notifications from users who do not have permission to update them • rename "admin" account and Change the ID on the user with ID 1 • Change the WordPress database table prefix • Removes login error messages
Better WP Security: Protects • Scan your site to instantly tell where vulnerabilities are and fix them in seconds • Ban troublesome bots and other hosts • Ban troublesome user agents • Prevent brute force attacks by banning hosts and users with too many invalid login attempts • Enforce strong passwords for all accounts of a configurable minimum role • Force SSL for admin page (on supporting servers) • Turn off file editing from within WordPress admin area • Detect and block numerous attacks to your filesystem and database
Better WP Security: Detect • Monitor filesystem for unauthorized changes • Detect bots and other attempts to search for vulnerabilities Better WP Security: Recovery • Create and email database backups on a customizable schedule
Resources for WordPress Security Security Related Articles • http://codex.wordpress.org/Hardening_WordPress • http://blog.sucuri.net/2012/04/lockdown-wordpress-a- security-webinar-with-dre-armeda.html • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the- hacker-and-ensure-your-site-is-locked.html • http://catchinternet.com/blog/wordpress-security-tips/ Clean a Hacked Site • http://codex.wordpress.org/FAQ_My_site_was_hacked • http://www.marketingtechblog.com/wordpress-hacked/ • http://sakinshrestha.com/wordpress/fix-if-your-wordpress- site-is-hacked/
Resources for WordPress Security Support Forums • Hacked: http://wordpress.org/tags/hacked • Malware: http://wordpress.org/tags/malware
Building Secure WordPress Sites Sakin Shrestha Blog: http://sakinshrestha.com Email: sakin@catchinternet.com Twitter: @sakinshrestha

Recommended

10 Ways to Secure WordPress
10 Ways to Secure WordPress10 Ways to Secure WordPress
10 Ways to Secure WordPressJeremy Green
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressChelsea O'Brien
 
WordPress Security Essentials
WordPress Security EssentialsWordPress Security Essentials
WordPress Security EssentialsAngela Bowman
 
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014Primary Image Ltd
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012Angela Bowman
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress websiteSiteGround.com
 
Sucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri Webinar: How to Optimize Your Website for Best PerformanceSucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri Webinar: How to Optimize Your Website for Best PerformanceSucuri
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wildrebelpixel
 

Recommended

10 Ways to Secure WordPress
10 Ways to Secure WordPress10 Ways to Secure WordPress
10 Ways to Secure WordPressJeremy Green
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressChelsea O'Brien
 
WordPress Security Essentials
WordPress Security EssentialsWordPress Security Essentials
WordPress Security EssentialsAngela Bowman
 
How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014How to Secure your WordPress Website - WordCamp UK 2014
How to Secure your WordPress Website - WordCamp UK 2014Primary Image Ltd
 
WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012WordPress Security Essentials WordCamp Denver 2012
WordPress Security Essentials WordCamp Denver 2012Angela Bowman
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress websiteSiteGround.com
 
Sucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri Webinar: How to Optimize Your Website for Best PerformanceSucuri Webinar: How to Optimize Your Website for Best Performance
Sucuri Webinar: How to Optimize Your Website for Best PerformanceSucuri
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wildrebelpixel
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wildrebelpixel
 
WordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupWordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupChris Burgess
 
The Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress SecurityThe Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress SecurityAidanChard
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your JoomlaSiteGround.com
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guideMickey Mellen
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security BasicsRyan Plas
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013Brad Williams
 
An example of cms - wordpress
An example of cms - wordpressAn example of cms - wordpress
An example of cms - wordpressEunus Hosen
 
Sucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNsSucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNsSucuri
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSiteGround.com
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid ThemSiteGround.com
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityBrad Williams
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaDre Armeda
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security pptCheap SSL Coupon Code
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte SecureMichele Butcher-Jones
 
Why wordpress is not completely safe
Why wordpress is not completely safeWhy wordpress is not completely safe
Why wordpress is not completely safeBrainwork Technologies
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesJonathan Hall
 
WordPress Security Tips
WordPress Security TipsWordPress Security Tips
WordPress Security TipsCatch Themes
 
WordPress Security
WordPress Security WordPress Security
WordPress Security Christina Hawkins
 
Your Site Has Been Hacked, Now What?
Your Site Has Been Hacked, Now What?Your Site Has Been Hacked, Now What?
Your Site Has Been Hacked, Now What?Michele Butcher-Jones
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 

More Related Content

What's hot

WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wildrebelpixel
 
WordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupWordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupChris Burgess
 
The Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress SecurityThe Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress SecurityAidanChard
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your JoomlaSiteGround.com
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guideMickey Mellen
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security BasicsRyan Plas
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013Brad Williams
 
An example of cms - wordpress
An example of cms - wordpressAn example of cms - wordpress
An example of cms - wordpressEunus Hosen
 
Sucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNsSucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNsSucuri
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSiteGround.com
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid ThemSiteGround.com
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaDre Armeda
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security pptCheap SSL Coupon Code
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesJonathan Hall
 
WordPress Security Tips
WordPress Security TipsWordPress Security Tips
WordPress Security TipsCatch Themes
 

What's hot (20)

WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
 
WordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User MeetupWordPress Security Basics - Melbourne WordPress User Meetup
WordPress Security Basics - Melbourne WordPress User Meetup
 
The Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress SecurityThe Ultimate Guide to Wordpress Security
The Ultimate Guide to Wordpress Security
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security Basics
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
 
An example of cms - wordpress
An example of cms - wordpressAn example of cms - wordpress
An example of cms - wordpress
 
Sucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNsSucuri Webinar: Beginner's Guide to CDNs
Sucuri Webinar: Beginner's Guide to CDNs
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
Secrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla RevealedSecrets to a Hack-Proof Joomla Revealed
Secrets to a Hack-Proof Joomla Revealed
 
8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them8 Most Popular Joomla Hacks & How To Avoid Them
8 Most Popular Joomla Hacks & How To Avoid Them
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
 
Tips to improve word press security ppt
Tips to improve word press security pptTips to improve word press security ppt
Tips to improve word press security ppt
 
Keep Your SIte Secure
Keep Your SIte SecureKeep Your SIte Secure
Keep Your SIte Secure
 
Why wordpress is not completely safe
Why wordpress is not completely safeWhy wordpress is not completely safe
Why wordpress is not completely safe
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best Practices
 
WordPress Security Tips
WordPress Security TipsWordPress Security Tips
WordPress Security Tips
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
 

Similar to Building Secure WordPress Sites

Your Site Has Been Hacked, Now What?
Your Site Has Been Hacked, Now What?Your Site Has Been Hacked, Now What?
Your Site Has Been Hacked, Now What?Michele Butcher-Jones
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best PracticesRobert Vidal
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateZero Point Development
 
Securing your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupSecuring your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupOyster Bay Marauders LLC
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBrian Layman
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityIvan Storck
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
Everything WordPress
Everything WordPressEverything WordPress
Everything WordPressEric Myers
 
How WordPress Sites Get Hacked
How WordPress Sites Get HackedHow WordPress Sites Get Hacked
How WordPress Sites Get HackedAndrew Marks
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015kriptonium
 
WordPress Intermediate Workshop
WordPress Intermediate WorkshopWordPress Intermediate Workshop
WordPress Intermediate WorkshopThe Toolbox, Inc.
 
Basics for Securing WordPress
Basics for Securing WordPressBasics for Securing WordPress
Basics for Securing WordPressmiss604
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityNathan Platt
 
WordPress Security 101 - WordCamp Nairobi 2019
WordPress Security 101 - WordCamp Nairobi 2019WordPress Security 101 - WordCamp Nairobi 2019
WordPress Security 101 - WordCamp Nairobi 2019stk_jj
 

Similar to Building Secure WordPress Sites (20)

Your Site Has Been Hacked, Now What?
Your Site Has Been Hacked, Now What?Your Site Has Been Hacked, Now What?
Your Site Has Been Hacked, Now What?
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
 
Securing your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP MeetupSecuring your WordPress website - New Port Richey WP Meetup
Securing your WordPress website - New Port Richey WP Meetup
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being HackedBlog World 2010 - How to Keep Your Blog from Being Hacked
Blog World 2010 - How to Keep Your Blog from Being Hacked
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
Everything WordPress
Everything WordPressEverything WordPress
Everything WordPress
 
How WordPress Sites Get Hacked
How WordPress Sites Get HackedHow WordPress Sites Get Hacked
How WordPress Sites Get Hacked
 
WordPress Complete Tutorial
WordPress Complete TutorialWordPress Complete Tutorial
WordPress Complete Tutorial
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
WordPress Intermediate Workshop
WordPress Intermediate WorkshopWordPress Intermediate Workshop
WordPress Intermediate Workshop
 
Joomla! security jday2015
Joomla! security jday2015Joomla! security jday2015
Joomla! security jday2015
 
Basics for Securing WordPress
Basics for Securing WordPressBasics for Securing WordPress
Basics for Securing WordPress
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
I Have My WordPress Site Now What?
I Have My WordPress Site Now What?I Have My WordPress Site Now What?
I Have My WordPress Site Now What?
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
WordPress Security 101 - WordCamp Nairobi 2019
WordPress Security 101 - WordCamp Nairobi 2019WordPress Security 101 - WordCamp Nairobi 2019
WordPress Security 101 - WordCamp Nairobi 2019
 

More from Catch Themes

Building WordPress Theme Business: My Story
Building WordPress Theme Business: My StoryBuilding WordPress Theme Business: My Story
Building WordPress Theme Business: My StoryCatch Themes
 
Speaking at WordCamps? What not to do…
Speaking at WordCamps? What not to do…Speaking at WordCamps? What not to do…
Speaking at WordCamps? What not to do…Catch Themes
 
Opening Remarks - WordCamp Kathmandu, 2016
Opening Remarks - WordCamp Kathmandu, 2016 Opening Remarks - WordCamp Kathmandu, 2016
Opening Remarks - WordCamp Kathmandu, 2016 Catch Themes
 
Breaking social barriers and creating opportunities
Breaking social barriers and creating opportunitiesBreaking social barriers and creating opportunities
Breaking social barriers and creating opportunitiesCatch Themes
 
World of Creative Designer & Front-end-Developer
World of Creative Designer & Front-end-DeveloperWorld of Creative Designer & Front-end-Developer
World of Creative Designer & Front-end-DeveloperCatch Themes
 
Approaches To WordPress Theme Development
Approaches To WordPress Theme DevelopmentApproaches To WordPress Theme Development
Approaches To WordPress Theme DevelopmentCatch Themes
 
Contributing to WordPress Theme Review at WordPress.org
Contributing to WordPress Theme Review at WordPress.orgContributing to WordPress Theme Review at WordPress.org
Contributing to WordPress Theme Review at WordPress.orgCatch Themes
 
How to get your theme on Top 15 Popular Themes at WordPress.org
How to get your theme on Top 15 Popular Themes at WordPress.orgHow to get your theme on Top 15 Popular Themes at WordPress.org
How to get your theme on Top 15 Popular Themes at WordPress.orgCatch Themes
 
Starting WordPress Theme Review
Starting WordPress Theme ReviewStarting WordPress Theme Review
Starting WordPress Theme ReviewCatch Themes
 
WordPress Uses & Scope
WordPress Uses & ScopeWordPress Uses & Scope
WordPress Uses & ScopeCatch Themes
 

More from Catch Themes (10)

Building WordPress Theme Business: My Story
Building WordPress Theme Business: My StoryBuilding WordPress Theme Business: My Story
Building WordPress Theme Business: My Story
 
Speaking at WordCamps? What not to do…
Speaking at WordCamps? What not to do…Speaking at WordCamps? What not to do…
Speaking at WordCamps? What not to do…
 
Opening Remarks - WordCamp Kathmandu, 2016
Opening Remarks - WordCamp Kathmandu, 2016 Opening Remarks - WordCamp Kathmandu, 2016
Opening Remarks - WordCamp Kathmandu, 2016
 
Breaking social barriers and creating opportunities
Breaking social barriers and creating opportunitiesBreaking social barriers and creating opportunities
Breaking social barriers and creating opportunities
 
World of Creative Designer & Front-end-Developer
World of Creative Designer & Front-end-DeveloperWorld of Creative Designer & Front-end-Developer
World of Creative Designer & Front-end-Developer
 
Approaches To WordPress Theme Development
Approaches To WordPress Theme DevelopmentApproaches To WordPress Theme Development
Approaches To WordPress Theme Development
 
Contributing to WordPress Theme Review at WordPress.org
Contributing to WordPress Theme Review at WordPress.orgContributing to WordPress Theme Review at WordPress.org
Contributing to WordPress Theme Review at WordPress.org
 
How to get your theme on Top 15 Popular Themes at WordPress.org
How to get your theme on Top 15 Popular Themes at WordPress.orgHow to get your theme on Top 15 Popular Themes at WordPress.org
How to get your theme on Top 15 Popular Themes at WordPress.org
 
Starting WordPress Theme Review
Starting WordPress Theme ReviewStarting WordPress Theme Review
Starting WordPress Theme Review
 
WordPress Uses & Scope
WordPress Uses & ScopeWordPress Uses & Scope
WordPress Uses & Scope
 

Recently uploaded

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Scott Keck-Warren
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 3652toLead Limited
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...Fwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024Scott Keck-Warren
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticscarlostorres15106
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machinePadma Pradeep
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 

Recently uploaded (20)

Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024Advanced Test Driven-Development @ php[tek] 2024
Advanced Test Driven-Development @ php[tek] 2024
 
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
Tech-Forward - Achieving Business Readiness For Copilot in Microsoft 365
 
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks..."LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
"LLMs for Python Engineers: Advanced Data Analysis and Semantic Kernel",Oleks...
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024SQL Database Design For Developers at php[tek] 2024
SQL Database Design For Developers at php[tek] 2024
 
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmaticsKotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
Kotlin Multiplatform & Compose Multiplatform - Starter kit for pragmatics
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Install Stable Diffusion in windows machine
Install Stable Diffusion in windows machineInstall Stable Diffusion in windows machine
Install Stable Diffusion in windows machine
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Pigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food ManufacturingPigging Solutions in Pet Food Manufacturing
Pigging Solutions in Pet Food Manufacturing
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 

Building Secure WordPress Sites

  • 1.
  • 2. Building Secure WordPress Sites By Sakin Shrestha Blog: http://sakinshrestha.com Email: sakin@catchinternet.com Twitter: @sakinshrestha
  • 3. Sakin Shrestha • Founder of Catch Internet and Catch Themes • WordPress Theme Developer • Business Consultant • Member of WordPress Theme Review Team
  • 4. WordPress • Most Popular Open Source Web Application • 17% of the Websites in the World • 1 in 6 websites
  • 5. Top 10 Myths That We Live By Source: http://www.problogger.net/archives/2012/08/29/top-10- wordpress-security-myths/
  • 6. The Myths We Live By Myth 1: WordPress is not Secure Reality: • Old versions of WordPress are NOT secure • Current WordPress version is secure
  • 7. The Myths We Live By Myth 2: Nobody wants to hack my site Reality: • Most hacking attempts are automated • Once your site is on public web hosting, you need to protect it. • When using WordPress you need to keep theme and plugins updated
  • 8. The Myths We Live By Myth 3: My WordPress site is 100% secured Reality: • No site that’s accessible on the internet will ever be 100% secure. • You need to have a good backup available
  • 9. The Myths We Live By Myth 4: Updating my themes and plugins whenever I log in is good enough Reality: • It’s not. You need to update it ASAP • Timthumb script exploit was discovered and exploited on a mass number of blogs within DAYS!
  • 10. The Myths We Live By Myth 5: I only use themes and plugins from wordpress.org, so I’m safe Reality: • Plugins and themes are the #1 way hackers gain access to your site • Only WordPress current Core is secure • WordPress.org is safer but not sure bet
  • 11. The Myths We Live By Myth 6: If I de-activate a theme or plugin, there is no risk Reality: • There is risk • Because even files of de-activated plugins and themes can be access via the Internet
  • 12. The Myths We Live By Myth 7: My site is secured by Security Plugins Reality: • It just add layer of protection • It won’t help much if a hacker gains access to your online session & password, or sensitive files • It won’t help if the hosting server is compromised
  • 13. The Myths We Live By Myth 8: If my site is compromised I will quickly find out Reality: • Many hacks are invisible to visitors and only visible to bots • You may not know until your site has been blacklisted by Google • Use site monitoring service or plugin
  • 14. The Myths We Live By Myth 9: My password is good enough Reality: • A normal 8 characters or less password can be decoded easily. • Try using mix of characters, numbers and special characters • Use password generator tools
  • 15. The Myths We Live By Myth 10: If my site is hacked, my hosting can restore it for me Reality: • Yes if you have premium hosting severs like WordPress VIP Hosting • No for normal hosting.
  • 16. Building Secure WordPress Sites in Simple 10 Steps
  • 17. Building Secure WordPress Sites Step 1: Secure your own Computer Recommendation: Keep it private Run anti-virus software regularly Don’t login via insecure or public WIFI network Be careful of sites you click on.
  • 18. Building Secure WordPress Sites Step 2: Get reliable Hosting server Recommended Hosting: Bluehost Media Temple Web Synthesis WP Engine WordPress VIP Hosting
  • 19. Building Secure WordPress Sites Step 3: Add Secret Keys in wp-config.php file Recommendation: A secret key is a hashing salt which makes your site harder to hack by adding random elements to the password. Visit this URL to get your secret keys: https://api.wordpress.org/secret- key/1.1/salt/
  • 20. Building Secure WordPress Sites Step 4: Proper File and Folder Permission Recommendation: Files should be set to 644 Folders should be set to 755
  • 21. Building Secure WordPress Sites Step 5: Use strong password and remove admin name Recommendation: Use password generator to reset passwords for WP, FTP, Hosting and Email Create a new admin user, log out, login as new user, delete old the “admin” user and assign posts/pages to new admin
  • 22. Building Secure WordPress Sites Step 6: Get reliable WordPress theme Recommendation: Use free theme hosted in WordPress.org Use premium theme only from reputed theme development companies ( Catch Themes, Woo Themes, Graph Paper Press)
  • 23. Building Secure WordPress Sites Step 7: Get reliable WordPress plugins Recommendation: Try to minimize the use of plugins For free plugins only use Top Rated and Popular plugins in WordPress.org For premium plugins check the code, change logs and feedbacks
  • 24. Building Secure WordPress Sites Step 8: Setup backup schedule Recommendation: Use backup plugin such as VaultPress, Backup Buddy, WP DB Backup, WP Online backup and so on Backup as often as you don’t want to loose data
  • 25. Building Secure WordPress Sites Step 9: Update Update and Update Recommendation: No Excuse Update your WordPress, Themes and Plugins
  • 26. Building Secure WordPress Sites Step 10: Install Security Plugins Recommendation: Better WP Security SucuriSitecheck Malware Scanner Secure WordPress BulletProof Security WP Security Scan
  • 27. Better WP Security: Hides • Remove the meta "Generator” tag • Change the urls for WordPress dashboard including login, admin, and more • Completely turn off the ability to login for a given time period (away mode) • Remove theme, plugin, and core update notifications from users who do not have permission to update them • rename "admin" account and Change the ID on the user with ID 1 • Change the WordPress database table prefix • Removes login error messages
  • 28. Better WP Security: Protects • Scan your site to instantly tell where vulnerabilities are and fix them in seconds • Ban troublesome bots and other hosts • Ban troublesome user agents • Prevent brute force attacks by banning hosts and users with too many invalid login attempts • Enforce strong passwords for all accounts of a configurable minimum role • Force SSL for admin page (on supporting servers) • Turn off file editing from within WordPress admin area • Detect and block numerous attacks to your filesystem and database
  • 29. Better WP Security: Detect • Monitor filesystem for unauthorized changes • Detect bots and other attempts to search for vulnerabilities Better WP Security: Recovery • Create and email database backups on a customizable schedule
  • 30. Resources for WordPress Security Security Related Articles • http://codex.wordpress.org/Hardening_WordPress • http://blog.sucuri.net/2012/04/lockdown-wordpress-a- security-webinar-with-dre-armeda.html • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the- hacker-and-ensure-your-site-is-locked.html • http://catchinternet.com/blog/wordpress-security-tips/ Clean a Hacked Site • http://codex.wordpress.org/FAQ_My_site_was_hacked • http://www.marketingtechblog.com/wordpress-hacked/ • http://sakinshrestha.com/wordpress/fix-if-your-wordpress- site-is-hacked/
  • 31. Resources for WordPress Security Support Forums • Hacked: http://wordpress.org/tags/hacked • Malware: http://wordpress.org/tags/malware
  • 32. Building Secure WordPress Sites Sakin Shrestha Blog: http://sakinshrestha.com Email: sakin@catchinternet.com Twitter: @sakinshrestha