Bastian Grimm, profile picture
Uploaded byBastian Grimm
13,504 views

Hardening WordPress - Friends of Search 2014 (WordPress Security)

The document outlines essential steps to enhance WordPress security, including regular updates, removing unused plugins/themes, and frequent backups. Key recommendations also include properly setting up WordPress with unique keys, protecting critical files, and implementing two-factor authentication. Additional tips suggest locking out multiple failed login attempts and adjusting file permissions for better security.

Embed presentation

FRIENDS OF SEARCH HARDENING WORDPRESS VARIOUS TWEAKS FOR BETTER WP SECURITY
WHAT REALLY MATTERS: TOP 3! IF YOU HAVE 5 MINS TO SPARE, JUST DO THESE…
#1 Update your blogs regularly! http://wordpress.org/extend/plugins/wp-updates-notifier/
Change update behavior… Be sure to REALLY know what you’re doing there…! # Disables ALL core updates: define('WP_AUTO_UPDATE_CORE', false); # Enables all core updates, including minor and majors: define('WP_AUTO_UPDATE_CORE', true); # Default: Enables core updates for minor releases: define('WP_AUTO_UPDATE_CORE', 'minor'); Want something more fine-grained? Check AUTO_UPDATE_$TYPE filter (e.g. auto_update_plugin, auto_update_theme, etc.) which is used for specific updates. http://github.com/georgestephanis/update-control/
WWW.INFINITEWP.COM
WWW.MANAGEWP.COM
#2 Get rid of stuff you don’t use! Remove all inactive plug-ins as well as themes!
#3 Backup Database & Files, often! http://wordpress.org/extend/plugins/backwpup/
SECURITY STARTS AT SETUP MAKE THINGS RIGHT FROM THE BEGINNING…!
#4 Setup WordPress properly Use unique keys and salts to add random elements for encryption! Use a cryptic prefix to prevent automated scripts and SQL injections. $table_prefix = ‘wp_VzQCxSJv7uL_ ‘; https://api.wordpress.org/secret-key/1.1/salt/
#5 Protect your wp-config.php <files wp-config.php> order deny,allow deny from all </files> This needs to go into your WP roots’ .htaccess file to prevent external access Even better… move wpconfig.php outside of „www“. Also do chmod 400/440
#6 Remove the default „admin“ Setup new user as admin; logout. Login w/ new admin; delete old one. Make sure to use a STRONG password, pleeaaasssseeee! http://www.random.org/passwords/
#7 Protect your Login (and wp-admin) Recommended: Try the “Lockdown WP Admin” plug-in to protect PHP files in wpadmin as well as the login itself. Don’t just put an .htaccess for basic passwd. protection. It’s a lot of pain… http://wordpress.org/extend/plugins/lockdown-wp-admin/
#8 Lock-out multiple failed logins Limit Login Attempts http://wordpress.org/extend/plugins/limit-login-attempts/
#9 Even better: Two-factor Verification Info: http://gdig.de/1t - Download: http://gdig.de/1u
#9 Even better: Two-factor Verification Google Authenticator http://wordpress.org/plugins/google-authenticator/
#9 Even better: Two-factor Verification Provide your login credentials and get auth-code from your mobile phones‘ G-Auth-App.
WWW.DUOSECURITY.COM
WWW.DUOSECURITY.COM
WWW.GETCLEF.COM
#10 Block malicious URL requests domain.com/?q=%2e%2e or domain.com/path/base64_ will return HTTP 403 (Forbidden). http://wordpress.org/plugins/block-bad-queries/
ADDITIONAL TWEAKS THINGS YOU COULD DO IN YOUR CONFIG AS WELL…
#11 SSL Logins & Administration define('FORCE_SSL_LOGIN', true); Set FORCE_SSL_LOGIN to “true” to force all logins to happen over SSL. (still allows non-SSL admin sessions) define('FORCE_SSL_ADMIN', true); Use FORCE_SSL_ADMIN to force all logins and all admin sessions to happen over SSL (can be slow…)
#12 Move the “wp-content” folder define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content'); WP_CONTENT_DIR points to “new” the full local path (no trailing slash) define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content'); WP_CONTENT_URL points to “new” full URI (no trailing slash either)
#13 Disable File Editing define('DISALLOW_FILE_EDIT', true); Set DISALLOW_FILE_EDIT to “true” to disable editing files from dashboard. By default, admins are allowed to edit PHP files. Setting the above is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users.
#14 Fix File & Folder Permissions WP-Security Scan Very important: chmod your wp-config.php to be read-only! http://wordpress.org/extend/plugins/wp-security-scan/
WORDPRESS.ORG/PLUGINS/WORDFENCE/
WORDPRESS.ORG/PLUGINS/BETTER-WP-SECURITY/
@basgr SEO Trainings, Seminars & Strategy Consulting Berlin-based Full-Service Performance Marketing Agency WordPress Security, Consulting & Development www.bg.vu/fos14

More Related Content

PPTX
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
byBastian Grimm
 
PPTX
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
byBastian Grimm
 
PPTX
On-Page SEO EXTREME - SEOZone Istanbul 2013
byBastian Grimm
 
PPTX
Technical SEO: Crawl Space Management - SEOZone Istanbul 2014
byBastian Grimm
 
PDF
SEO Tools of the Trade - Barcelona Affiliate Conference 2014
byBastian Grimm
 
PPTX
What's in my SEO Toolbox: Linkbuilding Edition - SMX Milan 2014
byBastian Grimm
 
PPTX
Structured Data & Schema.org - SMX Milan 2014
byBastian Grimm
 
PPTX
Seozone - 5 tips
byAnna Morrison
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
byBastian Grimm
 
40 WordPress Tips: Security, Engagement, SEO & Performance - SMX Sydney 2013
byBastian Grimm
 
On-Page SEO EXTREME - SEOZone Istanbul 2013
byBastian Grimm
 
Technical SEO: Crawl Space Management - SEOZone Istanbul 2014
byBastian Grimm
 
SEO Tools of the Trade - Barcelona Affiliate Conference 2014
byBastian Grimm
 
What's in my SEO Toolbox: Linkbuilding Edition - SMX Milan 2014
byBastian Grimm
 
Structured Data & Schema.org - SMX Milan 2014
byBastian Grimm
 
Seozone - 5 tips
byAnna Morrison
 

What's hot

PDF
Prebrowsing - Velocity NY 2013
bySteve Souders
 
PDF
Your WordPress Website Is/Not Hacked
byAngela Bowman
 
PDF
Your WordPress Site is and is not Hacked - You don't know until you check
byAngela Bowman
 
PDF
Plugins at WordCamp Phoenix
byAndrew Ryno
 
PDF
SEO Social Blog: Wordpress SEO with Joost de Valk
bySEO Social Blog
 
PPT
Matt
byamitagarwal
 
PPT
Whitehat seo tips for bloggers
byimarketingtrends
 
PPT
Whitehat Seo Tips For Bloggers
byClaudio Juliana
 
PPT
CONSEJOS PARA OPTIMIZAR EL BLOG
bylomasbuscadoengoogle
 
PPT
SEO Tips For Bloggers
byguest3c5779
 
PDF
Joost's Wordpress Affiliate Session @ LAC 2010
bya4u
 
PDF
The Need for Speed (5 Performance Optimization Tipps) - brightonSEO 2014
byBastian Grimm
 
ODP
Don't sh** in the Pool
byChris Jean
 
PPTX
10 Tips to make your Website lightning-fast - SMX Stockholm 2012
byBastian Grimm
 
PDF
Really Awesome WordPress Plugins You Should Know About
byAngela Bowman
 
PDF
International Site Speed Tweaks - ISS 2017 Barcelona
byBastian Grimm
 
PPTX
SMX Advanced 2018 SEO for Javascript Frameworks by Patrick Stox
bypatrickstox
 
PDF
How I learned to stop worrying and love the .htaccess file
byRoxana Stingu
 
PDF
Make your website load really really fast - seo campus 2017
bySEO Camp Association
 
PPT
Joomla wireframing Template - Joomladay Netherlands 2014 #jd14nl
byPhilip Locke
 
Prebrowsing - Velocity NY 2013
bySteve Souders
 
Your WordPress Website Is/Not Hacked
byAngela Bowman
 
Your WordPress Site is and is not Hacked - You don't know until you check
byAngela Bowman
 
Plugins at WordCamp Phoenix
byAndrew Ryno
 
SEO Social Blog: Wordpress SEO with Joost de Valk
bySEO Social Blog
 
Matt
byamitagarwal
 
Whitehat seo tips for bloggers
byimarketingtrends
 
Whitehat Seo Tips For Bloggers
byClaudio Juliana
 
CONSEJOS PARA OPTIMIZAR EL BLOG
bylomasbuscadoengoogle
 
SEO Tips For Bloggers
byguest3c5779
 
Joost's Wordpress Affiliate Session @ LAC 2010
bya4u
 
The Need for Speed (5 Performance Optimization Tipps) - brightonSEO 2014
byBastian Grimm
 
Don't sh** in the Pool
byChris Jean
 
10 Tips to make your Website lightning-fast - SMX Stockholm 2012
byBastian Grimm
 
Really Awesome WordPress Plugins You Should Know About
byAngela Bowman
 
International Site Speed Tweaks - ISS 2017 Barcelona
byBastian Grimm
 
SMX Advanced 2018 SEO for Javascript Frameworks by Patrick Stox
bypatrickstox
 
How I learned to stop worrying and love the .htaccess file
byRoxana Stingu
 
Make your website load really really fast - seo campus 2017
bySEO Camp Association
 
Joomla wireframing Template - Joomladay Netherlands 2014 #jd14nl
byPhilip Locke
 

Viewers also liked

PPTX
Motivarea si evaluarea angajaților
byOdooRomania
 
PDF
Agep welcome leipzig
bybfnd
 
PPTX
Rasmus Lassen, Byggechef i Københavns Ejendomme
byMikkel Rohde Madsen
 
PPTX
history of cinema powerpoint in Malayalam
byAndur Sahadevan
 
PDF
Internationalizing Ubuntu apps
byDavid Planella
 
PPT
e ID
by
 
PDF
vmchecker @SCS
byRăzvan Deaconescu
 
PPS
Quien sera
byfrani
 
DOC
British Royal House
byLorena GL
 
PDF
BIM ir SOLIDWORKS
byIN RE UAB
 
PDF
SOLIDWORKS Plastics LT
byIN RE UAB
 
PDF
KM-Report may-2015
byMobidays
 
PDF
CCR&R Part Two (Planning)
byUniversity of Oregon
 
PPTX
Ciencias del Deporte
byErika_Bello
 
PPTX
Generalsekretærfrokost 23.05.16
byFrivillighet Norge
 
PDF
Ne explanation of the last tenth of the quran
byLoveofpeople
 
PPTX
“Η Logo στην εκπαίδευση: Μια κοινότητα πρακτικής και μάθησης” - i2fest 2015
byKaterina Glezou
 
PPTX
Tekijänoikeusaineistot luokittelutavan valinta
bySanna Brauer
 
PPTX
Российский фронт битвы гигантов
byMik Chernomordikov
 
PPTX
Content marketing: Sjarlatan eller superhelt?
bySindre Holme
 
Motivarea si evaluarea angajaților
byOdooRomania
 
Agep welcome leipzig
bybfnd
 
Rasmus Lassen, Byggechef i Københavns Ejendomme
byMikkel Rohde Madsen
 
history of cinema powerpoint in Malayalam
byAndur Sahadevan
 
Internationalizing Ubuntu apps
byDavid Planella
 
e ID
by
 
vmchecker @SCS
byRăzvan Deaconescu
 
Quien sera
byfrani
 
British Royal House
byLorena GL
 
BIM ir SOLIDWORKS
byIN RE UAB
 
SOLIDWORKS Plastics LT
byIN RE UAB
 
KM-Report may-2015
byMobidays
 
CCR&R Part Two (Planning)
byUniversity of Oregon
 
Ciencias del Deporte
byErika_Bello
 
Generalsekretærfrokost 23.05.16
byFrivillighet Norge
 
Ne explanation of the last tenth of the quran
byLoveofpeople
 
“Η Logo στην εκπαίδευση: Μια κοινότητα πρακτικής και μάθησης” - i2fest 2015
byKaterina Glezou
 
Tekijänoikeusaineistot luokittelutavan valinta
bySanna Brauer
 
Российский фронт битвы гигантов
byMik Chernomordikov
 
Content marketing: Sjarlatan eller superhelt?
bySindre Holme
 

Similar to Hardening WordPress - Friends of Search 2014 (WordPress Security)

PPTX
WordPress Security Updated - NYC Meetup 2009
byBrad Williams
 
PPT
WordPress Security - WordCamp Boston 2010
byBrad Williams
 
PDF
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
byChetan Soni
 
PPTX
WordPress End-User Security
byDre Armeda
 
PPTX
Wordpress Security & Hardening Steps
byPlasterdog Web Design
 
PDF
WordPress Security
byChristina Hawkins
 
PPTX
Protect Your WordPress From The Inside Out
bySiteGround.com
 
PPT
WordPress Security - WordCamp NYC 2009
byBrad Williams
 
PPT
Now That's What I Call WordPress Security 2010
byBrad Williams
 
PDF
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
PPTX
Website security
byAkhilesh Kant
 
PPTX
How to Secure your WordPress Website - WordCamp UK 2014
byPrimary Image Ltd
 
PDF
Top Ten WordPress Security Tips for 2012
byBrad Williams
 
PDF
WordPress Security - 12 WordPress Security Fundamentals
byfindingsimple
 
KEY
Securing WordPress by Jeff Hoffman
byJeff Hoffman
 
PDF
Secure wordpress
byPrabesh Thapa
 
PDF
WordPress Security is like a HHAM Sandwich
byRed8 Interactive
 
PPT
Wordpress Security Tips
byLalit Nama
 
PPTX
WordPress Security Fundamentals - WordCamp Biratnagar 2018
byAbul Khayer
 
PDF
WordPress Security 101 - Meetup Nairobi March 2020
bystk_jj
 
WordPress Security Updated - NYC Meetup 2009
byBrad Williams
 
WordPress Security - WordCamp Boston 2010
byBrad Williams
 
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert
byChetan Soni
 
WordPress End-User Security
byDre Armeda
 
Wordpress Security & Hardening Steps
byPlasterdog Web Design
 
WordPress Security
byChristina Hawkins
 
Protect Your WordPress From The Inside Out
bySiteGround.com
 
WordPress Security - WordCamp NYC 2009
byBrad Williams
 
Now That's What I Call WordPress Security 2010
byBrad Williams
 
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
Website security
byAkhilesh Kant
 
How to Secure your WordPress Website - WordCamp UK 2014
byPrimary Image Ltd
 
Top Ten WordPress Security Tips for 2012
byBrad Williams
 
WordPress Security - 12 WordPress Security Fundamentals
byfindingsimple
 
Securing WordPress by Jeff Hoffman
byJeff Hoffman
 
Secure wordpress
byPrabesh Thapa
 
WordPress Security is like a HHAM Sandwich
byRed8 Interactive
 
Wordpress Security Tips
byLalit Nama
 
WordPress Security Fundamentals - WordCamp Biratnagar 2018
byAbul Khayer
 
WordPress Security 101 - Meetup Nairobi March 2020
bystk_jj
 

More from Bastian Grimm

PDF
Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018
byBastian Grimm
 
PDF
Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017
byBastian Grimm
 
PDF
Migration Best Practices - Search Y 2019, Paris
byBastian Grimm
 
PPTX
Migration Best Practices - Peak Ace on Air
byBastian Grimm
 
PDF
Migration Best Practices - SMX London 2018
byBastian Grimm
 
PDF
Technical SEO vs. User Experience - Bastian Grimm, Peak Ace AG
byBastian Grimm
 
PDF
Migration Best Practices - SEOkomm 2018
byBastian Grimm
 
PDF
Migration Best Practices - SMX West 2019
byBastian Grimm
 
PDF
Web Performance Madness - brightonSEO 2018
byBastian Grimm
 
PDF
The need for Speed: Advanced #webperf - SEOday 2018
byBastian Grimm
 
PDF
Super speed around the globe - SearchLeeds 2018
byBastian Grimm
 
PDF
Advanced data-driven technical SEO - SMX London 2019
byBastian Grimm
 
PDF
AMP - SMX München 2018
byBastian Grimm
 
PDF
SEOday Köln 2020 - Surprise, Surprise - 5 SEO secrets
byBastian Grimm
 
PDF
Welcome to a new reality - DeepCrawl Webinar 2018
byBastian Grimm
 
PDF
OK Google, Whats next? - OMT Wiesbaden 2018
byBastian Grimm
 
PDF
Digitale Assistenzsysteme - SMX München 2018
byBastian Grimm
 
PDF
Whats Next in SEO & CRO - 3XE Conference 2018 Dublin
byBastian Grimm
 
PDF
How fast is fast enough - SMX West 2018
byBastian Grimm
 
PDF
Digitale Assistenten - OMX 2017
byBastian Grimm
 
Data-driven Technical SEO: Logfile Auditing - SEOkomm 2018
byBastian Grimm
 
Migration Best-Practices: So gelingt der erfolgreiche Relaunch - SEOkomm 2017
byBastian Grimm
 
Migration Best Practices - Search Y 2019, Paris
byBastian Grimm
 
Migration Best Practices - Peak Ace on Air
byBastian Grimm
 
Migration Best Practices - SMX London 2018
byBastian Grimm
 
Technical SEO vs. User Experience - Bastian Grimm, Peak Ace AG
byBastian Grimm
 
Migration Best Practices - SEOkomm 2018
byBastian Grimm
 
Migration Best Practices - SMX West 2019
byBastian Grimm
 
Web Performance Madness - brightonSEO 2018
byBastian Grimm
 
The need for Speed: Advanced #webperf - SEOday 2018
byBastian Grimm
 
Super speed around the globe - SearchLeeds 2018
byBastian Grimm
 
Advanced data-driven technical SEO - SMX London 2019
byBastian Grimm
 
AMP - SMX München 2018
byBastian Grimm
 
SEOday Köln 2020 - Surprise, Surprise - 5 SEO secrets
byBastian Grimm
 
Welcome to a new reality - DeepCrawl Webinar 2018
byBastian Grimm
 
OK Google, Whats next? - OMT Wiesbaden 2018
byBastian Grimm
 
Digitale Assistenzsysteme - SMX München 2018
byBastian Grimm
 
Whats Next in SEO & CRO - 3XE Conference 2018 Dublin
byBastian Grimm
 
How fast is fast enough - SMX West 2018
byBastian Grimm
 
Digitale Assistenten - OMX 2017
byBastian Grimm
 

Recently uploaded

PDF
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
PDF
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
PDF
The year in review - MarvelClient in 2025
bypanagenda
 
PDF
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
PDF
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
PDF
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
PDF
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
PDF
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
PDF
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
PDF
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
PDF
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
PDF
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
PDF
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
PDF
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
PPTX
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
PDF
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
PDF
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
PDF
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
PDF
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
PDF
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 
Vibe Coding vs. Spec-Driven Development [Free Meetup]
byHaim Michael
 
Security Technologys: Access Control, Firewall, VPN
byShielaLasala
 
The year in review - MarvelClient in 2025
bypanagenda
 
Empowering Productivity with Clever Prompts and Intelligent Agents
byUni Systems S.M.S.A.
 
Unser Jahresrückblick – MarvelClient in 2025
bypanagenda
 
Generative AI in UiPath: Mastering the Generative Extractor for Intelligent D...
byDianaGray10
 
Igniting the Future: Copilot trends, agentic transformation and product roadm...
byUni Systems S.M.S.A.
 
Unlocking the Power of Salesforce Architecture: Frameworks for Effective Solu...
byvarsha30tiwari
 
The major tech developments for 2026 by Pluralsight, a research and training ...
byChris Skinner
 
eResource Scheduler Enterprise Resource Management and Scheduling Software.pdf
byeResource Scheduler
 
DIGITAL FORENSICS - Notes for Everything.pdf
bypankajkumavatbeit
 
Top 7 Manufacturing Software for Small Businesses Boosting Growth in 2025
byEnvertis Software Solutions
 
How Mobile Apps Are Shaping the Future of Digital Innovation
byWilliam Taylor
 
Accelerating Responsible AI Adoption in Public Sector and Private Organizations.
byYasir Naveed Riaz
 
The Future of IT Service Management AI Automation & Beyond.pptx
byChetu
 
Top Cybersecurity Threats 2025 Guide by Sureshdas
byPrintersassist
 
Innovative AI Solutions for Business Growth.pdf
byVox Works
 
AI and Computer Architecture: 200 Years Together
byDmitry Zinoviev
 
Ransomware_Resilience_Strategic_Playbook.pdf
byAfonso Henrique Rodrigues Alves
 
Recursive Self Improvement vs Continuous Learning
byBob Marcus
 

Hardening WordPress - Friends of Search 2014 (WordPress Security)

  • 1.
    FRIENDS OF SEARCH HARDENING WORDPRESS VARIOUSTWEAKS FOR BETTER WP SECURITY
  • 2.
    WHAT REALLY MATTERS:TOP 3! IF YOU HAVE 5 MINS TO SPARE, JUST DO THESE…
  • 3.
    #1 Update yourblogs regularly! http://wordpress.org/extend/plugins/wp-updates-notifier/
  • 4.
    Change update behavior… Besure to REALLY know what you’re doing there…! # Disables ALL core updates: define('WP_AUTO_UPDATE_CORE', false); # Enables all core updates, including minor and majors: define('WP_AUTO_UPDATE_CORE', true); # Default: Enables core updates for minor releases: define('WP_AUTO_UPDATE_CORE', 'minor'); Want something more fine-grained? Check AUTO_UPDATE_$TYPE filter (e.g. auto_update_plugin, auto_update_theme, etc.) which is used for specific updates. http://github.com/georgestephanis/update-control/
  • 5.
  • 6.
  • 7.
    #2 Get ridof stuff you don’t use! Remove all inactive plug-ins as well as themes!
  • 8.
    #3 Backup Database& Files, often! http://wordpress.org/extend/plugins/backwpup/
  • 9.
    SECURITY STARTS ATSETUP MAKE THINGS RIGHT FROM THE BEGINNING…!
  • 10.
    #4 Setup WordPressproperly Use unique keys and salts to add random elements for encryption! Use a cryptic prefix to prevent automated scripts and SQL injections. $table_prefix = ‘wp_VzQCxSJv7uL_ ‘; https://api.wordpress.org/secret-key/1.1/salt/
  • 11.
    #5 Protect yourwp-config.php <files wp-config.php> order deny,allow deny from all </files> This needs to go into your WP roots’ .htaccess file to prevent external access Even better… move wpconfig.php outside of „www“. Also do chmod 400/440
  • 12.
    #6 Remove thedefault „admin“ Setup new user as admin; logout. Login w/ new admin; delete old one. Make sure to use a STRONG password, pleeaaasssseeee! http://www.random.org/passwords/
  • 13.
    #7 Protect yourLogin (and wp-admin) Recommended: Try the “Lockdown WP Admin” plug-in to protect PHP files in wpadmin as well as the login itself. Don’t just put an .htaccess for basic passwd. protection. It’s a lot of pain… http://wordpress.org/extend/plugins/lockdown-wp-admin/
  • 14.
    #8 Lock-out multiplefailed logins Limit Login Attempts http://wordpress.org/extend/plugins/limit-login-attempts/
  • 15.
    #9 Even better:Two-factor Verification Info: http://gdig.de/1t - Download: http://gdig.de/1u
  • 16.
    #9 Even better:Two-factor Verification Google Authenticator http://wordpress.org/plugins/google-authenticator/
  • 17.
    #9 Even better:Two-factor Verification Provide your login credentials and get auth-code from your mobile phones‘ G-Auth-App.
  • 18.
  • 19.
  • 20.
  • 21.
    #10 Block maliciousURL requests domain.com/?q=%2e%2e or domain.com/path/base64_ will return HTTP 403 (Forbidden). http://wordpress.org/plugins/block-bad-queries/
  • 22.
    ADDITIONAL TWEAKS THINGS YOUCOULD DO IN YOUR CONFIG AS WELL…
  • 23.
    #11 SSL Logins& Administration define('FORCE_SSL_LOGIN', true); Set FORCE_SSL_LOGIN to “true” to force all logins to happen over SSL. (still allows non-SSL admin sessions) define('FORCE_SSL_ADMIN', true); Use FORCE_SSL_ADMIN to force all logins and all admin sessions to happen over SSL (can be slow…)
  • 24.
    #12 Move the“wp-content” folder define('WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'].'/blog/my-wp-content'); WP_CONTENT_DIR points to “new” the full local path (no trailing slash) define('WP_CONTENT_URL', 'http://domain.com/blog/my-wp-content'); WP_CONTENT_URL points to “new” full URI (no trailing slash either)
  • 25.
    #13 Disable FileEditing define('DISALLOW_FILE_EDIT', true); Set DISALLOW_FILE_EDIT to “true” to disable editing files from dashboard. By default, admins are allowed to edit PHP files. Setting the above is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users.
  • 26.
    #14 Fix File& Folder Permissions WP-Security Scan Very important: chmod your wp-config.php to be read-only! http://wordpress.org/extend/plugins/wp-security-scan/
  • 27.
  • 28.
  • 29.
    @basgr SEO Trainings, Seminars& Strategy Consulting Berlin-based Full-Service Performance Marketing Agency WordPress Security, Consulting & Development www.bg.vu/fos14