Peter Baylies, profile picture
Uploaded byPeter Baylies
1,974 views

WordPress Server Security

This document provides best practices for securing a WordPress server. It recommends making regular backups, changing defaults, using strong passwords, updating software, and limiting access. Specific tips include moving wp-config.php out of the webroot, using security plugins, tightening file permissions, disabling unneeded software, and regularly scanning for vulnerabilities. While security is an ongoing process, following these guidelines helps protect a WordPress site.

Embed presentation

Downloaded 13 times
WordPress Server Security Best Practices Peter Baylies aka @pbaylies on Twitter Semper Fi Web Design
Security • isn't simple • isn't perfect • isn't ever finished • ...no pressure!
Basic Tips and Gotchas • Backups, backups, backups. • Change the defaults • Use strong passwords (and password salts!) • Use SFTP and HTTPS • Update all the things • Trust no one.
Do I Need To Do All This? • Probably? - depends on your situation. • Find a great managed hosting company? • http://wpdevshed.com/managed-wordpress-hosting/ • Have a good sysadmin - or be one.
Good Advice • Limiting Access - reduce possible entry points • Containment - minimize potential damage • Preparation and Knowledge - backups! • Trusted Sources - download from reputable sites • http://codex.wordpress.org/Hardening_WordPress
Understanding the Environment • “LAMP” Environment – OS -­‐ Linux – Webserver -­‐ Apache – Database -­‐ MySQL – Scripting -­‐ PHP • and… WordPress!
WordPress Security • Move wp-config.php out of the webroot • Friends don't let friends use any eval plugins. • iThemes Security - https://ithemes.com/tutorials/ getting-started-ithemes-security-part-1/ • Wordfence - https://wordpress.org/plugins/wordfence/ • BruteProtect (soon to be JetPack) - https:// wordpress.org/plugins/bruteprotect/
OS Level Security • File permissions • User groups • mount / chroot / jail • Firewalls - csf / lfd • Virtual Machines • ...and much more. http://en.wikipedia.org/wiki/Unix_security
Web Server Security • Turn off indexing • Disable unnecessary modules • Use Deny / Allow directives, .htaccess • Hardening - mod_security, mod_evasive • Consider using a service like CloudFlare • http://www.tecmint.com/apache-security-tips/
Database security • User permissions • Disable remote access • Change the defaults • mysql_secure_installation • http://dev.mysql.com/doc/refman/5.0/en/mysql-secure- installation.html
PHP Security • suPHP - http://www.suphp.org/Home.html • Suhosin - back from the dead - https://github.com/ stefanesser/suhosin • php.ini - disable_functions - http://php.net/manual/en/ ini.core.php#ini.disable-functions • php.ini - set open_basedir - http://php.net/manual/en/ ini.core.php#ini.open-basedir
More Tools and Testing • Sucuri Sitecheck - http://sitecheck.sucuri.net/ • Beyond Security - https://www.scanmyserver.com/ • Hacker Target - http://hackertarget.com/wordpress-security- scan/ • WPScan - https://github.com/wpscanteam/wpscan
So You Think You Got • Don't Panic! • Contact your host • Remember those backups I mentioned? • Change passwords, check logs • Tools - rkhunter, ClamAV, Linux Malware Detect • http://codex.wordpress.org/ FAQ_My_site_was_hacked
Questions? • Thank you! • Slides available here -

More Related Content

PPTX
Managing Multisite: Lessons from a Large Network
byWilliam Earnhardt
 
PPTX
Getting started with WordPress development
bySteve Mortiboy
 
PDF
Using composer with WordPress
byMicah Wood
 
PDF
8 Ways to Hack a WordPress website
bySiteGround.com
 
PPTX
WordPress Plugins and Security
byThink Media Inc.
 
KEY
WordPress Security
byIvan Storck
 
PPTX
Anthony Somerset - Site Speed = Success!
byWordCamp Cape Town
 
PDF
High Performance WordPress
byvnsavage
 
Managing Multisite: Lessons from a Large Network
byWilliam Earnhardt
 
Getting started with WordPress development
bySteve Mortiboy
 
Using composer with WordPress
byMicah Wood
 
8 Ways to Hack a WordPress website
bySiteGround.com
 
WordPress Plugins and Security
byThink Media Inc.
 
WordPress Security
byIvan Storck
 
Anthony Somerset - Site Speed = Success!
byWordCamp Cape Town
 
High Performance WordPress
byvnsavage
 

What's hot

PPTX
WordPress security for everyone
byVladimír Smitka
 
PDF
Speeding up your WordPress Site - WordCamp Toronto 2015
byAlan Lok
 
PPT
WordPress Fav Plugins & Security
byThe Toolbox, Inc.
 
PDF
WordPress Intermediate Workshop
byThe Toolbox, Inc.
 
PPTX
WordCamp Boston WordPress plugins-8-2014
byThe Toolbox, Inc.
 
PPTX
A crash course in scaling wordpress
byGovLoop
 
PPTX
HyperDB, MySQL Performance, & Flavors of MySQL
byEvan Volgas
 
PDF
WordPress Security - 12 WordPress Security Fundamentals
byfindingsimple
 
PPTX
Piecing Together the WordPress Puzzle
byBusiness Vitality LLC
 
PPTX
Let’s write a plugin
byBrian Layman
 
PDF
10 things every developer should know about their database to run word press ...
byOtto Kekäläinen
 
PPTX
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
byBrian Layman
 
PPT
Blog World 2010 - How to Keep Your Blog from Being Hacked
byBrian Layman
 
PPTX
Presentation to SAIT Students - Dec 2013
byThink Media Inc.
 
PDF
WordPress Security Basics - Melbourne WordPress User Meetup
byChris Burgess
 
PDF
Here Be Dragons - Debugging WordPress
byRami Sayar
 
PPTX
Multisite core concepts final
byUmesh Chaudhary
 
PPTX
WordPress Security
byNathan Platt
 
PPTX
WordPress.org & Optimizing Security for your WordPress sites
byGovLoop
 
PPTX
Speeding Up WordPress sites
byJason Yingling
 
WordPress security for everyone
byVladimír Smitka
 
Speeding up your WordPress Site - WordCamp Toronto 2015
byAlan Lok
 
WordPress Fav Plugins & Security
byThe Toolbox, Inc.
 
WordPress Intermediate Workshop
byThe Toolbox, Inc.
 
WordCamp Boston WordPress plugins-8-2014
byThe Toolbox, Inc.
 
A crash course in scaling wordpress
byGovLoop
 
HyperDB, MySQL Performance, & Flavors of MySQL
byEvan Volgas
 
WordPress Security - 12 WordPress Security Fundamentals
byfindingsimple
 
Piecing Together the WordPress Puzzle
byBusiness Vitality LLC
 
Let’s write a plugin
byBrian Layman
 
10 things every developer should know about their database to run word press ...
byOtto Kekäläinen
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
byBrian Layman
 
Blog World 2010 - How to Keep Your Blog from Being Hacked
byBrian Layman
 
Presentation to SAIT Students - Dec 2013
byThink Media Inc.
 
WordPress Security Basics - Melbourne WordPress User Meetup
byChris Burgess
 
Here Be Dragons - Debugging WordPress
byRami Sayar
 
Multisite core concepts final
byUmesh Chaudhary
 
WordPress Security
byNathan Platt
 
WordPress.org & Optimizing Security for your WordPress sites
byGovLoop
 
Speeding Up WordPress sites
byJason Yingling
 

Similar to WordPress Server Security

PDF
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
PDF
ResellerClub Ctrl+F5 - WordPress Security session
byPratik Jagdishwala
 
PDF
Word camp2011 introwordpresssecurity
byDavid Wilemski
 
PPTX
WordPress Security and Best Practices
byRobert Vidal
 
PPTX
WordPress Security Best Practices
byZero Point Development
 
ODP
Wordpress Security 101
byRobert Rowley
 
PDF
Head Slapping WordPress Security
byChris Burgess
 
PPTX
WordPress Security - WordPress Meetup Copenhagen 2013
byThor Kristiansen
 
PDF
Introduction to WordPress Security
byNile Flores
 
PPSX
WordPress Security by Nirjhor Anjum
byAbul Khayer
 
PPTX
WordPress Security Fundamentals - WordCamp Biratnagar 2018
byAbul Khayer
 
PPT
Securing Your WordPress Website - WordCamp GC 2011
byVlad Lasky
 
PPT
Securing Your WordPress Website by Vlad Lasky
bywordcampgc
 
PPTX
Professional WordPress Security: Beyond Security Plugins
byChris Burgess
 
PDF
WordPress Security 2018
byAdrian Mikeliunas
 
PDF
Your WordPress Website Is/Not Hacked
byAngela Bowman
 
PDF
WordPress security 101 - WP Turku Meetup 2.2.2017
byOtto Kekäläinen
 
PDF
WordPress Hardening: Strategies to Secure & Protect Your Website
byReliqusConsulting
 
PDF
Null bhopal Sep 2016: What it Takes to Secure a Web Application
byAnant Shrivastava
 
PDF
Seravo.com: WordPress Security 101
bySeravo
 
Word press beirut 9th meetup march
byFadi Nicolas Zahhar
 
ResellerClub Ctrl+F5 - WordPress Security session
byPratik Jagdishwala
 
Word camp2011 introwordpresssecurity
byDavid Wilemski
 
WordPress Security and Best Practices
byRobert Vidal
 
WordPress Security Best Practices
byZero Point Development
 
Wordpress Security 101
byRobert Rowley
 
Head Slapping WordPress Security
byChris Burgess
 
WordPress Security - WordPress Meetup Copenhagen 2013
byThor Kristiansen
 
Introduction to WordPress Security
byNile Flores
 
WordPress Security by Nirjhor Anjum
byAbul Khayer
 
WordPress Security Fundamentals - WordCamp Biratnagar 2018
byAbul Khayer
 
Securing Your WordPress Website - WordCamp GC 2011
byVlad Lasky
 
Securing Your WordPress Website by Vlad Lasky
bywordcampgc
 
Professional WordPress Security: Beyond Security Plugins
byChris Burgess
 
WordPress Security 2018
byAdrian Mikeliunas
 
Your WordPress Website Is/Not Hacked
byAngela Bowman
 
WordPress security 101 - WP Turku Meetup 2.2.2017
byOtto Kekäläinen
 
WordPress Hardening: Strategies to Secure & Protect Your Website
byReliqusConsulting
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
byAnant Shrivastava
 
Seravo.com: WordPress Security 101
bySeravo
 

More from Peter Baylies

PDF
Membership Plugins in WordPress
byPeter Baylies
 
PDF
Debugging and Profiling in WordPress: What is My Site Doing?
byPeter Baylies
 
PDF
Speed Up That Site! - a guide to caching plugins
byPeter Baylies
 
KEY
Doing cool stuff with WordPress
byPeter Baylies
 
PDF
Mastering the shortcode api
byPeter Baylies
 
PDF
Add tag shortcode
byPeter Baylies
 
PDF
Add loop shortcode
byPeter Baylies
 
PDF
Add title shortcode
byPeter Baylies
 
Membership Plugins in WordPress
byPeter Baylies
 
Debugging and Profiling in WordPress: What is My Site Doing?
byPeter Baylies
 
Speed Up That Site! - a guide to caching plugins
byPeter Baylies
 
Doing cool stuff with WordPress
byPeter Baylies
 
Mastering the shortcode api
byPeter Baylies
 
Add tag shortcode
byPeter Baylies
 
Add loop shortcode
byPeter Baylies
 
Add title shortcode
byPeter Baylies
 

WordPress Server Security

  • 1.
    WordPress Server Security Best Practices Peter Baylies aka @pbaylies on Twitter Semper Fi Web Design
  • 2.
    Security • isn'tsimple • isn't perfect • isn't ever finished • ...no pressure!
  • 3.
    Basic Tips andGotchas • Backups, backups, backups. • Change the defaults • Use strong passwords (and password salts!) • Use SFTP and HTTPS • Update all the things • Trust no one.
  • 5.
    Do I NeedTo Do All This? • Probably? - depends on your situation. • Find a great managed hosting company? • http://wpdevshed.com/managed-wordpress-hosting/ • Have a good sysadmin - or be one.
  • 7.
    Good Advice •Limiting Access - reduce possible entry points • Containment - minimize potential damage • Preparation and Knowledge - backups! • Trusted Sources - download from reputable sites • http://codex.wordpress.org/Hardening_WordPress
  • 9.
    Understanding the Environment • “LAMP” Environment – OS -­‐ Linux – Webserver -­‐ Apache – Database -­‐ MySQL – Scripting -­‐ PHP • and… WordPress!
  • 10.
    WordPress Security •Move wp-config.php out of the webroot • Friends don't let friends use any eval plugins. • iThemes Security - https://ithemes.com/tutorials/ getting-started-ithemes-security-part-1/ • Wordfence - https://wordpress.org/plugins/wordfence/ • BruteProtect (soon to be JetPack) - https:// wordpress.org/plugins/bruteprotect/
  • 11.
    OS Level Security • File permissions • User groups • mount / chroot / jail • Firewalls - csf / lfd • Virtual Machines • ...and much more. http://en.wikipedia.org/wiki/Unix_security
  • 12.
    Web Server Security • Turn off indexing • Disable unnecessary modules • Use Deny / Allow directives, .htaccess • Hardening - mod_security, mod_evasive • Consider using a service like CloudFlare • http://www.tecmint.com/apache-security-tips/
  • 13.
    Database security •User permissions • Disable remote access • Change the defaults • mysql_secure_installation • http://dev.mysql.com/doc/refman/5.0/en/mysql-secure- installation.html
  • 14.
    PHP Security •suPHP - http://www.suphp.org/Home.html • Suhosin - back from the dead - https://github.com/ stefanesser/suhosin • php.ini - disable_functions - http://php.net/manual/en/ ini.core.php#ini.disable-functions • php.ini - set open_basedir - http://php.net/manual/en/ ini.core.php#ini.open-basedir
  • 15.
    More Tools andTesting • Sucuri Sitecheck - http://sitecheck.sucuri.net/ • Beyond Security - https://www.scanmyserver.com/ • Hacker Target - http://hackertarget.com/wordpress-security- scan/ • WPScan - https://github.com/wpscanteam/wpscan
  • 17.
    So You ThinkYou Got • Don't Panic! • Contact your host • Remember those backups I mentioned? • Change passwords, check logs • Tools - rkhunter, ClamAV, Linux Malware Detect • http://codex.wordpress.org/ FAQ_My_site_was_hacked
  • 18.
    Questions? • Thankyou! • Slides available here -