Security 101
~ Improving the security of your WordPress installation ~

@manifestphil                                                           manifestbozeman.com
Why would anyone hack me?

It's not personal, but there are several motivating factors…

   ■   For attention
   ■   Profit scams
   ■   Own one, own them all…
   ■   To steal information

"All I wanted was to sell my cupcakes online!"

Most website hacks are performed by automated computer programs, and are
not directed at your website personally. However, the bigger you are, the more
worthwhile it becomes for a hacker to invest time, energy and resources.
Favorite WordPress Security Breaches

There are certain types of hacks that target WordPress specifically:

   ■   Defacement / Hacktivism
   ■   SEO Hijacking
   ■   Affiliate/Malicious Redirects
   ■   Backdoors
   ■   Drive-by Downloads

Don't become a Canadian pharmacy!
What is security, exactly?

   ■   Security is about risk reduction. There is no silver bullet.
   ■   Security is never absolute.
   ■   To think you will never be infected is like saying you'll never be sick.
   ■   Detection is the key!

Security is all about not being an easy target.

Sometimes security means simply having a plan for what we will do in a
worst case scenario… Play "what if?"

Security means different things for different types of organizations.

Like tourists, it's best to avoid being "that guy".
So what's the problem?

   ■   The ecosystem/environment
   ■   Access control
   ■   Software vulnerabilities
   ■   Extensibility

Keeping your installation current is the easiest
security improvement you can make.

[Diagram: the version number v3.5.1 with the labels Major, Feature and Security]

The WordPress core is in fact very secure. When an issue arises, the
core team is quick to patch the vulnerability, and push that to end users.
Start by securing your own computer…

   ■   Good, up-to-date antivirus software
   ■   Keep your own software up to date
   ■   Know where you're surfing the web

And getting a good web host.

   ■   Not much you can do if you're using a shared host.
   ■   Consider a dedicated / VPS environment or go with a managed host.

   ●   What security does my host use?
   ●   What kind of reputation do they have?
   ●   What will they do if you get hacked?

A managed WordPress host doesn't mean you'll be any safer, but it does mean
you'll have resources to lean on.
Change your passwords… like yesterday.

   ■   Hard to guess. Hard for a brute force attack to succeed.
   ■   Avoid any combination of your name, company name, username, etc.
   ■   Don't use dictionary words, in any language.
   ■   Stop using the same password for everything: email, DB, admin, FTP.

   My daughter is Emery. 07152013 She likes dogs!

                  MdiE.07152013Sld!

   1Password                   KeePassX
You need a backup plan. Or two.

   ■   Clean backups mean you never need to start from scratch.
   ■   Back up your database, content, themes.
       ○   Specialized installations may need more, e.g. custom plugins, .htaccess, etc.
   ■   Back up to multiple locations.
       ○   Backups stored on your primary server cannot be trusted.
       ○   Hard drives fail. Homes burn down. Offices are burglarized.
   ■   Backup frequency
       ○   Depends on how much work or information you stand to lose.
   ■   Manual vs. Automatic

   Backup Buddy - $75          VaultPress - $15/mo.          WP to Dropbox - FREE
Control the access to your site.

   ■   Connect using sFTP, SSH or FTP-SSL.
   ■   Log in to wp-admin using SSL (https://mydomain.com/wp-admin).
   ■   Your FTP username/password should not be the same as your WordPress
       admin username/password.
   ■   Least privilege
       ○   Everyone doesn't need to be an admin.
       ○   Every user should have their own access.
       ○   You don't need to log in as admin.
       ○   The focus is on the role, not their name.
       ○   Kill generic accounts.
   ■   Blacklist known bad bots and users.

Reading Recommendation
Check out the eBook, Locking Down WordPress, by Michael Pick.
It's available as a free download at CodePoet.com.

What's in a free theme?
When you search Google for free or cheap themes you're probably going to
create a security vulnerability. Go with more reputable sources.
Setting up your WordPress installation

   ■   Turn off directory listings
   ■   Kill PHP execution
   ■   Deny access to wp-config.php
   ■   Ensure file permissions are correct
       ○   Directories should be 755
       ○   Files should be 644
   ■   Properly configure wp-config
       ○   Disable theme/plugin editing via admin
       ○   Force SSL for admin login and use
       ○   Add secret keys
   ■   Remove the admin account
   ■   Change the database table prefix
   ■   Use trusted sources for themes and plugins

Maintainability Tips
If you have plugins installed that you do not use, delete them!
Did you purchase or download a theme? Use child themes to allow the main
theme to be updated without breaking your layout.

Developer Tips
Following WordPress code standards when developing a theme will ensure that
client updates don't break the site. Because you're a ninja-coder, you can
confidently allow your customer access to keep WordPress updated.
Help your clients set up automatic backups, please!
Turn off Directory Listings

Where does it go?                 What does it do?
/.htaccess                        Prevents the Apache web server from displaying a list of all
                                  the files in a directory.

Should be added to the .htaccess file in your WordPress root directory.
Kill PHP Execution

Where does it go?                   What does it do?
/wp-content/uploads/.htaccess       Prevents PHP code from being executed in these two
/wp-includes/.htaccess              directories. Many backdoor access scripts disguise
                                    themselves in these locations.

If neither of these locations has an existing .htaccess file, you may need to create it.

Full instructions »
Deny access to wp-config.php

Where does it go?                            What does it do?
/.htaccess                                   Prevents any direct access by users to the wp-config.php file.

Full instructions »

For the extra cautious
You can also use Apache's .htaccess file to "whitelist" only certain IP addresses that should be allowed
to access your /wp-admin directory. Here are directions on how!
Disable editing via WP admin

Where does it go?   What does it do?
/wp-config.php      Removes the ability to edit theme or plugin files via the
                    WordPress admin panel.
Set up Unique Keys & Salts

Where does it go?                            What does it do?
/wp-config.php                               Ensures better encryption of information stored in your
                                             browser's cookies.

How do I get these keys?
Use the online generator and copy-paste them into your file.
Force SSL use for wp-admin

Where does it go?   What does it do?
/wp-config.php      Forces all WP Admin connections to be routed through SSL.
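The three wp-config.php settings from the preceding slides, combined into one added example (not the presenter's own file); the salt values are placeholders to be replaced with generator output, and the DISALLOW_FILE_MODS line and the reverse-proxy check go beyond what the slides show:

```php
<?php
// wp-config.php hardening for the "Disable editing via WP admin",
// "Set up Unique Keys & Salts" and "Force SSL use for wp-admin" slides.
// Added example, not the presenter's file. Put these lines above the
// "That's all, stop editing!" comment that ships in wp-config.php.

// 1. Disable theme/plugin editing via admin. Without this constant, anyone
//    holding an administrator session can write arbitrary PHP through
//    Appearance > Editor; with it defined, the editor is removed.
define( 'DISALLOW_FILE_EDIT', true );

// Going further (not on the slide): also block plugin/theme installs and
// updates from the dashboard, so new code only arrives over sFTP/SSH.
// Leave this out if the dashboard is how WordPress gets updated.
// define( 'DISALLOW_FILE_MODS', true );

// 2. Unique keys and salts. WordPress uses these to sign the login and
//    auth cookies; left at the sample values, a forged cookie validates.
//    Replace every placeholder with a line from the online generator
//    (https://api.wordpress.org/secret-key/1.1/salt/).
define( 'AUTH_KEY',         'PLACEHOLDER-paste-generated-value-here' );
define( 'SECURE_AUTH_KEY',  'PLACEHOLDER-paste-generated-value-here' );
define( 'LOGGED_IN_KEY',    'PLACEHOLDER-paste-generated-value-here' );
define( 'NONCE_KEY',        'PLACEHOLDER-paste-generated-value-here' );
define( 'AUTH_SALT',        'PLACEHOLDER-paste-generated-value-here' );
define( 'SECURE_AUTH_SALT', 'PLACEHOLDER-paste-generated-value-here' );
define( 'LOGGED_IN_SALT',   'PLACEHOLDER-paste-generated-value-here' );
define( 'NONCE_SALT',       'PLACEHOLDER-paste-generated-value-here' );

// 3. Force SSL for wp-admin. FORCE_SSL_ADMIN covers the login page too,
//    so the password and the auth cookie never cross the wire in clear text.
define( 'FORCE_SSL_ADMIN', true );

// If TLS terminates at a proxy or load balancer, WordPress sees plain HTTP
// and would redirect in a loop; trust the forwarded-protocol header instead.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}
```

Changing the keys and salts invalidates every existing login cookie, so all users (including you) are logged out once; that is expected.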
Hide login error messages

Where does it go?
/wp-content/themes/your-theme/functions.php

What does it do?
Prevents hackers from seeing whether the username or
password is incorrect.
Remove the WP version number

Where does it go?
/wp-content/themes/your-theme/functions.php

What does it do?
Removes the WordPress version number from the HTML
generated by your website. (And the RSS feed too!)

While you're at it…
Delete the readme.txt file and wp-config-sample.php files in
your WordPress root directory. You can safely delete the
install.php file located in your wp-admin folder as well.
Remove author username from comments

Where does it go?
/wp-content/themes/your-theme/functions.php

What does it do?
Prevents hackers from seeing the username of the post
author.
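The three functions.php changes from the "Hide login error messages", "Remove the WP version number" and "Remove author username from comments" slides, as one added example (not the presenter's snippets); the ms101_ function prefix is a made-up name, and the ?ver= stripping and body_class filter go beyond what the slides describe:

```php
<?php
// Theme functions.php hardening. Added example, not the presenter's code.
// Works as-is in your-theme/functions.php; a small site-specific plugin is
// a better home because it survives a theme switch.

// 1. Hide login error messages. By default WordPress distinguishes an
//    unknown username from a wrong password, which lets an attacker confirm
//    valid usernames before guessing passwords. Return one neutral message.
add_filter( 'login_errors', function ( $error ) {
    return 'Login failed. Please check your credentials and try again.';
} );

// 2. Remove the WordPress version number. 'wp_generator' prints the
//    <meta name="generator"> tag in <head>; 'the_generator' produces the
//    <generator> element in the RSS/Atom feeds, so both have to go.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// The version also leaks as ?ver=x.y.z on core scripts and stylesheets.
// Strip it only when it equals the core version (plugins use their own).
function ms101_strip_core_version( $src ) {
    global $wp_version;
    if ( false !== strpos( $src, 'ver=' . $wp_version ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'ms101_strip_core_version' );
add_filter( 'style_loader_src',  'ms101_strip_core_version' );

// 3. Remove the author username from comments. For comments by registered
//    users, comment_class() emits "comment-author-{user_nicename}", and the
//    nicename is normally the login name. Drop that class.
add_filter( 'comment_class', function ( $classes ) {
    return array_values( array_filter( $classes, function ( $class ) {
        return 0 !== strpos( $class, 'comment-author-' );
    } ) );
} );

// The same login name appears as "author-{user_nicename}" in body_class()
// on author archive pages; keep "author" and "author-{ID}", drop the name.
add_filter( 'body_class', function ( $classes ) {
    return array_values( array_filter( $classes, function ( $class ) {
        return ! preg_match( '/^author-(?!\d)/', $class );
    } ) );
} );
```

Hiding the username in markup does not remove it from /?author=1 redirects or the REST users endpoint, so treat this as reducing easy discovery, not as a replacement for strong passwords and login throttling.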
Remove the admin account

Steps
   1.   Create a new user. The e-mail address associated with each user must be unique.
   2.   Click delete on the admin account. You'll be presented with this screen.
   3.   Assign all of the posts to the new user that you created and confirm the deletion.
   4.   If needed, change your email address back to your primary contact.

Not geeky enough?
Alternatively, create a new user and run the following SQL command.
Change your database table prefix

Why you should care
Many SQL injection attacks assume that your database prefix will be wp_.
Don't make the hacker's job easy!

On a new installation
WordPress allows you to set the table prefix when installing a new site.

On existing sites
You'll either need to change things in the database and wp-config.php directly,
or use a plugin to help you.

For heaven's sake
Make a backup of your site database before trying to change table prefix names.
WordPress powers 22% of new active websites in the U.S. It powers 17% of the
top million websites in the world.

Use the power of this vast community and keep WordPress updated!

@manifestphil                                                                          manifestbozeman.com
Site Security Tools
   ■   Sucuri Site Scanner
   ■   Google Safe Browsing
   ■   Bots vs. Browsers
   ■   iSecLab.org - Wepawet
   ■   Unmask Parasites

Documentation, etc.
   ■   WP Codex
   ■   Perishable Press 5G Blacklist
   ■   How anyone can hack your WP site in less than 5 minutes (and what you can do…)
   ■   Protecting /wp-admin using Apache
   ■   Smashing Magazine
   ■   What to do if you're hacked

Plugin Recommendations
   ■   Limit Login Attempts
   ■   WP Security Scan
   ■   Duo Two-Factor Authentication
   ■   WP File Monitor Plus
   ■   Theme Check
   ■   Akismet
Resources for theme and plugin developers
  ■   Data validation and sanitization in WordPress
  ■   Andrew Nacin: Y U No Code Well
  ■   Understanding WordPress Capabilities and Nonces
  ■   WordPress Plugin Development Best Practices
  ■   StackExchange: WordPress Answers
  ■   WP Hackers Mailing List
