Security Considerations For WordPress
Presented by Suzette Franck
Hosting Questions
➔ Are SFTP or SSH Offered?
➔ Are PHP (5.2.4+) & MySQL (5.0+) at Latest Versions?
➔ Do They Have 24/7 Phone Support?
➔ How Have They Handled Past Security Breaches And Down Times?
➔ Is There An Uptime Guarantee?
➔ Do They Do Backups? How Often?
Making WordPress More Secure
➔ Update Core As Soon As Updates Are Available
➔ .1 Upgrades (Point Releases) Are Security & Bug Fixes
➔ 1. Upgrades (Major Releases) Are New Features
➔ Carefully Update Plugins (Backup First!)
➔ Use SFTP or SSH, Not FTP
➔ Use Strong Passwords
Account Best Practices
➔ Delete Default “Admin” Account
➔ Unique Accounts for Each Person
➔ No Sharing Of Accounts and Passwords
➔ Do Not Store Your Credentials In Clear Text (No Stickies, Excel, or Notepad)
➔ Principle of Least Privilege / Role Based Access Controls
➔ Always Use Strong Passwords
WordPress Roles
➔ Super Admin - Network Administration (Multi-User Sites)
➔ Administrator - Access To All
➔ Editor - Other Users' Posts
➔ Author - Own Posts Only
➔ Contributor - Submit But Not Publish
➔ Subscriber - Manage Their Own Profile
* Members Plugin - Add and Change Roles
Strong Passwords
➔ a=4 e=3 s=5 i=1 o=0 Is Not Secure!!!!
➔ Combination of Uppercase and Lowercase Letters, Numbers & Special Characters
➔ Passwords Should Be Pass Phrases (8-15 Characters Minimum)
➔ Change Passwords Often & Never Share (Like a Tooth Brush!)
➔ Use A Password Manager (e.g. LastPass or KeePass)
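The slide's point that a=4, e=3, s=5, i=1, o=0 substitutions do not make a password secure can be turned into a policy check: undo the substitutions, strip surrounding digits and symbols, and see whether a dictionary word is left. This is an added example, not part of the presentation; the tiny weak-word list is constructed and stands in for a real cracking wordlist.

```python
"""Password policy check based on the slide's rules: minimum length,
mixed character classes, and no leet-substituted dictionary word."""
import re

MIN_LENGTH = 8  # the slide gives 8-15 characters as the minimum

# Common substitutions attackers undo before a dictionary attack.
LEET = str.maketrans({"4": "a", "3": "e", "5": "s", "1": "i", "0": "o",
                      "@": "a", "$": "s"})

# Constructed sample wordlist (assumption); a real check uses a large dictionary.
WEAK_WORDS = {"password", "wordpress", "admin", "welcome", "letmein", "secret"}

CLASSES = {"lowercase": r"[a-z]", "uppercase": r"[A-Z]",
           "digit": r"[0-9]", "special": r"[^A-Za-z0-9]"}


def unleet(pw: str) -> str:
    """Map substituted characters back to letters and lower-case the result."""
    return pw.translate(LEET).lower()


def trim(s: str) -> str:
    """Drop leading/trailing non-letters: 'password!23' -> 'password'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", s)


def candidate_words(pw: str) -> set:
    """Plausible base words, trying both orders so that '4dm1n' (leading
    substitution) and 'Admin123' (trailing digits) are both recovered."""
    return {trim(unleet(pw)), unleet(trim(pw.lower()))}


def check_password(pw: str) -> list:
    """Return a list of policy violations; an empty list means acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pat in CLASSES.items() if not re.search(pat, pw)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    hits = sorted(w for w in candidate_words(pw) if w in WEAK_WORDS)
    if hits:
        problems.append(f"based on dictionary word '{hits[0]}' (substitutions undone)")
    return problems


def is_strong(pw: str) -> bool:
    return not check_password(pw)
```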
PCI Data Security Standard
➔ Follows Common Sense Best Security Practices
➔ Handled Through The Payment Processor That Accepts Credit Cards (PayPal or 3rd Party Shopping Cart)
➔ Requires Credit Card and Client Information To Be Stored And Transmitted Securely (HTTPS/SSL)
➔ Strong Secure Passwords Changed Often
I've Been Hacked!!!
➔ Stay Calm, Breathe
➔ Isolate the Infection – Take Site Offline
➔ Change All Passwords
➔ Update Clients – Phone Calls Are Best
➔ Cure The Problem or Hand Off
➔ Restore Service
➔ Analyze Cause and Prevent Future Infections