7 ways to Secure your WordPress Website - Without Using Any Plugins

  1. 7 Ways to Secure Your WordPress Website – without any Plugins
     Tan Kian Ann
     WordPress Wednesdays – 24 April 2013
  2. Please don’t copy, lah. Will put up the slides for you to refer to, share on WPUG Facebook.
  3. #1. Set a Strong Password
  4. Question: What is the most common password used today?
  5. Set your password to “incorrect”. So when you key in wrongly, the computer will tell you “Your password is incorrect.”
  6. Set a Strong Password
     • The 25 most common passwords of 2012: password, 123456, 12345678, abc123, qwerty, monkey, letmein, dragon, 111111, baseball, iloveyou, trustno1, 1234567, sunshine, master, 123123, welcome, shadow, ashley, football, jesus, michael, ninja, mustang, Password1
     • Source: http://gizmodo.com/ – 25 most common passwords (2012)
  7. Set a Strong Password
     • Mix uppercase, lowercase, numbers, symbols.
     • Balance “secure” and “easy to remember”.
     • E.g. Queenstown street 45, blk 700 #17-44 – Qb700#17_44
     • E.g. Imagination is more important than knowledge (Albert Einstein), born 1897 – iimitk*AE*1897
  8. Set a Strong Password
     • Or use a password manager
       – KeePass
       – 1Password
       – Roboform
       – LastPass
       – … many more
  9. #2. Don’t use “Admin” as username
  10. Don’t use “Admin” as username
  11. Don’t use “Admin” as username
      If you already have “admin” as username:
      1. Log in as “admin”.
      2. Create a new administrator account using a different username.
      3. Log out of “admin”.
      4. Log in using the new account you created.
      5. Delete the “admin” account. You can attribute the existing posts to the new account.
  12. Don’t use “Admin” as username
      Preferably:
      1. Don’t use a dictionary word.
      2. Don’t use popular names.
      3. Don’t use your name.
  13. #3. Use a Different Table Prefix
  14. Use a Different Table Prefix
  15. Use a Different Table Prefix
      If you already have “wp_” as the database prefix:
      1. I know, no plugins but… http://wordpress.org/extend/plugins/change-table-prefix/
      2. Or if you want to do it yourself… http://www.wpbeginner.com/wp-tutorials/how-to-change-the-wordpress-database-prefix-to-improve-security/
  16. #4. Set Proper File Permissions
  17. Set Proper File Permissions
      • Best practice:
        – All files – 644 or 640
        – All directories – 755 or 750
        – wp-config.php – 400
      • Usually can be set using an FTP program, or web hosting control panel.
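Added example, not from the slides: a POSIX shell script that applies the permission scheme above (files 644, directories 755, wp-config.php 400) to a WordPress tree and then audits it for anything group- or world-writable; the tree it runs against here is a constructed throwaway directory, not a real install.

```shell
#!/bin/sh
# Added example, not from the slides: apply the scheme from the slide above
# (files 644, directories 755, wp-config.php 400) and audit the result.
# make_sample_site builds a constructed throwaway tree for the demo.

# Constructed stand-in for a site uploaded over FTP with everything left 777.
make_sample_site() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/themes/mytheme"
    printf '<?php // placeholder\n' > "$site/wp-config.php"
    printf '<?php // placeholder\n' > "$site/wp-content/themes/mytheme/functions.php"
    chmod -R 777 "$site"
    printf '%s\n' "$site"
}

# Apply the slide's permissions. Directories first so find can still descend.
harden_perms() {
    root="$1"
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    chmod 400 "$root/wp-config.php"
}

# List anything group- or world-writable, and wp-config.php if group or
# others can read it. Returns 1 when something needs fixing, 0 otherwise.
audit_perms() {
    root="$1"
    bad=$(
        find "$root" \( -perm -002 -o -perm -020 \) -print
        find "$root" -name wp-config.php \( -perm -004 -o -perm -040 \) -print
    )
    [ -z "$bad" ] && return 0
    printf 'loose permissions:\n%s\n' "$bad" >&2
    return 1
}

# Demo on the constructed tree: the audit fails before hardening, passes after.
demo=$(make_sample_site)
audit_perms "$demo" 2>/dev/null || echo "before: loose permissions found (as expected)"
harden_perms "$demo"
audit_perms "$demo" && echo "after: permissions OK"
rm -rf "$demo"
```

On a real site run harden_perms and audit_perms against the WordPress root as the file owner; if the web server needs to write to wp-content/uploads, grant that directory separately rather than loosening the whole tree.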
  18. #5. Hide WordPress Info
  19. Hide WordPress Info
      • Remove these files:
        – license.txt
        – readme.html
  20. Hide WordPress Info
  21. Hide WordPress Info
      • Hide generator statement
      • Inside wp-content/themes/<yourtheme>/functions.php, add this line (the hook and callback names are PHP strings, so they must be quoted):
          remove_action('wp_head', 'wp_generator');
  22. #6. Update your secret keys
  23. Update your secret keys
      Inside wp-config.php – these secret keys add an extra layer of security.
  24. Update your secret keys
      • Introduced recently
        – WordPress 2.6 (Jul 08): AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY
        – WordPress 2.7 (Dec 08): NONCE_KEY
        – WordPress 3.0 (Jun 10): AUTH_SALT, SECURE_AUTH_SALT, LOGGED_IN_SALT, NONCE_SALT
      • Before WordPress 2.6 – non-existent. (Remember, wp-config is not touched when you update WordPress)
      • Generate these at: https://api.wordpress.org/secret-key/1.1/salt/
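Added example, not from the slides: a shell audit of wp-config.php for the eight constants listed above, reporting any that are missing (typical of a config carried over from an older WordPress) or still set to WordPress's placeholder text. The constant names are WordPress's own; the config file and its values are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the slides: check that wp-config.php defines all
# eight keys the slide lists and that none is still the placeholder text.
# make_sample_config writes a constructed config for the demo.

KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Constructed stand-in for a config written under WordPress 2.6 and never
# regenerated: no NONCE_KEY, no salts, and AUTH_KEY still the default text.
make_sample_config() {
    cfg=$(mktemp)
    cat > "$cfg" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-sample-value-1');
define('LOGGED_IN_KEY',    'constructed-sample-value-2');
$table_prefix = 'wp_';
EOF
    printf '%s\n' "$cfg"
}

# Print "missing NAME" or "default NAME" per problem; return 1 if any found.
audit_secret_keys() {
    cfg="$1"; rc=0
    for k in $KEYS; do
        line=$(grep -E "define\([[:space:]]*['\"]$k['\"]" "$cfg" || true)
        if [ -z "$line" ]; then
            echo "missing $k"; rc=1
        elif printf '%s\n' "$line" | grep -q 'put your unique phrase here'; then
            echo "default $k"; rc=1
        fi
    done
    return $rc
}

# Demo: the stale config has 6 problems. Fix by pasting a fresh block from
# https://api.wordpress.org/secret-key/1.1/salt/ over the old defines.
demo=$(make_sample_config)
audit_secret_keys "$demo" || echo "wp-config.php needs new secret keys"
rm -f "$demo"
```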
  25. #7. Keep all files up to date
  26. Keep all files up to date
  27. Keep all files up to date
      • 3 things to keep updated:
        – WordPress core
        – Plugins
        – Themes
      • Done quickly thru the WordPress backend!
      • Remove unused files – themes, plugins etc.
      • Remember to do a backup before doing an update!
  28. Conclusion: 7 Ways
      1. Set a Strong Password
      2. Don’t use “Admin” as username
      3. Use a Different Table Prefix
      4. Set Proper File Permissions
      5. Hide WordPress Info
      6. Update your secret keys
      7. Keep all files up to date
  29. Good to know, better to have it implemented!
  30. Reference: http://codex.wordpress.org/Hardening_WordPress
  31. Thank You!
      Tan Kian Ann
      +65 96195806
      tankianann@gmail.com
      http://www.facebook.com/tankianann
