wordpress security briefing
Post on 08-May-2015
WordPress Security Briefing: How To Keep Your WordPress Site Secure
Presented by WP Apprentice
Who is this guy?
Founder WPApprentice.com
Web Developer 16 years
CMS specialist
Using WP since v. 0.9
Manage 30+ WP sites
Overview of today's session
The current state of web & WordPress security
Hacking risks
How sites get hacked
How to tell if your site has been hacked
Security best practices
Recommended plugins & security services
WordPress in the news
It’s not just WordPress
the web is becoming a very bad neighborhood
Is WordPress secure?
Linux - Operating System
Apache - Web Server
MySQL - Database Server
PHP - Scripting language
Built on layers of technology
WordPress itself has layers
WordPress Core
WordPress Themes
WordPress Plugins
What are the risks?
What’s the worst that can happen?
Site defaced
Content modified
Content injection (spam)
Site deleted
Backdoor installed - hackers use your site to attack others
Malware distribution from your website
What’s the worst that can happen?
Damage to your reputation
Damage to your visitors' computers
Damage to your relationship with your customers
Site removed from Google and other search engines
Possible legal liabilities depending on information exposed or lost
Why would anyone hack MY website?
“I just installed WordPress on a new domain.
I have zero traffic, in fact I’m still setting up my website”
What are the chances?
This isn’t about you or your website - most attacks are automated
Don’t take hacking personally - hackers don’t
They see your server as an asset for future hacking activity
The hacker perspective
How websites get hacked
Weak password
Outdated software
Use of insecure FTP
Shared web host / bad file permissions
Security weakness in plugin
Security weakness in theme
Security weakness in WP (these are patched very quickly)
How to tell if your site has been hacked
Google: site:yourdomainname.com
http://www.google.com/safebrowsing/diagnostic?site=yourdomain.com
http://www.google.com/webmasters/
http://sucuri.net
WordPress Security Best Practices
Backups are the only sure way to protect your website
Schedule database backups daily
Schedule full site backups weekly
Be sure to back up your /wp-content/uploads folder
Move backup files off your server
http://wpapprentice.com/blog/preparing-for-a-wordpress-disaster/
Back Up Regularly
http://ithemes.com/backupbuddy/
http://vaultpress.com
Never name an account “Admin” or any variation
Don’t post from an account with admin privileges
Create an account specifically for posting - assign Editor role
WordPress user setup
Use a strong password (and don’t re-use passwords)
http://agilebits.com/onepassword
Check file and folder permissions on your server
Update WordPress, Plugins, and Themes ASAP
http://managewp.com
http://infinitewp.com
Delete what you don’t use (plugins and themes)
Avoid free plugins and themes from sketchy sources
Don’t install outdated plugins
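One way to carry out the "Check file and folder permissions on your server" item, as an added example that is not part of the original slides. The policy it checks (nothing writable by "other", wp-config.php not readable by "other"), the function names and the sample tree are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the slides): flag permission problems in a WordPress tree.
# Assumed policy: nothing writable by "other"; wp-config.php not readable by "other".

# audit_wp_perms ROOT
# Prints one "FINDING<TAB>path" line per problem.
# Returns 0 if clean, 1 if anything was flagged, 2 if ROOT is not a directory.
audit_wp_perms() {
    root=$1
    if [ ! -d "$root" ]; then
        echo "not a directory: $root" >&2
        return 2
    fi
    cfg="$root/wp-config.php"
    findings=$(
        # World-writable files and directories: on a shared host, any other
        # account on the same server could modify them.
        find "$root" \( -type f -o -type d \) -perm -002 \
            -exec printf 'WORLD_WRITABLE\t%s\n' {} \;
        # wp-config.php holds the database credentials and secret keys.
        if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -004)" ]; then
            printf 'CONFIG_WORLD_READABLE\t%s\n' "$cfg"
        fi
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}

# Builds a constructed sample tree (made-up files and modes) and prints its path.
make_sample_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads"
    echo '<?php // constructed sample' > "$d/wp-config.php"
    echo '<?php // constructed sample' > "$d/index.php"
    chmod 755 "$d" "$d/wp-content"
    chmod 777 "$d/wp-content/uploads"            # too open: flagged
    chmod 644 "$d/index.php" "$d/wp-config.php"  # config readable by all: flagged
    echo "$d"
}

# Usage: sh this_script.sh /path/to/wordpress
if [ "$#" -gt 0 ]; then
    audit_wp_perms "$1"
fi
```

On the sample tree the audit reports the 777 uploads directory and the 644 wp-config.php; the non-zero exit status lets a cron job or monitoring check alert on any finding.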
Plugins & Security Services
http://cloudflare.com
How to fix a hacked site
How to fix your hacked site
Reinstall fresh copy of WordPress
Rebuild site from a clean backup
Or, hire a professional (Sucuri does this)
Getting off the blacklist
Google Webmaster Tools
Sucuri will do this as part of cleanup service
This is too much work!
Use WordPress.com and don’t worry
http://wordpress.com
Q & A
Thank You