WordPress Security BriefingHow To Keep Your WordPress Site Secure

WP ApprenticePresented by

Who is this guy?

Founder WPApprentice.com

Web Developer 16 years

CMS specialist

Using WP since v. 0.9

Manage 30 + WP sites

Overview of todays session

The current state of web & WordPress security

Hacking risks

How sites get hacked

How to tell if your site has been hacked

Security best practices

Recommended plugins & security services

WordPress in the news

It’s not just WordPress

the web is becoming a very bad neighborhood

Is WordPress secure?

Linux - Operating System

Apache - Web Server

MySQL - Database Server

PHP - Scripting language

Built on layers of technology

WordPress itself has layers

WordPress Core

WordPress Themes

WordPress Plugins

What are the risks?

What’s the worst that can happen?

Site defaced

Content modified

Content injection (spam)

Site deleted

Backdoor installed - hackers your your site to attack others

Malware distribution from your website

What’s the worst that can happen?

Damage to your reputation

Damage to your visitors computers

Damage to your relationship with your customers

Site removed from Google and other search engines

Possible legal liabilities depending on information exposed or lost

Why would anyone hack MY website?

“I just installed WordPress on a new domain.

I have zero traffic, in fact I’m still setting up my website”

What are the chances?

This isn’t about you or your website - most attacks are automated

Don’t take hacking personally - hackers don’t

They see your server as an asset for future hacking activity

The hacker perspective

How websites get hacked

How websites get hacked

Weak password

Outdated software

Use of insecure FTP

Shared web host / bad file permissions

Security weakness in plugin

Security weakness in theme

Security weakness in WP (these are patched very quickly)

How to tell if your site has been hacked

Google: site:yourdomainname.com

http://www.google.com/safebrowsing/diagnostic?site=yourdomain.com

http://www.google.com/webmasters/

http://sucuri.net

http://sucuri.net

WordPress Security Best Practices

Backups are the only sure way to protect your website

Schedule database backups daily

Schedule full site backups weekly

Be sure to backup your /wp-content/uploads folder

Move backup files off your server

http://wpapprentice.com/blog/preparing-for-a-wordpress-disaster/

Backup Regularly

http://ithemes.com/backupbuddy/

http://vaultpress.com

Never name an account “Admin” or any variation

Don’t post from an account with admin privileges

Create an account specifically for posting - assign Editor role

WordPress user setup

Use a strong password (and don’t re-use passwords)

http://agilebits.com/onepassword

Check file and folder permissions on your server

Update WordPress, Plugins, and Themes asap

http://managewp.com

http://infinitewp.com

Delete what you don’t use (plugins and themes)

Avoid free plugins and themes from sketchy sources

Don’t install outdated plugins

Plugins & Security Services

http://cloudflare.com

How to fix a hacked site

How to fix your hacked site

Reinstall fresh copy of WordPress

Rebuild site from a clean backup

Or, hire a professional (Sucuri does this)

Getting off the blacklist

Google Webmaster Tools

Sucuri will do this as part of cleanup service

This is too much work!

Use WordPress.com and don’t worry

http://wordpress.com

Q & A

Thank You