Securing WordPress Presented by: Rachel Baker Freelance Web Developer @rachelbaker www.rachelbaker.me Founder of Plugged In Consulting www.pluggedinconsulting.com

Getting to Know WordPress Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 Image Credit: farmtowngrl via http://media.photobucket.com/image/recent/farmtowngrl/

L A M P Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 inux pache ySQL HP

Database Tables Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 = + Code Files WordPress

WP-Content Folder Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012

WP-Admin Folder Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012

WP-Includes Folder Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012

WP-Content Folder Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012

Take Ownership of Your Website Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012

Limit Access to Your Site Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012

Use Strong P@$$w0rdz! Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 Image Credit: formalfallacy via http://www.flickr.com/photos/formalfallacy/2057169454/

Do NOT Use Public Wifi Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 Image Credit: codebutler via http://codebutler.github.com/firesheep/tc12/#22

Stay Up To Date Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012

Remove Unused Themes & Plugins Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 Image Credit: mydoorsign via http://www.mydoorsign.com/Housekeeping-Clean-Signs/

Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 Image Credit: ilovegkr via http://www.ilovegkr.com/pages/fungames/colouri.html No, sir! That is wrong. Do you know where I can get a Facebook plugin for my blog?

Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 Image Credit: ilovegkr via http://www.ilovegkr.com/pages/fungames/colouri.html No, sir! That is wrong. Do you know where I can get a Facebook plugin for my blog?

Reviewing Plugins Research the Plugin Developer: How many plugins have they developed? When was the last time they updated their plugins? Are they responsive to support requests for their plugin? Do they work with WordPress professionally? Are they helpful to others in the WordPress Support Forums? Check the plugin against WP Engine’s Disallowed Plugins List: http://support.wpengine.com/disallowed-plugins/ Review the Plugin Code for Correct Use of: Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 WordPress Plugin API hooks, actions and filters WordPress Settings API for plugin options WPDB database class and query methods Sanitization on any data input fields Nonces instead of browser cookies

Reviewing Themes Research the Theme Developer: How many themes have they developed? When was the last time they updated their theme? Are they responsive to support requests for their theme? Do they work with WordPress professionally? What level of support is included along with any premium theme? Check the Theme Code: Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 Are the theme files organized? Do I know the purpose of every file included in the theme? Does the theme cause any Debug mode errors? Theme Check Plugin: http://wordpress.org/extend/plugins/theme-check/ Theme Authenticity Checker (TAC) Plugin: http://wordpress.org/extend/plugins/tac/

Move the WP-Config File to the Directory Above Your Public HTML Folder Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012

Secure WP-Includes with .htaccess Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 https://gist.github.com/3092744 Secured .htaccess File with WP-Config Added:

Are You Putting the Engine from a Yugo Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 ...into a BMW?

Use a Quality Hosting Company Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 Image Credit: chaosmanorreviews via http://www.chaosmanorreviews.com/open_archives/jep_column-318-b.php

Fun Questions to Ask Web Hosting Companies Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 1. What distribution/version of Linux do your servers run? 2. What version Apache, MySQL and PHP do your servers run? 3. Do you have a written policy regarding patching and updating your servers? 4. What steps do you take to make sure my hosting account is safe from other accounts on the same server? 5. Do you have a written backup policy? 6. How many hosting accounts do you stuff into each server?

Practice Safe WordPressing Secured .htaccess File: https://gist.github.com/3092744 Locking Down WordPress eBook: http://build.codepoet.com/2012/07/10/locking-down-wordpress/ Sucuri Security: http://sucuri.net/ Wordfence Security Plugin: http://wordpress.org/extend/plugins/wordfence/ Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012 Hardening WordPress: http://codex.wordpress.org/Hardening_WordPress