Introduction to Security and Backups
Suzette Franck #wclax @suzette_franck
Introduction to backups and security
by Suzette Franck
September 5, 2012
twitter: @suzette_franck
Front-end Developer at WebDevStudios
what we will cover
1. top vulnerabilities and risks
2. prevention
3. getting hacked
4. backups
5. resources
Top vulnerabilities
1. Infected (not virus-free) computer: malware on your own machine can capture the passwords you type for the site
2. Weak or compromised passwords
3. Outdated server software
4. Unreliable hosting
5. Plugin or theme with bad or malicious code
why do hackers hack?
1. gain your server's resources
2. something malicious or spammy
3. promote propaganda
4. make money
5. spread viruses
6. because they can
7. yes, big or small, everyone is a target
Am I at risk? yes!
1. use the internet
2. have passwords
3. own a website
steps to reduce risks
1. prevention is the best medicine
2. best password practices
3. get good hosting
4. know your plugin and theme sources
5. keep software updated
password management
1. complicated passwords
2. don't use FTP, use SFTP or SSH (FTP sends your password over the network in clear text)
3. different passwords for everything
4. use a password manager (LastPass)
5. practice least privilege
6. access only what is needed and when it is needed
7. remove old accounts
password creation
1. never use "password"
2. don't use pet or children's names
3. uppercase letters, lowercase letters, numbers, special characters
4. longer is better than shorter
5. use password managers to create and store new passwords
choosing hosting
1. use a reputable web hosting company
2. should offer SFTP or SSH access
3. pay now for good hosting or pay later for bad hosting
4. shared hosting or VPS?
5. keep server software (PHP & MySQL) up-to-date (you or your host)
6. do they have emergency backups? Fees?
wordpress hosting
wordpress application
1. update WordPress (both the major releases and the .1 point releases; the point releases are usually security and maintenance fixes)
2. don't log in with the admin account; create a new account
3. each user should have their own account
4. use the user roles: admin, editor, and so on
5. always practice least privilege
6. remove unused accounts
wordpress application
1. limit login attempts plugin
2. file and folder permissions
   1. files: 644 (owner can read and write; group and everyone else can only read; no execute bit)
   2. folders: 755 (owner can read, write and enter; everyone else can read and enter)
   3. don't use 777: world-writable means any user or process on a shared host can modify the file
3. move wp-config.php up a directory (not multisite)
4. wp-config.php: define('FORCE_SSL_LOGIN', true);
5. define('FORCE_SSL_ADMIN', true); (since WordPress 4.0, FORCE_SSL_LOGIN is deprecated and FORCE_SSL_ADMIN covers both the login page and the admin area)
6. wp-config.php: add the secret keys (the salts from api.wordpress.org/secret-key/1.1/salt/, replacing the "put your unique phrase here" placeholders)
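The permission and wp-config.php checks from the slide above, as a script you can run on a docroot. This is an added example, not code from the slides or from WordPress: the docroot path, the demo tree it builds and the `wp_*` function names are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: audit a WordPress docroot for the
# permissions the slide recommends (644 files, 755 folders, never 777) and
# check wp-config.php for FORCE_SSL_ADMIN and real secret keys.
# The docroot path and the demo tree below are hypothetical/constructed.

# Print every world-writable file or directory (anything with the "other"
# write bit set, which is what 777 and 666 give you).
wp_find_world_writable() {
    find "$1" -perm -002 -print | sort
}

# Apply the slide's modes: directories 755, files 644.
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# wp-config.php checks: FORCE_SSL_ADMIN must be defined true, and the secret
# keys must not still be the "put your unique phrase here" placeholders that
# ship in wp-config-sample.php.
wp_check_config() {
    cfg="$1/wp-config.php"
    if ! grep -Eq "define\([[:space:]]*'FORCE_SSL_ADMIN'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
        echo "FORCE_SSL_ADMIN is not set in $cfg" >&2
        return 1
    fi
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "secret keys in $cfg are still placeholders" >&2
        return 1
    fi
    return 0
}

# Constructed demo site: an uploads folder and a file left at 777, which is
# the mistake the slide warns about.
demo_site=$(mktemp -d)
mkdir -p "$demo_site/wp-content/uploads"
printf '<?php\n' > "$demo_site/index.php"
printf "<?php\ndefine('FORCE_SSL_ADMIN', true);\ndefine('AUTH_KEY', 'constructed-example-key-not-for-use');\n" > "$demo_site/wp-config.php"
printf 'jpeg' > "$demo_site/wp-content/uploads/photo.jpg"
chmod 777 "$demo_site/wp-content/uploads" "$demo_site/wp-content/uploads/photo.jpg"

echo "world-writable before fix:"
wp_find_world_writable "$demo_site"
wp_fix_perms "$demo_site"
echo "world-writable after fix:"
wp_find_world_writable "$demo_site"
wp_check_config "$demo_site" && echo "wp-config.php checks passed"
```

On a real site, run `wp_find_world_writable /path/to/docroot` first and look at the list before running the fix: a plugin that needs a writable cache directory will stop working at 755, and that is a conversation to have with the plugin, not a reason to go back to 777.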
plugin and theme safety
1. know your sources (WordPress.org)
2. back up, then update plugins and themes
3. test on a local or development server
4. delete inactive plugins and themes
5. use as few plugins as it takes to get the job done
You've been hacked!
1. reduce reinfection: clean up, restore, or take down the site ASAP
2. don't get Google blacklisted
3. hire experts, like Sucuri
4. restore the site from a recent backup
5. does your host offer emergency backups?
6. time matters!
backups
1. hacked sites may be cleaned, but...
2. usually the damage that was done cannot be undone
3. software updates may break sites
4. maintaining backups is essential
5. set up an automatic schedule
6. know how to do a manual backup
7. back up the files as well as the database
manual database backup
1. log in to phpMyAdmin
2. export to .sql using the default settings, or
3. install the "WP Migrate DB" plugin
4. configure and run the plugin
using phpMyAdmin
using WP Migrate DB
1. install and configure WP Migrate DB by Delicious Brains
manual database backup
1. uncheck "compress with gzip" & copy
back up your files, too!
1. FileZilla or another SFTP client
automatic backups
backup essentials
1. back up the files and the database before updates!
2. don't store backups on your server
3. schedule backups based on how much information you're willing to lose
4. test backups periodically
5. keep backups accessible for emergencies
6. http://codex.wordpress.org/WordPress_Backups
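The manual backup the previous slides walk through by hand (database export, files over SFTP) and the "backup essentials" above (keep it off the server, test it), done as one script. This is an added example, not code from the slides or from WordPress: the docroot and destination paths, the demo site it builds, and the `WP_DUMP_CMD` variable that lets it run without a MySQL server are all constructed for illustration; on a real host that variable is left unset and the real `mysqldump` runs.

```shell
#!/bin/sh
# Added example, not from the slides: a scripted manual backup of a WordPress
# site (database dump plus a files archive, with checksums) and a restore
# test. Assumptions: the docroot is $1 and the destination $2 is somewhere
# off the web server (a mounted remote share, or a staging directory you then
# rsync/scp elsewhere); mysqldump is reached through the hypothetical
# WP_DUMP_CMD variable so the example can run without a database server.

# Read a define('NAME', 'value') constant out of wp-config.php.
wp_config_value() {
    sed -n "s/^[[:space:]]*define[[:space:]]*([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'.*/\1/p" \
        "$1/wp-config.php" | head -n 1
}

# Dump the database and archive the files. Prints the timestamp used in the
# file names so the caller can find (and verify) the set it just made.
wp_backup() {
    site="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    mkdir -p "$dest"

    # Database: credentials come from wp-config.php and are handed to
    # mysqldump through a mode-600 defaults file, never on the command line
    # where ps would show the password to every user on the host.
    cnf=$(mktemp)
    chmod 600 "$cnf"
    printf '[client]\nhost=%s\nuser=%s\npassword=%s\n' \
        "$(wp_config_value "$site" DB_HOST)" \
        "$(wp_config_value "$site" DB_USER)" \
        "$(wp_config_value "$site" DB_PASSWORD)" > "$cnf"
    ${WP_DUMP_CMD:-mysqldump} --defaults-extra-file="$cnf" --single-transaction \
        "$(wp_config_value "$site" DB_NAME)" > "$dest/db-$stamp.sql"
    rm -f "$cnf"

    # Files: the whole docroot (wp-config.php, themes, plugins, uploads).
    tar -C "$site" -czf "$dest/files-$stamp.tar.gz" .

    # Checksums, so a truncated or corrupted copy is caught by the periodic
    # test rather than on the day you need to restore.
    (cd "$dest" && sha256sum "db-$stamp.sql" "files-$stamp.tar.gz" > "backup-$stamp.sha256")
    echo "$stamp"
}

# The periodic test: checksums still match, the archive unpacks,
# wp-config.php is inside it, and the dump actually contains table data.
wp_verify_backup() {
    dest="$1"; stamp="$2"
    scratch=$(mktemp -d)
    (cd "$dest" && sha256sum -c "backup-$stamp.sha256" > /dev/null) || return 1
    tar -C "$scratch" -xzf "$dest/files-$stamp.tar.gz" || return 1
    [ -f "$scratch/wp-config.php" ] || return 1
    grep -Eq 'CREATE TABLE|INSERT INTO' "$dest/db-$stamp.sql" || return 1
    rm -rf "$scratch"
}

# Constructed stand-in for mysqldump (accepts and ignores the real arguments).
fake_mysqldump() {
    printf 'CREATE TABLE wp_options (option_id bigint);\nINSERT INTO wp_options VALUES (1);\n'
}

# Constructed demo site and a stand-in for the off-server destination.
demo_site=$(mktemp -d)
mkdir -p "$demo_site/wp-content/uploads"
printf "<?php\ndefine('DB_NAME', 'wp_demo');\ndefine('DB_USER', 'wp_demo_user');\ndefine('DB_PASSWORD', 'constructed-example-password');\ndefine('DB_HOST', 'localhost');\n" > "$demo_site/wp-config.php"
printf 'jpeg' > "$demo_site/wp-content/uploads/photo.jpg"
demo_dest="$demo_site-backups"

WP_DUMP_CMD=fake_mysqldump
demo_stamp=$(wp_backup "$demo_site" "$demo_dest")
ls "$demo_dest"
wp_verify_backup "$demo_dest" "$demo_stamp" && echo "backup $demo_stamp verified"
```

Put `wp_backup` in cron at whatever interval matches the amount of data you are willing to lose, and run `wp_verify_backup` on the copy that lives off the server, not on the one you just wrote: a backup that only exists on the hacked host is exactly the one the attacker can delete.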
resources
1. http://blog.sucuri.net/
2. WordPress.tv WordCamp sessions:
   1. Dre Armeda
   2. Brad Williams
   3. Tony Perez
3. Google (recent articles)
4. "Locking Down WordPress" (Code Poet)
questions?
follow me on twitter: @suzette_franck