
WordPress Security Tips


WordPress Security Tips - Chris Burgess
Melbourne WordPress Meetup July 2012

Chris Burgess

July 11, 2012


Transcript

  1. WordPress is popular: Basic WordPress Security Tips

     With WordPress being one of the most popular web publishing platforms, it is also a popular target for web-based attacks. Most of these attacks are automated and seek out old versions of WordPress, default settings, vulnerable plug-ins and themes, incorrect file permissions and weak passwords.
  2. Defaults are bad: Change the Default Settings

     This is an easy one and lifts you a little above the lowest-hanging fruit. All you need to do is change the default administrator username and the default table prefix (anything other than wp_) at the time of installation. Beyond that, the simplest protection is to always stay on a current version: the WordPress developers are quick to push out security fixes, so make sure you take advantage of these updates.
  3. Ain’t no love

     A compromised site can have numerous serious ramifications, such as losing search engine rankings or being excluded from the search engine results pages altogether. Search engines and anti-virus systems can also alert users that a site is "unsafe". Not a good look!
  4. Not just plugins: Vulnerable Plug-ins and Themes

     The popularity of WordPress has attracted an entire ecosystem of developers and marketplaces. Within these marketplaces (and the broader web) the quality of plug-ins and themes varies enormously. I usually recommend users look for popular themes and plug-ins, because not only are they most likely to be of higher quality, they are also more likely to be updated and supported. Personally, I use a mixture of free and commercial plug-ins and themes.
  5. Perms: Incorrect File Permissions

     This is something you want to get right; along with old versions of WordPress, it is a very common reason why sites are exploited. If I'm unsure, I always get advice from the particular web host, and I recommend you do the same, since every host can be different. If you're using a package management feature such as cPanel/Fantastico/Easy Apps (where installing WordPress is a one-click process), these options are usually taken care of for you (see http://faq.ventraip.com.au/questions...l+Wordpress%3F). The following assumes that you're managing your own permissions in a shared environment. It's also worth noting that VentraIP has a "Permission Fixer", which can be handy if you mess things up and need to revert to default permissions (see http://faq.ventraip.com.au/questions...er+error%27%3F).
  6. Write to me

     A typical WordPress installation requires that the following files and directories are writable:

       /.htaccess
       /wp-content/uploads/
       /wp-content/themes/name-of-theme (if you wish to edit in the Dashboard)
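The two checks from slides 2, 5 and 6 (a non-default table prefix, and no loosely permissioned files in the install) can be automated in a few lines of POSIX shell. The script below is an added example, not code from the talk or from WordPress: it builds a constructed sample install in a temporary directory, reads `$table_prefix` from wp-config.php, counts world-writable entries, and applies the common 755/644 baseline as a remediation. The 755/644 baseline is an assumption for the demo; as the slide says, confirm the right values with your own host.

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress install for the
# default "wp_" table prefix and for world-writable files/directories.
# The sample install built by wp_demo_setup is constructed for this demo.

# Print "default" if wp-config.php still uses the wp_ table prefix,
# "custom" otherwise, or "missing" if there is no wp-config.php.
wp_check_prefix() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || { echo "missing"; return 1; }
    prefix=$(sed -n "s/^[[:space:]]*\$table_prefix[[:space:]]*=[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$cfg" | head -n 1)
    if [ "$prefix" = "wp_" ]; then
        echo "default"
    else
        echo "custom"
    fi
}

# Count entries under the install root that anyone on the host can write to
# (-perm -002 is the portable spelling of "world-writable bit set").
wp_count_world_writable() {
    find "$1" -perm -002 | wc -l | tr -d ' '
}

# Apply the common shared-hosting baseline: directories 755, files 644.
# (Assumed baseline for the demo; your host may recommend different values.)
wp_tighten_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# Build a constructed sample install with one deliberate mistake:
# a world-writable wp-config.php. Prints the root path.
wp_demo_setup() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads" "$root/wp-content/themes/demo-theme"
    printf "<?php\n\$table_prefix = 'wp_';\n" > "$root/wp-config.php"
    : > "$root/.htaccess"
    wp_tighten_perms "$root"            # start from a clean baseline...
    chmod 666 "$root/wp-config.php"     # ...then introduce the mistake
    echo "$root"
}

# Demo run on the constructed tree.
demo_root=$(wp_demo_setup)
echo "table prefix: $(wp_check_prefix "$demo_root")"
echo "world-writable entries before fix: $(wp_count_world_writable "$demo_root")"
wp_tighten_perms "$demo_root"
echo "world-writable entries after fix: $(wp_count_world_writable "$demo_root")"
rm -rf "$demo_root"
```

Point `wp_check_prefix` and `wp_count_world_writable` at a real document root to run the same checks there; `wp_tighten_perms` changes permissions, so run it only once you know the baseline your host expects.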
  7. Tip of the day

     TIP: .htaccess is just a way of configuring web server options at the directory and file level. On Unix-based systems, files beginning with a period are hidden, so make sure your FTP/SCP/SFTP client software is set to "show hidden files".
  8. “Practically Paranoid”: Good Overall Security

     Choose good passwords. This one may seem obvious, however, it’s commonly overlooked. This applies not only to your WordPress password but to your SFTP/SCP/FTP and hosting account passwords too. Always use long passwords; the longer and more complex, the better. I always recommend people think in terms of "passphrases" rather than passwords. A good password management tool is also a great help.

     Make regular backups of your files and your database. Not if but *when* something goes wrong, a current backup will save your skin. You can get both free and commercial plugins (or services, see the next point) that cater to any backup option you can dream of.

     Also, always use only trusted, secure networks and secure protocols for your web and email traffic. Internet kiosks or free wifi may be tempting, but make sure you understand the risks.
  9. Value your assets: WordPress Security Services

     There are many services that specialise in keeping your WordPress site updated and monitored for security issues, such as VaultPress and Sucuri. There are also hosted WordPress services that offer security and backup options as part of their plans. Also take a look at WordFence and WebsiteDefender. Numerous services provide backup and security scanning, but there is a lot of overlap, so shop around.
  10. Summary

     In summary, adhere to good security practices such as using strong passwords, make sure your WordPress installation and configuration are correct, and keep your version of WordPress (including plugins and themes) regularly updated.

     Chris Burgess @chrisburgess