
Securing WordPress

Presentation on WordPress Security to the Chicago Northside WordPress Meetup Group

Rachel Baker

July 11, 2012
Transcript

  1. Securing WordPress
     Presented by: Rachel Baker, Freelance Web Developer, @rachelbaker, www.rachelbaker.me
     Founder of Plugged In Consulting, www.pluggedinconsulting.com
  2. Getting to Know WordPress
     Rachel Baker - Chicago Northside WordPress Meetup Group - July 2012
     Image Credit: farmtowngrl via http://media.photobucket.com/image/recent/farmtowngrl/
  3. LAMP: Linux, Apache, MySQL, PHP
  4. Use Strong P@$$w0rdz!
     Image Credit: formalfallacy via http://www.flickr.com/photos/formalfallacy/2057169454/
  5. Do NOT Use Public Wifi
     Image Credit: codebutler via http://codebutler.github.com/firesheep/tc12/#22
  6. Remove Unused Themes & Plugins
     Image Credit: mydoorsign via http://www.mydoorsign.com/Housekeeping-Clean-Signs/
  7. "No, sir! That is wrong." "Do you know where I can get a Facebook plugin for my blog?"
     Image Credit: ilovegkr via http://www.ilovegkr.com/pages/fungames/colouri.html
  9. Reviewing Plugins
     Research the Plugin Developer:
     - How many plugins have they developed?
     - When was the last time they updated their plugins?
     - Are they responsive to support requests for their plugin?
     - Do they work with WordPress professionally?
     - Are they helpful to others in the WordPress Support Forums?
     Check the plugin against WP Engine's Disallowed Plugins List: http://support.wpengine.com/disallowed-plugins/
     Review the Plugin Code for Correct Use of:
     - WordPress Plugin API hooks, actions and filters
     - WordPress Settings API for plugin options
     - WPDB database class and query methods
     - Sanitization on any data input fields
     - Nonces instead of browser cookies
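     The last five review points on this slide are easiest to check against concrete code. The following is an added illustration, not code from the deck or from any real plugin: a hypothetical admin form handler (the `rbx_` prefix, the `{$wpdb->prefix}rbx_items` table and the `manage_options` capability are all assumptions) shown first in the form a reviewer should reject and then in the form that uses the Settings API, a nonce, sanitization and `$wpdb->prepare()` as the slide asks.

```php
<?php
/*
 * Plugin Name: RBX Review Example
 * Added illustration for the "Reviewing Plugins" checklist; not a real plugin.
 * Assumes it runs inside WordPress (the functions below are core WordPress APIs).
 */

// ---- Pattern a reviewer should flag -------------------------------------
// Trusts a browser cookie as proof of intent, uses raw $_POST, and builds SQL
// by string concatenation: no capability check, no nonce, no sanitization.
function rbx_save_item_weak() {
    global $wpdb;
    if ( empty( $_COOKIE['rbx_is_admin'] ) ) {     // cookies are attacker-controlled
        return;
    }
    $title = $_POST['rbx_title'];                      // unsanitized
    $wpdb->query( "UPDATE {$wpdb->prefix}rbx_items SET title = '$title' WHERE id = " . $_POST['id'] );
}

// ---- Hardened version ---------------------------------------------------
// Settings API: the option is registered with a sanitize callback, so every
// write to it goes through sanitize_text_field() whatever form submitted it.
function rbx_register_settings() {
    register_setting( 'rbx_options', 'rbx_title', 'sanitize_text_field' );
}
add_action( 'admin_init', 'rbx_register_settings' );

// Form: the nonce field ties the request to this action and this user session.
function rbx_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'rbx_save_item', 'rbx_nonce' ); ?>
        <input type="hidden" name="action" value="rbx_save_item">
        <label>Item ID <input type="number" name="id" value=""></label>
        <label>Title <input type="text" name="rbx_title"
               value="<?php echo esc_attr( get_option( 'rbx_title', '' ) ); ?>"></label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// Handler: capability check, nonce check, typed sanitization, prepared SQL.
function rbx_save_item() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    check_admin_referer( 'rbx_save_item', 'rbx_nonce' );   // wp_die()s on a bad/missing nonce

    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;   // integer, never negative
    $title = isset( $_POST['rbx_title'] )
        ? sanitize_text_field( wp_unslash( $_POST['rbx_title'] ) )
        : '';

    $table = $wpdb->prefix . 'rbx_items';   // hypothetical table

    // $wpdb->update() quotes and escapes according to the format arrays.
    $wpdb->update( $table, array( 'title' => $title ), array( 'id' => $id ), array( '%s' ), array( '%d' ) );

    // Reads go through prepare() too; %d forces an integer placeholder.
    $row = $wpdb->get_row( $wpdb->prepare( "SELECT id, title FROM {$table} WHERE id = %d", $id ) );

    wp_safe_redirect( add_query_arg( 'updated', $row ? '1' : '0', wp_get_referer() ) );
    exit;
}
add_action( 'admin_post_rbx_save_item', 'rbx_save_item' );
```

     When reviewing a real plugin, grep for `$_POST`, `$_GET`, `$_COOKIE` and `$wpdb->query`/`get_results` and confirm each hit sits behind a `current_user_can()` plus `check_admin_referer()` / `wp_verify_nonce()` pair, is run through a `sanitize_*` or `absint()` call, and reaches the database only via `$wpdb->prepare()` or the `insert`/`update`/`delete` helpers.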
  10. Reviewing Themes
      Research the Theme Developer:
      - How many themes have they developed?
      - When was the last time they updated their theme?
      - Are they responsive to support requests for their theme?
      - Do they work with WordPress professionally?
      - What level of support is included along with any premium theme?
      Check the Theme Code:
      - Are the theme files organized?
      - Do I know the purpose of every file included in the theme?
      - Does the theme cause any Debug mode errors?
      - Theme Check Plugin: http://wordpress.org/extend/plugins/theme-check/
      - Theme Authenticity Checker (TAC) Plugin: http://wordpress.org/extend/plugins/tac/
  11. Move the WP-Config File to the Directory Above Your Public HTML Folder
  12. Secure WP-Includes with .htaccess
      Secured .htaccess File with WP-Config Added: https://gist.github.com/3092744
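      The gist linked on this slide is not reproduced on the page, so the following is an added example of what slides 11 and 12 describe, written here rather than taken from the deck or the gist. It is based on the include-file rules in the "Hardening WordPress" Codex page that slide 16 links to, with a wp-config.php block added. Slide 11 needs no configuration at all: when wp-config.php is absent from the WordPress directory, core looks for it one directory up automatically (provided that parent directory is not itself a WordPress install). The block below is the belt-and-braces for installs where the file has to stay in the web root.

```apache
# Deny any direct web request for wp-config.php. Apache 2.2 syntax (mod_access_compat);
# on Apache 2.4 replace the two directives with:  Require all denied
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# Block direct requests to PHP files that are only meant to be included by WordPress.
# Requires mod_rewrite. Place this ABOVE the "# BEGIN WordPress" block so that
# WordPress's own rewrite rules cannot overwrite it on permalink changes.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    # Skip the next three rules for any path outside wp-includes/
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
```

      Verify the result from outside rather than trusting the file: a request for `/wp-config.php` or `/wp-includes/version.php` should return 403, while normal pages still render. On a multisite install the `wp-includes/ms-files.php` rule must be exempted (the Codex notes this), and if the site runs on nginx or on Apache with `AllowOverride None`, .htaccess is ignored and the same rules belong in the server configuration instead.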
  13. Are You Putting the Engine from a Yugo ...into a BMW?
  14. Use a Quality Hosting Company
      Image Credit: chaosmanorreviews via http://www.chaosmanorreviews.com/open_archives/jep_column-318-b.php
  15. Fun Questions to Ask Web Hosting Companies
      1. What distribution/version of Linux do your servers run?
      2. What versions of Apache, MySQL and PHP do your servers run?
      3. Do you have a written policy regarding patching and updating your servers?
      4. What steps do you take to make sure my hosting account is safe from other accounts on the same server?
      5. Do you have a written backup policy?
      6. How many hosting accounts do you stuff into each server?
  16. Practice Safe WordPressing
      - Secured .htaccess File: https://gist.github.com/3092744
      - Locking Down WordPress eBook: http://build.codepoet.com/2012/07/10/locking-down-wordpress/
      - Sucuri Security: http://sucuri.net/
      - Wordfence Security Plugin: http://wordpress.org/extend/plugins/wordfence/
      - Hardening WordPress: http://codex.wordpress.org/Hardening_WordPress