
Securing WordPress


Since WordPress enjoys the position of being one of the most widely used web platforms, it is also one of the most attacked. From installation to operation there are fairly easy, must-do steps to make sure your site is as secure as possible.

In this two part session, Michael Carnell will cover everything from file permissions and user accounts to script injection and backup procedures to protect your blog from hacking or downtime. The first part of the session will be delivered at this user group meetup.

Michael Carnell is one of the co-founders of the Palmetto Technology Hub, and serves as the outfit’s Technical Director. He is both Microsoft and Apple Certified, and often teaches classes and speaks on PC, Macintosh and Web technologies.

He is also a partner at DesignTechWeb, which produces sophisticated and secure website solutions.


Transcript

  1. The Not So Good
     - GoDaddy - common back end database that isn’t secured well and suffers from performance overload, poor support
     - Brinkster - has been hacked numerous times
     - FreeHostia - slow, free account is very limited, always pushing the upsell

     Tuesday, December 13, 11

  2. For the Good Times
     - DreamHost - Not always the cheapest, but good and good support. But watch CPU usage as they will cut off processes.
     - MediaTemple - Again, not cheap, but very stable and secure. Monitors scripts.
     - BlueHost
     - HostGator

  3. The Basic Rules
     - Do your research - http://www.michaelcarnell.com/hosting
     - Check their own support forums
     - Is there a free trial or money back guarantee?
     - None of this really applies to WordPress.com
     - If you are hosting yourself, that is a different set of issues

  4. Install Correctly
     - While installing (most will use OneClick) . . .
     - Consider your directory. Do you use the standard? Root?
     - Consider altering the database name if your install allows.
     - Make the database username and password long and cryptic. Store them away, not to be used.
     - Don’t use redundant info - admin name same as username, same as blog name, etc.

  5. Double Check the Install
     - File level tasks to be done via FTP . . .
     - Delete ..\wp-admin\install.php
     - In wp-config.php, add the optional security keys - http://api.wordpress.org/secret-key/1.1/
     - Add index.php, a blank file, to all plugin and theme directories if it isn’t already there
     - Check the file directory privileges (if you are comfortable)

  6. Post Install Setup
     - Create a new admin user with a strong password
     - Change the Admin password and make it a subscriber. Why not delete??
     - Make your main admin’s display name different from the login name
     - Change the setting to allow editing by outside packages if wanted - but know what you are doing
     - Change the “permalink” structure (thank you WP 3.3!)
     - Demo Time Again....
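The file-level checks from slides 4 and 5, as an added example that is not part of the deck: a POSIX shell audit (function names, messages and the audited paths are my own choices) that verifies install.php is gone, that wp-config.php defines all eight key/salt constants with non-placeholder values, that wp-config.php is not world-readable, and that every plugin and theme directory carries a blank index.php.

```shell
# Hypothetical post-install audit for a WordPress tree (example names are mine).

# Slide 5: the installer script should be gone once setup is done.
check_installer_removed() {
    [ ! -e "$1/wp-admin/install.php" ]
}

# Slide 5: wp-config.php must define all eight keys/salts with values
# that are not the "put your unique phrase here" placeholder WordPress ships.
check_security_keys() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    for k in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        grep -Eq "define\( *'$k', *'[^']+' *\)" "$cfg" || return 1
        grep -Eq "define\( *'$k', *'put your unique phrase here' *\)" "$cfg" && return 1
    done
    return 0
}

# Slide 5: drop a blank index.php into every plugin and theme directory
# that lacks one, so a host with directory listings enabled shows nothing.
add_blank_index() {
    for d in "$1/wp-content/plugins" "$1/wp-content/themes"; do
        [ -d "$d" ] || continue
        find "$d" -type d | while read -r sub; do
            [ -e "$sub/index.php" ] || : > "$sub/index.php"
        done
    done
}

# Slide 5: wp-config.php holds the database credentials from slide 4,
# so its "other" permission bits should all be zero (e.g. 640 or 600).
check_config_perms() {
    f="$1/wp-config.php"
    perm=$(stat -c %a "$f" 2>/dev/null || stat -f %Lp "$f" 2>/dev/null)
    [ -n "$perm" ] && [ $((perm % 10)) -eq 0 ]
}

# Run every check, report findings, and return non-zero if any failed.
wp_audit() {
    rc=0
    check_installer_removed "$1" || { echo "wp-admin/install.php still present"; rc=1; }
    check_security_keys "$1"     || { echo "wp-config.php lacks unique keys/salts"; rc=1; }
    check_config_perms "$1"      || { echo "wp-config.php is world-readable"; rc=1; }
    add_blank_index "$1"
    return $rc
}
if [ $# -eq 1 ]; then wp_audit "$1"; fi
```

Run it as `sh wp_audit.sh /path/to/wordpress`; a non-zero exit means at least one finding was printed.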
  7. After Setup Before Live
     - Themes ... not this session!
     - Plugins that you should have:
       - Akismet - AntiSpam, comes with the install
       - Block Bad Queries - blocks code injection through queries
       - Search Meter - What are your visitors looking for, but also shows extraneous search injections
       - SecureWordPress - basically a security audit
       - AntiVirus or another such
     - Demo Time Again!

  8. Simple Backup for WP
     - Your content is your responsibility, not your host’s.
     - Create a GMail account or use your current one with a custom address such as “yourname [email protected]”
     - Make a filter that auto-files away all email coming in to that address.
     - Database - WP-DB-Backup
     - Images & Themes - WordPress Backup

  9. Michael Carnell
     - http://www.MichaelCarnell.com
     - @carnellm on Twitter
     - Slides and further info available on... Sophisticated Secure Websites http://www.DesignTechWeb.com

  10. Some Other Business
     - WordPress 3.3 is Out! (Wanna demo?)
     - CiviCRM now working with WordPress in Alpha
     - WordCamp Atlanta - February 3 & 4 http://2012.atlanta.wordcamp.org
     - Next Meeting, January 10 - Until then, don’t forget the updates on WPChs.org