Presentation to YYC Bloggers Meetup on Plugins and Securing WordPress.
Geared to the beginner/average user. A presentation and discussion about the basic steps to better manage your WordPress site/blog.
2. Assumptions
• 80%
– of you here tonight used a one-step install via your host or had someone else install and set up your blog
– of you use a custom theme or framework
– of you are completely unaware of how insecure your WP install is
– have experienced a glitch or site problem after installing a plugin
3. Assumptions
• Everyone here knows of, or has heard of, custom themes (purchased or free)
• Several of you will know of frameworks
– Thesis
– Genesis
– Headway
4. Plugins
• Which are my selects?
• How many should you have?
• What are the risks?
5. My Selects
• Akismet
• Broken Link Checker
• CommentLuv
– Disqus or LiveFyre
• Google Analytics for WordPress (Joost/adv)
• Limit Login Attempts
• Secure WordPress
• Social Sharing Toolkit
• WordPress SEO (Joost)
• WP Security Scan
• WP Editorial Calendar
• WP Super Cache
– W3 Total Cache
6. Other Plugins
• WP Touch (paid)
• Redirection (301)
• Restricted Site Access
• nrelate Related Content
• Search Everything
• Contact Form 7
• Gravity Forms (paid)
• Google Analytics (basic)
• Quick Cache
• SimpleReach Slide
• Sharebar
• White Label CMS
7. Security Plugin
• Better WP Security*
– Clean installs ideal
– Create backup
– Shared hosting could run out of RAM or CPU resources
– Force SSL for admin
– Not recommended for the faint of heart!
8. Install and Remove
• P3
– Plugin Performance Profiler
• Theme-Check
– Tests your theme for vulnerabilities and bad code
• Remove all unused themes and plugins!
• Update your plugins regularly please!
9. How many plugins?
• Too many can slow down your site
• Avoid the shiny plugin syndrome
• Plugins add code – limiting the # of plugins limits potential security holes
• Shared hosting is not a friendly environment for a site with lots of plugins
10. Fun for me vs Good for the user?
• Plugins make our lives easier
• So before you add another plugin ask yourself
– Do I need the functionality or ‘want it’?
– Will it help my readers?
– Will my business/site grow by adding it?
11. Backups – easy peasy right?
• Install a plugin and you’re good to go!
• WRONG!
• Backing up your DB isn’t enough
• Disaster can strike at any time
• Backup your whole site (files) regularly
• Store the files in the cloud or on a thumbdrive
12. Backup Plugins
• WP Security
– Has manual backup built in
• WP DB Backup
– Doesn’t work for me on GoDaddy
• WordPress Database Backup (database only)
• WordPress Backup Plugin (files, images, plugins)
13. Backup
• Most plugins only ‘backup’ your DB.
• What about restoring?
– It can be a nightmare, trust me!
• Premium $$
– blogVault
– BackupBuddy
– VaultPress (real-time)
15. Securing WordPress
• Remove the admin account
• Install the basic security plugins
• Remove unused themes and plugins
• Update WP, Plugins, and Themes regularly
• Have an admin user account for maintenance
• Have an editor account for posting
• Never display the “post” author name
17. Securing WordPress
• Connect via FTP? Switch to FTP-SSL or FTPS if your hosting allows for it. Home or coffee shop, it’s a good practice.
• When logging in to wp-admin from anywhere but home/office, use an editor/author/contributor account. Limits the risk of interception of an admin account login.
18. Securing WordPress
• File Permissions (via FTP)
– CHMOD all files to 644
– CHMOD all directories/folders to 755
– CHMOD wp-config.php to 750
– CHMOD wp-content/ to 644 (777 for updates)
• Change the DB prefix from wp_ (WP Security)
• Use strong passwords, and not the same as your gmail, etc.
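As an added example (not part of the slides), a small Python audit that walks a WordPress install over a local or mounted copy and reports every entry whose mode differs from the slide's values. It assumes 644 for files, 755 for directories (wp-content is treated as an ordinary directory here), 750 for wp-config.php, and it flags anything world-writable so a temporary "777 for updates" is not left in place.

```python
import os
import shutil
import stat
import tempfile

# Expected modes (octal), taken from the slide; the wp-content entry is
# treated as a normal directory here (assumption of this example).
FILE_MODE = 0o644
DIR_MODE = 0o755
OVERRIDES = {"wp-config.php": 0o750}

def expected_mode(name, is_dir):
    return DIR_MODE if is_dir else OVERRIDES.get(name, FILE_MODE)

def audit_permissions(root):
    """Return [(relative path, actual, expected, world_writable)] for every
    entry under root whose mode deviates from the policy. World-writable
    entries are reported even when they match, so a loosening done for an
    update is not forgotten."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, True) for d in dirnames] + [(f, False) for f in filenames]
        for name, is_dir in entries:
            full = os.path.join(dirpath, name)
            actual = stat.S_IMODE(os.lstat(full).st_mode)
            wanted = expected_mode(name, is_dir)
            world_writable = bool(actual & stat.S_IWOTH)
            if actual != wanted or world_writable:
                findings.append((os.path.relpath(full, root), actual, wanted, world_writable))
    return findings

def demo_audit():
    """Constructed WordPress-like tree with two deliberate deviations;
    returns {relative path: (actual, expected, world_writable)}."""
    root = tempfile.mkdtemp()
    try:
        layout = {"wp-content": (True, 0o777), "wp-includes": (True, 0o755),
                  "wp-config.php": (False, 0o644), "index.php": (False, 0o644)}
        for name, (is_dir, mode) in layout.items():
            path = os.path.join(root, name)
            if is_dir:
                os.mkdir(path)
            else:
                open(path, "w").close()
            os.chmod(path, mode)
        return {rel: (a, e, w) for rel, a, e, w in audit_permissions(root)}
    finally:
        shutil.rmtree(root)

if __name__ == "__main__":
    for rel, (actual, expected, ww) in demo_audit().items():
        print(f"{rel}: {actual:o}, expected {expected:o}{' WORLD-WRITABLE' if ww else ''}")
```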
19. Securing WordPress (only for pros)
• Move your wp-config.php file
For example:
public_html/wordpress/wp-config.php
Can be moved to:
public_html/wp-config.php
• Move your wp-content directory
Once you have moved your directory you will need to make some adjustments to your wp-config.php file. Add the following lines:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://example/blog/wp-content');
You may also need to define the new location for your plug-ins here by adding these lines to the file:
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://example/blog/wp-content/plugins');
20. Securing WordPress
• Create an .htaccess file in /wp-admin/
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
21. Securing WordPress wp-config.php
/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY', 'hr+t*O/I&B&J2nwMU44d');
define('SECURE_AUTH_KEY', 'j9drDhHcQ 2@ FXGXjj=');
define('LOGGED_IN_KEY', 'M)NxB1-IMrMOvzfUg&!m');
define('NONCE_KEY', 'DVHBzX!*IEcyJs wb/$I');
define('AUTH_SALT', '#3CGx3fk0RWgnk5598xt');
define('SECURE_AUTH_SALT', '5jRxpF=yV)@bwgDdWC9_');
define('LOGGED_IN_SALT', 'vTqj1RZ=y=-Nf#wg-aBW');
define('NONCE_SALT', 'hFW_D-R!$O2y)Xr*xm14');
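Rotating the eight keys and salts is how you force every existing login cookie to expire, as the comment block above notes. As an added example (not from the slides or from WordPress itself), this Python snippet generates fresh 64-character values from the OS CSPRNG and rewrites the define() lines in a wp-config.php fragment; the character set is my choice (printable ASCII without space, quotes or backslash) so each value drops safely into a single-quoted PHP string.

```python
import re
import secrets

# Printable ASCII without space, quotes and backslash: safe inside a
# single-quoted PHP string (my choice for this example).
ALPHABET = "".join(chr(c) for c in range(33, 127) if chr(c) not in "'\"\\")
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFINE_RE = re.compile(r"define\(\s*'(" + "|".join(KEY_NAMES) + r")'\s*,\s*'[^']*'\s*\);")

def new_secret(length=64):
    """A fresh key/salt value from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))

def rotate_salts(config_text):
    """Replace the value in each of the eight define() lines with a new
    secret. Returns (new_text, {name: new_value}). Other defines are left
    alone; an unexpected count means the file is not in the expected shape."""
    fresh = {name: new_secret() for name in KEY_NAMES}
    new_text, count = DEFINE_RE.subn(
        lambda m: f"define('{m.group(1)}', '{fresh[m.group(1)]}');", config_text)
    if count != len(KEY_NAMES):
        raise ValueError(f"expected {len(KEY_NAMES)} key/salt defines, found {count}")
    return new_text, fresh

# Constructed wp-config.php fragment: the slide's sample values plus one
# unrelated define that must survive the rotation untouched.
SAMPLE_CONFIG = """define('DB_NAME', 'wordpress');
define('AUTH_KEY', 'hr+t*O/I&B&J2nwMU44d');
define('SECURE_AUTH_KEY', 'j9drDhHcQ 2@ FXGXjj=');
define('LOGGED_IN_KEY', 'M)NxB1-IMrMOvzfUg&!m');
define('NONCE_KEY', 'DVHBzX!*IEcyJs wb/$I');
define('AUTH_SALT', '#3CGx3fk0RWgnk5598xt');
define('SECURE_AUTH_SALT', '5jRxpF=yV)@bwgDdWC9_');
define('LOGGED_IN_SALT', 'vTqj1RZ=y=-Nf#wg-aBW');
define('NONCE_SALT', 'hFW_D-R!$O2y)Xr*xm14');
"""

if __name__ == "__main__":
    rotated, _ = rotate_salts(SAMPLE_CONFIG)
    print(rotated)
```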
22. Securing WordPress
• Use your Google Webmaster Tools
• Check for keyword significance, crawl errors, malware reports.
• If your keyword significance reports unusual pharma, adult or similar spam words, your site has likely been hacked (cloaked).
• Fetch your site as Googlebot (tools) and see if your site is cloaked to appear different to Googlebot.
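The same check can be done from your own machine: request your page once as a browser and once with Googlebot's User-Agent, then compare what only the crawler is shown. This is an added example, not part of the slides; the spam word list and the two sample HTML responses are constructed, and the network fetch is only used by check_site, not by the offline demo.

```python
import re
import urllib.request

# The crawler UA is Google's published one; the browser UA is a plain example.
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/120.0"
SPAM_WORDS = {"pharmacy", "viagra", "casino", "payday"}  # small constructed list
LINK_RE = re.compile(r"""<a\b[^>]*\bhref=["']([^"']+)["']""", re.I)
TAG_RE = re.compile(r"<[^>]+>")

def fetch_as(url, user_agent):
    """Download url presenting the given User-Agent (needs network)."""
    req = urllib.request.Request(url, headers={"User-Agent": user_agent})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", "replace")

def visible_words(html):
    """Lower-case words left after stripping tags."""
    return set(re.findall(r"[a-z]+", TAG_RE.sub(" ", html).lower()))

def compare_views(browser_html, bot_html):
    """What the crawler is shown that a browser is not: extra links and any
    spam vocabulary present only in the bot's copy."""
    extra_links = set(LINK_RE.findall(bot_html)) - set(LINK_RE.findall(browser_html))
    extra_words = visible_words(bot_html) - visible_words(browser_html)
    return {"links_only_for_bot": sorted(extra_links),
            "spam_words_only_for_bot": sorted(extra_words & SPAM_WORDS)}

def check_site(url):
    """Live check of your own site: both fetches, then the comparison."""
    return compare_views(fetch_as(url, BROWSER_UA), fetch_as(url, GOOGLEBOT_UA))

# Constructed responses: the bot copy carries a hidden block the browser never sees.
BROWSER_HTML = ('<html><body><h1>My Blog</h1><p>New post on '
                '<a href="/2012/plugins">plugins</a>.</p></body></html>')
BOT_HTML = BROWSER_HTML.replace("</body>",
    '<div style="display:none">Cheap online pharmacy '
    '<a href="http://spam.example/p">here</a></div></body>')

if __name__ == "__main__":
    print(compare_views(BROWSER_HTML, BOT_HTML))
```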
23. Hacked?
1. Take down your site/blog
2. Why? Because most hacks are executed with scripts that attach to many files in your site.
3. Just put up a maintenance page. Don’t announce you have been hacked.
4. Run your security plugins? You installed them right?!
24. Hacked?
5. Change your WordPress, MySQL and hosting/FTP username and password.
6. Check all your header and footer files for any suspicious code, JavaScript, links, etc.
7. Happy it all looks ok/clean? Turn it back on.
8. If this fails to work, then it’s time for a clean install. Got those backup files? Backup DB?
25. Defcon 5
• Configure your wp-admin for SSL
• Requires an SSL cert
• Tricky but can be done
• Ideal would be SSL for the whole site
• Challenge is that plugins can’t be secured
• This will be my next project/attempt
26. Best protection?
• Backup DB
• Backup files, images, plugins
• Install security plugins
• Complex passwords
• Avoid ‘admin’ login from unsecured locations
• Limit number of plugins
• Update plugins and WordPress
• You will be hacked at some point.