6. My Plugin Selects
• Akismet
• CommentLuv
– Disqus or LiveFyre
• Google Analytics for WordPress (Yoast)
• WordPress SEO (Yoast)
– Use all the settings!
• Optimize Database after Deleting Revisions
• Swiftype Search
• Relevanssi
• Gravity Forms
• Contact Form 7
8. Install and Remove
• P3
– Plugin Performance Profiler
• Theme-Check
– Tests your theme for vulnerabilities and bad code
• Remove all unused themes and plugins!
• Update your plugins regularly please!
9. How many plugins?
• Too many can slow down your site
• Avoid the shiny plugin syndrome
• Plugins add code – limiting the # of plugins limits potential security holes
• Shared hosting is not a friendly environment for a site with lots of plugins
10. Fun for me vs Good for the user?
• Plugins make our lives easier
• So before you add another plugin ask yourself
– Do I need the functionality or ‘want it’?
– Will it help my readers?
– Will my business/site grow by adding it?
• Paid or Free????
11. Backups – easy peasy right?
• Install a plugin and you’re good to go!
• WRONG!
• Backing up your dB isn’t enough
• Disaster can strike at any time
• Backup your whole site (files) regularly
• Store the files in the cloud or on a thumbdrive
12. Backup Plugins
• WP Security
– Has manual and auto dB backup built in
• WP DB Backup
– Doesn’t work for me on GoDaddy
• Wordpress Database Backup (database only)
• Wordpress Backup Plugin (files, images, plugs)
13. Backup
• Most plugins only ‘backup’ your dB.
• What about restoring?
– It can be a nightmare, trust me!
• Premium $$
– blogVault
– BackupBuddy
– VaultPress (real-time)
– SyncSage (local company)
14. Securing WordPress
• Remove the admin account
• Install the basic security plugins
• Remove unused themes and plugins
• Update WP, Plugins, and Themes regularly
• Have an admin user account for maintenance
• Have an editor account for posting
• Never display the “post” author name
16. Securing WordPress
• Connect via FTP? Switch to FTP-SSL or FTPS if your hosting allows for it. Home or coffee shop, it’s a good practice.
• When logging in to wp-admin from anywhere but home/office, use an editor/author/contributor account. Limits the risk of interception of an admin account login.
17. Securing WordPress
• File Permissions (via ftp)
– CHMOD all files to 644
– CHMOD all directories/folders to 755
– CHMOD wp-config.php to 750
– CHMOD wp-content/ to 644 (777 for updates)
• Change the dB prefix from wp_ (WP Security)
• Use strong passwords, and not the same as your gmail, etc.
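An added example (not from the slides) that applies the slide's 644/755 baseline across a WordPress tree and then reports anything still world-writable, such as an uploads directory left at 777 after an update. It assumes a POSIX shell with find, chmod and mktemp; the 600 it puts on wp-config.php is the example's own tightening, not the slide's 750, and the directory tree it builds is a constructed sample.

```shell
#!/bin/sh
# Added example, not from the slides: apply the 644 (files) / 755 (directories)
# baseline from the slide to a WordPress tree and report anything still
# world-writable, e.g. an uploads directory left at 777 after an update.
# Assumes POSIX sh, find, chmod and mktemp; run it against your own install path.
set -eu

# Set every regular file under $1 to 644 and every directory to 755. wp-config.php
# is then tightened to 600 (owner read/write only), because it holds the database
# credentials and salts; 600 is this example's choice, not a value from the slide.
harden_wp_perms() {
  find "$1" -type f -exec chmod 644 {} +
  find "$1" -type d -exec chmod 755 {} +
  if [ -f "$1/wp-config.php" ]; then
    chmod 600 "$1/wp-config.php"
  fi
}

# Print every path under $1 that is still world-writable (the 002 mode bit).
# Empty output means the tree is clean, which makes the check scriptable.
list_world_writable() {
  find "$1" -perm -002 -print
}

# Build a throwaway tree carrying the mistakes the slide warns about (a 777
# uploads directory, a world-writable wp-config.php) to demonstrate offline.
make_demo_tree() {
  demo=$(mktemp -d)
  mkdir -p "$demo/wp-content/uploads" "$demo/wp-admin"
  printf '<?php // constructed sample config\n' > "$demo/wp-config.php"
  printf 'x' > "$demo/wp-content/uploads/image.jpg"
  printf 'x' > "$demo/wp-admin/index.php"
  chmod 777 "$demo/wp-content/uploads" "$demo/wp-content/uploads/image.jpg"
  chmod 666 "$demo/wp-config.php"
  printf '%s\n' "$demo"
}

DEMO=$(make_demo_tree)
echo "World-writable before hardening:"
list_world_writable "$DEMO"
harden_wp_perms "$DEMO"
echo "World-writable after hardening (should print nothing):"
list_world_writable "$DEMO"
rm -rf "$DEMO"
```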
18. Securing WordPress (only for pros)
• Move your wp-config.php file
For example:
public_html/wordpress/wp-config.php
can be moved to:
public_html/wp-config.php
• Move your wp-content directory
Once you have moved your directory you will need to make some adjustments to your wp-config.php file. Add the following lines:
define( 'WP_CONTENT_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content' );
define( 'WP_CONTENT_URL', 'http://example/blog/wp-content' );
You may also need to define the new location for your plug-ins here by adding these lines to the file:
define( 'WP_PLUGIN_DIR', $_SERVER['DOCUMENT_ROOT'] . '/blog/wp-content/plugins' );
define( 'WP_PLUGIN_URL', 'http://example/blog/wp-content/plugins' );
19. Securing WordPress
• Create an .htaccess file in /wp-admin/
# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
20. Securing WordPress wp-config.php
/**#@+
 * Authentication Unique Keys and Salts.
 *
 * Change these to different unique phrases!
 * You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/ WordPress.org secret-key service}
 * You can change these at any point in time to invalidate all existing cookies. This will force all users to have to log in again.
 *
 * @since 2.6.0
 */
define('AUTH_KEY',         'hr+t*O/I&B&J2nwMU44d');
define('SECURE_AUTH_KEY',  'j9drDhHcQ 2@ FXGXjj=');
define('LOGGED_IN_KEY',    'M)NxB1-IMrMOvzfUg&!m');
define('NONCE_KEY',        'DVHBzX!*IEcyJs wb/$I');
define('AUTH_SALT',        '#3CGx3fk0RWgnk5598xt');
define('SECURE_AUTH_SALT', '5jRxpF=yV)@bwgDdWC9_');
define('LOGGED_IN_SALT',   'vTqj1RZ=y=-Nf#wg-aBW');
define('NONCE_SALT',       'hFW_D-R!$O2y)Xr*xm14');
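An added example (not from the slides) that rotates all eight key and salt constants in place with locally generated random values, which is the "invalidate all existing cookies" step the comment block above describes. It assumes POSIX sh, sed, od, sort and /dev/urandom; the wp-config.php it rewrites is a constructed sample in WordPress's shipped placeholder state.

```shell
#!/bin/sh
# Added example, not from the slides: rotate the eight key/salt constants in a
# wp-config.php with fresh random values, which invalidates every login cookie
# as the slide's comment block describes. Assumes POSIX sh, sed, od, sort and
# /dev/urandom; the sample config below is constructed for the demo.
set -eu

SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 32 bytes from the local CSPRNG as 64 hex characters. Hex cannot break the PHP
# quoting or the sed replacement, unlike the punctuation the wordpress.org
# generator emits, so the rewrite below needs no escaping.
new_salt() {
  od -An -tx1 -N32 /dev/urandom | tr -d ' \n'
  echo
}

# Print the current value of each salt constant in $1, one per line.
current_salts() {
  for key in $SALT_KEYS; do
    sed -n "s|^define( *'$key', *'\([^']*\)' *);|\1|p" "$1"
  done
}

# Count salts still set to WordPress's shipped placeholder text.
count_default_salts() {
  current_salts "$1" | grep -c 'put your unique phrase here' || true
}

# Rewrite every define('<KEY>', '...') line in $1 with a fresh salt.
rotate_salts() {
  for key in $SALT_KEYS; do
    value=$(new_salt)
    sed -i.bak "s|^define( *'$key', *'[^']*' *);|define('$key', '$value');|" "$1"
  done
  rm -f "$1.bak"
}

# Constructed wp-config.php fragment in the default, un-customised state.
make_demo_config() {
  cfg=$(mktemp)
  for key in $SALT_KEYS; do
    printf "define('%s', 'put your unique phrase here');\n" "$key" >> "$cfg"
  done
  printf '%s\n' "$cfg"
}

CFG=$(make_demo_config)
echo "Placeholder salts before rotation: $(count_default_salts "$CFG")"
rotate_salts "$CFG"
echo "Placeholder salts after rotation:  $(count_default_salts "$CFG")"
echo "Distinct salts now defined:        $(current_salts "$CFG" | sort -u | wc -l | tr -d ' ')"
```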
21. Securing WordPress
• Use your Google Webmaster Tools
• Check for keyword significance, crawl errors, malware reports.
• If your keyword significance reports unusual pharma, adult or similar spam words your site likely has been hacked (cloaked).
• Fetch your site as Googlebot (tools) and see if your site is cloaked to appear different to Googlebot.
22. Hacked?
1. Take down your site/blog
2. Why? Because most hacks are executed with scripts that attach to many files in your site.
3. Just put up a maintenance page. Don’t announce you have been hacked.
4. Run your security plugins? You installed them right?!
23. Hacked?
5. Change your WordPress, MySQL and hosting/ftp username and password.
6. Check all your header and footer files for any suspicious code, JavaScript, links, etc.
7. Happy it all looks ok/clean? Turn it back on.
8. If this fails to work, then it’s time for a clean install. Got those backup files? Backup dB?
24. Best protection?
• Backup dB
• Backup files, images, plugins
• Install security plugins
• Complex passwords
• Avoid ‘admin’ login from unsecured locations
• Limit number of plugins
• Update plugins and WordPress
• You will be hacked at some point.