This was a 45 minute presentation given to the Calgary WordPress Meetup group on April 23, 2013 on WordPress Security along with additional tips and tricks on password best practices.
Meetup: http://www.meetup.com/The-Calgary-WordPress-Meetup-Group/
Presenter: http://rexroar.com
3. If you don’t follow password best practices, your hacked WordPress account could lead to other compromised accounts
4. What’s at risk?
• Redirect visitors to a completely different website
• Compromise the shared hosting server and infect other sites
• Phish for sensitive info
• Hijack links
• Blacklisted by Google and other search engines
• And more…
6. Things you can do
• Keep your core, themes & plugins updated
• Remove unused themes & plugins from the server
• Remove the WP version number
• Select a good username
• Never write as an Administrator
• Create & use a strong password
• Secure WordPress further
7. Keep up-to-date
• The majority of hacked WordPress sites are not updated!
• Before ever making updates, ensure you back up your database AND content
• Use a plugin like BackupBuddy to automate the task, or other free options
• Update WordPress, themes & plugins
8. Clean up your house
• Remove unused themes (twentyten, etc)
• Remove inactive plugins from WordPress and the server
• Don’t keep .sql files (or other backups) stored on your server
9. Remove the WP version number
http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpre
10. Select a good username
• Never use ‘admin’ or ‘administrator’ as your username
• Never use the sitename as your username
• If you have one of these, get rid of it…now
• Your personal name is OK, but your password needs to be strong
11. Never write as an Admin user
• In no time at all a username can be determined
• If a post is written as an admin, half the job is already done
12. Create & use a strong password
When creating a password, do NOT use:
• Your birthdate, wedding anniversary, or dates of birth of your children or spouse
• Your name, username, company name, names of your children
• Your SIN number
• Only numbers or letters
• A short, easy to remember password
• The word ‘password’
• No words found in a dictionary*
13. Create & use a strong password
When creating a password, do use:
• At least 10 characters
• A mix of numbers, upper and lower case letters and special characters
• A password you have never used before
• Consider ‘salting’ your password
• Have a system or mnemonic
14. Create & use a strong password
Consider a multi-word combo password
Credit: http://xkcd.com/936/
15. Create & use a strong password
Consider a multi-word combo password
• More likely to be remembered
• Words must be random
• Words must not relate
• Upper & lower cases still matter
• Add a number or two
• Special character as well
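As an added example (not from the presentation), the following Python generator and checker implement the multi-word combo password described on slides 13 and 15: random, non-repeating words, mixed case, a number and a special character, with an entropy estimate. The word list and special-character set are constructed for illustration; a real generator would use a large published list.

```python
import math
import secrets
import string

# Constructed sample word list for illustration only. A real generator
# should draw from a large list (thousands of unrelated words).
WORDLIST = ["correct", "horse", "battery", "staple", "maple", "orbit",
            "kettle", "pillow", "garnet", "tundra", "velvet", "whisker"]

SPECIALS = "!@#$%^&*?"


def passphrase_entropy_bits(num_words, wordlist_size, digits=0, specials=0):
    """Entropy in bits of a randomly chosen passphrase.

    Each word contributes log2(wordlist size); each appended digit
    contributes log2(10) and each special character log2(len(SPECIALS)).
    Capitalisation is applied deterministically here, so it adds nothing.
    """
    return (num_words * math.log2(wordlist_size)
            + digits * math.log2(10)
            + specials * math.log2(len(SPECIALS)))


def generate_passphrase(num_words=4, wordlist=WORDLIST):
    """Multi-word combo password: words picked with a CSPRNG, no repeats
    (so they do not relate), each capitalised for mixed case, joined with
    hyphens, then one digit and one special character appended."""
    if num_words > len(wordlist):
        raise ValueError("not enough distinct words in list")
    pool = list(wordlist)
    words = [pool.pop(secrets.randbelow(len(pool))).capitalize()
             for _ in range(num_words)]
    digit = str(secrets.randbelow(10))
    special = secrets.choice(SPECIALS)
    return "-".join(words) + digit + special


def meets_slide_rules(password, min_length=10):
    """Check the slide's 'do use' rules: at least 10 characters and a mix
    of digits, upper case, lower case and special characters."""
    return (len(password) >= min_length
            and any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and any(c.islower() for c in password)
            and any(c in string.punctuation for c in password))
```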
16. Create & use a strong password
DO NOT store your password in an obvious place!
• NOT on a sticky note on your monitor
• NOT in your daily planner
Use a Password Keeper
• LastPass.com
• AgileBits.com/OnePassword
17. Create & use a strong password
Don’t panic, password recovery is built in!
18. Create & use a strong password
Password Generator
• www.StrongPasswordGenerator.com
• www.random.org/passwords/
Test your password
• www.PasswordMeter.com
• www.grc.com/haystack.htm
19. Secure WordPress further
Four free plugins you can use to secure WP
• Limit Login Attempts
• Better WP Security
• Wordfence
• WP Security Scan
All are located in the WordPress plugin repository