http://thewebtrainer.com: This presentation covers how to secure your WordPress blog. There are some simple but important steps you can take to make your WordPress blog air tight!

1. Just how safe is your
WordPress site?
Rick Nielsen
TheWebTrainer.com

2. Who Am I ??
●
Started Mach10 Design in 1998
●
Built over 400 websites since 1998
●
Began hosting websites in 2000
●
Hosted over 3000 websites
●
Started using WordPress in 2008
●
Google Apps reseller in 2008
●
Started The Web Trainer LLC 2009
●
Over 100 WordPress sites
●
First Product Launch Oct 7, 2010
●
TheWebTrainerSystem.com

3. The Purpose of this Presentation…
…is to scare the wp_crap out of you!

4. The Purpose of this Presentation…
…and then make it all better again!

5. What We Will Cover
●
Do I really need to do all this?
●
What to look at first
●
Examples of Link Injection Hack
●
How to secure your WordPress Site: Basics
●
How to secure your WordPress Site: Advanced
●
Plugins that help

6. Do I Really Need To Secure WP?
●
“There is nothing valuable on my blog.”
●
“I only have 20 people a month that visit my site.”
●
“I thought it was already secure?”
●
“What moron hacker would bother my site?”
●
“I'm already secure. I turned off comments.”
YES!!!

7. What To Look At First
●
Start with your hosting company
●
Are they well known?
●
Do they have a good reputation?
●
Is it a Linux or Windows environment?
●
Do they offer a Control Panel?
●
Avoid hosting at “Johnny's Hosting/Pet
Grooming/Coin Laundromat Inc.”

8. Securing WordPress
LET THE FUN BEGIN!!!

9. WordPress Hidden Link Injection
Hacker bots look for known exploits
(SQL Injection, folder perms, etc).
This allows them to insert spam files/links into
your WordPress Themes, plugins, and core files.
Before, it would be used to take your site down, but now
they use it to post spam links.
(Mostly hijacking the/wp-admin/upload.php)

10. Link Injection Example

11. CSS Hides the SPAM
<b style=“display:none”>Any text you want to hide</b>

12. Basic WP Security

13. DO NOT USE ADMIN ACCOUNT
●
Create a new account
●
Make the username very unique
●
Assign the new account an Administrator role
●
Log out and log back in with new account
●
Delete original admin account
●
Make it hard on the hacker! If they already know
your username that’s half the battle

14. Use Secure Passwords
●
News FLASH! 123456 or
abcdefg are not good
passwords!!!!
●
Use strong passwords to
protect your website from
dictionary attacks
●
Not just for WordPress, but
also FTP, MySQL, etc
●
Great resource:
goodpassword.com
●
Creates random passwords

15. Keep WP and Plugins Updated
●
Update WP Core Code
●
Keep Theme files
current
●
Keep all plugins
current
●
Do not use out-dated
plugins

16. Advanced WP Security

17. What folder permissions to use?
●
Files should be set to 644
●
Folders should be set to 755
●
If you can’t upload, increase
privileges (ie 775, 777)
●
Permission levels vary
depending on server
configuration

18. How to Change Permissions
●
Use your FTP client: Dreamweaver, FileZilla
●
Use cPanel “File Manager”
●
The “Uber Geeks” can use shell access for a good
time on a Friday night!

19. Remove WP Version from Header
●
Viewing source on most WP sites reveal the version they are
running
●
<meta name="generator" content="WordPress 2.8" /> <!-- leave this for stats -->
●
This helps hackers find vulnerable WP blogs running older
versions
●
<meta name="generator" content="WordPress <?php bloginfo('version'); ?>" /><!-- leave
this for stats please -->
●
Themes and plugins might also display versions in your
header.

20. Use Secret Keys
●
A secret key is a hashing salt which makes your site harder to hack
by adding random elements to the password.
●
Edit wp-config.php
●
Visit this URL to get your secret keys:
https://api.wordpress.org/secret-key/1.1
Before
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
After
define('AUTH_KEY', '<6R=V1:Hak 6x0`yZ*teE PaG-kw9;|5yS]f%*D0VV+stO9lq?QuV]VR*dy,ggZB');
define('SECURE_AUTH_KEY', 'MduY%x#o!P?6n`[4LU~Ca/,:_mMp++j|om3J`8A{-qStd WVGvaa),9|U{n({>FB');
define('LOGGED_IN_KEY', '`l:8,+O+@Z,!7F+. = )YmhGaYjV6@~rq:1W0^/uK& MSoo==v(a EOM}oM;4J,V');
define('NONCE_KEY', 'KOWQmp~[[z{+Q=n(7-ZlI/+:#Rw-1l|2GSNrpO +VX6)tYN)Bj;s3yy4:OQTD9`r');

21. Change WordPress Table Prefix
●
Edit wp-config.php before installing WordPress
●
Change the prefix wp_ to something unique:
/**
* WordPress Database Table prefix.
*
* You can have multiple installations in one database if you give each a unique
* prefix. Only numbers, letters, and underscores please!
*/
$table_prefix = ‘zztop_';
●
All database tables will now have a unique prefix (ie
zztop_posts)

22. .htaccess lockdown
●
Create a .htaccess file in your wp-admin directory
●
Add the following lines of code
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "Access Control"
AuthType Basic
order deny,allow
deny from all
#IP address to Whitelist
allow from 67.123.83.59
●
Only a user with the IP 67.123.83.59 can access
wp-admin

23. Other WP Security Tips
●
Move the wp-content Directory
●
Move the wp-config.php file
●
Hide your plugins folder (add index.php)
●
Check Google Web Master tools to see if your
site has been compromised and it will tell you
why.
●
Backup, backup, backup and..oh ya...BACKUP!!

24. Recommended Security Plugins

25. WP Security Plugins
●
WP Security Scan
●
WordPress Exploit Scanner
●
WordPress File Monitor
●
Login Lockdown Plugin

26. And if you STILL get HACKED?
Give Up and Join the Circus!

27. Contact Info
Rick Nielsen
rick@thewebtrainer.com
http://thewebtrainer.com
Everywhere around the web: thewebtrainer