SlideShare uma empresa Scribd logo

Top Ten WordPress Security Tips for 2012

Brad Williams
Brad Williams

My list of the Top Ten W

TecnologiaNegócios
1 de 35
Baixar para ler offline
BY BRAD WILLIAMS
Brad Williams Co-Founder WebDevStudios.com Co-Author Professional WordPress & Professional WordPress Plugin Development Co-Organizer WordCamp Philly Co-Host WP Late Night
FOR WORDPRESS Top Ten WordPress Security Tips
FOR WORDPRESS 1 Update Update Update Keep WordPress Updated! Minor WordPress versions ( ie 3.3.x ) do NOT add new features. They contain bug fixes and security patches
FOR WORDPRESS 1 Update Update Update Update Those Plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
FOR WORDPRESS 1. Update Update Update NO EXCUSES! UPDATE!
FOR WORDPRESS 2. Use Secret Keys Some secrets should remain secrets
FOR WORDPRESS 2. Use Secret Keys A secret key is a hashing salt which makes your site harder to hack by adding random elements to the cookies WordPress creates. 1. Edit wp-config.php BEFORE AFTER define('AUTH_KEY', 'put your unique phrase here'); define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+'); define('NONCE_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H'); define('AUTH_SALT', 'put your unique phrase here'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*'); define('NONCE_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6'); 2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
FOR WORDPRESS Do you login with username admin?
FOR WORDPRESS
FOR WORDPRESS 3. Delete the Admin user account Change the admin username in MySQL: UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin'; Or create a new account with administrator privileges. 1. Create a new account. Make the username very unique 2. Set account to Administrator role 3. Log out and log back in with new account 4. Delete admin account WordPress will allow you to reassign all content written by admin to an account of your choice.
FOR WORDPRESS 3. Delete the Admin user account WordPress lets you set the username during the installation process! DON'T USE ADMIN!
FOR WORDPRESS 3. Delete the Admin user account Knowing your username is half the battle. Don't make it easy on the hackers.
FOR WORDPRESS 4. File and Folder Permissions What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755 Start with the default settings above If your host requires 777…SWITCH HOSTS!
FOR WORDPRESS 4. File and Folder Permissions Or via SSH with the following commands find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ;
FOR WORDPRESS 5. Move wp-config.php WordPress features the ability to move the wp-config.php file one directory above your WordPress root If WordPress is located here: public_html/wordpress/wp-config.php You can move your wp-config.php file to here public_html/wp-config.php WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory
FOR WORDPRESS 6. Lock Down WP Login and WP Admin
FOR WORDPRESS 6. Lock Down WP Login and WP Admin Add the code below to wp-config.php to force SSL (https) on login define('FORCE_SSL_LOGIN', true); Add the code below to wp-config.php to force SSL (https) on all admin pages define('FORCE_SSL_ADMIN', true); Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping
FOR WORDPRESS 6. Lock Down WP Login and WP Admin 1. Create an .htaccess file in your wp-admin directory 2. Add the following lines of code: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 allow from 123.123.123.* Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin
FOR WORDPRESS 7. Use Trusted Sources for Themes & Plugins WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed 1. Safe: 1 2. Iffy: 1 3. Avoid: 8 Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
FOR WORDPRESS 7. Use Trusted Sources for Themes & Plugins The only safe site reviewed was WordPress.org Most themes included base64() encoded text links to promote various servies Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
FOR WORDPRESS 8. Be Secure Locally Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected! Keep your computer up to date • Ensure you’re patching or installing updates ASAP • Automatic updates rock! Install an anti-virus solution • Ensure you’re keeping definitions current • Automatic updates aren’t a bad idea here either! Yes, personal firewalls still apply!
FOR WORDPRESS 8. Be Secure Locally It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks? Your Internet Connection Use SSL whenever possible, especially on an unverified connection. • HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind. Connecting To Your Site(s) Consider using sFTP or SSH vs. FTP •Still widely marketed, but did you know your credentials are passed unencrypted when using FTP? •If unavoidable, do not allow anonymous logins, limit connections, practice least privilege. •Don’t store your credentials in your FTP client.
FOR WORDPRESS 9. Use a Trusted Host You get what you pay for…
FOR WORDPRESS 9. Use a Trusted Host At the end of the day, hosting providers market the world. You in turn, should have opportunity to know how they’re going to protect you. Your Lovely Host • Cheap doesn’t always mean best, or safe! • How many sites on their network are blacklisted for malware reasons? • What version of software do they run and how often do they update? • How are account credentials stored & who has access?
FOR WORDPRESS 9. Use a Trusted Host Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress specific hosting!
FOR WORDPRESS 10. Use Common Sense • Use a strong password • BAD: bradisawesome • GOOD: SCrEE79joLly$ • A=@, E=3, S=$, O=0 (This is not unique, they know this) • Update passwords regularly (Monthly, make a schedule) • Know your admins, limit number of accounts (WP, FTP, Hosting, etc) • Backup, Backup, Backup (Use BackupBuddy for scheduled backups)
FOR WORDPRESS Plugins & Services
FOR WORDPRESS Login Lockdown http://wordpress.org/extend/plugins/login-lockdown/
FOR WORDPRESS BulletProof Security • .htaccess lockdown rules for various directories (root, wp- admin, etc) • Security status scanner for folder/file permissions and file checks • Very well documented http://wordpress.org/extend/plugins/bulletproof-security/
FOR WORDPRESS Secure WordPress • Hides login error messages • Adds index.php to /themes and /plugins to prevent directory listing • Removes WP, plugin, and theme update notices for non-admins • and more! http://wordpress.org/extend/plugins/secure-wordpress/
FOR WORDPRESS Exploit Scanner • Scans your files and database for potentially malicious code • Does not remove code, only detects it http://wordpress.org/extend/plugins/exploit-scanner/
FOR WORDPRESS http://Sucuri.net • Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/ • Website monitoring • Hack cleanup services • Sucuri Security Plugin • Free to clients • Web Application Firewall • Integrity Monitoring • Auditing • Hardening http://Sucuri.net
FOR WORDPRESS • Security Related Articles • http://codex.wordpress.org/Hardening_WordPress • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is- locked.html • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web- malware-company.html • Clean a Hacked Site • http://codex.wordpress.org/FAQ_My_site_was_hacked • http://www.marketingtechblog.com/wordpress-hacked/ • Support Forums • Hacked: http://wordpress.org/tags/hacked • Malware: http://wordpress.org/tags/malware
Brad Williams brad@webdevstudios.com Blog: strangework.com Twitter: @williamsba IRC: WDS-Brad Professional WordPress Second Edition coming December 2012!

Recomendados

Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanJeff Hoffman
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009Brad Williams
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityBrad Williams
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011Dre Armeda
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013Brad Williams
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaDre Armeda
 

Recomendados

Securing WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanSecuring WordPress by Jeff Hoffman
Securing WordPress by Jeff HoffmanJeff Hoffman
 
WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009WordPress Security Updated - NYC Meetup 2009
WordPress Security Updated - NYC Meetup 2009Brad Williams
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
WordPress Security
WordPress SecurityWordPress Security
WordPress SecurityBrad Williams
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011WordPress End-User Security - WordCamp Las Vegas 2011
WordPress End-User Security - WordCamp Las Vegas 2011Dre Armeda
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013Brad Williams
 
WordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaWordCamp Chicago 2011 - WordPress End User Security - Dre Armeda
WordCamp Chicago 2011 - WordPress End User Security - Dre ArmedaDre Armeda
 
WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Lockdown WordPress
Lockdown WordPressLockdown WordPress
Lockdown WordPressDre Armeda
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basicsamiable_indian
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupJohn Carcutt
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Joomla! on Heroku
Joomla! on HerokuJoomla! on Heroku
Joomla! on HerokuYireo
 
Joomla! security
Joomla! securityJoomla! security
Joomla! securityYireo
 
Website security
Website securityWebsite security
Website securityAkhilesh Kant
 
Locking down word press
Locking down word pressLocking down word press
Locking down word pressZachary Russell
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!Dougal Campbell
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best PracticesWordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best PracticesBrecht Ryckaert
 
WordPress Security Tips
WordPress Security TipsWordPress Security Tips
WordPress Security TipsCatch Themes
 
WordPress Performance optimization
WordPress Performance optimizationWordPress Performance optimization
WordPress Performance optimizationBrecht Ryckaert
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites Catch Themes
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressChelsea O'Brien
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your JoomlaSiteGround.com
 
7. mastering wordpress
7. mastering wordpress7. mastering wordpress
7. mastering wordpressMoreNiche
 
WordCamp North Canton - WordPress & Podcasting
WordCamp North Canton - WordPress & PodcastingWordCamp North Canton - WordPress & Podcasting
WordCamp North Canton - WordPress & PodcastingDustin Hartzler
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateZero Point Development
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Brad Williams
 

Mais conteúdo relacionado

Mais procurados

WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009Brad Williams
 
Lockdown WordPress
Lockdown WordPressLockdown WordPress
Lockdown WordPressDre Armeda
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013Thor Kristiansen
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupJohn Carcutt
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityTiia Rantanen
 
Joomla! on Heroku
Joomla! on HerokuJoomla! on Heroku
Joomla! on HerokuYireo
 
Joomla! security
Joomla! securityJoomla! security
Joomla! securityYireo
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best PracticesWordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best PracticesBrecht Ryckaert
 
WordPress Security Tips
WordPress Security TipsWordPress Security Tips
WordPress Security TipsCatch Themes
 
WordPress Performance optimization
WordPress Performance optimizationWordPress Performance optimization
WordPress Performance optimizationBrecht Ryckaert
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites Catch Themes
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressChelsea O'Brien
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your JoomlaSiteGround.com
 
7. mastering wordpress
7. mastering wordpress7. mastering wordpress
7. mastering wordpressMoreNiche
 
WordCamp North Canton - WordPress & Podcasting
WordCamp North Canton - WordPress & PodcastingWordCamp North Canton - WordPress & Podcasting
WordCamp North Canton - WordPress & PodcastingDustin Hartzler
 

Mais procurados (20)

WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009WordPress Security - WordCamp NYC 2009
WordPress Security - WordCamp NYC 2009
 
Lockdown WordPress
Lockdown WordPressLockdown WordPress
Lockdown WordPress
 
WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013WordPress Security - WordPress Meetup Copenhagen 2013
WordPress Security - WordPress Meetup Copenhagen 2013
 
Google Hacking Basics
Google Hacking BasicsGoogle Hacking Basics
Google Hacking Basics
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
 
WordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress SecurityWordCamp Finland 2015 - WordPress Security
WordCamp Finland 2015 - WordPress Security
 
Joomla! on Heroku
Joomla! on HerokuJoomla! on Heroku
Joomla! on Heroku
 
Joomla! security
Joomla! securityJoomla! security
Joomla! security
 
Website security
Website securityWebsite security
Website security
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best PracticesWordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
WordPress Meetup Ieper - 15/03/2018 - WordPress Security Best Practices
 
WordPress Security Tips
WordPress Security TipsWordPress Security Tips
WordPress Security Tips
 
WordPress Performance optimization
WordPress Performance optimizationWordPress Performance optimization
WordPress Performance optimization
 
Building Secure WordPress Sites
Building Secure WordPress Sites Building Secure WordPress Sites
Building Secure WordPress Sites
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your Wordpress
 
8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla8 Simple Ways to Hack Your Joomla
8 Simple Ways to Hack Your Joomla
 
7. mastering wordpress
7. mastering wordpress7. mastering wordpress
7. mastering wordpress
 
WordCamp North Canton - WordPress & Podcasting
WordCamp North Canton - WordPress & PodcastingWordCamp North Canton - WordPress & Podcasting
WordCamp North Canton - WordPress & Podcasting
 

Semelhante a Top Ten WordPress Security Tips for 2012

WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateZero Point Development
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Brad Williams
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Think Media Inc.
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityBrad Williams
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security TipsLalit Nama
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and SecurityThink Media Inc.
 
WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011Dre Armeda
 
WordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksWordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksFaraz Ahmed
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wildrebelpixel
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonBastian Grimm
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress websiteSiteGround.com
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening StepsPlasterdog Web Design
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wildrebelpixel
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010Brad Williams
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentalsfindingsimple
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignJudy Wilson
 

Semelhante a Top Ten WordPress Security Tips for 2012 (20)

WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
WordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress SecurityWordCamp Mid-Atlantic WordPress Security
WordCamp Mid-Atlantic WordPress Security
 
Wordpress Security Tips
Wordpress Security TipsWordpress Security Tips
Wordpress Security Tips
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011WordPress End-User Security - Orange County WordCamp 2011
WordPress End-User Security - Orange County WordCamp 2011
 
WordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksWordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & Tricks
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The WildWord Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
WordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, LondonWordPress Optimization & Security - LAC 2013, London
WordPress Optimization & Security - LAC 2013, London
 
WordPress Security Guide
WordPress Security GuideWordPress Security Guide
WordPress Security Guide
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening Steps
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
 
WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010WordPress Security - WordCamp Boston 2010
WordPress Security - WordCamp Boston 2010
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
 
Up and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web DesignUp and Running with WordPress - Site Shack Nashville Web Design
Up and Running with WordPress - Site Shack Nashville Web Design
 

Mais de Brad Williams

From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015Brad Williams
 
Hiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyHiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyBrad Williams
 
Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Brad Williams
 
How to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressHow to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressBrad Williams
 
Writing Secure WordPress Code
Writing Secure WordPress CodeWriting Secure WordPress Code
Writing Secure WordPress CodeBrad Williams
 
Using WordPress as an Application Framework
Using WordPress as an Application FrameworkUsing WordPress as an Application Framework
Using WordPress as an Application FrameworkBrad Williams
 
WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012Brad Williams
 
WordPress for Beginners
WordPress for BeginnersWordPress for Beginners
WordPress for BeginnersBrad Williams
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress PluginBrad Williams
 
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesSurviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesBrad Williams
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentBrad Williams
 
Spooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPSpooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPBrad Williams
 
Custom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressCustom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressBrad Williams
 
Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfBrad Williams
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online PresenceWebsite Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online PresenceBrad Williams
 
Advanced Thesis Techniques and Tricks
Advanced Thesis Techniques and TricksAdvanced Thesis Techniques and Tricks
Advanced Thesis Techniques and TricksBrad Williams
 

Mais de Brad Williams (17)

From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
From Freelance to Agency: Hiring Employee Number One - WordCamp London 2015
 
Hiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to AgencyHiring Employee Number One: From Freelancer to Agency
Hiring Employee Number One: From Freelancer to Agency
 
Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014Writing Secure WordPress Code WordCamp NYC 2014
Writing Secure WordPress Code WordCamp NYC 2014
 
How to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPressHow to Make a Native Mobile App with WordPress
How to Make a Native Mobile App with WordPress
 
Writing Secure WordPress Code
Writing Secure WordPress CodeWriting Secure WordPress Code
Writing Secure WordPress Code
 
Using WordPress as an Application Framework
Using WordPress as an Application FrameworkUsing WordPress as an Application Framework
Using WordPress as an Application Framework
 
WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012WordPress Security from WordCamp NYC 2012
WordPress Security from WordCamp NYC 2012
 
WordPress Multisite
WordPress MultisiteWordPress Multisite
WordPress Multisite
 
WordPress for Beginners
WordPress for BeginnersWordPress for Beginners
WordPress for Beginners
 
Creating Your First WordPress Plugin
Creating Your First WordPress PluginCreating Your First WordPress Plugin
Creating Your First WordPress Plugin
 
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and TaxonomiesSurviving the Zombie Apocalypse using Custom Post Types and Taxonomies
Surviving the Zombie Apocalypse using Custom Post Types and Taxonomies
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
Spooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WPSpooky WordPress: Disturbingly Brilliant Uses of WP
Spooky WordPress: Disturbingly Brilliant Uses of WP
 
Custom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPressCustom Post Types and Taxonomies in WordPress
Custom Post Types and Taxonomies in WordPress
 
Top 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard OfTop 20 WordPress Plugins You've Never Heard Of
Top 20 WordPress Plugins You've Never Heard Of
 
Website Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online PresenceWebsite Design Dos and Don’ts for a Successful Online Presence
Website Design Dos and Don’ts for a Successful Online Presence
 
Advanced Thesis Techniques and Tricks
Advanced Thesis Techniques and TricksAdvanced Thesis Techniques and Tricks
Advanced Thesis Techniques and Tricks
 

Último

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024Stephanie Beckett
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfMounikaPolabathina
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.Curtis Poe
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 

Último (20)

New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024What's New in Teams Calling, Meetings and Devices March 2024
What's New in Teams Calling, Meetings and Devices March 2024
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
What is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdfWhat is DBT - The Ultimate Data Build Tool.pdf
What is DBT - The Ultimate Data Build Tool.pdf
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.How AI, OpenAI, and ChatGPT impact business and software.
How AI, OpenAI, and ChatGPT impact business and software.
 
Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 

Top Ten WordPress Security Tips for 2012

  • 2. Brad Williams Co-Founder WebDevStudios.com Co-Author Professional WordPress & Professional WordPress Plugin Development Co-Organizer WordCamp Philly Co-Host WP Late Night
  • 3. FOR WORDPRESS Top Ten WordPress Security Tips
  • 4. FOR WORDPRESS 1 Update Update Update Keep WordPress Updated! Minor WordPress versions ( ie 3.3.x ) do NOT add new features. They contain bug fixes and security patches
  • 5. FOR WORDPRESS 1 Update Update Update Update Those Plugins! The plugin Changelog tab makes it very easy to view what has changed in a new plugin version
  • 6. FOR WORDPRESS 1. Update Update Update NO EXCUSES! UPDATE!
  • 7. FOR WORDPRESS 2. Use Secret Keys Some secrets should remain secrets
  • 8. FOR WORDPRESS 2. Use Secret Keys A secret key is a hashing salt which makes your site harder to hack by adding random elements to the cookies WordPress creates. 1. Edit wp-config.php BEFORE AFTER define('AUTH_KEY', 'put your unique phrase here'); define('AUTH_KEY', '*8`:Balq!`,-j.JTl~sP%&>@ON,t(}S6)IG|nG1JIfY(,y=][-3$!N6be]-af|BD'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'q+i-|3S~d?];6$[$!ZOXbw6c]0 !k/,UxOod>fqV!sWCkvBihF2#hI=CDt_}WaH1'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'D/QoRf{=&OC=CrT/^Zq}M9MPT&49^O}G+m2L{ItpX_jh(-I&-?pkeC_SaF0nw;m+'); define('NONCE_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'oJo8C&sc+ C7Yc,W1v o5}.FR,Zk!J<]vaCa%2D9nj8otj5z8UnJ_q.Q!hgpQ*-H'); define('AUTH_SALT', 'put your unique phrase here'); define('AUTH_SALT', 'r>O/;U|xg~I5v.u(Nq+JMfYHk.*[p8!baAsb1DKa8.0}q/@V5snU1hV2eR!|whmt'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', '3s1|cIj d7y<?]Z1n# i1^FQ *L(Kax)Y%r(mp[DUX.1a3!jv(;P_H6Q7|y.!7|-'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', '`@>+QdZhD!|AKk09*mr~-F]/F39Sxjl31FX8uw+wxUYI;U{NWx|y|+bKJ*4`uF`*'); define('NONCE_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'O+#iqcPw#]O4TcC%Kz_DAf:mK!Zy@Zt*Kmm^C25U|T!|?ldOf/l1TZ6Tw$9y[M/6'); 2. Visit this URL to get your secret keys: https://api.wordpress.org/secret-key/1.1/salt
  • 9. FOR WORDPRESS Do you login with username admin?
  • 11. FOR WORDPRESS 3. Delete the Admin user account Change the admin username in MySQL: UPDATE wp_users SET user_login='hulkster' WHERE user_login='admin'; Or create a new account with administrator privileges. 1. Create a new account. Make the username very unique 2. Set account to Administrator role 3. Log out and log back in with new account 4. Delete admin account WordPress will allow you to reassign all content written by admin to an account of your choice.
  • 12. FOR WORDPRESS 3. Delete the Admin user account WordPress lets you set the username during the installation process! DON'T USE ADMIN!
  • 13. FOR WORDPRESS 3. Delete the Admin user account Knowing your username is half the battle. Don't make it easy on the hackers.
  • 14. FOR WORDPRESS 4. File and Folder Permissions What folder permissions should you use? Good Rule of Thumb: • Files should be set to 644 • Folders should be set to 755 Start with the default settings above If your host requires 777…SWITCH HOSTS!
  • 15. FOR WORDPRESS 4. File and Folder Permissions Or via SSH with the following commands find [your path here] -type d -exec chmod 755 {} ; find [your path here] -type f -exec chmod 644 {} ;
  • 16. FOR WORDPRESS 5. Move wp-config.php WordPress features the ability to move the wp-config.php file one directory above your WordPress root If WordPress is located here: public_html/wordpress/wp-config.php You can move your wp-config.php file to here public_html/wp-config.php WordPress automatically checks the parent directory if a wp-config.php file is not found in your root directory This makes it nearly impossible for anyone to access your wp-config.php file from a browser as it now resides outside of your website’s root directory
  • 17. FOR WORDPRESS 6. Lock Down WP Login and WP Admin
  • 18. FOR WORDPRESS 6. Lock Down WP Login and WP Admin Add the code below to wp-config.php to force SSL (https) on login define('FORCE_SSL_LOGIN', true); Add the code below to wp-config.php to force SSL (https) on all admin pages define('FORCE_SSL_ADMIN', true); Using SSL (https) on all admin screens in WordPress will encrypt all data transmitted with the same encryption as online shopping
  • 19. FOR WORDPRESS 6. Lock Down WP Login and WP Admin 1. Create an .htaccess file in your wp-admin directory 2. Add the following lines of code: AuthUserFile /dev/null AuthGroupFile /dev/null AuthName "Access Control" AuthType Basic order deny,allow deny from all #IP address to Whitelist allow from 67.123.83.59 allow from 123.123.123.* Only a user with the IP 67.123.83.59 or 123.123.123.* can access wp-admin
  • 20. FOR WORDPRESS 7. Use Trusted Sources for Themes & Plugins WPMU.org reviewed the top 10 results for “free wordpress themes” on Google. Out of the ten sites reviewed 1. Safe: 1 2. Iffy: 1 3. Avoid: 8 Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
  • 21. FOR WORDPRESS 7. Use Trusted Sources for Themes & Plugins The only safe site reviewed was WordPress.org Most themes included base64() encoded text links to promote various servies Source: http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
  • 22. FOR WORDPRESS 8. Be Secure Locally Think of your local environment as if it was a medieval castle and you’re the queen or king. Your kingdom must be protected! Keep your computer up to date • Ensure you’re patching or installing updates ASAP • Automatic updates rock! Install an anti-virus solution • Ensure you’re keeping definitions current • Automatic updates aren’t a bad idea here either! Yes, personal firewalls still apply!
  • 23. FOR WORDPRESS 8. Be Secure Locally It’s your information, but who’s watching & listening? You may be a network geek at home, but what happens at Starbucks? Your Internet Connection Use SSL whenever possible, especially on an unverified connection. • HTTPS is a great way to ensure your transactions & traffic are traveling with security in mind. Connecting To Your Site(s) Consider using sFTP or SSH vs. FTP •Still widely marketed, but did you know your credentials are passed unencrypted when using FTP? •If unavoidable, do not allow anonymous logins, limit connections, practice least privilege. •Don’t store your credentials in your FTP client.
  • 24. FOR WORDPRESS 9. Use a Trusted Host You get what you pay for…
  • 25. FOR WORDPRESS 9. Use a Trusted Host At the end of the day, hosting providers market the world. You in turn, should have opportunity to know how they’re going to protect you. Your Lovely Host • Cheap doesn’t always mean best, or safe! • How many sites on their network are blacklisted for malware reasons? • What version of software do they run and how often do they update? • How are account credentials stored & who has access?
  • 26. FOR WORDPRESS 9. Use a Trusted Host Only use a trusted host that clearly states their security policies. Bonus points if they specialize in WordPress specific hosting!
  • 27. FOR WORDPRESS 10. Use Common Sense • Use a strong password • BAD: bradisawesome • GOOD: SCrEE79joLly$ • A=@, E=3, S=$, O=0 (This is not unique, they know this) • Update passwords regularly (Monthly, make a schedule) • Know your admins, limit number of accounts (WP, FTP, Hosting, etc) • Backup, Backup, Backup (Use BackupBuddy for scheduled backups)
  • 29. FOR WORDPRESS Login Lockdown http://wordpress.org/extend/plugins/login-lockdown/
  • 30. FOR WORDPRESS BulletProof Security • .htaccess lockdown rules for various directories (root, wp- admin, etc) • Security status scanner for folder/file permissions and file checks • Very well documented http://wordpress.org/extend/plugins/bulletproof-security/
  • 31. FOR WORDPRESS Secure WordPress • Hides login error messages • Adds index.php to /themes and /plugins to prevent directory listing • Removes WP, plugin, and theme update notices for non-admins • and more! http://wordpress.org/extend/plugins/secure-wordpress/
  • 32. FOR WORDPRESS Exploit Scanner • Scans your files and database for potentially malicious code • Does not remove code, only detects it http://wordpress.org/extend/plugins/exploit-scanner/
  • 33. FOR WORDPRESS http://Sucuri.net • Free Website Malware Scanner: http://sitecheck.sucuri.net/scanner/ • Website monitoring • Hack cleanup services • Sucuri Security Plugin • Free to clients • Web Application Firewall • Integrity Monitoring • Auditing • Hardening http://Sucuri.net
  • 34. FOR WORDPRESS • Security Related Articles • http://codex.wordpress.org/Hardening_WordPress • http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html • http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is- locked.html • http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web- malware-company.html • Clean a Hacked Site • http://codex.wordpress.org/FAQ_My_site_was_hacked • http://www.marketingtechblog.com/wordpress-hacked/ • Support Forums • Hacked: http://wordpress.org/tags/hacked • Malware: http://wordpress.org/tags/malware
  • 35. Brad Williams brad@webdevstudios.com Blog: strangework.com Twitter: @williamsba IRC: WDS-Brad Professional WordPress Second Edition coming December 2012!