WordPress 

Security




Simple things you can do to keep your 
WordPress site secure

WordPress is secure





It's you who makes it insecure.

Don't use 'admin' as the username




Pretty straightforward, right?

Strong Passwords, please


  • Should contain uppercase & lowercase letters, numbers and symbols (like ! and $)

  • Don't use the same password for all your services (Website, Twitter, Facebook)

  • Making a super complex password and writing it down, is better than having one you can remember in your head.



Choose correct permissions


NOT EVERYONE NEEDS FULL ACCESS!


  • Administrator access in WordPress
  • Root access FTP/SSH
  • Full access in Control Panel 

Lockdown your login form


  • Blocks IP after 3 failed attempts

  • Great for people manually trying to hack you

  • Plugin - http://wordpress.org/plugins/limit-login-attempts/

Keep WordPress up to date


  • 3.7 introduced automatic updates for security releases.

  • If you're running 3.9 at the moment, you're doing it wrong. Latest release is 3.9.1 - update now!

  • "But I'm scared I might break something"
    WordPress is extremely backwards compatible, if things are breaking every time you update then you have a bigger problem.

Take care when installing plugins


  • Don't go installing all the plugins

  • Keep your plugins up to date - plugin authors release security updates too.

  • Check feedback for the plugin - lots of reviews & 5 stars is a good indicator

  • Deactivate (and remove) any plugins you are not using.

Same is true for themes too.

Pick a good host


  • Does your host tell you to set permissions to 777?

  • Are they proactive against security risks?

  • Do they blog about security and send information?

  • Are they responsive on social networks?

 


Secure your environment


  • Use SFTP over FTP
  • Disable file editing in WP
  • Use SSL
  • Add .htaccess rules to lockdown files & folders
  • Check for malware (changed files)
  • Backup your site

Secure your code


  • Check permissions before performing action
    current_user_can('edit_posts')

  • Sanitize all user inputs to prevent SQL injection
    sanitize_text_field( $_POST['title'] );

  • Escape data to protect the end user from XSS
    esc_html( $title );

  • Use nonces to prevent Cross Site Request Forgery (CSRF)
    wp_create_nonce()
  • Security through obscurity.


    • Rename 'admin' username to something else
    • Change table prefix from 'wp_'
    • Lock down folders by .htaccess
    • Limit wp-admin by IP address

                    False economy?

          • Removing WP Version
          • Change location of wp-content

                    You can run but you can't hide

    Use two factor authentication


    There are three types of authentication widely used today

      1. Something the user knows - i.e. a password
      2. Something the user is - unique (biometrics)
      3. Something the user has - a possession (iPhone)

    Google Two Factor Authentication

    https://wordpress.org/plugins/google-authenticator/

    Questions?


    WordPress Security

    By Steven Jones

    WordPress Security

    WordPress North East - 20th May 2014

    • 2,515