Published on March 17, 2014
WORDPRESS SECURITY IS LIKE A HHAM SANDWICH
For WordPress users
• More than 20% of websites are using WordPress
• This makes WordPress a target for hackers
NOT IF, BUT WHEN
• Without protection, it’s not a question of if you will be hacked, but when
SO HOW CAN YOU BE PROTECTED?
THINK HHAM SANDWICH
Hosting • Hardening • Access • Maintenance
HOSTING
• The trouble with sharing
• Shared hosting (multi-tenancy) is akin to cubicles in an office: gain access to the office, and with a little effort, you have access to all the cubes
• Because shared servers must support many applications, server software is often out of date, so hackers can exploit security holes in old software, holes that were already plugged by updates that have yet to be applied
DEDICATED WP HOSTS ARE BETTER
• Server software is kept up to date because the server only has to support one type of application software: WordPress
• Dedicated WP hosting performs better; it is optimized for WordPress’ specific requirements
• Built-in backups and security scanning, usually nightly
• Quality control over plugins: known attack vectors and server thrashers aren’t allowed
HARDENING
Make it hard for the hackers’ bots and they move on (some of these suggestions may require a developer)
• Shut down the theme and plugin “Editor”
• Disallow the theme and plugin editor by adding the following to wp-config.php:
  define( 'DISALLOW_FILE_EDIT', true );
• Set permissions on your wp-content and themes directories to 755
• Set permissions on files to 644
• Install the BruteProtect plugin to block brute force attacks
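A permission audit for the 755/644 rule above, as an added shell example that is not part of the original slides (wp_perm_list, wp_perm_count and wp_perm_fix are names chosen here; point it at the WordPress root):

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress tree against the
# HARDENING rule "directories 755, files 644" and optionally fix it.
# Function names are assumptions. Usage: wp_perm_count /var/www/site

# Print every path that breaks the rule: directories that are not exactly
# 755, then regular files that are not exactly 644. Symlinks are skipped.
wp_perm_list() {
  root=$1
  find "$root" -type d ! -perm 755 -print
  find "$root" -type f ! -perm 644 -print
}

# Number of violations; 0 means the tree already matches the rule.
wp_perm_count() {
  wp_perm_list "$1" | wc -l | tr -d ' '
}

# Apply the rule. WordPress' own hardening guide allows a tighter mode for
# wp-config.php; this follows the slide's blanket rule for every file.
wp_perm_fix() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
}

# Stand-alone use: report, then fix when "fix" is given as the second argument.
if [ -n "$1" ]; then
  echo "violations under $1: $(wp_perm_count "$1")"
  if [ "$2" = "fix" ]; then
    wp_perm_fix "$1" && echo "fixed"
  fi
fi
```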
• Change the database prefix
• In the wp-config.php file change the table prefix from “wp_” to “wp_randomlettersandnumbers_”
• Or “randomlettersandnumbers_”
• This is best accomplished during the initial install of WordPress
• Or use the Change DB Prefix plugin on an older site
• Use the Disable Comments plugin to turn off post comments if they aren’t required, which closes several attack vectors
• Install Better WP Security for one-stop shop security (some setup required)
ACCESS
• You need ten Admins? Really?
• Use the to create a custom user role, Manager or Web Master, with the same capabilities as an Admin but without the ability to add or delete plugins and themes, two common vectors for hackers
• Delete the admin user if it exists
• U/P: admin/password123? Really?
• Use the Enforce Strong Passwords plugin to, well, force users to use strong passwords
• Consider two-factor authentication using the Google Authenticator plugin
• Force administration over SSL: this is important if the dashboard will be accessed on public WiFi networks
• Install an SSL certificate and add the following to the wp-config.php file, above the require_once line that is already at the bottom of the file (constants defined after wp-settings.php is loaded have no effect):
  define('FORCE_SSL_LOGIN', true);
  define('FORCE_SSL_ADMIN', true);
  require_once(ABSPATH . 'wp-settings.php');
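A check that a wp-config.php actually carries the HARDENING and ACCESS settings from these slides (editor disabled, SSL forced for admin, non-default table prefix, and each define placed before wp-settings.php is loaded), as an added shell example that is not part of the original slides; the function names are chosen here:

```shell
#!/bin/sh
# Added example (not from the slides): check a wp-config.php for the settings
# recommended in the HARDENING and ACCESS slides. Prints one finding per line
# and always returns 0 so it can sit in a pipeline. Function names are assumptions.
wp_config_findings() {
  cfg=$1
  # Theme/plugin editor disabled?
  grep -Eq "define\( *'DISALLOW_FILE_EDIT' *, *true *\)" "$cfg" \
    || echo "missing: define('DISALLOW_FILE_EDIT', true)"
  # Dashboard forced over SSL?
  grep -Eq "define\( *'FORCE_SSL_ADMIN' *, *true *\)" "$cfg" \
    || echo "missing: define('FORCE_SSL_ADMIN', true)"
  # Default table prefix still in place?
  grep -Eq "^[$]table_prefix *= *['\"]wp_['\"] *;" "$cfg" \
    && echo "weak: \$table_prefix is still 'wp_'"
  # A constant only takes effect if it is defined before wp-settings.php is
  # loaded, so a define placed after the require_once line is silently ignored.
  settings_line=$(grep -n 'wp-settings\.php' "$cfg" | head -n 1 | cut -d: -f1)
  if [ -n "$settings_line" ]; then
    for c in DISALLOW_FILE_EDIT FORCE_SSL_ADMIN; do
      def_line=$(grep -n "'$c'" "$cfg" | head -n 1 | cut -d: -f1)
      if [ -n "$def_line" ] && [ "$def_line" -gt "$settings_line" ]; then
        echo "too late: $c is defined after wp-settings.php is included"
      fi
    done
  fi
  return 0
}

# Count of findings; 0 means the file passes every check.
wp_config_finding_count() {
  wp_config_findings "$1" | wc -l | tr -d ' '
}
```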
MAINTENANCE
Keep WordPress up to date. Seriously, keep WordPress and all plugins up to date
• Delete all unused plugins and themes: this is very important, old plugins and themes are a common vector for hackers
• Use a staging site to test new plugins and make theme adjustments
• If it’s not provided by the host, install a backup plugin and store the backups in a remote location
• Scan the site periodically (nightly?) using a service like
• Do these things and the chances you will be hacked are greatly reduced
OR THIS…
FOLLOW THESE STEPS AND THE CHANCES OF GETTING HACKED WILL BE GREATLY REDUCED
THANK YOU!
Red8 Interactive, San Francisco, CA / St. Louis, MO
James Hipkin, email@example.com, 415.789.3685
This presentation reviews the four key areas that affect WordPress security, the four areas that users need to consider to keep their sites safe: hosting ...
WordPress Security is like a HHAM Sandwich: an overview of WordPress security targeted at beginning and intermediate users. Some light coding required.