Getting started with wordpress hosting and security

Post on 21-Mar-2017


Transcript of Getting started with wordpress hosting and security

Philip Hess

GETTING STARTED WITH WORDPRESS HOSTING AND SECURITY

BEGIN WITH THE END

• Not really necessary

• But www.mydomain.com looks better than…

• www.mysite.hostingcompany.com or

• www.hostingcompany.com/~mysite/

• I use PairNic.com

• Local, in the south side

• Clean interface (but somewhat dated)

• Ad free

DOMAIN NAME

• What kind of site you want will determine what kind of hosting is best.

• eCommerce

• Medical/Professional

• Education

• Hobby

HOSTING

• eCommerce

• Security

• Credit card processing

• Not down during shopping times

HOSTING

• Medical/Professional

• Security

• HIPAA requirements

HOSTING

HOSTING

• Education

• Security

• FERPA requirements

HOSTING

• Hobby

• Security against hacking

• Personal embarrassment

HOSTING

• My short list

• www.wordpress.com

• www.pair.com

• www.asmallorange.com

• Select the best host you can afford

HOSTING

• Who I chose and why

• cPanel – used it before, familiar with it

• One click install of WordPress

• $35.00/year – cheapest hosting I’ve found

• Even a Raspberry Pi would cost more

SECURITY

• If it’s on the internet someone will be trying to hack it

• Change the admin account to something else

• Don’t use admin, administrator, your name, any part of your site name

• Use the admin account to administer your site and nothing else

• Use a separate account to post content

SECURITY

• Learn how to secure WordPress

• Hardening WordPress

• WordFence Security Learning Center

• Google is your BFF – but verify

• Learn how to use the security features of your server – most likely Linux (LAMP)

• Apache (web server) security features

• .htaccess files

SECURITY

• .htaccess files

• You can protect the .htaccess file itself by adding the following lines to the file:

<files .htaccess>

order allow,deny

deny from all

</files>

SECURITY

• .htaccess

• Limiting access to /wp-admin/

<LIMIT GET>

order deny,allow

deny from all

# replace ww.xx.yy.zz with your own IP address (Apache comments must be on their own line)

allow from ww.xx.yy.zz

</LIMIT>

SECURITY

• .htaccess

• Disable directory browsing

Options -Indexes

• Disable PHP execution (/wp-content/uploads/)

<Files *.php>

deny from all

</Files>
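As an added example (not from the slides), a small Python helper that generates the /wp-admin/ allow-list shown above, validating the addresses so the slide's ww.xx.yy.zz placeholder cannot be pasted in by mistake, putting the comment on its own line as Apache requires, and emitting either the Apache 2.2 Order/Deny syntax used on the slide or the Apache 2.4 Require syntax. The function names and the sample addresses are my own.

```python
import ipaddress

PLACEHOLDER = "ww.xx.yy.zz"  # the stand-in used on the slide, never a real address


def validate_admin_ips(ips):
    """Return normalised IP or CIDR strings; reject the placeholder and garbage early."""
    cleaned = []
    for ip in ips:
        if ip == PLACEHOLDER:
            raise ValueError("replace the slide placeholder with your real address")
        net = ipaddress.ip_network(ip, strict=False)  # raises ValueError on bad input
        # a single host is written without the /32 (or /128) suffix
        cleaned.append(str(net.network_address) if net.num_addresses == 1 else str(net))
    return cleaned


def render_wp_admin_htaccess(ips, apache24=True):
    """Build the text of /wp-admin/.htaccess that admits only the given addresses.

    Unlike the slide's <LIMIT GET> block, no <Limit> wrapper is used, so the
    rule also covers POST (the login form, admin AJAX) rather than GET only.
    """
    allowed = validate_admin_ips(ips)
    lines = ["# Only these addresses may reach /wp-admin/; update when your IP changes"]
    if apache24:
        # mod_authz_core syntax (Apache 2.4); Order/Allow/Deny need mod_access_compat there
        lines.append("<RequireAny>")
        lines += [f"    Require ip {ip}" for ip in allowed]
        lines.append("</RequireAny>")
    else:
        # Apache 2.2 syntax, as on the slide
        lines += ["Order deny,allow", "Deny from all"]
        lines += [f"Allow from {ip}" for ip in allowed]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # constructed sample: one home address plus an office range
    print(render_wp_admin_htaccess(["203.0.113.7", "198.51.100.0/24"]))
```

Many themes and plugins call /wp-admin/admin-ajax.php from the public site, so check the front end after applying the rule.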

SECURITY

• Editing the wp-config.php file

• Automatically update WordPress core files

define( 'WP_AUTO_UPDATE_CORE', true );

• Disallow editing of PHP from within WordPress

define( 'DISALLOW_FILE_EDIT', true );

• Suppressing PHP run time errors

error_reporting( 0 );

@ini_set( 'display_errors', 0 );

SECURITY

• Use HTTPS if you have an eCommerce site or collect any sort of data from customers/visitors

• Will need a “certificate” in this case, an extra annual charge

• Good idea to use this for logging in to your site as well

• Generate new WordPress security keys

• https://api.wordpress.org/secret-key/1.1/

• Keep your own computer clean and safe
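As an added example (not from the slides), a Python audit of a wp-config.php against the settings recommended above: core auto-update, DISALLOW_FILE_EDIT, display_errors off, a non-default table_prefix and regenerated secret keys. The sample config is constructed, and the 32-character minimum for a key is my own heuristic (keys from api.wordpress.org are 64 characters).

```python
import re

# Constructed sample wp-config.php fragment, deliberately left half-hardened.
SAMPLE_WP_CONFIG = """<?php
$table_prefix = 'wp_';
define( 'WP_AUTO_UPDATE_CORE', true );
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'short-key' );
define( 'WP_DEBUG', false );
"""

# The eight constants that https://api.wordpress.org/secret-key/1.1/ generates
SECRET_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
               "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_KEY_TEXT = "put your unique phrase here"  # placeholder shipped in wp-config-sample.php
MIN_KEY_LEN = 32  # heuristic threshold, an assumption of this example
DEFINE_RE = re.compile(r"define\s*\(\s*'(\w+)'\s*,\s*(.+?)\s*\)\s*;")


def parse_defines(text):
    """Return {constant: raw PHP value} for every single-line define() call."""
    return {m.group(1): m.group(2) for m in DEFINE_RE.finditer(text)}


def audit_wp_config(text):
    """Return a list of findings; an empty list means every slide check passes."""
    findings = []
    defines = parse_defines(text)
    if defines.get("WP_AUTO_UPDATE_CORE") != "true":
        findings.append("WP_AUTO_UPDATE_CORE is not true: core will not auto-update")
    if defines.get("DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT not set: the theme/plugin editor stays reachable")
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    if m is None or m.group(1) == "wp_":
        findings.append("table_prefix is the default 'wp_'")
    for key in SECRET_KEYS:
        value = defines.get(key, "").strip("'\"")
        if not value or DEFAULT_KEY_TEXT in value or len(value) < MIN_KEY_LEN:
            findings.append(f"{key} is missing, default or short: regenerate it")
    if not re.search(r"ini_set\s*\(\s*'display_errors'\s*,\s*0\s*\)", text):
        findings.append("display_errors not disabled: PHP errors may leak paths to visitors")
    return findings


if __name__ == "__main__":
    for finding in audit_wp_config(SAMPLE_WP_CONFIG):
        print("-", finding)
```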

CONTROL PANELS

• Help you manage your site without using the command line

• Home Grown

• Plesk

• cPanel

INSTALLING WORDPRESS

• From control panel

• Easy

• Default options

• Can install and delete as often as you wish

• Change the table_prefix

INSTALLING WORDPRESS

• Manually

• From the command line

• Change the table_prefix

INSTALLING WORDPRESS

• Themes – Changes the appearance of WordPress site

• There are thousands!

• Get from a reputable site

• WordPress.org

• Don’t limit yourself to just a theme based on a keyword

• Only one theme can be active at a time

• Theme checkers – checks for hidden malware

INSTALLING WORDPRESS

• Plugins – Adds or changes features of your WordPress site

• There are thousands!

• Get from reputable sources or develop own

• Take time to review and try them out before deciding

• Look at the last time it was updated

• Potential security issues

• Deactivate/delete plugins not being used

INSTALLING WORDPRESS

• Security Plugins

• There are hundreds!

• Look for one that is updated frequently

• Free vs. paid

SUMMARY

• What I’m doing…

• Theme – using a theme designed for hosting services

• Plugins – none except for WordFence

• Reviewing and evaluating several others

• Security

• WordFence free – may upgrade to paid

• .htaccess to block IP addresses identified by WordFence

SUMMARY

• Security

• Unique logins for site admin and content

• Password protecting /wp-admin/ directory

• Blocking access from all but a few selected IP addresses

SUMMARY

• Security (cont)

• Limit access to /wp-admin/ directory to just my IP address

• Changes every few days though

• Sanitizing output of WordPress

• Modifying WordPress core files

RESOURCES

• Hosting

• www.wordpress.com

• www.pair.com

• www.asmallorange.com

RESOURCES

• WordPress

• WordPress Codex

• codex.wordpress.org

• WordPress Themes

• wordpress.org/themes/

• WordPress Plugins

• wordpress.org/plugins/

• WordPress Lessons

• codex.wordpress.org/WordPress_Lessons

RESOURCES

• Security

• Hardening WordPress

• codex.wordpress.org/Hardening_WordPress

• WordFence

• www.wordfence.com

• WordFence Security Learning Center

• https://www.wordfence.com/learn/