iThemes presentation
Transcript of iThemes presentation
WordPress Security using iThemes Security
Jason Yingling | Lead Developer, Red8 Interactive | red8interactive.com
@jason_yingling | jasonyingling.me
WordPress Hosting
• Support for latest software
• Optimized for running WordPress
• Malware scanning
• Work with WordPress 24/7
• Backups
Hardening
• Protecting your site from common security risks
– Don’t use the ‘admin’ username
– Strong passwords
– Hide the login area
– Brute Force Protection
– 404 Protection
– Malware scanning
Access
• Minimize number of administrators
• Remove file editing from dashboard
• Two Factor Authentication
Global Settings
• Write to wp-config.php
• Emails for lockout notifications, file change warnings, etc.
Global Settings
• Enables blacklisting repeat offenders
• Good idea to switch these up from the defaults
Away Mode
• Allows for disabling access to the dashboard between certain hours
• Do you really need to be able to edit 24/7?
• Taking a vacation
Banned Users
• Enable HackRepair.com’s blacklist feature
• Enable Ban Users
• Permanently bans attackers’ IPs
Brute Force Protection
• Limit the number of bad login attempts before temporarily locking out the offending host
Brute Force Protection
• Switch it up from the default
• 4 Max Login Attempts Per Host
• 9 Max Login Attempts Per User
• 6 Minutes to Remember Bad Login
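As an added illustration (not the plugin’s own code), the Python below models the three settings above as a sliding window: bad logins older than the remember window are forgotten, and a host or user that reaches its threshold inside that window is locked out. The IP addresses, usernames and timestamps are constructed.

```python
from collections import deque

# Thresholds from the slides: 4 per host, 9 per user, remember for 6 minutes.
MAX_PER_HOST = 4
MAX_PER_USER = 9
REMEMBER_SECONDS = 6 * 60


class LockoutTracker:
    """Sliding-window model of brute-force lockout (illustrative only)."""

    def __init__(self, max_per_host=MAX_PER_HOST, max_per_user=MAX_PER_USER,
                 remember_seconds=REMEMBER_SECONDS):
        self.max_per_host = max_per_host
        self.max_per_user = max_per_user
        self.remember = remember_seconds
        self.host_failures = {}  # host IP -> deque of failure timestamps
        self.user_failures = {}  # username -> deque of failure timestamps

    def _prune(self, queue, now):
        # Forget failures that fall outside the "remember bad login" window.
        while queue and now - queue[0] >= self.remember:
            queue.popleft()

    def record_failure(self, host, username, now):
        """Record one bad login at time `now` (seconds).

        Returns the set of lockouts this attempt triggers: "host" when the
        source IP reached its limit, "user" when the account did, or both.
        A user lockout can fire even when every host is under its own limit,
        which is what catches attempts spread across many IPs.
        """
        host_q = self.host_failures.setdefault(host, deque())
        user_q = self.user_failures.setdefault(username, deque())
        self._prune(host_q, now)
        self._prune(user_q, now)
        host_q.append(now)
        user_q.append(now)
        triggered = set()
        if len(host_q) >= self.max_per_host:
            triggered.add("host")
        if len(user_q) >= self.max_per_user:
            triggered.add("user")
        return triggered
```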
Database Backups
• Sends a database backup via email or stores on server
• Plugins
– BackupBuddy
– BackWPUp
– WPmudev Snapshot
– VaultPress
File Change Detection
• Allows you to include and exclude specific files that may change often
• Helpful to see what files were changed if an attack happens
Hide Login Area
• Change login url from /wp-admin
• Makes it more difficult for an attacker to find the login area
• Avoid using iThemes default /wplogin
System Tweaks
• Some of this may be performed by your host
• Good idea to have on unless you know something conflicts on your site
iThemes Security Pro
• More password options
• Password generator on user profile
• Password expiration
• Force password change
Locked yourself out?
• Log in to your database via phpMyAdmin or a program like Sequel Pro
• Navigate to the itsec_lockouts table
• Delete the row with your IP
Locked yourself out?
• Disable plugin via FTP
• Navigate to /wp-content/plugins
• Rename the ithemes-security plugin directory