WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Nathan Driver WordPress Security

description

Nathan Driver will be breaking down WordPress security. In the presentation Nathan will be discussing everything from protecting file uploads to much needed plugins such as. Some of the topics will be:
- Stop the "wp_" database madness!
- Stop showing your version!
- Stop multiple attempts of logins!
- Back UP...ALWAYS!

Transcript of WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Page 1: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Nathan Driver

WordPress Security

Page 2: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Who Am I

Media – Marketing - Geek

@natedriver

linkedin.com/in/ndriver

nathandriver.com

Page 3: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

WP Security: 3 Sections

…and everything in between

Basic Settings

PLUGINS

Advanced

Settings

Page 4: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Basic Settings: Noob

Starting with the basics

Page 5: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Change the table prefix
It is NOT that difficult

Stop using ADMIN
Do not make it easy for hackers to ‘guess’ your username

WP Security: Basic Settings

Page 6: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

DON’T MAKE

IT EASY

WP Security: Basic Settings

Page 7: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

WP Security: Basic Settings

Page 8: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

A strong password:
• has at least 15 characters;
• has uppercase letters;
• has lowercase letters;
• has numbers;
• has symbols, such as ` ! " ? $ ? % ^ & * ( ) _ - + = { [ } ] : ; @ ' ~ # | \ < , > . ? /
• is not like your previous passwords;
• is not your name;
• is not your login;
• is not your friend’s name;
• is not your family member’s name;
• is not a dictionary word;
• is not a common name;
• is not a keyboard pattern, such as qwerty, asdfghjkl, or 12345678.

WP Security: Basic Settings
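The rules on this slide can be turned into a check that runs before a password is accepted. The script below is an added example written for this transcript, not code from the talk or from any WordPress plugin. It assumes a POSIX shell with grep and tr; the deny list of common words is a constructed stand-in for the "dictionary word / common name" rule (a real deployment would use a word list), and any extra arguments are treated as the login, personal and family names the password must not contain. The "not like your previous passwords" rule needs a password history and is not covered here.

```shell
#!/bin/sh
# Added example (not from the slides): validate a candidate password against
# the policy on the "strong password" slide.
# Usage: check_password 'Candidate-Pass-Word-9' login firstname lastname
# Returns 0 when every rule passes; otherwise prints the failing rule to
# stderr and returns 1.

# Constructed stand-in for a real dictionary / common-name list.
DENY_WORDS="password welcome admin letmein wordpress monkey"

reject() { printf 'reject: %s\n' "$1" >&2; }

check_password() {
  pw=$1
  shift
  lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')

  # Length and character-class rules.
  [ "${#pw}" -ge 15 ] || { reject "fewer than 15 characters"; return 1; }
  printf '%s' "$pw" | grep -q '[[:upper:]]'  || { reject "no uppercase letter"; return 1; }
  printf '%s' "$pw" | grep -q '[[:lower:]]'  || { reject "no lowercase letter"; return 1; }
  printf '%s' "$pw" | grep -q '[[:digit:]]'  || { reject "no number"; return 1; }
  printf '%s' "$pw" | grep -q '[^[:alnum:]]' || { reject "no symbol"; return 1; }

  # Keyboard patterns named on the slide, matched case-insensitively.
  case "$lower" in
    *qwerty*|*asdfghjkl*|*12345678*) reject "keyboard pattern"; return 1 ;;
  esac

  # Dictionary / common words (constructed list above).
  for w in $DENY_WORDS; do
    case "$lower" in
      *"$w"*) reject "contains common word '$w'"; return 1 ;;
    esac
  done

  # Login, own name, friends' and family members' names, passed as arguments.
  for s in "$@"; do
    s_lower=$(printf '%s' "$s" | tr '[:upper:]' '[:lower:]')
    case "$lower" in
      *"$s_lower"*) reject "contains personal string '$s'"; return 1 ;;
    esac
  done
  return 0
}

# Demo run when invoked with --demo (skipped when sourced).
if [ "${1:-}" = "--demo" ]; then
  check_password 'Correct-Horse-Battery-9' natedriver && echo accepted
  check_password 'Tr0ub4dor&3' natedriver || echo rejected
fi
```

Substring matching for names and deny words is deliberately strict: a password that merely contains the login is rejected, not only one that equals it.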

Page 9: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

WP Security: Basic Settings

UPDATE – UPDATE - UPDATE

You see it – do something about it!

Page 10: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Plugins: Help Yourself

They’re there to help make your life easier

Page 11: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

WP Security: Plugins

BACKUP – BACKUP - BACKUP

VaultPress http://vaultpress.com

Page 12: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Brute Force

WP Security: Plugins

Limit Login Attempts: http://wordpress.org/extend/plugins/limit-login-attempts/
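A plugin like Limit Login Attempts blocks repeated attempts inside WordPress; the same activity is also visible in the web server's access log, which is where you can confirm an attack or tune the plugin's threshold. The script below is an added example for this transcript, not part of the talk or of the plugin. It assumes an Apache combined-format access log read on stdin, and relies on the fact that a failed wp-login.php POST is answered with 200 (the form is shown again) while a successful one redirects with 302. The log lines embedded in the script are constructed sample data using documentation IP ranges, not real traffic.

```shell
#!/bin/sh
# Added example (not from the slides): count failed wp-login.php POSTs per
# client IP in an access log and flag clients over a threshold.

# Constructed sample log (Apache combined format); not real traffic.
SAMPLE_LOG='203.0.113.5 - - [12/Jan/2013:10:00:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2013:10:00:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2013:10:00:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2013:10:00:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Jan/2013:10:00:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2013:10:05:00 -0500] "GET /wp-login.php HTTP/1.1" 200 3301 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Jan/2013:10:05:09 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"'

# Reads a combined-format log on stdin and prints "<ip> <failed-posts>" for
# every client with at least one failed login. Field layout: $1 client IP,
# $6 quoted method, $7 request path, $9 HTTP status.
failed_logins_per_ip() {
  awk '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
       END { for (ip in n) print ip, n[ip] }'
}

# Prints the IPs whose failed-login count is at or above $1, one per line.
flag_bruteforce() {
  failed_logins_per_ip | awk -v t="$1" '$2 >= t { print $1 }' | sort
}

# Demo run when invoked with --demo (skipped when sourced).
if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SAMPLE_LOG" | flag_bruteforce 5
fi
```

Pipe a real log in place of the sample, e.g. `flag_bruteforce 5 < /var/log/apache2/access.log`; a client that trips the threshold is a candidate for a firewall block or a lower Limit Login Attempts lockout.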

Page 13: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

WP Security: Plugins

WP Security Scan:
1. Passwords
2. File Permissions
3. Database security
4. Version hiding
5. WordPress admin protection/security
6. Removes WP Generator META tag from core code

Page 14: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

WP Security: Plugins

Better WP Security
• Remove the meta “Generator” tag
• Change the URLs for the WordPress dashboard, including login, admin, and more
• Completely turn off the ability to log in for a given time period (away mode)
• Remove theme, plugin, and core update notifications from users who do not have permission to update them
• Remove Windows Live Writer header information
• Remove RSD header information
• Rename the “admin” account
• Change the ID on the user with ID 1
• Change the WordPress database table prefix
• Change the wp-content path
• Remove login error messages
• Display a random version number to non-administrative users anywhere the version is used

Page 15: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Advanced: Watch Yourself

Behind the scenes

Page 16: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

phpMyAdmin -> Database -> …users

WP Security: Advanced Settings

Page 17: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Alternative steps:
• Create a new user
• Give them admin rights
• Log out
• Log in under the new user
• Delete the “admin” account

WP Security: Advanced Settings

Page 18: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

WP Security: Advanced Settings

Folder Permissions

• All directories should be 755 or 750.
• All files should be 644 or 640. Exception: wp-config.php should be 600 to prevent other users on the server from reading it.
• No directories should ever be given 777, even upload directories. Since the PHP process is running as the owner of the files, it gets the owner’s permissions and can write to even a 755 directory.
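Those three rules are easy to audit with find. The script below is an added example for this transcript, not code from the talk. It assumes a POSIX shell with find, sed and mktemp, and that the site runs as the file owner as the slide describes; the sample WordPress tree it builds under a temporary directory is constructed purely to exercise the checks and contains one violation of each rule.

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress tree against the
# permission rules above and report every file or directory that deviates.

# Prints one line per violation:
#   BAD-DIR   <dir>   directory is not 755 or 750
#   BAD-FILE  <file>  file (other than wp-config.php) is not 644 or 640
#   BAD-CONF  <file>  wp-config.php is not 600
audit_wp_perms() {
  root=$1
  find "$root" -type d ! -perm 755 ! -perm 750 -print | sed 's/^/BAD-DIR   /'
  find "$root" -type f ! -name wp-config.php ! -perm 644 ! -perm 640 -print \
    | sed 's/^/BAD-FILE  /'
  find "$root" -type f -name wp-config.php ! -perm 600 -print | sed 's/^/BAD-CONF  /'
}

# Number of violations, printed as a bare integer.
count_wp_perm_violations() {
  audit_wp_perms "$1" | wc -l | tr -d ' '
}

# The 777 rule on its own: any directory with the world-write bit set.
world_writable_dirs() {
  find "$1" -type d -perm -002 -print
}

# Builds a constructed sample tree (not a real site) with one violation of
# each rule: a 777 uploads directory, a 666 upload, and a 644 wp-config.php.
make_sample_tree() {
  tmp=$(mktemp -d)
  mkdir -p "$tmp/wp-content/uploads" "$tmp/wp-includes"
  : > "$tmp/wp-config.php"
  : > "$tmp/index.php"
  : > "$tmp/wp-content/uploads/photo.jpg"
  chmod 755 "$tmp" "$tmp/wp-content" "$tmp/wp-includes"
  chmod 777 "$tmp/wp-content/uploads"        # violation: world-writable dir
  chmod 644 "$tmp/index.php"
  chmod 666 "$tmp/wp-content/uploads/photo.jpg"  # violation: world-writable file
  chmod 644 "$tmp/wp-config.php"             # violation: should be 600
  echo "$tmp"
}

# Demo run when invoked with --demo (skipped when sourced).
if [ "${1:-}" = "--demo" ]; then
  t=$(make_sample_tree)
  audit_wp_perms "$t"
  echo "violations: $(count_wp_perm_violations "$t")"
  rm -rf "$t"
fi
```

Run `audit_wp_perms /var/www/html` (or wherever WordPress lives) after deploying or after a plugin install; an empty report means every directory and file matches the slide's rules. The fix for each reported path is the matching `chmod 755`, `chmod 644` or `chmod 600`.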

Page 19: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

WP Security: Advanced Settings

Get rid of WordPress version

Fix by placing either one in your theme's functions.php:

    // Option 1: stop WordPress from printing the generator meta tag at all.
    remove_action('wp_head', 'wp_generator');

or

    // Option 2: keep the hook but make the generator output an empty string.
    function remove_wp_version() { return ''; }
    add_filter('the_generator', 'remove_wp_version');

The version can be found in:
• Header.php (the generator meta tag in the header)
• the Readme.html file

Page 20: WordPress Security: Get it or Lose It - DaytonWP January 2013 MeetUp

Nathan Driver Media – Marketing – Geek

@natedriver www.nathandriver.com

WordPress Security: Get It or Lose It