Do Less Work by Securing Your WordPress Site from Hackers
DESCRIPTION
Save yourself from future headaches by making sure the sites you create are secure. This guideline was created following the Pareto principle! I started by looking for the 20 percent of effort that would account for 80 percent of the results! It's so simple that it seems a bit more like 1% effort for 95% results! You will learn the basics of securing your site in this presentation!
TRANSCRIPT
Do Less Work
By Securing Your WordPress Site From Hackers
Thomas Howard
WordPress Statistics
• 60+ Million WordPress Sites
• 22% of top 10 million websites powered by WP
• 73% of the 40,000 top WP sites running a vulnerable version
• Basic Vulnerabilities found in 50 Top WP Plugins
[Pie chart: Top 10 Million Sites – WordPress 22%, Not WordPress 78%]
The 80/20 Rule of WP Security
• Pareto Principle - Roughly 80% of the effects come from 20% of the causes
• How can we prevent the most amount of attacks with the least amount of work?
WordPress Attack Vectors
[Pie chart: Attack Vectors – Hosting 41%, Theme 29%, Plugin 22%, Password 8%]
• 41% were hacked through a security vulnerability on their hosting platform
• 29% were hacked via a security issue in the WordPress theme they were using
• 22% were hacked via a security issue in the WordPress plugins they were using
• 8% were hacked because they had a weak password
Hosting
• Use a trusted host!
• Laughing Squid or A Small Orange for cheap shared hosting
• Get off shared hosting!
• Better yet, use WP Engine and skip the rest of these slides!
Themes
• DON’T use free themes!
• Use a trusted source for themes:
– Wordpress.org
– Themeforest
– WooThemes
• Use a secure theme framework:
– Genesis
– Thesis
[Pie chart: Free Themes on Google – Safe 10%, Questionable 10%, Infected 80%]
Secure the WP Installation
• Easiest Way – Use a Security Plugin
– iThemes Security (formerly Better WP Security)
– Wordfence
• Examples using iThemes Security
Secure Database
• Don’t use the standard wp_ table prefix
Force Secure Passwords
Limit Login Attempts
Change Admin Username & User ID=1
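The slides above show these settings being switched on in iThemes Security. As an added illustration (not the plugin's code, and not part of the original deck), here is what the "Limit Login Attempts" tweak looks like when done by hand as a must-use plugin: count failures per client with a WordPress transient, refuse further authentication once a threshold is hit, and clear the counter on success. The threshold, window and option names are assumptions; the table prefix itself is set separately in wp-config.php (`$table_prefix`) before installation and is not handled here.

```php
<?php
/**
 * Plugin Name: Limit Login Attempts (added example)
 * Save as wp-content/mu-plugins/limit-login-attempts.php so it loads on every request.
 * Illustrative code, not iThemes Security's implementation; limits are assumptions.
 */

const LLA_MAX_ATTEMPTS = 5;                       // failures allowed before lockout (assumed)
const LLA_WINDOW       = 15 * MINUTE_IN_SECONDS;  // counting window and lockout length (assumed)

// Key the counter on the client address so a lockout covers every username tried from it.
// Assumes WordPress sees the real client IP; behind a reverse proxy REMOTE_ADDR is the
// proxy, and a forwarded-for header must only be trusted from that known proxy.
function lla_transient_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'lla_' . md5($ip);
}

function lla_failed_attempts(): int {
    return (int) get_transient(lla_transient_key());
}

// Count each failed login; the transient expires on its own after the window.
add_action('wp_login_failed', function ($username): void {
    $attempts = lla_failed_attempts() + 1;
    set_transient(lla_transient_key(), $attempts, LLA_WINDOW);
    error_log(sprintf(
        'login failed for "%s" from %s (%d/%d)',
        (string) $username,
        $_SERVER['REMOTE_ADDR'] ?? '?',
        $attempts,
        LLA_MAX_ATTEMPTS
    ));
});

// Refuse to authenticate at all once the threshold is reached. Priority 30 runs after
// core's username/password check (priority 20), so a WP_Error here overrides a valid login.
add_filter('authenticate', function ($user, $username, $password) {
    if (lla_failed_attempts() >= LLA_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function (): void {
    delete_transient(lla_transient_key());
});
```

Because the lockout error itself passes through wp_authenticate(), each blocked attempt also fires wp_login_failed and refreshes the transient, so the lockout extends while someone keeps trying. Transients are stored in the options table (or the object cache), which is why the same counter is seen by every PHP worker on the host.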
Other Useful (and easy) Tweaks
• Enable HackRepair.com's blacklist feature
• Enable 404 detection
• Protect System Files
• Disable Directory Browsing
• Filter Request Methods
• Filter Suspicious Query Strings in the URL
• Filter Non-English Characters (only for English-only sites)
• Filter Long URL Strings
• Remove File Writing Permissions
• Disable PHP in Uploads
• Remove WordPress Generator Meta Tag
• Remove the Windows Live Writer header.
• Remove the RSD (Really Simple Discovery) header.
• Reduce Comment Spam (also you should be using Akismet or Disable Comments)
• Display Random Version
• Disable XMLRPC (unless you use trackbacks or Jetpack)
• Disable a user's author page if their post count is 0.
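Several of the tweaks in this list are one-line WordPress hooks. The following must-use plugin is an added example (not the original deck's content and not iThemes Security's code) that implements the generator meta tag, Windows Live Writer and RSD header removals, the XML-RPC switch, the file-editor lock-down and the empty-author-page redirect. The file name and the redirect target are assumptions; the directory browsing and "PHP in uploads" items are web-server configuration and are not covered here.

```php
<?php
/**
 * Plugin Name: Harden WordPress Headers and Endpoints (added example)
 * Save as wp-content/mu-plugins/harden-wp.php; illustrative, not the plugin's own code.
 */

// Stop advertising the WordPress version in <head> and in RSS/Atom feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// Drop the Windows Live Writer manifest and Really Simple Discovery links from <head>.
// (Harmless if a newer core no longer registers wlwmanifest_link.)
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'rsd_link');

// Turn XML-RPC off entirely; keep it enabled if the site relies on trackbacks or Jetpack.
add_filter('xmlrpc_enabled', '__return_false');

// Without XML-RPC the X-Pingback response header has nothing to point at, so drop it too.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// Disable the theme and plugin file editor in wp-admin. Normally set in wp-config.php;
// defining it in a must-use plugin also works because mu-plugins load before the admin menus.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

// Redirect the author archive of any user with zero posts to the home page, so the
// archive does not confirm that the account exists. Redirect target is an assumption.
add_action('template_redirect', function (): void {
    if (!is_author()) {
        return;
    }
    $author = get_queried_object();
    if ($author instanceof WP_User && (int) count_user_posts($author->ID) === 0) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
});
```

After activating this, a quick check is to fetch the front page and confirm that the `<meta name="generator">`, `wlwmanifest` and `EditURI` lines are gone from the HTML, that the response no longer carries an `X-Pingback` header, and that a POST to xmlrpc.php returns the "XML-RPC services are disabled on this site" fault.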
Backups!
• Set up automatic backups!
• iThemes Security allows you to schedule backups to be stored on the server and emailed
• Backup Buddy is awesome
• So is ManageWP
Updates!
• Good news! The latest WP automatically updates for security patches!
• Make modifications safely, use child themes.
• Test new updates on development site.
Summary
1. Hosting
2. Themes
3. Plugins
4. Core
5. Backup
6. Update
Questions?
Learn more at MakeWP.com/wp-security-talk