Do Less Work
By Securing Your WordPress Site From Hackers
Thomas Howard
WordPress Statistics
• 60+ million WordPress sites
• 22% of the top 10 million websites are powered by WordPress
• 73% of the 40,000 top WordPress sites are running a vulnerable version
• Basic vulnerabilities found in 50 top WordPress plugins
[Chart: Top 10 Million Sites – WordPress 22%, Not WordPress 78%]
The 80/20 Rule of WP Security
• Pareto Principle - Roughly 80% of the effects come from 20% of the causes
• How can we prevent the most attacks with the least amount of work?
WordPress Attack Vectors
[Chart: Attack Vectors – Hosting 41%, Theme 29%, Plugin 22%, Password 8%]
• 41% were hacked through a security vulnerability on their hosting platform
• 29% were hacked via a security issue in the WordPress theme they were using
• 22% were hacked via a security issue in the WordPress plugins they were using
• 8% were hacked because they had a weak password
Hosting
• Use a trusted host!
– Laughing Squid or A Small Orange for cheap shared hosting
• Get off shared hosting!
• Better yet, use WP Engine and skip the rest of these slides!
Themes
• DON’T use free themes!
• Use a trusted source for themes:
– WordPress.org
– Themeforest
– WooThemes
• Use a secure theme framework:
– Genesis
– Thesis
[Chart: Free Themes on Google – Safe 10%, Questionable 10%, Infected 80%]
Secure the WP Installation
• Easiest way: use a security plugin
– iThemes Security (formerly Better WP Security)
– Wordfence
• The examples that follow use iThemes Security
Secure Database: don’t use the standard wp_ table prefix
Force Secure Passwords
Limit Login Attempts
Change Admin Username & User ID=1
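To show what "Limit Login Attempts" actually does under the hood, here is an added example of a WordPress must-use plugin that throttles failed logins with transients. It is illustrative code written for this page, not the talk's material and not iThemes Security's implementation; the threshold of 5 failures, the 15-minute window, and the example_ function names are assumptions.

```php
<?php
/*
 * Plugin Name: Example login throttle
 * Description: Added illustration of "Limit Login Attempts" using WordPress
 *              transients. Not iThemes Security code. Place in wp-content/mu-plugins/.
 */

// Assumed policy: 5 failures from one client address lock that address out
// for 15 minutes. MINUTE_IN_SECONDS is a core WordPress constant.
define('EXAMPLE_MAX_FAILS', 5);
define('EXAMPLE_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS);

// One counter per client address. REMOTE_ADDR is the right key only when the
// web server itself terminates the connection; behind a proxy or CDN it is the
// proxy's address and every visitor would share a single counter.
function example_login_fail_key() {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'example_login_fails_' . md5($ip);
}

function example_is_locked_out() {
    return (int) get_transient(example_login_fail_key()) >= EXAMPLE_MAX_FAILS;
}

// wp_login_failed fires for every rejected username/password pair, whether it
// arrived through wp-login.php or XML-RPC, so both paths are throttled.
add_action('wp_login_failed', function ($username) {
    $key   = example_login_fail_key();
    $fails = (int) get_transient($key);
    // Re-setting the transient restarts its expiry, so attempts made during a
    // lockout extend the lockout rather than shorten it.
    set_transient($key, $fails + 1, EXAMPLE_LOCKOUT_WINDOW);
});

// Priority 30 runs after core's username/password checks (priority 20), so a
// locked-out address receives the lockout error whatever the password was.
add_filter('authenticate', function ($user, $username, $password) {
    if (!empty($username) && example_is_locked_out()) {
        return new WP_Error(
            'example_locked_out',
            __('Too many failed login attempts from this address. Try again in 15 minutes.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that address.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(example_login_fail_key());
}, 10, 2);
```

Transients live in the options table (or the object cache if one is configured), so the counter survives across requests without any schema change. The error message deliberately does not say whether the username exists; combined with the "Change Admin Username" step, that leaves a brute-forcer with neither a known account nor an unlimited number of guesses.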
Other Useful (and easy) Tweaks
• Enable HackRepair.com’s blacklist feature
• Enable 404 detection
• Protect System Files
• Disable Directory Browsing
• Filter Request Methods
• Filter Suspicious Query Strings in the URL
• Filter Non-English Characters (only for English-only sites)
• Filter Long URL Strings
• Remove File Writing Permissions
• Disable PHP in Uploads
• Remove WordPress Generator Meta Tag
• Remove the Windows Live Writer header.
• Remove the RSD (Really Simple Discovery) header.
• Reduce Comment Spam (you should also be using Akismet or Disable Comments)
• Display Random Version
• Disable XMLRPC (unless you use trackbacks or Jetpack)
• Disable a user’s author page if their post count is 0.
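Several of the tweaks above are plain WordPress hooks rather than plugin magic. The must-use plugin below is an added example, written for this page and not taken from the talk or from iThemes Security, that covers the ones expressible in PHP: removing the generator meta tag, the RSD and Windows Live Writer headers, disabling XML-RPC, filtering request methods, filtering long URL strings, and disabling author pages for users with no posts. The TRACE/TRACK deny-list, the 255-character URL limit and the example_ function names are assumptions. Protect System Files, Disable Directory Browsing and Disable PHP in Uploads are web-server configuration (the plugin writes .htaccess rules for those) and are not shown here.

```php
<?php
/*
 * Plugin Name: Example header and request hardening
 * Description: Added illustration of several of the tweaks listed in the talk
 *              as plain WordPress hooks. Not iThemes Security code.
 *              Place in wp-content/mu-plugins/.
 */

// Remove WordPress Generator Meta Tag: core hooks wp_generator onto wp_head to
// print <meta name="generator" content="WordPress x.y" />.
remove_action('wp_head', 'wp_generator');
// The same version string is emitted in RSS/Atom feeds; blank it there too.
add_filter('the_generator', '__return_empty_string');

// Remove the RSD (Really Simple Discovery) and Windows Live Writer headers.
// Removing a callback that a newer core version no longer adds is a harmless no-op.
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');

// Disable XML-RPC. Leave this line out if the site relies on trackbacks or Jetpack.
add_filter('xmlrpc_enabled', '__return_false');

// Filter Request Methods. Assumed deny-list: TRACE and TRACK are never used by
// WordPress itself. Before adding PUT or DELETE, confirm that no admin or REST
// API client on the site depends on them.
function example_denied_request_methods() {
    return ['TRACE', 'TRACK'];
}

// Filter Long URL Strings. Assumed limit of 255 characters for the request URI.
function example_max_uri_length() {
    return 255;
}

// Pure decision function, kept separate from the hook so it can be unit-tested.
function example_request_is_acceptable($method, $uri) {
    if (in_array(strtoupper($method), example_denied_request_methods(), true)) {
        return false;
    }
    if (strlen($uri) > example_max_uri_length()) {
        return false;
    }
    return true;
}

// Reject early, before any query runs. Priority 0 puts this ahead of other init work.
add_action('init', function () {
    $method = $_SERVER['REQUEST_METHOD'] ?? 'GET';
    $uri    = $_SERVER['REQUEST_URI'] ?? '/';
    if (!example_request_is_acceptable($method, $uri)) {
        status_header(403);
        nocache_headers();
        exit;
    }
}, 0);

// Disable a user's author page if their post count is 0. Core deliberately
// serves an empty archive for such users (see WP::handle_404()), which confirms
// that the login name exists; answer with a real 404 instead.
add_action('template_redirect', function () {
    if (!is_author()) {
        return;
    }
    $author = get_queried_object();
    if ($author instanceof WP_User && 0 === (int) count_user_posts($author->ID)) {
        global $wp_query;
        $wp_query->set_404();
        status_header(404);
        nocache_headers();
    }
});
```

Because the file sits in mu-plugins it cannot be deactivated from the dashboard, which is what you want for hardening that should never be switched off by accident. After enabling it, fetch the home page and check that the generator meta tag and the rsd/wlwmanifest link elements are gone, and that a request to /xmlrpc.php reports that XML-RPC is disabled.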
Backups!
• Set up automatic backups!
• iThemes Security allows you to schedule backups to be stored on the server and emailed
• Backup Buddy is awesome
• So is ManageWP
Updates!
• Good news! The latest WP automatically updates for security patches!
• Make modifications safely: use child themes.
• Test new updates on development site.
Summary
1. Hosting
2. Themes
3. Plugins
4. Core
5. Backup
6. Update
Questions?
Learn more at MakeWP.com/wp-security-talk