Locking Down Your WordPress Site
TRANSCRIPT
Locking Down Your Site
Frank Corso
3 Things To Consider
No site is 100% secure
Security vs convenience
It isn't WordPress's fault
frankcorso.me @fpcorso
How Common Are Hacks?
30,000 website hack attempts every day
Hacking is automated so one "bot" can attempt to hack dozens of sites every minute
Automated hacking bots do not need a specific target
Why Would Someone Hack Your Site?
Get user contact information
Get user credit card information
Insert ads and affiliate links into your site
Use your site's resources to further power the hacking bot
Hold your site hostage
Most Common Types Of Hacks
Brute Force Attack
SQL Injection Hacks
Cross Site Scripting
3 Stages Of Security
Protection
Detection
Recovery
Stage 1: Protection
HOW DO YOU PREVENT A HACK?
Hosting
Do your research!
Ensure your host keeps the server (PHP/MySQL/Linux) updated
Is there support?
Backup/recovery options?
User Management
Not everyone needs admin access
Do not have an "admin" user
Do not share your own account
◦ If giving admin access to a developer, create a separate account which can be de-activated afterwards
Have a separate account for site administration that does not create posts/pages
Passwords
Do not use words in your passwords
Do not use short passwords (I use 20 characters!)
Use multiple types of characters
Change passwords regularly
Use different passwords for each site and service
Example: 3)S'Fb2rVa:?Sc-t@~D&
Use a password manager such as LastPass
Updates
Keep everything up to date
WordPress, plugins, and themes are updated regularly with security updates
PHP, MySQL, and Linux if you control the server
File Management
Lots of more technical items include:
◦ 404 detection
◦ wp-config.php file permissions
◦ .htaccess
◦ Setting up a time/day window for accessing admin
Backups
ALWAYS(!!!) have backups
Redundant - hosting and WordPress
Backup to an offsite location
◦ Email
◦ Amazon SES
◦ Google Drive
Regular backups
◦ Possibly daily database backups and weekly file backups
Use Backup Buddy or Updraft Plus
Use A Security Plugin
There are many good plugins that will take care of a lot of this for you.
Most security plugins have teams that watch for new trends and update their plugins to help protect your site
Use iThemes Security or Wordfence
SSL
SSL stands for Secure Sockets Layer and provides a secure (encrypted) connection between internet browsers and websites.
SiteGround and Flywheel both include free SSL certificates!
If you are not on a host that provides free SSL certificates, purchase one!
◦ Starts at $15 per year
Stage 2: Detection
HOW WILL YOU KNOW IF YOUR SITE IS HACKED?
Detecting A Hack
Watch for file changes
Watch for anything abnormal
Scan your site with a malware checker such as virustotal.com
Consider a full site service such as the Website Antivirus by Sucuri
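"Watch for file changes" can be automated. This is an added example, not code from the slides or from any plugin named on them: it records a SHA-256 baseline of the PHP files under a WordPress install on the first run and reports added, removed or modified files on later runs. The install path and manifest location are assumptions; keep the manifest outside the web root.

```php
<?php
// Added example (not from the original slides): baseline file-integrity check.
// First run writes the manifest; later runs (e.g. from cron) diff against it.
$root     = $argv[1] ?? '/var/www/html';               // assumed WordPress root
$manifest = $argv[2] ?? '/var/backups/wp-hashes.json'; // assumed path, outside web root

function hash_tree( string $root ): array {
    $hashes = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        // Injected code and backdoors are normally PHP; extend the list if you track more types.
        if ( $file->getExtension() !== 'php' ) {
            continue;
        }
        $hashes[ $file->getPathname() ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

function diff_trees( array $old, array $new ): array {
    $added    = array_keys( array_diff_key( $new, $old ) );
    $removed  = array_keys( array_diff_key( $old, $new ) );
    $modified = [];
    foreach ( array_intersect_key( $new, $old ) as $path => $hash ) {
        if ( ! hash_equals( $old[ $path ], $hash ) ) {
            $modified[] = $path;
        }
    }
    return compact( 'added', 'removed', 'modified' );
}

$current = hash_tree( $root );
if ( ! file_exists( $manifest ) ) {
    file_put_contents( $manifest, json_encode( $current ) );
    echo 'Baseline written for ' . count( $current ) . " files\n";
    exit( 0 );
}
$baseline = json_decode( file_get_contents( $manifest ), true );
$changes  = diff_trees( $baseline, $current );
foreach ( $changes as $kind => $paths ) {
    foreach ( $paths as $path ) {
        echo strtoupper( $kind ) . "  $path\n";
    }
}
// Non-zero exit lets cron or monitoring alert on any change. After a legitimate
// WordPress/plugin update, delete the manifest and re-run to record a new baseline.
exit( array_sum( array_map( 'count', $changes ) ) > 0 ? 1 : 0 );
```

A baseline is only trustworthy if an attacker who can write to the site cannot also rewrite the manifest, which is why it belongs outside the web root (or in your backup location).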
Stage 3: Recovery
WHAT DO YOU DO WHEN YOUR SITE IS HACKED?
What Is Your Plan?
What is the plan in the event of an attack?
Create your plan before you need it!
Who will restore the site from the backup?
Who will scan your site looking for how the attack happened?
Change all your passwords
Developer Security
Developer Setup
Always develop with debug mode on
◦ define( 'WP_DEBUG', true );
Use a developer plugin such as Query Monitor
Important WordPress Functions
current_user_can
◦ Checks if the user has the correct permission (capability)
ABSPATH
◦ Checks if the file is being called directly instead of being loaded by WordPress
// Capability check: stop before doing anything privileged
if ( ! current_user_can( 'moderate_comments' ) ) {
    echo 'You do not have permission';
    return;
}
// ABSPATH is only defined when WordPress loaded this file; exit on direct requests
if ( ! defined( 'ABSPATH' ) ) exit;
Data Validation
◦ Never trust user input!
◦ Check that the data entered is the correct data.
// Returns an integer no matter what was submitted
intval( $_GET["entered_number"] );
// Returns the address if it looks like an email, false otherwise
is_email( $_GET["entered_email"] );
// Reject empty values before using them
if ( ! empty( $random_string ) ) {
    // safe to continue with $random_string
}
Sanitize
◦ WordPress has many helper functions to assist you!
sanitize_email( $entered_email );
sanitize_text_field( $entered_text );
Escape All Output
◦ Ensure all displayed data is secure
◦ Again, WordPress has lots of helper functions
esc_html( $my_html );
esc_url( $my_pic_url );
<ul class="<?php echo esc_attr( $my_class ); ?>">
<a href="#" onclick="<?php echo esc_js( $my_js ); ?>">Click me</a>
Use $wpdb
◦ If you are doing anything with the database, use the $wpdb abstraction class
◦ Has functions for inserting, deleting, updating, querying, and more!
Nonces
◦ We use nonces to prevent cross site scripting hacking attempts
◦ Nonces are generated numbers used to verify origin and intent
// In the form: adds a hidden field named edit_form_nonce tied to the action 'edit_form'
wp_nonce_field( 'edit_form', 'edit_form_nonce' );
// In the handler: stop if the nonce is missing, expired or for a different action
if ( ! wp_verify_nonce( $_POST["edit_form_nonce"], 'edit_form' ) ) {
    return;
}
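The developer slides (ABSPATH, current_user_can, validation, sanitizing, $wpdb, escaping, nonces) are steps of one pattern, so here they are chained in a single admin form handler. This is an added example, not code from the slides; the table name, column names, capability, hook and field names are assumptions.

```php
<?php
// Added example (not from the original slides). Assumes a table {prefix}fc_notes
// with columns id, email, note, created by the plugin elsewhere.
if ( ! defined( 'ABSPATH' ) ) {
    exit; // requested directly, not loaded through WordPress
}

function fc_render_note_form() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return; // only capable users even see the form
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'fc_save_note', 'fc_save_note_nonce' ); ?>
        <input type="hidden" name="action" value="fc_save_note">
        <input type="email" name="contact_email">
        <input type="text" name="note">
        <button type="submit">Save</button>
    </form>
    <?php
}

function fc_handle_note_form() {
    global $wpdb;
    // 1. Permission first: the capability check guards the action, not just the form.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission' );
    }
    // 2. Nonce: a request forged from another site cannot supply a valid one.
    $nonce = isset( $_POST['fc_save_note_nonce'] ) ? wp_unslash( $_POST['fc_save_note_nonce'] ) : '';
    if ( ! wp_verify_nonce( $nonce, 'fc_save_note' ) ) {
        wp_die( 'Invalid request' );
    }
    // 3. Validate: reject input that is not what the field means.
    $email = sanitize_email( wp_unslash( $_POST['contact_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Please enter a valid email address' );
    }
    // 4. Sanitize free text before storing it.
    $note = sanitize_text_field( wp_unslash( $_POST['note'] ?? '' ) );
    // 5. $wpdb->insert and prepare() bind values; never concatenate input into SQL.
    $wpdb->insert( $wpdb->prefix . 'fc_notes', [ 'email' => $email, 'note' => $note ], [ '%s', '%s' ] );
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT note FROM {$wpdb->prefix}fc_notes WHERE email = %s ORDER BY id DESC LIMIT 1", $email
    ) );
    // 6. Escape on output even though the value was sanitized on input.
    echo '<p>Saved: ' . esc_html( $row->note ?? '' ) . '</p>';
}
add_action( 'admin_post_fc_save_note', 'fc_handle_note_form' );
```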
Check out our free WordPress plugin: My WordPress Health Check
Check out our free email course on WordPress security: mylocalwebstop.com/freecourse
Q & A