Locking Down Your WordPress Site
Frank Corso

Posted on 13-Apr-2017


Page 1: Locking Down Your WordPress Site

Locking Down Your Site
Frank Corso

Page 2: Locking Down Your WordPress Site

3 Things To Consider

No site is 100% secure

Security vs convenience

It isn't WordPress's fault

frankcorso.me @fpcorso

Page 3: Locking Down Your WordPress Site

How Common Are Hacks?

30,000 website hack attempts every day

Hacking is automated, so one "bot" can attempt to hack dozens of sites every minute

Automated hacking bots do not need a specific target

Page 4: Locking Down Your WordPress Site

Why Would Someone Hack Your Site?

Get user contact information

Get user credit card information

Insert ads and affiliate links into your site

Use your site's resources to further power the hacking bot

Hold your site hostage


Page 5: Locking Down Your WordPress Site

Most Common Types Of Hacks

Brute Force Attack

SQL Injection Hacks

Cross Site Scripting

Page 6: Locking Down Your WordPress Site

3 Stages Of Security

Protection

Detection

Recovery

Page 7: Locking Down Your WordPress Site

Stage 1: Protection

HOW DO YOU PREVENT A HACK?

Page 8: Locking Down Your WordPress Site

Hosting

Do your research!

Ensure your host keeps the server (PHP/MySQL/Linux) updated

Is there support?

Backup/recovery options?

Page 9: Locking Down Your WordPress Site

User Management

Not everyone needs admin access

Do not have an "admin" user

Do not give out your account
  ◦ If giving admin access to a developer, create a separate account which can be de-activated

Have a separate account for site admin that does not create posts/pages

Page 10: Locking Down Your WordPress Site

Passwords

Do not use words in your passwords

Do not use short passwords (I use 20 characters!)

Use multiple types of characters

Change passwords regularly

Use different passwords for each site and service

Example: 3)S'Fb2rVa:?Sc-t@~D&

Use a password manager such as LastPass

Page 11: Locking Down Your WordPress Site

Updates

Keep everything up to date

WordPress, plugins, and themes are updated regularly with security updates

PHP, MySQL, and Linux if you control the server

Page 12: Locking Down Your WordPress Site

File Management

Lots of more technical items include:
  ◦ 404 detection
  ◦ wp-config.php file permissions
  ◦ .htaccess
  ◦ Setting up time/day to access admin
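The last item on this slide, restricting when the dashboard can be reached, is short enough to show in full. The following must-use plugin is an added example written for this transcript, not code from the talk or from any plugin the talk names; the 06:00-22:00 weekday window, the AAW_ prefix and the AAW_DISABLE bypass constant are assumptions, while the hooks and functions it calls (admin_init, wp_doing_ajax, wp_doing_cron, wp_timezone, wp_die) are WordPress core APIs.

```php
<?php
/**
 * Plugin Name: Admin Access Window (added example)
 * Description: Blocks /wp-admin outside an allowed time window.
 *
 * Place in wp-content/mu-plugins/ to load it automatically. Hypothetical policy:
 * the dashboard is reachable 06:00-22:00 site-local time, Monday to Friday.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // loaded directly, not through WordPress
}

const AAW_START_HOUR   = 6;
const AAW_END_HOUR     = 22;                       // exclusive
const AAW_ALLOWED_DAYS = array( 1, 2, 3, 4, 5 );   // ISO-8601 weekday: 1 = Monday

// Evaluate the window in the site's configured timezone, not the server's.
function aaw_is_within_window( int $timestamp ): bool {
    $dt   = ( new DateTimeImmutable( '@' . $timestamp ) )->setTimezone( wp_timezone() );
    $hour = (int) $dt->format( 'G' );
    $day  = (int) $dt->format( 'N' );
    return in_array( $day, AAW_ALLOWED_DAYS, true )
        && $hour >= AAW_START_HOUR
        && $hour < AAW_END_HOUR;
}

function aaw_enforce_window(): void {
    // Emergency bypass: define( 'AAW_DISABLE', true ) in wp-config.php over SSH/SFTP,
    // so the window can never lock the owner out for good (assumed constant name).
    if ( defined( 'AAW_DISABLE' ) && AAW_DISABLE ) {
        return;
    }
    // AJAX and cron also fire admin_init; front-end features and scheduled jobs need them.
    if ( wp_doing_ajax() || wp_doing_cron() ) {
        return;
    }
    if ( aaw_is_within_window( time() ) ) {
        return;
    }
    // Record the blocked attempt so the detection stage has something to review.
    error_log( sprintf(
        'admin access blocked outside window: user %d from %s',
        get_current_user_id(),
        $_SERVER['REMOTE_ADDR'] ?? 'unknown'
    ) );
    wp_die( esc_html__( 'The dashboard is unavailable outside maintenance hours.' ), 403 );
}
add_action( 'admin_init', 'aaw_enforce_window' );
```

Because the check runs on admin_init rather than on the login form, a stolen session cookie is just as blocked as a fresh login outside the window, which is the point of the control; the AAW_DISABLE constant is there because a time lock with no out-of-band bypass is an outage waiting to happen.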

Page 13: Locking Down Your WordPress Site

Backups

ALWAYS(!!!) have backups

Redundant - hosting and WordPress

Backup to an offsite location
  ◦ Email
  ◦ Amazon SES
  ◦ Google Drive

Regular backups
  ◦ Possibly daily database backups and weekly file backups

Use Backup Buddy or Updraft Plus

Page 14: Locking Down Your WordPress Site

Use A Security Plugin

Many good plugins will take care of a lot of this for you.

Most security plugins have teams that watch for new trends and update their plugins to help protect your site

Use iThemes Security or Wordfence

Page 15: Locking Down Your WordPress Site

SSL

SSL stands for Secure Sockets Layer and provides a secure connection between internet browsers and websites.

Siteground and Flywheel both include free SSL certificates!

If you are not on a host that provides free SSL certificates, purchase one!
  ◦ Starts off at $15 per year

Page 16: Locking Down Your WordPress Site

Stage 2: Detection

HOW WILL YOU KNOW IF YOUR SITE IS HACKED?

Page 17: Locking Down Your WordPress Site

Detecting A Hack

Watch for file changes

Watch for anything abnormal

Scan your site with a malware checker such as virustotal.com

Consider a full site service such as the Website Antivirus by Sucuri
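"Watch for file changes" is the one item here you can implement yourself in a few dozen lines: hash every file once while the site is known-good, then re-hash on a schedule and report anything added, removed or modified. The script below is an added example for this transcript, not code from the talk or from any product it names; the CLI arguments, the manifest file name and the skipped wp-content/uploads and wp-content/cache paths are assumptions.

```php
<?php
/**
 * file-monitor.php (added example): baseline-and-diff file integrity check.
 *
 * Usage (hypothetical paths):
 *   php file-monitor.php baseline /var/www/html /root/wp-manifest.json
 *   php file-monitor.php check    /var/www/html /root/wp-manifest.json
 * "check" exits non-zero when anything differs, so cron or a monitor can alert.
 */

function build_manifest( string $root ): array {
    $manifest = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) {
            continue;
        }
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        // Skip directories expected to churn; everything else (core, themes,
        // plugins, wp-config.php, .htaccess) should only change on a deploy.
        if ( preg_match( '#^wp-content/(uploads|cache)/#', $rel ) ) {
            continue;
        }
        $manifest[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $manifest );
    return $manifest;
}

function diff_manifests( array $baseline, array $current ): array {
    $report = array( 'added' => array(), 'removed' => array(), 'modified' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) ) {
            $report['added'][] = $path;
        } elseif ( $baseline[ $path ] !== $hash ) {
            $report['modified'][] = $path;
        }
    }
    foreach ( array_keys( $baseline ) as $path ) {
        if ( ! isset( $current[ $path ] ) ) {
            $report['removed'][] = $path;
        }
    }
    return $report;
}

if ( PHP_SAPI === 'cli' && isset( $argv ) && count( $argv ) === 4 ) {
    $mode          = $argv[1];
    $root          = rtrim( $argv[2], '/' );
    $manifest_path = $argv[3];

    if ( $mode === 'baseline' ) {
        file_put_contents( $manifest_path, json_encode( build_manifest( $root ), JSON_PRETTY_PRINT ) );
        echo "baseline written to $manifest_path\n";
        exit( 0 );
    }

    $baseline = json_decode( (string) file_get_contents( $manifest_path ), true ) ?: array();
    $report   = diff_manifests( $baseline, build_manifest( $root ) );
    foreach ( $report as $kind => $paths ) {
        foreach ( $paths as $path ) {
            echo "$kind: $path\n";
        }
    }
    exit( array_sum( array_map( 'count', $report ) ) > 0 ? 1 : 0 );
}
```

Keep the manifest outside the web root and ideally on another host: an attacker who can write to wp-content can just as easily rewrite a manifest stored beside it. Re-run "baseline" only after an update you performed yourself; a "modified" entry for a core file you did not touch is exactly the signal this slide is asking you to watch for.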

Page 18: Locking Down Your WordPress Site

Stage 3: Recovery

WHAT DO YOU DO WHEN YOUR SITE IS HACKED?

Page 19: Locking Down Your WordPress Site

What Is Your Plan?

What is the plan in the event of an attack?

Create your plan before you need it!

Who will restore the site from the backup?

Who will scan your site looking for how the attack happened?

Change all your passwords

Page 20: Locking Down Your WordPress Site

Developer Security


Page 21: Locking Down Your WordPress Site

Developer Setup

Always develop with Debug mode on
  ◦ define( 'WP_DEBUG', true ); in wp-config.php

Use a developer plugin such as Query Monitor

Page 22: Locking Down Your WordPress Site

Important WordPress Functions

current_user_can
  ◦ Checks if user has the correct permission

ABSPATH
  ◦ Checks if the file is being called directly

    <?php
    // ABSPATH is defined when WordPress bootstraps; if it is missing, this file
    // was requested directly rather than loaded through WordPress, so stop.
    if ( ! defined( 'ABSPATH' ) ) {
        exit;
    }

    // Check the capability the action needs (not the role) before doing anything.
    if ( ! current_user_can( 'moderate_comments' ) ) {
        echo 'You do not have permission';
        return;
    }
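The two checks above belong in every entry point of a plugin, not only the first one you write. This added example (written for this transcript, not code from the talk) shows both in the places they usually go: the ABSPATH guard at the top of the file, the capability check inside the admin page callback even though the menu already requires the capability, and the same capability check as a REST permission_callback, which is a route the admin menu never protects. The plugin name, menu slug, route namespace and ct_ prefix are assumptions; add_comments_page, register_rest_route and wp_count_comments are core functions.

```php
<?php
/**
 * Plugin Name: Comment Tools (added example)
 * Description: Shows where ABSPATH and capability checks go in a small plugin.
 */

// Direct request to this file bypasses WordPress entirely: nothing below is safe to run.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// The menu entry is shown only to users with moderate_comments...
add_action( 'admin_menu', function () {
    add_comments_page(
        'Comment Tools',        // page title
        'Comment Tools',        // menu title
        'moderate_comments',    // capability required to see the entry
        'ct-tools',             // menu slug (assumed)
        'ct_render_page'
    );
} );

// ...but menu visibility is not authorisation, so the callback checks again.
function ct_render_page(): void {
    if ( ! current_user_can( 'moderate_comments' ) ) {
        wp_die( esc_html__( 'You do not have permission to access this page.' ), 403 );
    }
    $pending = (int) wp_count_comments()->moderated;
    echo '<div class="wrap"><h1>Comment Tools</h1>';
    echo '<p>Pending comments: ' . esc_html( (string) $pending ) . '</p>';
    echo '</div>';
}

// REST and AJAX requests never pass through the admin menu, so they need their own check.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ct/v1', '/pending-count', array(
        'methods'  => 'GET',
        'callback' => function () {
            return array( 'pending' => (int) wp_count_comments()->moderated );
        },
        // Runs before the callback; returning false yields a 401/403 instead of data.
        'permission_callback' => function () {
            return current_user_can( 'moderate_comments' );
        },
    ) );
} );
```

Checking a capability rather than a role (current_user_can( 'administrator' ) is a common mistake) keeps the plugin working when a site defines custom roles, and putting the check inside the callback means it still holds if someone reaches the handler through a path you did not anticipate.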

Page 23: Locking Down Your WordPress Site

Data Validation
  ◦ Never trust user input!
  ◦ Check if the data entered is the correct data.

    <?php
    // Coerce to an integer: non-numeric input becomes 0, which the caller can then reject.
    $number = intval( $_GET['entered_number'] ?? 0 );

    // is_email() returns the address when it is well-formed and false otherwise.
    $email = is_email( $_GET['entered_email'] ?? '' );

    // Refuse to continue when a required value is missing.
    if ( ! empty( $random_string ) ) {
        // safe to use $random_string here
    }

Page 24: Locking Down Your WordPress Site

Sanitize
  ◦ WordPress has many helper functions to assist you!

    <?php
    // Strip characters that do not belong in an address, then store or use the result.
    $clean_email = sanitize_email( $entered_email );

    // Remove tags, control characters and stray whitespace from a single-line text value.
    $clean_text = sanitize_text_field( $entered_text );

Page 25: Locking Down Your WordPress Site

Escape All Output
  ◦ Ensure all displayed data is secure
  ◦ Again, WordPress has lots of helper functions

    <?php
    // Escape for the context the value lands in: HTML text, URL, attribute or inline JS.
    echo esc_html( $my_html );     // text between tags
    echo esc_url( $my_pic_url );   // href/src values; rejects disallowed protocols
    ?>
    <ul class="<?php echo esc_attr( $my_class ); ?>">
    <a href="#" onclick="<?php echo esc_js( $my_js ); ?>">Click me</a>
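Slides 23 to 25 are three steps of one pipeline, so here they are together on a single read-only filter form: validate on the way in, sanitize what you keep, escape on the way out. This is an added example for this transcript, not code from the talk; the shortcode name, the per_page, email and q parameters and the ex_ prefix are assumptions, while intval, is_email, sanitize_email, sanitize_text_field, wp_unslash, esc_attr, esc_url and esc_html are the core functions the slides list.

```php
<?php
/**
 * Added example: validate, sanitize and escape a member-directory filter form.
 * Read-only (GET) so it needs no nonce; a form that changes data would.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Step 1 + 2: validate type and range, then sanitize what passes.
function ex_read_filters( array $query ): array {
    $per_page = intval( $query['per_page'] ?? 10 );
    if ( $per_page < 1 || $per_page > 100 ) {
        $per_page = 10;   // out of range: fall back to a default rather than trusting it
    }

    $email = '';
    if ( ! empty( $query['email'] ) ) {
        $raw = wp_unslash( $query['email'] );  // undo WordPress's magic-quotes-style slashes
        if ( is_email( $raw ) ) {
            $email = sanitize_email( $raw );
        }
    }

    $search = '';
    if ( ! empty( $query['q'] ) ) {
        $search = sanitize_text_field( wp_unslash( $query['q'] ) );  // strips tags, control chars
    }

    return compact( 'per_page', 'email', 'search' );
}

// Step 3: escape every value for the exact context it is printed into.
function ex_render_filter_form( array $f ): string {
    $html  = '<form method="get" action="' . esc_url( get_permalink() ) . '">';
    $html .= '<input type="search" name="q" value="' . esc_attr( $f['search'] ) . '">';
    $html .= '<input type="email" name="email" value="' . esc_attr( $f['email'] ) . '">';
    $html .= '<input type="number" name="per_page" value="' . esc_attr( (string) $f['per_page'] ) . '">';
    $html .= '<button>Filter</button></form>';

    if ( $f['search'] !== '' ) {
        // esc_html renders a submitted <script> tag as visible text instead of executing it.
        $html .= '<p>Results for: ' . esc_html( $f['search'] ) . '</p>';
    }
    return $html;
}

add_shortcode( 'ex_member_filter', function () {
    return ex_render_filter_form( ex_read_filters( $_GET ) );
} );
```

Sanitizing on input does not make escaping on output optional: the same value may be printed inside an attribute on one page and as text on another, and only the escaping function knows which context it is protecting.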

Page 26: Locking Down Your WordPress Site

Use $wpdb
  ◦ If you are doing anything with the database, use the $wpdb abstraction class
  ◦ Has functions for inserting, deleting, updating, querying, and more!
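The reason this slide matters is the "SQL Injection Hacks" entry from slide 5: $wpdb only protects you when the query is built with placeholders. The following added example (written for this transcript, not code from the talk) puts an unsafe concatenated query next to the prepared form and then uses the insert, update and esc_like helpers the slide alludes to. The votes table and its columns are assumptions; $wpdb->prepare, get_results, insert, update and esc_like are core methods.

```php
<?php
/**
 * Added example: $wpdb with placeholders. Table {$wpdb->prefix}votes with
 * columns id, email, choice, created_at is hypothetical.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Unsafe pattern, kept only for contrast: input is pasted straight into SQL,
// so an apostrophe in $email breaks out of the quotes and changes the query.
function ex_find_votes_unsafe( string $email ): array {
    global $wpdb;
    $sql = "SELECT * FROM {$wpdb->prefix}votes WHERE email = '$email'";
    return $wpdb->get_results( $sql );
}

// Safe pattern: %s/%d placeholders, values quoted and escaped by prepare().
function ex_find_votes( string $email, int $limit = 20 ): array {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT id, email, choice, created_at
           FROM {$wpdb->prefix}votes
          WHERE email = %s
          ORDER BY created_at DESC
          LIMIT %d",
        $email,
        $limit
    );
    return $wpdb->get_results( $sql );
}

// insert()/update() build the SQL for you; the format arrays say how each value is typed.
function ex_record_vote( string $email, string $choice ) {
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'votes',
        array( 'email' => $email, 'choice' => $choice, 'created_at' => current_time( 'mysql' ) ),
        array( '%s', '%s', '%s' )
    );
    return $ok === false ? false : (int) $wpdb->insert_id;
}

function ex_change_vote( int $id, string $choice ) {
    global $wpdb;
    return $wpdb->update(
        $wpdb->prefix . 'votes',
        array( 'choice' => $choice ),   // SET
        array( 'id' => $id ),           // WHERE
        array( '%s' ),                  // SET formats
        array( '%d' )                   // WHERE formats
    );
}

// LIKE patterns need their wildcards escaped as well, or a "%" in input matches every row.
function ex_search_votes( string $term ): array {
    global $wpdb;
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT id, choice FROM {$wpdb->prefix}votes WHERE choice LIKE %s", $like )
    );
}
```

Table and column names cannot be placeholders, which is why the prefix is interpolated directly; that is acceptable only because it comes from configuration, never from a request.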

Page 27: Locking Down Your WordPress Site

Nonces
  ◦ We use nonces to prevent cross site scripting hacking attempts
  ◦ Nonces are generated numbers used to verify origin and intent

    <?php
    // In the form: emits a hidden field named edit_form_nonce tied to the 'edit_form' action.
    wp_nonce_field( 'edit_form', 'edit_form_nonce' );

    // In the handler: refuse the request unless the nonce is present and valid.
    if ( ! isset( $_POST['edit_form_nonce'] )
        || ! wp_verify_nonce( $_POST['edit_form_nonce'], 'edit_form' ) ) {
        return;
    }
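One clarification before the example: what a WordPress nonce proves is that the request originated from a form or link your site generated for this user and this action, which is exactly the "origin and intent" in the second bullet; the attack that defeats is a forged cross-site request, while cross-site scripting is the attack the escaping slide addresses. The example below is an added one written for this transcript, not code from the talk; it shows the full lifecycle the slide's two lines imply, generating the field on render and verifying it before acting, plus the link-based equivalent with wp_nonce_url and check_admin_referer. The action names, field names and ex_ prefix are assumptions; every function called is WordPress core.

```php
<?php
/**
 * Added example: nonce lifecycle for a state-changing form and for an action link.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Render: the hidden field is tied to this action, this post and the logged-in user.
function ex_render_edit_form( int $post_id ): void {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ex_edit_form">
        <input type="hidden" name="post_id" value="<?php echo esc_attr( (string) $post_id ); ?>">
        <?php wp_nonce_field( 'edit_form_' . $post_id, 'edit_form_nonce' ); ?>
        <input type="text" name="title" value="<?php echo esc_attr( get_the_title( $post_id ) ); ?>">
        <button>Save</button>
    </form>
    <?php
}

// Handle: verify the nonce, then the capability, then act. Order matters: the nonce
// says "this came from our form"; the capability says "this user may do this".
function ex_handle_edit_form(): void {
    $post_id = intval( $_POST['post_id'] ?? 0 );
    $nonce   = isset( $_POST['edit_form_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['edit_form_nonce'] ) )
        : '';

    // wp_verify_nonce() returns 1 (under 12h old), 2 (12-24h old) or false: test for falsy.
    if ( ! wp_verify_nonce( $nonce, 'edit_form_' . $post_id ) ) {
        wp_die( esc_html__( 'Security check failed. Please go back and try again.' ), 403 );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'You do not have permission to edit this post.' ), 403 );
    }

    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    wp_update_post( array( 'ID' => $post_id, 'post_title' => $title ) );

    wp_safe_redirect( wp_get_referer() ?: admin_url() );
    exit;
}
add_action( 'admin_post_ex_edit_form', 'ex_handle_edit_form' );

// Links instead of forms: wp_nonce_url() adds the token, check_admin_referer() dies if it fails.
function ex_delete_link( int $post_id ): string {
    $url = admin_url( 'admin-post.php?action=ex_delete&post_id=' . $post_id );
    return wp_nonce_url( $url, 'ex_delete_' . $post_id, '_ex_nonce' );
}
add_action( 'admin_post_ex_delete', function () {
    $post_id = intval( $_GET['post_id'] ?? 0 );
    check_admin_referer( 'ex_delete_' . $post_id, '_ex_nonce' );
    if ( current_user_can( 'delete_post', $post_id ) ) {
        wp_trash_post( $post_id );
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
} );
```

Binding the post ID into the action string ('edit_form_' . $post_id) means a nonce issued for one post cannot be replayed against another, and the separate capability check is still required because a nonce is valid for any logged-in user who could load the form, including one who should not be able to edit that particular post.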

Page 28: Locking Down Your WordPress Site

Check out our free WordPress plugin: My WordPress Health Check

Page 29: Locking Down Your WordPress Site

Check out our free email course on WordPress security: mylocalwebstop.com/freecourse

Page 30: Locking Down Your WordPress Site

Q & A
