locking down your wordpress site

Post on 13-Apr-2017


Locking Down Your Site

Frank Corso

3 Things To Consider

No site is 100% secure

Security vs convenience

It isn't WordPress's fault

frankcorso.me @fpcorso

How Common Are Hacks?

30,000 website hack attempts every day

Hacking is automated so one "bot" can attempt to hack dozens of sites every minute

Automated hacking bots do not need a specific target

Why Would Someone Hack Your Site?

Get user contact information

Get user credit card information

Insert ads and affiliate links into your site

Use your site's resources to further power the hacking bot

Hold your site hostage

Most Common Types Of Hacks

Brute Force Attack

SQL Injection Hacks

Cross Site Scripting

3 Stages Of Security

Protection

Detection

Recovery

Stage 1: Protection

How do you prevent a hack?

Hosting

Do your research!

Ensure your host keeps the server (PHP/MySQL/Linux) updated

Is there support?

Backup/recovery options?

User Management

Not everyone needs admin access

Do not have an "admin" user

Do not give your account credentials to anyone else

◦ If giving admin access to a developer, create a separate account which can be deactivated afterwards

Have a separate account for site admin that does not create posts/pages

Passwords

Do not use words in your passwords

Do not use short passwords (I use 20 characters!)

Use multiple types of characters

Change passwords regularly

Use different passwords for each site and service

Example: 3)S'Fb2rVa:?Sc-t@~D&

Use a password manager such as LastPass

Updates

Keep everything up to date

WordPress, plugins, and themes are updated regularly with security updates

PHP, MySQL, and Linux if you control the server

File Management

More technical items include:

◦ 404 detection

◦ wp-config.php file permissions

◦ .htaccess rules

◦ Setting up a time/day window in which the admin area can be accessed

Backups

ALWAYS(!!!) have backups

Redundant: keep backups both at your host and from within WordPress

Backup to an offsite location

◦ Email

◦ Amazon SES

◦ Google Drive

Regular backups

◦ Possibly daily database backups and weekly file backups

Use Backup Buddy or Updraft Plus

Use A Security Plugin

There are many good plugins that will take care of a lot of this for you.

Most security plugins have teams that watch for new trends and update their plugins to help protect your site

Use iThemes Security or Wordfence

SSL

SSL stands for Secure Sockets Layer and provides a secure connection between internet browsers and websites.

Siteground and Flywheel both include free SSL certificates!

If you are not on a host that provides free SSL certificates, purchase one!

◦ Starts at $15 per year

Stage 2: Detection

How will you know if your site is hacked?

Detecting A Hack

Watch for file changes

Watch for anything abnormal

Scan your site for possible malware with a checker such as virustotal.com

Consider a full site service such as the Website Antivirus by Sucuri
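A minimal file-change monitor for the "watch for file changes" point above, added here as an example (it is not from the original slides and not part of any product named above): it hashes every file under a WordPress root into a baseline manifest and, on later runs, reports files that were added, removed or changed. The default paths and the fc_ prefix are assumptions.

```php
<?php
// Added example, not from the slides: hash every file under a WordPress install
// into a baseline manifest, then report added/removed/changed files on later runs.
// The default paths and the fc_ prefix are assumptions; run it from cron.
$site_root = rtrim( $argv[1] ?? '/var/www/html', '/' );   // assumed WordPress root
$manifest  = $argv[2] ?? '/var/backups/wp-hashes.json';   // keep OUTSIDE the web root

function fc_hash_tree( $root ) {
    $hashes = array();
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $iter as $file ) {
        if ( ! $file->isFile() ) continue;
        $rel = substr( $file->getPathname(), strlen( $root ) + 1 );
        // Media in uploads changes through normal use, so skip it; but keep any
        // .php found there, because uploads should never contain executable code.
        if ( strpos( $rel, 'wp-content/uploads/' ) === 0
             && strtolower( $file->getExtension() ) !== 'php' ) continue;
        $hashes[ $rel ] = hash_file( 'sha256', $file->getPathname() );
    }
    ksort( $hashes );
    return $hashes;
}

function fc_diff_tree( array $baseline, array $current ) {
    $report = array( 'added' => array(), 'removed' => array(), 'changed' => array() );
    foreach ( $current as $path => $hash ) {
        if ( ! isset( $baseline[ $path ] ) )    $report['added'][]   = $path;
        elseif ( $baseline[ $path ] !== $hash ) $report['changed'][] = $path;
    }
    foreach ( array_keys( $baseline ) as $path ) {
        if ( ! isset( $current[ $path ] ) )     $report['removed'][] = $path;
    }
    return $report;
}

$current = fc_hash_tree( $site_root );
if ( ! file_exists( $manifest ) ) {
    file_put_contents( $manifest, json_encode( $current, JSON_PRETTY_PRINT ) );
    echo 'Baseline written: ' . count( $current ) . " files\n";
    exit( 0 );
}
$report = fc_diff_tree( json_decode( file_get_contents( $manifest ), true ), $current );
foreach ( $report as $kind => $paths ) {
    foreach ( $paths as $path ) echo strtoupper( $kind ) . "\t" . $path . "\n";
}
// Exit 1 on any difference so cron or a monitoring job can alert on it.
exit( array_sum( array_map( 'count', $report ) ) > 0 ? 1 : 0 );
```

Investigate every reported path you did not cause yourself (an update, a new plugin) before refreshing the baseline, and keep the manifest somewhere a compromised web root cannot rewrite it.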

Stage 3: Recovery

What do you do when your site is hacked?

What is your plan?

What is the plan in the event of an attack?

Create your plan before you need it!

Who will restore the site from the backup?

Who will scan your site looking for how the attack happened?

Change all your passwords

Developer Security

Developer Setup

Always develop with Debug mode on

◦ define( 'WP_DEBUG', true );

Use developer plugin such as Query Monitor

Important WordPress Functions

current_user_can

◦ Checks if the user has the correct permission

ABSPATH

◦ Checks if the file is being called directly

if ( ! current_user_can( 'moderate_comments' ) ) {
    echo 'You do not have permission';
    return;
}

if ( ! defined( 'ABSPATH' ) ) exit;

Data Validation

◦ Never trust user input!

◦ Check that the data entered is the correct kind of data.

intval( $_GET["entered_number"] );

is_email( $_GET["entered_email"] );

if ( ! empty( $random_string ) )

Sanitize

◦ WordPress has many helper functions to assist you!

sanitize_email( $entered_email );

sanitize_text_field( $entered_text );

Escape All Output

◦ Ensure all displayed data is secure

◦ Again, WordPress has lots of helper functions

esc_html( $my_html );

esc_url( $my_pic_url );

<ul class="<?php echo esc_attr( $my_class ); ?>">

<a href="#" onclick="<?php echo esc_js( $my_js ); ?>">Click me</a>
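An added example (not the slides' own code) that uses the escaping functions above together in one template function, each chosen for the context its value lands in. It assumes it runs inside WordPress (theme or plugin), and the $item values are constructed sample input.

```php
<?php
// Added example, not from the slides. Assumes it runs inside WordPress (theme or
// plugin); $item is constructed sample data standing in for user-supplied values.
function fc_render_profile_card( array $item ) {
    // Text between tags: esc_html() turns < > & " ' into entities, so any
    // markup in the value is displayed as text, not rendered.
    $name = esc_html( $item['name'] );

    // Inside a quoted attribute: esc_attr(), so a quote in the value cannot
    // end the attribute and start a new one.
    $css_class = esc_attr( $item['css_class'] );

    // In href/src: esc_url() keeps only allowed schemes and returns '' for
    // anything else (for example a javascript: URL), then entity-encodes.
    $link = esc_url( $item['website'] );

    // Inside a single-quoted string in inline JS: esc_js() escapes quotes,
    // ampersands, angle brackets and line breaks. It does not make a whole
    // script safe, only a string literal inside one.
    $greeting = esc_js( $item['greeting'] );

    // Escape at the point of output, for the context of that output; the raw
    // values stay untouched in $item for any other use.
    return sprintf(
        '<div class="%s"><a href="%s" onclick="alert(\'%s\')">%s</a></div>',
        $css_class, $link, $greeting, $name
    );
}

// Constructed sample: each field carries the character that would break out
// of its context if echoed raw. With the escaping above, all of it stays inert.
$sample = array(
    'name'      => 'Jane <b>Doe</b> & Co',
    'css_class' => 'card" data-x="y',
    'website'   => 'javascript:void(0)',
    'greeting'  => "Hello 'world'",
);
echo fc_render_profile_card( $sample );
```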

Use $wpdb

◦ If you are doing anything with the database, use the $wpdb abstraction class

◦ Has functions for inserting, deleting, updating, querying, and more!

Nonces

◦ We use nonces to prevent cross-site scripting hacking attempts

◦ Nonces are generated numbers used to verify origin and intent

wp_nonce_field( 'edit_form', 'edit_form_nonce' );

if ( ! wp_verify_nonce( $_POST["edit_form_nonce"], 'edit_form' ) ) {
    return;
}
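As an added example that is not from the original slides, here is one admin form handler that chains the pieces from the Important WordPress Functions, Data Validation, Sanitize, Use $wpdb and Nonces slides: ABSPATH guard, nonce check, capability check, validation and sanitization, then a prepared insert through $wpdb. It assumes a plugin file loaded by WordPress; the hook name, the fc_notes table and the form field names are constructed for illustration.

```php
<?php
// Added example, not from the slides. Assumes a plugin file loaded by WordPress;
// the 'fc_notes' table and the form field names are constructed for illustration.
if ( ! defined( 'ABSPATH' ) ) exit; // refuse direct requests to this file

function fc_handle_note_form() {
    // 1. Intent: the POST must carry the nonce that wp_nonce_field() printed
    //    into the form (field 'edit_form_nonce', action 'edit_form').
    if ( ! isset( $_POST['edit_form_nonce'] )
         || ! wp_verify_nonce( $_POST['edit_form_nonce'], 'edit_form' ) ) {
        wp_die( 'Invalid request', '', array( 'response' => 403 ) );
    }

    // 2. Permission: being logged in is not enough, check the capability.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'You do not have permission', '', array( 'response' => 403 ) );
    }

    // 3. Validate: reject anything that is not the kind of data we expect.
    $post_id = isset( $_POST['post_id'] ) ? intval( $_POST['post_id'] ) : 0;
    $email   = isset( $_POST['entered_email'] ) ? sanitize_email( $_POST['entered_email'] ) : '';
    if ( $post_id <= 0 || ! is_email( $email ) ) {
        wp_die( 'Invalid form data', '', array( 'response' => 400 ) );
    }

    // 4. Sanitize free text before storing it (strips tags and stray line breaks).
    $note = isset( $_POST['entered_text'] ) ? sanitize_text_field( $_POST['entered_text'] ) : '';

    // 5. Persist through $wpdb: insert() builds a prepared statement and the
    //    %d/%s formats pin each column's type, so no SQL is assembled by hand.
    global $wpdb;
    $ok = $wpdb->insert(
        $wpdb->prefix . 'fc_notes',
        array( 'post_id' => $post_id, 'email' => $email, 'note' => $note ),
        array( '%d', '%s', '%s' )
    );
    if ( false === $ok ) {
        wp_die( 'Could not save note', '', array( 'response' => 500 ) );
    }

    // For hand-written queries, $wpdb->prepare() does the same placeholder work.
    return (int) $wpdb->get_var( $wpdb->prepare(
        "SELECT COUNT(*) FROM {$wpdb->prefix}fc_notes WHERE post_id = %d",
        $post_id
    ) );
}
// admin-post.php routes a POST carrying hidden field action=fc_save_note here.
add_action( 'admin_post_fc_save_note', 'fc_handle_note_form' );
```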

Check out our free WordPress plugin: My WordPress Health Check

Check out our free email course on WordPress security: mylocalwebstop.com/freecourse

Q & A
