Best Practices in WordPress Security - WordCamp YYC 2015

Post on 14-Aug-2015


RE CARLSON @rehcarlson #WCYYC

@AbtekWeb

BEST PRACTICES IN

SELF-HOSTED WORDPRESS SECURITY & SPEED

THIS TALK IS NOT FOR DEVELOPERS.

Chris Wiegman: Securing Your Code –

WordPress Security for Developers

May 7, 2015 at LoopConf

Las Vegas, NV

https://youtu.be/nuWR_HiBHYc

SECURITY IS HARD.

“IT SHOULD JUST WORK.”

“YOU SHOULD JUST PAY ME.”

TRAINING IS HARD.

[Diagram labels: plugins, posts, pages, SQL, meta]

LOGIN SECURITY

BEST PRACTICES IN LOGIN SECURITY

Never use “admin” as a username, and enforce strong passwords for your users.

Never publish pages or posts using accounts with Administrator-level permission.

Limit login attempts and change /wp-admin/ to something else.

Disable the Dashboard editor in wp-config.php

define('DISALLOW_FILE_EDIT', true);

WordFence

BPS Security

iThemes Security

UPDATE FILE PERMISSIONS

File or directory        Permissions
.htaccess                404 / 604
index.php                400 / 600
wp-config.php            400 / 600
wp-blog-header.php       400 / 600
/wp-admin/               705
/wp-content/             705
/wp-content/plugins      705
/wp-content/themes       705
/wp-content/uploads      705
/wp-content/upgrade      755

Shared hosting providers won't allow you to change Owner permissions.
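A small POSIX shell helper, added here as an example and not part of the original slides, that applies the permission table above to a WordPress install and then audits it, printing every path whose mode differs. It uses the first value the deck gives for each file (404/400); on shared hosting, where PHP runs as the file owner, you would substitute the 604/600 values. The function names (wp_expected_mode, wp_audit_perms, wp_apply_perms, wp_mismatch_count) are this example's own, and it assumes GNU stat, with a BSD stat fallback.

```shell
# Added example (not from the slides): apply the deck's permission table to a
# WordPress install rooted at $1 and audit the result.
# Usage: wp_audit_perms /var/www/html || wp_apply_perms /var/www/html

# Paths the table covers, relative to the WordPress root.
WP_PERM_PATHS=".htaccess index.php wp-config.php wp-blog-header.php
wp-admin wp-content wp-content/plugins wp-content/themes wp-content/uploads
wp-content/upgrade"

# Print the expected octal mode for one path (first column of the table);
# prints nothing for a path the table does not list.
wp_expected_mode() {
    case "$1" in
        .htaccess) echo 404 ;;
        index.php|wp-config.php|wp-blog-header.php) echo 400 ;;
        wp-admin|wp-content|wp-content/plugins|wp-content/themes|wp-content/uploads) echo 705 ;;
        wp-content/upgrade) echo 755 ;;
    esac
}

# Octal mode of a path: GNU stat first, BSD stat as a fallback.
wp_mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Report each path whose mode differs from the table, or which is missing.
# Returns 0 when everything matches, 1 otherwise.
wp_audit_perms() {   # wp_audit_perms /path/to/wordpress
    root=$1 bad=0
    for p in $WP_PERM_PATHS; do
        want=$(wp_expected_mode "$p")
        if [ ! -e "$root/$p" ]; then
            echo "MISSING  $p"
            bad=$((bad + 1))
            continue
        fi
        have=$(wp_mode_of "$root/$p")
        if [ "$have" != "$want" ]; then
            echo "MISMATCH $p is $have, want $want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

# Number of findings, handy for scripting and cron checks.
wp_mismatch_count() {   # wp_mismatch_count /path/to/wordpress
    echo $(( $(wp_audit_perms "$1" | wc -l) ))
}

# Apply the table. Parents are listed before children, so every directory
# keeps owner execute (705/755) and its contents stay reachable.
wp_apply_perms() {   # wp_apply_perms /path/to/wordpress
    root=$1
    for p in $WP_PERM_PATHS; do
        if [ -e "$root/$p" ]; then
            chmod "$(wp_expected_mode "$p")" "$root/$p"
        fi
    done
}
```

Run the audit from cron or a deploy hook and alert on a non-zero exit; a mismatch on wp-config.php or a writable /wp-content/upgrade after a deploy is exactly the drift this table is meant to catch.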

CUSTOMIZE PHP + .HTACCESS

WHAT IS .HTACCESS?

“.htaccess files (or ‘distributed configuration files’) provide a way to make configuration changes on a per-directory basis. A file, containing one or more configuration directives, is placed in a particular document directory, and the directives apply to that directory, and all subdirectories thereof.”

FILES ARE HIDDEN BY DEFAULT

WHAT ELSE CAN YOU DO WITH .HTACCESS?

Define Error Pages – 400, 401, 403, 404, 500

Define caching-specific rules

Restrict users based on IP address

Force browser to use a different index file

Add 301 redirect rules

More info: Tuts+ Article

USING SHARED HOSTING?

Add & customize this code to .htaccess

suPHP_ConfigPath /home/username/

Then upload your customized php.ini file to this directory & set file permissions to 600.

CHECK YOUR SETTINGS IN PHP.INI

PHP Safe Mode: Off
PHP Allow URL fopen: Off
PHP Allow URL Include: Off
PHP Display Errors: Off
PHP Display Startup Errors: Off
PHP Expose PHP: Off
PHP Register Globals: Off
PHP MySQL Allow Persistent Connections: Off
PHP Output Buffering: Off
PHP Max Script Execution Time: 60 Seconds
PHP Magic Quotes GPC: Off
PHP XML Support: Yes
PHP IPTC Support: Yes
PHP Exif Support: No

Other Fun Stuff

memory_limit = 128M

upload_max_filesize = 50M

max_execution_time = 30
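Checking these values by eye on every host is error-prone, so here is a POSIX shell checker, added as an example and not part of the original slides, that reads a php.ini file and reports every directive from the checklist above that is not Off (or is not set at all, since PHP's built-in default for allow_url_fopen, for instance, is On). It handles commented-out lines and repeated assignments the way PHP does (last one wins). safe_mode is omitted because it no longer exists in supported PHP versions, and max_execution_time is left to the reader since the deck gives both 60 and 30. The function names and the sample php.ini are this example's own constructions.

```shell
# Added example (not from the slides): audit a php.ini against the deck's
# "Off" checklist. Usage: phpini_audit /home/username/php.ini

# Directives the deck wants Off (directive=expected).
WP_PHPINI_EXPECTED="allow_url_fopen=Off allow_url_include=Off display_errors=Off
display_startup_errors=Off expose_php=Off register_globals=Off
mysql.allow_persistent=Off output_buffering=Off magic_quotes_gpc=Off"

# Print the effective value of DIRECTIVE in FILE. Comments (";...") are
# stripped and, as in PHP, the last assignment wins. Prints nothing if unset.
# (A literal ";" inside a value would be cut off; none of these directives take one.)
phpini_get() {   # phpini_get FILE DIRECTIVE
    key=$(printf '%s' "$2" | sed 's/\./\\./g')   # escape "." in names like mysql.allow_persistent
    sed -n -e 's/[[:space:]]*;.*$//' \
           -e "s/^[[:space:]]*${key}[[:space:]]*=[[:space:]]*//p" "$1" \
        | tail -n 1 | tr -d ' \t"'
}

# Normalise the boolean spellings php.ini accepts (On/1/Yes/True, Off/0/No/False).
phpini_norm() {
    v=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    case "$v" in
        1|on|yes|true) echo on ;;
        0|off|no|false|none) echo off ;;
        *) echo "$v" ;;
    esac
}

# One line per finding; returns 0 when the file matches the checklist, 1 otherwise.
phpini_audit() {   # phpini_audit FILE
    bad=0
    for kv in $WP_PHPINI_EXPECTED; do
        key=${kv%%=*}
        want=$(phpini_norm "${kv#*=}")
        have=$(phpini_get "$1" "$key")
        if [ -z "$have" ]; then
            echo "UNSET    $key (want $want; PHP's built-in default may differ)"
            bad=$((bad + 1))
        elif [ "$(phpini_norm "$have")" != "$want" ]; then
            echo "MISMATCH $key is $have, want $want"
            bad=$((bad + 1))
        fi
    done
    [ "$bad" -eq 0 ]
}

phpini_finding_count() {   # phpini_finding_count FILE
    echo $(( $(phpini_audit "$1" | wc -l) ))
}

# Constructed sample php.ini for demonstration (not any real host's file):
# three of the checklist settings are wrong on purpose.
phpini_write_sample() {   # phpini_write_sample FILE
    cat > "$1" <<'EOF'
; constructed sample php.ini
allow_url_fopen = On
allow_url_include = Off
;display_errors = On
display_errors = Off
display_startup_errors = Off
expose_php = On
register_globals = Off
mysql.allow_persistent = Off
output_buffering = 4096
magic_quotes_gpc = Off
memory_limit = 128M
EOF
}
```

On the sample file the audit flags allow_url_fopen, expose_php and output_buffering, and passes display_errors because the commented-out "On" line is ignored. Point it at the php.ini you uploaded with suPHP_ConfigPath to confirm the copy Apache actually reads is the hardened one.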

DENY ACCESS TO SETTINGS FILES

<FilesMatch "^(wp-config\.php|php\.ini|php5\.ini|readme\.html|bb-config\.php)">
    Order Allow,Deny
    Deny from all
    #Allow from 192.168.0.1
</FilesMatch>

SECURE YOUR DATABASE

Revoke the DROP, ALTER and GRANT privileges from the WordPress database user on production sites (unless a plugin requires them).
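To see whether a site's database user still holds those privileges, paste the output of SHOW GRANTS for that user into the POSIX shell checker below, which is added here as an example and is not part of the original slides. It flags DROP, ALTER and WITH GRANT OPTION (and ALL PRIVILEGES, which implies all three), and prints the REVOKE statements that remove them. The grant lines it ships with are constructed samples, and the function names are this example's own.

```shell
# Added example (not from the slides): check SHOW GRANTS output for the
# privileges the deck says to revoke on production, and emit the fix.
# Usage: mysql -e "SHOW GRANTS FOR 'wp'@'localhost'" | wp_db_grant_findings

# Print one finding per dangerous privilege found in SHOW GRANTS lines on stdin.
wp_db_grant_findings() {
    while IFS= read -r line; do
        case "$line" in GRANT*) ;; *) continue ;; esac
        privs=${line#GRANT }
        privs=${privs%% ON *}                          # "SELECT, INSERT, DROP, ..."
        list=",$(printf '%s' "$privs" | tr -d ' '),"   # ",SELECT,INSERT,DROP,...,"
        case "$line" in *" WITH GRANT OPTION"*) echo "GRANT OPTION" ;; esac
        case "$list" in *,ALLPRIVILEGES,*) echo "ALL PRIVILEGES" ;; esac
        # Exact tokens only, so ALTER ROUTINE does not count as ALTER.
        for p in DROP ALTER; do
            case "$list" in *,"$p",*) echo "$p" ;; esac
        done
    done
}

wp_db_finding_count() {   # wp_db_finding_count < grants.txt
    echo $(( $(wp_db_grant_findings | wc -l) ))
}

# Emit the REVOKE statements for a database/user/host triple.
wp_db_revoke_sql() {   # wp_db_revoke_sql DB USER HOST
    printf "REVOKE DROP, ALTER ON \`%s\`.* FROM '%s'@'%s';\n" "$1" "$2" "$3"
    printf "REVOKE GRANT OPTION ON \`%s\`.* FROM '%s'@'%s';\n" "$1" "$2" "$3"
    echo "FLUSH PRIVILEGES;"
}

# Constructed sample of what SHOW GRANTS prints for an over-privileged user.
wp_db_sample_grants() {
    cat <<'EOF'
GRANT USAGE ON *.* TO `wp`@`localhost`
GRANT SELECT, INSERT, UPDATE, DELETE, CREATE, DROP, ALTER, INDEX, CREATE TEMPORARY TABLES, LOCK TABLES ON `wordpress`.* TO `wp`@`localhost` WITH GRANT OPTION
EOF
}
```

Against the sample grants the checker reports GRANT OPTION, DROP and ALTER. Run the emitted REVOKE statements as an administrative account, then re-run SHOW GRANTS; core and plugin updates that need ALTER (schema changes) will tell you, and that is the moment to grant it back temporarily rather than leave it on permanently.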

FOLLOW BREAKING SECURITY NEWS

THANKS FOR DOWNLOADING! SAVE $100 OFF SECURITY AUDIT SERVICE

CALL 1-844-33-ABTEK FOR DETAILS