WP Site Management
Keeping your Creation Happy, Healthy, and Secure
Meagan Hanes @mhanes
WordCamp Hamilton 2016
A Bit About Me
Freelance designer & developer 15+ years
10+ years creating WP sites of all sizes & styles
TheWPCrowd Member
#training team: make.wordpress.org/training
Favourite colour: Rainbow!
Say Hi to my Friend Roy: http://hiroy.club
What is Web Security?
Protecting your website from malicious threats
Bots, Hackers
Ex-employees
Competing Businesses
Reducing vectors of attack
Plugins and themes
Weak passwords
Unused user accounts
Reducing the risk of an attack
Backups & Security
Why does web security matter?
$$$
Protect your investment
Websites aren’t cheap or easy to build - why risk losing that investment?
Reduce your stress levels, sleep well at night
Web Security = insurance policy for your website
Make your web employees happy
As much as developers love money, they don’t like fixing hacked sites!
Access
Who has access? How do they access the server? Where do they access it from?
Backups
How often are backups made? What’s involved in restoring a backup? Whose job is it?
Check for Updates
What kind of updates? How do I update my site with no risk of it breaking?
ABCs of Website Security
Who has access to your site? What level of access do they need? How do they access your site?
Current Users
Modify their User Role based on what level of access they need [1]
Encourage server connections with SFTP or SSH vs FTP
Old Users
Delete from Users section of WordPress
* Check Server-level Access As Well! *
1. https://codex.wordpress.org/Roles_and_Capabilities
Access
Dolphin12 is not a password, it’s a Hotmail account.
Not easily guessable - No birth years
Never write it down - LastPass, KeePass
Never reuse a password
Weird mind tricks work!
Password Reset Links are your friends!
Strong Passwords
When was your last website backup made? Where is that backup? How do you restore your site from a backup?
Manually [1]
Copy WordPress file directory, export the database, store on a third party server
Automagically [2]
Via a plugin: UpdraftPlus, BackupBuddy, WP-DB Backup, etc.
Via a centralized hub: ManageWP, InfiniteWP
* Test your Backup Restore Routine Tomorrow! *
1. https://codex.wordpress.org/WordPress_Backups
2. http://www.wpbeginner.com/plugins/7-best-wordpress-backup-plugins-compared-pros-and-cons/
Backups
What version of WordPress are you using? What plugins do you have installed and activated on your site? What theme are you using? What themes do you have installed but not active?
Core Updates
Point updates are done automatically (4.5.1 to 4.5.2) -> security patches, etc.
Major updates are done manually (4.3 to 4.5) -> get on the most recent version for :)
Plugins and Themes
If you don’t need them, delete them! -> fewer attack vectors
If they’re old, update them! -> missing features & compatibility with themes/plugins
If they’ve been modified, get a developer to help!
* Set Up A Staging Server for Maximum Win! *
Check for Updates
Who’s tried logging in to your site, from where, and when? Does your site have any suspicious code? When were site files last modified?
Security Plugins for WordPress
iThemes Security, Wordfence, Sucuri, All In One WP Security
Limit user login attempts (# of times), geolocation, time of access, IP address
Detect if/when files are changed
Two-factor authentication
Forcing secure passwords
.htaccess monitoring
Blacklists, firewalls, etc
… and more!
* Peace of mind comes at a cost - budget accordingly! *
BONUS: Security Plugins
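What "Detect if/when files are changed" comes down to, shown as an added example that is not from the talk or from any of the plugins named above: record a hash of every site file while the site is known good, then compare later. The function names are hypothetical, the script assumes sha256sum is installed, and the demo tree is constructed.

```shell
#!/bin/sh
# Added example (not from the talk): baseline-and-compare file change detection.
# wp_manifest, wp_changes and wp_demo are hypothetical names; assumes sha256sum.

# wp_manifest DIR: print "<sha256>  ./relative/path" for every file under DIR.
wp_manifest() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k 2 )
}

# wp_changes BASELINE CURRENT: compare two manifests, print one line per change.
wp_changes() {
    awk -v basefile="$1" '
        # A manifest line is 64 hex digits, two spaces, then the path (column 67).
        BEGIN { while ((getline l < basefile) > 0)
                    base[substr(l, 67)] = substr(l, 1, 64) }
        { hash = substr($0, 1, 64); path = substr($0, 67); seen[path] = 1
          if (!(path in base))         print "ADDED " path
          else if (base[path] != hash) print "MODIFIED " path }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$2" | LC_ALL=C sort
}

# wp_demo: run both steps against a small constructed tree (not a real site).
wp_demo() {
    site=$(mktemp -d) && base=$(mktemp) && now=$(mktemp) || return 1
    mkdir -p "$site/wp-content/uploads"
    echo '<?php // loader'   > "$site/index.php"
    echo '<?php // settings' > "$site/wp-config.php"
    echo 'readme'            > "$site/readme.html"
    wp_manifest "$site" > "$base"     # baseline, taken while the site is known good

    echo '// edited' >> "$site/index.php"                        # existing file changed
    echo '<?php // new' > "$site/wp-content/uploads/x.php"       # PHP file appears in uploads
    rm "$site/readme.html"                                       # file deleted
    wp_manifest "$site" > "$now"

    wp_changes "$base" "$now"
    rm -rf "$site" "$base" "$now"
}

if [ "${1:-}" = "--demo" ]; then wp_demo; fi
```

Keep the baseline manifest somewhere other than the web server, and regenerate it after each legitimate update.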
Question Time!