secure wordpress - 2016[17may - mashhad]

Secure Wordpress… Tips and tricks

Upload: hamid-fadaei

Post on 16-Apr-2017


TRANSCRIPT

Page 1: Secure Wordpress - 2016[17May - Mashhad]

Secure Wordpress…Tips and tricks

Page 2:

HaMiD Fadaei

Digital Marketing Officer – SEM/SEO Specialist

Telegram : HFadaei

Linkedin : HaMiDFadaei

Twitter : HaMiDFadaei

Web : www.HFadaei.ir

Page 3:

Amazing news

Page 4:

0.7.0 - 2003

CMS

PHP – Linux

Matt Mullenweg - 19

1382

Automattic

173

1200 - 120

Page 5:

Is Wordpress Secure? YES or NO

Page 6:

Page 7:

WORDPRESS

HOSTING

USER

Page 8:

▸ Wordpress Themes (29%)

▸ WordPress Plugins (22%)

▸ WordPress Core

CAUSES:

▸ WP Core, themes, plugins out-of-date

▸ Poorly-written (or maliciously-written) themes or plugins

▸ Popularity of theme or plugin

WORDPRESS VULNERABILITIES 51%

themecheck.org

Virustotal.com

Anti-malware … Antivirus

Exploit Scanner

Page 9:

▸ SQL injections

▸ Poor server security

▸ Lack of understanding of WordPress

CHECK FOR:

▸ Recent versions of PHP and MySQL

▸ Malware scanning and other security tools present

▸ Account isolation

▸ WordPress experience

HOSTING VULNERABILITIES 41%

sitecheck.sucuri.net

Page 10:

▸ Bad habits

▸ Minimal default password requirements

COMMON PROBLEMS:

▸ The “admin” username

▸ The crummy passwords (12345)

▸ User access levels

USER VULNERABILITIES 8%

Passwordsgenerator.net

User Role Editor

Page 11:

Username Changer

Two-factor Authentication

Integrating a CAPTCHA with the WordPress Login Form

Brute Force Login Protection

Automatic Update

Top usernames being attacked:

admin, Admin, administrator, test, root

Top passwords being tried:

password, 12345678, 123admin, 123abc,

qwerty
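As an added example (not part of the slides), a shell function that pulls the login floods this slide describes out of a web-server access log, so you can see who is trying those usernames and passwords before deciding on brute-force protection. The log lines are constructed and the function name `wp_login_flood` is my own.

```shell
#!/bin/sh
# Added example (not from the slides): find the clients hammering the
# login endpoints in a web-server access log. WordPress answers a failed
# wp-login.php POST with 200 (it re-renders the form) and a successful one
# with a 302 redirect, so counting 200s on POST isolates the failures.
# xmlrpc.php is counted too, because it also accepts password attempts.

# Constructed sample in combined log format; addresses are documentation
# ranges (RFC 5737), not real hosts.
SAMPLE_LOG='203.0.113.5 - - [17/May/2016:10:00:01 +0430] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47.0"
203.0.113.5 - - [17/May/2016:10:00:02 +0430] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47.0"
203.0.113.5 - - [17/May/2016:10:00:03 +0430] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47.0"
203.0.113.5 - - [17/May/2016:10:00:04 +0430] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "curl/7.47.0"
198.51.100.9 - - [17/May/2016:10:01:00 +0430] "GET /wp-login.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
198.51.100.9 - - [17/May/2016:10:01:05 +0430] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.77 - - [17/May/2016:10:02:00 +0430] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.9.1"
192.0.2.77 - - [17/May/2016:10:02:01 +0430] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.9.1"
192.0.2.77 - - [17/May/2016:10:02:02 +0430] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "python-requests/2.9.1"'

# wp_login_flood LOGFILE MIN: print "count ip" for each client with at
# least MIN failed password attempts, busiest first.
wp_login_flood() {
  awk -v min="$2" '
    # Combined format: $1 client, $6 "METHOD, $7 path, $9 status
    $6 == "\"POST" && $9 == "200" &&
    ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) { n[$1]++ }
    END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
  ' "$1" | sort -rn
}

# Stand-alone run against the constructed sample.
LOG=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOG"
wp_login_flood "$LOG" 3
```

The access log never shows which username was tried (it is in the POST body), so pair this with the login-failure hooks of whichever protection plugin you pick.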

Page 12:

▸ Pick a solid hosting company

▸ Evaluate your themes and plugins carefully

▸ Go with those that have been vetted by WordPress

▸ Choose only those that are actively developed and/or supported

▸ Only install what you NEED

▸ Be thoughtful about who/how many should get admin-level access

START SMART

Page 13:

▸ Backup all the things

▸ Your site (or sites with multisite)

▸ Your settings (what themes and plugins you’re using)

▸ Your files

▸ Your database

▸ Aim to save at least 6 months back

BACKUPS

VaultPress

BackupBuddy

WP-DB-Backup

Page 14:

▸ WordPress can be set to do updates automatically

▸ Added after version 3.7

▸ Can be set for core, theme, plugin, and translation updates

▸ Configure auto updates with wp-config (More)

UPDATES

Page 15:

▸ Routine review of environments every 6-12 months:

▸ Themes and plugins not in use

▸ Anything that hasn’t been updated in the last 18-24 months (or more!)

▸ Sites (in a multisite environment) that are no longer active

▸ Checking your backups

▸ Reviewing the configuration of security plugins

MAINTENANCE

Page 16:

▸ Malware scanners

▸ htaccess limitations

▸ File permissions

▸ Security Plugins: iThemes Security, Sucuri ($), Wordfence

▸ Scanning tools: AntiVirus, WP Antivirus Site Protection

▸ Logging and tracking tools: CodeGuard ($), WP_DEBUG_LOG in wp-config

▸ Theme and plugin evaluators: Theme-Check, Plugin-Check

Other Actions
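An added example, not from the slides, of the file-permission and .htaccess hardening these bullets refer to. It assumes a Linux host running Apache 2.4 with AllowOverride enabled for the site (nginx needs an equivalent location block instead), and the function names are mine.

```shell
#!/bin/sh
# Added example (not from the slides): tighten a WordPress tree's file
# permissions and stop PHP from executing inside wp-content/uploads.
# Assumes a Linux host running Apache 2.4 with AllowOverride enabled.

harden_wp_tree() {
  root="$1"
  # Uploads is the one tree the web server must write to, which makes it
  # the usual drop point for web shells; serve media from it, never scripts.
  mkdir -p "$root/wp-content/uploads"
  cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
# media only: refuse to serve anything PHP-like from this directory
<FilesMatch "\.(php|phtml|php[3-7]|phps|phar)$">
    Require all denied
</FilesMatch>
EOF
  # Directories: owner writes, everyone else may only traverse and list.
  find "$root" -type d -exec chmod 755 {} +
  # Files: readable by all, writable only by the owner, executable by nobody
  # (PHP is run by the interpreter, so it never needs the x bit).
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds the database password and the salts: owner only.
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# mode_of PATH: the symbolic mode string, e.g. -rw-r--r-- or drwxr-xr-x
mode_of() {
  ls -ld "$1" | cut -c1-10
}

# Stand-alone run on a constructed throw-away tree (not a real site).
WP=$(mktemp -d)
mkdir -p "$WP/wp-includes" "$WP/wp-content/uploads/2016/05"
printf '<?php\n' > "$WP/wp-config.php"
printf '<?php\n' > "$WP/wp-includes/load.php"
printf '<?php\n' > "$WP/wp-content/uploads/2016/05/suspect.php"
chmod 777 "$WP/wp-content/uploads/2016/05/suspect.php"   # the kind of mess a scanner flags
harden_wp_tree "$WP"
mode_of "$WP/wp-config.php"
mode_of "$WP/wp-content/uploads/2016/05/suspect.php"
```

Permissions only limit the damage; a stray PHP file in uploads should still be treated as a finding and removed, which is what the scanners on this slide are for.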

Page 17:

▸ Not updating

▸ Not cleaning out old themes and plugins

▸ Using popular plugins because they’re popular

▸ Using “admin” accounts

▸ Weak passwords

▸ Bad hosting

AVOID COMMON MISTAKES

Page 18:

Page 19:

1. Stay calm.

2. Get your site back.

3. Clean up the hack.

4. Identify the source of the hack.

AFTER THE HACK…

Page 20:

Page 21:

Get your site back.

▸ Try a password reset or database edit

▸ Take a backup of what’s there - files, database, uploads - for later

▸ Remove unknown users and reset all passwords

▸ Change your keys and salts in wp-config

▸ Restore to a known good version of the site (if you have one)
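An added example (not from the slides) of the "change your keys and salts" step done offline on the server; the function names and the sample wp-config.php are constructed, and it assumes the standard define('KEY', 'value'); layout.

```shell
#!/bin/sh
# Added example (not from the slides): rotate the eight keys and salts in
# wp-config.php without calling out to api.wordpress.org. New values
# invalidate every existing login cookie and nonce, so sessions an attacker
# may have captured stop working. Assumes a POSIX shell and /dev/urandom.

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# 64 random characters from [A-Za-z0-9]: safe inside PHP single quotes
# and free of the | used as the sed delimiter below.
new_salt() {
  LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c 64
}

# rotate_wp_salts CONFIG: replace each key's value with a fresh salt.
rotate_wp_salts() {
  cfg="$1"
  script="$cfg.sed.$$"
  tmp="$cfg.new.$$"
  : > "$script"
  for key in $WP_SALT_KEYS; do
    printf "s|define( *['\"]%s['\"], *'[^']*' *);|define('%s', '%s');|\n" \
      "$key" "$key" "$(new_salt)" >> "$script"
  done
  # Write through cat so the file keeps its owner and mode (e.g. 600).
  sed -f "$script" "$cfg" > "$tmp" && cat "$tmp" > "$cfg"
  rm -f "$script" "$tmp"
}

# wp_salt_value CONFIG KEY: print the value currently defined for KEY.
wp_salt_value() {
  sed -n "s|.*define( *['\"]$2['\"], *'\([^']*\)' *);.*|\1|p" "$1"
}

# Stand-alone run on a constructed wp-config.php with the stock placeholders.
CFG=$(mktemp)
cat > "$CFG" <<'EOF'
<?php
define('DB_NAME', 'wp');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
EOF
rotate_wp_salts "$CFG"
```

Run it after the unknown users are gone and passwords are reset, since rotating the salts logs everyone out, including you.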

Page 22:

Clean up the hack.

▸ Review your files and database for suspicious elements

▸ When in doubt, reinstall.

▸ New directory, WP install, reinstall all themes and plugins

▸ User accounts with new passwords

▸ Import the content from a clean backup

▸ Check your hosting for other potential damage

Page 23:

Other Actions

▸ Use version control to compare file changes

▸ Get help from your hosting

▸ Check logs

▸ Scan your hosting environment for malware

▸ Scan your personal machine(s) for viruses and malware

▸ Change your passwords again, including hosting account passwords.

▸ Start over and review all elements for potential security weaknesses

▸ Scan the new site

Page 24:

https://blog.sucuri.net/

https://codex.wordpress.org/configuring_automatic_background_updates

https://codex.wordpress.org/faq_my_site_was_hacked

https://premium.wpmudev.org/blog/keeping-wordpress-secure-the-ultimate-guide/

http://z9.io/2008/06/08/did-your-wordpress-site-get-hacked/

http://www.cleanpagedesign.co.uk/is-your-wordpress-website-safe-from-hackers/

https://wpsmackdown.com/wordpress-security-user-accounts-passwords/

http://smackdown.blogsblogsblogs.com/2008/06/24/how-to-completely-clean-your-hacked-wordpress-installation/

https://howfreelance.com/blog/2016/02/prevent-wordpress-hacking

https://premium.wpmudev.org/blog/get-off-googles-blacklist/

RESOURCES

Page 25:

HaMiD Fadaei

Telegram : HFadaei

Linkedin : HaMiDFadaei

Twitter : HaMiDFadaei

Web : www.HFadaei.ir