Secure WordPress
WordPress security
What are we going to talk about?
● Why WordPress security?
● How to secure a WordPress site?
Why WordPress security?
Traditional development process
Design, then Usability, then Security (security comes last)
Result
● Website being hacked
● Loss of data
● Loss of money
If you think security is expensive, try getting hacked.
Today's development strategy
Security, then Usability, then Design (security comes first)
Is WordPress vulnerable?
● Obviously yes.
● 73% of WordPress websites are vulnerable to attack.
No system is safe
Keep this in mind
We cannot guarantee that we will never be hacked, but we can raise the cost and difficulty for an attacker to the point where most give up.
So what to do?
How to secure a WordPress site
● Don't use "admin", or an account whose username is simply your own name, as the administrator login.
Why? If the attacker already knows the username, half the battle is won; only the password is left to guess.
● Solution:
Create a new account with a unique username,
assign it the administrator role,
log out and log in with the new account,
delete the old admin account (WordPress asks which user should inherit its posts; choose the new account so nothing is lost).
● Move wp-config.php
Since WordPress 2.6 you can move wp-config.php one directory above the WordPress root; WordPress looks for it there automatically (as long as that parent directory does not also contain a wp-settings.php, which would mark it as a separate install).
● Suppose your wp-config.php is located at
html/wordpress/wp-config.php
● Move it to
html/wp-config.php
Keep the .php extension: a file named wp-config without it that the web server can still reach would be sent to the browser as plain text, database credentials included.
This keeps the file out of reach of anyone browsing the site, but only if the parent directory is outside the web root. If html/ is the document root, html/wp-config.php is still reachable over HTTP; it is merely executed instead of served. Put it one level above the document root and it cannot be fetched at all.
● Use a strong password.
At 1,000,000,000 guesses per second, exhausting every 8-character password drawn from a 96-character alphabet (96^8, about 7.2 x 10^15 candidates) takes 83.5 days. [At normal speed]
What if the password is 12 characters? 96^12 is about 6.1 x 10^23, so the same attacker needs roughly 19 million years. Or 20 characters?
A long random password defeats brute force; one that is not a dictionary word defeats dictionary attacks.
● Use secret keys
The secret keys are random salts that WordPress mixes into the hashes protecting login cookies and nonces (stored password hashes have their own salt). Unique values make forging those cookies much harder than with the default placeholders. Changing the keys invalidates every existing login cookie, which is also a quick way to log all users out after an incident.
● Edit wp-config.php
Visit this URL to get a fresh set of keys:
https://api.wordpress.org/secret-key/1.1/salt/
(The /salt/ variant returns all eight define() lines, the four keys and the four salts, that the wp-config-sample.php block expects; the bare /secret-key/1.1 URL returns only the four keys.)
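If you would rather not fetch secrets from a third party, you can generate the same eight lines locally. The script below is an added example, not code from the original slides; it assumes only a POSIX shell with /dev/urandom, and the character set and 64-character length are my choices (WordPress only requires the values to be long and unpredictable).

```shell
#!/bin/sh
# Added example, not from the original slides: generate the eight WordPress
# secret keys/salts locally instead of fetching them from api.wordpress.org.
# Assumes /dev/urandom is available (any Linux/BSD/macOS host).

# One 64-character random value drawn from a set that is safe inside a
# PHP single-quoted string (no quotes, no backslashes).
gen_salt() {
    LC_ALL=C tr -dc 'A-Za-z0-9!@#$%^&*_=+' < /dev/urandom | head -c 64
}

# Print the define() lines in the form wp-config.php expects, in the same
# order as wp-config-sample.php.
wp_salts() {
    for name in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        printf "define('%s', '%s');\n" "$name" "$(gen_salt)"
    done
}

# Print a fresh set when run directly; paste the output over the old block
# in wp-config.php. Every existing login cookie becomes invalid afterwards.
wp_salts
```

Run it once per site and never reuse a set between sites; if a set leaks, regenerate it and every session on that site is forced to log in again.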
Update everything
Keep WordPress core, themes and plugins up to date; a published vulnerability in an unpatched component is the easiest way in.
Modify file permissions
Folders 755 | Files 644 | .htaccess 444 | wp-config.php 444
This assumes the files are owned by the account PHP runs as, or that the web server only ever needs to read them. Uploads and automatic updates need a directory the web server can write to; if they stop working after the change, that is why.
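Applying that scheme by hand across thousands of files is error-prone, so here is a script that enforces it and a companion that audits a host without changing anything. It is an added example, not code from the slides; the function names are mine, and it assumes the caller owns the files (chmod on files you do not own will fail and stop the run).

```shell
#!/bin/sh
# Added example, not from the original slides: apply the permission scheme
# above (folders 755, files 644, .htaccess and wp-config.php 444) to a
# WordPress install. Assumes the files are owned by the account PHP runs as;
# otherwise uploads and automatic updates will break with these modes.

harden_wp_perms() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # Lock the two files an attacker most wants to write to.
    [ -f "$root/.htaccess" ] && chmod 444 "$root/.htaccess"
    [ -f "$root/wp-config.php" ] && chmod 444 "$root/wp-config.php"
    # A wp-config.php moved one level up (see above) is covered too.
    [ -f "$root/../wp-config.php" ] && chmod 444 "$root/../wp-config.php"
    return 0
}

# Audit only: print the number of files or directories that deviate from
# the scheme. Zero means the install matches.
audit_wp_perms() {
    root="$1"
    {
        find "$root" -type d ! -perm 755
        find "$root" -type f ! -perm 644 ! -name .htaccess ! -name wp-config.php
        find "$root" \( -name .htaccess -o -name wp-config.php \) ! -perm 444
    } | wc -l | tr -d ' '
}

# Usage:
#   audit_wp_perms /var/www/html      # how many offenders?
#   harden_wp_perms /var/www/html     # fix them
```

Run the audit first and look at what it lists; a writable wp-content/uploads that the web server legitimately needs is the usual false positive, and the fix there is ownership, not world-writable bits.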
Control login attempts
Limit login attempts, for example to 60 requests per minute, on wp-login.php and on xmlrpc.php, which also accepts credentials.
Don't let them try forever.
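Whether or not a plugin enforces the limit, it pays to be able to spot a burst in the web server log after the fact. The script below is an added example, not from the slides: it counts POSTs to the two credential endpoints per source address per minute from a combined-format access log and reports anything over a threshold. The log lines it feeds itself are constructed for the demo, and the 60-per-minute default is the figure from the slide.

```shell
#!/bin/sh
# Added example, not from the original slides: find source addresses that
# hit the login endpoints faster than a per-minute threshold, from an
# Apache/nginx combined-format access log.

# Usage: wp_login_bursts <logfile> [threshold]  -> prints "ip minute count"
wp_login_bursts() {
    log="$1"; limit="${2:-60}"
    awk -v limit="$limit" '
        # $1 = client IP, $4 = "[10/Oct/2023:13:55:01", $6 = "\"POST", $7 = path
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            minute = substr($4, 2, 17)        # 10/Oct/2023:13:55
            n[$1 " " minute]++
        }
        END {
            for (k in n) if (n[k] > limit) print k, n[k]
        }' "$log"
}

# Constructed sample log (not real traffic): 203.0.113.7 sends 8 POSTs
# within one minute, 198.51.100.2 sends one to each endpoint in different
# minutes, and a GET of the login page is not counted at all.
write_sample_log() {
    out="$1"
    : > "$out"
    i=0
    while [ "$i" -lt 8 ]; do
        printf '203.0.113.7 - - [10/Oct/2023:13:55:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 2543 "-" "Mozilla/5.0"\n' "$i" >> "$out"
        i=$((i + 1))
    done
    printf '198.51.100.2 - - [10/Oct/2023:13:55:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n' >> "$out"
    printf '198.51.100.2 - - [10/Oct/2023:13:56:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "curl/8.0"\n' >> "$out"
    printf '192.0.2.9 - - [10/Oct/2023:13:55:40 +0000] "GET /wp-login.php HTTP/1.1" 200 2543 "-" "Mozilla/5.0"\n' >> "$out"
}

# Demo run against the constructed log with a deliberately low threshold.
tmp=$(mktemp)
write_sample_log "$tmp"
wp_login_bursts "$tmp" 5
rm -f "$tmp"
```

Against a real log you would call `wp_login_bursts /var/log/apache2/access.log 60` and feed the addresses it prints to your firewall or fail2ban jail. Note that a single POST to xmlrpc.php can carry many login attempts via system.multicall, so that endpoint deserves a lower threshold than wp-login.php.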
Avoid nulled themes and plugins
Nulled (pirated) copies are a common carrier for injected backdoors. Download themes and plugins only after researching the author, the company, the download and review history, and so on.
Protect wp-admin
Password-protect the wp-admin directory with .htaccess and .htpasswd (HTTP Basic authentication), keeping the .htpasswd file outside the web root.
http://www.wpbeginner.com/wp-tutorials/how-to-password-protect-your-wordpress-admin-wp-admin-directory/
admin-ajax.php lives inside wp-admin but is called by the public front end, so it must be exempted or themes and plugins that rely on it will break for visitors.
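The following script writes that .htaccess/.htpasswd pair, with the admin-ajax.php exemption and the password file placed one level above the site. It is an added example, not code from the slides or from the linked tutorial; it assumes Apache 2.4 (Require syntax) with AllowOverride enabled for the directory, and uses openssl to produce the same apr1 hash format that the htpasswd tool does.

```shell
#!/bin/sh
# Added example, not from the original slides: put HTTP Basic auth in front
# of wp-admin. Assumes Apache 2.4 with AllowOverride AuthConfig (or All) for
# the site, and openssl for the password hash.

# One htpasswd line, "user:$apr1$salt$hash", in the format Apache accepts.
htpasswd_line() {
    printf '%s:%s\n' "$1" "$(openssl passwd -apr1 "$2")"
}

# Write <site>/wp-admin/.htaccess and the password file one level above
# the site directory, so the web server can never serve it.
protect_wp_admin() {
    site="$1"; user="$2"; pass="$3"
    passfile="$(cd "$site/.." && pwd)/.htpasswd"
    htpasswd_line "$user" "$pass" > "$passfile"
    chmod 640 "$passfile"
    mkdir -p "$site/wp-admin"
    cat > "$site/wp-admin/.htaccess" <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $passfile
Require valid-user

# admin-ajax.php is called by the public front end (themes, plugins,
# logged-out visitors); leave it reachable or those features break.
<Files admin-ajax.php>
    Require all granted
</Files>
EOF
}

# Usage (the names are placeholders):
#   protect_wp_admin /var/www/html/wordpress alice 'a long passphrase'
```

The .htpasswd must be readable by the web server user, which is what the 640 mode plus the right group gets you; do not make it world-readable. Basic auth also sends the password on every request, so this only adds protection when the site is served over HTTPS.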
Disable dashboard file editing
define('DISALLOW_FILE_EDIT', true);
Add this line to wp-config.php. It removes the theme and plugin editors from the dashboard, so a hijacked administrator session cannot write PHP to the server from the browser.
Change the login URL
You may not be able to make the site unhackable, but you can make it a nightmare for an attacker.
OR
● Use plugins.
● Various trusted plugins are available.
● Wordfence, Lockdown WP, Acunetix WP Security, WP Security Scan, Rename wp-login.php, Block Bad Queries, malware scanners, Google Authenticator [provides two-factor authentication], Akismet, and many more.
Find me on
Facebook: pgaijin66
Twitter: pgaijin66
LinkedIn: pgaijin66
Thank you