Simple Ways to Secure and Maintain Your WordPress Website
Rich Plakas, Connected Systems
@RichP on Twitter, [email protected]
A Little Bit About Me
★ IT background going back to the days of DOS & Novell.
★ Began “messing” with WordPress in 2007.
★ Switched focus from IT to WordPress in 2011-ish.
★ I was tired of doing Windoze Updates & changing printer toners.
★ Joined the Austin WordPress Meetup Group in 2012.
★ I love BBQ & Craft Beer.
★ I run www.CraftBeerAustin.com
“Why Would Someone Hack My Site?”
Sites get hacked both for fun and for profit.
The majority of hacks are automated and target vulnerabilities rather than your site specifically.
Types of Hackers:
Script Kiddies: generally known as unskilled individuals who use scripts or programs developed by others to attack computer systems and networks and deface websites.
Botnets: a collection of Internet-connected programs communicating with other similar programs in order to perform tasks... often used to send spam email or participate in distributed denial-of-service (DDoS) attacks.
Botnets are used for profit (holding sites hostage) or for political reasons.
How Often are Web Sites Hacked?
In 2013, Forbes ran an article stating that Sophos had identified 30,000 web sites being hacked every day!
http://www.forbes.com/sites/jameslyne/2013/09/06/30000-web-sites-hacked-a-day-how-do-you-host-yours/
In December 2014, over 100,000 WordPress sites were hacked due to a security vulnerability in the Slider Revolution plugin.
http://wptavern.com/100000-wordpress-sites-compromised-using-the-slider-revolution-security-vulnerability
Denial of Service (DoS) Attacks
From Wikipedia:
In computing, a denial-of-service (DoS) or distributed denial-of-service (DDoS) attack is an attempt to make a machine or network resource unavailable to its intended users.
A DoS attack generally consists of efforts to temporarily or indefinitely interrupt or suspend services of a host connected to the Internet.
As clarification, distributed denial-of-service attacks are sent by two or more people, or bots, and denial-of-service attacks are sent by one person or system. As of 2014, the frequency of recognized DDoS attacks had reached an average rate of 28 per hour.
Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root nameservers.
Image credit: "Stachledraht DDos Attack" by Everaldo Coelho and YellowIcon. All Crystal icons were posted by the author as LGPL on kde-look. Licensed under LGPL via Wikimedia Commons: http://commons.wikimedia.org/wiki/File:Stachledraht_DDos_Attack.svg#mediaviewer/File:Stachledraht_DDos_Attack.svg
How do WordPress Sites Get Hacked?
● Outdated version of WordPress.
● Old versions of themes with security vulnerabilities.
● Old versions of plugins with security vulnerabilities.
● Use of easy-to-crack passwords: “password” “123456” “qwerty” “11111” “iloveyou” “admin”
First, it’s important to understand that your WordPress website is a collection of programs (or apps).
Just like your computer, you need to update it regularly, mainly to get security vulnerabilities patched.
Watch Out for:
Backup - Backup - Backup!
Back up regularly!
Back up your database, uploads and custom code.
Do a full backup at least weekly.
Do a full backup daily if you change your site frequently (such as an ecommerce site).
Backup Plugins/Services:
VaultPress: https://vaultpress.com/
iThemes BackupBuddy: https://ithemes.com/purchase/backupbuddy/
UpdraftPlus: https://wordpress.org/plugins/updraftplus/
Best Practices on Securing WordPress
➔ Users & Passwords
➔ Timely WordPress Core, Theme & Plugin Upgrades
➔ Detect and Recover — Site Statistics
➔ Recover from Disaster — Backups
“Trust No One” - Users & Passwords
★ Never ever use the WordPress user “Admin” with administrator rights.
★ Create new administrator accounts when working with developers and designers.
★ Delete old accounts not in use.
“Trust No One” - Passwords
★ Use strong passwords with CAPITALS, numbers and symbols: MyDogF1D08!T#
★ Use a password manager to generate random passwords: LastPass & 1Password
★ Use two-factor authentication.
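As an added example (not from the talk, and not code from any of the tools it names), the two slides above as a POSIX shell script: a password check that enforces the length and character classes the slide calls for and rejects anything built on the list-topping passwords from the "How do WordPress Sites Get Hacked?" slide, plus an administrator audit that flags the "admin" login. The audit assumes WP-CLI (https://wp-cli.org) is installed; the site path, the developer login and the e-mail address are placeholders.

```shell
#!/bin/sh
# Added example, not from the talk. Password-class check plus an administrator
# audit with WP-CLI (https://wp-cli.org). Paths, logins and the e-mail address
# are placeholders.

# password_ok PASSWORD -> exit 0 only if the password is at least 12 characters,
# mixes upper case, lower case, digits and symbols (the slide's "CAPITALS,
# numbers and symbols"), and is not built on one of the list-topping passwords
# ("password", "123456", "qwerty", "11111", "iloveyou").
password_ok() {
  pw="$1"
  [ "${#pw}" -ge 12 ] || return 1
  case "$pw" in *[[:upper:]]*) ;; *) return 1 ;; esac
  case "$pw" in *[[:lower:]]*) ;; *) return 1 ;; esac
  case "$pw" in *[[:digit:]]*) ;; *) return 1 ;; esac
  case "$pw" in *[![:alnum:]]*) ;; *) return 1 ;; esac
  lower=$(printf '%s' "$pw" | tr '[:upper:]' '[:lower:]')
  case "$lower" in
    *password*|*123456*|*qwerty*|*11111*|*iloveyou*) return 1 ;;
  esac
  return 0
}

# flag_risky_logins -> reads one login per line on stdin and prints the ones
# that must not hold administrator rights: "admin" (the default the slide
# warns about) and its obvious variant.
flag_risky_logins() {
  while IFS= read -r login; do
    case "$(printf '%s' "$login" | tr '[:upper:]' '[:lower:]')" in
      admin|administrator) printf '%s\n' "$login" ;;
    esac
  done
}

# audit_admins WP_ROOT -> lists administrator logins via WP-CLI and flags the
# risky ones. Only runs when you call it; needs WP-CLI on the host.
audit_admins() {
  wp --path="$1" user list --role=administrator --field=user_login | flag_risky_logins
}

# Give a developer or designer their own administrator account for the job and
# delete it afterwards, reassigning their content to your own user (the user
# ID 1 below is a placeholder):
#   wp --path=/var/www/html user create devjane dev@example.com \
#        --role=administrator --user_pass="$(openssl rand -base64 18)"
#   wp --path=/var/www/html user delete devjane --reassign=1
```

The check is deliberately strict about reusing the common passwords as a base ("Password123456!" is rejected even though it has every character class), because that is exactly what the automated attacks on the earlier slide try first; the password manager the slide recommends sidesteps the whole problem by generating random ones.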
Keep WordPress Up to Date!
❏ Keep WordPress Core Version up to date.
❏ Use Only Vetted & Trusted Plugins.
❏ Keep Plugins Up to Date.
❏ Keep Themes Up to Date.
❏ Don’t Rush to Update*.
*Some plugin updates you don’t want to rush into (for example your ecommerce plugin).
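An added example of the update checklist as a routine (not from the talk): it uses WP-CLI (https://wp-cli.org) to record installed plugin versions, update core and themes, and update every plugin except the ones on a hold list, which is how the "don't rush" footnote for the ecommerce plugin is expressed. The site path and the hold list are placeholders; take a backup (next slides) before running it.

```shell
#!/bin/sh
# Added example, not from the talk. Routine update with WP-CLI
# (https://wp-cli.org) that records installed versions first and holds back
# plugins you want to update by hand after testing. WP_ROOT and the hold
# list are placeholders.

# plugins_to_update "HOLD LIST" -> reads plugin slugs on stdin (one per line,
# as `wp plugin list --update=available --field=name` prints them) and echoes
# the ones to update now; held-back plugins are reported on stderr instead.
plugins_to_update() {
  hold=" $1 "
  while IFS= read -r slug; do
    [ -n "$slug" ] || continue
    case "$hold" in
      *" $slug "*) printf 'holding back %s: update it by hand after testing on staging\n' "$slug" >&2 ;;
      *) printf '%s\n' "$slug" ;;
    esac
  done
}

# update_site WP_ROOT "HOLD LIST" -> run after a fresh backup.
update_site() {
  root="$1"; hold="$2"
  # 1. Record what is installed, so a plugin that breaks the site can be put
  #    back with `wp plugin install <slug> --version=<old> --force`.
  wp --path="$root" plugin list --fields=name,version --format=csv > "versions-$(date +%Y%m%d).csv"
  # 2. Core first (and its database schema), then themes.
  wp --path="$root" core update
  wp --path="$root" core update-db
  wp --path="$root" theme update --all
  # 3. Plugins with an available update, minus the hold list.
  wp --path="$root" plugin list --update=available --field=name \
    | plugins_to_update "$hold" \
    | while IFS= read -r slug; do wp --path="$root" plugin update "$slug"; done
  # 4. Confirm the core files match the release checksums; this also catches
  #    core files that were modified by something other than an update.
  wp --path="$root" core verify-checksums
}

# Placeholder call: update_site /var/www/html "woocommerce"
```

Run it on a staging copy first; the held-back plugins are then updated by hand once the store has been exercised there, which is the "test or development WordPress" the recovery slide mentions put to a second use.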
Protect with Plugins & Online Tools
Strengthen WordPress Security
iThemes Security: https://ithemes.com/security/
BruteProtect: https://wordpress.org/plugins/bruteprotect/
Scan & Monitor Your Site
Sucuri: https://sucuri.net/
Cloudflare: https://www.cloudflare.com/features-security
Google Webmaster Tools: https://www.google.com/webmasters/tools/
VirusTotal: https://www.virustotal.com/
Monitor your site for anomalies & spikes using Google Analytics.
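The "anomalies & spikes" worth watching for also show up in the web server's own access log, and the most common one on a WordPress site is a client hammering the login endpoints. As an added example (not from the talk, and not part of any tool it lists), a POSIX shell function that counts failed login POSTs per client in an Apache/nginx combined-format log. The log lines are constructed samples using documentation address ranges; the threshold is a placeholder you tune to your traffic.

```shell
#!/bin/sh
# Added example, not from the talk: find clients hammering the WordPress login
# endpoints in a combined-format access log. The lines below are constructed
# samples; 203.0.113.7 and 192.0.2.9 are the noisy clients, 198.51.100.20 is
# a normal visitor who logged in once.
SAMPLE_LOG='203.0.113.7 - - [10/Mar/2015:08:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2015:08:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2015:08:01:00 +0000] "GET /2015/03/new-brewery/ HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.20 - - [10/Mar/2015:08:02:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2015:08:03:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.5"
192.0.2.9 - - [10/Mar/2015:08:03:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.5"
192.0.2.9 - - [10/Mar/2015:08:03:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.5"
192.0.2.9 - - [10/Mar/2015:08:03:03 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.5"
192.0.2.9 - - [10/Mar/2015:08:03:04 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.5"
192.0.2.9 - - [10/Mar/2015:08:03:05 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.5"
192.0.2.9 - - [10/Mar/2015:08:03:06 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.5"'

# login_spikes LIMIT -> reads log lines on stdin and prints "ip count" for each
# client with more than LIMIT POSTs to wp-login.php or xmlrpc.php that got a
# 200 back, highest count first. A failed wp-login.php attempt re-renders the
# form with 200 while a successful one redirects with 302, so the 200s are the
# failures worth counting; xmlrpc.php answers 200 either way, so every POST
# burst there is counted.
login_spikes() {
  awk -v limit="$1" '
    $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ && $9 == 200 { hits[$1]++ }
    END { for (ip in hits) if (hits[ip] > limit) printf "%s %d\n", ip, hits[ip] }
  ' | sort -k2,2nr -k1,1
}

# Placeholder usage on a real log: login_spikes 20 < /var/log/apache2/access.log
printf '%s\n' "$SAMPLE_LOG" | login_spikes 5
```

On the sample this reports `192.0.2.9 7` and `203.0.113.7 6` and says nothing about the visitor who logged in once. The addresses it prints are what you would hand to the blocking tools on this slide (BruteProtect, Cloudflare) or to your host's firewall; running it from cron against the last hour of the log is the cheapest form of the monitoring the slide asks for.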
How to Recover from Disaster
➢ You’ve been backing up, right?
➢ Do you know how to access your backups?
➢ Do you know your recovery procedure?
➢ Do a test recovery on a test or development WordPress.
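The backup slide (database, uploads, custom code; weekly, or daily for an ecommerce site) and this recovery slide are two halves of one procedure, so here is one added example covering both: a plain mysqldump + tar backup with the talk's schedule and a restore into a separate test install. It is not from the talk and is not any of the backup plugins it lists. It reads the database credentials out of wp-config.php; the site root, backup directory, test root and site type are placeholders, and the wp-config.php fragment at the end is a constructed sample used only to exercise the parser.

```shell
#!/bin/sh
# Added example, not from the talk and not any of the plugins it lists: a plain
# mysqldump + tar backup on the slide's schedule (daily for busy sites such as
# an ecommerce store, weekly otherwise) and a restore into a separate test
# copy, which is the "test recovery" the recovery slide asks for.
# WP_ROOT, BACKUP_DIR, TEST_ROOT and the site type are placeholders.

# backup_interval_days SITE_TYPE -> 1 for sites that change often, else 7.
backup_interval_days() {
  case "$1" in ecommerce|busy) echo 1 ;; *) echo 7 ;; esac
}

# backup_due AGE_SECONDS SITE_TYPE -> true when the newest backup is older
# than the policy allows (call it from cron with the age of the latest archive).
backup_due() {
  [ "$1" -ge $(( $(backup_interval_days "$2") * 86400 )) ]
}

# wp_config_value WP_CONFIG NAME -> the value of define('NAME', '...') in
# wp-config.php, read with sed so that no PHP runs.
wp_config_value() {
  sed -n "s/^[[:space:]]*define([[:space:]]*'$2'[[:space:]]*,[[:space:]]*'\([^']*\)'[[:space:]]*).*/\1/p" "$1"
}

# mysql_defaults_file WP_CONFIG -> writes a mode-600 MySQL option file with the
# site's credentials and prints its path. The password never goes on a command
# line, where `ps` would show it to every local user. The caller deletes it.
mysql_defaults_file() {
  f=$(mktemp) && chmod 600 "$f"
  printf '[client]\nuser=%s\npassword=%s\nhost=%s\n' \
    "$(wp_config_value "$1" DB_USER)" \
    "$(wp_config_value "$1" DB_PASSWORD)" \
    "$(wp_config_value "$1" DB_HOST)" > "$f"
  echo "$f"
}

# wp_backup WP_ROOT BACKUP_DIR -> BACKUP_DIR/<timestamp>/ holding db.sql.gz,
# files.tar.gz (uploads, themes, plugins: the uploads and custom code the
# slide lists) and a copy of wp-config.php. Prints the new directory.
wp_backup() {
  root="$1"; dest="$2/$(date +%Y%m%d-%H%M%S)"
  mkdir -p "$dest"
  cfg=$(mysql_defaults_file "$root/wp-config.php")
  mysqldump --defaults-extra-file="$cfg" --single-transaction \
    "$(wp_config_value "$root/wp-config.php" DB_NAME)" | gzip > "$dest/db.sql.gz"
  rm -f "$cfg"
  tar -C "$root" -czf "$dest/files.tar.gz" wp-content/uploads wp-content/themes wp-content/plugins
  cp "$root/wp-config.php" "$dest/wp-config.php"
  chmod -R go-rwx "$dest"   # the dump holds every user's password hash
  echo "$dest"
}

# wp_restore BACKUP_PATH TEST_ROOT -> unpack a backup into a *test* install
# (its own wp-config.php, its own database), so the procedure is rehearsed
# before it is needed on the live site. Site URLs inside the dump still point
# at the live site; fix them afterwards with `wp search-replace`.
wp_restore() {
  src="$1"; root="$2"
  tar -C "$root" -xzf "$src/files.tar.gz"
  cfg=$(mysql_defaults_file "$root/wp-config.php")
  gunzip -c "$src/db.sql.gz" | mysql --defaults-extra-file="$cfg" \
    "$(wp_config_value "$root/wp-config.php" DB_NAME)"
  rm -f "$cfg"
}

# Constructed wp-config.php fragment, used only to show the parser at work.
SAMPLE_WP_CONFIG="define('DB_NAME', 'wp_demo');
define( 'DB_USER', 'wpuser' );
define('DB_PASSWORD', 's3cr3t-Pa55');
define('DB_HOST', 'localhost');"
```

Two points the functions encode: a backup that lives on the same disk as the site does not survive a disk failure or whoever broke into the site, so copy the directory `wp_backup` prints somewhere off the server; and `wp_restore` takes a test root on purpose, because the slide's question "do you know your recovery procedure?" is only answered once the restore has actually been run somewhere harmless.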
Protecting Outside of WordPress
Wi-Fi Access from Public Places like Starbucks
If you are working on your website from an unsecured Wi-Fi network, someone could grab your data & passwords. (Use a VPN service.)
Keep your computer secure and up to date so it doesn’t get infected with malware (another way your data and passwords can get stolen).
Special thanks to my friend and security expert Chris Wiegman:
http://ithemes.com/security (formerly Better WP Security)
http://www.ChrisWiegman.com
@ChrisWiegman on Twitter