Delivered at the first WordCamp in Charleston, SC, in 2014. This presentation covers some of the best practices in setting up and running your WordPress installation so that you don't get hacked or go down. And, just as important, how to make sure that you can recover if something does happen.

2. Don’t Get Hacked!
WordPress Security
Michael Carnell - @carnellm"
http://www.MichaelCarnell.com
These slides are available at
http://www.MichaelCarnell.com/presentations
or http://slideshare.net/carnellm

3. Who is Michael Carnell?
• Currently programmer at MUSC"
• Web developer since the old days (HTML, ASP)"
• WordPress user since …"
• British car devotee"
• Train and trolley enthusiast"
• Writer / Reader / General Eccentric

4. Why This Presentation?
Because I Don’t Want You!
To Ever Call Me!

5. The Type of Problems
• External “Acts of God”"
• Hard drive failure"
• Someone leaned on the keyboard"
• Collateral Damage"
• DOS (Denial of Service) attacks"
• Shared hosting site hack"
• Direct Attacks"
• Hacking the security of your site"
• Vandalism"
• Hijacking - not just the site itself"
"
In the end, our process is still …

6. Three Phase Approach
• Prevent!
• Correct setup"
• Secure and harden"
• Monitor!
• Alerts of problems or activity"
• Automated actions"
• Recover!
• Backup, backup, backup

7. Before The Setup

8. Secure Your Identity
• Your Domain Name"
• Domain Name Registrar"
• Need not be the same as your host (should not?)"
• Needs to be in YOUR name"
• Privacy? Depends on type of site and you"
• My preferred registrar these
days is Hover.com

9. Hosting - The Not So Good
• GoDaddy - common back end database that
isn’t secured well and suffers from
performance overload, poor support"
• Brinkster - has been hacked numerous times"
• FreeHostia - slow, free account is very limited,
always pushing the upsell"
• Doing it yourself –
the pros and cons …

10. Hosting - The Good Guys
• BlueHost – My current favorite"
• MediaTemple – May not be the cheapest, but
very stable and secure. Monitors scripts"
• HostGator – I have not used them personally,
but have heard good things"
• DreamHost – Used to be good, some still like
them and use them. They are on my “iffy” list.
But watch CPU usage as they will cut off
processes

11. The Basic Rules
• Do your research -
http://www.MichaelCarnell.com/hosting
• Check their own support forums"
• Is there a free trial or money back guarantee?"
• If you are a high traffic site (really), you may
need a dedicated server or upgraded hosting"
• None of this really applies to
WordPress.com

12. The Dirty Details
for WordPress

13. Install Correctly
• While installing (most will use OneClick) . . ."
• Consider your directory? Do you use the standard?
Root?"
• Consider altering the database name if your install
allows"
• Make database username and password long and
cryptic. Store them away not to be used"
• Don’t use redundant info - admin name
same as username, same as blog name, etc...

14. Double Check the Install
• File level tasks to be done via SFTP . . ."
• Delete ..wp-admininstall.php"
• In wp-config.php, add the optional security keys - http://
api.wordpress.org/secret-key/1.1/
• Add index.php, a blank file to all plugin and theme
directories if it isn’t already there"
• Check the file directory privileges(if you are
comfortable)

15. Post Install Setup
• Create new admin user with strong password"
• Change Admin password and give no role
Why not delete??"
• Make your main admin’s display name different from
login name "
• Change setting to allow editing by outside packages
if wanted - but know what you are doing"
• Change “permalink” structure (thank you WP 3.3!)"
• Demo Time Again....

16. As You Build
• Themes and Plug-ins : be safe"
• Consider the source"
• Always be suspicious"
• Again, do you research and ask around"
• Consider Search Engine Visibility (under Settings / Reading)"
• Put up a Coming Soon or Down for Maintenance screen"
• Understand your Discussion Settings

17. Discussion Settings

18. Discussion Settings, part 2

19. Other Hardening
• Disable File Editing – placing this line in wp-config.php is
equivalent to removing the 'edit_themes', 'edit_plugins'
and 'edit_files' capabilities of all users:
" " define('DISALLOW_FILE_EDIT', true);"
• Check out further in depth hardening options at
http://codex.wordpress.org/Hardening_WordPress

20. Security Plugins You Need
• Some more plugins that you should have:"
• Askimet - AntiSpam, comes with the install, you will just need key"
• Block Bad Queries - blocks code injection through queries"
• Acunetix WordPress Security - basically a security audit & fix"
• AntiVirus or another such"
Demo Time Again!

21. Monitor

22. Monitoring Users
• Other plugins to consider:"
• Search Meter - What are your visitors looking for, but also shows
extraneous search injections"
• Limit Login Attempts – Helps protect against dictionary attacks"
• ThreeWP Activity Monitor - Shows who did what and when"
• Demo Time Again!

23. Monitoring The Site"
What do you look like to the world?"
"
How do you know if your site goes down?"
"
• Hit your site regularly with different browsers"
• IE, Chrome, Firefox, mobile"
• Do this while not logged in"
• Google’s tools"
• What does Google see?"
• Fetch As Google (part of Webmaster Tools)"
• Site monitor"
• Such as SiteUptime

24. Who Gets Notified?"
Make sure that the address the monitoring
alerts go to is not tied to the site or what you
are monitoring!
Alert that
site is
down!
Can’t send alert
because the
site is down.

25. After The Storm
(Recovery)

26. The Key To Recovery
Is Good Backup
• Your content is your responsibility, not your host’s"
• They may help you, but not guaranteed"
• The only good backup is an automated one"
• You will forget at the worst time"
• Decide on how much you can afford to lose"
• A manual backup every now and then doesn’t hurt"
• Before or after a big change, back it up"
• Have more than one copy of the backups"
• Different locations"
• Different formats"
• 3-2-1 backup …

27. Simple Backup for WP
• Your content is your responsibility, not your host’s"
• Great a GMail account or use your current one with
custom address such as
“yourname+backups@gmail.com”
• Make a filter that auto files away all email coming in
to that address"
• Database - WP-DB-Backup
• Images & Themes - WordPress Backup "
• Doesn’t hurt to occasionally backup
manually too

28. More Complete
• Use a tool such as UpdraftPlus
• This will backup all files and databases"
• Will transfer those to DropBox, FTP, etc…"
• Keep a document of your settings"
• Custom setting you change"
• Menu options"
• Date that you change things"
• Some screen captures"
• If you are really safe (paranoid?)"
• Create a test / backup site"
• Can also serve as a fail-over

29. Know How To Restore
• You’ve made a backup, do you know how to use it?"
• Test it occasionally"
• Make sure you know what does and doesn’t get recovered and that
you have a work around"
• Do you have a place to use it?"
• Alternative hosting or domain"
• Have you tested on a different server?"
• Is your site directory dependent?"
• Anticipate the worst case"
• Loss of access to GMail?"
• Corrupt backups

30. Stay Up-To-Date
• WordPress 3.9.1 is out "
"
• You will need to update your base software – unless your
host does it for you or you are WordPress.com"
"
• You will also need to update both your plug-ins and
themes
• Test your plug-ins so you can rollback if they don’t work"
• Be careful of what theme updates will do to any
customizations you have made"
• As always, backup first

31. Michael Carnell
@carnellm on Twitter
Slides available on
http://www.MichaelCarnell.com/presentations
Q & A