This document provides best practices for securing a WordPress server. It recommends making regular backups, changing defaults, using strong passwords, updating software, and limiting access. Specific tips include moving wp-config.php out of the webroot, using security plugins, tightening file permissions, disabling unneeded software, and regularly scanning for vulnerabilities. While security is an ongoing process, following these guidelines helps protect a WordPress site.
3. Basic Tips and Gotchas
• Backups, backups, backups.
• Change the defaults
• Use strong passwords (and unique authentication keys and salts in wp-config.php!)
• Use SFTP and HTTPS
• Update all the things
• Trust no one.
5. Do I Need To Do All This?
• Probably? - depends on your situation.
• Find a great managed hosting company?
• http://wpdevshed.com/managed-wordpress-hosting/
• Have a good sysadmin - or be one.
7. Good Advice
• Limiting Access - reduce possible entry points
• Containment - minimize potential damage
• Preparation and Knowledge - backups!
• Trusted Sources - download from reputable sites
• http://codex.wordpress.org/Hardening_WordPress
9. Understanding the Environment
• "LAMP" Environment
– OS - Linux
– Webserver - Apache
– Database - MySQL
– Scripting - PHP
• and… WordPress!
10. WordPress Security
• Move wp-config.php out of the webroot
• Friends don't let friends use plugins that eval() arbitrary PHP.
• iThemes Security - https://ithemes.com/tutorials/getting-started-ithemes-security-part-1/
• Wordfence - https://wordpress.org/plugins/wordfence/
• BruteProtect (soon to be JetPack) - https://wordpress.org/plugins/bruteprotect/
11. OS Level Security
• File permissions
• User groups
• mount / chroot / jail
• Firewalls - csf / lfd
• Virtual Machines
• ...and much more.
http://en.wikipedia.org/wiki/Unix_security
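The two hardening steps that slides 10 and 11 leave as one-liners (relocating wp-config.php and fixing file modes) are worked through below. This is an added example, not code from the deck: it assumes a stock WordPress tree, that the directory above the webroot is not itself served, and that PHP runs as the file owner (suPHP or a per-site php-fpm pool), which is what makes mode 400 on wp-config.php workable. WordPress itself falls back to dirname(ABSPATH)/wp-config.php when the file is missing from ABSPATH, but only if that parent directory holds no wp-settings.php (the check lives in wp-load.php), so the script refuses to move the file into a directory that looks like another install.

```shell
#!/bin/sh
# Added example for slides 10 and 11 (not from the original deck):
# move wp-config.php one directory above the webroot and apply the
# Codex-recommended modes (755 dirs, 644 files, 400 wp-config.php).
# Assumes PHP runs as the file owner (suPHP / php-fpm pool). With a
# shared www-data worker use 440 plus chgrp to the web server group.

wp_move_config() {
    webroot=$1
    parent=$(dirname "$webroot")
    # wp-load.php ignores a parent wp-config.php if wp-settings.php sits
    # beside it, so that layout would silently break the site.
    if [ -f "$parent/wp-settings.php" ]; then
        echo "refusing: $parent looks like another WordPress install" >&2
        return 1
    fi
    if [ -f "$webroot/wp-config.php" ]; then
        mv "$webroot/wp-config.php" "$parent/wp-config.php"
    fi
    [ -f "$parent/wp-config.php" ] || return 1
    chmod 400 "$parent/wp-config.php"   # owner read-only; DB creds live here
}

# Directories 755, regular files 644: nothing group- or world-writable.
wp_fix_perms() {
    find "$1" -type d -exec chmod 755 '{}' +
    find "$1" -type f -exec chmod 644 '{}' +
}

# Audit: print anything still writable by "other" (symlinks excluded).
wp_world_writable() {
    find "$1" ! -type l -perm -002 -print
}

# Usage when run directly: harden.sh /var/www/site/public
if [ -n "${1-}" ]; then
    wp_move_config "$1" && wp_fix_perms "$1" && wp_world_writable "$1"
fi
```

After wp_fix_perms the uploads directory is 755, which is fine when PHP runs as the owner; a shared worker that needs to write there must instead be put in the owning group with 775 on that one tree, never 777.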
12. Web Server Security
• Turn off indexing
• Disable unnecessary modules
• Use Deny / Allow directives, .htaccess
• Hardening - mod_security, mod_evasive
• Consider using a service like CloudFlare
• http://www.tecmint.com/apache-security-tips/
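The "turn off indexing" and "Deny / Allow directives" bullets above become a short .htaccess. The script below is an added example, not part of the deck: it writes a hardened .htaccess for a webroot and audits an existing one. The directives use Apache 2.4 syntax (Require all denied); on 2.2 the equivalent is Order allow,deny followed by Deny from all, and the audit accepts either. The file list inside FilesMatch is this example's choice. The file is only honoured where the vhost's AllowOverride permits Options and Limit/AuthConfig; with AllowOverride None the same directives belong in the vhost's Directory block.

```shell
#!/bin/sh
# Added example for slide 12 (not from the original deck): generate and
# audit a WordPress .htaccess. Apache 2.4 syntax; requires AllowOverride.

wp_write_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# Turn off directory indexing: a folder without index.php must not list files
Options -Indexes

# Never serve these directly, whatever their file modes are
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>
EOF
}

# Exit 0 when indexing is off and wp-config.php is denied, 1 otherwise.
wp_audit_htaccess() {
    f=$1/.htaccess
    rc=0
    [ -f "$f" ] || { echo "$1: no .htaccess" >&2; return 1; }
    # An Options line that turns Indexes on ("Indexes" or "+Indexes")
    if grep -Eq '^[[:space:]]*Options[[:space:]]+([^[:space:]]+[[:space:]]+)*[+]?Indexes([[:space:]]|$)' "$f"; then
        echo "$f: directory indexing enabled" >&2; rc=1
    elif ! grep -Eq '^[[:space:]]*Options[[:space:]]+([^[:space:]]+[[:space:]]+)*-Indexes([[:space:]]|$)' "$f"; then
        echo "$f: directory indexing not explicitly disabled" >&2; rc=1
    fi
    # A <Files>/<FilesMatch> block naming wp-config that denies access (2.2 or 2.4 form)
    if ! awk '
        /^[ \t]*<Files(Match)?[ \t]/ && /wp-config/ { inblk = 1 }
        inblk && /^[ \t]*(Require all denied|Deny from all)/ { found = 1 }
        /^[ \t]*<\/Files(Match)?>/ { inblk = 0 }
        END { exit found ? 0 : 1 }' "$f"; then
        echo "$f: wp-config.php not denied" >&2; rc=1
    fi
    return $rc
}

# Usage when run directly: htaccess.sh /var/www/site/public
if [ -n "${1-}" ]; then
    wp_write_htaccess "$1" && wp_audit_htaccess "$1"
fi
```

The audit is deliberately line-based: it catches the common mistakes (an Options line that re-enables Indexes, a deny block that was commented out) but it is not an Apache config parser, so run apachectl configtest after any change as well.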
13. Database security
• User permissions
• Disable remote access
• Change the defaults
• mysql_secure_installation
• http://dev.mysql.com/doc/refman/5.0/en/mysql-secure-installation.html
14. PHP Security
• suPHP - http://www.suphp.org/Home.html
• Suhosin - back from the dead - https://github.com/stefanesser/suhosin
• php.ini - disable_functions - http://php.net/manual/en/ini.core.php#ini.disable-functions
• php.ini - set open_basedir - http://php.net/manual/en/ini.core.php#ini.open-basedir
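Slide 13's "disable remote access" and slide 14's disable_functions and open_basedir are all edits to INI-style files, so one helper serves both. The script below is an added example, not from the deck: ini_set replaces or adds a key inside a named section, then mysql_harden pins mysqld to the loopback address and php_harden applies a function blacklist and an open_basedir. The blacklist (exec, passthru, shell_exec, system, proc_open, popen) and the open_basedir layout are this example's choices, not a complete list; tune them to what the site's plugins actually need. One caveat that ties back to slide 10: if wp-config.php was moved above the webroot, that parent directory has to be inside open_basedir too, or PHP will refuse to open it.

```shell
#!/bin/sh
# Added example for slides 13 and 14 (not from the original deck):
# edit my.cnf and php.ini in place with a small INI section-aware helper.

# ini_set FILE SECTION KEY VALUE: replace KEY in [SECTION], or add it.
# Commented keys (# or ;) are left alone, so the active setting is explicit.
ini_set() {
    tmp="$1.tmp.$$"
    awk -v s="$2" -v k="$3" -v v="$4" '
        /^[ \t]*\[[^]]+\][ \t]*$/ {
            if (insec && !done) { print k " = " v; done = 1 }   # leaving section: append
            name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            insec = (name == s); print; next
        }
        insec && !done {
            key = $0; sub(/[ \t]*[=#;].*$/, "", key)   # drop value and comments
            sub(/^[ \t]*/, "", key); sub(/[ \t]*$/, "", key)
            if (key == k) { print k " = " v; done = 1; next }
        }
        { print }
        END {
            if (!done) { if (!insec) print "[" s "]"; print k " = " v }
        }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# ini_get FILE SECTION KEY: print the effective value (comments ignored).
ini_get() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*\[[^]]+\][ \t]*$/ {
            name = $0; gsub(/^[ \t]*\[|\][ \t]*$/, "", name)
            insec = (name == s); next
        }
        insec && !/^[ \t]*[#;]/ {
            key = $0; sub(/=.*$/, "", key)
            sub(/^[ \t]*/, "", key); sub(/[ \t]*$/, "", key)
            if (key == k) { val = $0; sub(/^[^=]*=[ \t]*/, "", val); print val; exit }
        }' "$1"
}

# Slide 13: listen on loopback only, so the DB is unreachable from outside.
mysql_harden() {
    ini_set "$1" mysqld bind-address 127.0.0.1
}

# Slide 14: remove shell-spawning functions and fence PHP into the given paths.
php_harden() {
    ini_set "$1" PHP disable_functions "exec,passthru,shell_exec,system,proc_open,popen"
    ini_set "$1" PHP open_basedir "$2"
}

# Usage when run directly: harden.sh /etc/my.cnf /etc/php.ini /var/www/site/:/tmp/
if [ $# -eq 3 ]; then
    mysql_harden "$1" && php_harden "$2" "$3"
fi
```

Restart mysqld and the PHP handler after the edit, then confirm with ss -ltn (3306 should be bound to 127.0.0.1 only) and php -i | grep -E 'disable_functions|open_basedir'. The database user WordPress connects as should likewise be created for 'localhost' only, which mysql_secure_installation does not do for you.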
17. So You Think You Got
• Don't Panic!
• Contact your host
• Remember those backups I mentioned?
• Change passwords, check logs
• Tools - rkhunter, ClamAV, Linux Malware Detect
• http://codex.wordpress.org/FAQ_My_site_was_hacked
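"Check logs" is the step people skip because they do not know what to look for. The script below is an added example, not from the deck, with three checks that can run from a shell before the scanners (rkhunter --check, clamscan -r, maldet -a PATH) do their slower work. The access log lines are constructed for the example, in Apache combined format with RFC 5737 documentation addresses; the awk field positions assume that format. The login heuristic relies on WordPress behaviour: a failed login re-renders the form with HTTP 200, a successful one redirects with 302, so a run of 200 responses to POST /wp-login.php from one address is a brute-force signature. The uploads check rests on the fact that nothing legitimate in wp-content/uploads is a PHP file, and the third check lists PHP files modified since a reference file such as the last known-good backup.

```shell
#!/bin/sh
# Added example for slide 17 (not from the original deck): quick log and
# filesystem triage for a suspected WordPress compromise.

# Constructed sample log (combined format, RFC 5737 addresses).
wp_sample_log() {
    cat > "$1" <<'EOF'
203.0.113.5 - - [12/Mar/2015:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2015:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2015:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
203.0.113.5 - - [12/Mar/2015:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 3521 "-" "Mozilla/5.0"
198.51.100.7 - - [12/Mar/2015:10:01:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [12/Mar/2015:10:02:00 +0000] "GET /wp-content/uploads/2015/03/cache.php?cmd=id HTTP/1.1" 200 51 "-" "curl/7.40.0"
192.0.2.9 - - [12/Mar/2015:10:02:30 +0000] "GET /wp-content/uploads/2015/03/photo.jpg HTTP/1.1" 200 48213 "-" "curl/7.40.0"
EOF
}

# Addresses with at least MIN (default 10) failed POSTs to wp-login.php.
# Combined format: $1 client, $6 "METHOD, $7 path, $9 status.
wp_login_bursts() {
    awk -v min="${2:-10}" '
        $6 == "\"POST" && $7 ~ "^/wp-login[.]php" && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print ip, n[ip] }' "$1"
}

# PHP executed from wp-content/uploads: a classic dropped-webshell location.
wp_uploads_php() {
    awk '$7 ~ "^/wp-content/uploads/.*[.]php([?/]|$)" { print $1, $7, $9 }' "$1"
}

# PHP files changed since a reference file (e.g. the last known-good backup).
wp_recent_php() {
    find "$1" -type f -name '*.php' -newer "$2" -print
}

# Usage when run directly: triage.sh access.log /var/www/site/public /backups/last.tar
if [ $# -eq 3 ]; then
    wp_login_bursts "$1"; wp_uploads_php "$1"; wp_recent_php "$2" "$3"
fi
```

Anything these checks surface (a source address, a webshell path, a modified core file) is a lead for the host and for the password reset, not a clean-up target: take the backup first, as the slide says, and rebuild from a known-good copy rather than deleting files in place.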