An overview of WordPress security targeted at beginning and intermediate users. Some light coding required. Talks about hosting, hardening, access and maintenance, the four areas to consider to keep a WordPress site protected from hackers.

1. WORDPRESS SECURITY IS LIKE
A HHAM SANDWICH

2. JAMES HIPKIN
Involved in advertising and
marketing for many years
Started in traditional
advertising
Moved over to direct marketing
Been involved with digital for over ten years
Currently an owner and the Managing
Director at Red8 Interactive

3. More than 20% of
websites are using
WordPress
This makes WordPress
a target for hackers
NOT IF, BUT WHEN
Without protection, it’s not a question of if, but when

4. SO HOW CAN YOU BE PROTECTED?

5. THINK HHAM SANDWICH
Hosting
Hardening
Access
Maintenance

6. SOME CONTEXT
You don’t need to follow every
recommendation presented here to be
secure—there isn’t a silver bullet, but
do something

7. SOME CONTEXT
No site is immune to hacking, no matter
what you do, a dedicated individual, if
they have the skills, can gain access to
virtually any site

8. SOME CONTEXT
“…but my site doesn’t get much traffic.”

9. HOSTING

10. The trouble with sharing
- Because shared servers must support many applications, server
software is often out of date, which means hackers can exploit
security holes in old software, holes that were plugged by yet to be
implemented updates
- Shared hosts are concerned about security, but their solutions are
generic, they aren’t designed specifically for WordPress
HOSTING

11. MANAGED WP HOSTS
It’s all about commitment—since the server
is only supporting one application,
WordPress:
- Server software is kept up-to-date
- Security precautions are specific
- WordPress updates are automatic
- Backups and security scans are automatic
- Quality control over plugins—known
vectors and server thrashers aren’t allowed

12. MANAGED WP HOSTS
But wait, there’s more…
managed WP hosts perform
better, they’re optimized to
support WordPress’ specific
requirements

13. MANAGED WP HOSTS
We use WP Engine
Others you can consider:
- Pagely
- Pressable
- Synthesis

14. HARDENING

15. HARDENING
Make it hard for the hackers’
bots and they will move on
Recommendations can be
added individually, which may
require a developer
Many are included options in
the iThemes Security plugin

16. HARDENING
Shut down the theme and plugin Editor
- Disallow the theme and plugin
editor by adding the following to
wp-config.php:
define( 'DISALLOW_FILE_EDIT',
true );

17. HARDENING
Set permissions on your wp-content
and themes directories to 755
Set permissions on files to 644

18. HARDENING
Hackers will try to add a .php file via wp-includes
and/or wp-content/uploads/ folders.To disable PHP
execution in these directories:
- Create a file in a text editor, call it .htaccess
and add the following code:
<Files *.php>
deny from all
</Files>
- Use FTP to place this file in the
folders

19. HARDENING
Change the database prefix
- In the WP-config.php file change the file prefix from “wp_”
to “wp_randomlettersandnumbers_”
- Or “randomlettersandnumbers_”
- This is best accomplished during the
initial install of WordPress
- Or use iThemes Security or the
Change DB Prefix plugin on an
older site

20. HARDENING
Use the Disable Comments plugin to
turn off post comments if they aren’t
required, which closes several
attack vectors
Use a third party like Disqus to manage
comments so they are off the server

21. HARDENING
Install iThemes Security for one-stop
shop security (some setup required)

22. HARDENING
Install the BruteProtect plugin to block
brute force attacks
Limit Login Attempts is another choice, but
it’s best in combination with other measures

23. ACCESS

24. ACCESS
You need ten Admins? Really?
• Use the User Role Editor
plugin to create a custom
user role, Manager or Web
Master, with the same
capabilities as an Admin
but without the ability to
add or delete plugins and
themes, two common
vectors for hackers

25. ACCESS
U/P: admin/password123? Really?
- Delete the admin user if
it exists
- Use the Enforce Strong
Passwords plugin to, well,
enforce strong passwords

26. ACCESS
Consider two-factor
authentication using the
Google Authenticator plugin
Or Rublon is an excellent
plugin for two-factor
authentication

27. ACCESS
Login Security Solution is
another good choice
Or install CLEF, it replaces
passwords with a simple,
encrypted authentication
using your smart phone

28. ACCESS
Force administration over SSL—this is important if
the dashboard will be accessed by multiple users
over public WiFi networks
- Install an SSL certificate and add the following
to the wp-config.php file:
• require_once(ABSPATH . 'wp-settings.php');
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

29. ACCESS
Consider adding a firewall to the site
- Among other benefits, Cloud Flare and
Sucuri will block malicious attacks before
they reach your server
- While not a 100% solution—a firewall
can block access to software
vulnerabilities before they can be fixed
via updates

30. ACCESS
Secure your WiFi
“Over three hours, he
revealed 23 Wi-Fi hotspots,
more than a third of which
were open to snoops or used crackable
WEP instead of the more modern
WPA encryption.”
Coco, modeling the WarKitteh collar.
Photo credit: Gene Bransfield

31. ACCESS
For a less industrial
strength, but still effective
solution consider Cloak, a
personalVPN service for
Apple devices

32. MAINTENANCE

33. MAINTENANCE
Seriously, keep all
WordPress software up
to date
Keep WordPress
and plugins up to date

34. MAINTENANCE
Delete all unused plugins and themes
—this is very important, old plugins and
themes are a common vector for
hackers

35. MAINTENANCE
If it’s not provided by the host, install a
backup plugin
- BackupBuddy and
VaultPress are
good choices
- Store backups in a
remote location

36. MAINTENANCE
Scan the site periodically (nightly?) using
a service like Sucuri

37. MAINTENANCE
Seriously, keep WordPress, themes and
plugins up to date
!
!
And back the site up
frequently to a remote location

38. THIS?

39. Do these things and the chances you will be
hacked are greatly reduced
OR THIS…
FOLLOW THESE
RECOMMENDATIONS
AND THE CHANCES
OF GETTING
HACKED WILL
BE GREATLY
REDUCED

40. THANKYOU!
Red8 Interactive
San Francisco, CA
St. Louis, MO
!
James Hipkin
james@red8interactive.com
415.789.3685
The slides are available on SlideShare:
http://www.slideshare.net/Red8Interactive/hham-for-wp-security