You’ve designed it, you’ve built it, you’ve launched your new website – job done, right?
Nope – your adventure has only begun!
In this session we’ll review what “website security” really means, why it matters, and how exactly to implement basic security best practices such as:
– Controlling user access to your site,
– Using (and managing) strong passwords,
– Applying updates to Core and Plugins,
– Installing and configuring security plugins,
– & How to back up your site easily, effectively, and automatically!
You’ll leave this session with the ABCs of Security – literally!
WordPress Site Management - Keeping Your Creation Happy, Healthy and Secure
1. WP Site Management
Keeping your Creation Happy, Healthy, and Secure
Meagan Hanes @mhanes
WordCamp Hamilton 2016
2. A Bit About Me
Freelance designer & developer 15+ years
10+ years creating WP sites of all sizes & styles
TheWPCrowd Member
#training team
make.wordpress.org/training
Favourite colour: Rainbow!
Say Hi to my Friend Roy: http://hiroy.club
4. What is Web Security?
Protecting your website from malicious threats
Bots, Hackers
Ex-employees
Competing Businesses
Reducing vectors of attack
Plugins and themes
Weak passwords
Unused user accounts
Reducing the risk of an attack
Backups & Security
6. Why does web security matter?
Protect your investment
Websites aren’t cheap or easy to build - why risk losing that investment?
Reduce your stress levels, sleep well at night
Web Security = insurance policy for your website
Make your web employees happy
As much as developers love money, they don’t like fixing hacked sites!
7. Access
Who has access? How do they access the server? Where do they access it from?
Backups
How often are backups made? What’s involved in restoring a backup? Whose job is it?
Check for Updates
What kind of updates? How do I update my site with no risk of it breaking?
ABCs of Website Security
8. Who has access to your site?
What level of access do they need?
How do they access your site?
Current Users
Modify their User Role based on what level of access they need [1]
Encourage server connections with SFTP or SSH vs FTP
Old Users
Delete from Users section of WordPress
* Check Server-level Access As Well! *
1. https://codex.wordpress.org/Roles_and_Capabilities
Access
9. Dolphin12 is not a password, it’s a Hotmail account.
Not easily guessable
- No birth years
Never write it down
- Use a password manager: LastPass, KeePass
Never reuse a password
Weird mind tricks work!
Password Reset Links are your friends!
Strong Passwords
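The rules on this slide, turned into a small policy check. This is an added example, not code from the talk or from WordPress itself: the 12-character minimum, the constructed common-password set, the constructed word list and the SHA-256 password-history check are all assumptions chosen to keep the example self-contained. It rejects "Dolphin12" for the reason the slide gives (a dictionary word with digits bolted on, and too short) and accepts a long passphrase, which is the contrast the slide is making.

```python
import hashlib
import re
import secrets
from typing import Iterable, List

MIN_LENGTH = 12  # assumption; the slide gives no number

# Constructed stand-in for a breached/common-password list (assumption: a real
# check would use a far larger list or a breached-password lookup service).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "dolphin", "monkey"}

# Constructed word list for passphrase suggestions ("weird mind tricks").
WORDS = ["copper", "lantern", "orbit", "velvet", "glacier", "tango", "meadow", "saffron"]

# Four-digit years are the "birth year" pattern the slide warns against.
YEAR_RE = re.compile(r"(?:19|20)\d{2}")


def password_hash(candidate: str) -> str:
    """Hash used only for the reuse check. Unsalted SHA-256 keeps the example
    short; real password storage uses a salted, deliberately slow hash."""
    return hashlib.sha256(candidate.encode("utf-8")).hexdigest()


def check_password(candidate: str, previous_hashes: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if YEAR_RE.search(candidate):
        problems.append("contains a four-digit year")
    # Strip trailing digits/symbols so "Dolphin12" is judged as the word "dolphin".
    base = re.sub(r"[^A-Za-z]+$", "", candidate).lower()
    if base in COMMON_PASSWORDS:
        problems.append("dictionary word or common password")
    if password_hash(candidate) in set(previous_hashes):
        problems.append("reused from password history")
    return problems


def suggest_passphrase(word_count: int = 4) -> str:
    """Memorable alternative: several randomly chosen words joined with hyphens."""
    return "-".join(secrets.choice(WORDS) for _ in range(word_count))
```

The history check is what enforces "never reuse a password": keep hashes of the last few passwords and refuse any candidate whose hash is already on the list. The passphrase helper uses `secrets`, not `random`, because the choice has to be unpredictable.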
10. When was your last website backup made?
Where is that backup?
How do you restore your site from a backup?
Manually [1]
Copy WordPress file directory, export the database, store on a third party server
Automagically [2]
Via a plugin: UpdraftPlus, BackupBuddy, WP-DB Backup, etc
Via a centralized hub: ManageWP, InfiniteWP
* Test your Backup Restore Routine Tomorrow! *
1. https://codex.wordpress.org/WordPress_Backups
2. http://www.wpbeginner.com/plugins/7-best-wordpress-backup-plugins-compared-pros-and-cons/
Backups
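The manual routine from this slide (copy the WordPress directory, export the database, store the result elsewhere) written out as a script, with the "test your restore" step included as a checksum verification. This is an added example, not code from the talk or from any of the plugins named: the wp-config.php parsing, the archive naming, the SHA-256 sidecar file and the constructed site tree in `demo()` are assumptions. The `mysqldump` command is built but not executed here, since the example has no database to talk to.

```python
import hashlib
import re
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import List, Optional

# Matches lines such as define('DB_NAME', 'wordpress'); in wp-config.php.
DEFINE_RE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def read_db_settings(wp_config_text: str) -> dict:
    """Pull the database settings out of wp-config.php text."""
    return dict(DEFINE_RE.findall(wp_config_text))


def mysqldump_command(settings: dict, out_path: Path) -> List[str]:
    """Build the mysqldump argv for exporting the site database.

    The password is deliberately left off the command line (it would be
    visible to every local user via `ps`); supply it through the MYSQL_PWD
    environment variable or a --defaults-extra-file when you run this.
    """
    return [
        "mysqldump", "--single-transaction",
        "--host", settings["DB_HOST"], "--user", settings["DB_USER"],
        "--result-file", str(out_path), settings["DB_NAME"],
    ]


def archive_site(site_dir: Path, backup_dir: Path, db_dump: Optional[Path] = None) -> Path:
    """Tar+gzip the WordPress directory (plus the DB dump, if given) into a
    timestamped archive and write a SHA-256 sidecar next to it, so the copy
    pushed to the third-party server can be checked before a restore."""
    backup_dir.mkdir(parents=True, exist_ok=True)
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = backup_dir / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="wordpress")
        if db_dump is not None:
            tar.add(db_dump, arcname=db_dump.name)
    digest = hashlib.sha256(archive.read_bytes()).hexdigest()
    archive.with_name(archive.name + ".sha256").write_text(f"{digest}  {archive.name}\n")
    return archive


def verify_archive(archive: Path) -> List[str]:
    """Re-hash the archive against its sidecar and return the member names.
    Raises ValueError on mismatch: run this before trusting any restore."""
    expected = archive.with_name(archive.name + ".sha256").read_text().split()[0]
    actual = hashlib.sha256(archive.read_bytes()).hexdigest()
    if actual != expected:
        raise ValueError(f"checksum mismatch for {archive.name}")
    with tarfile.open(archive, "r:gz") as tar:
        return sorted(tar.getnames())


def demo() -> dict:
    """Run the whole routine against a constructed, throw-away site tree."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        site = root / "public_html"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text(
            "<?php\ndefine('DB_NAME', 'wp_demo');\ndefine( 'DB_USER', 'wp_user' );\n"
            "define('DB_PASSWORD', 'not-a-real-password');\ndefine('DB_HOST', 'localhost');\n"
        )
        (site / "wp-content" / "uploads" / "logo.png").write_bytes(b"\x89PNG constructed")
        settings = read_db_settings((site / "wp-config.php").read_text())
        dump = root / "wp_demo.sql"
        dump.write_text("-- constructed stand-in for real mysqldump output\n")  # not a real dump
        archive = archive_site(site, root / "backups", dump)
        return {
            "settings": settings,
            "dump_cmd": mysqldump_command(settings, dump),
            "members": verify_archive(archive),
        }
```

Two design points worth copying into whatever tool you end up using: the archive carries its own checksum, so a copy that was corrupted in transit to the off-site server is caught before you need it, and the database password never appears in the process list. If WP-CLI is installed, `wp db export` reads the credentials from wp-config.php for you and can replace the mysqldump step.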
11. What version of WordPress are you using?
What plugins do you have installed and activated on your site?
What theme are you using? What themes do you have installed but not active?
Core Updates
Point updates are done automatically (4.5.1 to 4.5.2) -> security patches, etc
Major updates are done manually (4.3 to 4.5) -> get on the most recent version :)
Plugins and Themes
If you don’t need them, delete them! -> fewer attack vectors
If they’re old, update them! -> otherwise you miss features & compatibility with current themes/plugins
If they’ve been modified, get a developer to help!
* Set Up A Staging Server for Maximum Win! *
Check for Updates
12. Who’s tried logging in to your site, from where, and when?
Does your site have any suspicious code? When were site files last modified?
Security Plugins for WordPress
iThemes Security, WordFence, Sucuri, AllInOne WP Security
Limit user login attempts (# of times), geolocation, time of access, IP address
Detect if/when files are changed
Two-factor authentication
Forcing secure passwords
.htaccess monitoring
Blacklists, firewalls, etc
… and more!
* Peace of mind comes at a cost - budget accordingly! *
BONUS: Security Plugins
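Two of the plugin features listed above, "detect if/when files are changed" and "limit user login attempts", written out in plain Python so the mechanism behind the checkbox is visible. This is an added example, not code from the talk or from any of the plugins named; the hashing scheme, the (client IP, username) lockout key, the thresholds and the constructed site tree in `demo_file_monitor()` are all assumptions.

```python
import hashlib
import json
import tempfile
from collections import defaultdict, deque
from pathlib import Path
from typing import Deque, Dict, List, Tuple


# --- "Detect if/when files are changed": take a hash baseline, diff it later ---

def hash_tree(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Files added, removed or modified since the baseline was recorded."""
    common = baseline.keys() & current.keys()
    return {
        "added": sorted(current.keys() - baseline.keys()),
        "removed": sorted(baseline.keys() - current.keys()),
        "modified": sorted(p for p in common if baseline[p] != current[p]),
    }


def demo_file_monitor() -> Dict[str, List[str]]:
    """Constructed site tree: baseline it, change three things, report the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "public_html"
        (site / "wp-includes").mkdir(parents=True)
        (site / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (site / "readme.html").write_text("<html>constructed readme</html>\n")
        (site / "wp-includes" / "version.php").write_text("<?php $wp_version = '4.5.2';\n")
        baseline_file = Path(tmp) / "baseline.json"  # kept outside the web root
        baseline_file.write_text(json.dumps(hash_tree(site)))
        # Constructed changes for the next run to catch:
        (site / "index.php").write_text("<?php require 'wp-blog-header.php'; // edited\n")
        (site / "readme.html").unlink()
        (site / "wp-content").mkdir()
        (site / "wp-content" / "new.txt").write_text("file that was not there before\n")
        return diff_baseline(json.loads(baseline_file.read_text()), hash_tree(site))


# --- "Limit user login attempts": lock out after N failures inside a window ---

class LoginThrottle:
    """Failed-login counter keyed by (client IP, username); the caller passes
    the current time so the logic is testable without sleeping."""

    def __init__(self, max_failures: int = 5, window_seconds: int = 900,
                 lockout_seconds: int = 900) -> None:
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures: Dict[Tuple[str, str], Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[Tuple[str, str], float] = {}

    def is_locked(self, ip: str, user: str, now: float) -> bool:
        return self._locked_until.get((ip, user), 0.0) > now

    def record_failure(self, ip: str, user: str, now: float) -> bool:
        """Register a failed attempt; returns True when this one starts a lockout."""
        key = (ip, user)
        attempts = self._failures[key]
        attempts.append(now)
        while attempts and attempts[0] <= now - self.window:  # forget old attempts
            attempts.popleft()
        if len(attempts) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            attempts.clear()
            return True
        return False

    def record_success(self, ip: str, user: str) -> None:
        """A good login clears the failure history for that client/user pair."""
        self._failures.pop((ip, user), None)
```

Keep the baseline file (and the hashes it contains) outside the web root, or a change to the site could also rewrite the record you compare against. For core files there is a ready-made reference: `wp core verify-checksums` compares an install against the checksums published for that WordPress release, which is the same idea with a baseline you did not have to take yourself.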