BEGINNER AND ADVANCED STEPS FOR WP SECURITY
GEORGETOWN WORDPRESS MEETUP
03 APR 2019 @ GEORGETOWN LIBRARY
www.BEACON.agency

SCHEDULE
6:00p NETWORKING
6:30p SECURITY DISCUSSION
8:00p Q&A
8:30p NETWORKING
9:00p Done!

AGENDA
● Why WordPress Security is Important
● The Role of Web Hosting
● The Role of Core, Themes, and Plugins
● WordPress Security in Easy Steps
● Advanced WordPress Security
● Fixing a Hacked Site

ABOUT ME - ED PERRY
PRESIDENT, THE BEACON AGENCY
ED@BEACONAGENCY.NET
@THEEDPERRY
LINKEDIN.COM/IN/EDTECH

SLIDES: WWW.BEACON.AGENCY/WPGT

WORDPRESS SECURITY OVERVIEW

WHY WORDPRESS SECURITY IS IMPORTANT
● Prevents hacking
● Loss of time/energy
● Loss of Revenue
● Loss of Sensitive Data/PII
● Downtime

THE ROLE OF WEB HOSTING
Who You Host With Makes A Difference
● Basic Server Security
● Shared vs Dedicated
● VPS
● Managed
● SSL

THE ROLE OF CORE, THEMES, AND PLUGINS
Update them, or pay the price!
● Avoid Known Vulnerabilities
● Core, Theme, and Plugin Updates
● Automatic Core Updates
● Automated Updates (with backups)
● Use Supported Themes
● Avoid Free Versions of Paid Plugins

WORDPRESS SECURITY IN EASY STEPS

CHANGE THE DEFAULT “ADMIN” USERNAME
Anything but admin.
● Three Methods:
  1. Create a new admin username and delete the old one.
  2. Use the Username Changer plugin
  3. Update username from phpMyAdmin

INSTALL A WORDPRESS BACKUP SOLUTION
Back that site up!
● Choose a plugin
  ○ VaultPress (with Jetpack)
  ○ BackupBuddy
  ○ UpdraftPlus
● Full Backups vs. Snapshots
● Automated Backups, How Often?
● Backups before Updates
● Off-site Storage

INSTALL A WORDPRESS SECURITY PLUGIN
Choose Wisely...
● Sucuri Security
● Wordfence
● iThemes Security
● Follow the Instructions / Read the Directions

ENABLE WEB APPLICATION FIREWALL (WAF)
Stop Problems Before They Get To Your Site
● Sucuri
● CloudFlare
● Paid Services
● “Set and Forget”

USE 2-FACTOR AUTHENTICATION FOR LOGIN
All The Cool Kids Are Doing It...
● Two types of algorithms
  ○ Time-based One-time Password (TOTP)
  ○ HMAC-based One-time Password (HOTP)
● Two Factor Authentication Plugin
● Supports Google Authenticator and more
● Don’t use SMS or Email

DISABLE TRACKBACKS
What Have You Done For Me Lately?
● Spammy, Fake, and Annoying
● Settings > Discussion
● Uncheck “Allow link notifications from other blogs (pingbacks and trackbacks)”

DISCOURAGE SPAMMERS
Add a human touch.
● Human Interface Form
● Akismet Anti-Spam
● Captcha Plugins (there are many)
● Some Contact Form Plugins already include one as an option
● Disable Comments
● Or outsource comments to Disqus

DON’T ADD SECURITY QUESTIONS TO LOGIN
Nope. Just nope.
● Decreases security because the answers are almost always public data!
● Don’t use them. Period.

ADVANCED WORDPRESS SECURITY

DISABLE FILE EDITING
Lock it down.
You can easily do this by adding the following code in your wp-config.php file.

DISABLE PHP FILE EXECUTION
No php, no cry.
● Disable PHP file execution where it’s not needed, e.g. /wp-content/uploads/
● Open a text editor
● Save as “.htaccess” in /wp-content/uploads/
● Can also be done for specific directories using `php.ini`, if your host allows it

LIMIT LOGIN ATTEMPTS
Three strikes and you’re (locked) out.
● Easily done with Plugins
● Login LockDown Plugin
● Wordfence Security Plugin
● Limit number of login attempts
● Block invalid Usernames

CHANGE WORDPRESS DATABASE PREFIX
● Change the Table Prefix in wp-config.php from “wp_” to something else, like “wp_a123456_”
● Change all Database Table Names
● Search the options table for any other fields that are using “wp_”
● Search the usermeta table for all fields that are using “wp_”
● Backup and Done
NOTE: This can break your site if this is not done properly. Only proceed if you feel comfortable with your coding skills.

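The prefix change above is usually done by hand in phpMyAdmin; the script below is an added example (not from the slides or The Beacon Agency) that generates the same steps so they can be reviewed before anything runs. It rewrites the `$table_prefix` line in wp-config.php and emits the RENAME TABLE and UPDATE statements for the options and usermeta rows whose names embed the prefix. MySQL/MariaDB syntax, the stock wp-config.php line, and the 12 core table names are assumed; plugin tables must be added to the list. Keep the slide's warning in mind: take a full backup first, and note that a custom prefix only defeats scripted attacks that hard-code `wp_`; it does not stop SQL injection.

```shell
#!/bin/sh
# Added example, not from the slides: generates the statements behind the
# "Change WordPress Database Prefix" steps instead of hand-editing them.
# Assumes MySQL/MariaDB syntax and the stock "$table_prefix = 'wp_';" line.
set -eu

# The 12 tables a stock WordPress install creates; plugins add more, so in
# practice take the list from: SHOW TABLES LIKE 'wp\_%';
WP_CORE_TABLES="commentmeta comments links options postmeta posts terms
term_relationships term_taxonomy termmeta usermeta users"

# Step 1: rewrite $table_prefix in wp-config.php. Written to a temp file and
# then moved into place so a failed edit never leaves a half-written config.
set_table_prefix() {
    cfg="$1"; new="$2"
    sed "s/^[\$]table_prefix *= *'[^']*';/\$table_prefix = '$new';/" "$cfg" > "$cfg.tmp"
    mv "$cfg.tmp" "$cfg"
    grep -q "^[\$]table_prefix = '$new';" "$cfg" || { echo "no \$table_prefix line in $cfg" >&2; return 1; }
}

# Steps 2-4: rename every table, then fix the rows whose *names* carry the
# prefix (wp_user_roles in options; wp_capabilities / wp_user_level in usermeta).
gen_prefix_migration_sql() {
    old="$1"; new="$2"; shift 2
    like_old=$(printf '%s\n' "$old" | sed 's/_/\\_/g')  # "_" is a LIKE wildcard; escape it
    pos=$((${#old} + 1))                                   # SUBSTRING is 1-based: text after the old prefix
    for t in "$@"; do
        printf 'RENAME TABLE `%s%s` TO `%s%s`;\n' "$old" "$t" "$new" "$t"
    done
    cat <<EOF
UPDATE \`${new}options\` SET option_name = CONCAT('${new}', SUBSTRING(option_name, ${pos})) WHERE option_name LIKE '${like_old}%';
UPDATE \`${new}usermeta\` SET meta_key = CONCAT('${new}', SUBSTRING(meta_key, ${pos})) WHERE meta_key LIKE '${like_old}%';
EOF
}

# Usage: sh change-prefix.sh /path/to/wp-config.php wp_ wp_a123456_ > migrate.sql
# Put the site in maintenance mode first: the config edit and the SQL must be
# applied together, and the site is broken between the two.
if [ -n "${3:-}" ]; then
    set_table_prefix "$1" "$3"
    # shellcheck disable=SC2086  # word-splitting WP_CORE_TABLES is intended
    gen_prefix_migration_sql "$2" "$3" $WP_CORE_TABLES
fi
```

Review migrate.sql before running it against the database; the LIKE patterns use an escaped underscore so `wp\_%` matches only names that really start with `wp_`.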
PW PROTECT WP-ADMIN AND LOGIN
Extra PWs for extra safety.
● Only if SSL is enforced
● Can be done in Cpanel OR:
● Create a .htpasswd file using this generator
● Upload this file outside your /public_html/ directory
● Create a .htaccess file and upload it in /wp-admin/
● Add this and save:

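The slide's "Add this and save" refers to an .htaccess body that did not survive the slide export; the script below is an added example (not from the slides or The Beacon Agency) of what that file contains, written for Apache 2.4 (assumed; 2.2 uses the older Order/Deny syntax). It also covers two things a practitioner hits the first time they try this: admin-ajax.php under /wp-admin/ is called by themes and plugins from the public front end and must stay open, and wp-login.php lives outside /wp-admin/ so it needs its own block in the root .htaccess. Paths such as /home/site/public_html and the function names are constructed for the example. Basic auth sends the password with every request, which is why the slide's "only if SSL is enforced" rule is the precondition.

```shell
#!/bin/sh
# Added example, not from the slides: the two .htaccess fragments behind the
# "PW Protect wp-admin and Login" slide, for Apache 2.4 (assumed).
set -eu

# The .htpasswd file must live outside the document root so it can never be
# served. Paths are compared as given, so pass absolute, normalised paths.
outside_docroot() {
    docroot="$1"; file="$2"
    case "$file" in
        "$docroot"|"$docroot"/*) return 1 ;;
        *) return 0 ;;
    esac
}

# Body for /wp-admin/.htaccess. admin-ajax.php stays open: themes and plugins
# call it from the public front end, and a password prompt there breaks them.
wp_admin_htaccess() {
    cat <<EOF
AuthType Basic
AuthName "Restricted area"
AuthUserFile $1
Require valid-user

<Files "admin-ajax.php">
    Require all granted
</Files>
EOF
}

# Fragment for the site root .htaccess: wp-login.php is outside /wp-admin/, so
# it needs its own <Files> block. "ErrorDocument 401 default" keeps the 401
# as Apache's own page instead of handing it to the WordPress rewrite rules.
wp_login_htaccess() {
    cat <<EOF
ErrorDocument 401 default
<Files "wp-login.php">
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile $1
    Require valid-user
</Files>
EOF
}

# Writes both files and, when the Apache tools are installed, creates the
# .htpasswd with bcrypt (-B), prompting for the password rather than taking
# it on the command line where other users could read it.
install_admin_protection() {
    docroot="$1"; htpasswd_file="$2"; user="$3"
    outside_docroot "$docroot" "$htpasswd_file" || { echo "refusing: $htpasswd_file is inside $docroot" >&2; return 1; }
    mkdir -p "$docroot/wp-admin"
    wp_admin_htaccess "$htpasswd_file" > "$docroot/wp-admin/.htaccess"
    wp_login_htaccess "$htpasswd_file" >> "$docroot/.htaccess"
    if command -v htpasswd >/dev/null 2>&1; then
        htpasswd -cB "$htpasswd_file" "$user"
    else
        echo "htpasswd not found; create the file with: htpasswd -cB $htpasswd_file $user" >&2
    fi
}

# Usage: sh protect-admin.sh /home/site/public_html /home/site/.htpasswd adminuser
if [ -n "${3:-}" ]; then
    install_admin_protection "$1" "$2" "$3"
fi
```

The generator refuses to proceed if the .htpasswd path is inside the document root, which is the mistake the slide's "upload this file outside your /public_html/ directory" step guards against.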
DISABLE DIRECTORY INDEX/BROWSE
Reveal nothing.
● Open the .htaccess file in your root directory
● Add the following line at the end of the .htaccess file
● Save and upload .htaccess file back to your site

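The "Disable File Editing", "Disable PHP File Execution" and "Disable Directory Index/Browse" slides each end where the snippet would be. The script below is an added example (not from the slides or The Beacon Agency) that applies all three to a WordPress root in one idempotent pass: the DISALLOW_FILE_EDIT define in wp-config.php, a FilesMatch deny in wp-content/uploads/.htaccess, and Options -Indexes at the end of the root .htaccess. It assumes the stock layout, Apache 2.4 with AllowOverride enabled so .htaccess is honoured, and a wp-config.php that starts with a `<?php` line; the function names and /var/www/html are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the slides: applies the three file-level changes
# from the "Disable File Editing", "Disable PHP File Execution" and "Disable
# Directory Index/Browse" slides to the WordPress root given as $1.
# Assumes Apache 2.4 with AllowOverride on and the stock wp-content layout.
set -eu

# 1. wp-config.php: DISALLOW_FILE_EDIT removes the theme/plugin editor, so a
#    hijacked admin session cannot write PHP through the dashboard. The define
#    goes right after the opening <?php tag, before wp-settings.php is loaded.
disable_file_edit() {
    cfg="$1/wp-config.php"
    if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then
        echo "skip: DISALLOW_FILE_EDIT already set"; return 0
    fi
    awk -v line="define( 'DISALLOW_FILE_EDIT', true );" \
        '/^<[?]php/ && !done { print; print line; done = 1; next } { print }' \
        "$cfg" > "$cfg.tmp"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg.tmp" || { rm -f "$cfg.tmp"; echo "no <?php line in $cfg" >&2; return 1; }
    mv "$cfg.tmp" "$cfg"
    echo "set: DISALLOW_FILE_EDIT"
}

# 2. wp-content/uploads/.htaccess: uploads is writable by the web server, so a
#    PHP file that lands there must never execute. Rules are appended so
#    anything already in the file is kept.
write_uploads_htaccess() {
    f="$1/wp-content/uploads/.htaccess"
    mkdir -p "$1/wp-content/uploads"
    if grep -qs 'Require all denied' "$f"; then
        echo "skip: uploads PHP execution already denied"; return 0
    fi
    cat >> "$f" <<'EOF'
# No PHP (or PHP-alike) may run from the uploads tree
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
    echo "set: uploads PHP execution denied"
}

# 3. Root .htaccess: Options -Indexes stops Apache listing directories that
#    have no index file. Appended after the "# END WordPress" marker; WordPress
#    only ever rewrites the BEGIN/END block, so the line survives updates.
disable_directory_index() {
    f="$1/.htaccess"
    if grep -qs '^Options -Indexes' "$f"; then
        echo "skip: directory listing already off"; return 0
    fi
    printf 'Options -Indexes\n' >> "$f"
    echo "set: directory listing off"
}

# Reports what is still missing; exit status 0 only when all three are in place.
check_hardening() {
    missing=0
    grep -qs 'DISALLOW_FILE_EDIT' "$1/wp-config.php" || { echo "missing: DISALLOW_FILE_EDIT"; missing=1; }
    grep -qs 'Require all denied' "$1/wp-content/uploads/.htaccess" || { echo "missing: uploads PHP deny"; missing=1; }
    grep -qs '^Options -Indexes' "$1/.htaccess" || { echo "missing: Options -Indexes"; missing=1; }
    return "$missing"
}

harden_site() {
    [ -f "$1/wp-config.php" ] || { echo "no wp-config.php under $1" >&2; return 1; }
    disable_file_edit "$1"
    write_uploads_htaccess "$1"
    disable_directory_index "$1"
    check_hardening "$1"
}

# Usage: sh harden-wp.sh /var/www/html
if [ -n "${1:-}" ]; then
    harden_site "$1"
fi
```

Run `check_hardening` on its own after a core update or a host migration; it is the quickest way to confirm none of the three settings has been reverted.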
DISABLE LOGIN HINTS
● Open functions.php file
● Add this code:
● Change the “What the heck are you doing?! Back off!” message to better fit your mood.
NOTE: This can break your site if this is not done properly and may affect future core updates.

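The code the slide refers to is a WordPress `login_errors` filter. The script below is an added example (not from the slides or The Beacon Agency) that installs the same filter as a must-use plugin under wp-content/mu-plugins/ instead of editing functions.php: an mu-plugin loads regardless of which theme is active and is not overwritten when the theme is updated. The stock wp-content layout is assumed; the plugin name and the /var/www/html path are constructed for the example.

```shell
#!/bin/sh
# Added example, not from the slides: the "Disable Login Hints" change as a
# must-use plugin. Same WordPress filter (login_errors) the functions.php
# approach uses, but the file survives theme updates. Assumes wp-content/.
set -eu

# The PHP that replaces WordPress's specific messages ("invalid username",
# "incorrect password", ...) with one generic line, so the login form no
# longer confirms which usernames exist. Change the message text to taste.
hide_login_hints_plugin() {
    cat <<'EOF'
<?php
/*
Plugin Name: Hide Login Hints
Description: Replaces WordPress login error details with one generic message.
*/
add_filter( 'login_errors', function ( $error ) {
    return 'What the heck are you doing?! Back off!';
} );
EOF
}

install_hide_login_hints() {
    dir="$1/wp-content/mu-plugins"
    f="$dir/hide-login-hints.php"
    mkdir -p "$dir"
    hide_login_hints_plugin > "$f"
    # Syntax-check the file when a PHP CLI is present, before the site loads it;
    # a parse error in an mu-plugin takes the whole site down.
    if command -v php >/dev/null 2>&1; then
        php -l "$f"
    fi
    printf 'installed: %s\n' "$f"
}

# Usage: sh hide-login-hints.sh /var/www/html
if [ -n "${1:-}" ]; then
    install_hide_login_hints "$1"
fi
```

Because the filter returns the same text for every failure, it also removes the username/password distinction the default messages leak; pair it with the "Limit Login Attempts" slide so repeated guesses are blocked as well as uninformative.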
FIXING A HACKED SITE

YOU’VE BEEN HACKED
Now What?
● Archive current site directory and database for forensic analysis
● Restore from backups (hopefully?)
● Malware Scan and removal

YOU’VE BEEN HACKED
Cleaning up.
● Update Plugins and Core
● Verify permissions are minimal (most malware makes things 777)
● Force PW change at next login
● Change admin PW
● Change DB PW and secret keys

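The file-system half of the two "You've Been Hacked" slides, as an added example (not from the slides or The Beacon Agency): archive the site exactly as found before touching anything, then locate the world-writable files and directories the slide warns about and put them back to the WordPress defaults. A Linux/BSD host with tar and find is assumed; the database dump and the credential rotation are left to mysqldump and WP-CLI, which are only referenced when present. The paths and the dropped-file name in the usage and test are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: evidence capture and permission reset
# for the "You've Been Hacked" checklist. Assumes tar and find are available.
set -eu

# Step 1: archive the compromised tree exactly as found (modes and timestamps
# included) before cleaning, and record a hash of the archive alongside it.
archive_for_forensics() {
    site="$1"; dest="$2"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    out="$dest/site-$stamp.tar"
    mkdir -p "$dest"
    tar -cf "$out" -C "$(dirname "$site")" "$(basename "$site")"
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$out" > "$out.sha256"
    fi
    printf '%s\n' "$out"
}

# Database copy for the same evidence set; credentials come from ~/.my.cnf.
dump_database_for_forensics() {
    db="$1"; dest="$2"
    command -v mysqldump >/dev/null 2>&1 || { echo "mysqldump not installed; dump $db by hand" >&2; return 1; }
    mysqldump --single-transaction "$db" > "$dest/db-$(date -u +%Y%m%dT%H%M%SZ).sql"
}

# Step 2: everything writable by "other" (the 777 files and directories the
# slide mentions); symlinks are skipped because their mode is meaningless.
find_world_writable() {
    find "$1" -perm -002 ! -type l
}

count_world_writable() {
    find_world_writable "$1" | wc -l | tr -d ' '
}

# Step 3: back to the WordPress defaults, 755 for directories and 644 for
# files, with wp-config.php owner-only (use 640 instead if PHP runs as a
# different user than the file owner).
reset_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
    if [ -f "$1/wp-config.php" ]; then
        chmod 600 "$1/wp-config.php"
    fi
}

# Credential rotation (the slide's last three bullets) with WP-CLI, if installed:
#   wp user session destroy <admin-login> --all   # log every session out
#   wp user update <admin-login> --user_pass=...  # new admin password
#   wp config shuffle-salts                        # new secret keys; invalidates all cookies
# The database password is changed on the DB server first, then in wp-config.php (DB_PASSWORD).

# Usage: sh cleanup.sh /var/www/html /root/evidence [dbname]
if [ -n "${2:-}" ]; then
    archive_for_forensics "$1" "$2"
    if [ -n "${3:-}" ]; then
        dump_database_for_forensics "$3" "$2"
    fi
    echo "world-writable entries before reset: $(count_world_writable "$1")"
    reset_permissions "$1"
    find_world_writable "$1"
fi
```

Keep the archive and its .sha256 off the compromised host; the permission reset is deliberately a separate function so the evidence is captured with the original modes before anything changes.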
THANKS FOR JOINING ME!
GOT QUESTIONS?
EMAIL: ED@BEACONAGENCY.NET
TWITTER: @THEEDPERRY