beginner and advanced steps for wp security
play

BEGINNER AND ADVANCED STEPS FOR WP SECURITY RHODE ISLAND WORDPRESS - PowerPoint PPT Presentation

BEGINNER AND ADVANCED STEPS FOR WP SECURITY RHODE ISLAND WORDPRESS MEETUP 11 Sept. 2018 @ Stillwater Books www.BEACON.agency SCHEDULE AGENDA Why WordPress Security is Important 6:00p NETWORKING The Role of Web Hosting The Role


  1. BEGINNER AND ADVANCED STEPS FOR WP SECURITY RHODE ISLAND WORDPRESS MEETUP 11 Sept. 2018 @ Stillwater Books www.BEACON.agency

  2. SCHEDULE AGENDA Why WordPress Security is ● Important 6:00p NETWORKING The Role of Web Hosting ● The Role of Core, Themes, 6:30p SECURITY DISCUSSION ● and Plugins 8:00p Q&A WordPress Security in Easy ● 8:30p NETWORKING Steps Advanced WordPress Security ● 9:00p Done! Fixing a Hacked Site ● www.BEACON.agency

  3. ABOUT ME- ED PERRY PRESIDENT, THE BEACON AGENCY ED@BEACONAGENCY.NET @THEEDPERRY LINKEDIN.COM/IN/EDTECH www.BEACON.AGENCY

  4. SLIDES: WWW.BEACON.AGENCY/WPRI www.BEACON.agency

  5. WORDPRESS SECURITY OVERVIEW www.BEACON.agency

  6. WHY Prevents hacking ● WORDPRESS Loss of time/energy ● Loss of Revenue ● SECURITY IS Loss of Sensitive Data/PII ● IMPORTANT Downtime ● www.BEACON.agency

  7. THE ROLE OF WEB Basic Server Security ● Shared vs Dedicated ● HOSTING VPS ● Managed ● Who You Host With Makes A SSL ● Difference www.BEACON.agency

  8. Avoid Known Vulnerabilities ● THE ROLE OF Core, Theme, and Plugin ● CORE, THEMES, Updates Automatic Core Updates ● AND PLUGINS Automated Updates (with ● backups) Use Supported Themes ● Update them, or pay the price! Avoid Free Versions of Paid ● Plugins www.BEACON.agency

  9. WORDPRESS SECURITY IN EASY STEPS www.BEACON.agency

  10. CHANGE THE Three Methods: ● 1. Create a new admin DEFAULT “ADMIN” username and delete the old USERNAME one. 2. Use the Username Changer plugin Anything but admin. 3. Update username from phpMyAdmin www.BEACON.agency

  11. INSTALL A Choose a plugin ● WORDPRESS VaultPress (with Jetpack) ○ BackupBuddy ○ UpdraftPlus ○ BACKUP Full Backups vs. Snapshots ● Automated Backups, How SOLUTION ● Often? Backups before Updates Back that site up! ● Off-site Storage ● www.BEACON.agency

  12. INSTALL A Sucuri Security ● WORDPRESS Wordfence ● iThemes Security SECURITY PLUGIN ● Follow the Instructions / Read ● the Directions Choose Wisely... www.BEACON.agency

  13. ENABLE WEB APPLICATION Sucuri ● FIREWALL (WAF) CloudFlare ● Paid Services ● “Set and Forget” ● Stop Problems Before They Get To Your Site www.BEACON.agency

  14. USE 2-FACTOR Two types of algorithms ● Time-based One-time Password ○ AUTHENTICATION (TOTP) HMAC-based One-time Password ○ FOR LOGIN (HOTP) Two Factor Authentication ● Plugin All The Cool Kids Are Doing It... Supports Google ● Authenticator and more Don’t use SMS or Email ● www.BEACON.agency

  15. DISABLE Spamy, Fake, and Annoying ● Settings > Discussion ● TRACKBACKS Uncheck “Allow link ● notifications from other blogs What Have You Done For Me (pingbacks and trackbacks)” Lately? www.BEACON.agency

  16. Human Interface Form ● Akismet Anit-Spam ● DISCOURAGE Captcha Plugins (there are ● many) SPAMMERS Some Contact Form Plugins ● already include as an option Add a human touch. Disable Comments ● Or outsource comments to ● Disqus www.BEACON.agency

  17. DON’T ADD SECURITY Decreases security because ● QUESTIONS TO the answers are almost always public data! LOGIN Don’t use them. Period. ● Nope. Just nope. www.BEACON.agency

  18. ADVANCED WORDPRESS SECURITY www.BEACON.agency

  19. You can easily do this by adding DISABLE FILE the following code in your wp-config.php file. EDITING Lock it down. www.BEACON.agency

  20. disable PHP file execution ● where it’s not needed e.g. /wp-content/uploads/ DISABLE PHP FILE Open a text editor ● EXECUTION Save as “.htaccess” in ● No php, no cry. /wp-content/uploads/ can also be done with specific ● directories using`php.ini`if host allows www.BEACON.agency

  21. LIMIT LOGIN Easily done with Plugins ● Login LockDown Plugin ● ATTEMPTS Wordfence Security Plugin ● Limit number of login ● attempts Three strikes and you’re Block invalid Usernames ● (locked) out. www.BEACON.agency

  22. Change Table Prefix in ● CHANGE wp-config.php from “wp_” to something else like this WORDPRESS “wp_a123456_” Change all Database Tables ● Name DATABASE PREFIX Change all Database Tables ● Name Search the options table for any ● NOTE: This can break your site if other fields that is using “wp_ “ this is not done properly. Only Search the usermeta for all fields ● proceed if you feel comfortable that is using “wp_” with your coding skills. Backup and Done ● www.BEACON.agency

  23. Only if SSL is enforced ● Can be done in Cpanel OR: ● Create a .htpasswd file using ● PW PROTECT this generator Upload this file outside your ● WP-ADMIN AND /public_html/ directory Create a .htaccess file and ● LOGIN upload it in /wp-admin/ Add this and save: ● Extra PWs for extra safety. www.BEACON.agency

  24. Open the .htaccess file in ● your root directory DISABLE Add the following line at the ● DIRECTORY end of the .htaccess file INDEX/BROWSE Save and upload .htaccess file ● Reveal nothing. back to your site www.BEACON.agency

  25. Open functions.php file ● Add this code: ● DISABLE LOGIN HINTS Change the “What the heck ● NOTE: This can break your site if are you doing?! Back off!” this is not done properly and may message to better fit your affect future core updates. mood. www.BEACON.agency

  26. FIXING A HACKED SITE www.BEACON.agency

  27. YOU’VE BEEN Archive current site directory ● and database for forensic HACKED analysis Restore from backups ● (hopefully?) Now What? Malware Scan and removal ● www.BEACON.agency

  28. Update Plugins and Core ● Verify permissions are YOU’VE BEEN ● minimal (most malware HACKED makes things 777) Force PW change at next login ● Change admin PW ● Cleaning up. Change DB PW and secret ● keys www.BEACON.agency

  29. THANKS FOR JOINING ME! Got Questions? Email me: Ed@BeaconAgency.net www.BEACON.agency

Recommend


More recommend