WordPress Setup and Security
Michael Carnell - [email protected]
WP is a Target
Constantly …
Where Threats Come From
• Threat #1 – Hijacks: such as domain name piracy
• Threat #2 – Hacks: such as code exploitation or brute force login attacks
• Threat #3 – Acts of Gods and Humans: Such as drive failures and goof-ups
• Then … we will talk details
Protection Against Hijacks
• Own your own domain name
• Use reputable domain name service
• Strong passwords and account info
• Protect your own email, seriously
• Recommendations – Different registrar & host
Protect Against Hack Attacks
• Use a good host
• Strong passwords on everything
• Best practices on install, setup and maintenance
• Get rid of Admin and ID #1
• Recommendation: IThemes Security Plug-In
Protect Against Gods & Humans
• Be careful of who you let have access
• Be careful of what you install
• Backups are YOUR responsibility
• Have multiple backups, 3-2-1 strategy
• Recommendation: Updraft Backup Plug-In
Let’s Talk Names and Hosting
Before You Even Start
• Your Domain Name
• Domain Name Registrar
• Need not be the same as your host (should not?)
• Needs to be in YOUR name
• Privacy? Depends on type of site and you
• My preferred registrar these days is Hover.com
The Not So Good
GoDaddy – in the past suffered from common back end database, performance overload, poor support … getting better - but still upsell.
Brinkster - has been hacked numerous times
FreeHostia - slow, free account is very limited, always pushing the upsell
Doing it yourself …
For the Simple Sites
DreamHost / BlueHost / HostGator – OK and inexpensive to start, and you can grow. But, watch CPU usage as they will cut off processes.
SiteGround – Inexpensive and can expand. Supports the WP community
WPEngine – Not cheap, but good. Again, understands WP and supports the community.
Lots of others out there - you get what you pay for, it is always a balance
The Basic Rules
Do your research – Google and ask around but watch out for paid / affiliate links and reviews
Check the provider’s own support forums
Is there a free trial or money back guarantee?
If you are a high traffic site (really), you need a dedicated server
None of this really applies to WordPress.com
The Dirty Details for WordPress
Install Correctly
While installing (most will use OneClick) . . .
Consider your directory? Do you use the standard? Root?
Consider altering the database name if your install allows
Make database username and password long and cryptic. Store them away not to be used
Don’t use redundant info - admin name same as username, same as blog name, etc...
Post Install Setup
Create new admin user with strong password
Change Admin password and give “no role”
Why not delete??
Make your main admin’s display name different from login name
Change setting to allow editing by outside packages if wanted - but know what you are doing
Change “permalink” structure
As You Build
• Themes and Plug-ins : be safe
• Consider the source
• Always be suspicious
• Again, do your research and ask around
• Consider Search Engine Visibility (under Settings / Reading)
• Put up a Coming Soon or Down for Maintenance screen
• Understand your Discussion Settings
Other Hardening
• Let the iThemes Security plug-in do this ….
• Disable File Editing – placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users:
define('DISALLOW_FILE_EDIT', true);
• Check out further in depth hardening options at
http://codex.wordpress.org/Hardening_WordPress
Double Check the Install
File level tasks to be done via SFTP . . .
Delete ..\wp-admin\install.php
In wp-config.php, add the optional security keys – http://api.wordpress.org/secret-key/1.1/
Add index.php, a blank file to all plugin and theme directories if it isn’t already there
Check the file directory privileges (if you are comfortable)
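The hardening and post-install checks above (DISALLOW_FILE_EDIT, the security keys, the leftover install.php, index.php in plugin and theme directories, and file privileges) are easy to forget on a second or third site. The audit script below is an added example, not part of the talk or of any plugin it mentions; it assumes the WordPress root directory is passed as the first argument and only checks the items listed on these slides, returning the number of findings as its exit status.

```shell
#!/bin/sh
# wp_audit: report which of the slide-deck hardening items are still open.
# Assumption: $1 is the WordPress root (the directory holding wp-config.php).

wp_audit() {
    root="$1"
    cfg="$root/wp-config.php"
    findings=0

    # 1. File editing from the dashboard should be switched off.
    if ! grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" "$cfg" 2>/dev/null; then
        echo "MISSING: define('DISALLOW_FILE_EDIT', true); in wp-config.php"
        findings=$((findings + 1))
    fi

    # 2. All eight keys/salts should exist and not be the stock placeholder text.
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        if ! grep -Eq "define\([[:space:]]*'$key'" "$cfg" 2>/dev/null \
           || grep -Eq "'$key'[[:space:]]*,[[:space:]]*'put your unique phrase here'" "$cfg" 2>/dev/null; then
            echo "WEAK: $key is not set to a unique value in wp-config.php"
            findings=$((findings + 1))
        fi
    done

    # 3. The installer script should be deleted once setup is done.
    if [ -f "$root/wp-admin/install.php" ]; then
        echo "PRESENT: wp-admin/install.php should be deleted"
        findings=$((findings + 1))
    fi

    # 4. Every plugin and theme directory should carry an index.php
    #    so the web server never shows a directory listing.
    for dir in "$root"/wp-content/plugins/*/ "$root"/wp-content/themes/*/; do
        [ -d "$dir" ] || continue
        dir=${dir%/}
        if [ ! -f "$dir/index.php" ]; then
            echo "LISTABLE: no index.php in $dir"
            findings=$((findings + 1))
        fi
    done

    # 5. wp-config.php holds the database credentials; it should not be
    #    readable by "other" (GNU stat first, BSD stat as fallback).
    perms=$(stat -c %a "$cfg" 2>/dev/null || stat -f %Lp "$cfg" 2>/dev/null)
    case "$perms" in
        *[4567]) echo "PERMS: wp-config.php is world-readable ($perms)"
                 findings=$((findings + 1)) ;;
    esac

    return $findings
}

# Usage: sh wp_audit.sh /path/to/wordpress
if [ $# -gt 0 ]; then
    wp_audit "$1"
fi
```

A zero exit status means every item on the slides is in place; anything else is the count of open items, printed one per line so the script can be dropped into a cron job or a post-deploy hook.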
Security Plugins You Need
Some more plugins that you should have:
iThemes Security - security audit and lockdown
Akismet – To combat spam, now part of JetPack; comes with the install, you will just need a key
Block Bad Queries - blocks code injection through queries
AntiVirus or another such
Simple Backup for WP
Your content is your responsibility, not your host’s
Many options, I like Updraft Plus – does database, files, can store in many different ways
Easily store to free DropBox or other account
Doesn’t hurt to occasionally backup manually too
Make sure you know how to restore / recover
Stay Up-To-Date
Even with auto-updates, you will need to update your base software – unless your host does it for you
You will also need to update both your plug-ins and themes.
Test your plug-ins so you can rollback if they don’t work
Be careful of what theme updates will do to any customizations you have made
As always, backup first
Additional Security
• Two factor authentication - a hassle but worth the risk if your site is important
• Use VPN to administer your blog when in public - I like https://www.tunnelbear.com/ lots of others
• Make sure your device is secure so that you aren't the breach - anti-virus, etc ...
• Monitor your site’s status – JetPack or SiteUptime.com
• Get alerts and notices at a non-dependent email!
Michael Carnell
http://www.MichaelCarnell.com
@carnellm on Twitter
http://www.JustBritish.com
Q & A