Smart WordPressers, Foolish Choices

Smart WordPressers,Foolish Choices

December 4, 2013

Rogue Repairman Productions | Alexandria, VA | [email protected] | 703.542.4025

Smart WordPressers, Foolish Choices

Lots of smart people use WordPress to publish their Web site, but many make simple mistakes that end up biting them later.

This presentation will walk you through five of the most common foolish choices people make, and show you better, easier, less expensive ways to do the same things.


About Your Presenter

Jason A. LefkowitzPresident, Rogue Repairman Productions

WordPress developer since 2009PHP developer since 2001Web developer since 1995

Questions? Write to me! Email: [email protected]: @jalefkowit

mailto:[email protected]

https://twitter.com/jalefkowit


Failure to Listen


Look familiar?

Failure To Listen


Failure to Listen

● WordPress and code running on its platform (themes/plugins) will tell you when they need to be updated

● Keeping everything up to date makes your site more secure, improves performance, and adds useful features

● So why not do this simple, free thing?


SelfUpdating WordPress

● As of version 3.7, WordPress can update itself in the background

● Will only apply security and maintenance updates, not new feature releases

● Can be selectively disabled in WP configuration● Automatically disabled if you use any kind of version control

system


Letting Yourself Go


Letting Yourself Go

● There are 28,164 plugins in the WordPress plugin directory● “Let's install all of them!”


Plugins and Themes: Use Sparingly

WordPress does not enforce any limitations on what plugins and themes can do. So:

● Each addon you install is a potential security hole● One poorly written addon can slow down your whole site● Plugins can behave like themes, and themes like plugins● Plugins and themes can conflict with each other (!)● Plugins and themes can conflict with WordPress core (!!!)


Plugins and Themes: Use Sparingly

Using addons wisely:● Use only those addons that you absolutely must use● Look for addons that do one thing well

– Beware of “AllInOne” addons● Look for addons that are:

– Under active development– Rated highly in the WordPress.org Plugin Repository– Flagged as compatible with your version of WordPress


Breaking Confidences



● A major cause of security compromises is insecure handling of authentication credentials (i.e. usernames and passwords).

● The login form is like the lock on your front door – be careful who you give keys to, and how you hand them over.



There are several sets of credentials that can be used to compromise a WordPress site.

● WordPress backend credentials● Web hosting control panel credentials● MySQL database credentials● Server login (SSH) credentials● File transfer (FTP) credentials

Losing control of any of these can lead to getting hacked!



Managing WordPress users securely:● Don't share user accounts – give each user their own● Limit full (“admin”) privileges to only those users who actually need

them● Don't transfer credentials over insecure channels, like email● When people leave your group/organization, delete their user

accounts



“What do you mean, email isn't secure?”● Emails are sent in unencrypted plain text● Emails pass through many servers between the sender and the

destination● Email accounts are frequently hacked/compromised



A word about FTP:

DON'T.



FTP is completely insecure.● No encryption – usernames and passwords are sent to the server “in the

clear”

Safe, secure, free alternatives exist.● SFTP/FTPS

If your web host requires you to use FTP – get a better web host!



For bonus security points:● Use SSL to encrypt the WordPress backend● Use a web host that supports publickey authentication● Remove or rename the default “admin” user account


“I Can Fix Him”


“I Can Fix Him”

● There are a wide variety of premade themes for WordPress available

● Many are tempted to take a premade theme and “hack” it● “It would be perfect if it just had this one feature...”

● This never ends happily


“I Can Fix Him”

Why not hack a thirdparty theme?● Thirdparty themes frequently have lots of features builtin – these

can interact with your hacks in weird/unpredictable ways● Your hacks can get deleted if the theme vendor distributes updates via

the WordPress updater● If you try to avoid losing your hacks by never updating the theme, you

could miss out on important security patches


“I Can Fix Him”

Better approaches include:● Using a thirdparty theme that offers safe ways to extend it

– WP customization tools: widgets, custom menus, theme customizer– Themespecific customization tools: options panels

● Building a custom theme from scratch● Extending a thirdparty theme as a “child theme”

– You only write the specific code you need– All other elements are “inherited” from the parent theme


Being Unprepared


Being Unprepared

The biggest enemy of the WordPress site administrator:

Success!


Being Unprepared

● WordPress stores all the content and preferences in a database – MySQL

● When a page is requested, it has to rummage through that database and assemble all the parts of the page for the visitor

● This can result in each page request running dozens (or more!) of queries against the database

● Then multiply that times a large number of visitors, and...


Being Unprepared


Being Unprepared

How to defend against being overwhelmed by traffic:● Use plugins sparingly● Use a caching plugin

– WP Super Cache, W3 Total Cache● Use a content cache

– Varnish, Redis, Memcached● Use a content delivery network (CDN)

– Amazon S3/CloudFront, Rackspace Cloud Files


Thank You!

Jason A. LefkowitzPresident, Rogue Repairman Productions

Questions? Write to me! Email: [email protected]: @jalefkowit

“Technology sucks. We make it suck less.”

mailto:[email protected]

https://twitter.com/jalefkowit