This was a 45 minute presentation given to the Calgary WordPress Meetup group on April 23, 2013 on WordPress Security along with additional tips and tricks on password best practices. Meetup: http://www.meetup.com/The-Calgary-WordPress-Meetup-Group/ Presenter: http://rexroar.com
Do you use the same password on multiple sites?
If you don’t follow password best practices, a hacked WordPress account can lead to other compromised accounts.
What’s at risk?
An attacker who controls your site can:
• Redirect visitors to a completely different website
• Compromise a shared hosting server and infect the other sites on it
• Phish your visitors for sensitive information
• Hijack links
• Get your site blacklisted by Google and other search engines
• And more…
Things you can do
• Keep your core, themes & plugins updated
• Remove unused themes & plugins from the server
• Remove the WP version number
• Select a good username
• Never write as an Administrator
• Create & use a strong password
• Secure WordPress further
Keep up-to-date
• The majority of hacked WordPress sites are not updated!
• Before making any update, back up your database AND your content (the wp-content directory: themes, plugins, uploads)
• Use a plugin such as Backup Buddy, or one of the free options, to automate the task
• Update WordPress, themes & plugins
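The three steps above as one script, added here as an example and not part of the slides: dump the database, archive wp-content, verify the archive, and only then update core, plugins and themes with WP-CLI. It assumes the `wp` command is installed; the paths in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: back up the database and wp-content, verify the backup,
# and only then update core, plugins and themes. Assumes WP-CLI (`wp`) is installed and that
# the first argument after "run" is the WordPress root; paths and names are placeholders.
set -eu

# Archive a directory (wp-content holds themes, plugins and uploads) into a timestamped
# tar.gz and write its SHA-256 beside it. Plain shell, so it works on any directory.
archive_content() {
    src="$1"; out_dir="$2"
    mkdir -p "$out_dir"
    archive="$out_dir/content-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$(dirname "$src")" "$(basename "$src")"
    sha256sum "$archive" | cut -d' ' -f1 > "$archive.sha256"
    printf '%s\n' "$archive"
}

# A backup you have not verified is a hope, not a backup: non-empty, checksum matches,
# and tar can list at least one member. Returns 0 when all three hold.
verify_archive() {
    archive="$1"
    [ -s "$archive" ] || return 1
    expected=$(cut -d' ' -f1 "$archive.sha256")
    actual=$(sha256sum "$archive" | cut -d' ' -f1)
    [ "$expected" = "$actual" ] || return 1
    [ "$(tar -tzf "$archive" | wc -l | tr -d ' ')" -gt 0 ]
}

# Database dump plus content archive, then the updates. Refuses to update if the backup
# does not verify. Needs WP-CLI, so this part only runs against a real install.
backup_and_update() {
    wp_path="$1"; out_dir="$2"
    mkdir -p "$out_dir"
    wp --path="$wp_path" db export "$out_dir/db-$(date +%Y%m%d-%H%M%S).sql"
    archive=$(archive_content "$wp_path/wp-content" "$out_dir")
    verify_archive "$archive" || { echo "backup failed to verify, not updating" >&2; return 1; }
    wp --path="$wp_path" core update
    wp --path="$wp_path" core update-db
    wp --path="$wp_path" plugin update --all
    wp --path="$wp_path" theme update --all
    wp --path="$wp_path" core version
}

# Usage: sh backup-and-update.sh run /var/www/html /var/backups/wp
# Keep the backup directory outside the web root (see "Clean up your house").
if [ "${1:-}" = "run" ]; then
    backup_and_update "$2" "$3"
fi
```

The verification step is the part most people skip: a truncated or unreadable archive only gets noticed when an update has already broken the site and the backup is needed.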
Clean up your house
• Remove unused themes (twentyten, etc.); keep only the active theme and, if you use a child theme, its parent
• Remove inactive plugins from WordPress and from the server: a deactivated plugin’s files are still on disk and still reachable over the web
• Don’t keep .sql files (or other backups) stored on your server; anything under the web root can be downloaded, so keep backups outside it
Remove the WP version number
http://www.wpbeginner.com/wp-tutorials/the-right-way-to-remove-wordpress-version-number/
• Hiding the version removes an easy tell for scanners, but it does not protect an install that is behind on updates; update first
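A few checks for the "Clean up your house" and "Remove the WP version number" slides, added here as an example and not part of the presentation: list backup files sitting under the web root, test a saved page for the generator tag, and purge inactive themes and plugins. The purge function assumes WP-CLI; paths are placeholders and the inputs in the usage line are constructed.

```shell
#!/bin/sh
# Added example, not from the slides: three house-cleaning checks for a WordPress install.
# The file scan and the version-leak check are plain shell; purge_inactive assumes WP-CLI.
# Paths are placeholders and any test inputs are constructed.
set -eu

# List dump/backup files sitting under the web root. Anything here is one URL guess away
# from being downloaded. Review the list; a zip in the media library may be legitimate.
find_leftover_backups() {
    webroot="$1"
    find "$webroot" -type f \( -name '*.sql' -o -name '*.sql.gz' -o -name '*.zip' \
        -o -name '*.tar.gz' -o -name '*.bak' -o -name '*.old' \) 2>/dev/null | sort
}

# Return 0 if a saved HTML page still announces the WordPress version. wp_head() prints
# <meta name="generator" content="WordPress X.Y"> unless the wp_generator action is removed
# (the linked article shows how); readme.html in the web root states the version as well.
leaks_version() {
    grep -Eiq '<meta[^>]+name="generator"[^>]+content="WordPress [0-9.]+"' "$1"
}

# Delete themes and plugins that are installed but inactive. WP-CLI's --status=inactive
# leaves out the active theme and the parent of an active child theme (status "parent"),
# so the site keeps what it is actually using.
purge_inactive() {
    wp_path="$1"
    for t in $(wp --path="$wp_path" theme list --status=inactive --field=name); do
        wp --path="$wp_path" theme delete "$t"
    done
    for p in $(wp --path="$wp_path" plugin list --status=inactive --field=name); do
        wp --path="$wp_path" plugin delete "$p"
    done
}

# Usage: sh cleanup.sh run /var/www/html
#        curl -s https://example.com/ > home.html && leaks_version home.html && echo "version leaks"
if [ "${1:-}" = "run" ]; then
    echo "== backup files under $2 =="; find_leftover_backups "$2"
    purge_inactive "$2"
fi
```

Run the file scan before the purge and read the list rather than piping it into `rm`: a dump named `backup.sql` in the web root is a real problem, a theme zip uploaded to the media library may be something the site owner wants to keep.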
Select a good username
• Never use ‘admin’ or ‘administrator’ as your username
• Never use the sitename as your username
• If you have one of these, get rid of it…now
• Your personal name is OK, but your password needs to be strong
Never write as an Admin user
• A post’s author name is public, so a username can be determined in no time at all
• If posts are published by an admin account, an attacker already has half of the login
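The "Select a good username" and "Never write as an Admin user" slides as a WP-CLI script, added here as an example and not part of the presentation: flag guessable administrator logins, replace one with a fresh account (reassigning its posts), and create a separate editor account to write with. It assumes WP-CLI; the logins, e-mail addresses, site name and password in the usage line are placeholders.

```shell
#!/bin/sh
# Added example, not from the slides: audit administrator logins for the guessable ones, swap
# a bad admin login for a fresh one, and create a separate editor account for writing.
# Assumes WP-CLI; logins, e-mail addresses, the site name and the password are placeholders.
set -eu

# Return 0 for a login an attacker tries first: admin, administrator, or the site name
# (the host without its TLD: rexroar.com -> rexroar). Compared case-insensitively.
is_guessable_login() {
    login=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    site=$(printf '%s' "$2" | tr 'A-Z' 'a-z' | sed 's/\..*$//')
    case "$login" in
        admin|administrator) return 0 ;;
    esac
    [ -n "$site" ] && [ "$login" = "$site" ] && return 0
    return 1
}

# Flag every administrator account whose login is guessable. The login of a post's author
# is public anyway (author archive URLs are derived from it), so an admin who also writes
# posts hands out half of the credential pair on every page.
audit_admins() {
    wp_path="$1"; site="$2"
    for u in $(wp --path="$wp_path" user list --role=administrator --field=user_login); do
        if is_guessable_login "$u" "$site"; then echo "GUESSABLE admin login: $u"; else echo "ok: $u"; fi
    done
}

# Create a new administrator, then delete the old one and hand its posts to the new account
# so nothing is lost. Pass the password in from a password manager via a variable rather
# than typing it on the command line, where it lands in shell history.
replace_admin() {
    wp_path="$1"; old_login="$2"; new_login="$3"; email="$4"; new_pass="$5"
    new_id=$(wp --path="$wp_path" user create "$new_login" "$email" \
        --role=administrator --user_pass="$new_pass" --porcelain)
    wp --path="$wp_path" user delete "$old_login" --reassign="$new_id" --yes
}

# The account you actually write with: editor role, no plugin/theme/user management.
create_editor() {
    wp --path="$1" user create "$2" "$3" --role=editor --user_pass="$4" --porcelain
}

# Usage: sh admin-accounts.sh run /var/www/html example.com
#   then: replace_admin /var/www/html admin siteops ops@example.com "$NEW_PASS"
#         create_editor /var/www/html jane jane@example.com "$EDITOR_PASS"
if [ "${1:-}" = "run" ]; then
    audit_admins "$2" "$3"
fi
```

`--reassign` is what makes the deletion safe: without it, WP-CLI (like the dashboard) offers to delete the old admin’s posts along with the account.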
Create & use a strong password
When creating a password, do NOT use:
• Your birthdate, wedding anniversary, or the dates of birth of your children or spouse
• Your name, username, company name, or the names of your children
• Your SIN (Social Insurance Number)
• Only numbers or only letters
• A short, easy-to-remember password
• The word ‘password’
• Words found in a dictionary*
Create & use a strong password
When creating a password, do use:
• At least 10 characters
• A mix of numbers, upper and lower case letters and special characters
• A password you have never used before
• Consider ‘salting’ your password (adding a site-specific part to a base password, so no two sites share the same one)
• Have a system or mnemonic
Create & use a strong password
Consider a multi-word combo password
Credit: http://xkcd.com/936/
Create & use a strong password
Consider a multi-word combo password
• More likely to be remembered
• Words must be chosen at random
• Words must not relate to each other (or to you)
• Upper & lower case still matter
• Add a number or two
• Add a special character as well
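A multi-word password built the way the slides and xkcd 936 describe, added here as an example and not part of the presentation: words picked at random from a list, capitalised, joined with a separator and finished with two digits, plus the arithmetic for how strong the result is. The twelve-word list inside the script is a constructed stand-in; for real use, feed a large list (the EFF long word list has 7776 entries) and let the script, not you, choose the words.

```shell
#!/bin/sh
# Added example, not from the slides: build a multi-word passphrase the xkcd 936 way and
# put numbers on how strong it is. WORDS is a constructed stand-in for a real word list.
set -eu

WORDS="correct horse battery staple orbit maple silver canyon ladder pickle walnut comet"

# Random integer in [0, n): 32 bits from /dev/urandom reduced modulo n. The modulo bias is
# negligible for lists of a few thousand words against a 32-bit draw.
rand_below() {
    n="$1"
    r=$(od -An -N4 -tu4 /dev/urandom | tr -d ' ')
    echo $(( r % n ))
}

# Entropy of k words drawn uniformly from a list of n: k * log2(n) bits. Words that relate
# to each other, or that you picked yourself, are not uniform draws and the formula no
# longer applies; that is why "words must be random" matters.
entropy_bits() {
    awk -v n="$1" -v k="$2" 'BEGIN { printf "%.1f", k * log(n) / log(2) }'
}

# Pick k random words, capitalise each, join with a separator ("-" by default) and append
# two random digits. The strength comes from the random word choice; the capitals,
# separator and digits mostly satisfy "mixed case + number + symbol" rules.
generate_passphrase() {
    k="$1"; sep="${2:--}"
    set -- $WORDS                      # word list into the positional parameters
    n=$#
    out=""
    i=0
    while [ "$i" -lt "$k" ]; do
        idx=$(( $(rand_below "$n") + 1 ))
        w=$(eval "printf '%s' \"\${$idx}\"")
        cap=$(printf '%s' "$w" | cut -c1 | tr 'a-z' 'A-Z')$(printf '%s' "$w" | cut -c2-)
        out="${out:+$out$sep}$cap"
        i=$(( i + 1 ))
    done
    printf '%s%02d\n' "$out" "$(rand_below 100)"
}

# Usage: sh passphrase.sh run 4
if [ "${1:-}" = "run" ]; then
    generate_passphrase "${2:-4}"
    echo "bits from the word choice alone: $(entropy_bits "$(echo $WORDS | wc -w)" "${2:-4}")"
fi
```

`entropy_bits 7776 4` prints 51.7, about the same as eight fully random printable ASCII characters (`entropy_bits 95 8` gives 52.6) and far easier to remember; the same four words drawn from the twelve-word stand-in list give only 14.3 bits, which is why the size of the list matters as much as the number of words.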
Create & use a strong password
DO NOT store your password in an obvious place!
• NOT on a sticky note on your monitor
• NOT in your daily planner
Use a Password Keeper
• LastPass.com
• AgileBits.com/OnePassword
Create & use a strong password
Don’t panic: if you forget it, password recovery is built into WordPress!
Create & use a strong password
Password Generator
• www.StrongPasswordGenerator.com
• www.random.org/passwords/
Test your password
• www.PasswordMeter.com
• www.grc.com/haystack.htm
• Test a look-alike pattern, not the password you will actually use: anything typed into a third-party site should be treated as disclosed
Secure WordPress further
Four free plugins you can use to secure WP:
• Limit Login Attempts
• Better WP Security
• Wordfence
• WP Security Scan
All are located in the WordPress plugin repository
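What Limit Login Attempts is defending against is visible in the web server’s access log, and this added example (not part of the presentation) shows how to find it: count POSTs to wp-login.php and xmlrpc.php per client and turn the offenders into Apache deny rules. The log lines are constructed, and combined log format (client IP first, request in quotes) is assumed.

```shell
#!/bin/sh
# Added example, not from the slides: find the login brute forcing that Limit Login Attempts
# is there to stop, straight from the web server's access log. The log lines are constructed;
# combined log format (client IP first, request in quotes) is assumed.
set -eu

# Print "count ip" for each client that POSTed to wp-login.php or xmlrpc.php (also usable for
# password guessing) more than $2 times in log file $1, busiest first.
login_bruteforcers() {
    logfile="$1"; threshold="$2"
    awk -v t="$threshold" '
        $6 == "\"POST" && $7 ~ /^\/(wp-login|xmlrpc)\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] > t) printf "%d %s\n", n[ip], ip }
    ' "$logfile" | sort -rn
}

# Turn the hits into Apache 2.2 .htaccess deny lines. Limit Login Attempts blocks inside PHP;
# a web server rule stops the requests before PHP runs at all.
deny_rules() {
    login_bruteforcers "$1" "$2" | while read -r count ip; do
        printf 'Deny from %s\n' "$ip"
    done
}

# Constructed sample: one client hammering the login, one normal login, two GETs.
write_sample_log() {
    cat > "$1" <<'EOF'
10.0.0.5 - - [23/Apr/2013:10:00:01 -0600] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Apr/2013:10:00:02 -0600] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Apr/2013:10:00:02 -0600] "POST /xmlrpc.php HTTP/1.1" 200 211 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Apr/2013:10:00:03 -0600] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
10.0.0.5 - - [23/Apr/2013:10:00:04 -0600] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
192.0.2.10 - - [23/Apr/2013:10:05:00 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [23/Apr/2013:10:06:00 -0600] "GET /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.9 - - [23/Apr/2013:10:07:00 -0600] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
EOF
}

# Usage: sh login-watch.sh run /var/log/apache2/access.log 10
if [ "${1:-}" = "run" ]; then
    login_bruteforcers "$2" "${3:-10}"
fi
```

On the sample, `login_bruteforcers sample.log 3` reports `5 10.0.0.5`: a 200 response to a POST on wp-login.php is a failed login (a success redirects with 302), so a client collecting 200s in a row is guessing. Pick the threshold from your own log; a real editor mistyping a password produces a handful of POSTs, not hundreds.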
Resources
Sucuri.net
• $89.99/year
• Malware cleanup, monitoring and more
Duo Security
• Free*
• Add two-factor sign in for your installation
Next steps?
• Implement this stuff!!
• Start with the basics
– A strong password
– A good username
– Writing with an editor username
WordCamp Calgary 2013
• Tickets on sale April 24
• $40 for the two-day conference
• http://2013.calgary.wordcamp.org