Wordpress SecurityClaire Jordan - Spearmint Digital

Why Wordpress Security

● Wordpress is open source

● So is Apache and Linux

● Open source = free, but everyone can see

the code

● Hackers don’t specifically attack your site -

look for vulnerable sites on the internet

Your Server

● Home of your site, security starts here

● VPS vs Shared Hosting

● Use SSH or SFTP to connect

Install Wordpress Correctly

● Don’t use fantastico

● wordpress.org and do a manual install

Replace Security Keys

● It’s like changing your locks

● Setup authentication keys and salts

● Generate new keys at:

http://api.wordpress.org/secret-key/1.1/salt

● Copy and paste into wp-config.php

● Can do on existing site, will just make users

login again.

Replace Security Keys

Change the Table Prefix

● Change table prefixes

● default uses wp_ wp1_ wp2_

● If a new website, do this in wp-config.php

● If existing website it’s harder

● Good tutorial at:

http://wpbeginner.com/wp-tutorials/how-to-change-the-

wordpress-database-prefix-to-improve-security

● Can also do with a plugin

Get Rid of Comment Spam

● Install Akismet

● Shows your site is well managed

● No more spam!

Use Quality Themes and Plugins

● Bad theme or plugin = dangerous code

● Good themes - eg. studiopress, woothemes

● Good plugins - look at reviews

● Limit number of plugins

● Delete anything not in use

Update Everything

● Update wordpress core, plugins and theme

● Updates patch known vulnerabilities

● Check your site often

Good Username and Password

● Hackers only need 2 pieces of info, don’t

give them the first one

● Unique username and password

Good Username and Password

● If you need to change username

http://youtu.be/1R0X-zrtF1k

● Get a good password

www.strongpasswordgenerator.com

● Use a non-admin user for posting, show

author's real name

Limit Login Attempts

● Don’t want hackers to be able to try guess

the password

Backup Your Site

● A few good plugins:○ Vaultpress - backups immediately $15/month

○ Backupbuddy - easy to use, good support, $80 for a

license

○ BackWPup - free plugin, can choose where to

backup to

Suggested Backup Routine

● Using BackWPup

● Backup to dropbox

● Backup everything (theme, files, database,

plugin list)

● Have 3 jobs, 1 for daily, 1 for weekly and 1

for monthly

● Runs each day at 3am

More Security

● Lots more things you can do

● A few examples:○ blank .html files

○ custom .htaccess files

○ limit access to your IP address

○ secure files with passwords

● Security can always be taken to the next

level

Security Plugin

● Install Better WP Security

● Backup your blog

● Needs to change core files

● Use one click protection

● Go through the system status

Security Plugin

● Good tutorial:

http://www.wpbrix.com/wordpress/how-to-secure-

wordpress-with-better-wp-security

Questions?

Feel free to contact me at:

Claire Jordanwww.spearmintdigital.com.auclaire@spearmintdigital.com.au