Philip Hess
GETTING STARTED WITH WORDPRESS HOSTING AND SECURITY
BEGIN WITH THE END
DOMAIN NAME
• Not really necessary
• But www.mydomain.com looks better than…
• www.mysite.hostingcompany.com or
• www.hostingcompany.com/~mysite/
• I use PairNic.com
• Local, in the south side
• Clean interface (but somewhat dated)
• Ad free
HOSTING
• What kind of site you want will determine what kind of hosting is best.
• eCommerce
• Medical/Professional
• Education
• Hobby
HOSTING
• eCommerce
• Security
• Credit card processing
• Not down during shopping times
HOSTING
• Medical/Professional
• Security
• HIPAA requirements
HOSTING
• Education
• Security
• FERPA requirements
HOSTING
• Hobby
• Security against hacking
• Personal embarrassment
HOSTING
• My short list
• www.wordpress.com
• www.pair.com
• www.asmallorange.com
• Select the best host you can afford
HOSTING
• Who I chose and why
• cPanel – used it before, familiar with it
• One click install of WordPress
• $35.00/year – cheapest hosting I’ve found
• Even a Raspberry Pi would cost more
SECURITY
• If it’s on the internet someone will be trying to hack it
• Change the admin account to something else
• Don’t use admin, administrator, your name, any part of your site name
• Use the admin account to administer your site and nothing else
• Use a separate account to post content
SECURITY
• Learn how to secure WordPress
• Hardening WordPress
• WordFence Security Learning Center
• Google is your BFF – but verify
• Learn how to use the security features of your server – most likely Linux (LAMP)
• Apache (web server) security features
• .htaccess files
SECURITY
• .htaccess files
• You can protect the .htaccess file itself by adding the following lines to the file:
<files .htaccess>
order allow,deny
deny from all
</files>
SECURITY
• .htaccess
• Limiting access to /wp-admin/
<Limit GET>
order deny,allow
deny from all
# replace ww.xx.yy.zz with your own IP address
allow from ww.xx.yy.zz
</Limit>
# Note: <Limit GET> covers only GET requests; POST requests (such as the login form) are not restricted by this block
SECURITY
• .htaccess
• Disable directory browsing
Options -Indexes
• Disable PHP execution (/wp-content/uploads/)
<Files *.php>
deny from all
</Files>
SECURITY
• Editing the wp-config.php file
• Automatically update WordPress core files
define( 'WP_AUTO_UPDATE_CORE', true );
• Disallow editing of PHP from within WordPress
define( 'DISALLOW_FILE_EDIT', true );
• Suppressing PHP run time errors
error_reporting( 0 );
@ini_set( 'display_errors', 0 );
SECURITY
• Use HTTPS if you have an eCommerce site or collect any sort of data from customers/visitors
• Will need a “certificate” in this case, an extra annual charge
• Good idea to use this for login on to your site
• Generate new WordPress security keys
• https://api.wordpress.org/secret-key/1.1/
• Keep your own computer clean and safe
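The wp-config.php settings above (automatic core updates, DISALLOW_FILE_EDIT, suppressed error display, fresh security keys), the table_prefix advice from the installation slides, and the .htaccess rules from the earlier slides (Options -Indexes, protecting .htaccess itself, blocking PHP in uploads) are all things a quick audit script can check before a site goes live. The following is an added example, not code from the slides or from WordPress; the two sample files are constructed inline, the function names are my own, and the salt placeholder text "put your unique phrase here" is the value WordPress ships in wp-config-sample.php.

```python
import re

# Constructed sample inputs (not from any real site) so the audit runs offline.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
$table_prefix = 'wp_';
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'constructed-value-2');
define('LOGGED_IN_KEY',    'constructed-value-3');
define('NONCE_KEY',        'constructed-value-4');
define('AUTH_SALT',        'constructed-value-5');
define('SECURE_AUTH_SALT', 'constructed-value-6');
define('LOGGED_IN_SALT',   'constructed-value-7');
define('NONCE_SALT',       'constructed-value-8');
define( 'WP_AUTO_UPDATE_CORE', true );
define('DISALLOW_FILE_EDIT', false);
@ini_set('display_errors', 1);
"""

SAMPLE_HTACCESS = """Options -Indexes
<files .htaccess>
order allow,deny
deny from all
</files>
"""

PLACEHOLDER_SALT = "put your unique phrase here"   # value shipped in wp-config-sample.php
SALT_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
              "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
# Accept both the Apache 2.2 syntax used on the slides and the 2.4 Require syntax.
DENY_RE = re.compile(r"deny\s+from\s+all|Require\s+all\s+denied", re.I)


def php_define(src, name):
    """Return the raw value text of define('NAME', value); or None if absent."""
    pat = r"define\(\s*['\"]%s['\"]\s*,\s*(.+?)\s*\)\s*;" % re.escape(name)
    m = re.search(pat, src)
    return m.group(1).strip() if m else None


def audit_wp_config(src):
    """Check the wp-config.php hardening settings the slides recommend."""
    findings = []
    if php_define(src, "DISALLOW_FILE_EDIT") != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: theme/plugin editor is usable from the dashboard")
    if php_define(src, "WP_AUTO_UPDATE_CORE") != "true":
        findings.append("WP_AUTO_UPDATE_CORE is not true: core updates are not automatic")
    if not re.search(r"ini_set\s*\(\s*['\"]display_errors['\"]\s*,\s*['\"]?0['\"]?\s*\)", src):
        findings.append("display_errors is not set to 0: PHP errors may leak paths and queries")
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", src)
    if m is None or m.group(1) == "wp_":
        findings.append("table_prefix is the default wp_")
    for name in SALT_NAMES:
        value = php_define(src, name)
        if value is None or PLACEHOLDER_SALT in value:
            findings.append(f"{name} is missing or still the sample placeholder: generate new keys")
    return findings


def audit_htaccess(src, uploads_dir=False):
    """Check the .htaccess rules the slides recommend; uploads_dir adds the PHP-block check."""
    findings = []
    if not re.search(r"^\s*Options\b.*-Indexes", src, re.M | re.I):
        findings.append("directory listing not disabled: Options -Indexes missing")
    block = re.search(r"<files\s+\.htaccess\s*>(.*?)</files>", src, re.S | re.I)
    if block is None or not DENY_RE.search(block.group(1)):
        findings.append(".htaccess is not protected from being served")
    if uploads_dir:
        block = re.search(r"<files\s+\*\.php\s*>(.*?)</files>", src, re.S | re.I)
        if block is None or not DENY_RE.search(block.group(1)):
            findings.append("PHP execution not blocked in the uploads directory")
    return findings


if __name__ == "__main__":
    for f in audit_wp_config(SAMPLE_WP_CONFIG) + audit_htaccess(SAMPLE_HTACCESS, uploads_dir=True):
        print("FINDING:", f)
```

Run against the constructed samples it reports four wp-config findings (file editing allowed, errors displayed, default table prefix, AUTH_KEY still the placeholder) and, for the uploads directory, the missing PHP block; to audit a real install, read wp-config.php and each .htaccess from disk and pass their contents to the two functions.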
CONTROL PANELS
• Help you manage your site without using the command line
• Home Grown
• Plesk
• cPanel
INSTALLING WORDPRESS
• From control panel
• Easy
• Default options
• Can install and delete as often as you wish
• Change the table_prefix
INSTALLING WORDPRESS
• Manually
• From the command line
• Change the table_prefix
INSTALLING WORDPRESS
• Themes – Changes the appearance of WordPress site
• There are thousands!
• Get from a reputable site
• WordPress.org
• Don’t limit yourself to just a theme based on a keyword
• Only one theme can be active at a time
• Theme checkers – checks for hidden malware
INSTALLING WORDPRESS
• Plugins – Adds or changes features of your WordPress site
• There are thousands!
• Get from reputable sources or develop own
• Take time to review and try them out before deciding
• Look at the last time it was updated
• Potential security issues
• Deactivate/delete plugins not being used
INSTALLING WORDPRESS
• Security Plugins
• There are hundreds!
• Look for one that is updated frequently
• Free vs. paid
SUMMARY
• What I’m doing…
• Theme – using a theme designed for hosting services
• Plugins – none except for WordFence
• Reviewing and evaluating several others
• Security
• WordFence free – may upgrade to paid
• .htaccess to block IP addresses identified by WordFence
SUMMARY
• Security
• Unique logins for site admin and content
• Password protecting /wp-admin/ directory
• Blocking access from all but a few selected IP addresses
SUMMARY
• Security (cont)
• Limit access to /wp-admin/ directory to just my IP address
• Changes every few days though
• Sanitizing output of WordPress
• Modifying WordPress core files
RESOURCES
• Hosting
• www.wordpress.com
• www.pair.com
• www.asmallorange.com
RESOURCES
• WordPress
• WordPress Codex
• codex.wordpress.org
• WordPress Themes
• wordpress.org/themes/
• WordPress Plugins
• wordpress.org/plugins/
• WordPress Lessons
• codex.wordpress.org/WordPress_Lessons
RESOURCES
• Security
• Hardening WordPress
• codex.wordpress.org/Hardening_WordPress
• WordFence
• www.wordfence.com
• WordFence Security Learning Center
• https://www.wordfence.com/learn/