WordPress Security Basics - Melbourne WordPress User Meetup

WordPressSecurityBasics

ChrisBurgess@chrisburgess

BadNews

Thereisnosuchthingasabsolutesecurity.Nothingis100%secure.

GoodNews

Therearemanythingswecandotodrasticallyreducetherisks.

Contextiseverything…

“MostsuccessfulWordPresshackattacksaretypicallytheresultof

humanerror,beitaconfigurationerrororfailingtomaintainWordPress,suchaskeepingcoreandallpluginsupto

date,orinstallinginsecurepluginsetc.”-RobertAbela(@robertabela)

Source:http://www.wpwhitesecurity.com/wordpress-security/statistics-highlight-main-source-wordpress-vulnerabilities/

OverviewTakeSecuritySeriouslyUpdatesThemesandPluginsPasswordsBackupsandMaintenanceHardeningWordPressandSSLwillbecoveredinthefollowingpresentations

TakeSecuritySeriously

DefenseinDepth

Source:http://wptavern.com/

KeepWordPressUpdated

Updates

•  “Patchearlyandpatchoften”•  Thisisanothergoodreasontohaveatesting/stagingenvironment

UseReputablePlugins

UseReputableThemes

Trust

TheWeakestLink

PasswordManagement

•  LastPass,1Password,Roboform,KeePass,Dashlane

•  SecretServer,LastPassEnterprise,PassPack•  UseTwo-factorauthenticationwhereverpossible

PerformRegularBackupsandMaintenance

PrepareforProblems

BackupOptions

•  ServerLevelBackups– cPanel/Plesk– Replication– Snapshots

•  BackupServices•  BackupPlugins•  ManualBackups•  Exports

HardeningWordPress

HardeningWordPress

•  Allinoneplugins:Sucuri,Wordfence,iThemesSecurity

•  Oryoucantakeamoremodularapproach,butchoosewisely

•  SecurityServices•  ManualHardening

GoogleSearchConsole(formerlyWebmasterTools)

HowcanIlearnmore?

VerizonDBIR

http://news.verizonenterprise.com/2015/04/2015-data-breach-report-info/

Resources

•  https://wordpress.org/about/security/•  https://wordpress.org/news/category/security/

•  http://codex.wordpress.org/Hardening_WordPress

•  http://codex.wordpress.org/Brute_Force_Attacks#Protect_Your_Server

Thanks!

ChrisBurgess@chrisburgess