
WordPress Setup and Security - files.meetup.com/14526562/WordPress Setup and Security.pdf

Jul 18, 2020

Page 1

WordPress Setup and Security

Michael Carnell - [email protected]

Page 2

WP is a Target

Page 3

Constantly …

Page 4

Where Threats Come From

• Threat #1 – Hijacks: such as domain name piracy

• Threat #2 – Hacks: such as code exploitation or brute force login attacks

• Threat #3 – Acts of Gods and Humans: such as drive failures and goof-ups

• Then … we will talk details

Page 5

Protection Against Hijacks

• Own your own domain name

• Use reputable domain name service

• Strong passwords and account info

• Protect your own email, seriously

• Recommendations – Different registrar & host

Page 6

Protect Against Hack Attacks

• Use a good host

• Strong passwords on everything

• Best practices on install, setup and maintenance

• Get rid of Admin and ID #1

• Recommendation: IThemes Security Plug-In

Page 7

Protect Against Gods & Humans

• Be careful of who you let have access

• Be careful of what you install

• Backups are YOUR responsibility

• Have multiple backups, 3-2-1 strategy

• Recommendation: Updraft Backup Plug-In

Page 8

Let’s Talk Names and Hosting

Page 9

Before You Even Start

• Your Domain Name

• Domain Name Registrar

• Need not be the same as your host (should not?)

• Needs to be in YOUR name

• Privacy? Depends on type of site and you

• My preferred registrar these days is Hover.com

Page 10

The Not So Good

GoDaddy – in the past suffered from common back end database, performance overload, poor support … getting better - but still upsell.

Brinkster - has been hacked numerous times

FreeHostia - slow, free account is very limited, always pushing the upsell

Doing it yourself …

Page 11

For the Simple Sites

DreamHost / BlueHost / HostGator – OK and inexpensive to start, and you can grow. But, watch CPU usage as they will cut off processes.

SiteGround – Inexpensive and can expand. Supports the WP community

WPEngine – Not cheap, but good. Again, understands WP and supports the community.

Lots of others out there - you get what you pay for, it is always a balance

Page 12

The Basic Rules

Do your research – Google and ask around but watch out for paid / affiliate links and reviews

Check the provider’s own support forums

Is there a free trial or money back guarantee?

If you are a high traffic site (really), you need a dedicated server

None of this really applies to WordPress.com

Page 13

The Dirty Details for WordPress

Page 14

Install Correctly

While installing (most will use OneClick) . . .

Consider your directory? Do you use the standard? Root?

Consider altering the database name if your install allows

Make the database username and password long and cryptic. Store them away; they are not for everyday use

Don’t use redundant info - admin name same as username, same as blog name, etc.

Page 15

Post Install Setup

Create new admin user with strong password

Change Admin password and give “no role” – Why not delete??

Make your main admin’s display name different from login name

Change setting to allow editing by outside packages if wanted - but know what you are doing

Change “permalink” structure

Page 16

As You Build

• Themes and Plug-ins: be safe

• Consider the source

• Always be suspicious

• Again, do your research and ask around

• Consider Search Engine Visibility (under Settings / Reading)

• Put up a Coming Soon or Down for Maintenance screen

• Understand your Discussion Settings

Page 17

Other Hardening

• Let the iThemes Security plug-in do this …

• Disable File Editing – placing this line in wp-config.php is equivalent to removing the 'edit_themes', 'edit_plugins' and 'edit_files' capabilities of all users:

define('DISALLOW_FILE_EDIT', true);

• Check out further in depth hardening options at

http://codex.wordpress.org/Hardening_WordPress

Page 18

Double Check the Install

File level tasks to be done via SFTP . . .

Delete ..\wp-admin\install.php

In wp-config.php, add the optional security keys - http://api.wordpress.org/secret-key/1.1/

Add index.php, a blank file to all plugin and theme directories if it isn’t already there

Check the file directory privileges (if you are comfortable)
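The two slides above list file-level hardening items: DISALLOW_FILE_EDIT in wp-config.php, the secret keys, removing wp-admin/install.php, a blank index.php in every plugin and theme directory, and file privileges. The script below is an added example, not part of the original slides and not WordPress or iThemes code: it audits an install tree for each of those items and generates replacement secret keys locally (so they never leave the server), with each check returning pass/fail so it can be scripted. It assumes the standard WordPress layout under the directory you pass it (wp-config.php, wp-admin/, wp-content/plugins/, wp-content/themes/), GNU or BSD stat and base64, and the placeholder text from wp-config-sample.php; the function names and the file name wp_audit.sh are my own.

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress install tree for the
# file-level hardening items above. Assumes the standard layout under $1:
#   wp-config.php, wp-admin/, wp-content/plugins/, wp-content/themes/
# Every check returns 0 on pass and 1 on fail so it can be scripted.

WP_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# wp-config.php must contain define('DISALLOW_FILE_EDIT', true);
check_file_edit_disabled() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1/wp-config.php"
}

# All eight secret keys/salts must be defined and none may still carry the
# wp-config-sample.php placeholder text.
check_secret_keys() {
    cfg="$1/wp-config.php"
    for k in $WP_KEYS; do
        line=$(grep -E "define\([[:space:]]*['\"]$k['\"]" "$cfg") || return 1
        case "$line" in *"put your unique phrase here"*) return 1 ;; esac
    done
    return 0
}

# The installer script should be gone once setup is complete.
check_installer_removed() {
    [ ! -e "$1/wp-admin/install.php" ]
}

# Every plugin and theme directory should carry a (blank) index.php so a
# server with directory listing enabled does not expose its contents.
check_index_files() {
    missing=0
    for d in "$1"/wp-content/plugins/*/ "$1"/wp-content/themes/*/; do
        [ -d "$d" ] || continue
        [ -f "${d}index.php" ] || { echo "missing index.php in $d"; missing=1; }
    done
    return $missing
}

# wp-config.php holds DB credentials and keys: no permission bits for "other".
check_config_perms() {
    f="$1/wp-config.php"
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")   # GNU stat, then BSD stat
    case "$mode" in
        *0) return 0 ;;
        *)  echo "wp-config.php mode $mode is world-accessible"; return 1 ;;
    esac
}

# Generate one key locally (48 random bytes -> 64 base64 characters) instead of
# fetching it from api.wordpress.org; base64 output never contains a quote.
generate_secret_key() {
    head -c 48 /dev/urandom | base64 | tr -d '\n'
}

# Print a ready-to-paste block of define() lines for all eight keys.
print_secret_key_defines() {
    for k in $WP_KEYS; do
        echo "define('$k', '$(generate_secret_key)');"
    done
}

# Run every check; the exit status is the number of failed checks.
run_audit() {
    fails=0
    for c in check_file_edit_disabled check_secret_keys check_installer_removed check_index_files check_config_perms; do
        if "$c" "$1"; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return $fails
}

# Usage: sh wp_audit.sh /path/to/wordpress
if [ -n "${1:-}" ] && [ -d "$1" ]; then
    run_audit "$1"
fi
```

Run it over a fresh OneClick install and again after the SFTP clean-up; a non-zero exit status tells you how many of the items on the two slides are still open. The permission check only looks at the "other" bits of wp-config.php, which is the one file on the list that holds credentials; it does not replace the broader ownership review the Hardening_WordPress page describes.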

Page 19

Security Plugins You Need

Some more plugins that you should have:

iThemes Security - security audit and lockdown

Akismet – To combat spam, now part of JetPack; comes with the install, you will just need a key

Block Bad Queries - blocks code injection through queries

AntiVirus or another such

Page 20

Simple Backup for WP

Your content is your responsibility, not your host’s

Many options, I like Updraft Plus – does database, files, can store in many different ways

Easily store to free DropBox or other account

Doesn’t hurt to occasionally backup manually too

Make sure you know how to restore / recover
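The slide makes two points a plugin cannot make for you: the content is your responsibility, and a backup only counts once you know it restores. As an added example (not from the slides and not Updraft Plus code), the shell functions below make a file-level backup of wp-config.php and wp-content/ plus an optional database dump file, write a SHA-256 sidecar, test-restore the archive into a scratch directory, and copy it to a second location where it is verified again. That covers the local copy and the second-media copy of the 3-2-1 strategy; the database dump itself (mysqldump or the host's export tool) and the transfer of the off-site copy are assumed to happen separately. The function names and the wp-backup-<stamp>.tar.gz naming are my own choices.

```shell
#!/bin/sh
# Added example (not from the slides, not Updraft Plus): file-level backup with
# an integrity sidecar, a restore test, and a second verified copy. The database
# dump is assumed to be produced separately and handed in as a file.

sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1       # macOS/BSD fallback
    fi
}

# backup_wp_files <wp_root> <dest_dir> [db_dump_file]
# Archives wp-config.php and wp-content/ (uploads, themes, plugins) plus the
# optional dump into <dest_dir>/wp-backup-<UTC stamp>.tar.gz, writes a .sha256
# sidecar next to it, and prints the archive path.
backup_wp_files() {
    root="$1"; dest="$2"; dump="${3:-}"
    stamp=$(date -u +%Y%m%dT%H%M%SZ)
    archive="$dest/wp-backup-$stamp.tar.gz"
    mkdir -p "$dest"
    if [ -n "$dump" ]; then
        tar -czf "$archive" -C "$root" wp-config.php wp-content \
            -C "$(dirname "$dump")" "$(basename "$dump")"
    else
        tar -czf "$archive" -C "$root" wp-config.php wp-content
    fi
    sha256_of "$archive" > "$archive.sha256"
    echo "$archive"
}

# verify_backup <archive>
# A backup you cannot restore is not a backup: the checksum must match the
# sidecar and a trial extraction into a scratch directory must yield wp-config.php.
verify_backup() {
    archive="$1"
    [ -f "$archive.sha256" ] || { echo "no checksum sidecar for $archive"; return 1; }
    [ "$(sha256_of "$archive")" = "$(cat "$archive.sha256")" ] \
        || { echo "checksum mismatch: $archive"; return 1; }
    scratch=$(mktemp -d)
    if tar -xzf "$archive" -C "$scratch" 2>/dev/null && [ -f "$scratch/wp-config.php" ]; then
        rm -rf "$scratch"
        return 0
    fi
    rm -rf "$scratch"
    echo "restore test failed: $archive"
    return 1
}

# replicate_backup <archive> <other_dir>
# Second copy on different storage (a mounted drive, a synced Dropbox folder),
# verified in place so a bad transfer is caught now rather than during recovery.
replicate_backup() {
    mkdir -p "$2"
    cp "$1" "$1.sha256" "$2/"
    verify_backup "$2/$(basename "$1")"
}

# Usage: backup_wp_files /var/www/html /backups/local /backups/db.sql
#        then replicate_backup <printed archive path> /mnt/second-disk/wp
```

The restore test is deliberately part of every run, not an occasional drill: a corrupted or truncated archive fails verification on the day it is made, which is the only day the original files are still known to be good. Keep the off-site copy on an account that does not share credentials with the host, for the same reason the slides tell you to send alerts to an independent email address.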

Page 21

Stay Up-To-Date

Even with auto-updates, you will need to update your base software – unless your host does it for you

You will also need to update both your plug-ins and themes.

Test your plug-ins so you can rollback if they don’t work

Be careful of what theme updates will do to any customizations you have made

As always, backup first

Page 22

Additional Security

• Two factor authentication - a hassle but worth the risk if your site is important

• Use VPN to administer your blog when in public - I like https://www.tunnelbear.com/ lots of others

• Make sure your device is secure so that you aren't the breach - anti-virus, etc ...

• Monitor your site’s status – JetPack or SiteUptime.com

• Get alerts and notices at a non-dependent email!

Page 23

Michael Carnell

http://www.MichaelCarnell.com

@carnellm on Twitter

http://www.JustBritish.com

Page 24

Q & A