WordPress & WooCommerce Security Best Practices Moderated by Nicole Banks @Incapsula_com Matty Cohen @mattyza
WordPress & WooCommerceSecurity Best Practices
Moderated by
Nicole Banks@Incapsula_com
Matty Cohen@mattyza
© 2016 Imperva, Inc. All rights reserved.
Are you currently a WordPress user?
POLL
2
© 2016 Imperva, Inc. All rights reserved.3
Introduction
• Thanks for joining the webinar
• The webinar will last 30 minutes and will be recorded
• Feel free to submit questions at any time, we will answer as many as we can at the end
• We will send you a copy of the recording and a PDF copy of the slides afterwards
• Any questions or concerns, feel free to submit in the chat or email [email protected]
© 2016 Imperva, Inc. All rights reserved.4
Agenda
1. Introductions
2. Why Security?
3. Tips for the Best WordPress Experience
4. How WooCommerce Can Help?
5. Wrap-Up
6. External Resources
7. Q&A
© 2016 Imperva, Inc. All rights reserved.5
Imperva IncapsulaImperva Incapsula is a cloud-based service that makes websites safer, faster and more reliable. Our mission is to provide every website, regardless of its size, with enterprise-grade website security and performance features that so far have only been affordable to the very largest of websites.
Matty CohenWOOCOMMERCE PRODUCT TEAM LEAD AT AUTOMATTIC
CHAPTER I
Why Security?
Prevention Is Better Than a CureHaving no security breaches is better than having to
fix even one security breach.
Peace of MindIf anything were to go wrong, you know you’re
covered.
Security Is a MindsetConstant vigilance, and a sharp eye for detail.
CHAPTER II
WordPress
What Is WordPress?An open source website creation platform, powering
~26% of the known websites on the internet.
The operating system of the web.
Tip #1: No “admin” UserMake sure your default username is anything other than “admin”, and is an uncommon word or phrase.
If you have a username you use regularly online,you could use that.
Tip #2: Protect wp-adminWith WordPress, it’s possible to have your wp-admin
directory accessible within a certain IP address range, or moved entirely into a private directory on
your server.
Tip #3: Use Unique Table PrefixesBy default, WordPress uses wp_ as the database
table prefix. Adjust this to something unique.
Tip #4: Use Unique Keys and SaltsWithin wp-config.php
Adjust the keys and salts in wp-config.phpto be unique and lengthy.
WordPress offers a secret-key servicefor generating these strings, here:
https://api.wordpress.org/secret-key/1.1/salt/
Tip #5: Regularly Review the InstalledPlugins List for Inactive Plugins
Go through the list of plugins you have on your WordPress, delete any which you aren’t using, and examine those you are using, to see if they are still
required and relevant.
If they aren’t required or relevant,deactivate and remove them.
Tip #6: Enforce Strong Passwords
There is no such thing as a password which is too long.
Enforce the strongest passwords possible, to ensure a more secure environment.
WordPress has a built-in password strength checker.
Tip #7: Limit Login AttemptsUse the Jetpack plugin, and enable its Security feature, to prevent brute force login attempts.
https://jetpack.com/
CHAPTER III
WooCommerce
What Is WooCommerce?The world’s most flexible eCommerce platform.
Powering ~39% of all known online stores.
Powered by WordPress.
Tip #1: Pick a Trusted Web HostEnsure you choose a trusted and secure web host. Invest
in dedicated web hosting, if possible.
http://pressable.co/http://bluehost.com/
http://wordpress.com/vip/
Tip #2: Use Trusted ExtensionsWhen selecting your WooCommerce extensions, be sure
to use trusted extensions from WooCommerce.com.
http://woocommerce.com/
Tip #3: Research the ExtensionsIf you use an extension from another source, such as the official WordPress plugin directory, be sure to check the number of installations, the star rating, and when the
extension was last updated.
http://wordpress.org/plugins/
Tip #4: Invest In an SSL certificateEnforce SSL on all checkout-related screens of your WooCommerce. Enable an SSL certificate, and then enable the “Force Secure Checkout” option within
WooCommerce.
Your web host should offer SSL. If not, namecheap.comoffers reasonably priced SSL certificates.
Tip #5: Be Mindful of Private DataThere is a high risk in storing a user’s private information.
If you’d prefer not to do this, you could use an off-site payment gateway, instead of storing a credit card auth
token.
Tip #6: Check Permissions WhenConnecting to External Services
If you decide to share information with an external service, be sure to check the permissions this service
requires, and reach out to them if you feel the service is requesting too many permissions.
For example, a read-only service doesn’t need write permissions to your WooCommerce.
Tip #7: Regularly Test your CheckoutRegular testing of your checkout, with a security mindset,
minimises the risk that your checkout flow could be compromised, as you are regularly reviewing the
checkout.
Be sure to open your web browser’s “Network” tab when doing these tests, to ensure no information is being
leaked.
“
”DOUG LINDER
A good programmer is someone who always looks both ways before crossing
a one-way street.
Wrap-up
© 2016 Imperva, Inc. All rights reserved.31
In a fun, quiz-based online format, these free training courses give you the technical knowledge and skills to identify and block different types of DDoS attacks.
www.DDoSBootcamp.com
DDoS Protection BootcampDDoS Protection Mastery Starts Here
Thanks
Matty Cohen@mattyza