Locking Down Your WordPress Site
Uploaded by frank-corso
Transcript of Locking Down Your WordPress Site
![Page 1: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/1.jpg)
Locking Down Your Site
Frank Corso
![Page 2: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/2.jpg)
3 Things To Consider
No site is 100% secure
Security vs convenience
It isn't WordPress's fault
frankcorso.me @fpcorso
![Page 3: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/3.jpg)
How Common Are Hacks?
30,000 website hack attempts every day
Hacking is automated so one "bot" can attempt to hack dozens of sites every minute
Automated hacking bots do not need a specific target
![Page 4: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/4.jpg)
Why Would Someone Hack Your Site?
Get user contact information
Get user credit card information
Insert ads and affiliate links into your site
Use your site's resources to further power the hacking bot
Hold your site hostage
![Page 5: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/5.jpg)
Most Common Types Of Hacks
Brute Force Attack
SQL Injection Hacks
Cross Site Scripting
![Page 6: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/6.jpg)
3 Stages Of Security
Protection
Detection
Recovery
![Page 7: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/7.jpg)
Stage 1: Protection
How do you prevent a hack?
![Page 8: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/8.jpg)
Hosting
Do your research!
Ensure your host keeps the server (PHP/MySQL/Linux) updated
Is there support?
Backup/recovery options?
![Page 9: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/9.jpg)
User Management
Not everyone needs admin access
Do not have an "admin" user
Do not give out your account
◦ If giving admin access to a developer, create a separate account which can be de-activated
Have a separate account for site admin that does not create posts/pages
![Page 10: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/10.jpg)
Passwords
Do not use words in your passwords
Do not use short passwords (I use 20 characters!)
Use multiple types of characters
Change passwords regularly
Use different passwords for each site and service
Example: 3)S'Fb2rVa:?Sc-t@~D&
Use a password manager such as LastPass
![Page 11: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/11.jpg)
Updates
Keep everything up to date
WordPress, plugins, and themes are updated regularly with security updates
PHP, MySQL, and Linux if you control the server
![Page 12: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/12.jpg)
File Management
Lots of more technical items include:
◦ 404 detection
◦ wp-config.php file permissions
◦ .htaccess
◦ Setting up time/day to access admin
![Page 13: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/13.jpg)
Backups
ALWAYS(!!!) have backups
Redundant - hosting and WordPress
Backup to an offsite location
◦ Email
◦ Amazon SES
◦ Google Drive
Regular backups
◦ Possibly daily database backups and weekly file backups
Use Backup Buddy or Updraft Plus
![Page 14: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/14.jpg)
Use A Security Plugin
Many good plugins will take care of a lot of this for you.
Most security plugins have teams that watch for new trends and update their plugins to help protect your site
Use iThemes Security or Wordfence
![Page 15: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/15.jpg)
SSL
SSL stands for Secure Sockets Layer and provides a secure, encrypted connection between internet browsers and websites.
Siteground and Flywheel both include free SSL certificates!
If you are not on a host that provides free SSL certificates, purchase one!
◦ Starts at $15 per year
![Page 16: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/16.jpg)
Stage 2: Detection
How will you know if your site is hacked?
![Page 17: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/17.jpg)
Detecting A Hack
Watch for file changes
Watch for anything abnormal
Scan your site with a malware checker such as virustotal.com
Consider a full site service such as Website Antivirus by Sucuri
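One way to act on "watch for file changes" (and on the wp-config.php permissions item from the File Management slide), as an added PHP example rather than code from the talk: it hashes every file in the install, diffs the result against a saved baseline, and flags a wp-config.php that other users on the server can read. The install path, baseline file and script name are placeholders.

```php
<?php
// Added example, not code from the talk: hash every file in a WordPress install,
// compare against a saved baseline, and report files that were added, removed or
// changed, plus a check that wp-config.php is not readable by group/other.
// Usage (paths are placeholders): php wp-integrity.php /var/www/html /root/baseline.json

// SHA-256 of every file under $root, keyed by path relative to the install.
function hash_tree( string $root ): array {
    $root   = rtrim( $root, '/' );
    $hashes = [];
    $files  = new RecursiveIteratorIterator( new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ) );
    foreach ( $files as $file ) {
        if ( $file->isFile() ) {
            $hashes[ substr( $file->getPathname(), strlen( $root ) + 1 ) ] = hash_file( 'sha256', $file->getPathname() );
        }
    }
    ksort( $hashes );
    return $hashes;
}
// Compare two baselines; 'changed' means a file that still exists was modified in place.
function diff_trees( array $old, array $new ): array {
    $same_paths = array_intersect_key( $new, $old );
    return [
        'added'   => array_keys( array_diff_key( $new, $old ) ),
        'removed' => array_keys( array_diff_key( $old, $new ) ),
        'changed' => array_keys( array_filter( $same_paths, fn( $h, $p ) => $old[ $p ] !== $h, ARRAY_FILTER_USE_BOTH ) ),
    ];
}
// wp-config.php holds the database credentials; any group/other read bit is a finding.
function wp_config_world_readable( string $root ): bool {
    $path = rtrim( $root, '/' ) . '/wp-config.php';
    return file_exists( $path ) && ( fileperms( $path ) & 0044 ) !== 0;
}
[ , $root, $baseline_file ] = $argv + [ null, '.', 'baseline.json' ]; // keep the baseline outside the web root
$current = hash_tree( $root );
if ( ! file_exists( $baseline_file ) ) { // first run: record the known-good state
    file_put_contents( $baseline_file, json_encode( $current ) );
    exit( 0 );
}
$diff = diff_trees( json_decode( file_get_contents( $baseline_file ), true ), $current );
foreach ( $diff as $kind => $paths ) {
    foreach ( $paths as $path ) {
        echo strtoupper( $kind ) . ": $path\n";
    }
}
if ( wp_config_world_readable( $root ) ) {
    echo "WARNING: wp-config.php is readable by group/other\n";
}
exit( array_sum( array_map( 'count', $diff ) ) ? 1 : 0 ); // non-zero exit so cron/monitoring can alert
```

Run it on a schedule against the code tree and re-record the baseline right after you apply updates; wp-content/uploads and cache directories change legitimately, so review those separately or exclude them.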
![Page 18: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/18.jpg)
Stage 3: Recovery
What do you do when your site is hacked?
![Page 19: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/19.jpg)
What is your plan?
What is the plan in the event of an attack?
Create your plan before you need it!
Who will restore the site from the backup?
Who will scan your site looking for how the attack happened?
Change all your passwords
![Page 20: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/20.jpg)
Developer Security
![Page 21: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/21.jpg)
Developer Setup
Always develop with Debug mode on (on your development copy; keep it off in production so errors are not shown to visitors)
◦ define( 'WP_DEBUG', true );
Use a developer plugin such as Query Monitor
![Page 22: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/22.jpg)
Important WordPress Functions
current_user_can
◦ Checks if the user has the correct permission
ABSPATH
◦ Checks if the file is being called directly
if ( ! current_user_can( 'moderate_comments' ) ) {
    echo 'You do not have permission';
    return;
}
if ( ! defined( 'ABSPATH' ) ) exit;
![Page 23: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/23.jpg)
Data Validation
◦ Never trust user input!
◦ Check if the data entered is the correct data.
intval( $_GET["entered_number"] );
is_email( $_GET["entered_email"] );
if ( ! empty( $random_string ) )
![Page 24: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/24.jpg)
Sanitize
◦ WordPress has many helper functions to assist you!
sanitize_email( $entered_email );
sanitize_text_field( $entered_text );
![Page 25: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/25.jpg)
Escape All Output
◦ Ensure all displayed data is secure
◦ Again, WordPress has lots of helper functions
esc_html( $my_html );
esc_url( $my_pic_url );
<ul class="<?php echo esc_attr( $my_class ); ?>">
<a href="#" onclick="<?php echo esc_js( $my_js ); ?>">Click me</a>
![Page 26: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/26.jpg)
Use $wpdb
◦ If you are doing anything with the database, use the $wpdb abstraction class
◦ Has functions for inserting, deleting, updating, querying, and more!
![Page 27: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/27.jpg)
Nonces
◦ We use nonces to prevent cross site scripting hacking attempts
◦ Nonces are generated numbers used to verify origin and intent
wp_nonce_field( 'edit_form', 'edit_form_nonce' );
if ( ! wp_verify_nonce( $_POST["edit_form_nonce"], 'edit_form' ) ) {
    return;
}
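An added example (not code from the talk or from the speaker's plugin) that puts the ABSPATH guard, nonce check, capability check, validation, sanitizing, $wpdb and output escaping from the preceding slides into one admin form handler, in the order a request should pass them. WordPress nonces guard against cross-site request forgery, that is, a request a logged-in user never intended to send. The hook, field and table names prefixed lds_ are placeholders.

```php
<?php
// Added example, not code from the talk: one form handler that applies the
// checks from the preceding slides in order (ABSPATH guard, nonce, capability,
// validation/sanitizing, $wpdb, escaping). Assumes it lives in a plugin file;
// the table, field and hook names are placeholders.

// Stop direct requests to this file; only WordPress may load it.
if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// Render the form, escaping every dynamic value at the point of output.
function lds_render_form( string $default_email = '' ): string {
    $html  = '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    $html .= '<input type="hidden" name="action" value="lds_save_contact">';
    $html .= wp_nonce_field( 'lds_save_contact', 'lds_nonce', true, false ); // returned, not echoed
    $html .= '<input type="email" name="contact_email" value="' . esc_attr( $default_email ) . '">';
    $html .= '<input type="number" name="contact_age"><button type="submit">Save</button></form>';
    return $html;
}

// Handle the POST: check origin and intent, then permission, then the data.
function lds_handle_save(): void {
    global $wpdb;
    // 1. Nonce: refuses requests forged from another site (cross-site request forgery).
    if ( ! isset( $_POST['lds_nonce'] ) || ! wp_verify_nonce( $_POST['lds_nonce'], 'lds_save_contact' ) ) {
        wp_die( esc_html__( 'Request could not be verified.', 'lds' ), '', array( 'response' => 403 ) );
    }
    // 2. Capability: a valid nonce from a user without the right is still refused.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You do not have permission.', 'lds' ), '', array( 'response' => 403 ) );
    }
    // 3. Validate and sanitize: never trust user input.
    $email = sanitize_email( wp_unslash( $_POST['contact_email'] ?? '' ) );
    $age   = intval( $_POST['contact_age'] ?? 0 );
    if ( ! is_email( $email ) || $age < 0 || $age > 150 ) {
        wp_die( esc_html__( 'Invalid input.', 'lds' ), '', array( 'response' => 400 ) );
    }
    // 4. Database: prepare() and insert() quote the values, so user data never becomes SQL.
    $table  = $wpdb->prefix . 'lds_contacts'; // placeholder table created elsewhere
    $exists = $wpdb->get_var( $wpdb->prepare( "SELECT id FROM {$table} WHERE email = %s", $email ) );
    if ( null === $exists ) {
        $wpdb->insert( $table, array( 'email' => $email, 'age' => $age ), array( '%s', '%d' ) );
    }
    wp_safe_redirect( admin_url( 'admin.php?page=lds&saved=1' ) );
    exit;
}
add_action( 'admin_post_lds_save_contact', 'lds_handle_save' );
```

The order matters: the nonce and capability checks reject bad requests before any user data is read, and escaping happens only in the rendering function, never on the way into the database.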
![Page 28: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/28.jpg)
Check out our free WordPress plugin: My WordPress Health Check
![Page 29: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/29.jpg)
Check out our free email course on WordPress security: mylocalwebstop.com/freecourse
![Page 30: Locking Down Your WordPress Site](https://reader035.fdocuments.net/reader035/viewer/2022070600/589d1e4f1a28ab61128b6f4b/html5/thumbnails/30.jpg)
Q & A