25 Ways to Secure WordPress

Mike Selander

http://bit.ly/1GdE3Ge

30,000 Sites Are Hacked Every Day

And... most are WordPress

And... most are easily preventable

1

Use Strong Passwords

Seriously, do it.

Dashlane
LastPass
1Password

2

Delete the "admin" user

3

Use 2-factor Authentication

Google Authenticator
Duo Security
Two Factor Auth

4

Change Your Login URL

5

Keep Your Computer Clean

Webroot
Avast
AVG

6

Update Everything All the Time

Add to wp-config.php

define( 'WP_AUTO_UPDATE_CORE', true );

7

Delete Unneeded Plugins

8

Take Backups & Store Offsite

Vaultpress
BackupBuddy
BackWPUp
BackUpWordPress

9

Use a Secure Theme

10

Install an Auditing/Logging Plugin

Stream
WP Security Audit Log
Audit Trail

11

Install a Security Plugin

iThemes Security
WordFence*
Bulletproof

*I include this with hesitation. It's one of the most compromised plugins in the entire repo.

12

Use SSL for login & admin / whole site

Easy Way
Force SSL

Hard Way

wp-config.php

define( 'FORCE_SSL_ADMIN', true );

.htaccess

# mod_rewrite rules only apply once the engine is switched on
RewriteEngine On
# Redirect every plain-HTTP request (port 80) to its HTTPS equivalent
RewriteCond %{SERVER_PORT} 80
RewriteRule ^(.*)$ https://example.com/$1 [R=301,L]

13

Server-side Compromise Scanning

Sucuri

14

WAF - Web Application Firewall

Sucuri
Ninja Firewall
Cloudflare

15

Disable File Editors

Add to wp-config.php

define( 'DISALLOW_FILE_EDIT', true );

16

Disallow unfiltered HTML

Add to wp-config.php

define( 'DISALLOW_UNFILTERED_HTML', true );

17

Block access to XMLRPC

Add to functions.php (or similar)

add_filter( 'xmlrpc_enabled', '__return_false' );

Add to .htaccess

# START XML RPC BLOCKING
# Apache 2.2 syntax; on Apache 2.4 use "Require all denied" inside the block
<Files xmlrpc.php>
Order Deny,Allow
Deny from all
</Files>
# FINISH XML RPC BLOCKING

18

Disable Error Reporting

Add to wp-config.php

// Keep errors out of the HTML sent to visitors (they leak file paths and queries)
ini_set( 'display_errors', 0 );
// Still record everything in the server's error log
error_reporting( E_ALL | E_STRICT );

19

Move wp-config.php

20

Check Your File Permissions

Mass Overwrite

# Web server owns everything; "." rather than "*" so dotfiles such as .htaccess are included
chown -R www-data:www-data .
# Directories 755, files 644
find . -type d -exec chmod 755 {} \;
find . -type f -exec chmod 644 {} \;

# wp-content is group-writable so your upload account can write to it
# (ftp-user is whichever user you use to upload the files)
chown -R www-data:ftp-user wp-content
chmod -R 775 wp-content
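The commands above overwrite every mode in the tree. As an added check (not from the slides), the script below audits a WordPress directory against that same 755/644 scheme (775/664 tolerated under wp-content) and reports deviations and world-writable paths instead of silently resetting them. It assumes GNU find (for -printf) and adds one rule stricter than the slide: wp-config.php, which holds the DB credentials and salts, should not be readable by "other".

```shell
#!/bin/sh
# Added example, not part of the original slides.
# Assumes GNU find (-printf). Permission scheme: dirs 755, files 644,
# dirs 775 / files 664 allowed under wp-content, wp-config.php not world-readable.

# audit_wp_perms DIR
# Prints one line per finding as "KIND MODE PATH"; returns 0 when clean, 1 otherwise.
audit_wp_perms() {
  dir=${1%/}
  [ -d "$dir" ] || { echo "not a directory: $1" >&2; return 2; }
  wpc="$dir/wp-content"
  findings=$(
    # Directories outside wp-content must be exactly 0755.
    find "$dir" -type d ! -path "$wpc" ! -path "$wpc/*" ! -perm 0755 -printf 'DIR %m %p\n'
    # wp-content may also be 0775: group-writable for the upload user (chmod -R 775 above).
    [ -d "$wpc" ] && find "$wpc" -type d ! -perm 0755 ! -perm 0775 -printf 'DIR %m %p\n'
    # Regular files: 0644 everywhere, 0664 tolerated under wp-content.
    # wp-config.php is checked separately below, so it is excluded here.
    find "$dir" -type f ! -path "$wpc/*" ! -path "$dir/wp-config.php" ! -perm 0644 \
      -printf 'FILE %m %p\n'
    [ -d "$wpc" ] && find "$wpc" -type f ! -perm 0644 ! -perm 0664 -printf 'FILE %m %p\n'
    # Anything world-writable lets any local account edit code or drop files into the site.
    find "$dir" -perm -o+w -printf 'WORLD-WRITABLE %m %p\n'
    # Secrets file readable by "other" (stricter than the slide's 644; 640 or 600 is the usual target).
    [ -f "$dir/wp-config.php" ] && find "$dir/wp-config.php" -perm -o+r -printf 'SECRET-READABLE %m %p\n'
    true
  )
  [ -n "$findings" ] || return 0
  printf '%s\n' "$findings"
  return 1
}

# count_wp_findings DIR: number of findings, handy for cron checks and tests.
count_wp_findings() {
  audit_wp_perms "$1" | grep -c . || true
}
```

Run it as `audit_wp_perms /var/www/html` from cron and alert on a non-zero exit; a sudden WORLD-WRITABLE or unexpected FILE entry is a cheap integrity signal.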

21

Change DB Table Prefix

Starts as wp_
Change to xx_

22

Resalt/Salt WordPress

https://api.wordpress.org/secret-key/1.1/salt/

23

Use an Excellent Host

WP Engine
Pagely
Flywheel

24

Use a Blacklist/IP Blocker

25

Disable Pingbacks

SQL Query

-- Close pingbacks on every existing post; adjust "wp_" if you changed the table prefix (tip 21)
UPDATE wp_posts SET ping_status = 'closed' WHERE ping_status = 'open';

Thank you

MikeSelander.com
@Mike_Selander

Old Town Media

http://bit.ly/1GdE3Ge