wordpress-security-basics




Presentation on WordPress Security Basics based on http://stevegrunwell.com/blog/wordpress-security-basics

On GitHub: stevegrunwell/wordpress-security-basics

WordPress Security Basics

Steve Grunwell / @stevegrunwell

Play along at home! stevegrunwell.github.io/wordpress-security-basics

Who am I?

Don't worry, it'll be okay

Passwords

Keeping WordPress Current

Major v. Point Releases

Major releases have version numbers like 4.1 and usually contain new features and functionality.

Point releases (4.0.1) fix bugs and patch security holes. Since WordPress 3.7 they are applied automatically in the background by default, so do not turn that off without a plan to apply them yourself.

Knowing who to blame

Remember: if core upgrades break your site, it's most likely the theme or plugin that's broken, not core!

Third-party risks

User Management

Security begins at home:

Your site is only as strong as its weakest user!

Restrict user capabilities

  • Re-evaluate who has access and what level of control they have on your site
  • Use WordPress roles and capabilities to restrict access
  • Limit users' capabilities to what's needed and nothing more
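As an added example (not code from the talk or from WordPress core) of restricting capabilities in practice, the must-use plugin below does two things: registers a narrow role for someone who only needs to write and publish posts, and strips the `unfiltered_html` capability from every non-administrator at runtime so a compromised editor account cannot publish raw script tags. The role name `content_manager`, its capability list, the `example_` prefix and the single-site (non-multisite) setup are assumptions for illustration.

```php
<?php
/**
 * Plugin Name: Least-privilege roles (added example)
 *
 * Added example, not code from the talk or from WordPress core. Assumptions:
 * it is dropped into wp-content/mu-plugins/ so it always loads, the site is a
 * single-site install, and the role name "content_manager" plus its
 * capability list are illustrative, not a recommendation.
 */

// 1. A narrow role for someone who only writes and publishes posts.
//    add_role() persists the role to the database, so guard it with
//    get_role() rather than re-creating it on every request.
add_action( 'init', function () {
	if ( get_role( 'content_manager' ) ) {
		return;
	}
	add_role( 'content_manager', 'Content Manager', array(
		'read'                 => true,
		'upload_files'         => true,
		'edit_posts'           => true,
		'edit_published_posts' => true,
		'publish_posts'        => true,
		'delete_posts'         => true,
		// Deliberately absent: edit_others_posts, edit_pages, manage_options,
		// install_plugins, edit_themes, list_users, unfiltered_html.
	) );
} );

// 2. Runtime hardening for the built-in roles: on a single site, editors as
//    well as administrators hold unfiltered_html, which lets them publish raw
//    <script> that kses would otherwise strip. Remove it from everyone except
//    administrators. user_has_cap is evaluated per request and writes nothing
//    to the database, so it is safe to ship in an mu-plugin.
add_filter( 'user_has_cap', function ( $allcaps, $caps, $args, $user ) {
	if ( ! in_array( 'administrator', (array) $user->roles, true ) ) {
		unset( $allcaps['unfiltered_html'] );
	}
	return $allcaps;
}, 10, 4 );
```

Check the result from an editor's account: after this loads, `current_user_can( 'unfiltered_html' )` returns false for that user and a pasted `<script>` tag is stripped on save. The constant `DISALLOW_UNFILTERED_HTML` in wp-config.php achieves the same thing for all users including administrators, if that is acceptable for your site.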

Avoid the "admin" username

Automated scripts and botnets usually try the username "admin" first, because it was the historical default and has full privileges.

Not having that username at all takes your site out of the pool those indiscriminate "drive-by" attacks are fishing in. It does nothing against an attacker who has already found a real username, and author archives make usernames easy to find.

Security through obscurity…

Security plugins

Your mileage with all-in-one plugins may vary

Limit Login Attempts

  • Temporarily block an IP address after a certain number of failed login attempts
  • Extremely effective against brute-force attacks
  • It hasn't been updated for a long time, but still works
  • wordpress.org/plugins/limit-login-attempts/
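To make clear what a lockout plugin actually does, here is an added example (my own code, not the Limit Login Attempts plugin's) of the mechanism: count failed logins per client address in transients and refuse further attempts for a while once a limit is reached. The `example_` prefix, the numeric limits and the assumption that the site is not behind a reverse proxy or CDN are illustrative, not recommendations.

```php
<?php
/**
 * Plugin Name: Login lockout (added example)
 *
 * Added example, not the Limit Login Attempts plugin's code. Assumptions:
 * dropped into wp-content/mu-plugins/; the site is not behind a reverse
 * proxy or CDN (so REMOTE_ADDR really is the client); the limits below are
 * illustrative values.
 */

const EXAMPLE_LOCKOUT_MAX_FAILURES = 5;    // failures before the block starts
const EXAMPLE_LOCKOUT_WINDOW       = 900;  // seconds a failure is remembered
const EXAMPLE_LOCKOUT_DURATION     = 1800; // seconds the block lasts

/** Transient name scoped to the client address. */
function example_lockout_key( $suffix ) {
	// Behind a proxy every visitor shares REMOTE_ADDR, so one attacker would
	// lock out everybody. There you must take the client IP from the proxy's
	// header, and trust that header only when REMOTE_ADDR is a known proxy.
	$ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
	return 'example_lockout_' . $suffix . '_' . md5( $ip );
}

/** True while the client address is blocked. */
function example_lockout_is_blocked() {
	return (bool) get_transient( example_lockout_key( 'blocked' ) );
}

// Priority 30 runs after core's username/password check (priority 20), so a
// blocked address is refused even when the password is correct. Both
// wp-login.php and XML-RPC go through wp_authenticate(), so both are covered.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( example_lockout_is_blocked() ) {
		return new WP_Error(
			'too_many_attempts',
			__( 'Too many failed login attempts from your address. Try again later.' )
		);
	}
	return $user;
}, 30, 3 );

// Count failures. set_transient() resets the expiry each time, so the window
// slides from the most recent failure rather than the first one.
add_action( 'wp_login_failed', function ( $username ) {
	if ( example_lockout_is_blocked() ) {
		return; // attempts refused while blocked do not extend the block
	}
	$count_key = example_lockout_key( 'failures' );
	$count     = (int) get_transient( $count_key ) + 1;

	if ( $count >= EXAMPLE_LOCKOUT_MAX_FAILURES ) {
		set_transient( example_lockout_key( 'blocked' ), time(), EXAMPLE_LOCKOUT_DURATION );
		delete_transient( $count_key );
		// Audit trail: the username shows whether this was a spray against
		// "admin" or a real user who forgot their password.
		error_log( sprintf(
			'login lockout: %s blocked after %d failures (last username: %s)',
			isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '?',
			$count,
			$username
		) );
		return;
	}
	set_transient( $count_key, $count, EXAMPLE_LOCKOUT_WINDOW );
} );

// A successful login clears the counter, so a user who mistypes twice and
// then gets it right is not carrying failures toward a block.
add_action( 'wp_login', function () {
	delete_transient( example_lockout_key( 'failures' ) );
} );
```

Without a persistent object cache, transients live in the `wp_options` table, so the counters are shared by every web node; with one, they can be evicted early, which fails open rather than closed. Whatever you use, test the "wrong password five times, then the right one" case and the proxy case before relying on it.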

Advanced Steps

Set keys and salts

codex.wordpress.org/Editing_wp-config.php#Security_Keys
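The Codex page sends you to the api.wordpress.org secret-key service to fetch values. As an added example, not WordPress's own tooling, the script below produces the same eight `define()` lines offline from the operating system's CSPRNG, which is handy on a build host without outbound access or when you want to rotate the salts during an incident (changing them invalidates every existing login cookie). The function names and the 64-character length are my choices, not anything WordPress mandates.

```php
<?php
/**
 * Added example, not WordPress's own code: print fresh wp-config.php key and
 * salt definitions from random_int() (CSPRNG-backed in PHP 7+).
 *
 * Usage: php gen-salts.php   (paste the output over the eight existing
 * defines in wp-config.php; every user will have to log in again)
 */

const WP_SECRET_CONSTANTS = array(
	'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
	'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
);

/**
 * Random printable string. The alphabet deliberately omits the single quote
 * and the backslash so the value drops into a single-quoted PHP string
 * without any escaping.
 */
function wp_example_secret( $length = 64 ) {
	$alphabet = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ'
	          . '0123456789!@#$%^&*()-_=+[]{};:,.<>?/|~';
	$max = strlen( $alphabet ) - 1;
	$out = '';
	for ( $i = 0; $i < $length; $i++ ) {
		$out .= $alphabet[ random_int( 0, $max ) ];
	}
	return $out;
}

/** The eight define() lines, one per constant, each with an independent value. */
function wp_example_salt_block() {
	$lines = '';
	foreach ( WP_SECRET_CONSTANTS as $name ) {
		$lines .= sprintf( "define( '%s', '%s' );\n", $name, wp_example_secret() );
	}
	return $lines;
}

echo wp_example_salt_block();
```

Keep wp-config.php out of version control and unreadable to other system users; the secrets are only as private as the file that holds them.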

Moving wp-content

WordPress allows you to move your wp-content/ directory to another location by defining two constants in wp-config.php:

// In wp-config.php, above the line that requires wp-settings.php
// Absolute server path
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/content' );

// No trailing slash!
define( 'WP_CONTENT_URL', 'http://example.com/content' );

Another example of security through obscurity: it sidesteps scanners that assume /wp-content/, but any plugin or theme that hard-codes that path will break, so test before relying on it.

Disable file editing

A wp-config.php constant that removes the built-in plugin and theme file editors from the dashboard, so a hijacked admin session cannot edit PHP in the browser:

define( 'DISALLOW_FILE_EDIT', true );

…or disable everything, including the plugin installer

define( 'DISALLOW_FILE_MODS', true );

This also disables automatic updates, including the security point releases, so you must deploy updates yourself through your own process.

wp-admin over SSL

Force WordPress to serve login pages over SSL (deprecated since WordPress 4.0; setting it now simply turns on FORCE_SSL_ADMIN):

define( 'FORCE_SSL_LOGIN', true );

Serve all admin and login pages over SSL, so passwords and auth cookies never cross the wire in the clear:

define( 'FORCE_SSL_ADMIN', true );

Of course, this requires that your site has a valid certificate and SSL enabled, or you will lock yourself out of wp-admin.

Additional Resources

Questions?

Steve Grunwell
Senior Web Engineer, 10up
stevegrunwell.com
@stevegrunwell

Slides: stevegrunwell.github.io/wordpress-security-basics