WORDPRESS SECURITY USING ITHEMES SECURITY
JASON YINGLING | LEAD DEVELOPER RED8 INTERACTIVE | RED8INTERACTIVE.COM
@JASON_YINGLING | JASONYINGLING.ME
HHAM
Hosting
Hardening
Access
Maintenance
WORDPRESS HOSTING
Support for latest software
Optimized for running WordPress
Malware scanning
Work with WordPress 24/7
Backups
HARDENING
Protecting your site from common security risks
• Don’t use the ‘admin’ username
• Strong passwords
• Hide the login area
• Brute Force Protection
• 404 Protection
• Malware scanning
ACCESS
Minimize number of administrators
Remove file editing from dashboard
Two Factor Authentication
MAINTENANCE
Keep WordPress up to date
Keep plugins up to date
Remove unused themes and plugins
ITHEMES SECURITY
ITHEMES LANDING PAGE
Broken down into high priority, medium priority, and low priority
GLOBAL SETTINGS
Write to wp-config.php
Emails for lockout notifications, file change warnings, etc.
GLOBAL SETTINGS
Error messages to display to locked out users
GLOBAL SETTINGS
Enables blacklisting repeat offenders
Good idea to switch these up from the defaults
404 DETECTION
Blocks attackers scanning for known vulnerabilities
AWAY MODE
Allows for disabling access to the dashboard between certain hours
Do you really need to be able to edit 24/7?
Taking a vacation
BANNED USERS
Enable HackRepair.com’s blacklist feature
Enable Ban Users
Permanently bans attackers' IPs
BRUTE FORCE PROTECTION
Limit the number of bad login attempts before temporarily locking out the offending host
BRUTE FORCE PROTECTION
Switch it up from the default
4 Max Login Attempts Per Host
9 Max Login Attempts Per User
6 Minutes to Remember Bad Login
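The per-host and per-user limits and the 6-minute memory on this slide, modelled as a sliding-window lockout in Python and run over a constructed log of bad logins. This is an added example, not iThemes Security's own code; the log format and the LockoutPolicy class are assumptions. It also shows why the per-user limit matters: a run spread across many hosts that stays under the per-host limit is still caught by the per-user count.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Settings from the slide: 4 attempts per host, 9 per user, remember bad logins for 6 minutes
MAX_PER_HOST, MAX_PER_USER = 4, 9
REMEMBER = timedelta(minutes=6)


class LockoutPolicy:
    def __init__(self, max_host=MAX_PER_HOST, max_user=MAX_PER_USER, window=REMEMBER):
        self.max_host, self.max_user, self.window = max_host, max_user, window
        self.by_host = defaultdict(deque)  # client ip -> timestamps of recent bad logins
        self.by_user = defaultdict(deque)  # username  -> timestamps of recent bad logins
        self.lockouts = []                 # (iso time, "host" or "user", key)

    def _prune(self, dq, now):
        # Forget bad logins that fall outside the remember window
        while dq and now - dq[0] > self.window:
            dq.popleft()

    def failed_login(self, when, host, user):
        """Record one bad login; return the lockouts it triggers, if any."""
        triggered = []
        for kind, key, dq, limit in (("host", host, self.by_host[host], self.max_host),
                                     ("user", user, self.by_user[user], self.max_user)):
            self._prune(dq, when)
            dq.append(when)
            if len(dq) >= limit:
                triggered.append((when.isoformat(), kind, key))
                dq.clear()  # lockout issued; the counter starts again afterwards
        self.lockouts.extend(triggered)
        return triggered


def replay(lines):
    """Feed constructed '<ISO time> <client ip> <username>' lines to a fresh policy."""
    policy = LockoutPolicy()
    for line in lines:
        ts, host, user = line.split()
        policy.failed_login(datetime.fromisoformat(ts), host, user)
    return policy.lockouts


# Constructed sample log: one noisy host, one slow retry, then nine hosts sharing a target
SAMPLE_LOG = [
    "2024-01-01T10:00:00 203.0.113.5 admin",
    "2024-01-01T10:00:30 203.0.113.5 admin",
    "2024-01-01T10:01:00 203.0.113.5 admin",
    "2024-01-01T10:01:30 203.0.113.5 admin",    # 4th bad login from this host -> host lockout
    "2024-01-01T10:20:00 198.51.100.1 editor",
    "2024-01-01T10:30:00 198.51.100.1 editor",  # 10 min apart: the first is already forgotten
] + [f"2024-01-01T11:00:{i:02d} 192.0.2.{i + 1} admin" for i in range(9)]  # 9th -> user lockout
```

Calling `replay(SAMPLE_LOG)` yields exactly two lockouts: the host lockout at 10:01:30 and the user lockout for admin at 11:00:08, while the spaced-out editor retries trigger nothing.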
DATABASE BACKUPS
Sends a database backup via email or stores it on the server
Plugins
• BackupBuddy
• BackWPUp
• WPmudev Snapshot
• VaultPress
FILE CHANGE DETECTION
Allows you to include and exclude specific files that may change often
Helpful to see what files were changed if an attack happens
HIDE LOGIN AREA
Change login URL from /wp-admin to /something-else
Makes it difficult for an attacker to find the login area
Avoid using the iThemes default /wplogin
SSL
Requires SSL setup on server
Allows you to force SSL for Dashboard
STRONG PASSWORDS
Enables you to force strong passwords for users for certain user roles
SYSTEM TWEAKS
Some of this may be performed by your host
Good idea to have on unless you know something conflicts on your site
WORDPRESS TWEAKS
ADVANCED SETTINGS
Change name of ‘admin’ user
Change user with id of 1
ADVANCED SETTINGS
Change WordPress salts
ADVANCED SETTINGS
Change name of wp-content directory
Not necessary on most WP specific hosts
ADVANCED SETTINGS
Change database prefix to make your tables harder to find
ITHEMES SECURITY PRO
Allows you to temporarily bump a user's access
ITHEMES SECURITY PRO
More password options
Password generator on user profile
Password expiration
Force password change
ITHEMES SECURITY PRO
Use Google’s reCAPTCHA for login, registration, and commenting
ITHEMES SECURITY PRO
Allows users to set up Two Factor Authentication using the Google Authenticator app
ITHEMES SECURITY PRO
Logs user activities for a given role, such as logging in, saving content, and more
LOCKED YOURSELF OUT?
Log in to your database via phpMyAdmin or a program like Sequel Pro
Navigate to the itsec_lockouts table
Delete the row with your IP
LOCKED YOURSELF OUT?
Disable plugin via FTP
Navigate to /wp-content/plugins
Rename the ithemes-security plugin directory
QUESTIONS?
Jason Yingling | Red8 Interactive
@jason_yingling
http://jasonyingling.me