Do Less Work By Securing Your WordPress Site From Hackers Thomas Howard

Upload: triet-sai-gon

Post on 18-Nov-2014


DESCRIPTION

Securing WordPress against hackers to reduce your workload :)

TRANSCRIPT

Page 1: Saigon Wordpress Meetup - Do Less Work By Securing Your Wordpress Site From Hacker - Thomas

Do Less Work

By Securing Your WordPress Site From Hackers

Thomas Howard

Page 2:

Wordpress Statistics

• 60+ Million Wordpress Sites

• 22% of top 10 million websites powered by WP

• 73% of the 40,000 top WP sites running vulnerable version

• Basic Vulnerabilities found in 50 Top WP Plugins

[Pie chart: Top 10 Million Sites, 22% WordPress / 78% not WordPress]

Page 3:

The 80/20 Rule of WP Security

• Pareto Principle - Roughly 80% of the effects come from 20% of the causes

• How can we prevent the most amount of attacks with the least amount of work?

Page 4:

WordPress Attack Vectors

[Chart: Attack Vectors, Hosting 41% / Theme 29% / Plugin 22% / Password 8%]

• 41% were hacked through a security vulnerability on their hosting platform

• 29% were hacked via a security issue in the WordPress theme they were using

• 22% were hacked via a security issue in the WordPress plugins they were using

• 8% were hacked because they had a weak password

Page 5:

Hosting

• Use a trusted host!

• Laughing Squid or A Small Orange for cheap shared hosting

• Get off shared hosting!

• Better yet, use WP Engine and skip the rest of these slides!

Page 6:

Themes

• DON’T use free themes!

• Use a trusted source for themes:
– Wordpress.org
– Themeforest
– WooThemes

• Use a secure theme framework:
– Genesis
– Thesis

[Pie chart: Free Themes on Google, Safe 10% / Questionable 10% / Infected 80%]

Page 7:

Secure the WP Installation

• Easiest Way – Use a Security Plugin
– iThemes Security (formerly Better WP Security)
– Wordfence

• Examples using iThemes Security

Page 8:

Secure Database

• Don’t use the standard wp_ table prefix

Page 9:

Force Secure Passwords

Page 10:

Limit Login Attempts

Page 11:

Change Admin Username & User ID=1

Page 12:

Other Useful (and easy) Tweaks

• Enable HackRepair.com's blacklist feature

• Enable 404 detection

• Protect System Files

• Disable Directory Browsing

• Filter Request Methods

• Filter Suspicious Query Strings in the URL

• Filter Non-English Characters (only for English-only sites)

• Filter Long URL Strings

• Remove File Writing Permissions

• Disable PHP in Uploads

• Remove WordPress Generator Meta Tag

• Remove the Windows Live Writer header.

• Remove the RSD (Really Simple Discovery) header.

• Reduce Comment Spam (also you should be using Akismet or Disable Comments)

• Display Random Version

• Disable XMLRPC (unless you use trackbacks or Jetpack)

• Disable a user's author page if their post count is 0.
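Several of the tweaks on this slide (the generator tag, the Windows Live Writer and RSD headers, XML-RPC, request-method filtering and the empty author page) can be applied with core WordPress hooks and no security plugin. The following must-use plugin is an added example, not code from the talk or from iThemes Security; it assumes a stock WordPress install and does the request-method check in PHP rather than in the web server configuration.

```php
<?php
/**
 * Plugin Name: Meetup hardening tweaks (added example, not part of the talk)
 * Description: Drop this file into wp-content/mu-plugins/ so it loads on every request.
 */

// Remove the WordPress generator meta tag (it advertises the exact WP version).
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' ); // also strips the version from feeds

// Remove the Windows Live Writer manifest link.
remove_action( 'wp_head', 'wlwmanifest_link' );

// Remove the RSD (Really Simple Discovery) link.
remove_action( 'wp_head', 'rsd_link' );

// Disable XML-RPC. Leave this line out if the site relies on trackbacks or Jetpack.
add_filter( 'xmlrpc_enabled', '__return_false' );

// Filter request methods: answer only GET, POST and HEAD; everything else gets 405.
// Caveat: the REST API (WP 4.4+) uses PUT and DELETE, so drop this block if the site needs them.
add_action( 'init', function () {
    $method = isset( $_SERVER['REQUEST_METHOD'] ) ? strtoupper( $_SERVER['REQUEST_METHOD'] ) : 'GET';
    if ( ! in_array( $method, array( 'GET', 'POST', 'HEAD' ), true ) ) {
        status_header( 405 );
        header( 'Allow: GET, POST, HEAD' );
        exit;
    }
} );

// Disable a user's author page when their post count is 0, so the author archive
// never exposes accounts that exist only for administration and never publish.
add_action( 'template_redirect', function () {
    if ( ! is_author() ) {
        return;
    }
    $author = get_queried_object();
    if ( ! ( $author instanceof WP_User ) || 0 === (int) count_user_posts( $author->ID ) ) {
        global $wp_query;
        $wp_query->set_404();
        status_header( 404 );
        nocache_headers();
    }
} );
```

After deploying, view the page source of the front page and confirm the `generator`, `wlwmanifest` and `EditURI` lines are gone, and that an author URL for a user with no posts returns the theme's 404 page.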

Page 13:

Backups!

• Set up automatic backups!

• iThemes Security allows you to schedule backups to be stored on the server and emailed

• Backup Buddy is awesome

• So is ManageWP

Page 14:

Updates!

• Good news! The latest WP automatically updates for security patches!

• Make modifications safely: use child themes.

• Test new updates on a development site.

Page 15:

Summary

1. Hosting
2. Themes
3. Plugins
4. Core
5. Backup
6. Update

Page 16:

Questions?

Learn more at MakeWP.com/wp-security-talk