
Most WordPress security issues revolve around plugins and themes. timthumb.php was a file included in many WordPress themes and plugins; developers use it to resize images to fit their site. Since the TimThumb vulnerability was disclosed last year, it is estimated that a couple of million WordPress sites were compromised. The vulnerability allowed arbitrary files to be uploaded to a site. One of my websites was compromised, so I moved security to the top of my list of priorities when making a site.
Best Practices
Update WordPress and all plugins as soon as updates are released – running outdated software is the biggest vulnerability
Change the admin default login name
Change the login path (plugin)
Include a custom database prefix on install
Always do your updates
Use as few plugins as possible
Make sure your plugins are safe (only download from known sources – like www.wordpress.org)
Don’t just disable plugins. Remove them.
Use strong passwords
Remove or replace the WordPress version string.
Hold comments for moderation in Discussion Settings, or
require that a user has an approved login before making any comments
Use an anti-spam tool (Akismet, Captcha)
If others have access make sure they use strong passwords
Do not use the same password
Change passwords periodically
Backup site regularly (I use Backupbuddy for auto backups)
Site Malware and Blacklist Scan
Sucuri Scanner – online scanner. Sucuri also sells a plugin scanner for 9.99.
Top WordPress Security Plugins
Bulletproof Security (locks .htaccess files)
WordPress Website Security Protection: BulletProof Security protects your WordPress website from XSS, RFI, CRLF, CSRF, Base64, Code Injection and SQL Injection hacking attempts. One-click .htaccess WordPress security protection. Protects wp-config.php, bb-config.php, php.ini, php5.ini, install.php and readme.html with .htaccess security protection. One-click Website Maintenance Mode (HTTP 503). Additional website security checks: DB errors off, file and folder permissions check… System Info: PHP, MySQL, OS, Memory Usage, IP, Max file sizes… Built-in .htaccess file editing, uploading and downloading.
WordPress Firewall 2 (locks .php files, tracks the IP addresses of attacks)
This plugin intelligently whitelists and blacklists pathological-looking phrases, based on which field they appear within, in a page request (unknown/numeric parameters vs. known post bodies, comment bodies, etc.). Its purpose is not to replace prompt and responsible upgrading, but rather to mitigate 0-day attacks and let bloggers sleep better at night.
Ultimate Security Checker (best scanner – seeks out malicious code)
Our plugin identifies security problems with your WordPress Installation. It scans your blog for hundreds of known threats, then gives you a security “grade” based on how well you have protected yourself. You can fix the problems yourself, or you can use our help to do it for you automatically.
Login Lockdown
Login LockDown records the IP address and timestamp of every failed login attempt. If more than a certain number of attempts are detected within a short period of time from the same IP range, the login function is disabled for all requests from that range. This helps to prevent brute-force password discovery. Currently the plugin defaults to a 1-hour lockout of an IP block after 3 failed login attempts within 5 minutes. This can be modified via the Options panel. Administrators can release locked-out IP ranges manually from the panel.
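The lockout policy just described, modelled as an added stand-alone example (not the plugin's own code, and not a WordPress hook): failures are counted per IP block, the block is locked once the threshold is hit inside the window, and an administrator can release it. It assumes an IP "range" means a /24 block and that timestamps are plain seconds.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network


class LoginLockdown:
    """Model of the Login LockDown policy: failures are counted per IP block,
    and max_failures inside window_seconds locks that block for lockout_seconds."""
    def __init__(self, max_failures=3, window_seconds=300,
                 lockout_seconds=3600, block_prefix=24):
        self.max_failures = max_failures      # plugin default: 3 attempts
        self.window = window_seconds          # plugin default: 5 minutes
        self.lockout = lockout_seconds        # plugin default: 1 hour
        self.prefix = block_prefix            # assumption: a "range" is a /24
        self.failures = defaultdict(list)     # block -> timestamps of failures
        self.locked_until = {}                # block -> time the lock expires
    def _block(self, ip):
        # ip_address() validates the input; ip_network() collapses it to its block
        return str(ip_network(f"{ip_address(ip)}/{self.prefix}", strict=False))
    def is_locked(self, ip, now):
        block = self._block(ip)
        if block in self.locked_until and now < self.locked_until[block]:
            return True                       # lock still in force
        self.locked_until.pop(block, None)    # drop an expired lock
        return False
    def record_failure(self, ip, now):
        # Log a failed login; return True if this failure trips the lock
        block = self._block(ip)
        recent = [t for t in self.failures[block] if now - t < self.window]
        recent.append(now)
        if len(recent) >= self.max_failures:
            self.locked_until[block] = now + self.lockout
            self.failures[block] = []         # counter restarts after the lock
            return True
        self.failures[block] = recent
        return False
    def release(self, ip):                    # administrator's manual release
        self.locked_until.pop(self._block(ip), None)


def simulate(events, **policy):
    """Replay constructed (time, ip, password_ok) events; return decisions."""
    guard = LoginLockdown(**policy)
    decisions = []
    for now, ip, password_ok in events:
        if guard.is_locked(ip, now):
            decisions.append("blocked")       # refused even with a right password
        elif password_ok:
            decisions.append("allowed")
        elif guard.record_failure(ip, now):
            decisions.append("locked")        # this failure tripped the lock
        else:
            decisions.append("failed")
    return decisions
```

Note that a correct password from a locked block is still refused until the hour is up, which is what stops a guessing run from being rewarded on its last try.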
Wp Email Guard
WP Email Guard protects the email addresses included in any post or page from being crawled by spammers. It converts every email address in your post body into JavaScript code, so the addresses are readable and clickable by humans only.
WordPress File Monitor
Monitors your WordPress installation for added/deleted/changed files. When a change is detected an email alert can be sent to a specified address.
Growmap Anti Spambot Plugin
This plugin adds a client-side-generated checkbox to your comment form asking users to confirm that they are not a spammer. Clicking a box is much less trouble than entering a captcha, and because the box is generated by client-side JavaScript that bots cannot see, it should stop 99% of all automated spam bots.
Live a Secure Life
1Password – secure password storage software
1Password for Mac can create strong, unique passwords for you, remember them, and restore them, all directly in your web browser. You can also securely store Secure Notes, Software Licenses, Credit Cards, Attachments, and much more.
Run Malware/Virus scans often on your system
Hardening WordPress – WordPress's own document on securing a site.
Companies like Reputation.com offer an array of tools and services that can monitor, protect or repair your online presence.