Security by Brad Williams [LIVEBLOG]

A little about Brad Williams’ Security talk:

Learn how to keep your WordPress-powered website secure from hackers and exploits. Brad Williams from WebDevStudios.com shows examples of hacked sites, shares tips and plugins for keeping WordPress secure, and talks about his experiences with WordPress and security.

We’ll be getting started about 9am PST.

UPDATED: Here are Brad’s slides.

Jonathan Dingman, June 1, 2013, 9:43 am

That’s a wrap!

Thanks Brad

Jonathan Dingman, June 1, 2013, 9:42 am

Plug for http://www.Dradcast.com – first live Dradcast later today.

Jonathan Dingman, June 1, 2013, 9:42 am

Check the date. If you’re looking for security and the post is 5 years old, probably better to look somewhere else.

Jonathan Dingman, June 1, 2013, 9:42 am

Maintainn is another great service. For a monthly fee, they regularly update plugins and the site; if something breaks, they help with that.

Jonathan Dingman, June 1, 2013, 9:41 am

Sucuri.net offers a free scan; go scan your site today.

http://sitecheck.sucuri.net/scanner/

Jonathan Dingman, June 1, 2013, 9:40 am

BulletProof Security is another good one.

Jonathan Dingman, June 1, 2013, 9:40 am

Update your passwords regularly. Monthly is best.

“Login lockdown” is a good WordPress security plugin.

Jonathan Dingman, June 1, 2013, 9:39 am

Use a trusted host. You get what you pay for.

[Again, WPForce.com recommends WPengine.com]

Jonathan Dingman, June 1, 2013, 9:38 am

Be locally secure. Don’t infect your own website.

Jonathan Dingman, June 1, 2013, 9:36 am

Use trusted sources for Themes and Plugins.

Jonathan Dingman, June 1, 2013, 9:32 am

Another good one…

Lock down WP Login and WP Admin

WordPress SSL:

// In wp-config.php: force HTTPS for the login page and the whole admin area.
define('FORCE_SSL_LOGIN', true);
define('FORCE_SSL_ADMIN', true);

Good way to ensure that wp-admin is served over SSL.

Jonathan Dingman, June 1, 2013, 9:31 am

Moving your wp-config.php file up one directory can add security, because WordPress will look one directory up.

[Jonathan: I wasn’t aware of these, looks pretty cool – I’ll have to check this out]

Jonathan Dingman, June 1, 2013, 9:29 am

Brad talking about one setup where they completely lock down all WordPress files to read-only and all media uploads go directly to their CDN.

[WPForce.com recommends MaxCDN.com]

Jonathan Dingman, June 1, 2013, 9:24 am

WordPress file and folder permissions.

“If you’re not comfortable with these, talk to your host”

Good rule of thumb:

Files should be set to 644
Folders should be set to 755

If your host requires 777…SWITCH HOSTS!

[WPForce.com recommends WPEngine.com]

Jonathan Dingman, June 1, 2013, 9:22 am

“Delete the Admin user account”

Jonathan Dingman, June 1, 2013, 9:21 am

Brad: Don’t use “admin” as your username.

Jonathan Dingman, June 1, 2013, 9:21 am

“anyone using the ‘admin’ username”?

[no hands go up]

Jonathan Dingman, June 1, 2013, 9:21 am

Refreshing that URL will provide random secure strings.

Uploading them won’t break your site, but it will kick you out and make you log in again.

Jonathan Dingman, June 1, 2013, 9:19 am

Secret keys.

Use them.

Resource reference: http://api.wordpress.org/secret-key/1.1/salt

Jonathan Dingman, June 1, 2013, 9:18 am

Brad talking about changelogs for WordPress plugins.

These are great so you can see what has actually been updated. Maybe they added a feature you don’t really need, but if there’s a security flaw and you need to update immediately, it should be more obvious.

Jonathan Dingman, June 1, 2013, 9:18 am

WordPress has different kinds of releases. Major releases and minor releases.

Major releases have new features.

“I don’t even think about minor updates, always do them”

Minor updates are security updates and, just as they are, minor updates.

I’ve never had a site break from a minor update.

Jonathan Dingman, June 1, 2013, 9:17 am

Brad talking about some web hosts, like WP Engine, which offer a 1-click staging environment. Create a staging environment, run an upgrade, see if it works, then push back to production.

Jonathan Dingman, June 1, 2013, 9:16 am

WordPress security…

Update, update, update. Always stay up to date.

“KEEP WORDPRESS UPDATED!”

Jonathan Dingman, June 1, 2013, 9:15 am

Talking about link injections, using display:none and having lots of spammy links that aren’t visible to the eye.

Jonathan Dingman, June 1, 2013, 9:15 am

[Brandon’s phone just got a call… from Blair Williams… Brad: “should I take it? we’re not related”]

Jonathan Dingman, June 1, 2013, 9:13 am

Brad is going over a specific WordPress link injection hack.

Jonathan Dingman, June 1, 2013, 9:12 am

Hack example: link injections. Inserting spam files, links, and spam links into WordPress themes, plugins, and core files.

Jonathan Dingman, June 1, 2013, 9:10 am

Malware stats…

403MM unique variants of malware in 2011
140% growth from the year before, 2010

Jonathan Dingman, June 1, 2013, 9:09 am

WordPress stats
73MM sites are powered by WordPress
18% of all sites run on WordPress
22 out of every 100 new domains launch with WordPress
Projected 300-500MM WordPress powered sites by 2015

Jonathan Dingman, June 1, 2013, 9:08 am

700MM sites as of May 2012, 300MM in 2011, projected to be 1B+ by the end of 2013

Jonathan Dingman, June 1, 2013, 9:06 am

Topics to go over today.

Security stats
Example WordPress hack
Top security tips
Recommended plugins & services
WordPress resources

Jonathan Dingman, June 1, 2013, 9:04 am

Brandon’s done, Brad is walking up. (And Dre is close behind him…but Dre’s not speaking ;)

Jonathan Dingman, June 1, 2013, 8:59 am

Shout out to Dradcast, happening later today – http://dradcast.com

Jonathan Dingman, June 1, 2013, 8:58 am

Brandon is giving an intro to the day, lunch, etc.

Jonathan Dingman, June 1, 2013, 8:58 am

People are settled in and we’re getting started.