A little about Brad Williams’ Security talk:
Learn how to keep your WordPress-powered website secure from hackers and exploits. Brad Williams from WebDevStudios.com shows examples of hacked sites, shares tips and plugins for keeping WordPress secure, and talks about his experiences with WordPress and security.
We’ll be getting started about 9am PST.
UPDATED: Here are Brad’s slides.
that’s a wrap!
Check the date. If you’re looking for security and the post is 5 years old, probably better to look somewhere else.
Maintainn is another great service. Monthly fee, they regularly update plugins and site, if something breaks, they help with that.
BulletProof security is another good one.
Update your passwords regularly. Monthly is best.
“Login lockdown” is a good WordPress security plugin.
Be locally secure. Don’t infect your own website.
Use trusted sources for Themes and Plugins.
another good one…
Lock down WP Login and WP Admin
Good way to ensure that wp-admin is served over SSL.
Moving your wp-config.php file up one directory can add security, because WordPress will look one directory up.
[Jonathan: I wasn’t aware of these, looks pretty cool – I’ll have to check this out]
Brad talking about one setup where they completely lock down all WordPress files to read-only and all media uploads go directly to their CDN
[WPForce.com recommends MaxCDN.com]
WordPress file and folder permissions.
“If you’re not comfortable with these, talk to your host”
Good rule of thumb:
Files should be set to 644
Folder should be set to 755
If your host requires 777…SWITCH HOSTS!
[WPForce.com recommends WPEngine.com]
“Delete the Admin user account”
Brad: Don’t use “admin” as your username.
“anyone using the ‘admin’ username”?
[no hands go up]
Refreshing that URL will provide random secure strings.
Uploading them won’t break your site, but will kick you out and login again.
Brad talking about Changelogs for WordPress plugins.
These are great so you can see what has actually been updated. Maybe they added a feature you don’t really need, but if there’s a security flaw and you need to update immediately, it should be more obvious.
WordPress has different kinds of releases. Major releases and minor releases.
Major releases have new features.
“I don’t even think about minor updates, always do them”
Minor updates are security updates and, just as they are, minor updates.
I’ve never had a site break from a minor update.
Brad talking about some web hosts, like WP Engine, which offer a 1-click staging environment. create a staging environment, run an upgrade, see if it works, then push back to production.
update update update, always stay up to update.
“KEEP WORDPRESS UPDATED!”
Talking about link injections, using display:none and having lots of spammy links that aren’t visible to the eye.
[Brandon’s phone just got a call..from Blair Williams… Brad: “should I take it? we’re not related”]
Brad is going over a specific WordPress link injection hack.
Hack example, link injections. insert spam files, links, spam links, into WordPress themes, plugins, and core files.
403MM unique variants of malware in 2011
140% growth from the year before, 2010
73MM sites are powered by WordPress
18% of all sites run on WordPress
22 out of every 100 new domains launch with WordPress
Projected 300-500MM WordPress powered sites by 2015
700MM sites as of May 2012, 300MM in 2011, projected to be 1B+ by the end of 2013
Topics to go over today.
Example WordPress hack
Top security tips
Recommended plugins & services
Brandon’s done, Brad is walking up. (And Dre is close behind him…but Dre’s not speaking ;)
Brandon is giving an intro to the day, lunch, etc.
People are settled in and we’re getting started