Secure All the Things!

Speaker: Doug Campbell
Original Post: Sideways8

I’m in the developers room at WordCamp ATL 2013 and listening to a talk about security. Here are a few notes.

My favorite point so far is the speaker’s point that WordPress is usually not the weak point when a website is hacked. It’s usually a plugin, a JavaScript library, several, or some other means of entry.

Keep in mind, shared hosting also means shared security. So, when you are on shared hosting, the 100+ other sites on that server can affect how secure your site is.

How do hackers get in? Known exploits, brute-force password guessing, network scanners, Wi-Fi vulnerabilities (be careful at coffee shops, people!), automated tools, rootkits.

What do you do to keep your site safe? Three words: Update. Update. Update. In other words, keep your stuff up to date! Update the core, update plugins, update themes.

Some good plugins and tools to think about using:

  • Hotfix Plugin
  • WP Security Scanner
  • Login Lockdown
  • BulletProof Security

Delete plugins and themes that you are not using, even if they are disabled.

What do you do when your site is hacked:

Now every PHP file on your site is suspect. So you need to nuke the site and start over. Download WordPress core and rebuild the site. Same with your plugins and same with your themes.

Reinstall your database from backups. If the database has been hacked, then cleaning up your files will only help temporarily: the hacker will just get back in and mess stuff up again.
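The "every PHP file is suspect" point is easier to act on if you can see which files actually differ from a clean copy. The following script is an added example, not code from the talk or from WordPress: it hashes every PHP file in a freshly downloaded WordPress tree and in the live install, then reports files that were modified, added, or removed. The `demo()` function builds a small constructed fixture in a temporary directory; in real use you would call `compare_trees("/path/to/clean-wordpress", "/path/to/live-site")` with a clean download of the same WordPress version.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of one file, read in chunks so large files are fine."""
    digest = hashlib.sha256()
    with Path(path).open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def hash_tree(root, suffixes=(".php",)) -> dict:
    """Map each matching file under root (POSIX-style relative path) to its hash."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hash_file(p)
        for p in root.rglob("*")
        if p.is_file() and p.suffix in suffixes
    }


def compare_trees(clean_root, live_root, suffixes=(".php",)) -> dict:
    """Classify every PHP file in the live install relative to the clean copy.

    modified: present in both, different content (tampered core file)
    added:    only in the live tree (anything not shipped by core needs a look)
    missing:  only in the clean tree (deleted or renamed core file)
    """
    clean = hash_tree(clean_root, suffixes)
    live = hash_tree(live_root, suffixes)
    return {
        "modified": sorted(p for p in live if p in clean and live[p] != clean[p]),
        "added": sorted(p for p in live if p not in clean),
        "missing": sorted(p for p in clean if p not in live),
    }


def demo() -> dict:
    """Constructed fixture: a tiny 'clean' tree and a 'live' tree with changes."""
    tmp = Path(tempfile.mkdtemp())
    clean, live = tmp / "clean", tmp / "live"
    for base in (clean, live):
        (base / "wp-includes").mkdir(parents=True)
        (base / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
    # same file in both trees, but the live copy has an extra line appended
    (clean / "wp-includes" / "functions.php").write_text("<?php function wp_ok() {}\n")
    (live / "wp-includes" / "functions.php").write_text(
        "<?php function wp_ok() {}\n/* constructed: line that is not in the clean copy */\n"
    )
    # a file that core never shipped, and a core file that is gone from the live site
    (live / "wp-includes" / "unexpected.php").write_text("<?php /* constructed extra file */\n")
    (clean / "wp-includes" / "version.php").write_text("<?php $wp_version = 'x';\n")
    return compare_trees(clean, live)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(kind, files)
```

Because core does not ship `wp-content`, every plugin, theme and upload will show up under "added"; compare those directories against fresh downloads of the same plugin and theme versions the same way. A clean PHP diff also says nothing about the database, `.htaccess`, or non-PHP files, which is why the talk's advice is still to rebuild from clean sources rather than trust a cleaned tree.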

About Site backups:

What do I need to have backed up?

  • Database – your content is your most valuable thing.
  • Uploaded media
  • Custom themes and plugins
  • wp-config.php
  • keep a list of your installed third party plugins

Make sure you have a history of backups. If your site has been hacked and then backed up, you have just backed up your hacked site.
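As an added example (not code from the talk or from any of the plugins listed on this page), here is a small backup routine that covers the list above: it archives `wp-config.php`, uploads, custom themes and plugins, a database dump, and a generated `plugins.txt` inventory of installed plugins into a timestamped `.tar.gz`, then keeps the newest N archives so you always have a history to fall back to. The paths in `BACKUP_ITEMS` are assumed; `database.sql` stands in for a dump you would produce beforehand with `mysqldump`. The `demo()` function runs the whole thing against a constructed site in a temporary directory.

```python
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Assumed layout of the install (hypothetical paths, not from the talk).
BACKUP_ITEMS = [
    "wp-config.php",
    "wp-content/uploads",
    "wp-content/themes/custom-theme",
    "wp-content/plugins/custom-plugin",
    "database.sql",  # dump produced beforehand (e.g. mysqldump); placeholder here
]


def plugin_inventory(site_root) -> list:
    """Directory names under wp-content/plugins: the 'list of installed plugins'."""
    plugins_dir = Path(site_root) / "wp-content" / "plugins"
    if not plugins_dir.is_dir():
        return []
    return sorted(p.name for p in plugins_dir.iterdir() if p.is_dir())


def utc_stamp() -> str:
    """UTC timestamp that sorts lexically, so the newest archive is always last."""
    return datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")


def make_archive(site_root, backup_dir, stamp: str) -> Path:
    """Write site-<stamp>.tar.gz containing BACKUP_ITEMS plus plugins.txt."""
    site_root, backup_dir = Path(site_root), Path(backup_dir)
    backup_dir.mkdir(parents=True, exist_ok=True)
    (site_root / "plugins.txt").write_text("\n".join(plugin_inventory(site_root)) + "\n")
    archive = backup_dir / f"site-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        for item in BACKUP_ITEMS + ["plugins.txt"]:
            src = site_root / item
            if src.exists():  # skip items this site does not have
                tar.add(src, arcname=item)
    return archive


def list_archives(backup_dir) -> list:
    return sorted(Path(backup_dir).glob("site-*.tar.gz"))


def prune_archives(backup_dir, keep: int) -> list:
    """Delete all but the newest `keep` archives; return the names removed."""
    archives = list_archives(backup_dir)
    doomed = archives[:-keep] if keep > 0 else archives
    for old in doomed:
        old.unlink()
    return [old.name for old in doomed]


def demo() -> dict:
    """Constructed site: five nightly backups, then keep only the newest three."""
    tmp = Path(tempfile.mkdtemp())
    site, backups = tmp / "site", tmp / "backups"
    (site / "wp-content" / "uploads").mkdir(parents=True)
    (site / "wp-content" / "plugins" / "custom-plugin").mkdir(parents=True)
    (site / "wp-content" / "plugins" / "third-party-seo").mkdir()
    (site / "wp-config.php").write_text("<?php /* constructed config */\n")
    (site / "database.sql").write_text("-- constructed dump\n")
    for day in range(1, 6):
        make_archive(site, backups, f"2013032{day}T020000Z")
    removed = prune_archives(backups, keep=3)
    with tarfile.open(list_archives(backups)[-1]) as tar:
        names = sorted(tar.getnames())
        plugins = tar.extractfile("plugins.txt").read().decode().split()
    return {
        "kept": [a.name for a in list_archives(backups)],
        "removed": removed,
        "newest_contents": names,
        "plugins": plugins,
    }


if __name__ == "__main__":
    print(demo())
```

For a real site you would call `make_archive("/var/www/site", "/srv/backups", utc_stamp())` from a nightly job, followed by `prune_archives("/srv/backups", keep=14)` or similar, and copy the archives off the server, since a backup that lives on the same shared host as the hacked site shares its fate.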

Other Good Plugins and whatnot:

  • Backup Buddy
  • VaultPress
  • WordPress backup to dropbox
  • WordFence

Other Notes:

Make sure to have secure passwords.

Make your passwords long. A longer password of just simple dictionary words is actually harder for a hacker to crack. For example, “correct horse battery staple” is better than “Tr0ub4dor &3” because it is longer and therefore harder for a computer to guess with a brute-force attack.