WPcast.fm

The Professional WordPress Podcast

The Essential Guide To WordPress Security: Bulletproofing Your Install – WPCAST011

August 20, 2014

In this episode, we discuss the nature of WordPress security, and steps to take in order to make your site secure.

http://media.blubrry.com/wpcast/wpcast.fm/wp-content/blogs.dir/483/files/episodes/WPCAST011.mp3

Podcast: Play in new window | Download (Duration: 25:29 — 23.4MB)

The Changelog

  • Thanks Jafo the Great, Martin Bishop, and Richard Patey for the 5-star reviews
  • WordPress 4.0 launching August 27: media grid, improved plugin install experience
  • Chrome extensions and security holes (don’t use Awesome Screenshot!)

The Core

  • Bumped up security on our list of topics thanks to Jafo’s email
  • Doug’s blog post: http://efficientwp.com/the-80-20-of-wordpress-security
  • Why is security a concern?
    • Nothing is static HTML: every request runs PHP against a MySQL database, and that code handles untrusted input, so the attack surface is far larger than a static site’s
    • WordPress is open source – attackers read each security patch, work out what bug it fixed, and use it against sites that haven’t updated yet
    • Attacks are mostly automated and opportunistic – you’re probably not being targeted specifically, just scanned along with everyone else
  • Common security problems:
    • The TimThumb image-resizing script bundled with some themes and plugins had a vulnerability that let attackers upload and execute their own PHP
    • No rate limiting or lockout for failed logins on wp-login.php out of the box, so brute-force password guessing is easy
    • SQL injection (relevant xkcd comic) and XSS (cross-site scripting), most often in plugins and themes that build queries or HTML from user input without escaping it
  • What you should do:
    • If you’re not using managed hosting, install one of the following plugins:
      • iThemes Security (formerly called Better WP Security)
      • or Wordfence Security
      • or BruteProtect
    • Harden wp-config.php, .htaccess, robots.txt, and file/folder permissions
    • Use strong, unique passwords (use a password manager to generate and store them)
    • Use SSL for wp-login.php so your password isn’t sent in the clear (but it’s more work to set up)
    • Upgrade frequently – core, plugins and themes – either yourself or use a service like WP Curve
    • Choose themes and plugins carefully: check ratings and when they were last updated before installing, and go back and check them periodically
    • Managed hosting:
      • WP Engine (affiliate link, David uses)
      • Synthesis (Doug uses)
      • Flywheel (Doug uses and highly recommends)
    • Make regular backups (see episode 7)
    • Sucuri for malware scanning and protection
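
As an added example (not code from the episode, and not WordPress’s own code), here is the pattern behind the SQL injection and XSS problems listed above, beside the hardened version that uses WordPress’s own $wpdb->prepare() and escaping functions. It assumes it runs inside WordPress as a must-use plugin; the shortcode name, function names and the ?q= query parameter are made up for the demonstration.

```php
<?php
/**
 * Plugin Name: WPcast SQLi/XSS demo (added example, not from the episode)
 * Drop this file into wp-content/mu-plugins/ on a TEST site only.
 * Registers [wpcast_search], which runs the hardened version; the vulnerable
 * version is included for comparison and is never hooked.
 */

/**
 * VULNERABLE: never use. The search term goes straight into SQL and HTML.
 * With the raw (unslashed) term set to:
 *   %' OR 1=1 -- %       the WHERE clause is rewritten and every post is returned
 *   ' UNION SELECT user_login, user_pass FROM wp_users -- 
 *                        password hashes come back as "post titles"
 *   <script>alert(document.cookie)</script>
 *                        reflected XSS in the heading
 */
function wpcast_search_vulnerable( $q ) {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_title LIKE '%$q%' AND post_status = 'publish'"
    );
    $html = "<h3>Results for $q</h3><ul>";
    foreach ( $rows as $row ) {
        $html .= "<li>{$row->post_title}</li>";
    }
    return $html . '</ul>';
}

/**
 * HARDENED: the same feature with the input treated as data, not code.
 */
function wpcast_search_hardened( $q ) {
    global $wpdb;

    // 1. Normalise the input: strip tags, control characters and extra whitespace.
    $q = sanitize_text_field( $q );
    if ( '' === $q ) {
        return '';
    }

    // 2. Parameterise the query. prepare() quotes and escapes every %s/%d;
    //    esc_like() (WordPress 4.0+) stops the user adding their own % and _ wildcards.
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_title LIKE %s AND post_status = %s
         LIMIT %d",
        '%' . $wpdb->esc_like( $q ) . '%',
        'publish',
        20
    );
    $rows = $wpdb->get_results( $sql );

    // 3. Escape on output, for the context each value lands in:
    //    esc_html() for text nodes, esc_url() for href attributes.
    $html = '<h3>Results for ' . esc_html( $q ) . '</h3><ul>';
    foreach ( $rows as $row ) {
        $html .= '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
               . esc_html( $row->post_title ) . '</a></li>';
    }
    return $html . '</ul>';
}

// Put [wpcast_search] on any page; the term comes from ?q= so it can be tried from the URL bar.
add_shortcode( 'wpcast_search', function () {
    // WordPress adds slashes to $_GET; undo that before using the value.
    $q = isset( $_GET['q'] ) ? wp_unslash( $_GET['q'] ) : '';
    return wpcast_search_hardened( $q );
} );
```

The two functions do the same job; the only differences are that the hardened one hands the term to the database as a bound parameter and escapes it on the way back out, so the payloads in the comment above are rendered as harmless text and match nothing.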

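As an added example (not from the episode, and not WordPress’s own wp-config-sample.php), the wp-config.php settings behind several of the steps above: SSL for wp-login.php, disabling the dashboard file editor, automatic updates, debug output, and the keys and salts, each shown next to the weak setting it replaces. The “example:” key values are placeholders to be replaced with output from the WordPress salt API; the permission numbers in the final comment are a common baseline, not a rule for every host.

```php
<?php
// Excerpt for wp-config.php covering the hardening steps from the episode.
// Added example, not from the episode; replace every "example:" value.

// --- Secret keys and salts ---------------------------------------------------
// Weak: the placeholder phrases that ship in wp-config-sample.php. Anyone who
// knows them can forge login cookies. Generate real values from
// https://api.wordpress.org/secret-key/1.1/salt/ and paste all eight lines.
// define( 'AUTH_KEY', 'put your unique phrase here' );   // weak (sample file default)
define( 'AUTH_KEY',         'example: 64+ random characters from the salt API' );
define( 'SECURE_AUTH_KEY',  'example: ...' );
define( 'LOGGED_IN_KEY',    'example: ...' );
define( 'NONCE_KEY',        'example: ...' );
define( 'AUTH_SALT',        'example: ...' );
define( 'SECURE_AUTH_SALT', 'example: ...' );
define( 'LOGGED_IN_SALT',   'example: ...' );
define( 'NONCE_SALT',       'example: ...' );
// Changing any of these logs every user out, which is also how you invalidate
// stolen cookies after an incident.

// --- SSL for wp-login.php ------------------------------------------------------
// Forces https:// for wp-login.php and all of /wp-admin/, so the password and
// the auth cookie are never sent in the clear. Needs a working certificate first.
define( 'FORCE_SSL_ADMIN', true );

// --- Limit what a stolen admin password can do ----------------------------------
// Weak: the built-in theme/plugin editor lets any administrator write arbitrary
// PHP to disk from the dashboard, which turns a stolen admin password into
// code execution on the server.
// define( 'DISALLOW_FILE_EDIT', false );   // weak (the default when undefined)
define( 'DISALLOW_FILE_EDIT', true );
// Stricter option for sites deployed from version control or on managed
// hosting: also blocks plugin/theme installs and updates from the dashboard.
// define( 'DISALLOW_FILE_MODS', true );

// --- Updates ---------------------------------------------------------------------
// 'minor' (the default) applies security and maintenance releases automatically;
// true also takes major releases. Only set false if something else (the host,
// WP Curve, a deploy pipeline) is responsible for keeping core current.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// --- Don't leak paths and queries --------------------------------------------------
// Weak: debug display on a live site prints file paths and failed SQL into pages
// that attackers can read.
// define( 'WP_DEBUG', true ); define( 'WP_DEBUG_DISPLAY', true );   // weak on production
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );

// --- File/folder permissions (set on the server, not in this file) ----------------
// Common baseline, adjusted for how the host runs PHP:
//   directories 755, files 644, wp-config.php 600 (or 440 if PHP runs as a
//   different user in the same group as the file owner).
// wp-config.php may also live one directory above the web root; WordPress looks
// there when the file is not found next to wp-settings.php.
```
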
Tips & Tricks

  • Eye Dropper – Chrome extension for getting color codes
  • Private Internet Access – secure VPN, $40/year

Thanks for listening! If you liked this episode, please leave us a review in iTunes.

We’d love for you to comment below, or leave us a voicemail or message with your feedback.

Filed Under: Podcast • Tagged With: better wp security, ithemes security, managed hosting, security, ssl, vpn, wordfence security

Disclosure: Some of the links mentioned throughout the site are affiliate links, meaning we may receive commissions for purchases made through them. We only recommend products and services that we’ve used ourselves.

Copyright © 2023 WPcast.fm. All rights reserved.