The Essential Guide To WordPress Security: Bulletproofing Your Install – WPCAST011

In this episode, we discuss the nature of WordPress security, and steps to take in order to make your site secure.

The Changelog

• Thanks Jafo the Great, Martin Bishop, and Richard Patey for the 5-star reviews
• WordPress 4.0 launching August 27: media grid, improved plugin install experience
• Chrome extensions and security holes (don’t use Awesome Screenshot!)

The Core

• Bumped up security on our list of topics thanks to Jafo’s email
• Doug’s blog post: http://efficientwp.com/the-80-20-of-wordpress-security
• Why is security a concern?
  • No static html, using a database and PHP, so there will be inherent security holes
  • WordPress is open source – hackers can reverse engineer exploits from security patches
  • Random attacks, you’re probably not being targeted specifically
• Common security problems:
  • TimThumb script included in some themes and plugins had vulnerabilities
  • No protection against brute force attacks out of the box
  • SQL injection (relevant xkcd comic), XSS (cross-site scripting)
• What you should do:
  • If you’re not using managed hosting, install one of the following plugins:
    • iThemes Security (formerly called Better WP Security)
    • or Wordfence Security
    • or BruteProtect
  • More configurations on wp-config.php, .htaccess, robots.txt, and file/folder permissions
  • Use strong passwords (use a password manager to store complex passwords)
  • Use SSL for wp-login.php (but it’s more work to set up)
  • Upgrade frequently – either yourself or use a service like WP Curve
  • Choose themes and plugins carefully and go back and check ratings and updates
  • Managed hosting:
    • WP Engine (affiliate link, David uses)
    • Synthesis (Doug uses)
    • Flywheel (Doug uses and highly recommends)
  • Make regular backups (see episode 7)
  • Sucuri for malware scanning and protection

Tips & Tricks

• Eye Dropper – Chrome extension for getting color codes
• Private Internet Access – secure VPN, $40/year