WordPress End-User Security

presented by Dre Armeda, @dremeda & Brad Williams, @williamsba

  • Keep WordPress and your plugins updated, at all times. Updates are not only for new features or tools; they often carry security patches and fixes.
  • Change the database prefix from wp_ to something unique. For example, change $table_prefix = 'wp_'; to $table_prefix = 'dreday_';
  • Use the secret keys in your wp-config.php file. Generate fresh values at: https://api.wordpress.org/secret-key/1.1/salt
  • Lock down your WP Login and WP Admin access. You can add define('FORCE_SSL_LOGIN', true); and define('FORCE_SSL_ADMIN', true); to wp-config.php, OR create an .htaccess file that allows access only from specific IP addresses (make sure you update it every 2 to 4 weeks, since your IP address changes about that often).
  • You can move the wp-config.php file one directory above the WordPress root, from public_html/wordpress/wp-config.php to public_html/wp-config.php
  • Disable the WP Generator Tag (people still don’t do this??)
  • WPMU.org reviewed the top 10 Google results for “free wordpress themes”. Out of the top 10: Safe: 1. Iffy: 1. Avoid: 8. Use instead: the WordPress Theme chooser, woothemes, themelab, theme hybrid, themeshaper.
  • Do not use “admin” as your login. WordPress 3.0 lets you set the admin username during the installation process.
  • Files should be set to 644. Folders should be set to 755. If your host requires 777… SWITCH HOSTS!
  • 70% of all WP sites are infected with malware due to software that hasn’t been updated.
  • wordpress.org/extend/plugins/wp-time-machine/
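As an added example (not part of the talk, and not WordPress's own tooling), the following POSIX shell script audits an install against four of the items above: the database prefix, the secret keys, FORCE_SSL_ADMIN, and the 644/755 permission rule. It builds its own throwaway install in a temp directory so it runs offline; the directory layout, the dummy salt strings and the function names are assumptions of this example, and the keys for a real site should still come from the salt URL above.

```shell
#!/bin/sh
# Added example, not from the talk: audit a WordPress install against the
# checklist above. Each check_* function returns 0 when the item passes and
# 1 when it needs attention. The install layout and the wp-config.php built
# by make_sample_install are constructed for this demo; the salt strings in
# the "hardened" sample are dummies, not real keys.

# 1. Database prefix: flag the default "wp_" (the talk suggests e.g. "dreday_").
check_table_prefix() {
    grep -Eq "^[[:space:]]*\\\$table_prefix[[:space:]]*=[[:space:]]*['\"]wp_['\"]" "$1" && return 1
    return 0
}

# 2. Secret keys: all eight must be defined, and none may still carry the
#    placeholder text that ships in wp-config-sample.php.
check_salts() {
    for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
               AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
        line=$(grep -E "define[[:space:]]*\([[:space:]]*['\"]$key['\"]" "$1") || return 1
        case "$line" in
            *"put your unique phrase here"*) return 1 ;;
        esac
    done
    return 0
}

# 3. SSL for wp-admin: FORCE_SSL_ADMIN must be defined as true.
check_ssl_admin() {
    grep -Eq "define[[:space:]]*\([[:space:]]*['\"]FORCE_SSL_ADMIN['\"][[:space:]]*,[[:space:]]*true" "$1"
}

# 4. Permissions: files 644, directories 755; lists every offender on stderr.
check_permissions() {
    offenders=$( { find "$1" -type f ! -perm 644; find "$1" -type d ! -perm 755; } )
    [ -z "$offenders" ] && return 0
    printf 'bad permissions:\n%s\n' "$offenders" >&2
    return 1
}

# Apply the 644/755 rule to a whole tree.
fix_permissions() {
    find "$1" -type f -exec chmod 644 {} +
    find "$1" -type d -exec chmod 755 {} +
}

# Run every check on an install root; prints the number of failed checks.
audit() {
    cfg="$1/wp-config.php"; fails=0
    for chk in check_table_prefix check_salts check_ssl_admin; do
        if "$chk" "$cfg"; then echo "PASS $chk" >&2; else echo "FAIL $chk" >&2; fails=$((fails + 1)); fi
    done
    if check_permissions "$1"; then echo "PASS check_permissions" >&2; else echo "FAIL check_permissions" >&2; fails=$((fails + 1)); fi
    echo "$fails"
}

# Build a throwaway install in a temp dir (constructed sample): "insecure"
# mirrors a stock install with the sample config left untouched and a 777
# uploads folder; "hardened" applies the checklist. Prints the directory.
make_sample_install() {
    dir=$(mktemp -d)
    mkdir -p "$dir/wp-content/uploads"
    if [ "$1" = hardened ]; then
        prefix="dreday_"; phrase="dummy-salt-for-demo-only"; ssl="define( 'FORCE_SSL_ADMIN', true );"
    else
        prefix="wp_"; phrase="put your unique phrase here"; ssl=""
    fi
    {
        echo "<?php"
        for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
                   AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
            echo "define( '$key', '$phrase-$key' );"
        done
        echo "$ssl"
        echo "\$table_prefix = '$prefix';"
    } > "$dir/wp-config.php"
    chmod 755 "$dir" "$dir/wp-content"
    if [ "$1" = hardened ]; then fix_permissions "$dir"; else chmod 777 "$dir/wp-content/uploads"; fi
    echo "$dir"
}

# Usage: audit a real site with   audit /path/to/public_html/wordpress
# or try the constructed samples:  audit "$(make_sample_install insecure)"
```

Point `audit` at a real document root to get a PASS/FAIL line per item on stderr and the failure count on stdout, which makes it easy to run from cron and alert when the count is non-zero. The .htaccess IP allow-list and the generator tag are not checked here because both depend on how the site is served.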
