WCPHX – WP Security for Users

Just had a great time listening to @dremeda and @williamsba talk about security for us, the users. In case you missed my flurry of tweets, here are some of the tidbits they presented:

Some Facts:

– 70% of infections right now are coming from folks working off outdated platforms

– 17% of the market out there is using their first name as the password – #epicfail

10 Easy tips to help you become more secure:

1. Update, Update, then Update some more

– So simple, yet so many folks refuse to do it or let it become an oversight

2. Change DB Table prefix

3. Use secret keys

  • You do this in wp-config.php; that is where the secret keys are generated and set. Reach out to Dre or Brad for details

4. Lockdown WP Admin and Login

  • You can add SSL in your wp-config.php using something like this: define('FORCE_SSL_LOGIN', true); I might have got that wrong, so once again, reach out to Brad and / or Dre
  • Use .htaccess in your wp-admin directory

5. Move wp-config.php from the default location

  • Didn’t know this myself, cool

6. Disable WP Generator Tag

  • In case you’re wondering, this is the tag that tells folks which version of the software you’re running. Someone can run a query that says “Show users that use WP 2.6”, and now they can attack you with the known vulnerabilities for that version. Disable it, folks.

7. Use trusted sources for themes and plugins

  • wpmu.org had a great article on this; I’ll have to look it up again and post it here as part of this. In short, just because a Google search for ‘Free Themes’ turns something up doesn’t mean it comes from a trusted source – Do you really want to sell Viagra on your site?

8. Delete the Admin user

  • In 3.0 you can now change this on install; if you don’t, change it at some point. People look for folks with the username admin.

9. File and Folder Permissions

  • Set files to 644 and folders to 775; if your host requires something else, find a new host

10. Update Update and Update again after that

  • Can’t stress enough
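To make tip 9 something you can actually check rather than eyeball, here is an added shell example (my own, not from the talk or the slides) that audits a WordPress tree against the 644 / 775 numbers above and fixes any file or folder that deviates. It runs on a constructed throwaway tree; point wp_perm_audit and wp_perm_fix at your real install directory to use it for real.

```shell
#!/bin/sh
# Added example (not from the talk or the post): audit a WordPress tree against
# the permissions from tip 9, files 644 and folders 775, and optionally fix it.

# List every file not exactly 644 and every directory not exactly 775.
# Exit status 0 means the tree already matches, 1 means deviations were printed.
# "find -perm MODE" with a bare octal mode is an exact match and is POSIX, so
# the check behaves the same on GNU/Linux and BSD/macOS hosts.
wp_perm_audit() {
    root=$1
    find "$root" -type f ! -perm 644 -exec echo "file (want 644):" {} \;
    find "$root" -type d ! -perm 775 -exec echo "dir  (want 775):" {} \;
    deviations=$( { find "$root" -type f ! -perm 644
                    find "$root" -type d ! -perm 775; } | wc -l | tr -d ' ' )
    [ "$deviations" -eq 0 ]
}

# Apply 644 / 775 only where needed; "{} +" batches paths into few chmod calls.
wp_perm_fix() {
    root=$1
    find "$root" -type f ! -perm 644 -exec chmod 644 {} +
    find "$root" -type d ! -perm 775 -exec chmod 775 {} +
}

# Demo on a constructed throwaway tree with deliberately loose permissions
# (world-writable, the kind of thing a careless FTP client or host leaves behind).
demo_tree=$(mktemp -d)
mkdir -p "$demo_tree/wp-content/uploads"
: > "$demo_tree/wp-config.php"
: > "$demo_tree/wp-content/uploads/photo.jpg"
chmod 775 "$demo_tree"
chmod 777 "$demo_tree/wp-content" "$demo_tree/wp-content/uploads"
chmod 666 "$demo_tree/wp-config.php" "$demo_tree/wp-content/uploads/photo.jpg"

echo "== before =="
wp_perm_audit "$demo_tree" || echo "deviations found"
wp_perm_fix "$demo_tree"
echo "== after =="
wp_perm_audit "$demo_tree" && echo "tree matches 644/775"
rm -rf "$demo_tree"
```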

Check out their slide deck:

Alright folks, this is all I got. Hope it helps. Once again, thanks to the WP app for the iPad for making this post possible.
