08.20.2014 - By David Hehenberger and Doug Yuen
In this episode, we discuss the nature of WordPress security, and steps to take in order to make your site secure.
The Changelog
* Thanks Jafo the Great, Martin Bishop, and Richard Patey for the 5-star reviews
* WordPress 4.0 launching August 27: media grid, improved plugin install experience
* Chrome extensions and security holes (don’t use Awesome Screenshot!)
The Core
* Bumped up security on our list of topics thanks to Jafo’s email
* Doug’s blog post: http://efficientwp.com/the-80-20-of-wordpress-security
* Why is security a concern?
  * WordPress is not static HTML: it runs on PHP and a database, so there will be inherent security holes
  * WordPress is open source – hackers can reverse engineer exploits from security patches
  * Attacks are mostly random; you’re probably not being targeted specifically
* Common security problems:
  * TimThumb script included in some themes and plugins had vulnerabilities
  * No protection against brute force attacks out of the box
  * SQL injection (relevant xkcd comic), XSS (cross-site scripting)
* What you should do:
  * If you’re not using managed hosting, install one of the following plugins:
    * iThemes Security (formerly called Better WP Security)
    * or Wordfence Security
    * or BruteProtect
  * More configuration in wp-config.php, .htaccess, robots.txt, and file/folder permissions
  * Use strong passwords (use a password manager to store complex passwords)
  * Use SSL for wp-login.php (but it’s more work to set up)
  * Upgrade frequently – either yourself or use a service like WP Curve
  * Choose themes and plugins carefully and go back and check ratings and updates
  * Managed hosting:
    * WP Engine (affiliate link, David uses)
    * Synthesis (Doug uses)
    * Flywheel (Doug uses and highly recommends)
  * Make regular backups (see episode 7)
  * Sucuri for malware scanning and protection
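To make the SQL injection and XSS items concrete, here is an added example (not from the episode or the show notes) of a small WordPress search handler written two ways: the first drops user input straight into the query and the page, the second binds it as a parameter and escapes it on output. The function names and the `wp_demo_` prefix are assumptions for illustration; `$wpdb->prepare()`, `$wpdb->esc_like()` (available from WordPress 4.0), `esc_html()`, `esc_url()` and `get_permalink()` are real WordPress APIs.

```php
<?php
// Added example, not code from the podcast or the show notes.
// "wp_demo_*" names are assumed for illustration only.

// VULNERABLE: the search term lands inside the SQL string and is echoed
// unescaped. Crafted input can reshape the query (SQL injection) or inject
// markup that runs in the visitor's browser (cross-site scripting).
function wp_demo_search_vulnerable( $term ) {
    global $wpdb;
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} "
        . "WHERE post_title LIKE '%{$term}%' AND post_status = 'publish'"
    );
    echo '<p>Results for: ' . $term . '</p>';          // unescaped output
    foreach ( $rows as $row ) {
        echo '<li>' . $row->post_title . '</li>';      // unescaped output
    }
}

// HARDENED: the term is passed to prepare() as a bound %s placeholder, so the
// database only ever sees it as data, and every value printed into HTML is
// escaped for the context it appears in (text node vs. href attribute).
function wp_demo_search_hardened( $term ) {
    global $wpdb;
    // esc_like() neutralises the % and _ wildcards inside the user's term.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID, post_title FROM {$wpdb->posts} "
            . "WHERE post_title LIKE %s AND post_status = 'publish'",
            $like
        )
    );
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';
    foreach ( $rows as $row ) {
        echo '<li><a href="' . esc_url( get_permalink( $row->ID ) ) . '">'
            . esc_html( $row->post_title ) . '</a></li>';
    }
}
```

The pattern to carry away is the same one the security plugins above cannot do for you: treat every request value as data, bind it when it goes into SQL, and escape it for the specific output context when it goes back out.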
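As an added example (not from the episode or the show notes) of the "more configuration in wp-config.php" and "SSL for wp-login.php" items above, this is a block of hardening lines for wp-config.php. Every constant used is a real WordPress setting; the values and the reverse-proxy snippet are illustrative assumptions, and the salts shown are the placeholder strings from wp-config-sample.php that must be replaced.

```php
<?php
// Added example, not code from the podcast or the show notes.
// Put these lines in wp-config.php above the "That's all, stop editing!" line.

// If the host terminates TLS on a proxy or load balancer, WordPress only sees
// plain HTTP; honour the forwarded header so FORCE_SSL_ADMIN does not loop.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && $_SERVER['HTTP_X_FORWARDED_PROTO'] === 'https' ) {
    $_SERVER['HTTPS'] = 'on';
}

// Force HTTPS for wp-login.php and all of /wp-admin/, so credentials and the
// admin cookie never cross the wire in clear text (needs a certificate on the host).
define( 'FORCE_SSL_ADMIN', true );

// Remove the theme/plugin file editor from the dashboard; without this, anyone
// holding an admin session can write PHP to the site from the browser.
define( 'DISALLOW_FILE_EDIT', true );

// Keep core security releases landing automatically ("minor" = point releases).
define( 'WP_AUTO_UPDATE_CORE', 'minor' );

// Never show PHP errors (paths, query fragments) to visitors on a live site.
define( 'WP_DEBUG', false );
define( 'WP_DEBUG_DISPLAY', false );

// A non-default table prefix only blunts canned payloads that assume "wp_";
// it is a speed bump, not a fix, and must be set before installation.
$table_prefix = 'xk7_';

// Unique salts: replace these placeholders with fresh values from
// https://api.wordpress.org/secret-key/1.1/salt/ . Rotating them later
// invalidates every existing login cookie, which is useful after a compromise.
define( 'AUTH_KEY',         'put your unique phrase here' );
define( 'SECURE_AUTH_KEY',  'put your unique phrase here' );
define( 'LOGGED_IN_KEY',    'put your unique phrase here' );
define( 'NONCE_KEY',        'put your unique phrase here' );
define( 'AUTH_SALT',        'put your unique phrase here' );
define( 'SECURE_AUTH_SALT', 'put your unique phrase here' );
define( 'LOGGED_IN_SALT',   'put your unique phrase here' );
define( 'NONCE_SALT',       'put your unique phrase here' );
```

After adding these, confirm that http://yoursite/wp-login.php redirects to https:// and that the "Editor" entries have disappeared from the Appearance and Plugins menus; if the login page redirects in a loop, the proxy header check at the top is the first thing to look at.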
Tips & Tricks
* Eye Dropper – Chrome extension for getting color codes
* Private Internet Access – secure VPN, $40/year