WPcast.fm - The Professional WordPress Podcast

The Essential Guide To WordPress Security: Bulletproofing Your Install – WPCAST011

08.20.2014 - By David Hehenberger and Doug Yuen


In this episode, we discuss the nature of WordPress security, and steps to take in order to make your site secure.

The Changelog

* Thanks Jafo the Great, Martin Bishop, and Richard Patey for the 5-star reviews

* WordPress 4.0 launching August 27: media grid, improved plugin install experience

* Chrome extensions and security holes (don’t use Awesome Screenshot!)

The Core

* Bumped up security on our list of topics thanks to Jafo’s email

* Doug’s blog post: http://efficientwp.com/the-80-20-of-wordpress-security

* Why is security a concern?

* WordPress isn't static HTML; it runs on PHP and a database, so there will always be some attack surface

* WordPress is open source – hackers can reverse engineer exploits from security patches

* Random attacks, you’re probably not being targeted specifically

* Common security problems:

* TimThumb script included in some themes and plugins had vulnerabilities

* No protection against brute force attacks out of the box

* SQL injection (relevant xkcd comic), XSS (cross-site scripting)

* What you should do:

* If you’re not using managed hosting, install one of the following plugins:

* iThemes Security (formerly called Better WP Security)

* or Wordfence Security

* or BruteProtect

* More configurations on wp-config.php, .htaccess, robots.txt, and file/folder permissions

* Use strong passwords (use a password manager to store complex passwords)

* Use SSL for wp-login.php (but it’s more work to set up)

* Upgrade frequently – either yourself or use a service like WP Curve

* Choose themes and plugins carefully and go back and check ratings and updates

* Managed hosting:

* WP Engine (affiliate link, David uses)

* Synthesis (Doug uses)

* Flywheel (Doug uses and highly recommends)

* Make regular backups (see episode 7)

* Sucuri for malware scanning and protection

Tips & Tricks

* Eye Dropper – Chrome extension for getting color codes

* Private Internet Access – secure VPN, $40/year
