With close to 23 percent of the web now running on WordPress, WordPress security is becoming increasingly important. This video of Jesse Friedman’s (from BruteProtect) presentation “WordPress Security” at the Boston WordPress Meetup covers several areas of concern.
Jesse starts with 2 myths about WordPress Security:
1. Almost everybody thinks that they are free from attack and not vulnerable. Websites, regardless of size, are attacked all the time.
2. WordPress is not secure. WordPress core is completely secure; insecurities come when you add to it – i.e. plugins, widgets, etc. The number one place to be aware of is your password.
It’s important to accept that you will never be 100% secure. Attacks can come from your service provider, bad FTP security and a host of other places.
The most common types of attack are:
1. Pharma/Affiliate
2. Link Injection
3. Hacktivism
4. Drive-by downloads
5. Redirection
6. Botnet Attacks
Botnet attacks are the most common. Hackers run a script to log into your site without caring what kind of site it is. To access your account they attempt to figure out your username and password. Once that is done they can unleash malicious code or whatever it is that they are trying to do. To help secure your site, make sure you are using a very secure password! For WordPress security you can change the URL of your admin page so that it’s harder to even find the page to log in in the first place.
Direct attacks are the other thing that you need to worry about. You should be aware of your weaknesses and have a plan for them.
Here are some areas to be aware of for direct attacks:
1. Public WiFi
2. FTP
3. Hosting environment
4. Plugins (active & inactive)
5. Themes (active & inactive)
6. Keep core up to date.
Some of the basic protections you can use for WordPress security are:
1. Keep core up to date
2. Keep Plugins up to date
3. Keep Themes up to date
4. Only use plugins you trust
5. Don’t give people more access than they need
6. Don’t send your passwords through email
Jesse goes on to give more suggestions and recommendations. It’s a great presentation on WordPress Security.