Keeping your web site secure

an overview of web & WordPress security

A presentation for WordPress Findhorn, May 2013, by Mark Rowatt Anderson


Overview

  • Why bother?
  • Everyday security
  • Keeping WordPress secure
  • Useful tools
  • Q&A

Why Bother?

Some common attacks

  • Brute force
  • Code exploits
  • Denial of service
  • Trojans
  • WiFi sniffing

Beware... just because your site works OK doesn't mean you haven't been compromised!

Everyday security

  • Really, really, very important!
  • Good passwords
  • Keep software updated
  • Robust backups
  • Anti-virus etc.
  • Keep your email doubly secure
  • Be sensible

What makes a good password?

How good are these?

  1. password
  2. 147258
  3. p@$$w0rd
  4. correct-horse-battery-staple
  5. tbontbtitq
  6. Tr0ub4dor&3

And the winners are...

  1. correct-horse-battery-staple - 550 years to crack
  2. Tr0ub4dor&3 - 3 days to crack (and harder to remember)

What makes a strong password?

It's all about entropy

Comic from xkcd
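The "years to crack" figures on the previous slide follow directly from entropy. This added example (not part of the original slides) reproduces them using the attacker model from the xkcd comic the slide refers to: an offline guessing attack at 1,000 guesses per second. The guess rate, the 2,048-word dictionary, and the per-component bit estimates for the "Tr0ub4dor&3" pattern are assumptions taken from that comic, not figures stated on the slides.

```python
import math

# Assumed attacker model (from the xkcd comic the slide cites, not from the
# slides themselves): offline attack against a stolen hash at 1000 guesses/s.
GUESSES_PER_SECOND = 1000

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed entropy contributions of the "uncommon word + substitutions"
# pattern behind Tr0ub4dor&3. Each step the attacker has to guess adds a
# few bits, but the total stays small because the pattern is predictable.
TROUBADOR_COMPONENTS = {
    "uncommon base word": 16,   # one of ~65,000 dictionary words
    "capitalisation": 1,        # first letter upper or lower
    "common substitutions": 3,  # o->0, a->4 etc. are well-known rules
    "numeral": 3,               # a single appended digit
    "punctuation": 4,           # one of ~16 common symbols
    "ordering": 1,              # symbol-then-digit or digit-then-symbol
}


def passphrase_bits(num_words: int, dictionary_size: int) -> float:
    """Entropy of num_words words picked uniformly at random from a
    dictionary of dictionary_size common words (log2 of the search space)."""
    return num_words * math.log2(dictionary_size)


def pattern_bits(components: dict[str, int]) -> float:
    """Entropy of a structured password: the attacker guesses each
    component separately, so the bits simply add up."""
    return float(sum(components.values()))


def crack_time_seconds(bits: float, guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Time to exhaust a search space of 2**bits candidates."""
    return 2 ** bits / guesses_per_second


def compare() -> dict[str, tuple[float, str]]:
    """Entropy and crack time for the slide's two 'winners'."""
    phrase = passphrase_bits(4, 2048)          # four words from 2048 = 44 bits
    pattern = pattern_bits(TROUBADOR_COMPONENTS)  # 28 bits
    return {
        "correct-horse-battery-staple":
            (phrase, f"{crack_time_seconds(phrase) / SECONDS_PER_YEAR:.0f} years"),
        "Tr0ub4dor&3":
            (pattern, f"{crack_time_seconds(pattern) / SECONDS_PER_DAY:.1f} days"),
    }


if __name__ == "__main__":
    for password, (bits, time_to_crack) in compare().items():
        print(f"{password:30} {bits:5.1f} bits  ~{time_to_crack}")
```

Every extra random word adds the same 11 bits, so a fifth word would multiply the crack time by another 2,048; the substitution pattern gains nothing comparable from an extra symbol.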

Spooky

Comic from dilbert.com

Can a good password be bad?

  • Yes if you reuse it
  • Never, ever, ever use the same password on different systems

Better passwords

Do the two step

  • available on all Gmail & Google Apps accounts
  • WordPress plugin
  • also on many third party services
  • other alternatives

WordPress security basics

  • Use good passwords!
  • Don't use the 'admin' username
  • Limit admin access
  • Only use reputable themes & plugins
  • Keep WordPress, plugins, themes up to date
  • Automated, regular backups
  • Use a good quality web host

Your webhost matters

  • Are they secure?
  • Do they optimise for WordPress?
  • You get what you pay for (usually)
  • Just because it's good...
    doesn't mean it's good for you

Back up your site

  • Back up files & DB
  • Make sure it's automatic
  • Don't (only) back up on your server

Some options

Beware of using WordPress export for backup

More tech, but helpful

  • Two-step passwords
  • .htaccess security
  • File permissions
  • DISALLOW_FILE_EDIT
  • Update wp-config security keys
  • Use https for admin
  • Use a CDN

See the WordPress Codex for more info.

All too complex?

Comic from dilbert.com

... get a security expert

Is my site clean?

sitecheck.sucuri.net

Useful resources

Useful plugins

Wrap Up

  • Staying secure is a journey
  • You are only as secure as the weakest link
  • Practice good password hygiene
  • Use good, up-to-date software
  • Back up
  • Be aware, but not paranoid
    (unless the FBI is really after you)

Future Meetings

Third Thursday of the month

Next meeting 20 June

  • Plugins
  • Hosting
  • Widgets
  • Ecommerce

Thanks for listening

Mark Rowatt Anderson

http://rowatt.com/

(0797) 123 1239