Keeping your web site secure
an overview of web & WordPress security
Overview
- Why bother?
- Everyday security
- Keeping WordPress secure
- Useful tools
- Q&A
Some common attacks
- Brute force
- Code exploits
- Denial of service
- Trojans
- WiFi sniffing
Beware... just because your site works OK doesn't mean you haven't been compromised!
Everyday security
- Really, really, very important!
- Good passwords
- Keep software updated
- Robust backups
- Anti-virus etc.
- Keep your email doubly secure
- Be sensible
What makes a good password?
How good are these?
- password
- 147258
- [email protected]$$w0rd
- correct-horse-battery-staple
- tbontbtitq
- Tr0ub4dor&3
And the winners are...
- correct-horse-battery-staple - 550 years to crack
- Tr0ub4dor&3 - 3 days to crack (and harder to remember)
What makes a strong password?
It's all about entropy
Comic from xkcd
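To make the "entropy" point concrete, here is an added worked example (not part of the talk, and not the comic's own code) that reproduces the numbers on the previous slide. It assumes the comic's model: a four-word passphrase drawn from a 2048-word list, the "word with tweaks" accounting for Tr0ub4dor&3, and an attacker making 1000 guesses per second. The 7776-word list is the standard Diceware size mentioned later in the talk.

```python
import math

# Assumptions for this worked example, taken from the xkcd comic the slide cites:
# a throttled online attack running at 1000 guesses per second.
GUESSES_PER_SECOND = 1000
SECONDS_PER_YEAR = 365 * 24 * 3600
SECONDS_PER_DAY = 24 * 3600


def passphrase_bits(word_count, wordlist_size):
    """Entropy in bits of a passphrase of `word_count` words chosen uniformly
    at random from a list of `wordlist_size` words (log2 of the search space)."""
    return word_count * math.log2(wordlist_size)


# The comic's accounting for a 'word with tweaks' password such as Tr0ub4dor&3.
# Each tweak is worth only the bits of choice it adds, because an attacker tries
# every common tweak systematically rather than guessing characters at random.
TROUBADOR_STYLE_COMPONENTS = {
    "uncommon base word": 16,
    "capitalisation": 1,
    "common substitutions (0 for o, 4 for a)": 3,
    "punctuation": 4,
    "numeral": 3,
    "order of punctuation and numeral": 1,
}


def pattern_bits(components):
    """Total entropy of a password built from enumerable components."""
    return sum(components.values())


def crack_seconds(bits, rate=GUESSES_PER_SECOND):
    """Worst-case time to exhaust a search space of 2**bits at `rate` guesses/s.
    Against an offline attack on a stolen hash database the rate is many orders
    of magnitude higher, so the absolute times shrink, but the ratio between
    the two passwords stays the same."""
    return 2 ** bits / rate


def describe(bits, rate=GUESSES_PER_SECOND):
    """Human-readable crack time for a given entropy."""
    secs = crack_seconds(bits, rate)
    if secs >= SECONDS_PER_YEAR:
        return f"{bits:.0f} bits: about {secs / SECONDS_PER_YEAR:,.0f} years"
    return f"{bits:.0f} bits: about {secs / SECONDS_PER_DAY:.1f} days"


if __name__ == "__main__":
    four_words = passphrase_bits(4, 2048)       # the comic's 2048-word list
    tweaked = pattern_bits(TROUBADOR_STYLE_COMPONENTS)
    five_diceware = passphrase_bits(5, 7776)    # a standard Diceware list
    print("correct-horse-battery-staple:", describe(four_words))
    print("Tr0ub4dor&3:                 ", describe(tweaked))
    print("five Diceware words:         ", describe(five_diceware))
```

Running it gives roughly 44 bits and 550-odd years for the passphrase against 28 bits and about 3 days for Tr0ub4dor&3, which is where the slide's figures come from; five Diceware words push past 64 bits, which is why a generated passphrase beats a "clever" substitution password.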
Can a good password be bad?
- Yes if you reuse it
- Never, ever, ever use the same password on different systems
Better passwords
- Use a password generator, e.g. Diceware
- Use password management software e.g.
- Two step authentication
Do the two step
- available on all Gmail & Google Apps accounts
- WordPress plugin
- also on many third party services
- other alternatives
WordPress security basics
- Use good passwords!
- Don't use admin username
- Limit admin access
- Only use reputable themes & plugins
- Keep WordPress, plugins, themes up to date
- Automated, regular backups
- Use a good quality web host
Your webhost matters
- Are they secure?
- Do they optimise for WordPress?
- You get what you pay for (usually)
- Just because it's good... doesn't mean it's good for you
Backup your site
- Backup files & DB
- Make sure it's automatic
- Don't (only) backup on your server
Some options
Beware of using WordPress export for backup
More tech, but helpful
- Two step authentication
- .htaccess security
- File permissions
- DISALLOW_FILE_EDIT
- Update wp-config security keys
- Use https for admin
- Use a CDN
See WordPress codex for more info.
... get a security expert
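Two of the items on the "more tech" slide (DISALLOW_FILE_EDIT and the wp-config security keys), plus forcing https for admin, are all just constants in wp-config.php. The following added example (my own, not code from the talk or from WordPress) is a small checker that reads a wp-config.php and reports the things an administrator most often forgets. The sample file contents are constructed; the constant names DISALLOW_FILE_EDIT and FORCE_SSL_ADMIN and the placeholder text "put your unique phrase here" are the real ones WordPress ships, but the regex parser is deliberately simple and only understands single-line define() calls.

```python
import re

# Constructed sample wp-config.php fragment (not any real site's file): it still
# carries the placeholder keys from wp-config-sample.php and has no hardening.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
"""

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
DEFAULT_PLACEHOLDER = "put your unique phrase here"
MIN_KEY_LENGTH = 32  # assumption for this checker; the WordPress generator emits 64 chars

# Matches simple one-line define('NAME', value); calls only.
DEFINE_RE = re.compile(r"define\(\s*['\"]([A-Z_]+)['\"]\s*,\s*(.+?)\s*\)\s*;")


def parse_defines(source):
    """Return {CONSTANT: value-as-text} for every define() in the file."""
    return {name: raw.strip().strip("'\"") for name, raw in DEFINE_RE.findall(source)}


def audit_wp_config(source):
    """List the hardening problems found in a wp-config.php; empty list means clean."""
    defines = parse_defines(source)
    findings = []
    for key in KEY_NAMES:
        value = defines.get(key)
        if value is None or value == DEFAULT_PLACEHOLDER or len(value) < MIN_KEY_LENGTH:
            findings.append(f"{key}: missing, still the default placeholder, or too short; "
                            "set a unique random value")
    if defines.get("DISALLOW_FILE_EDIT", "").lower() != "true":
        findings.append("DISALLOW_FILE_EDIT not set to true: the theme/plugin editor is "
                        "available to anyone who gets into the dashboard")
    if defines.get("FORCE_SSL_ADMIN", "").lower() != "true":
        findings.append("FORCE_SSL_ADMIN not set to true: admin and login pages are not "
                        "forced over https")
    return findings


def hardened_example():
    """Constructed hardened wp-config.php; the key values are obviously made up
    and stand in for output of the WordPress secret-key generator."""
    lines = ["<?php", "define('DB_NAME', 'example_db');"]
    for i, key in enumerate(KEY_NAMES):
        lines.append(f"define('{key}', '{key.lower()}-constructed-value-{str(i) * 40}');")
    lines.append("define('DISALLOW_FILE_EDIT', true);")
    lines.append("define('FORCE_SSL_ADMIN', true);")
    lines.append("$table_prefix = 'wp_';")
    return "\n".join(lines)


if __name__ == "__main__":
    for label, config in (("sample", SAMPLE_WP_CONFIG), ("hardened", hardened_example())):
        problems = audit_wp_config(config)
        print(f"{label}: {len(problems)} finding(s)")
        for p in problems:
            print("  -", p)
```

The sample file produces ten findings (eight placeholder keys plus the two missing constants); the hardened version produces none. On a real site, replace the keys with fresh values from the WordPress secret-key service, and remember that changing them logs every user out, which is exactly what you want after a suspected compromise.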
Useful plugins
- Login & authentication
- Backup
- Scanning & other
Wrap Up
- Staying secure is a journey
- You are only as secure as the weakest link
- Practice good password hygiene
- Use good up to date software
- Back up
- Be aware, but not paranoid
(unless the FBI is really after you)
Future Meetings
Third Thursday of the month
Next meeting 20 June
- Plugins
- Hosting
- Widgets
- Ecommerce