WordPress Security Notes

David Wilemski: An introduction to WordPress security

Zero Day Vulnerability in many WordPress Themes

Distributed WordPress admin account cracking

Change “wp_” table prefix to avoid automatic SQL injection

Delete admin user

Use SSL in wp-admin

Linux file permissions – 755 folders, 644 files

Change wp-config.php secrets

Stealth login

Restrict access to wp-admin by IP address

Limit login attempts

Duo two factor authentication

Backups: WP-DB-backup (email) or PressBackup (S3)

Backup infected site for analysis

Restore from known good backup

Check WordPress logs (Codex recommends OSSEC)

Don’t assume plugins are safe – check reviews and downloads

Ottopress – How to cope with a hacked site “here’s what the website guy will be doing, if he knows his business…”

FAQ: My site was hacked

Vaultpress backup service

Bad Behavior anti spam plugin
