OC WordPress Security/Maintenance Talk.
We gave a presentation on maintaining and securing your WordPress installation at this month’s OC WordPress meetup. These are our notes from our presentation.
Maintenance
Regular database backups & optimizations
- Download and install WP-DBManager (http://wordpress.org/extend/plugins/wp-dbmanager/)
- Move /wp-content/plugins/wp-dbmanager/htaccess.txt to /wp-content/backup-db/.htaccess (be sure to change file name)
- Navigate to Database -> DB Options, scroll to the Automatic Scheduling section at the bottom of the page
- Configure frequency and email address for database backups (select Gzip “Yes” option)
- Configure frequency of database optimization
- Click “Save Changes”
How to backup your site before upgrading
- Download your wp-content directory (usually via FTP)
- Export your database to a local file using WP-DBManager
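A shell script that does this backup from the command line, added here as an example rather than taken from the talk. It assumes a site root containing wp-config.php and wp-content/, reads the database name, user and host out of wp-config.php, and uses mysqldump (which prompts for the password) in place of the WP-DBManager export described above:

```shell
#!/bin/sh
# Pre-upgrade WordPress backup: an added example, not from the talk.
# Assumes a site root holding wp-config.php and wp-content/. The database is
# dumped with mysqldump (standing in for the WP-DBManager export used in the
# talk) and gzipped, matching the Gzip option recommended above.
set -eu

# Print the value of define('NAME', 'value') from wp-config.php (empty if absent).
wp_config_get() {
    config=$1; name=$2
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$name['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$config" | head -n 1
}

# Archive wp-content (themes, plugins, uploads), the one directory the upgrade
# steps tell you not to overwrite, and verify the archive before reporting it.
# Usage: wp_backup_content /path/to/site /path/to/backups  -> prints archive path
wp_backup_content() {
    site_root=$1; out_dir=$2
    [ -d "$site_root/wp-content" ] || { echo "no wp-content in $site_root" >&2; return 1; }
    mkdir -p "$out_dir"
    archive="$out_dir/wp-content-$(date +%Y%m%d-%H%M%S).tar.gz"
    tar -czf "$archive" -C "$site_root" wp-content
    # A backup you cannot read back is not a backup: list it before trusting it.
    tar -tzf "$archive" >/dev/null
    echo "$archive"
}

# Dump the database named in wp-config.php with mysqldump, gzipped.
# mysqldump prompts for the password (-p) so it never appears on the command line.
# Usage: wp_backup_db /path/to/site /path/to/backups  -> prints dump path
wp_backup_db() {
    site_root=$1; out_dir=$2
    config="$site_root/wp-config.php"
    db_name=$(wp_config_get "$config" DB_NAME)
    db_user=$(wp_config_get "$config" DB_USER)
    db_host=$(wp_config_get "$config" DB_HOST)
    [ -n "$db_name" ] || { echo "DB_NAME not found in $config" >&2; return 1; }
    mkdir -p "$out_dir"
    dump="$out_dir/db-$db_name-$(date +%Y%m%d-%H%M%S).sql.gz"
    mysqldump -h "${db_host:-localhost}" -u "$db_user" -p "$db_name" | gzip > "$dump"
    # An empty dump means mysqldump failed; do not report it as a backup.
    [ -s "$dump" ] || { echo "database dump is empty: $dump" >&2; return 1; }
    echo "$dump"
}
```

Keep the two archives together with the date in their names; the wp-content tarball is what you restore if the new files in step "Upload everything EXCEPT the wp-content folder" go wrong.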
Upgrading to 3.0
- Download & unzip the latest stable release of WordPress (http://wordpress.org/download/)
- Make a backup (refer to the previous step)
- Install/Activate & enable the Maintenance Mode plugin (http://wordpress.org/extend/plugins/maintenance-mode/)
- Delete the wp-admin & wp-includes folders
- Upload everything EXCEPT the wp-content folder to your website
- Upload the new TwentyTen theme to wp-content/themes/
- When all files are done uploading, visit your WordPress admin (http://example.com/wp-admin/)
- Click on the “Upgrade WordPress Database” button, then the subsequent “Continue” button.
Security
.htaccess stuff
- Don’t allow directory indexes: put the following line in your .htaccess file
Options All -Indexes
Using .htaccess to protect wp-admin – wp-admin level .htaccess
Method 1 – IP Blocking: put the following in the .htaccess file in your wp-admin folder
order deny,allow
# Replace 203.0.113.5 (a placeholder address) with your own static IP
# (it must be static; if your IP is dynamic you may have to change this often)
allow from 203.0.113.5
# Add one "allow from" line per additional user or IP
allow from 203.0.113.6
deny from all
Note: Apache does not allow comments after a directive on the same line, so keep the # lines separate. Find your IP by going to http://whatismyip.com
Method 2 – Password Protection
Step 1: Create your .htpasswd file (set FTP to “show invisible files”) (http://www.htaccesstools.com/htpasswd-generator/)
Step 2: Upload your .htpasswd files to your FTP
Step 3: Open your .htaccess file or create a new one if it doesn’t exist in /wp-admin and paste in the following:
<FilesMatch "\.php$">
# AuthUserFile must be an absolute path from root (check with your host for this info)
AuthUserFile /path/to/.htpasswd
AuthType Basic
AuthName "restricted"
Order Deny,Allow
Deny from all
Require valid-user
Satisfy any
</FilesMatch>
Note: this also covers wp-admin/admin-ajax.php, so plugins that call it from the front end for visitors who are not logged in will stop working unless you add an exception for that file.
No search engines for WP folders:
In robots.txt: Disallow: /wp-* (create a robots.txt at the root level if one does not exist)
Protect against brute force attacks: (http://wordpress.org/extend/plugins/login-lockdown/)
Change username from “admin”
- Option 1 – Fresh 3.0 install: set username during install process
- Option 2 – Database Query: update tableprefix_users set user_login='newuser' where user_login='admin'; (usually via phpMyAdmin; replace tableprefix with your table prefix)
Tip: Only use editor and below user roles for publishing
Change your table prefix from default “wp_”
- Option 1 – Fresh install: change the table prefix during the install process
- Option 2 – Current install: change the table prefix variable in the config file and update the database table names (usually via phpMyAdmin; requires that the database user have ALTER permissions)
Tip: Correct file permissions (Security Scan Plugin)
Protect against Spam Comments/Email Obfuscation
- Akismet
- Cookies for Comments (plugin)
- SpamShiv! (plugin)
Tip: Don’t host with GoDaddy or Network Solutions =)