Who Should Read This Book
This eBook is targeted primarily at the business community as consumers of web design, marketing and development solutions. It is also of value to those same solution providers: a better understanding of these topics and the issues presented will help them better serve their customers.
Table of Contents - 21 pages
- Who Should Read This Book
- Help! My Site Has Been Hacked
- Stay Calm
- Check your Local Machine
- Check with your hosting provider
- Change your passwords
- Change your secret keys
- Make another backup
- Do some research
- Check your .htaccess file for hacks
- Consider a fresh start
- Restore core WordPress files from a clean download
- Upgrade Next
- Change your passwords AGAIN!
- Review your security strategies
- Backup, Backup, Backup
- How do you find backdoors?
- What does added code look like
- Disguising the Hack
- Base64 Encoding
- Stealth Code Example
- How do you find backdoors?
- I'm not technical, how do I protect myself?
- Overview of Security Basics
- Your Hosting Provider
- Security Strategies
- What do you need to secure?
- WordPress Security Issues
- Disable File Editing
- Firewall Plugins
- Plugins that need write access
- Code execution plugins
- Security Through Obscurity
- WordPress Security Plugins
- Plugin Protection
- Theme Protection
- File Vulnerabilities
- General Security Tools
- Spam and Virus Management
- AntiVirus for WordPress
- Fast Secure Contact Form
- Wrap It Up
- Appendix A
- About the Authors
Sample excerpt from ebook
Overview of Security Basics
Security is not about having a perfectly secure website. That might be possible in theory, but it is not practical unless securing the site is all you want to do with your life. It would also require complete control of every aspect of your hosting hardware and software as well as your website files, which most small business owners do not have. Security requirements differ from website to website, so it is important to understand the basic security concepts and apply them to your individual needs. You aren't the DOD (Department of Defense) and you don't have their budget, so your needs will be a bit more modest.
Your Hosting Provider
Security begins with your hosting provider's hardware and systems. A secure server protects and balances the privacy, integrity and availability of the resources (your website) that it delivers to your website's users.
Qualities of a trusted hosting provider include:
- Willingness to discuss your security concerns and the security features and processes offered with their hosting.
- Providing the most recent stable versions of all server software.
- Providing reliable methods for backup and recovery.
Good security rests on three basic concepts. At every level of your security review, each of these concepts should be part of the strategy. They are:
- Controlling and limiting access - Making smart choices that reduce the entry points available to a malicious person.
- Containment - Your system should be configured to minimize the amount of damage that can be done in the event that it is compromised.
- Preparation and knowledge - Keeping backups and knowing the state of your WordPress installation at regular intervals. Having a plan to back up and recover your installation in case of catastrophe helps you get back online faster when a problem occurs.
What do you need to secure?
Until you spend some time thinking about security, it is easy to assume that all security efforts happen AT your website. This is not the case, and that attitude exposes your site to a host of vulnerabilities. Let's review all of the components you need to consider.
- Your computer and its software – Make sure the computer you use to manage your site is free of spyware, malware and virus infections. No amount of security on the other components below will make the slightest difference if there is a keylogger on YOUR computer.
- Your website software (in this case WordPress) – Like many modern software packages, WordPress is updated regularly to address new security issues as they arise. Improving software security is an ongoing concern, so you should always keep up to date with the latest version of WordPress. Older versions of WordPress do not receive security updates.
- Your web server hardware and software – Review your hosting provider's security policies: specifically, how they keep their systems up to date, their firewalls, and their other security strategies.
- The Network - The network on both ends -- the WordPress server side and the client network side -- should be trusted. That means updating firewall rules on your home router and being careful about what networks you work from. An Internet cafe where you are sending passwords over an unencrypted connection, wireless or otherwise, is not a trusted network.
- Passwords – Understand what makes a STRONG password: basically, a mix of upper and lower case letters, numbers and other symbols (-, +, !, #). A strong password protects more than your website content. A hacker who gains access to your administrator account can install malicious scripts that could compromise your entire server.
- File management software (FTP, SFTP, HTTPS) – FTP is fundamentally insecure. Use SFTP at the least, or an HTTPS file manager, to access your site files.
- Your site's file permissions – Most web servers manage the file permissions of your site for you, restricting access to the files in your site folder to specific system users. This is part of the containment strategy. If you do have the ability to change permissions, do so with caution and with an understanding of how a change might compromise your system.
- Your site's database – Most hosting services limit access to your database to a specific user id and password, so the strength of that password matters. If you have direct control of your database, review the literature on securing it.
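The file-permissions item above can be checked rather than taken on faith. The following shell script is an added example, not code from the eBook or its authors: it audits a WordPress directory for the two permission mistakes that most directly defeat containment on a shared host, and it builds its own constructed demo tree under mktemp so it runs without touching a real site.

```shell
#!/bin/sh
# Permission audit for a WordPress directory (added example, not from the eBook).
# Two containment checks: anything writable by every account on the host, and a
# wp-config.php (database credentials, secret keys) readable by other accounts.
# find octal masks: -002 = "other" write bit set, -004 = "other" read bit set.

audit_wp_perms() {
  root="$1"
  if [ -f "$root/wp-config.php" ]; then
    if [ -n "$(find "$root/wp-config.php" -perm -004)" ]; then
      echo "WARN wp-config.php is readable by every user on the host"
    fi
  else
    echo "WARN $root/wp-config.php not found"
  fi
  # A world-writable file or directory lets any local account plant code.
  find "$root" -perm -002 -print | while IFS= read -r path; do
    echo "WARN world-writable: $path"
  done
  return 0
}

# Number of WARN lines the audit produced for a directory.
count_findings() {
  audit_wp_perms "$1" | grep -c '^WARN' || true
}

# Remediation: drop the "other" write bit everywhere and lock wp-config.php.
# 600 assumes PHP runs as the file owner; hosts where the web server is a
# different user in the owner's group need 640 instead.
fix_wp_perms() {
  chmod -R o-w "$1"
  if [ -f "$1/wp-config.php" ]; then
    chmod 600 "$1/wp-config.php"
  fi
}

# Constructed demo tree with three deliberate mistakes; not a real site.
WP_DEMO=$(mktemp -d)
trap 'rm -rf "$WP_DEMO"' EXIT
mkdir -p "$WP_DEMO/wp-content/uploads" "$WP_DEMO/wp-content/themes/demo"
printf '<?php /* constructed config */\n' > "$WP_DEMO/wp-config.php"
printf '<?php /* constructed theme */\n' > "$WP_DEMO/wp-content/themes/demo/functions.php"
chmod 755 "$WP_DEMO" "$WP_DEMO/wp-content" "$WP_DEMO/wp-content/themes" "$WP_DEMO/wp-content/themes/demo"
chmod 644 "$WP_DEMO/wp-config.php"                          # readable by all
chmod 777 "$WP_DEMO/wp-content/uploads"                     # world-writable
chmod 646 "$WP_DEMO/wp-content/themes/demo/functions.php"   # world-writable

audit_wp_perms "$WP_DEMO"   # prints three WARN lines
```

Running `fix_wp_perms` on the same tree and auditing again produces no findings; on a real install, replace `$WP_DEMO` with the site's document root and review the output before changing anything.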