Start learning with our library of video tutorials taught by experts. Get started

WordPress 3: Developing Secure Sites
Illustration by

Auditing your site


From:

WordPress 3: Developing Secure Sites

with Jeff Starr

Video: Auditing your site

In the screencast, we're going to do sort of a live security audit on our demo site. This walkthrough will hit the most important points and provide a good overview that should help bring together a lot of what we've been talking about in this screencast series. So let's start in the Admin area and go to the Settings menu and click on the General link. The thing to look at on this page is right here, Anyone can register. We don't want to enable this right now.

Watch this entire course now—plus get access to every course in the library. Each course includes high-quality videos taught by expert instructors.

Become a member
please wait ...
WordPress 3: Developing Secure Sites
2h 36m Intermediate Jun 27, 2011

Viewers: in countries Watching now:

This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.

Topics include:
  • Backing up and restoring your site
  • Setting up strong passwords
  • Choosing trusted plugins and themes
  • Protecting the configuration file and the admin directory
  • Securing the login page
  • Fighting comment spam
  • Blocking access and detecting hacks
  • Finding and reporting vulnerabilities
Subjects:
Developer Web CMS Web Development
Software:
WordPress
Author:
Jeff Starr

Auditing your site

In the screencast, we're going to do sort of a live security audit on our demo site. This walkthrough will hit the most important points and provide a good overview that should help bring together a lot of what we've been talking about in this screencast series. So let's start in the Admin area and go to the Settings menu and click on the General link. The thing to look at on this page is right here, Anyone can register. We don't want to enable this right now.

If it's ever required later and we know what we're doing, then yes, we can allow anyone to register. But for now, it's important to understand that this enables people to register for your site and gain access to the Admin area. Also take a look at New User Default Role, and leave this set to Subscriber, unless you have a good reason to do so otherwise. After looking at this area, then go to the Discussion screen by clicking the Discussion link and look at this area right here, Before a comment appears.

An administrator must always approve the comment is a good idea. Likewise, Comment author must have previously approved comment. Either that or having them both checked is a good idea, especially when you're first starting out. As you begin to fine-tune your discussion settings and know what you want to do then come back in and take a look, and you can change that to whatever you want. It's important to be aware that this setting exists, and you want to take a look at that.

Next, click on the Privacy link, and take a look at your site's visibility. Would you like to block search engines or allow search engines? For this demo site, I am blocking the search engines because I do not want to diminish my page rank. However, if you have a public site that you're trying to promote and bring traffic to, make sure that this setting is set at allow search engines. Once you have that taken care of, then click on over to the Users menu and click on the Users link.

Take a look at the users that are registered for your site and keep an eye on the number of administrators that you have. When possible, keep your administrators down to one, or as few as possible. If you see an administrator that should not be an administrator, check their name and then change the role using this dropdown menu. Once we've looked at the Users page, let's go to the Plugins menu, and take a look at the plug-ins that we have installed. Here we should see no inactive or obsolete plug-ins, plug-ins that are no longer used. Just clear them out, deactivate them, uninstall them, and remove them.

You should only keep plug-ins around if you're going to be using them. So take a look at your plug-ins and make sure to keep that area nice and clean. Once we are done in the Admin area, let's go to our FTP/file editor and take a look at the wp-config.php file. The two things that we want to look for are the configuration keys right here, your Authentication Unique Keys as they're called. Make sure you have got those in place, and also make sure that you have a custom table prefix for your database.

We discussed all of this in previous screencasts in this tutorial series. We also want to make sure that our wp-config file is protected with htaccess. So let's open the root htaccess file for our site, and we see right here, one of the first things that we do is we protect the wp-config file. Once we've finished with the FTP/ fille editor, the next step is to look at the database and make sure that we have our custom prefix in place and working properly. We do. All of our WordPress tables are prefixed with our custom prefix.

Next, let's return to the htaccess file and look at some of the other things that we have incorporated into the security strategy for this particular web site. We've disabled directory listings. We are preventing hotlinking, or stealing of our content. We are blocking what's called no- referrer spam, and we have implemented a strong firewall with the 5G firewall with these last five sections here. And lastly, we block unwanted proxy visits using this slice of htaccess code and a small slice of PHP included in our header.php file for our theme.

Again, all of this is discussed in previous screencasts. Lastly, let's open our functions.php file and scroll down to make sure that we're removing the version numbers and preventing WordPress from telling people what version it is. At the end of our functions.php file, we have our code in place here. So, everything is set, but remember, there is no such thing as perfect security. Always assume that someone or something can get past your best defenses.

Even so, this screencast demonstrates some of the key things to look for in a well-secured WordPress site.

There are currently no FAQs about WordPress 3: Developing Secure Sites.

 
Share a link to this course

What are exercise files?

Exercise files are the same files the author uses in the course. Save time by downloading the author's files instead of setting up your own files, and learn by following along with the instructor.

Can I take this course without the exercise files?

Yes! If you decide you would like the exercise files later, you can upgrade to a premium account any time.

Become a member Download sample files See plans and pricing

Please wait... please wait ...
Upgrade to get access to exercise files.

Exercise files video

How to use exercise files.

Learn by watching, listening, and doing, Exercise files are the same files the author uses in the course, so you can download them and follow along Premium memberships include access to all exercise files in the library.
Upgrade now


Exercise files

Exercise files video

How to use exercise files.

For additional information on downloading and using exercise files, watch our instructional video or read the instructions in the FAQ.

This course includes free exercise files, so you can practice while you watch the course. To access all the exercise files in our library, become a Premium Member.

join now Upgrade now

Are you sure you want to mark all the videos in this course as unwatched?

This will not affect your course history, your reports, or your certificates of completion for this course.


Mark all as unwatched Cancel

Congratulations

You have completed WordPress 3: Developing Secure Sites.

Return to your organization's learning portal to continue training, or close this page.


OK
Become a member to add this course to a playlist

Join today and get unlimited access to the entire library of video courses—and create as many playlists as you like.

Get started

Already a member?

Become a member to like this course.

Join today and get unlimited access to the entire library of video courses.

Get started

Already a member?

Exercise files

Learn by watching, listening, and doing! Exercise files are the same files the author uses in the course, so you can download them and follow along. Exercise files are available with all Premium memberships. Learn more

Get started

Already a Premium member?

Exercise files video

How to use exercise files.

Ask a question

Thanks for contacting us.
You’ll hear from our Customer Service team within 24 hours.

Please enter the text shown below:

The classic layout automatically defaults to the latest Flash Player.

To choose a different player, hold the cursor over your name at the top right of any lynda.com page and choose Site preferencesfrom the dropdown menu.

Continue to classic layout Stay on new layout
Exercise files

Access exercise files from a button right under the course name.

Mark videos as unwatched

Remove icons showing you already watched videos if you want to start over.

Control your viewing experience

Make the video wide, narrow, full-screen, or pop the player out of the page into its own window.

Interactive transcripts

Click on text in the transcript to jump to that spot in the video. As the video plays, the relevant spot in the transcript will be highlighted.

Are you sure you want to delete this note?

No

Notes cannot be added for locked videos.

Thanks for signing up.

We’ll send you a confirmation email shortly.


Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

Keep up with news, tips, and latest courses with emails from lynda.com.

Sign up and receive emails about lynda.com and our online training library:

Here’s our privacy policy with more details about how we handle your information.

   
submit Lightbox submit clicked
Terms and conditions of use

We've updated our terms and conditions (now called terms of service).Go
Review and accept our updated terms of service.