Auditing your site
Video: Auditing your siteIn the screencast, we're going to do sort of a live security audit on our demo site. This walkthrough will hit the most important points and provide a good overview that should help bring together a lot of what we've been talking about in this screencast series. So let's start in the Admin area and go to the Settings menu and click on the General link. The thing to look at on this page is right here, Anyone can register. We don't want to enable this right now.
- Next steps
Viewers: in countries Watching now:
This course explains how to secure self-hosted WordPress sites, including site configuration, code modification, and the use of free plug-ins. Beginning with the basics of site security, author Jeff Starr explains how to harden a WordPress site by configuring authentication keys, setting proper file permissions, and removing version numbers. The course shows how to implement a firewall, prevent automated spam, and control proxy access, and concludes with a series of advanced tips and site security best practices.
- Backing up and restoring your site
- Setting up strong passwords
- Choosing trusted plugins and themes
- Protecting the configuration file and the admin directory
- Securing the login page
- Fighting comment spam
- Blocking access and detecting hacks
- Finding and reporting vulnerabilities
Auditing your site
In the screencast, we're going to do sort of a live security audit on our demo site. This walkthrough will hit the most important points and provide a good overview that should help bring together a lot of what we've been talking about in this screencast series. So let's start in the Admin area and go to the Settings menu and click on the General link. The thing to look at on this page is right here, Anyone can register. We don't want to enable this right now.
If it's ever required later and we know what we're doing, then yes, we can allow anyone to register. But for now, it's important to understand that this enables people to register for your site and gain access to the Admin area. Also take a look at New User Default Role, and leave this set to Subscriber, unless you have a good reason to do so otherwise. After looking at this area, then go to the Discussion screen by clicking the Discussion link and look at this area right here, Before a comment appears.
An administrator must always approve the comment is a good idea. Likewise, Comment author must have previously approved comment. Either that or having them both checked is a good idea, especially when you're first starting out. As you begin to fine-tune your discussion settings and know what you want to do then come back in and take a look, and you can change that to whatever you want. It's important to be aware that this setting exists, and you want to take a look at that.
Next, click on the Privacy link, and take a look at your site's visibility. Would you like to block search engines or allow search engines? For this demo site, I am blocking the search engines because I do not want to diminish my page rank. However, if you have a public site that you're trying to promote and bring traffic to, make sure that this setting is set at allow search engines. Once you have that taken care of, then click on over to the Users menu and click on the Users link.
Take a look at the users that are registered for your site and keep an eye on the number of administrators that you have. When possible, keep your administrators down to one, or as few as possible. If you see an administrator that should not be an administrator, check their name and then change the role using this dropdown menu. Once we've looked at the Users page, let's go to the Plugins menu, and take a look at the plug-ins that we have installed. Here we should see no inactive or obsolete plug-ins, plug-ins that are no longer used. Just clear them out, deactivate them, uninstall them, and remove them.
You should only keep plug-ins around if you're going to be using them. So take a look at your plug-ins and make sure to keep that area nice and clean. Once we are done in the Admin area, let's go to our FTP/file editor and take a look at the wp-config.php file. The two things that we want to look for are the configuration keys right here, your Authentication Unique Keys as they're called. Make sure you have got those in place, and also make sure that you have a custom table prefix for your database.
We discussed all of this in previous screencasts in this tutorial series. We also want to make sure that our wp-config file is protected with htaccess. So let's open the root htaccess file for our site, and we see right here, one of the first things that we do is we protect the wp-config file. Once we've finished with the FTP/ fille editor, the next step is to look at the database and make sure that we have our custom prefix in place and working properly. We do. All of our WordPress tables are prefixed with our custom prefix.
Next, let's return to the htaccess file and look at some of the other things that we have incorporated into the security strategy for this particular web site. We've disabled directory listings. We are preventing hotlinking, or stealing of our content. We are blocking what's called no- referrer spam, and we have implemented a strong firewall with the 5G firewall with these last five sections here. And lastly, we block unwanted proxy visits using this slice of htaccess code and a small slice of PHP included in our header.php file for our theme.
Again, all of this is discussed in previous screencasts. Lastly, let's open our functions.php file and scroll down to make sure that we're removing the version numbers and preventing WordPress from telling people what version it is. At the end of our functions.php file, we have our code in place here. So, everything is set, but remember, there is no such thing as perfect security. Always assume that someone or something can get past your best defenses.
Even so, this screencast demonstrates some of the key things to look for in a well-secured WordPress site.
There are currently no FAQs about WordPress 3: Developing Secure Sites.