November 09, 2016

01:07:25

140 What Are the Best Practices For WordPress Security?


Show Notes

In this WP-Tonic round-table we look at WordPress and security with an excellent panel of WordPress community experts.


Our panel this week:
Brian Jackson from https://woorkup.com/ and https://kinsta.com/
Sallie Goetsch from https://wpfangirl.com/
Jackie D'Elia from https://jackiedelia.com/
Jonathan Denwood from https://www.wp-tonic.com/
John Locke from Lockedown SEO


Episode 140 Table of Contents
0:00 Podcast intros
1:50 WordPress Security – 18+ Steps to Lock Down Your Site
https://kinsta.com/blog/wordpress-security

3:12 Learning From Buggy WordPress Wp-login Malware
https://blog.sucuri.net/2016/10/learning-buggy-wordpress-wp-login-malware.html

6:49 Updating your WordPress plugins is one of the most important things you can do
10:22 Test all plugin and theme updates on a staging server

12:25 Surviving Electmageddon: Protecting against a wave of DNS outages
https://www.wordfence.com/blog/2016/11/surviving-electmageddon-protecting-wave-dns-outages/
(DDoS attacks and advantages of having a secondary DNS server)

17:34 Securing WordPress from the Start
https://ithemes.com/2016/11/02/securing-wordpress/

21:29 It's a good idea to have redundant backups for your website. You can't have enough of these.

24:35 What is one WordPress security tip that you should use right from the start?

25:48 Brian has a story about what sort of long-lasting damage to your SEO a single hack can produce.

27:20 Cleaning Up a Massive Negative SEO Attack with Web CEO
https://woorkup.com/cleaning-negative-seo-attack-web-ceo/

29:52 Changing the default login URL can prevent automated attacks. Also, always use strong passwords.

31:11 Always check your code for hidden backlinks to spam sites.

32:35 We discuss Negative SEO.

33:12 Linkpocalypse Now – The Horror of Negative SEO
http://www.jacobking.com/negative-seo-truth

35:05 Limit the login attempts people can make to prevent a brute force attack. Consider two-factor authentication for logins.

36:16 Deactivate and delete any themes and plugins you're not using. Don't use the automatic WordPress install scripts that your hosting company provides.

38:24 Many people use weak passwords, and that's why they get hacked.

40:37 Install an audit log so you can see what activity is happening on your site. Clients will often be freaked out by how often the site is scanned.

42:25 Don't use themes where plugins are bundled into the theme (like on ThemeForest)
https://www.lockedownseo.com/why-we-shouldnt-bundle-wordpress-plugins-in-themes/

43:37 Do not allow everyone on your site to have Administrator access

46:15 XML-RPC: What is it? Why should you limit its use? How do hackers use it?

49:03 Be careful about using public Wi-Fi to FTP or log in to your site. Always use HTTPS on your site to encrypt your password when logging in publicly.

52:01 Use a virus scan on your own computer. Your computer can be an attack vector. Keep your version of PHP and MySQL versions up to date on your hosting account.

53:48 Shared hosting is not the most secure option for hosting. Large companies with internal IT departments are also prime for attack.

57:43 How much resistance is there with getting clients on board with WordPress security best practices?

1:02:44 If possible, use a service like LastPass to use strong passwords.
https://www.lastpass.com/

1:03:40 Podcast outros
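Several of the points above (limiting login attempts at 35:05, keeping an audit log at 40:37, and restricting XML-RPC at 46:15) come down to noticing bursts of requests against wp-login.php and xmlrpc.php. The script below is an added example, not code from the podcast or from any of the panelists or tools they mention. It parses web-server access log lines in the common "combined" format and flags source IPs whose failed logins or XML-RPC POSTs exceed a threshold inside a sliding time window. The sample log lines are constructed (RFC 5737 test addresses); the rule that a POST to wp-login.php answered with HTTP 200 is a failed login while a 302 redirect is a success is a heuristic based on default WordPress behaviour and is an assumption of this example, as are the thresholds.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
203.0.113.5 - - [09/Nov/2016:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2016:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2016:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
203.0.113.5 - - [09/Nov/2016:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2016:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2016:10:00:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [09/Nov/2016:10:01:10 +0000] "GET /wp-admin/ HTTP/1.1" 200 9100 "-" "Mozilla/5.0"
192.0.2.9 - - [09/Nov/2016:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
192.0.2.9 - - [09/Nov/2016:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
192.0.2.9 - - [09/Nov/2016:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
192.0.2.9 - - [09/Nov/2016:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
192.0.2.9 - - [09/Nov/2016:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
192.0.2.9 - - [09/Nov/2016:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 410 "-" "-"
203.0.113.5 - - [09/Nov/2016:10:30:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3512 "-" "Mozilla/5.0"
this line is garbage that the parser must skip
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return a dict for one combined-log line, or None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    path = m.group("path").split("?", 1)[0]  # drop any query string
    return {"ip": m.group("ip"), "ts": ts, "method": m.group("method"),
            "path": path, "status": int(m.group("status"))}


def is_failed_login(ev):
    # Heuristic (assumption): WordPress re-renders the login form with HTTP 200
    # on a failed login and answers a successful one with a 302 redirect.
    return (ev["method"] == "POST" and ev["path"].endswith("/wp-login.php")
            and ev["status"] == 200)


def is_xmlrpc_post(ev):
    return ev["method"] == "POST" and ev["path"].endswith("/xmlrpc.php")


def burst_sources(events, predicate, threshold, window):
    """Sliding-window counter: return {ip: peak_count} for every IP whose
    requests matching `predicate` reach `threshold` inside any `window`."""
    recent = defaultdict(deque)
    flagged = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not predicate(ev):
            continue
        q = recent[ev["ip"]]
        q.append(ev["ts"])
        while ev["ts"] - q[0] > window:  # evict timestamps older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[ev["ip"]] = max(flagged.get(ev["ip"], 0), len(q))
    return flagged


def analyze(log_text, threshold=5, window=timedelta(minutes=5)):
    """Run both detections over a log text; thresholds are example values."""
    events = [ev for ev in map(parse_line, log_text.splitlines()) if ev]
    return {
        "login_bruteforce": burst_sources(events, is_failed_login, threshold, window),
        "xmlrpc_abuse": burst_sources(events, is_xmlrpc_post, threshold, window),
        "parsed": len(events),
    }


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        print(kind, hits)
```

Run against the constructed sample, the script flags 203.0.113.5 for five failed logins in a few seconds (its lone attempt half an hour later falls outside the window and is not counted against the earlier burst) and 192.0.2.9 for six XML-RPC POSTs, while the single failure followed by a successful 302 from 198.51.100.7 is not reported. Pointing the same functions at a real access log is a cheap way to see how often a site is being scanned, which is the kind of visibility the panel says an audit log gives clients.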

===============

Other links mentioned during the show:

Maximum Overdrive (imdb)
http://www.imdb.com/title/tt0091499/

rmoov - The Backlink Removal Tool That Helps You Clean Up Bad Links
https://www.rmoov.com/index.php

Unmasked: What 10 million passwords reveal about the people who choose them
https://wpengine.com/unmasked/

WP White Security
https://www.wpwhitesecurity.com/

WP Security Audit Log
https://www.wpsecurityauditlog.com/

Co-Authors Plus
https://wordpress.org/plugins/co-authors-plus/

iThemes Security
https://ithemes.com/security/

Google Authenticator
https://wordpress.org/plugins/google-authenticator/

WP Clef
https://wordpress.org/plugins/wpclef/

KeyCDN
https://www.keycdn.com/


===============

For bonus content on this episode, go to the WP-Tonic website:
https://www.wp-tonic.com/podcast/140-best-practices-for-wordpress-security/

===================


Subscribe to WP-Tonic on iTunes
https://itunes.apple.com/us/podcast/wp-tonic-wordpress-podcast/id893083124?mt=2


===================


WP-Tonic is both a WordPress maintenance and support service and the publisher of a twice-weekly WordPress podcast in which we talk with some of the most successful people in WordPress development, business, and online marketing.
