Our panel this week:
Brian Jackson from https://woorkup.com/ and https://kinsta.com/
Sallie Goetsch from https://wpfangirl.com/
Jackie D’Elia from https://jackiedelia.com/
Jonathan Denwood from https://www.wp-tonic.com/
John Locke from https://www.lockedowndesign.com
Episode 140 Table of Contents
0:00 Podcast intros
1:50 WordPress Security – 18+ Steps to Lock Down Your Site
3:12 Learning From Buggy WordPress Wp-login Malware
6:49 Updating your WordPress plugins is one of the most important things you can do
10:22 Test all plugin and theme updates on a staging server
12:25 Surviving Electmageddon: Protecting against a wave of DNS outages
(DDoS attacks and advantages of having a secondary DNS server)
17:34 Securing WordPress from the Start
21:29 It’s a good idea to have redundant backups for your website. You can’t have enough of these.
24:35 What is one WordPress security tip that you should use right from the start?
25:48 Brian has a story about what sort of long-lasting damage to your SEO a single hack can produce.
27:20 Cleaning Up a Massive Negative SEO Attack with Web CEO
29:52 Changing the default login URL can prevent automated attacks. Also, always use strong passwords.
31:11 Always check your code for hidden backlinks to spam sites.
32:35 We discuss Negative SEO.
33:12 Linkpocalypse Now – The Horror of Negative SEO
35:05 Limit the login attempts people can make to prevent a brute force attack. Consider two-factor authentication for logins.
36:16 Deactivate and delete any themes and plugins you’re not using. Don’t use the automatic WordPress install scripts that your hosting company provides.
38:24 Many people use weak passwords, and that’s why they get hacked.
40:37 Install an audit log so you can see what activity is happening on your site. Clients will often be freaked out by how often the site is scanned.
42:25 Don’t use themes where plugins are bundled into the theme (like on ThemeForest)
43:37 Do not allow everyone on your site to have Administrator access
46:15 XML-RPC: What is it? Why should you limit its use? How do attackers abuse it?
49:03 Be careful about using public Wi-Fi to FTP into or log in to your site. Always use HTTPS on your site so your password is encrypted when logging in from a public network.
52:01 Use a virus scanner on your own computer. Your computer can be an attack vector. Keep the PHP and MySQL versions on your hosting account up to date.
53:48 Shared hosting is not the most secure hosting option. Large companies with internal IT departments are also prime targets for attack.
57:43 How much resistance is there with getting clients on board with WordPress security best practices?
1:02:44 If possible, use a password manager like LastPass so you can use strong passwords.
1:03:40 Podcast outros
1:06:35 YouTube bonus content begins.
1:06:47 HTTP security headers and SSL.
1:10:45 Recommendations for two factor authentication.
1:15:38 Changing your salt keys in wp-config.
1:17:27 Preventing hotlinking to images to save your bandwidth.
1:19:30 Does CloudFlare or firewalls slow down your site? Why would you want to use a service like CloudFlare?
Other links mentioned during the show:
Maximum Overdrive (imdb)
rmoov – The Backlink Removal Tool That Helps You Clean Up Bad Links
Unmasked: What 10 million passwords reveal about the people who choose them
WP White Security
WP Security Audit Log
Optimus – WordPress Image Optimizer
Subscribe to WP-Tonic on iTunes