Rogue Repairman Productions | Alexandria, VA | [email protected] | 703.542.4025
Smart WordPressers, Foolish Choices
Lots of smart people use WordPress to publish their Web site, but many make simple mistakes that end up biting them later.
This presentation will walk you through five of the most common foolish choices people make, and show you better, easier, less expensive ways to do the same things.
About Your Presenter
Jason A. Lefkowitz
President, Rogue Repairman Productions
WordPress developer since 2009
PHP developer since 2001
Web developer since 1995
Questions? Write to me!
Email: [email protected]
@jalefkowit
Look familiar?
Failure To Listen
Failure to Listen
● WordPress and code running on its platform (themes/plugins) will tell you when they need to be updated
● Keeping everything up to date makes your site more secure, improves performance, and adds useful features
● So why not do this simple, free thing?
Self-Updating WordPress
● As of version 3.7, WordPress can update itself in the background
● By default it applies only security and maintenance (minor) releases, not new feature releases
● Can be selectively disabled in the WP configuration
● Automatically disabled when WordPress detects that it is running from a version-control checkout (a .svn, .git, .hg or .bzr directory in the install or in any directory above it)
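The background updater is driven by a handful of constants and filters. The following must-use plugin is an added example, not code from the presentation or from WordPress itself; it shows how the defaults described above are expressed, how to widen them to plugins and themes, and where the version-control check can be overridden. The plugin file name and the allow-listed plugin slug are assumptions.

```php
<?php
/**
 * Plugin Name: Update Policy
 * Description: Added example (not from the presentation). Makes the
 *              WordPress 3.7+ background-update policy explicit.
 *              Drop into wp-content/mu-plugins/update-policy.php.
 */

// Only run inside WordPress.
defined( 'ABSPATH' ) || exit;

/*
 * Core releases. Out of the box WordPress applies minor (security and
 * maintenance) releases only. The same policy can be set in wp-config.php:
 *   define( 'WP_AUTO_UPDATE_CORE', 'minor' );  // default; true = major too, false = off
 * and the whole updater can be switched off with
 *   define( 'AUTOMATIC_UPDATER_DISABLED', true );
 * The filters below do the same thing from code.
 */
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' ); // stay on the default

/*
 * Plugins and themes are NOT updated in the background by default. The
 * filter receives the current decision and the update offer, so the policy
 * can be decided per addon. The slug below is a hypothetical allow-list.
 */
$update_policy_allowlist = array( 'akismet/akismet.php' );

add_filter( 'auto_update_plugin', function ( $update, $item ) use ( $update_policy_allowlist ) {
    // $item->plugin is the plugin's main file relative to wp-content/plugins/.
    return in_array( $item->plugin, $update_policy_allowlist, true );
}, 10, 2 );

// Themes from WordPress.org are small and rarely break; update them all.
add_filter( 'auto_update_theme', '__return_true' );

/*
 * WordPress refuses to self-update when it finds a .svn/.git/.hg/.bzr
 * directory in or above the install, because an update would dirty the
 * checkout. If the repository is deploy-only and you still want background
 * security releases, this core filter overrides the detection. Leave it out
 * if the checkout is where you actually develop.
 */
add_filter( 'automatic_updates_is_vcs_checkout', '__return_false' );
```

After installing, the Dashboard > Updates screen still lists everything; the difference is that the listed items are applied by WP-Cron without anyone logging in, and the site owner receives the usual "Your site has updated" e-mail.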
Letting Yourself Go
● There are 28,164 plugins in the WordPress plugin directory
● “Let's install all of them!”
Plugins and Themes: Use Sparingly
WordPress does not enforce any limitations on what plugins and themes can do. So:
● Each addon you install is a potential security hole
● One poorly written addon can slow down your whole site
● Plugins can behave like themes, and themes like plugins
● Plugins and themes can conflict with each other (!)
● Plugins and themes can conflict with WordPress core (!!!)
Plugins and Themes: Use Sparingly
Using addons wisely:
● Use only those addons that you absolutely must use
● Look for addons that do one thing well
– Beware of “All-In-One” addons
● Look for addons that are:
– Under active development
– Rated highly in the WordPress.org Plugin Repository
– Flagged as compatible with your version of WordPress
Breaking Confidences
Breaking Confidences
● A major cause of security compromises is insecure handling of authentication credentials (i.e. usernames and passwords).
● The login form is like the lock on your front door – be careful who you give keys to, and how you hand them over.
Breaking Confidences
There are several sets of credentials that can be used to compromise a WordPress site.
● WordPress backend credentials
● Web hosting control panel credentials
● MySQL database credentials
● Server login (SSH) credentials
● File transfer (FTP) credentials
Losing control of any of these can lead to getting hacked!
Breaking Confidences
Managing WordPress users securely:
● Don't share user accounts – give each user their own
● Limit full (“admin”) privileges to only those users who actually need them
● Don't transfer credentials over insecure channels, like email
● When people leave your group/organization, delete their user accounts
Breaking Confidences
“What do you mean, email isn't secure?”
● Emails are typically sent and stored in plain text, with no end-to-end encryption
● Emails pass through many servers between the sender and the destination, and each one can read or log the message
● Email accounts are frequently hacked/compromised
Breaking Confidences
A word about FTP:
DON'T.
Breaking Confidences
FTP is completely insecure.
● No encryption – usernames and passwords are sent to the server “in the clear”
Safe, secure, free alternatives exist.
● SFTP (file transfer over SSH) or FTPS (FTP over TLS)
If your web host requires you to use FTP – get a better web host!
Breaking Confidences
For bonus security points:
● Use SSL/TLS (HTTPS) to encrypt the WordPress backend, so login credentials and session cookies are not sent in the clear
● Use a web host that supports public-key authentication for SSH/SFTP
● Remove or rename the default “admin” user account – it is the username brute-force scripts try first
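The account rules from the "Managing WordPress users securely" slide and the "admin" point above can be carried out with the WordPress user API rather than by clicking through the Users screen. The script below is an added example, not code from the presentation; it creates one least-privilege account per person, retires departed users while reassigning their content, and replaces the well-known `admin` login. The file location, user names and e-mail addresses are placeholders. The HTTPS point is configuration rather than code: `define( 'FORCE_SSL_ADMIN', true );` in wp-config.php forces the dashboard and login onto HTTPS.

```php
<?php
/**
 * Added example (not from the presentation): one-off account maintenance
 * using the WordPress user API. Assumes it lives in the WordPress root
 * beside wp-load.php and is run from the shell:  php manage-accounts.php
 * Never leave it web-accessible.
 */
if ( PHP_SAPI !== 'cli' ) {
    exit( "Run from the command line only.\n" );
}

require_once __DIR__ . '/wp-load.php';
require_once ABSPATH . 'wp-admin/includes/user.php'; // wp_delete_user() lives here

/**
 * Create one account per person with the lowest role that fits the job.
 * Returns the user ID (existing or new).
 */
function create_named_user( $login, $email, $role ) {
    if ( username_exists( $login ) ) {
        return get_user_by( 'login', $login )->ID;
    }
    // A random password that nobody has to transmit: the person resets it
    // with "Lost your password?" on the login form, which e-mails a one-time link.
    $id = wp_create_user( $login, wp_generate_password( 24, true ), $email );
    if ( is_wp_error( $id ) ) {
        die( 'Could not create ' . $login . ': ' . $id->get_error_message() . "\n" );
    }
    $user = new WP_User( $id );
    $user->set_role( $role ); // administrator, editor, author, contributor, subscriber
    return $id;
}

// Hypothetical staff: exactly one real administrator, everyone else gets less.
$alice = create_named_user( 'alice', 'alice@example.com', 'administrator' );
$bob   = create_named_user( 'bob',   'bob@example.com',   'editor' );
$carol = create_named_user( 'carol', 'carol@example.com', 'author' );

/**
 * Retire an account: delete it and reassign its posts and links to another
 * user so no content disappears. Used both for people who have left and for
 * the default "admin" login.
 */
function retire_user( $login, $reassign_to_id ) {
    $user = get_user_by( 'login', $login );
    if ( ! $user ) {
        return false; // nothing to do
    }
    if ( $user->ID === $reassign_to_id ) {
        die( "Refusing to delete the user that content is being reassigned to.\n" );
    }
    return wp_delete_user( $user->ID, $reassign_to_id );
}

retire_user( 'admin', $alice ); // replace the default login instead of keeping it around
retire_user( 'dave',  $bob );   // hypothetical ex-employee

// Show who still holds full privileges.
foreach ( get_users( array( 'role' => 'administrator' ) ) as $admin ) {
    echo 'administrator: ' . $admin->user_login . "\n";
}
```

Deleting rather than renaming `admin` has one side effect worth checking: any plugin or theme setting that stored the old numeric user ID (for example a "default author" option) now points at a missing user, so review such settings after the run.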
“I Can Fix Him”
● There are a wide variety of pre-made themes for WordPress available
● Many are tempted to take a pre-made theme and “hack” it
● “It would be perfect if it just had this one feature...”
● This never ends happily
“I Can Fix Him”
Why not hack a third-party theme?
● Third-party themes frequently have lots of features built in – these can interact with your hacks in weird/unpredictable ways
● Your hacks get overwritten if the theme vendor distributes updates via the WordPress updater, which replaces the whole theme directory
● If you try to avoid losing your hacks by never updating the theme, you could miss out on important security patches
“I Can Fix Him”
Better approaches include:
● Using a third-party theme that offers safe ways to extend it
– WP customization tools: widgets, custom menus, theme customizer
– Theme-specific customization tools: options panels
● Building a custom theme from scratch
● Extending a third-party theme as a “child theme”
– You only write the specific code you need
– All other elements are “inherited” from the parent theme, which can still be updated normally
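A child theme is two files. The functions.php below is an added example, not code from the presentation or from any theme vendor; it shows the mechanics that make the "inheritance" work: the `Template:` header, loading the parent stylesheet, and changing behaviour through hooks rather than edits. The child directory name and the parent theme (`twentythirteen`, the stock WordPress theme of the time) are assumptions.

```php
<?php
/**
 * Added example (not from the presentation): the smallest working child theme.
 *
 * Files live in wp-content/themes/twentythirteen-child/ (hypothetical name).
 *
 * 1) style.css -- its header comment is what makes WordPress treat the
 *    directory as a child theme. It must start with:
 *        Theme Name: Twenty Thirteen Child
 *        Template:   twentythirteen      (directory name of the parent)
 *    followed only by the CSS rules you want to override.
 *
 * 2) functions.php -- this file. It runs BEFORE the parent's functions.php,
 *    and unlike template files it does not replace the parent's copy.
 */

add_action( 'wp_enqueue_scripts', function () {
    // A child style.css does not pull in the parent's; load it explicitly.
    // get_template_directory_uri() points at the parent theme.
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );

    // get_stylesheet_directory_uri() points at the child. Declaring the
    // dependency fixes the order, so child rules win on equal specificity.
    wp_enqueue_style(
        'child-style',
        get_stylesheet_directory_uri() . '/style.css',
        array( 'parent-style' ),
        wp_get_theme()->get( 'Version' )
    );
} );

/*
 * Template overrides: copy only the file you need (say header.php) from the
 * parent into the child directory and edit the copy. WordPress looks in the
 * child first and falls back to the parent, so every other template is
 * inherited and keeps receiving the vendor's updates.
 *
 * Functions: the parent's functions.php still runs, so redeclaring one of its
 * functions is a fatal error. Change behaviour through hooks instead. The
 * late priority (999) makes this filter run after anything the parent adds.
 */
add_filter( 'excerpt_length', function () {
    return 30; // words; the WordPress default is 55
}, 999 );
```

Activate "Twenty Thirteen Child" under Appearance > Themes, leaving the parent installed but inactive; updating the parent later touches only its own directory.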
Being Unprepared
The biggest enemy of the WordPress site administrator:
Success!
Being Unprepared
● WordPress stores all the content and preferences in a database – MySQL
● When a page is requested, it has to rummage through that database and assemble all the parts of the page for the visitor
● This can result in each page request running dozens (or more!) of queries against the database
● Then multiply that times a large number of visitors, and...
Being Unprepared
How to defend against being overwhelmed by traffic:
● Use plugins sparingly
● Use a page-caching plugin, so WordPress serves a stored copy of each page instead of rebuilding it for every visitor
– WP Super Cache, W3 Total Cache
● Cache in front of or beside WordPress
– Varnish (HTTP cache in front of the web server); Redis, Memcached (persistent object cache that holds the results of WordPress's database queries between requests)
● Use a content delivery network (CDN) for images, scripts and other static files
– Amazon S3/CloudFront, Rackspace Cloud Files
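The "dozens of queries per page" problem can also be attacked inside the site, one expensive query at a time. The snippet below is an added example, not code from the presentation; it caches the result of a costly query with the WordPress transients API so a busy page runs it once per interval instead of once per visitor, and invalidates it when content changes. The function names, cache key and the query itself are hypothetical.

```php
<?php
/**
 * Added example (not from the presentation): cache one expensive query with
 * the transients API. Intended for a theme's functions.php or a small plugin.
 */

/**
 * Five most-commented posts of the last 30 days. Without caching this query
 * runs on every page view that displays the list.
 */
function rr_popular_posts_uncached() {
    $q = new WP_Query( array(
        'posts_per_page' => 5,
        'orderby'        => 'comment_count',
        'date_query'     => array( array( 'after' => '30 days ago' ) ),
        'no_found_rows'  => true,  // skip the extra SQL_CALC_FOUND_ROWS work
        'fields'         => 'ids', // only IDs are needed; far cheaper than full rows
    ) );
    return $q->posts;
}

/**
 * Same data served from cache. Transients live in the options table unless a
 * persistent object cache (Redis, Memcached) is installed, in which case
 * WordPress stores them there automatically with no code change here.
 */
function rr_popular_posts_cached() {
    $key = 'rr_popular_posts_v1'; // bump the suffix whenever the query changes
    $ids = get_transient( $key );
    if ( false === $ids ) {       // missing or expired; an empty array is a valid hit
        $ids = rr_popular_posts_uncached();
        set_transient( $key, $ids, 10 * MINUTE_IN_SECONDS );
    }
    return $ids;
}

/**
 * Invalidate on publish/edit so readers never see a stale list for the
 * full ten minutes after content changes.
 */
add_action( 'save_post', function () {
    delete_transient( 'rr_popular_posts_v1' );
} );

// Usage in a template:
//   foreach ( rr_popular_posts_cached() as $id ) { echo esc_html( get_the_title( $id ) ), '<br>'; }
```

Page caching (WP Super Cache and friends) removes the query entirely for anonymous visitors; this kind of fragment caching is what still helps for logged-in users and for the first request after a cached page expires.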
Thank You!
Jason A. Lefkowitz
President, Rogue Repairman Productions
Questions? Write to me!
Email: [email protected]
@jalefkowit
“Technology sucks. We make it suck less.”