WordPress & WooCommerce Security Best Practices. Moderated by Nicole Banks (@Incapsula_com) and Matty Cohen (@mattyza)
Page 1: WordPress WooCommerce

WordPress & WooCommerce Security Best Practices

Moderated by

Nicole Banks (@Incapsula_com)

Matty Cohen (@mattyza)

Page 2: WordPress WooCommerce

© 2016 Imperva, Inc. All rights reserved.

POLL: Are you currently a WordPress user?

Page 3: WordPress WooCommerce


Introduction

• Thanks for joining the webinar

• The webinar will last 30 minutes and will be recorded

• Feel free to submit questions at any time; we will answer as many as we can at the end

• We will send you a copy of the recording and a PDF copy of the slides afterwards

• For any questions or concerns, feel free to submit them in the chat or email [email protected]

Page 4: WordPress WooCommerce


Agenda

1. Introductions

2. Why Security?

3. Tips for the Best WordPress Experience

4. How Can WooCommerce Help?

5. Wrap-Up

6. External Resources

7. Q&A

Page 5: WordPress WooCommerce


Imperva Incapsula

Imperva Incapsula is a cloud-based service that makes websites safer, faster and more reliable. Our mission is to provide every website, regardless of its size, with enterprise-grade website security and performance features that so far have only been affordable to the very largest of websites.

Page 6: WordPress WooCommerce

Matty Cohen

WooCommerce Product Team Lead at Automattic

Page 7: WordPress WooCommerce

CHAPTER I

Why Security?

Page 8: WordPress WooCommerce

Prevention Is Better Than a Cure

Having no security breaches is better than having to fix even one security breach.

Page 9: WordPress WooCommerce

Peace of Mind

If anything were to go wrong, you know you’re covered.

Page 10: WordPress WooCommerce

Security Is a Mindset

Constant vigilance, and a sharp eye for detail.

Page 11: WordPress WooCommerce

CHAPTER II

WordPress

Page 12: WordPress WooCommerce

What Is WordPress?

An open source website creation platform, powering ~26% of the known websites on the internet.

The operating system of the web.

Page 13: WordPress WooCommerce

Tip #1: No “admin” User

Make sure your default username is anything other than “admin”, and is an uncommon word or phrase.

If you have a username you use regularly online, you could use that.

Page 14: WordPress WooCommerce

Tip #2: Protect wp-admin

With WordPress, it’s possible to make your wp-admin directory accessible only from a certain IP address range, or to move it entirely into a private directory on your server.

Page 15: WordPress WooCommerce

Tip #3: Use Unique Table Prefixes

By default, WordPress uses wp_ as the database table prefix. Adjust this to something unique.

Page 16: WordPress WooCommerce

Tip #4: Use Unique Keys and Salts Within wp-config.php

Adjust the keys and salts in wp-config.php to be unique and lengthy.

WordPress offers a secret-key service for generating these strings, here:

https://api.wordpress.org/secret-key/1.1/salt/
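Tips #3 and #4 are both wp-config.php changes, so here is an added shell example (not from the webinar, Imperva, Automattic or the WordPress project) that audits a wp-config.php for the default wp_ prefix and the placeholder salts WordPress ships with, and generates replacement salts locally when the api.wordpress.org service is not reachable. The file path is whatever you pass in; the sample wp-config.php contents in the comments are constructed.

```shell
#!/bin/sh
# Added example, not from the webinar: audit a wp-config.php for the two
# defaults Tips #3 and #4 say to change (the "wp_" table prefix and the
# placeholder keys/salts WordPress ships with), and generate replacement
# salts locally. Run as: audit_wp_config /path/to/wp-config.php

WP_SALT_KEYS="AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT"

# Print one finding per line; return 1 if anything still needs changing.
audit_wp_config() {
  file="$1"
  rc=0
  # Matches the shipped default line:  $table_prefix = 'wp_';
  if grep -Eq '^[[:space:]]*[$]table_prefix[[:space:]]*=[[:space:]]*.wp_.' "$file"; then
    echo "table_prefix: still the default wp_"
    rc=1
  fi
  for k in $WP_SALT_KEYS; do
    # Each key must be defined, and not with the text WordPress ships:
    #   define('AUTH_KEY', 'put your unique phrase here');
    if ! grep -Eq "define\([[:space:]]*.${k}." "$file"; then
      echo "$k: not defined"
      rc=1
    elif grep -E "define\([[:space:]]*.${k}." "$file" | grep -q 'put your unique phrase here'; then
      echo "$k: still the shipped placeholder"
      rc=1
    fi
  done
  return "$rc"
}

# One 64-character secret from the kernel RNG (offline alternative to
# https://api.wordpress.org/secret-key/1.1/salt/).
gen_secret() {
  head -c 48 /dev/urandom | base64 | tr -d '\n' | cut -c1-64
}

# The eight define() lines with fresh values, ready to paste into wp-config.php.
gen_salt_block() {
  for k in $WP_SALT_KEYS; do
    printf "define('%s', '%s');\n" "$k" "$(gen_secret)"
  done
}
```

Changing the salts logs every user out, since existing cookies no longer validate; changing the table prefix on a live site also requires renaming the existing tables.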

Page 17: WordPress WooCommerce

Tip #5: Regularly Review the Installed Plugins List for Inactive Plugins

Go through the list of plugins you have on your WordPress site, delete any which you aren’t using, and examine those you are using to see if they are still required and relevant.

If they aren’t required or relevant, deactivate and remove them.

Page 18: WordPress WooCommerce

Tip #6: Enforce Strong Passwords

There is no such thing as a password which is too long.

Enforce the strongest passwords possible, to ensure a more secure environment.

WordPress has a built-in password strength checker.

Page 19: WordPress WooCommerce

Tip #7: Limit Login Attempts

Use the Jetpack plugin, and enable its Security feature, to prevent brute force login attempts.

https://jetpack.com/

Page 20: WordPress WooCommerce

CHAPTER III

WooCommerce

Page 21: WordPress WooCommerce

What Is WooCommerce?

The world’s most flexible eCommerce platform.

Powering ~39% of all known online stores.

Powered by WordPress.

Page 22: WordPress WooCommerce

Tip #1: Pick a Trusted Web Host

Ensure you choose a trusted and secure web host. Invest in dedicated web hosting, if possible.

http://pressable.co/

http://bluehost.com/

http://wordpress.com/vip/

Page 23: WordPress WooCommerce

Tip #2: Use Trusted Extensions

When selecting your WooCommerce extensions, be sure to use trusted extensions from WooCommerce.com.

http://woocommerce.com/

Page 24: WordPress WooCommerce

Tip #3: Research the Extensions

If you use an extension from another source, such as the official WordPress plugin directory, be sure to check the number of installations, the star rating, and when the extension was last updated.

http://wordpress.org/plugins/

Page 25: WordPress WooCommerce

Tip #4: Invest in an SSL Certificate

Enforce SSL on all checkout-related screens of your WooCommerce store. Install an SSL certificate, and then enable the “Force Secure Checkout” option within WooCommerce.

Your web host should offer SSL. If not, namecheap.com offers reasonably priced SSL certificates.

Page 26: WordPress WooCommerce

Tip #5: Be Mindful of Private Data

There is a high risk in storing a user’s private information.

If you’d prefer not to do this, you could use an off-site payment gateway, instead of storing a credit card auth token.

Page 27: WordPress WooCommerce

Tip #6: Check Permissions When Connecting to External Services

If you decide to share information with an external service, be sure to check the permissions this service requires, and reach out to them if you feel the service is requesting too many permissions.

For example, a read-only service doesn’t need write permissions to your WooCommerce store.

Page 28: WordPress WooCommerce

Tip #7: Regularly Test Your Checkout

Regular testing of your checkout, with a security mindset, minimises the risk that your checkout flow could be compromised, as you are regularly reviewing the checkout.

Be sure to open your web browser’s “Network” tab when doing these tests, to ensure no information is being leaked.

Page 29: WordPress WooCommerce

“A good programmer is someone who always looks both ways before crossing a one-way street.”

Doug Linder

Page 30: WordPress WooCommerce

Wrap-up

Page 31: WordPress WooCommerce


DDoS Protection Bootcamp

DDoS Protection Mastery Starts Here

In a fun, quiz-based online format, these free training courses give you the technical knowledge and skills to identify and block different types of DDoS attacks.

www.DDoSBootcamp.com

Page 32: WordPress WooCommerce

Thanks

Matty Cohen (@mattyza)