Brad Williams: WordPress Security
Brad Williams talks about how to keep your WordPress-powered website secure from hackers and exploits.
Slides from the presentation are available here.
Video Production by Arthur Cormon of TV McGill.
Video details
- Date published: July 11, 2009

This work is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.
9 responses
-
Great Talk
sshing and chmod-ing files right now!
Thanks a whole heap – very useful information!
-
really great talk, thank you Brad for very important information about security.
-
Lots of good suggestions that I intend to look into further. Thanks Brad.
One glaring error in the wp-config.php stuff though. The file should really be in the directory above public_html/, not in public_html/ itself. If WordPress is installed directly in public_html/ then you’re all set.
But if, like me, you’re using a folder like wordpress/ to organize things, you need WordPress to look 2 levels up. The simple solution is to modify wp-config.php with something like this: require_once(ABSPATH . '../../secret.php'); just before the require for wp-settings.php. Put secret.php above your public_html folder and move all the password stuff to there.
-
Nathan, would you mind fleshing that out a bit with a pseudo example?
Thanks for dealing with the case of sub folder which WP seems to have neglected.
-
@mugger I’ve been meaning to do a blog post about my particular setup. Actually I’m planning to set up a new blog on WordPress coding, just need to make the time to do it. When I do, I’ll post here again.
-
Thanks for the kind words everybody! Actually the wp-config.php file can exist in one of two places by default: either the root WordPress directory or one level above that directory. WordPress will look in both spots before throwing an error.
-
@mugger I’m prepping a base setup that can be readily cloned… http://hg.nathany.com/wp-base/src/ It has my wp-config as well as secret-sample as a template for creating ../secret.php (up a level).
An accompanying blog post should be up in a few days. Right now I’m waiting for DNS for vogsphere.org. I’d also like to review Brad’s video and get those suggestions into my base setup.
@Brad Maybe something is different between our configs, but for me, ABSPATH points to the /wordpress/ folder inside public_html (webroot, htdocs, you get the idea). WordPress looks in the ABSPATH folder and one directory up, which in my case is the public_html/wordpress/ folder and the public_html/ folder. Hence, my little workaround to drop a file two levels up from ABSPATH so it’s not inside public_html.
If ABSPATH is defined differently for you, as the actual public_html/ folder, I’d sure like to understand what I’m doing differently.
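The layout discussed in the comments above, written out as an added example that is not part of any commenter's post or of Brad's talk: a wp-config.php in public_html/wordpress/ that loads its credentials from a secret.php one directory above public_html/. The fail-closed checks, the log messages and the listed contents of secret.php are assumptions added for illustration.

```php
<?php
// wp-config.php, placed in public_html/wordpress/ (layout assumed from the thread).
// Constructed example: the checks below are additions, not WordPress core behaviour.

// ABSPATH is the WordPress directory with a trailing slash. WordPress normally
// defines it before this file runs; define it the same way if it is missing.
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}

// Two levels up from public_html/wordpress/ is the parent of public_html/.
// realpath() collapses the ../ segments and returns false if the file is absent.
$secret_file = realpath( ABSPATH . '../../secret.php' );

if ( false === $secret_file || ! is_readable( $secret_file ) ) {
    // Fail closed: log the detail server-side, show nothing useful to the visitor.
    error_log( 'wp-config: secret.php missing or unreadable above the web root' );
    exit( 'Configuration error.' );
}

// Refuse to continue if the resolved path is still inside the document root,
// which would mean the directory layout is not what this file expects.
if ( ! empty( $_SERVER['DOCUMENT_ROOT'] ) ) {
    $doc_root = realpath( $_SERVER['DOCUMENT_ROOT'] );
    if ( false !== $doc_root ) {
        $prefix = rtrim( $doc_root, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
        if ( 0 === strpos( $secret_file, $prefix ) ) {
            error_log( 'wp-config: secret.php resolves inside the document root' );
            exit( 'Configuration error.' );
        }
    }
}

// secret.php holds the define() calls moved out of this file:
// DB_NAME, DB_USER, DB_PASSWORD, DB_HOST and the authentication keys
// (AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY, NONCE_KEY).
require_once $secret_file;

// Non-secret settings can stay here.
$table_prefix = 'wp_';

// Must come last: hands control to WordPress.
require_once ABSPATH . 'wp-settings.php';
```

On the server, secret.php should be readable by the account PHP runs as and by no other unprivileged user.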