4. Filling out cards
Your evaluation and criticism is welcomed!
presentation: Was the material presented in a way that you found engaging and could appreciate?
utility: Did you get value out of the presentation?
technical depth: Did you find that the technical aspects of the presentation were appropriate and useful?
any other comments: I love feedback!

6. Tools of the talk
WordPress 2.8: the eponymous blogging/publishing app
FTP client: transfer files to and from remote locations
ssh client / PuTTY: connect to remote shells
shell access: helpful but not strictly necessary

7. What's this talk about?
start-to-finish installation of WordPress 2.8
an introduction to WordPress 2.8
basics of the Unix environment, permissions
open questions
security power tips, common errors
8. WordPress 2.8
better IIS support for Windows hosts
better security
better administrative usability
widgets API
minor cosmetic improvements with comments, posts
better automation
smarter interoperability between plugins, fewer conflicts

9. Basic installation steps
DOWNLOAD: go to wordpress.org
DATABASES: configure with your host
UNZIP: go to wordpress.org
CONFIGURE WORDPRESS: edit wp-config.php
LOG IN: all done!
12. Security basics: file permissions
permissions determine which actions can be taken on files or directories
permissions: read, write, execute

13. Security basics: file permissions
permissions: read, write, execute
a missing permission denies the request
result: sum the value of the active permissions to produce a summary result

15. Security basics: user categories
categories: owner, group, world
files belong to both a specific user, called the owner, and a group
world is the set of all users that is not the owner or the group

16. Putting permissions together
example: index.html
categories: owner, group, world
permissions: read, write, execute
result: one summary value per category

17. Files differ from directories
example: wordpress/
categories: owner, group, world
permissions: list, write, go to (the directory meanings of read, write, execute)
result: one summary value per category
21. Security power tips
wrong / unreadable permissions (the directory lacks the execute bit, so it cannot be entered):
    drw-r--r--  7 bob bob  4096 Jun 10 20:32 wp-admin/
    -rw-r--r--  1 bob bob  2341 May 20 11:32 wp-load.php
    -rw-r--r--  1 bob bob 21019 Jun  3 17:15 wp-login.php
insecure permissions (the directory is world-writable):
    drwxrwxrwx  7 bob bob  4096 Jun 10 20:32 wp-admin/
    -rw-r--r--  1 bob bob  2341 May 20 11:32 wp-load.php
    -rw-r--r--  1 bob bob 21019 Jun  3 17:15 wp-login.php
fix all world-writable directories at once:
    find . -type d -perm 0777 -print0 | xargs -0 chmod 755
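The permission arithmetic of slides 13 and 16 and the world-writable cleanup of slide 21, as an added shell example that is not from the slides; the sample tree it builds is constructed, and the helper names (mode_to_octal, fix_world_writable, make_sample_tree) are my own:

```sh
#!/bin/sh
# Added example (not from the slides): mode arithmetic r=4, w=2, x=1 summed per
# owner/group/world, plus an audit-and-fix of world-writable paths.

# mode_to_octal rwxr-xr-x -> 755: sum the active bits of each three-char group.
mode_to_octal() {
    s="$1"; out=""
    for i in 0 3 6; do
        triple=$(printf '%s' "$s" | cut -c "$((i + 1))-$((i + 3))")
        n=0
        case "$triple" in r??) n=$((n + 4)) ;; esac
        case "$triple" in ?w?) n=$((n + 2)) ;; esac
        case "$triple" in ??x) n=$((n + 1)) ;; esac
        out="$out$n"
    done
    printf '%s' "$out"
}
# Count world-writable directories / files below a root: the slide's
# drwxrwxrwx case and any other mode that grants "world" write (-002).
count_world_writable_dirs()  { find "$1" -type d -perm -002 | wc -l | tr -d ' '; }
count_world_writable_files() { find "$1" -type f -perm -002 | wc -l | tr -d ' '; }
# Tighten: directories to 755, files to 644. "-exec ... {} +" batches paths
# like the slide's xargs -0 but needs no -print0 support.
fix_world_writable() {
    find "$1" -type d -perm -002 -exec chmod 755 {} +
    find "$1" -type f -perm -002 -exec chmod 644 {} +
}
# has_mode <path> <octal>: true when the path has exactly that mode.
has_mode() { [ -n "$(find "$1" -maxdepth 0 -perm "$2")" ]; }
# Constructed sample tree with sloppy modes; hypothetical, not a real install.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-admin" "$root/wp-content/uploads"
    touch "$root/wp-load.php" "$root/wp-login.php" "$root/wp-config.php"
    chmod 777 "$root/wp-admin" "$root/wp-content/uploads"   # insecure dirs
    chmod 755 "$root/wp-content"
    chmod 644 "$root/wp-load.php" "$root/wp-login.php"
    chmod 666 "$root/wp-config.php"                        # insecure file
    printf '%s\n' "$root"
}
if [ "${1:-}" = "--demo" ]; then   # sh audit.sh --demo: report, fix, report
    root=$(make_sample_tree)
    echo "before: $(count_world_writable_dirs "$root") dirs, $(count_world_writable_files "$root") files world-writable"
    fix_world_writable "$root"
    echo "after:  $(count_world_writable_dirs "$root") dirs, $(count_world_writable_files "$root") files world-writable"
    rm -rf "$root"
fi
```

Run against a real tree, replace make_sample_tree with the WordPress root and review the counts before running fix_world_writable, since uploads directories sometimes need group write for the web server user.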
22. Security power tips
avoid meta-generator strings (they advertise your exact version):
    ...
    <head>
    <!-- header.php -->
    <meta content="WordPress <?php bloginfo('version'); ?>" name="generator" />
    </head>
    ...
defend your wp-admin folder and site configuration:
    limit access by IP address using .htaccess
    AskApache Password Protect
    Login Lockdown plugin

23. Security power tips
if possible, use SFTP or SSH instead of FTP
    transmitting over FTP is not at all secure
    your host may not support SFTP, but all should allow shell access to savvy users
update early and often
    WordPress Automatic Upgrade plugin
    Instant Upgrade plugin

24. Security power tips
perform regular and frequent backups
separate your WP database from other information and data
    avoids DoS issues
    trivial for determined attackers to overwhelm most entry-level databases

25. Security power tips
prevent search robots from crawling:
    # In robots.txt:
    Disallow: /path/to/wordpress/wp-*
prevent casual browsing of directories:
    # In .htaccess:
    Options All -Indexes