WordPress is one of the most popular content management systems (CMS) in use today. According to Web Technology Surveys, WordPress, Joomla, and Drupal account for 70 percent of of all CMS usage, with WordPress by far the most used of the three. But CMS platforms, by virtue of their open-source frameworks, are extremely vulnerable to cyber attacks, especially DDoS attacks. If you’re thinking about building an online store, or better securing the one you already have, you won’t want to miss a special webinar on WordPress e-commerce security best practices, brought to you by WooCommerce and Imperva Incapsula. WooCommerce from Automattic is one of the leading e-commerce WordPress platforms. Use it to build your online store and scale your business quickly and easily. Find out how when you register to hear WooCommerce e-commerce expert Matt Cohen provide you with best practices for securing your site, and tips on how to protect your user data and payment information. Here’s just some of what you’ll learn during this presentation: - Preparing to set up your online store: What to do first. - How to get the best security for your WordPress site. - How to choose a payment gateway, and the various options available to you. - Maintaining the security of your online store for the long term.

1. WordPress & WooCommerce
Security Best Practices
Moderated by
Nicole Banks
@Incapsula_com
Matty Cohen
@mattyza

2. © 2016 Imperva, Inc. All rights reserved.
Are you currently a WordPress user?
POLL
2

3. © 2016 Imperva, Inc. All rights reserved.3
Introduction
• Thanks for joining the webinar
• The webinar will last 30 minutes and will be recorded
• Feel free to submit questions at any time, we will answer as many
as we can at the end
• We will send you a copy of the recording and a PDF copy of the
slides afterwards
• Any questions or concerns, feel free to submit in the chat or email
Nicole@Incapsula.com

4. © 2016 Imperva, Inc. All rights reserved.4
Agenda
1. Introductions
2. Why Security?
3. Tips for the Best WordPress Experience
4. How WooCommerce Can Help?
5. Wrap-Up
6. External Resources
7. Q&A

5. © 2016 Imperva, Inc. All rights reserved.5
Imperva Incapsula
Imperva Incapsula is a cloud-based service that makes websites safer, faster
and more reliable. Our mission is to provide every website, regardless of its
size, with enterprise-grade website security and performance features that so
far have only been affordable to the very largest of websites.

6. Matty Cohen
WOOCOMMERCE PRODUCT TEAM LEAD AT AUTOMATTIC

7. CHAPTER I
Why Security?

8. Prevention Is Better Than a Cure
Having no security breaches is better than having to fix even
one security breach.

9. Peace of Mind
If anything were to go wrong, you know you’re covered.

10. Security Is a Mindset
Constant vigilance, and a sharp eye for detail.

11. CHAPTER II
WordPress

12. What Is WordPress?
An open source website creation platform, powering
~26% of the known websites on the internet.
The operating system of the web.

13. Tip #1: No “admin” User
Make sure your default username is anything other than “admin”, and is
an uncommon word or phrase.
If you have a username you use regularly online,
you could use that.

14. Tip #2: Protect wp-admin
With WordPress, it’s possible to have your wp-admin directory
accessible within a certain IP address range, or moved entirely into a
private directory on your server.

15. Tip #3: Use Unique Table Prefixes
By default, WordPress uses wp_ as the database table
prefix. Adjust this to something unique.

16. Tip #4: Use Unique Keys and Salts
Within wp-config.php
Adjust the keys and salts in wp-config.php
to be unique and lengthy.
WordPress offers a secret-key service
for generating these strings, here:
https://api.wordpress.org/secret-key/1.1/salt/

17. Tip #5: Regularly Review the Installed
Plugins List for Inactive Plugins
Go through the list of plugins you have on your WordPress, delete any
which you aren’t using, and examine those you are using, to see if they
are still required and relevant.
If they aren’t required or relevant,
deactivate and remove them.

18. Tip #6: Enforce Strong Passwords
There is no such thing as a password which is too long.
Enforce the strongest passwords possible, to ensure a more
secure environment.
WordPress has a built-in password strength checker.

19. Tip #7: Limit Login Attempts
Use the Jetpack plugin, and enable its Security feature, to
prevent brute force login attempts.
https://jetpack.com/

20. CHAPTER III
WooCommerce

21. What Is WooCommerce?
The world’s most flexible eCommerce platform.
Powering ~39% of all known online stores.
Powered by WordPress.

22. Tip #1: Pick a Trusted Web Host
Ensure you choose a trusted and secure web host. Invest in
dedicated web hosting, if possible.
http://pressable.co/
http://bluehost.com/
http://wordpress.com/vip/

23. Tip #2: Use Trusted Extensions
When selecting your WooCommerce extensions, be sure to use
trusted extensions from WooCommerce.com.
http://woocommerce.com/

24. Tip #3: Research the Extensions
If you use an extension from another source, such as the official
WordPress plugin directory, be sure to check the number of
installations, the star rating, and when the extension was last
updated.
http://wordpress.org/plugins/

25. Tip #4: Invest In an SSL certificate
Enforce SSL on all checkout-related screens of your WooCommerce. Enable an
SSL certificate, and then enable the “Force Secure Checkout” option within
WooCommerce.
Your web host should offer SSL. If not, namecheap.com
offers reasonably priced SSL certificates.

26. Tip #5: Be Mindful of Private Data
There is a high risk in storing a user’s private information.
If you’d prefer not to do this, you could use an off-site payment gateway, instead
of storing a credit card auth token.

27. Tip #6: Check Permissions When
Connecting to External Services
If you decide to share information with an external service, be sure to check the
permissions this service requires, and reach out to them if you feel the service is
requesting too many permissions.
For example, a read-only service doesn’t need write permissions to your
WooCommerce.

28. Tip #7: Regularly Test your Checkout
Regular testing of your checkout, with a security mindset, minimises the risk that
your checkout flow could be compromised, as you are regularly reviewing the
checkout.
Be sure to open your web browser’s “Network” tab when doing these tests, to
ensure no information is being leaked.

29. “
”
DOUG LINDER
A good programmer is someone who always
looks both ways before crossing a one-way
street.

30. Wrap-up

31. © 2016 Imperva, Inc. All rights reserved.31
In a fun, quiz-based online format, these free training courses give you the
technical knowledge and skills to identify and block different types of DDoS attacks.
www.DDoSBootcamp.com
DDoS Protection Bootcamp
DDoS Protection Mastery Starts Here

32. Thanks
Matty Cohen
@mattyza