WordPress Security from WordCamp Montreal

Over the weekend I had the pleasure of attending WordCamp Montreal. I gave a presentation on WordPress Security at the event. You can view my slideshow presentation below:

Enjoy this post? Be sure to subscribe to my RSS feed and my WordPress Tips and Tricks Newsletter! Also check out my WordPress books: Professional WordPress Third Edition & Professional WordPress Plugin Development


  1. Thanks for mentioning WordPress File Monitor in your presentation. Please let me know if you think of any enhancements that would improve it.

    • thanks for the awesome plugin Matt! Everyone really liked it! It’s a standard weapon in our arsenal now

  2. Actually, you’re probably a good person to ask this question. I’m not an SEO expert, but one of the suggestions for the plugin has been this — If there is an active alert, block the search engines from scanning the site. Once the admin has cleared the alert, allow search engines to crawl again.

    Obviously if I added it, this would be an option that the admin could turn on or off.

    My real question here though is, do you think something like this could be useful? It is basically going after the idea that if the search engines were being held at bay while an attack had occurred, you might miss some of the damage done from them dropping you from results, etc.

    If it would be useful in this way, do you know the safest header to return to a crawler that says, “hey, nothing here to see, but check back in a little bit!”

    (I have some ideas on the headers that could be sent, but since it looks like Search Engines were included in your presentation, I’m interested to hear your thoughts)

    A fear of mine is causing damage from a false positive. I have my exclude directories set pretty intelligently, but still, if I modify my theme or something, I get an alert from it (as I should), do I really want my site to not be crawled while it waits for me to clear it? Maybe the idea, completely, is overkill.

  3. I like that idea, but I would set it to only block search engines based on a keyword list, so if the word “cialis” pops up in a file it would lockdown. That is not an option you want a false positive on like you said.

    I think the HTTP status code should be a 503.

  4. Thanks, I like the keyword list idea. I might try to work that in.

    Appreciate it.

  5. I really appreciate these slides, so I decided to implement your wp-config.php point. I hope you visit my blog (in sign), read the article, and express your opinion leaving me a comment.