Have WordPress security questions? #askDre!


Dre Armeda is, without question, one of the top WordPress security professionals in the world. Dre runs Sucuri Security (or Sucuri Shecurity, if you prefer) and I’m lucky enough to co-host a podcast with him and Brad Williams called WP Late Night. But you probably already know all that, so why am I telling you all of this now?

It’s because there just isn’t enough Dre Armeda on the internet. Yet.

Very soon the show you see promoted above, #askDre, will debut. It will of course feature your favorite taco-loving, Harley-driving, malware-smashing member of the WordPress community answering all of your security questions in handy little video form. Security question? Have a confusing security conundrum? No problem. Dre smash.

Now we just need your questions to, you know, get started. Drop your security questions for Dre into the comments below or, even better, tweet them to us using the #askDre hashtag. Like I did here, for example:

Security is an important topic, and one that I want to see discussed a bit more at WPCandy. Partnering with Dre and doing this show makes perfect sense, and I’m excited to see him drop knowledge on everyone (especially me) each week.

Get those questions (either #askDre on Twitter or below in the comments) in soon so we can get to work making an awesome new show for you!

12 thoughts on “Have WordPress security questions? #askDre!”

    • That’s great feedback but really not on topic. How can we help with some awesome security tips? 😀

      • Due to the ease of use of eCommerce on WP (specifically WooCommerce) I’ve found
        myself running several e-shops in what feels like a very short space of time.

        The old sites I made never really seemed like targets and as long as I had everything backed up regularly, then it was all good.

        Now my clients’ money is involved it’s a different matter entirely!

        So one thing I’d like to see is a security check list for eCommerce on WP.


  1. Well… these are the things I do, wondering if there are some more magic tricks I can put on my installation checklist for better security

    – use a good long ftp admin and password
    – use a good long wp admin name and password, don’t use default
    – use a different dbname than the name of the domain
    – use wp security keys
    – change default db table prefix
    – install block bad queries plugin
    – install login lockdown plugin
    – get rid of readme files with wp versions
    – get rid of wp versions in header
    – htaccess /wp-admin and wp-login
    – install update notifier so I am aware of updates on multiple sites
    – keep stuff up2date including WP
    – kill the readme files every time I update
    – do the robots.txt stuff
    – check if all folders have empty index.html or htaccess that stuff so folders ain’t browsable
    – use perishable 3g / 4g / 5g + blacklist… although experience some issues with that from time to time.
    – automated backups on domain

    Maybe I’m overdoing it, but I’ve never had a compromised website… so there must be something working here right?

    Love to hear what is not necessary or what you are missing. Or if you want more info on something in the list, I’d be glad to provide explanation, links or info about it.

    With Regards,

  2. The biggest security no-no I’ve noticed is people not properly protecting the wp-content folder, specifically the /wp-contents/uploads/

    Most plugins store uploads and other information in this folder including backup programs.

    Why do you think the core does not place a blank index.php in this folder like the other folders in wp-content in case Apache indexing is active?

    • Hi there John…

      Never occurred to me… good question. Do you punt a Silence is Golden in there?

      Think I’ll start doing this.


      • I block it via Apache. You can set the -Indexes directive. There are several other ways to block it.
        If you don’t have access you can just copy the index.php from the wp-content folder.
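The two protections discussed in the comments above (a blank index file in each folder, or `Options -Indexes` in Apache) can be audited across a whole wp-content tree. The following is an added example, not part of the original post or comments; the function names and the sample tree are constructed, and it assumes Apache honors .htaccess files (AllowOverride permits Options) and that DirectoryIndex includes index.php and index.html.

```python
import os
import re
import tempfile

# Assumption: the server's DirectoryIndex serves one of these instead of a listing.
INDEX_FILES = {"index.php", "index.html", "index.htm"}
# An uncommented "Options ... -Indexes" line in an .htaccess file.
NO_INDEXES = re.compile(r"^\s*Options\b[^#\n]*-Indexes\b", re.I | re.M)

def htaccess_disables_indexes(directory):
    """True if directory/.htaccess turns off automatic directory listings."""
    try:
        with open(os.path.join(directory, ".htaccess"),
                  encoding="utf-8", errors="replace") as fh:
            return bool(NO_INDEXES.search(fh.read()))
    except OSError:  # no .htaccess here, or it is unreadable
        return False

def browsable_dirs(root):
    """List directories under root that have neither protection.

    Limitation: a deeper .htaccess that re-enables +Indexes is not detected.
    """
    exposed = []
    for current, dirs, files in os.walk(root):
        dirs.sort()  # deterministic report order
        if htaccess_disables_indexes(current):
            dirs[:] = []  # the setting is inherited by every subdirectory
            continue
        if not INDEX_FILES.intersection(files):
            exposed.append(os.path.relpath(current, root))
    return exposed

def demo():
    """Audit a constructed wp-content tree: uploads/ is left unprotected."""
    with tempfile.TemporaryDirectory() as tmp:
        wp = os.path.join(tmp, "wp-content")
        for d in ("plugins", "uploads/2012/05", "uploads/backups", "cache/pages"):
            os.makedirs(os.path.join(wp, d))
        for d in ("", "plugins"):  # the blank index.php core ships in these folders
            with open(os.path.join(wp, d, "index.php"), "w") as fh:
                fh.write("<?php // Silence is golden.\n")
        with open(os.path.join(wp, "cache", ".htaccess"), "w") as fh:
            fh.write("# constructed sample\nOptions -Indexes\n")
        return browsable_dirs(wp)

if __name__ == "__main__":
    print("\n".join(demo()))
```

Running `browsable_dirs()` against a real install after each plugin or core update shows which newly created folders still need an index file or an .htaccess rule.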

  3. I have a shared hosting account that offers shared SSL, but it doesn’t work with WordPress (at least for this host, Hostmonster). The sites I’m running on this host are mainly informational small business or nonprofit sites. Any ecommerce transactions are handled offsite, by PayPal. I’m probably most concerned about WordPress account credentials being intercepted.

    I’ve used the Semisecure Login Reimagined, but the author has abandoned it. I know there’s also the Chap Secure Login plugin. Are plugins like these acceptable alternatives to SSL? If not, what do you recommend?

Comments are closed.