Securing WordPress the Right Way
Southwest Florida WordPress Meetup
About me
- Senior Web Engineer - 10up
- HigherEd Developer
- Southern Illinois University
- St. Edward's University
- Teacher
- Educator
Overview
- Protect your site with some simple services and tools
- Detect when something goes wrong
- Easily Recover from disaster
Why Bother?
- Protect your data
- Protect your privacy
Protect your customers
Layers of Security
- The Network
internet traffic before it gets to your sites - The Server
your host and the computer your host uses to store, process and send your website - The Application
The software that actually runs your sites
Securing Your Computer
Wifi Pineapple
Use Your OS
- Firewall
- Disk Encryption
- Account Protection
Use a VPN
- Accessing resources without encryption can allow a hacker to intercept your credentials
- If you share passwords with your website getting it elsewhere can compromise your website
- VPN (Virtual Private Network) encrypts all traffic between your computer and its services
- Very important on most wifi
- Examples
- Cloak - https://www.getcloak.com
- TunnelBear - https://www.tunnelbear.com
http://zed0.co.uk/crossword/
Use Unique Passwords
- If one site is hacked the passwords will be tried elsewhere
- Passwords for every login you use should be unique
- Password managers are easier than traditional passwords
- 1Password - https://1password.com
- Lastpass - https://lastpass.com
https://xkcd.com/936/
Install Antivirus
- Even in 2017 Antivirus still has its uses:
- Fix problems when they arise
- Cover for “bad practices”
- Avast - https://www.avast.com
Use a Privacy Screen
- Much information can be gathered from your screen
- Protects against eavesdroppers
- Conferences are great places for stealing secrets
- 3M Privacy Screen
Use Browser Extensions
- Can protect against XSS (Cross-site Scripting )and CSRF (Cross-site Request Forgery)
- Ad-block
- Do not track
- Duck Duck Go
Improving Network Security
Add a Firewall
- A firewall sits between your website and the internet
- Takes in and analyzes all traffic attempting to get to your website
- Examples:
- Sucuri - http://sucuri.net
- CloudFlare - https://www.cloudflare.com
Use Https
- The “s” in https stands for secure
- It uses SSL to encrypt your browser’s connection with your website
- Prevents attackers from intercepting important information
- Examples*:
- NameCheap - https://www.namecheap.com
- LetsEncrypt - https://letsencrypt.org
* Some hosts require you use their certificates and/or have extra fees associated with SSL encryption.
Protect Your Domains
- Increase TTL (time to live) to at least 86400 (1 day)
- Use two-factor on ALL possible accounts
- Authy - https://www.authy.com
- Jetpack - https://jetpack.com
Secure Your Server
Avoid FTP
- FTP, by itself, is unencrypted - your credentials can be intercepted
- Use SSH (SFTP - SSH File Transfer Protocol) - encrypts your connection like https
- Most hosts have it but you must often ask to activate
- Key-pair certificates (instead of passwords) make it even stronger [and easier]
Avoid Unlimited
- Many hosts sell “unlimited” accounts that can host multiple sites
- If one site is compromised they are all compromised
- Use separate accounts for separate websites
Use Hardening Services
- Often only applies to VPS or a dedicated server
- Can greatly increase your website’s security by blocking attackers before they get to your website software
- Fail2ban - actively watches errors logs and blocks users accordingly.
- Requires a plugin to write failed logins and other events to error logs
- Server firewall - allows users access only to the services they need when they need them
Secure the Application
[Almost] Too Late to Protect
- Once an attacker gets to your application prevention (which should prevent them from getting to your application) is often too late
- Focus turns to two functions:
- Detection - detect that a problem is there
- Recovery - act accordingly to mitigate damage and/or restore your site
Keeping Up to Date
- Know when updates are available and perform updates
- ManageWP - https://managewp.com
- iThemes Sync - https://ithemes.com/sync/
- MainWP - https://mainwp.com
- Know when plugins/themes/core have a problem
- WP Security Bloggers - http://www.wpsecuritybloggers.com
- Sucuri - https://sucuri.net
- Threatpost - https://threatpost.com/
Last Line of Defense
- Prevent brute-force (password guessing) Harden configuration
- Prevent access to import info (usernames, etc)
- Enforce "Best practices"
- Examples:
- Jetpack (Brute Protect) - http://jetpack.me
- iThemes Security - http://ithemes.com/security
Detect Attacks
- You know your site better than anyone
- Is it running slow?
- Are users reporting problems?
- Does it look different?
- Are there extra logins, content, changes, etc?
- Is there a spike in traffic or spam?
External Detection Tools
- Tools that watch your site from afar and report problems
- Run independently of your site (can’t fall victim to the attack)
- Examples
- Jetpack - http://jetpack.me
- New Relic - https://newrelic.com
- Google Webster Tools - https://www.google.com/ webmasters
Internal Detection Tools
- Watch user actions:
- Stream - https://wp-stream.com
- iThemes Security - https://ithemes.com/security/
- Detect file changes:
- iThemes Security - https://ithemes.com/security/
Make a Backup
- The first step of recovery is having something to recover to
- Backups should not be stored with your website
- Examples
- VaultPress - https://vaultpress.com
- BackupBuddy - https://ithemes.com/purchase/backupbuddy/
Verify Your Backup!
Know Who to Call
- Unless your a developer you probably don’t want to clean a hacked site yourself
- Examples:
- Sucuri - https://sucuri.net
- HackRepair.com - http://hackrepair.com