Securing WordPress the Right Way

Southwest Florida WordPress Meetup

https://slides.chriswiegman.com/swfl0217

Chris Wiegman / @chris

About me

  • Senior Web Engineer - 10up
  • HigherEd Developer
    • Southern Illinois University
    • St. Edward's University
  • Teacher
  • Educator
About Chris Wiegman

Overview

  • Protect your site with some simple services and tools
  • Detect when something goes wrong
  • Easily Recover from disaster

Why Bother?

  • Protect your data
  • Protect your privacy
  • Protect your customers

Layers of Security

  1. The Network
    internet traffic before it gets to your sites
  2. The Server
    your host and the computer your host uses to store, process and send your website
  3. The Application
    The software that actually runs your sites

Securing Your Computer

Wifi Pineapple

Use Your OS

  • Firewall
  • Disk Encryption
  • Account Protection

Use a VPN

  • Accessing resources without encryption can allow a hacker to intercept your credentials
  • If you share passwords with your website getting it elsewhere can compromise your website
  • VPN (Virtual Private Network) encrypts all traffic between your computer and its services
    • Very important on most wifi
  • Examples

Adobe Password Crossword - http://zed0.co.uk/crossword/

Use Unique Passwords

  • If one site is hacked the passwords will be tried elsewhere
  • Passwords for every login you use should be unique
  • Password managers are easier than traditional passwords

Adobe Password Crossword - https://xkcd.com/936/

Install Antivirus

  • Even in 2017 Antivirus still has its uses:
    • Fix problems when they arise
    • Cover for “bad practices”
  • Avast - https://www.avast.com

Use a Privacy Screen

  • Much information can be gathered from your screen
  • Protects against eavesdroppers
  • Conferences are great places for stealing secrets
  • 3M Privacy Screen

Use Browser Extensions

  • Can protect against XSS (Cross-site Scripting) and CSRF (Cross-site Request Forgery)
  • Ad-block
  • Do not track
  • Duck Duck Go

Improving Network Security

Add a Firewall

Use HTTPS

  • The “s” in HTTPS stands for secure
  • It uses SSL/TLS to encrypt your browser’s connection with your website
  • Prevents attackers from intercepting important information
  • Examples*:


* Some hosts require you use their certificates and/or have extra fees associated with SSL encryption.

Protect Your Domains

Secure Your Server

Avoid FTP

  • FTP, by itself, is unencrypted - your credentials can be intercepted
  • Use SSH (SFTP - SSH File Transfer Protocol) - encrypts your connection like HTTPS
    • Most hosts have it but you must often ask to activate it
    • SSH key pairs (instead of passwords) make it even stronger [and easier]

Avoid Unlimited

  • Many hosts sell “unlimited” accounts that can host multiple sites
  • If one site is compromised they are all compromised
  • Use separate accounts for separate websites

Use Hardening Services

  • Often only applies to VPS or a dedicated server
  • Can greatly increase your website’s security by blocking attackers before they get to your website software
  • Fail2ban - actively watches error logs and blocks users accordingly.
    • Requires a plugin to write failed logins and other events to error logs
  • Server firewall - allows users access only to the services they need when they need them
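As an added illustration (not from the slides) of what Fail2ban does with such a log: the maxretry/findtime counting rule a jail applies, run over constructed log lines in the kind of format a WordPress failed-login logging plugin might write. The log format, the IP addresses and the findtime/maxretry values are all assumptions made for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log lines (not real data): an ISO timestamp plus the kind of
# message a WordPress plugin would write via error_log() on wp_login_failed.
SAMPLE_LOG = """\
2017-02-15T10:00:01 web1 wordpress(example.com): Authentication failure for admin from 203.0.113.5
2017-02-15T10:00:03 web1 wordpress(example.com): Authentication failure for admin from 203.0.113.5
2017-02-15T10:00:05 web1 wordpress(example.com): Authentication failure for root from 203.0.113.5
2017-02-15T10:00:07 web1 wordpress(example.com): Authentication failure for admin from 203.0.113.5
2017-02-15T10:00:09 web1 wordpress(example.com): Authentication failure for admin from 203.0.113.5
2017-02-15T10:00:12 web1 wordpress(example.com): Authentication failure for admin from 203.0.113.5
2017-02-15T10:01:00 web1 wordpress(example.com): Accepted password for editor from 192.0.2.9
2017-02-15T10:05:00 web1 wordpress(example.com): Authentication failure for editor from 198.51.100.7
2017-02-15T10:20:00 web1 wordpress(example.com): Authentication failure for editor from 198.51.100.7
2017-02-15T10:35:00 web1 wordpress(example.com): Authentication failure for editor from 198.51.100.7
2017-02-15T10:50:00 web1 wordpress(example.com): Authentication failure for editor from 198.51.100.7
2017-02-15T11:05:00 web1 wordpress(example.com): Authentication failure for editor from 198.51.100.7
"""

# Equivalent of a Fail2ban failregex: only failed logins match, and the client IP is captured.
FAILREGEX = re.compile(
    r"^(?P<ts>\S+) .*Authentication failure for \S+ from (?P<ip>[\d.]+)$")

def find_ban_candidates(lines, maxretry=5, findtime=600):
    """Return {ip: time_of_ban} for IPs with >= maxretry failures inside findtime seconds."""
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)  # per-IP failure timestamps still inside the window
    banned = {}
    for line in lines:
        m = FAILREGEX.match(line)
        if not m:
            continue  # successful logins and unrelated lines never count
        ip = m.group("ip")
        if ip in banned:
            continue  # already banned; the firewall would be dropping this client
        ts = datetime.fromisoformat(m.group("ts"))
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()  # forget failures older than findtime
        if len(q) >= maxretry:
            banned[ip] = ts
    return banned

def analyze_sample(findtime=600):
    return find_ban_candidates(SAMPLE_LOG.splitlines(), maxretry=5, findtime=findtime)
```

With the default 10-minute window only the rapid-fire client is banned; the slow, spaced-out guessing from the second address is caught only if findtime is widened, which is the trade-off you tune in the jail.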

Secure the Application

[Almost] Too Late to Protect

  • Once an attacker reaches your application, prevention (which should have stopped them before they got there) is often too late
  • Focus turns to two functions:
    • Detection - detect that a problem is there
    • Recovery - act accordingly to mitigate damage and/or restore your site

Keeping Up to Date

Last Line of Defense

  • Prevent brute-force (password guessing)
  • Harden configuration
  • Prevent access to important info (usernames, etc.)
  • Enforce "Best practices"
  • Examples:

Detect Attacks

  • You know your site better than anyone
    • Is it running slow?
    • Are users reporting problems?
    • Does it look different?
    • Are there extra logins, content, changes, etc?
    • Is there a spike in traffic or spam?

External Detection Tools

  • Tools that watch your site from afar and report problems
  • Run independently of your site (can’t fall victim to the attack)
  • Examples
    • Jetpack - http://jetpack.me
    • New Relic - https://newrelic.com
    • Google Webmaster Tools - https://www.google.com/webmasters

Internal Detection Tools

Make a Backup

Verify Your Backup!

Know Who to Call

Questions?

Thank You

https://slides.chriswiegman.com/swfl0217

Chris Wiegman / @chris