How to Take Your WordPress Site Security to the Next Level

Rochester WordPress Meetup

http://cfw.cx/wproc0521

Chris Wiegman / @chris

About me

  • Senior Software Engineer- WP Engine
  • iThemes Security (Better WP Security)
  • St. Edward's University
  • Privacy
  • Developer Experience
  • Aviation
About Chris Wiegman

Overview

  • Protect your site with some simple services and tools
  • Detect when something goes wrong
  • Easily Recover from disaster

Why Bother?

  • Protect your data
  • Protect your privacy


Protect your customers

Layers of Security

  1. The Network
    internet traffic before it gets to your sites
  2. The Server
    your host and the computer your host uses to store, process and send your website
  3. The Application
    The software that actually runs your sites

Securing Your Computer

Wifi Pineapple
Wifi Pineapple

Use Your OS

  • Firewall
  • Disk Encryption
  • Account Protection

Use a VPN

  • Accessing resources without encryption can allow a hacker to intercept your credentials
  • If you share passwords with your website getting it elsewhere can compromise your website
  • VPN (Virtual Private Network) encrypts all traffic between your computer and its services
    • Very important on most wifi
  • Examples
Adobe Password Crossword
http://zed0.co.uk/crossword/

Use Unique Passwords

  • If one site is hacked the passwords will be tried elsewhere
  • Passwords for every login you use should be unique
  • Password managers are easier than traditional passwords

Use 2-factor Authentication (2FA)

  • "What you know" and "What you have"
  • Can often be implemented with your password manager
  • Hardware keys are the best
Adobe Password Crossword
https://xkcd.com/936/

Use a Privacy Screen

  • Much information can be gathered from your screen
  • Protects against eavesdroppers
  • Conferences are great places for stealing secrets
  • 3M Privacy Screen

Use Browser Extensions

  • Can protect against XSS (Cross-site Scripting )and CSRF (Cross-site Request Forgery)
  • Can block ads
  • Can remove trackers
  • Duck Duck Go - protect your search history

Upgrade Your DNS

  • Can protect against XSS (Cross-site Scripting )and CSRF (Cross-site Request Forgery)
  • Can block Ads
  • Can reduce tracking by other devices
  • Can prevent malware throughout your network
  • NextDNS

Improving Network Security

Add a Firewall

Use Https

  • The “s” in https stands for secure
  • It uses SSL to encrypt your browser’s connection with your website
  • Prevents attackers from intercepting important information
  • Examples*:


* Some hosts require you use their certificates and/or have extra fees associated with SSL encryption.

Protect Your Domains

Secure Your Server

Avoid FTP

  • FTP, by itself, is unencrypted - your credentials can be intercepted
  • Use SSH (SFTP - SSH File Transfer Protocol) - encrypts your connection like https
    • Most hosts have it but you must often ask to activate
    • Key-pair certificates (instead of passwords) make it even stronger [and easier]

Avoid "Unlimited" Accounts

  • Many hosts sell “unlimited” accounts that can host multiple sites
  • If one site is compromised they are all compromised
  • Use separate accounts for separate websites

Use Hardening Services

  • Often only applies to VPS or a dedicated server
  • Can greatly increase your website’s security by blocking attackers before they get to your website software
  • Fail2ban - actively watches errors logs and blocks users accordingly.
    • Requires a plugin to write failed logins and other events to error logs
  • Server firewall - allows users access only to the services they need when they need them

Secure the Application

[Almost] Too Late to Protect

  • Once an attacker gets to your application prevention (which should prevent them from getting to your application) is often too late
  • Focus turns to two functions:
    • Detection - detect that a problem is there
    • Recovery - act accordingly to mitigate damage and/or restore your site

Keeping Up to Date

Last Line of Defense

  • Prevent brute-force (password guessing) Harden configuration
  • Prevent access to import info
  • Enforce "Best practices"
  • Plugins to help:

Detect Attacks

  • You know your site better than anyone
    • Is it running slow?
    • Are users reporting problems?
    • Does it look different?
    • Are there extra logins, content, changes, etc?
    • Is there a spike in traffic or spam?

External Detection Tools

  • Tools that watch your site from afar and report problems
  • Run independently of your site (can’t fall victim to the attack)
  • Examples
    • Jetpack - http://jetpack.me
    • New Relic - https://newrelic.com
    • Google Search Console - https://search.google.com/search-console/about

Internal Detection Tools

Make a Backup

Verify Your Backup!

Know Who to Call

Questions?

Thank You

http://cfw.cx/wproc0521

Chris Wiegman / @chris