About me
- Senior Software Engineer- WP Engine
- iThemes Security (Better WP Security)
- St. Edward's University
- Privacy
- Developer Experience
- Aviation
Overview
- Protect your site with some simple services and tools
- Detect when something goes wrong
- Easily Recover from disaster
Why Bother?
- Protect your data
- Protect your privacy
Protect your customers
Layers of Security
- The Network
internet traffic before it gets to your sites
- The Server
your host and the computer your host uses to store, process and send your website
- The Application
The software that actually runs your sites
Use Your OS
- Firewall
- Disk Encryption
- Account Protection
Use a VPN
- Accessing resources without encryption can allow a hacker to intercept your credentials
- If you share passwords with your website getting it elsewhere can compromise your website
- VPN (Virtual Private Network) encrypts all traffic between your computer and its services
- Very important on most wifi
- Examples
Use Unique Passwords
- If one site is hacked the passwords will be tried elsewhere
- Passwords for every login you use should be unique
- Password managers are easier than traditional passwords
Use 2-factor Authentication (2FA)
- "What you know" and "What you have"
- Can often be implemented with your password manager
- Hardware keys are the best
Use a Privacy Screen
- Much information can be gathered from your screen
- Protects against eavesdroppers
- Conferences are great places for stealing secrets
-
3M
Privacy
Screen
Use Browser Extensions
- Can protect against XSS (Cross-site Scripting )and CSRF (Cross-site Request Forgery)
- Can block ads
- Can remove trackers
- Duck Duck Go - protect your search history
Upgrade Your DNS
- Can protect against XSS (Cross-site Scripting )and CSRF (Cross-site Request Forgery)
- Can block Ads
- Can reduce tracking by other devices
- Can prevent malware throughout your network
- NextDNS
Improving Network Security
Add a Firewall
- A firewall sits between your website and the internet
- Takes in and analyzes all traffic attempting to get to your website
- Examples:
Use Https
- The “s” in https stands for secure
- It uses SSL to encrypt your browser’s connection with your website
- Prevents attackers from intercepting important information
- Examples*:
* Some hosts require you use their certificates and/or have extra fees associated with SSL
encryption.
Protect Your Domains
- Increase TTL (time to live) to at least 86400 (1 day)
- Don't share your domain registration account with other services, especially email
- Use two-factor on ALL possible accounts
Avoid FTP
- FTP, by itself, is unencrypted - your credentials can be intercepted
- Use SSH (SFTP - SSH File Transfer Protocol) - encrypts your connection like https
- Most hosts have it but you must often ask to activate
- Key-pair certificates (instead of passwords) make it even stronger [and easier]
Avoid "Unlimited" Accounts
- Many hosts sell “unlimited” accounts that can host multiple sites
- If one site is compromised they are all compromised
- Use separate accounts for separate websites
Use Hardening Services
- Often only applies to VPS or a dedicated server
- Can greatly increase your website’s security by blocking attackers before they get to your
website
software
- Fail2ban - actively watches errors logs and blocks users accordingly.
- Requires a plugin to write failed logins and other events to error logs
- Server firewall - allows users access only to the services they need when they need them
[Almost] Too Late to Protect
- Once an attacker gets to your application prevention (which should prevent them from getting to
your
application) is often too late
- Focus turns to two functions:
- Detection - detect that a problem is there
- Recovery - act accordingly to mitigate damage and/or restore your site
Keeping Up to Date
- Know when updates are available and perform updates
- Know when plugins/themes/core have a problem
Last Line of Defense
- Prevent brute-force (password guessing) Harden configuration
- Prevent access to import info
- Enforce "Best practices"
- Plugins to help:
Detect Attacks
- You know your site better than anyone
- Is it running slow?
- Are users reporting problems?
- Does it look different?
- Are there extra logins, content, changes, etc?
- Is there a spike in traffic or spam?
External Detection Tools
- Tools that watch your site from afar and report problems
- Run independently of your site (can’t fall victim to the attack)
- Examples
- Jetpack - http://jetpack.me
- New Relic - https://newrelic.com
- Google Search Console - https://search.google.com/search-console/about
Internal Detection Tools
- Watch user actions:
- Detect file changes:
Make a Backup
- The first step of recovery is having something to recover to
- Backups should not be stored with your website
- Examples
Know Who to Call
- Unless your a developer you probably don’t want to clean a hacked site yourself
- Examples: