How to Take Your WordPress Site Security to the Next Level
Rochester WordPress Meetup
About me
- Senior Software Engineer- WP Engine
- iThemes Security (Better WP Security)
- St. Edward's University
- Privacy
- Developer Experience
- Aviation
Overview
- Protect your site with some simple services and tools
- Detect when something goes wrong
- Easily Recover from disaster
Why Bother?
- Protect your data
- Protect your privacy
Protect your customers
Layers of Security
- The Network
internet traffic before it gets to your sites - The Server
your host and the computer your host uses to store, process and send your website - The Application
The software that actually runs your sites
Securing Your Computer
Wifi Pineapple
Use Your OS
- Firewall
- Disk Encryption
- Account Protection
Use a VPN
- Accessing resources without encryption can allow a hacker to intercept your credentials
- If you share passwords with your website getting it elsewhere can compromise your website
- VPN (Virtual Private Network) encrypts all traffic between your computer and its services
- Very important on most wifi
- Examples
- ProtonVPN - https://protonvpn.com/
- Algo* - https://github.com/trailofbits/algo
http://zed0.co.uk/crossword/
Use Unique Passwords
- If one site is hacked the passwords will be tried elsewhere
- Passwords for every login you use should be unique
- Password managers are easier than traditional passwords
- 1Password - https://1password.com
- Bitwarden - https://bitwarden.com
Use 2-factor Authentication (2FA)
- "What you know" and "What you have"
- Can often be implemented with your password manager
- Hardware keys are the best
- Yubikey - https://www.yubico.com
- Can do much more than just 2FA
https://xkcd.com/936/
Use a Privacy Screen
- Much information can be gathered from your screen
- Protects against eavesdroppers
- Conferences are great places for stealing secrets
- 3M Privacy Screen
Use Browser Extensions
- Can protect against XSS (Cross-site Scripting )and CSRF (Cross-site Request Forgery)
- Can block ads
- Can remove trackers
- Duck Duck Go - protect your search history
Upgrade Your DNS
- Can protect against XSS (Cross-site Scripting )and CSRF (Cross-site Request Forgery)
- Can block Ads
- Can reduce tracking by other devices
- Can prevent malware throughout your network
- NextDNS
Improving Network Security
Add a Firewall
- A firewall sits between your website and the internet
- Takes in and analyzes all traffic attempting to get to your website
- Examples:
- Sucuri - http://sucuri.net
- CloudFlare - https://www.cloudflare.com
Use Https
- The “s” in https stands for secure
- It uses SSL to encrypt your browser’s connection with your website
- Prevents attackers from intercepting important information
- Examples*:
- Gandi - https://www.gandi.net
- LetsEncrypt - https://letsencrypt.org
* Some hosts require you use their certificates and/or have extra fees associated with SSL encryption.
Protect Your Domains
- Increase TTL (time to live) to at least 86400 (1 day)
- Don't share your domain registration account with other services, especially email
- Use two-factor on ALL possible accounts
- Two-Factor - https://wordpress.org/plugins/two-factor/
- Wordfence - https://www.wordfence.com/
Secure Your Server
Avoid FTP
- FTP, by itself, is unencrypted - your credentials can be intercepted
- Use SSH (SFTP - SSH File Transfer Protocol) - encrypts your connection like https
- Most hosts have it but you must often ask to activate
- Key-pair certificates (instead of passwords) make it even stronger [and easier]
Avoid "Unlimited" Accounts
- Many hosts sell “unlimited” accounts that can host multiple sites
- If one site is compromised they are all compromised
- Use separate accounts for separate websites
Use Hardening Services
- Often only applies to VPS or a dedicated server
- Can greatly increase your website’s security by blocking attackers before they get to your website software
- Fail2ban - actively watches errors logs and blocks users accordingly.
- Requires a plugin to write failed logins and other events to error logs
- Server firewall - allows users access only to the services they need when they need them
Secure the Application
[Almost] Too Late to Protect
- Once an attacker gets to your application prevention (which should prevent them from getting to your application) is often too late
- Focus turns to two functions:
- Detection - detect that a problem is there
- Recovery - act accordingly to mitigate damage and/or restore your site
Keeping Up to Date
- Know when updates are available and perform updates
- Automatic Updates
- Wordfence - https://www.wordfence.com/
- MainWP - https://mainwp.com
- Your host's update service
- Know when plugins/themes/core have a problem
- WP Security Bloggers - http://www.wpsecuritybloggers.com
- Wordfence Blog - https://www.wordfence.com/blog/
- Threatpost - https://threatpost.com/
Last Line of Defense
- Prevent brute-force (password guessing) Harden configuration
- Prevent access to import info
- Enforce "Best practices"
- Plugins to help:
- Wordfence - https://www.wordfence.com/
Detect Attacks
- You know your site better than anyone
- Is it running slow?
- Are users reporting problems?
- Does it look different?
- Are there extra logins, content, changes, etc?
- Is there a spike in traffic or spam?
External Detection Tools
- Tools that watch your site from afar and report problems
- Run independently of your site (can’t fall victim to the attack)
- Examples
- Jetpack - http://jetpack.me
- New Relic - https://newrelic.com
- Google Search Console - https://search.google.com/search-console/about
Internal Detection Tools
- Watch user actions:
- Stream - https://wp-stream.com
- iThemes Security - https://ithemes.com/security/
- Detect file changes:
- Wordfence - https://www.wordfence.com/
Make a Backup
- The first step of recovery is having something to recover to
- Backups should not be stored with your website
- Examples
- VaultPress - https://vaultpress.com
- BackupBuddy - https://ithemes.com/purchase/backupbuddy/
Verify Your Backup!
Know Who to Call
- Unless your a developer you probably don’t want to clean a hacked site yourself
- Examples:
- Sucuri - https://sucuri.net
- HackRepair.com - http://hackrepair.com
- Wordfence - https://www.wordfence.com/