A Common Sense Approach to Website Security
Hi, I'm Aaron
I'm the founder and owner of Linchpin, a digital agency based here in Little Rhody.
I'm an Entrepreneur, Plugin Developer, Workaholic, Lover of Process that makes sense + automation for busy work.
Popularity makes it an easier target
- Similar to Android, Windows users vs other OSes
- More opportunity to cast a wider net for exploits
- Lower barrier to entry allows novices to "deploy" code in the wild.
- Allows "zombie sites" to sit dormant, never updated or maintained.
* wordpress.org plugin and theme repo.
* Community Trusted. Commercial Plugins.
* Developers / Vendors you have hired
Semi Wild West
Random Google Searches
Many ways to
No One Source
Highly scrutinized and secure codebase, but it will always be a target because of its usage
Plugins and Themes
Not all themes and plugins are created equally
Or Maintained Equally
Research and Upkeep
Can help keep your site secure.
It's a lot to think about for site owners, freelancers or even smaller agencies
Whoa, that's a lot of stuff!
What else can I do?
If I don't want to do all that stuff?
A Layered Approach to Security
How difficult is it going to be for me to implement this feature?
How difficult is it going to be for the end user?
How difficult is it for admins?
Can either the client or I afford this feature?
Getting help is
Managing WordPress is only part of the problem
At any Level or specialty
Alleviates many of the challenges of maintaining secure infrastructure.
So you don't have to and some also manage WordPress
- iThemes Security
- Bullet Proof
Having a Disaster Recovery Plan
Backups and Restore Points
Many Managed and Non Managed hosting providers have this as an option
There are TONS of free and premium plugins in the WordPress.org repo that have this functionality
On Going Battle
- sucuri blog
- wordfence blog
- wpengine blog
Sometimes it's as easy as following a few of YOUR OWN trusted sources
Remove unused plugins
active and inactive
Keeping Up to Date
Core, Themes, Plugins
Manual updates: You can give each update more scrutiny. You have an opportunity to pick and choose what gets updated. You know step by step what is updated and when.
Automatic updates: More hands off. Automated updates can sometimes go wrong and you don't know when it happens.
For core, add to wp-config.php:
define( 'WP_AUTO_UPDATE_CORE', true );
For plugins, use:
add_filter( 'auto_update_plugin', '__return_true' );
For themes, use:
add_filter( 'auto_update_theme', '__return_true' );
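As an added example (not from the talk or from any plugin it names), one way to get the scrutiny of manual updates and the convenience of automatic ones at the same time: a must-use plugin that auto-applies core minor/security releases plus a short allow-list of plugins you have vetted, keeps everything else manual, and logs each background update so you know when it ran. The allow-list entries and the constant name are assumptions; the filters and action are standard WordPress hooks.

```php
<?php
/**
 * Plugin Name: Selective auto-updates (added example)
 * Drop this file into wp-content/mu-plugins/ so it loads before the
 * background updater runs.
 */

// Assumed allow-list: plugin basenames you have reviewed and trust to
// update unattended. Everything else stays manual for human scrutiny.
const TRUSTED_AUTO_UPDATE_PLUGINS = [
    'akismet/akismet.php',
    'wordfence/wordfence.php',
];

// Core: apply minor (security/maintenance) releases automatically, but
// keep major releases manual since they are likelier to break themes/plugins.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins: only allow-listed plugins update unattended. The filter receives
// the default decision and the update item; $item->plugin is the basename.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    return in_array( $item->plugin, TRUSTED_AUTO_UPDATE_PLUGINS, true );
}, 10, 2 );

// Themes: never auto-update; a broken theme is the most visible failure.
add_filter( 'auto_update_theme', '__return_false' );

// Record what the background updater actually did, so "you don't know
// when it happens" no longer applies. Entries go to the PHP error log;
// core also emails the admin, but plugin/theme results are easy to miss.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $update ) {
            $status  = is_wp_error( $update->result ) ? 'FAILED' : 'OK';
            // Plugin/theme items carry new_version; the core item carries current.
            $version = $update->item->new_version ?? $update->item->current ?? '?';
            error_log( sprintf(
                '[auto-update] %s: %s -> %s (%s)',
                $type,
                $update->name,
                $version,
                $status
            ) );
        }
    }
} );
```

Tail the error log (or ship it to your monitoring) after each WP-Cron run to confirm the updates you expected, and only those, were applied.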
Other Auto Update Solution
- JetPack / WordPress.com
Active Uptime Monitoring
- Jetpack Site Monitoring
Securing Your Logins
Brute Force Protection (JetPack Protect, WordFence, and Others)
2 Factor Authentication (Google Authenticator, Duo 2FA, Authy, LastPass)
Tell me you're not still using "admin"
Monitoring Attack Attempts
Audit and Code Reviews
Sometimes things get missed
Web Application Firewalls
- WordFence (Premium)
- Sucuri WAF