A Common Sense Approach to Website Security

Hi I'm Aaron

I'm the founder and owner of Linchpin, a Digital Agency based here in little Rhody.

 

I'm an Entrepreneur, Plugin Developer, Workaholic, Lover of Process that makes sense + automation for busy work.

  1. The Challenges

  2. Tackling them

  3. Continual Battle

WordPress

and its

overwhelming popularity

Popularity makes it an easier target

  • Similar to Android, Windows users vs other OSes
  • More opportunity to cast a wider net for exploits
  • Easier barrier of entry allows for novices to "deploy" code in the wild.
  • Allows for "zombie sites" to sit dormant and not updated / maintained.

Trust Sources

* wordpress.org plugin and theme repo.

* Community-trusted commercial plugins.

* Developers / Vendors you have hired

Semi Wild West

Bulk "stores"

Random Google Searches

Random gists

Stack Overflows

 

Many ways to

extend WordPress

No One Source

is infallible

Regardless

WordPress Core

Highly scrutinized and secure codebase, but it will always be a target because of its usage

Plugins and Themes

Not all themes and plugins are created equally

Or Maintained Equally

Mistakes Happen

Inexperienced Novices

Oversight

Negligence

Research and Upkeep

Can help keep your site secure.

 

more on this later

WordPress

Basic Security

Starts Here

It's a lot to think about for site owners, freelancers or even smaller agencies

Woah that's a lot of stuff!

What else can I do?

If I don't want to do all that stuff?

A Layered Approach to Security

Benefit

More Security!

Burden

How difficult is it going to be for me to implement this feature?

 

How difficult is it going to be for the end user?

 

How difficult is it going to be for admins?

Budget

Can either the client or I afford this feature?

Getting help is

OK

Managed Hosting

Managing WordPress is only part of the problem

Managed Hosting

At any Level or specialty

Alleviates many of the challenges of maintaining secure infrastructure.

 

So you don't have to, and some also manage WordPress for you

Security Plugins

  • Sucuri
  • iThemes Security
  • Bullet Proof

Having a Disaster Recovery Plan

Backups and Restore Points

Many managed and non-managed hosting providers have this as an option

There are TONS of free and premium plugins in the WordPress.org repo that have this functionality

Ongoing Battle

Staying Informed

  • wpvulndb.com
  • sucuri blog
  • wordfence blog
  • wpengine blog
  • wptavern
  • threatpost
  • arstechnica

Sometimes it's as easy as following a few of YOUR OWN trusted sources

Housekeeping

Remove unused plugins

active and inactive

Keeping Up to Date

Core, Themes, Plugins

Manual

You can give each update more scrutiny. You have an opportunity to pick and choose what gets updated. You know step by step what is updated and when.

Automated

More hands off. Automated updates can sometimes go wrong, and you don't know when it happens.

You Maniac

In wp-config.php (turns on all core updates, including major releases):

define( 'WP_AUTO_UPDATE_CORE', true );

For plugins, use:

add_filter( 'auto_update_plugin', '__return_true' );

For themes, use:

add_filter( 'auto_update_theme', '__return_true' );
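Between the all-or-nothing filters above and fully manual updates there is a middle path: auto-update only the plugins you have vetted, keep core on minor/security releases, and log every run so you do know when it happened. The following is an added example, not code from the talk or from WordPress itself; the plugin allowlist, the `linchpin_example_` prefix and logging via `error_log()` are assumptions, and it assumes you save it in wp-content/mu-plugins/ so it loads on every request.

```php
<?php
/*
 * Plugin Name: Selective Auto Updates (added example, not part of the talk)
 * Lives in wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

// Assumed allowlist: plugin basenames (folder/file.php) you are willing to let update unattended.
const LINCHPIN_EXAMPLE_AUTO_UPDATE_PLUGINS = array(
    'akismet/akismet.php',
    'jetpack/jetpack.php',
);

// auto_update_plugin receives ($update, $item); $item->plugin is the plugin basename.
// Allowlisted plugins update on their own; everything else waits for a manual review.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
    if ( isset( $item->plugin ) && in_array( $item->plugin, LINCHPIN_EXAMPLE_AUTO_UPDATE_PLUGINS, true ) ) {
        return true;
    }
    return false;
}, 10, 2 );

// Core: keep minor (security/maintenance) releases automatic, hold major version jumps for a human.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Answer the "you don't know when it happens" problem: record every automatic update run.
// $update_results is keyed by type (core, plugin, theme, translation); each entry has ->name and ->result.
add_action( 'automatic_updates_complete', function ( $update_results ) {
    foreach ( $update_results as $type => $results ) {
        foreach ( $results as $result ) {
            $status = is_wp_error( $result->result ) ? 'FAILED' : 'ok';
            error_log( sprintf( '[auto-update] %s %s: %s', $type, $result->name, $status ) );
        }
    }
} );
```

Point `error_log()` at a file your uptime or log monitoring already watches, and a failed update becomes an alert instead of a surprise found weeks later.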

Other Auto Update Solution

  • JetPack / WordPress.com
  • MainWP
  • ManageWP

Active Uptime Monitoring

  • StatusCake
  • Pingdom
  • Jetpack Site Monitoring

Performance Monitoring

New Relic

Securing Your Logins

  • Strong Usernames/Passwords

  • Brute Force Protection (JetPack Protect, WordFence, and Others)

  • 2 Factor Authentication (Google Authenticator, Duo 2FA, Authy, LastPass)

  • Tell me you're not still using "admin"

Monitoring Attack Attempts

Audit and Code Reviews

Sometimes things get missed

Web Application Firewalls

  • WordFence (Premium)
  • Sucuri WAF
  • Cloudflare
  • Barracuda
  • StackPath

  • AND MORE!

Did I miss anything?

Developer-centric

You escape and sanitize khed?

Or What?

I can do a whole session on just this
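The short version of that session fits in one small feature written twice. This is an added example, not code from the talk: an assumed shortcode `[linchpin_example_hello]` that greets the visitor by the `?name=` query parameter, plus an assumed settings handler, first without and then with WordPress' sanitize-on-input / escape-on-output functions. All `linchpin_example_` names are made up for the illustration.

```php
<?php
// Added example, not from the talk. Assumed feature: [linchpin_example_hello] greets the visitor using ?name=...

// BEFORE: raw request data goes straight into the page. Whatever is in ?name= is rendered as HTML.
function linchpin_example_hello_unsafe() {
    $name = isset( $_GET['name'] ) ? $_GET['name'] : 'friend';
    return '<p>Hello, ' . $name . '</p>';
}

// AFTER: sanitize on the way in, escape on the way out.
function linchpin_example_hello_safe() {
    // wp_unslash() undoes WordPress' added slashes; sanitize_text_field() strips tags, invalid bytes and line breaks.
    $name = isset( $_GET['name'] ) ? sanitize_text_field( wp_unslash( $_GET['name'] ) ) : 'friend';
    // esc_html() encodes <, >, &, " and ' so the value stays a text node and cannot become markup.
    return '<p>Hello, ' . esc_html( $name ) . '</p>';
}
add_shortcode( 'linchpin_example_hello', 'linchpin_example_hello_safe' );

// The same rule for data you store: check who is asking and where the form came from, sanitize on save.
function linchpin_example_save_option() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed.' );
    }
    check_admin_referer( 'linchpin_example_save' ); // verifies the nonce the form carried

    $url = isset( $_POST['linchpin_example_url'] )
        ? esc_url_raw( wp_unslash( $_POST['linchpin_example_url'] ) ) // esc_url_raw() is the storage-safe URL sanitizer
        : '';
    update_option( 'linchpin_example_url', $url );

    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
add_action( 'admin_post_linchpin_example_save', 'linchpin_example_save_option' );

// Escape again when rendering, choosing the escaper for the context the value lands in.
function linchpin_example_render_field() {
    $url = get_option( 'linchpin_example_url', '' );
    // esc_attr() for an attribute value; esc_url() would be the choice inside an href.
    printf( '<input type="url" name="linchpin_example_url" value="%s" />', esc_attr( $url ) );
}
```

The form that posts to `admin-post.php` would include `wp_nonce_field( 'linchpin_example_save' )` so `check_admin_referer()` has something to verify. The habit to build is that sanitizing once on save never excuses skipping the escape on output: the database is not a trusted source either.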

Already Hacked?

What next!

Did you already have backups?

Potentially Scan using Sucuri or another Solution

Manual File Inspection
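Manual inspection goes faster with a list of where to start reading. The following is an added example, not code from the talk: a small PHP CLI script (assumed file name `triage.php`, assumed default window of 7 days) that walks the install from the site root and reports two cheap signals, PHP files under wp-content/uploads and files changed recently.

```php
<?php
// Added example (not from the talk): first-pass triage of a WordPress install after a suspected compromise.
// Run from the site root, e.g. `php triage.php 7`; the file name and the 7-day default are assumptions.

function linchpin_example_triage( $root, $days ) {
    $findings = array( 'php_in_uploads' => array(), 'recently_modified' => array() );
    $cutoff   = time() - ( $days * 86400 );
    $uploads  = rtrim( $root, '/' ) . '/wp-content/uploads';

    $files = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS )
    );
    foreach ( $files as $file ) {
        $path = $file->getPathname();

        // Uploads should hold images and documents only; executable PHP there deserves a look every time.
        if ( 0 === strpos( $path, $uploads ) && preg_match( '/\.(php\d?|phtml|phar)$/i', $path ) ) {
            $findings['php_in_uploads'][] = $path;
        }

        // Recent modification times narrow the review. They can be faked, so treat this as a hint, not proof.
        if ( $file->getMTime() >= $cutoff ) {
            $findings['recently_modified'][] = $path;
        }
    }
    return $findings;
}

$root = getcwd();
if ( ! file_exists( $root . '/wp-config.php' ) ) {
    fwrite( STDERR, "Run this from the WordPress root (wp-config.php not found).\n" );
    exit( 1 );
}
$days     = isset( $argv[1] ) ? (int) $argv[1] : 7;
$findings = linchpin_example_triage( $root, $days );

foreach ( $findings as $label => $paths ) {
    printf( "== %s (%d) ==\n", $label, count( $paths ) );
    foreach ( $paths as $path ) {
        echo $path, "\n";
    }
}
```

Pair it with WP-CLI's `wp core verify-checksums`, which compares core files against the official checksums for that version. The script only tells you where to start reading; restoring from a known-good backup remains the cleaner end state, which is why the backup question comes first.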