A Common Sense Approach to Website Security

Hi I'm Aaron
I'm the founder and owner of Linchpin, a digital agency based here in little Rhody.
I'm an Entrepreneur, Plugin Developer, Workaholic, Lover of Process that makes sense + automation for busy work.

- The Challenges
- Tackling them
- Continual Battle

WordPress and its overwhelming popularity

Popularity makes it an easier target
- Similar to Android, Windows users vs other OSes
- More opportunity to cast a wider net for exploits
- Lower barrier to entry allows novices to "deploy" code in the wild.
- Allows "zombie sites" to sit dormant, not updated or maintained.

Trust Sources
* wordpress.org plugin and theme repo
* Community-trusted commercial plugins
* Developers / vendors you have hired

Semi Wild West
* Bulk "stores"
* Random Google searches
* Random gists
* Stack Overflow

Many ways to extend WordPress

No one source is infallible, regardless

WordPress Core
Highly scrutinized and secure codebase, but it will always be a target because of its usage

Plugins and Themes
Not all themes and plugins are created equally

Or Maintained Equally

Mistakes Happen
Inexperienced Novices
Oversight
Negligence

Research and Upkeep
Can help keep your site secure.
WordPress
Basic Security

Starts Here
It's a lot to think about for site owners, freelancers or even smaller agencies

Woah that's a lot of stuff!

What else can I do?
If I don't want to do all that stuff?

A Layered Approach to Security

Benefit
- More security!
Burden
- How difficult is it going to be for me to implement this feature?
- How difficult is it going to be for the end user?
- How difficult for admins?
Budget
- Can either the client or I afford this feature?
Getting help is OK

Managed Hosting
Managing WordPress is only part of the problem

Managed Hosting
At any level or specialty
Alleviates many of the challenges of maintaining secure infrastructure, so you don't have to. Some providers also manage WordPress itself.

Security Plugins
- Sucuri
- iThemes Security
- Bullet Proof

Having a Disaster Recovery Plan
Backups and Restore Points
Many Managed and Non Managed hosting providers have this as an option
There are TONS of free and premium plugins in the WordPress.org repo that have this functionality

Ongoing Battle

Staying Informed
- wpvulndb.com
- sucuri blog
- wordfence blog
- wpengine blog
- wptavern
- threatpost
- arstechnica
Sometimes it's as easy as following a few of YOUR OWN trusted sources

Housekeeping
Remove unused plugins, active and inactive

Keeping Up to Date
Core, Themes, Plugins

Manual
You can give each update more scrutiny. You have an opportunity to pick and choose what gets updated. You know step by step what is updated and when.
Automated
More hands off. Automated updates can sometimes go wrong and you don't know when it happens.

You Maniac
// wp-config.php: auto-apply every core release, major versions included
define( 'WP_AUTO_UPDATE_CORE', true );
For plugins, use:
// functions.php or a (must-use) plugin: auto-update every installed plugin
add_filter( 'auto_update_plugin', '__return_true' );
For themes, use:
// same place: auto-update every installed theme
add_filter( 'auto_update_theme', '__return_true' );
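The "Manual" and "Automated" slides describe two extremes. The following is an added example (not code from the talk, and not any of the listed products) of the middle ground a practitioner usually wants: core takes minor/security releases on its own, plugins auto-update only from an explicit allow-list and only when the package comes from the wordpress.org download host, themes stay manual, and every decision is written to the PHP error log so "you don't know when it happens" no longer applies. The filter names are WordPress core's; the must-use plugin file name and the two plugin basenames in the allow-list are assumptions/placeholders.

```php
<?php
/**
 * Added example, not code from the talk: selective auto-updates.
 * Save as a must-use plugin so it cannot be deactivated from the admin UI,
 * e.g. wp-content/mu-plugins/selective-auto-updates.php (name is an assumption).
 */

// Core: minor/security releases apply automatically, major releases wait for
// a human. Same effect as WP_AUTO_UPDATE_CORE set to 'minor' in wp-config.php.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_false' );

// Plugins that are allowed to update themselves, as plugin basenames
// (folder/main-file.php). These two entries are placeholders.
function sau_plugin_allow_list() {
	return array(
		'akismet/akismet.php',
		'example-trusted-plugin/example-trusted-plugin.php',
	);
}

// Decide per plugin. $item is the update object WordPress passes to the
// auto_update_plugin filter; core itself relies on $item->plugin being set.
function sau_should_auto_update_plugin( $update, $item ) {
	$basename = isset( $item->plugin ) ? $item->plugin : '';
	$package  = isset( $item->package ) ? $item->package : '';
	$host     = (string) wp_parse_url( $package, PHP_URL_HOST );

	$allowed  = in_array( $basename, sau_plugin_allow_list(), true );
	// Heuristic: only trust packages served from the wordpress.org download
	// host, so an update pushed by a third-party update server stays manual.
	$from_org = ( 'downloads.wordpress.org' === $host );
	$decision = $allowed && $from_org;

	// Every decision goes to the PHP error log; ship that log to whatever
	// monitoring you already have so updates are visible after the fact.
	error_log( sprintf(
		'[auto-update] plugin=%s new_version=%s source_host=%s decision=%s',
		$basename,
		isset( $item->new_version ) ? $item->new_version : '?',
		$host ?: 'none',
		$decision ? 'auto' : 'manual'
	) );

	return $decision;
}
add_filter( 'auto_update_plugin', 'sau_should_auto_update_plugin', 10, 2 );

// Themes: stay manual. Theme updates overwrite templates and are the ones
// most likely to change what visitors actually see.
add_filter( 'auto_update_theme', '__return_false' );
```

Returning a boolean from `auto_update_plugin` overrides whatever the site's per-plugin "Enable auto-updates" toggle says, which is the point: the allow-list lives in version-controlled code rather than in a setting anyone with admin access can flip.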

Other Auto Update Solutions
- JetPack / WordPress.com
- MainWP
- ManageWP

Active Uptime Monitoring
- StatusCake
- Pingdom
- Jetpack Site Monitoring

Performance Monitoring
New Relic

Securing Your Logins
- Strong Usernames/Passwords
- Brute Force Protection (JetPack Protect, WordFence, and others)
- 2 Factor Authentication (Google Authenticator, Duo 2FA, Authy, LastPass)
- Tell me you're not still using "admin"
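To show what the "Brute Force Protection" bullet means in practice, here is an added example (not code from the talk, and not how any of the named plugins is implemented) of a minimal login throttle: after a constructed threshold of 5 failed logins from one client address within 15 minutes, further attempts from that address are refused until the window expires, and each failure is written to the PHP error log. It uses only WordPress core hooks (`wp_login_failed`, `authenticate`, `wp_login`) and the transient API; the must-use plugin file name, the thresholds and the `lt_` prefix are assumptions.

```php
<?php
/**
 * Added example, not code from the talk: a minimal login throttle.
 * Save as e.g. wp-content/mu-plugins/login-throttle.php (name is an assumption).
 *
 * Policy (constructed numbers): 5 failures from one client IP within
 * 15 minutes lock that IP out until the window expires.
 */

define( 'LT_MAX_FAILS', 5 );
define( 'LT_WINDOW_SECONDS', 15 * 60 );

function lt_client_ip() {
	// REMOTE_ADDR is the only address the web server itself vouches for.
	// Behind a CDN or WAF (Cloudflare, Sucuri, ...) configure the web server
	// to restore the real client address from the proxy's trusted header.
	// Do not read X-Forwarded-For here: a client can set it to anything,
	// which would let it reset its own counter on every request.
	return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function lt_key( $ip ) {
	return 'lt_fails_' . md5( $ip );
}

function lt_fail_count() {
	return (int) get_transient( lt_key( lt_client_ip() ) );
}

// Count each failure. The transient's expiry is the window; rewriting it on
// every failure means the lockout extends for as long as attempts keep coming.
add_action( 'wp_login_failed', function ( $username ) {
	$count = lt_fail_count() + 1;
	set_transient( lt_key( lt_client_ip() ), $count, LT_WINDOW_SECONDS );

	// Lands in the PHP error log, where a monitoring tool
	// (see "Monitoring Attack Attempts") can pick it up.
	error_log( sprintf(
		'[login-throttle] failed login for "%s" from %s (%d/%d in window)',
		$username, lt_client_ip(), $count, LT_MAX_FAILS
	) );
} );

// Refuse the attempt once the threshold is reached. Priority 30 matters:
// core's own username/password check runs on 'authenticate' at priority 20
// and discards a WP_Error returned by an earlier filter whenever both
// username and password are non-empty, so the block must run after it.
add_filter( 'authenticate', function ( $user, $username, $password ) {
	if ( lt_fail_count() >= LT_MAX_FAILS ) {
		return new WP_Error(
			'too_many_attempts',
			__( 'Too many failed login attempts from your address. Try again later.' )
		);
	}
	return $user;
}, 30, 3 );

// A successful login clears the counter so a real user is not locked out
// by their own typos.
add_action( 'wp_login', function () {
	delete_transient( lt_key( lt_client_ip() ) );
} );
```

Because `wp_authenticate()` also runs for XML-RPC logins, the same counter covers that entry point. Transients live in the object cache when one is configured, so on a multi-server setup without a shared cache each server keeps its own count; a real plugin would store the counter somewhere shared.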
Monitoring Attack Attempts
- Sucuri Security
Audit and Code Reviews
Sometimes things get missed
Web Application Firewalls
- WordFence (Premium)
- Sucuri WAF
- Cloudflare
- Barracuda
- StackPath
- AND MORE!