A Common Sense Approach to Website Security
Hi I'm Aaron
I'm the founder and owner of Linchpin a Digital Agency based here in little Rhody.
I'm an Entrepreneur, Plugin Developer, Workaholic, Lover of Process that makes sense + automation for busy work.
-
The Challenges
-
Tackling them
-
Continual Battle
WordPress
and it's
overwhelming popularity
Popularity makes it an easier target
- Similar to Android, Windows users vs other OSes
- More opportunity to cast a wider net for exploits
- Easier barrier of entry allows for novices to "deploy" code in the wild.
- Allows for "zombie sites" to sit dormant and not updated / maintained.
Trust Sources
* wordpress.org plugin and theme repo.
* Community Trusted. Commercial Plugins.
* Developers / Vendors you have hired
Semi Wild West
Bulk "stores"
Random Google Searches
Random gists
Stack Overflows
Many ways to
extend WordPress
No One Source
is infallible
Regardless
WordPress Core
High scrutinized and secure codebase but will always be a target based on it's usage
Plugins and Themes
Not all themes and plugins are created equally
Or Maintained Equally
Mistakes Happen
Inexperienced Novices
Oversight
Negligence
Research and Upkeep
Can help keep your site secure.
WordPress
Basic Security
Starts Here
It's a lot to think about for site owners, freelancers or even smaller agency
Woah that's a lot of stuff!
What else can I do?
If I don't want to do all that stuff?
A Layered Approach to Security
Benefit
More Security!
Burden
How difficult is it going to be for me to implement this feature.
How difficult is it going to be to the end user.
How difficult for admins
Budget
Can either the client or I afford this feature
Getting help is
OK
Managed Hosting
Managing WordPress is only part of the problem
Managed Hosting
At any Level or specialty
Alleviates many of the challenges of maintaining secure infrastructure.
So you don't have to and some also manage WordPress
Security Plugins
- Sucuri
- iThemes Security
- Bullet Proof
Having a Disaster Recovery Plan
Backups and Restore Points
Many Managed and Non Managed hosting providers have this as an option
There are TONS of free and premium plugins in the WordPress.org repo that have this functionality
On Going Battle
Staying Informed
- wpvulndb.com
- sucuri blog
- wordfence blog
- wpengine blog
- wptavern
- threatpost
- arstechnica
Some times it's easy as following a few of YOUR OWN trusted sources
House Keeping
Remove unused plugins
active and innactive
Keeping Up to Date
Core, Themes, Plugins
Manual
You can give each update more scrutiny. You have an opportunity to pick and choose what gets updated. You know step by step what is updated and when
Automated
More hands off. Automated updates can some times go wrong and you don't know when it happens
You Maniac
define( 'WP_AUTO_UPDATE_CORE', true );
For plugins, use:
add_filter( 'auto_update_plugin', '__return_true' );
For themes, use:
add_filter( 'auto_update_theme', '__return_true' );Other Auto Update Solution
- JetPack / WordPress.com
- MainWP
- ManageWP
Active Uptime Monitoring
- StatusCake
- Pingdom
- Jetpack Site Monitoring
Performance Monitoring
New Relic
Securing Your Logins
-
Strong Usernames/Passwords
-
Brute Force Protection (JetPack Protect, WordFence, and Others)
-
2 Factor Authentication (Google Authenticator, Duo 2FA, Authy, LastPass
-
Tell me you're not still using "admin"
Monitoring Attack Attempts
-
Sucuri Security
Audit and Code Reviews
Some times things get missed
Web Application Firewalls
- WordFence (Premium)
- Sucuri WAF
- Cloudflare
- Barracuda
-
StackPath
-
AND MORE!