Hardening Your WordPress Installation

Andre LeFort

  • VP of Technology at AODA Online and tbk Creative
  • Over 10 years experience as a Software Engineer (previously at 3M Canada)
  • Leads a team of 7 web developers building websites atop WordPress

Scott Blinch

  • Lead Front End Developer at tbk Creative
  • Technical Mentor and Team Lead for 4 front-end web developers
  • Ensures WordPress websites look great on all devices, load quickly, and are barrier free

What is Security?

About This Presentation

  • Website security is broad, has many varied responsibilities
  • Can get complicated
  • Can very quickly become overwhelming so take it slow
  • Luckily, WordPress gives you a great head start (mostly)
  • We can't cover everything in a Meetup presentation, so we're sticking to the high level
  • If we omit or misrepresent something you feel is important, let us know!
  • WordPress Codex: Hardening WordPress
  • Sucuri: How Do Websites Get Hacked?

What is Security?

  • Ensuring your server, files, data, and users' data remain safe and uncompromised
  • Minimizing damage in the event a breach does occur
  • The actions you take in disclosing and patching after the fact
  • Risk reduction - not risk elimination
  • You will never achieve perfect security
  • You will never be finished
  • Stay within reason
  • Don't "set it and forget it" - stay consistent

How Do Websites Get Hacked?

  • Access control
    • Weak passwords, shared passwords
    • Giving users more access than needed
    • Phishing, social engineering, XSS, MITM
  • Software
    • Out of date
    • Known/Unknown vulnerabilities
    • 3rd party services (ad networks)
    • Viruses, malware

How Do I Protect My Website?

  • Stay up to date
    • Update WordPress, plugins, and themes often
    • Keep your operating system, malware scanners, and all other software up to date
    • Keep your server up to date - update the OS, Apache/etc, PHP packages when you can
  • Plugins and themes
    • Uninstall what you are not using
    • Check WPScan often
    • Don't install 'cracked' premium themes and plugins
  • Security plugins (Wordfence, iThemes Security)
    • You can probably just pick 1
    • 4 security plugins does not mean 4 times as secure

How Do I Protect My Website?

  • Make sure all admins are using best password practices
  • Consider SSL
    • You might not need it, but probably should
    • Free certificates are now available, and the process is only getting easier
    • letsencrypt.org is a great place to start
  • Consider a firewall
    • Sucuri - more focus on security but offers CDN services
    • Cloudflare - more focus on CDN but offers security services
    • Both offer automated protection against known abusers, DDoS, etc

How Do I Protect My Website?

  • Backups, backups, backups
    • If it's not backed up, it must not be important
    • Losing data could result in hours of lost work or thousands of lost dollars
    • Make regular backups
    • Make sure you can restore from your backup
    • Even this presentation is backed up
  • Obscurity
    • Make sure your admin usernames aren't obvious (don't just use "admin")
    • Consider anti-dorking (remove "wordpress" and "wp" references from website, move/rename sensitive directories)
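The backup bullets above say to make regular backups and to make sure you can actually restore from them. The POSIX shell script below is an added example, not part of this presentation: it archives a WordPress site's files, records a SHA-256 checksum, and then proves the archive restores to an identical tree before it is trusted. The site path and backup directory are arguments; the assumed layout is a standard WordPress root (wp-config.php plus wp-content/). The database step uses mysqldump only when the hypothetical WP_DB_NAME variable is set and the tool is installed, so the script can be exercised offline against the constructed sample site it builds for itself.

```shell
#!/bin/sh
# Added example, not from the presentation: back up a WordPress site's files
# and verify the archive restores cleanly before relying on it.
# Assumptions: SITE_DIR is a standard WordPress root; WP_DB_NAME (optional,
# hypothetical) names the database for mysqldump.
set -eu

# Portable SHA-256 of one file (GNU coreutils or BSD/macOS); prints only the hex.
digest() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    else
        shasum -a 256 "$1" | cut -d' ' -f1
    fi
}

# make_sample_site DIR: constructed stand-in for a WordPress install so the
# example runs without a real site (not real WordPress files).
make_sample_site() {
    mkdir -p "$1/wp-content/uploads" "$1/wp-content/plugins/demo"
    printf '<?php define("DB_NAME", "placeholder");\n' > "$1/wp-config.php"
    printf 'demo plugin placeholder\n' > "$1/wp-content/plugins/demo/demo.php"
    printf 'image bytes placeholder\n' > "$1/wp-content/uploads/photo.jpg"
}

# backup_site SITE_DIR BACKUP_DIR: tar the site, dump the DB when possible,
# write a checksum beside the archive, and print the archive path.
backup_site() {
    site=$1; out=$2
    stamp=$(date +%Y%m%d-%H%M%S)
    archive="$out/wp-files-$stamp.tar.gz"
    mkdir -p "$out"
    tar -czf "$archive" -C "$(dirname "$site")" "$(basename "$site")"
    if command -v mysqldump >/dev/null 2>&1 && [ -n "${WP_DB_NAME:-}" ]; then
        mysqldump --single-transaction "$WP_DB_NAME" | gzip > "$out/wp-db-$stamp.sql.gz"
    fi
    digest "$archive" > "$archive.sha256"   # lets a later restore detect corruption
    printf '%s\n' "$archive"
}

# verify_restore ARCHIVE SITE_DIR: check the checksum, extract into a scratch
# directory and compare file-by-file against the live tree. Returns 0 only if
# the archive is intact and identical to what is on disk now.
verify_restore() {
    archive=$1; site=$2
    [ "$(cat "$archive.sha256")" = "$(digest "$archive")" ] || return 1
    tmp=$(mktemp -d)
    tar -xzf "$archive" -C "$tmp" || { rm -rf "$tmp"; return 1; }
    if diff -r "$site" "$tmp/$(basename "$site")" >/dev/null; then rc=0; else rc=1; fi
    rm -rf "$tmp"
    return $rc
}

# demo: end-to-end run on the constructed sample site. Returns 0 when a fresh
# backup verifies and a later edit to the live tree is reported as drift.
demo() {
    work=$(mktemp -d)
    make_sample_site "$work/site"
    archive=$(backup_site "$work/site" "$work/backups")
    verify_restore "$archive" "$work/site" || { echo "restore check failed"; return 1; }
    printf 'define("WP_DEBUG", true);\n' >> "$work/site/wp-config.php"   # simulate drift
    if verify_restore "$archive" "$work/site"; then
        echo "drift not detected"; return 1
    fi
    rm -rf "$work"
    echo "backup verified; later drift detected as expected"
}
```

Run `demo` to see the whole cycle, or call `backup_site /var/www/site /backups` from cron and `verify_restore` on the newest archive in a separate job; a backup that has never been restored is only a hope, which is the point of the "make sure you can restore" bullet. The checksum guards against silent corruption of the archive, and the restore-and-diff step shows the backup is recent enough to match what is actually serving traffic.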

How Do I Protect My Website?

  • Hosting
    • Host is not necessarily responsible for your security
    • They build the house, put a lock on the door, but you are the one that locks the door
    • Not all hosts are created equal
    • Shared hosting: usually not great (stay away from anything under EIG, MediaTemple or GoDaddy)
    • VPS or dedicated server if possible, especially when storing sensitive information (e.g. AWS, DigitalOcean)
    • At the very least: a host with protection measures in place specifically for WordPress websites

Questions?

Thank you.
