Hardening Your WordPress Installation
Andre LeFort
- VP of Technology at AODA Online and tbk Creative
- Over 10 years experience as a Software Engineer (previously at 3M Canada)
- Leads a team of 7 web developers building websites atop WordPress
Scott Blinch
- Lead Front End Developer at tbk Creative
- Technical Mentor and Team Lead for 4 front-end web developers
- Ensures WordPress websites look great on all devices, load quickly, and are barrier free
What is Security?
About This Presentation
- Website security is broad, has many varied responsibilities
- Can get complicated
- Can very quickly become overwhelming so take it slow
- Luckily, WordPress gives you a great headstart (mostly)
- We can't cover everything in a Meetup presentation, so we're sticking to the high level
- If we omit or misrepresent something you feel is important, let us know!
- WordPress Codex: Hardening WordPress
- Sucuri: How Do Websites Get Hacked?
What is Security?
- Ensuring your server, files, data, and users' data remain safe and uncompromised
- Minimizing damage in the event a breach does occur
- The actions you take in disclosing and patching after the fact
- Risk reduction - not risk elimination
- You will never achieve perfect security
- You will never be finished
- Stay within reason
- Don't "set it and forget it" - stay consistent
How Do Websites Get Hacked?
- Access control
  - Weak passwords, shared passwords
  - Giving users more access than needed
  - Phishing, social engineering, XSS, MITM
- Software
  - Out of date
  - Known/Unknown vulnerabilities
  - 3rd party services (ad networks)
  - Viruses, malware
How Do I Protect My Website?
- Stay up to date
  - Update WordPress, plugins, and themes often
  - Keep your operating system, malware scanners, and all other software up to date
  - Keep your server up to date - update the OS, Apache/etc, PHP packages when you can
- Plugins and themes
  - Uninstall what you are not using
  - Check WPScan often
  - Don't install 'cracked' premium themes and plugins
- Security plugins (Wordfence, iThemes Security)
  - You can probably just pick 1
  - 4 security plugins does not mean 4 times as secure
How Do I Protect My Website?
- Make sure all admins are using best password practices
- Consider SSL
  - You might not need it, but probably should
  - Free certificates are now available, and the process is only getting easier
  - letsencrypt.org is a great place to start
- Consider a firewall
  - Sucuri - more focus on security but offers CDN services
  - Cloudflare - more focus on CDN but offers security services
  - Both offer automated protection against known abusers, DDoS, etc
How Do I Protect My Website?
- Backups, backups, backups
  - If it's not backed up, it must not be important
  - Losing data could result in hours of lost work or thousands of lost dollars
  - Make regular backups
  - Make sure you can restore from your backup
  - Even this presentation is backed up
- Obscurity
  - Make sure your admin usernames aren't obvious (don't just use "admin")
  - Consider anti-dorking (remove "wordpress" and "wp" references from website, move/rename sensitive directories)
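The two account-level points above (strong admin passwords, no obvious admin usernames) can be enforced by WordPress itself rather than left to habit. The mu-plugin below is an added illustration written for this outline, not code from the talk or from any named plugin; the hook names are real WordPress hooks, while the `app_` prefix, the 16-character minimum and the reserved-name list are assumptions you would tune for your site.

```php
<?php
/**
 * Plugin Name: Admin Account Policy (illustrative example, not from the talk)
 * Install by copying to wp-content/mu-plugins/ so it cannot be deactivated from the dashboard.
 */

// Reserve obvious usernames so nobody can create an account called "admin" (list is an assumption).
add_filter( 'illegal_user_logins', function ( $logins ) {
    return array_merge( $logins, array( 'admin', 'administrator', 'root', 'wordpress' ) );
} );

// Minimum password length for anyone who holds, or is being given, the administrator role (assumed value).
const APP_MIN_ADMIN_PASSWORD_LENGTH = 16;

function app_password_is_weak( $password, $login ) {
    if ( strlen( $password ) < APP_MIN_ADMIN_PASSWORD_LENGTH ) {
        return true;
    }
    // Reject passwords that simply embed the username.
    if ( $login && stripos( $password, $login ) !== false ) {
        return true;
    }
    return false;
}

// Fires when a user is created or edited in wp-admin; adding to $errors blocks the save.
add_action( 'user_profile_update_errors', function ( $errors, $update, $user ) {
    if ( empty( $user->user_pass ) ) {
        return; // no new password submitted, nothing to check
    }
    $role = isset( $user->role ) ? $user->role : '';
    if ( '' === $role && $update && ! empty( $user->ID ) ) {
        // Role field absent (e.g. editing your own profile): look up the stored role instead.
        $existing = get_userdata( $user->ID );
        if ( $existing && in_array( 'administrator', (array) $existing->roles, true ) ) {
            $role = 'administrator';
        }
    }
    if ( 'administrator' !== $role ) {
        return; // policy applies to administrators only
    }
    if ( app_password_is_weak( $user->user_pass, $user->user_login ) ) {
        $errors->add( 'weak_admin_password', sprintf(
            'Administrator passwords must be at least %d characters and must not contain the username.',
            APP_MIN_ADMIN_PASSWORD_LENGTH
        ) );
    }
}, 10, 3 );
```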
How Do I Protect My Website?
- Hosting
  - Host is not necessarily responsible for your security
  - They build the house, put a lock on the door, but you are the one that locks the door
  - Not all hosts are created equal
  - Shared hosting: usually not great (stay away from anything under EIG, MediaTemple or GoDaddy)
  - VPS or dedicated server if possible, especially when storing sensitive information (e.g. AWS, DigitalOcean)
  - At the very least: a host with protection measures in place specifically for WordPress websites
Questions?
Thank you.