Hardening Your WordPress Installation

• VP of Technology at AODA Online and tbk Creative
• Over 10 years experience as a Software Engineer (previously at 3M Canada)
• Leads a team of 7 web developers building websites atop WordPress

• Lead Front End Developer at tbk Creative
• Technical Mentor and Team Lead for 4 front-end web developers
• Ensures WordPress websites look great on all devices, load quickly, and are barrier free

What is Security?

About This Presentation

• Website security is broad, has many varied responsibilities
• Can get complicated
• Can very quickly become overwhelming so take it slow
• Luckily, WordPress gives you a great headstart (mostly)
• We can't cover everything in a Meetup presentation, so so we're sticking to the high level
• If we omit or misrepresent something you feel is important, let us know!
• WordPress Codex: Hardening WordPress
• Sucuri: How Do Websites Get Hacked?

What is Security?

• Ensuring your server, files, data, and users' data remain safe and uncompromised
• Minimizing damage in the event a breach does occur
• The actions you take in disclosing and patching after the fact
• Risk reduction - not risk elimination
• You will never achieve perfect security
• You will never be finished
• Stay within reason
• Don't "set it and forget it" - stay consistent

How Do Websites Get Hacked?

• Access control
  • Weak passwords, shared passwords
  • Giving users more access than needed
  • Phishing, social engineering, XSS, MITM
• Software
  • Out of date
  • Known/Unknown vulnerabilities
  • 3rd party services (ad networks)
  • Viruses, malware

How Do I Protect My Website?

• Stay up to date
  • Update WordPress, plugins, and themes often
  • Keep your operating system, malware scanners, and all other software up to date
  • Keep your server up to date - update the OS, Apache/etc, PHP packages when you can
• Plugins and themes
  • Uninstall what you are not using
  • Check WPScan often
  • Don't install 'cracked' premium themes and plugins
• Security plugins (Wordfence, iThemes Security)
  • You can probably just pick 1
  • 4 security plugins does not mean 4 times as secure

How Do I Protect My Website?

• Make sure all admins are using best password practices
• Consider SSL
  • You might not need it, but probably should
  • Free certificates are now available, and the process is only getting easier
  • letsencrypt.org is a great place to start
• Consider a firewall
  • Sucuri - more focus on security but offers CDN services
  • Cloudflare - more focus on CDN but offers security services
  • Both offer automated protection against known abusers, DDoS, etc

How Do I Protect My Website?

• Backups, backups, backups
  • If it's not backed up, it must not be important
  • Losing data could result in hours of lost work or thousands of lost dollars
  • Make regular backups
  • Make sure you can restore from your backup
  • Even this presentation is backed up
• Obscurity
  • Make sure your admin usernames aren't obvious (don't just use "admin")
  • Consider anti-dorking (remove "wordpress" and "wp" references from website, move/rename sensitive directories)

How Do I Protect My Website?

• Hosting
  • Host is not necessarily responsible for your security
  • They build the house, put a lock on the door, but you are the one that locks the door
  • Not all hosts are created equal
  • Shared hosting: usually not great (stay away from anything under EIG, MediaTemple or GoDaddy)
  • VPS or dedicated server if possible especially when storing sensitive information (e.g. AWS, DigitalOcean)
  • At the very least: A host with Protection measures in place specifically for WordPress websites

Questions?

Thank you.