Securing WordPress with Plugins

A brief look at security plugins and what they do

Is WordPress secure?

  • WordPress is about 8/10 out of the box
  • It's thoroughly vetted & tested thanks to the big community
  • Plugins add more complexity to our site, which hackers can exploit
  • WordPress core also has some 'baggage' that makes it less secure

YMMV

Security is not one-size-fits-all

  • All websites will have different threat models
  • Most users can expect not to have significant resources devoted to hacking their website
  • Typically you only need to defend against common threats
  • A strong password and non-default username can be enough for many simple sites
  • High-value sites will have very different threat models

Security at different points

  • Ideally we'd like to stop all attackers before they get in
  • The best security assumes and plans for failure
  • Best practice is to lock things down so that if they do get in, they cannot do any (or as much) damage

  • Hardening
  • Backups
  • Monitoring

Hardening WordPress

  • Remove access to the code editor!
  • Prevent unlimited login attempts
  • Limit code execution in sensitive directories
  • Prevent user enumeration
  • Remove the default 'admin' user
  • Enforce strong (and unique) passwords
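The hardening points above map onto a handful of WordPress core constants and hooks. The following must-use plugin is an added illustration written for this page, not code from the deck or from any of the plugins it discusses; the `exh_` prefix, the `EXH_*` thresholds and the lockout window are assumed values, and only core WordPress functions and hooks are used.

```php
<?php
/**
 * Plugin Name: Example Hardening (added illustration, not a shipped plugin)
 *
 * Drop this file in wp-content/mu-plugins/ and it loads on every request.
 * Assumes only WordPress core hooks; the thresholds below are assumed values.
 */

// 1. Remove access to the code editor (Appearance/Plugins > Editor).
//    Conventionally set in wp-config.php; mu-plugins load early enough too.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

// 2. Prevent unlimited login attempts: count failures per client address
//    in a transient and refuse further logins once the limit is reached.
const EXH_MAX_ATTEMPTS = 5;                      // assumed policy
const EXH_LOCKOUT_SECS = 15 * MINUTE_IN_SECONDS;  // assumed policy

function exh_client_key() {
    // REMOTE_ADDR is only trustworthy when the web server fills it from the
    // real connection; behind a proxy or WAF, configure the server to do so.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'exh_fail_' . md5( $ip );
}

add_action( 'wp_login_failed', function ( $username ) {
    $key   = exh_client_key();
    $count = (int) get_transient( $key );
    // Each failure resets the expiry, so hammering during a lockout extends it.
    set_transient( $key, $count + 1, EXH_LOCKOUT_SECS );
} );

add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( exh_client_key() ) >= EXH_MAX_ATTEMPTS ) {
        // Returning a WP_Error here blocks the login even if the password is right.
        return new WP_Error(
            'exh_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}, 30, 3 );  // priority 30 runs after core's username/password check (20)

add_action( 'wp_login', function () {
    delete_transient( exh_client_key() ); // successful login clears the counter
} );

// 3. Prevent user enumeration: refuse ?author=N probes on the front end and
//    hide the REST users endpoint from anonymous visitors.
add_action( 'template_redirect', function () {
    if ( ! is_admin() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 302 );
        exit;
    }
} );

add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( ! is_user_logged_in() ) {
        unset( $endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)'] );
    }
    return $endpoints;
} );

// 4. Enforce strong passwords: reject short passwords on profile updates
//    and password resets (a length floor; add complexity rules as needed).
const EXH_MIN_PASSWORD_LEN = 12;  // assumed policy

function exh_check_password( $errors, $user = null ) {
    $pass = isset( $_POST['pass1'] ) ? wp_unslash( $_POST['pass1'] ) : '';
    if ( '' !== $pass && strlen( $pass ) < EXH_MIN_PASSWORD_LEN ) {
        $errors->add(
            'exh_weak_password',
            sprintf( __( 'Passwords must be at least %d characters.' ), EXH_MIN_PASSWORD_LEN )
        );
    }
}
add_action( 'user_profile_update_errors', 'exh_check_password', 10, 1 );
add_action( 'validate_password_reset', 'exh_check_password', 10, 2 );
```

Two of the list items are not code: removing the default 'admin' user is a one-off task (create a new administrator, reassign the old account's content to it, then delete 'admin'), and limiting code execution in sensitive directories is done at the web server, for example an Apache `.htaccess` in `wp-content/uploads` that denies requests for `*.php` files. Note that the login counter above keys on the client address, so a site behind a proxy or CDN must have the server restore the real client IP or every visitor shares one counter.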

Why not stop them before they reach your site?

WAF - A forcefield for your site

Extra Hardening - WAF

  • Web Application Firewall
  • Analyses each request and blocks bots, etc.
  • Stops attacks before they reach your server
  • Where your WAF lives makes a difference
  • The threat of intrusion vs. DDoS requires different approaches

My WAF of choice

Backups

Have one.

Practice restoring it if you can...

Monitoring

  • None of us has time to watch things constantly
  • Most plugins provide monitoring to alert us when things are wrong
  • These can be hit and miss, and need to be configured
  • If it relies on things like file scanning, then your host is important too
  • I recommend Admin Logins if it's not too much noise
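An admin-login alert is small enough to see end to end. The must-use plugin below is an added illustration for this page, not code from the deck or from any plugin it names; it assumes only core WordPress hooks, and keeps the noise down by alerting only for accounts that hold the `manage_options` capability.

```php
<?php
/**
 * Plugin Name: Example Admin Login Alert (added illustration, not a shipped plugin)
 *
 * Writes a log line and emails the site admin whenever an account that can
 * manage the site logs in. Assumes only WordPress core hooks.
 */
add_action( 'wp_login', function ( $user_login, $user ) {
    // Ordinary subscribers logging in is noise; privileged logins are the signal.
    if ( ! ( $user instanceof WP_User ) || ! user_can( $user, 'manage_options' ) ) {
        return;
    }

    // As with any IP-based check, REMOTE_ADDR is only meaningful if the web
    // server sets it from the real connection (relevant behind a proxy/WAF).
    $ip   = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    $line = sprintf( '[%s] admin login: user=%s ip=%s', gmdate( 'c' ), $user_login, $ip );

    // The log line lands in the PHP error log for later review on the host...
    error_log( $line );
    // ...and the email gives an immediate alert to the configured site admin.
    wp_mail( get_option( 'admin_email' ), 'Admin login on ' . home_url(), $line );
}, 10, 2 );
```

Because the alert fires on every privileged login, a site with many editors should route it to a mailbox or log channel that is actually read, otherwise it becomes exactly the "too much noise" case the slide warns about. An unexpected address or hour in these lines is the cue to check the access log and rotate credentials.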

Let's look at some plugins...

All-in-one WP Security & Firewall

Sucuri WordPress plugin

Avoiding FUD

Choose what works for you!

Though I like Sucuri the most out of those 3.

Bonus Tip:

  • Free for some basic features, monthly backup
  • Daily backups for $2 USD per month!
  • Uptime Alerts + Security scanning for $2 more

Thanks!
