This document discusses practical approaches to WordPress security. It covers securing sites against physical intrusion, code vulnerabilities, and bad actors. Key recommendations include keeping software updated, limiting code access through user roles and SSH keys, enforcing strong passwords and two-factor authentication, reviewing code for vulnerabilities, backing up data, and having a contingency plan. The overall goal is to protect the trust of a site and prevent unauthorized co-opting.
7. #wpvipsec
“Security”
• You have sites
• They have intended purposes
• We want them to focus on those purposes and not be co-opted for other ends
• Preventing this co-opting of your sites is the starting point of security
11. What are we securing against?
• Physical intrusion
• Code vulnerabilities
  • Server (stack), application, customization
  • Vulnerabilities (XSS, SQLi, escalations)
• Bad actors
  • Human and not so human
14. Why aren’t we talking about physical security?
• Very few of us are managing/running our own datacenter(s)
• Physical security is almost always out of your direct control
• Any reputable hosting solution will have this covered for you
19. Keeping Trusted Packages Secure
• Be aware of security releases for important stack software, plugins, themes
  • mailing lists, alerts, regular update checks, etc.
• Have a regular update schedule, or use automated updates
• Use checksums/trusted package managers when applicable!
• Be vigilant - security patches happen for a reason
23. What to Look For in Code Review
• Validation, sanitizing, escaping
• Cross-site scripting vulnerabilities
• Smart fetching of remote data
• Outright nasty code - did someone access code who shouldn’t have?
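The first three bullets above are easiest to see side by side. The following is an added example, not code from the presentation: one small WordPress shortcode written the way it often arrives in code review, then rewritten with validation, sanitizing and escaping on the input and output, and with the remote fetch done through the WordPress HTTP API with a timeout, a status check and caching. The function names, the shortcode tag and the feed URL are assumptions made up for illustration.

```php
<?php
// Added example (not from the presentation). Names and the URL are invented.

// BEFORE: reflects user input straight into the page (XSS) and trusts
// whatever the remote endpoint returns, with no timeout or error handling.
function example_greeting_shortcode_unsafe( $atts ) {
    $name = $_GET['name'];                                              // no validation, no unslash
    $feed = file_get_contents( 'https://example.invalid/feed.json' );   // blocks the request, no status check
    $data = json_decode( $feed, true );
    return '<p>Hello ' . $name . '! Latest: ' . $data['title'] . '</p>'; // no escaping
}

// AFTER: validate (a short string is all we expect), sanitize on input,
// escape on output, and fetch the remote data defensively.
function example_greeting_shortcode_safe( $atts ) {
    $name = '';
    if ( isset( $_GET['name'] ) ) {
        $name = sanitize_text_field( wp_unslash( $_GET['name'] ) );
        $name = mb_substr( $name, 0, 50 ); // validate: bound the length
    }

    $title = example_fetch_remote_title( 'https://example.invalid/feed.json' ); // assumed URL

    // esc_html() at the point of output, whatever the source of the string.
    return '<p>Hello ' . esc_html( $name ) . '! Latest: ' . esc_html( $title ) . '</p>';
}

// "Smart fetching": short timeout, explicit status check, no fatal error on
// failure, and a cached result so a slow or hostile endpoint cannot stall
// every page load. Returns '' (render nothing) when anything looks wrong.
function example_fetch_remote_title( $url ) {
    $cache_key = 'example_remote_title_' . md5( $url );
    $cached    = get_transient( $cache_key );
    if ( false !== $cached ) {
        return $cached;
    }

    $response = wp_remote_get( $url, array( 'timeout' => 3 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return '';
    }

    $data  = json_decode( wp_remote_retrieve_body( $response ), true );
    $title = ( is_array( $data ) && isset( $data['title'] ) && is_string( $data['title'] ) )
        ? sanitize_text_field( $data['title'] )
        : '';

    set_transient( $cache_key, $title, 10 * MINUTE_IN_SECONDS );
    return $title;
}

add_shortcode( 'example_greeting', 'example_greeting_shortcode_safe' );
```

In review, the questions to ask of each input are: is it validated (type, length, allowed values), is it sanitized when stored, and is it escaped with the function that matches the output context (esc_html, esc_attr, esc_url). Remote data is just another untrusted input and gets the same treatment after the HTTP-level checks.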
24. How to Do Code Review
• Refer to last year’s presentation
• Biggest recent improvement: code review on GitHub
  • Protected branches
  • Use continuous integration tools and tests!
  • No-one merges their own changes?
• Single-dev is both more and less dangerous
28. Protecting Against Unsafe Changes
• Code review 😆
• Limiting access to your codebase
  • Source control
  • Use SSH key pairs, not passwords
• User security!
38. Forced Login Protection
• Repeated attempts by bad actors to test logins to your site
• Several pre-packaged service solutions available to help with this
  • Jetpack Protect
  • Sucuri
  • Wordfence
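To show what the packaged services are doing at their core, here is an added example that is not part of the presentation and not the code of any of the products listed: a minimal failed-login throttle written as a must-use plugin. It counts failures per client address in a transient and overrides the authentication result once a threshold is reached. The plugin file name, the threshold, the lockout window and the key prefix are assumptions chosen for illustration.

```php
<?php
// Added example (not from the presentation). Drop into wp-content/mu-plugins/
// as e.g. example-login-throttle.php (file name is an assumption).

const EXAMPLE_LOGIN_MAX_FAILURES = 5;        // assumed threshold
const EXAMPLE_LOGIN_WINDOW       = 15 * 60;  // assumed lockout window, seconds

// Client address. REMOTE_ADDR cannot be set by the client; only swap in a
// proxy header (X-Forwarded-For etc.) if your host is known to set it.
function example_login_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : 'unknown';
}

function example_login_transient_key( $ip ) {
    return 'example_login_fail_' . md5( $ip );
}

// wp_login_failed fires whenever authentication rejects a non-empty username,
// including rejections produced by the filter below, so each blocked attempt
// extends the lockout window.
function example_login_record_failure( $username ) {
    $ip    = example_login_client_ip();
    $key   = example_login_transient_key( $ip );
    $count = (int) get_transient( $key ) + 1;
    set_transient( $key, $count, EXAMPLE_LOGIN_WINDOW );

    // Leave a trail for whoever watches the logs; never log the password.
    error_log( sprintf( 'login failure #%d for user "%s" from %s', $count, sanitize_user( $username ), $ip ) );
}
add_action( 'wp_login_failed', 'example_login_record_failure' );

// Runs after the core username/password checks (priority 20), so once the
// threshold is hit the result is an error whether or not the password was right.
function example_login_block_if_throttled( $user, $username, $password ) {
    if ( '' === $username && '' === $password ) {
        return $user; // the initial, empty login form load
    }
    $key   = example_login_transient_key( example_login_client_ip() );
    $count = (int) get_transient( $key );
    if ( $count >= EXAMPLE_LOGIN_MAX_FAILURES ) {
        return new WP_Error( 'example_too_many_attempts', __( 'Too many failed login attempts. Please try again later.' ) );
    }
    return $user;
}
add_filter( 'authenticate', 'example_login_block_if_throttled', 30, 3 );

// A successful login clears the counter so a legitimate user who mistyped
// a few times is not locked out afterwards.
function example_login_clear_failures( $user_login, $user ) {
    delete_transient( example_login_transient_key( example_login_client_ip() ) );
}
add_action( 'wp_login', 'example_login_clear_failures', 10, 2 );
```

Two caveats a practitioner will want: counting per address means a shared office NAT can lock out everyone behind it after a few typos, and a distributed attempt that rotates addresses is not slowed by this at all. The packaged services on the slide add shared reputation data, per-username limits and reporting on top of the same basic idea.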
40. Two-Step Authentication
• Twice as many steps!
• Requires access to a physical device
• Lots of good solutions
  • Jetpack/WordPress.com SSO
  • Authy
  • Duo
• Best to use an app, not SMS
• Remind users to have their backup codes!
44. Reducing Your Administrators
• Only give admin access to people who absolutely need it
• If there is a feature non-admins cannot access and want to:
  • Do they really need it?
  • Will it give them access to other things they should not have?
  • Are they using two-step authentication?
• Consider experimenting with and using custom roles
45. Reducing the Damage Users Can Do
• Remember that admins can do EVERYTHING
• Consider custom code restricting or disabling some features:
  • Code editors
  • Site settings
  • Load and activate plugins via code, not UI
• The default user system is great for a large number of WordPress sites, but it might need some tweaking for your sites or projects
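The two slides above (custom roles instead of more administrators, and restricting what even administrators can do) come down to a handful of lines. The following is an added example, not code from the presentation: the wp-config constants that remove the in-dashboard code editors and plugin/theme installation and lock the site URL settings, plus a must-use plugin that registers a custom role granting one extra capability without handing out an administrator account. The role name, capability choice and the site URL are assumptions; DISALLOW_FILE_EDIT, DISALLOW_FILE_MODS, WP_HOME and WP_SITEURL are real WordPress constants.

```php
<?php
// Added example (not from the presentation). Role name and URL are placeholders.

// ---- wp-config.php (must be defined before WordPress loads) ----

// Removes the Theme File Editor and Plugin File Editor screens for everyone,
// administrators included.
define( 'DISALLOW_FILE_EDIT', true );
// Also removes plugin/theme install, update and delete from the dashboard;
// code then reaches the site only through source control and deployment.
define( 'DISALLOW_FILE_MODS', true );
// Defining these makes the two URL fields on Settings > General read-only,
// so a compromised or careless admin cannot redirect the site from the UI.
define( 'WP_HOME',    'https://example.com' ); // placeholder URL
define( 'WP_SITEURL', 'https://example.com' ); // placeholder URL

// ---- wp-content/mu-plugins/example-roles.php ----
// A must-use plugin loads automatically and cannot be deactivated from the
// dashboard: "load and activate plugins via code, not UI".

function example_register_menu_editor_role() {
    if ( get_role( 'example_menu_editor' ) ) {
        return; // already registered; roles persist in the database
    }
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : array();

    // The one thing this group asked for: editing navigation menus.
    // Ask the slide's question before granting it: edit_theme_options also
    // opens Widgets and the Customizer, which may be more than they should have.
    $caps['edit_theme_options'] = true;

    // Deliberately not granted: manage_options, edit_users, promote_users,
    // switch_themes, install_plugins, activate_plugins, unfiltered_html.
    add_role( 'example_menu_editor', 'Menu Editor', $caps );
}
add_action( 'init', 'example_register_menu_editor_role' );
```

The point of the custom role is that the person gets the feature they asked for while the blast radius of their account stays that of an editor plus one capability, rather than everything an administrator can do. The constants apply to administrators too, which is the "admins can do EVERYTHING" problem addressed from the other side.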
47. Data Security
• Limit access to datastores as much as possible
• Limit access to any credentials you need to store as well
• Code review! Again!
• Observe best practices for local security for any local copy of your data
49. Backing Up Your Sites
• Database dumps
  • mysqldump + scripting
  • Various backup plugins
• Backup installations
  • Hosting provider backups
  • What does your host provide?
• Using a “cloud” backup solution
  • VaultPress