This document discusses practical approaches to WordPress security. It covers securing sites against physical intrusion, code vulnerabilities, and bad actors. Key recommendations include keeping software updated, limiting code access through user roles and SSH keys, enforcing strong passwords and two-factor authentication, reviewing code for vulnerabilities, backing up data, and having a contingency plan. The overall goal is to protect the trust of a site and prevent unauthorized co-opting.

1. #wpvipsec
Security, The VIP Way
Practical Approaches to WordPress Security

2. #wpvipsec
Hi, I’m Ryan.
• Long-time WordPress user
• Automattician
• WordPress.com VIP’er
• Support Engineer
• Previous talk: WCUS 2016

3. #wpvipsec
Questions? Tweet them out!
#wpvipsec

4. #wpvipsec
Let’s talk about security today.

5. #wpvipsec
Let’s keep it in plain terms.

6. #wpvipsec
When we talk about security,
what do we really mean?

7. #wpvipsec
“Security”
• You have sites
• They have intended purposes
• We want them to focus on those purposes and not be co-opted for other
means
• Preventing this co-opting of your sites is the starting point of security

8. #wpvipsec
Trust.

9. #wpvipsec
Your sites need trust.

10. #wpvipsec
Security protects that trust.

11. #wpvipsec
What are we securing against?
• Physical intrusion
• Code vulnerabilities
• Server (stack), application, customization
• Vulnerabilities (XSS, SQLi, escalations)
• Bad actors
• Human and not so human

12. #wpvipsec
Physical Intrusion

13. #wpvipsec
Physical Intrusion

14. #wpvipsec
Why aren’t we talking about physical security?
• Very few of us are managing/running our own datacenter(s)
• Physical security is almost always out of your direct control
• Any reputable hosting solution will have this covered for you

15. #wpvipsec
Code Vulnerabilities

16. #wpvipsec
Protecting Against Code Vulnerabilities
• Ensuring trusted packages are up-to-date (security releases)
• Controlling code access
• Protecting against unsafe changes

17. #wpvipsec
Security Updates

18. #wpvipsec
SECURITY UPDATES

19. #wpvipsec
Keeping Trusted Packages Secure
• Be aware of security releases for important stack software, plugins,
themes
• mailing lists, alerts, regular update checks, etc.
• Have a regular update schedule, or use automated updates
• Use checksums/trusted package managers when applicable!
• Be vigilant - security patches happen for a reason

20. #wpvipsec
Controlling Code Access

21. #wpvipsec
Code Review!

22. #wpvipsec
WordCamp US 2016 Presentation
https://ryanmarkel.com/wcus2016/

23. #wpvipsec
What to Look For in Code Review
• Validation, sanitizing, escaping
• Cross-site scripting vulnerabilities
• Smart fetching of remote data
• Outright nasty code - did someone access code who shouldn’t have?

24. #wpvipsec
How to Do Code Review
• Refer to last year’s presentation
• Biggest recent improvement: code review on GitHub
• Protected branches
• Use continuous integration tools and tests!
• No-one merges their own changes?
• Single-dev is both more and less dangerous

25. #wpvipsec
A note on plugin security.

26. #wpvipsec
Tide

27. #wpvipsec
Protecting Against Unsafe
Changes

28. #wpvipsec
Protecting Against Unsafe Changes
• Code review 😆
• Limiting access to your codebase
• Source control
• Use SSH key pairs, not passwords
• User security!

29. #wpvipsec
That was a segue!

30. #wpvipsec
Bad Actors

31. #wpvipsec
User Security

32. #wpvipsec
HTTP/HTTPS Interactions

33. #wpvipsec
HTTP/HTTPS Interactions

34. #wpvipsec
Every site needs a certificate.

35. #wpvipsec
Let’s Encrypt
https://letsencrypt.org

36. #wpvipsec
User Security
• Interactions with your instance via browser (generally)
• Login security
• Credentials
• Access levels
• Data security

37. #wpvipsec
Login Security

38. #wpvipsec
Forced Login Protection
• Repeated attempts by bad actors to test logins to your site
• Several pre-packaged service solutions available to help with this
• Jetpack Protect
• Sucuri
• Wordfence

39. #wpvipsec
Passwords are horrible.

40. #wpvipsec
Two-Step Authentication
• Twice as many steps!
• Requires access to a physical device
• Lots of good solutions
• Jetpack/WordPress.com SSO
• Authy
• Duo
• Best to use an app, not SMS
• Remind users to have their backup codes!

41. #wpvipsec
WordPress User Roles

42. #wpvipsec
The Administrator Role

43. #wpvipsec
Don’t have a lot of
Administrators.

44. #wpvipsec
Reducing Your Administrators
• Only give admin access to people who absolutely need it
• If there is a feature non-admins cannot access and want to:
• Do they really need it?
• Will it give them access to other things they should not have?
• Are they using two-step authentication?
• Consider experimenting with and using custom roles

45. #wpvipsec
Reducing the Damage Users Can Do
• Remember that admins can do EVERYTHING
• Consider custom code restricting or disabling some features:
• Code editors
• Site settings
• Load and activate plugins via code, not UI
• The default user system is great for a large number of WordPress sites,
but it might need some tweaking for your sites or projects

46. #wpvipsec
Data Security

47. #wpvipsec
Data Security
• Limit access to datastores as much as possible
• Limit access to any credentials you need to store as well
• Code review! Again!
• Observe best practices for local security for any local copy of your data

48. #wpvipsec
Have a plan for backups.

49. #wpvipsec
Backing Up Your Sites
• Database dumps
• sqldump + scripting
• Various backup plugins
• Backup installations
• Hosting provider backups
• What does your host provide?
• Using a “cloud” backup solution
• VaultPress

50. #wpvipsec
Contingency Planning

51. #wpvipsec
Hope for the best.

52. #wpvipsec
Plan for the worst.

53. #wpvipsec
Questions?

54. #wpvipsec
Thank you.
https://ryanmarkel.com/wcus2017/

55. #wpvipsec
Say hi!
• I’m around all WCUS!
• @ryanmarkel
• https://ryanmarkel.com/