
Ryan Markel - WordCamp US 2017

1,410 views

Published on

20-minute presentation on WordPress security practices from a member of the WordPress.com VIP team.

Published in: Internet


  1. #wpvipsec Security, The VIP Way: Practical Approaches to WordPress Security
  2. Hi, I’m Ryan.
     • Long-time WordPress user
     • Automattician
     • WordPress.com VIP’er
     • Support Engineer
     • Previous talk: WCUS 2016
  3. Questions? Tweet them out! #wpvipsec
  4. Let’s talk about security today.
  5. Let’s keep it in plain terms.
  6. When we talk about security, what do we really mean?
  7. “Security”
     • You have sites
     • They have intended purposes
     • We want them to focus on those purposes and not be co-opted for other means
     • Preventing this co-opting of your sites is the starting point of security
  8. Trust.
  9. Your sites need trust.
  10. Security protects that trust.
  11. What are we securing against?
     • Physical intrusion
     • Code vulnerabilities
       • Server (stack), application, customization
       • Vulnerabilities (XSS, SQLi, escalations)
     • Bad actors
       • Human and not so human
  12. Physical Intrusion
  13. Physical Intrusion
  14. Why aren’t we talking about physical security?
     • Very few of us are managing/running our own datacenter(s)
     • Physical security is almost always out of your direct control
     • Any reputable hosting solution will have this covered for you
  15. Code Vulnerabilities
  16. Protecting Against Code Vulnerabilities
     • Ensuring trusted packages are up-to-date (security releases)
     • Controlling code access
     • Protecting against unsafe changes
  17. Security Updates
  18. SECURITY UPDATES
  19. Keeping Trusted Packages Secure
     • Be aware of security releases for important stack software, plugins, themes
       • Mailing lists, alerts, regular update checks, etc.
     • Have a regular update schedule, or use automated updates
     • Use checksums/trusted package managers when applicable!
     • Be vigilant: security patches happen for a reason
  20. Controlling Code Access
  21. Code Review!
  22. WordCamp US 2016 Presentation: https://ryanmarkel.com/wcus2016/
  23. What to Look For in Code Review
     • Validation, sanitizing, escaping
     • Cross-site scripting vulnerabilities
     • Smart fetching of remote data
     • Outright nasty code: did someone access code who shouldn’t have?
  24. How to Do Code Review
     • Refer to last year’s presentation
     • Biggest recent improvement: code review on GitHub
       • Protected branches
     • Use continuous integration tools and tests!
     • No-one merges their own changes?
     • Single-dev is both more and less dangerous
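As an added illustration of slides 23 and 24 (this is example code written for this page, not code from the talk or from WordPress.com VIP), here is a hypothetical plugin shortcode the way a reviewer might find it, followed by the rewrite the review would ask for. The shortcode name, the `q` query parameter and the `https://feed.example/` upstream are assumptions made for the example.

```php
<?php
/**
 * Added example, not code from the talk. A hypothetical search shortcode that
 * echoes a query parameter, runs a database query and pulls a remote feed,
 * shown first as a reviewer would find it and then as it should be rewritten.
 */

// BEFORE: three findings a code reviewer would raise.
function wpvipsec_search_before( $atts ) {
    global $wpdb;
    $term = $_GET['q'];                                          // raw input: no validation, no sanitizing
    $out  = '<p>Results for: ' . $term . '</p>';                 // reflected XSS: unescaped output
    $rows = $wpdb->get_results(                                  // SQL injection: string interpolation
        "SELECT post_title FROM {$wpdb->posts} WHERE post_title LIKE '%{$term}%'"
    );
    $feed = file_get_contents( 'http://feed.example/?q=' . $term ); // plain HTTP, no timeout, no error handling
    foreach ( $rows as $row ) {
        $out .= '<li>' . $row->post_title . '</li>';             // database content echoed unescaped
    }
    return $out . $feed;                                         // remote HTML echoed verbatim
}

// AFTER: validate on input, prepare queries, escape on output, fetch safely.
function wpvipsec_search_after( $atts ) {
    global $wpdb;

    // Validation and sanitizing happen once, at the trust boundary.
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    if ( '' === $term || mb_strlen( $term ) > 100 ) {
        return '';
    }

    // Parameterized query; esc_like() stops % and _ in the term acting as wildcards.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT post_title FROM {$wpdb->posts} WHERE post_status = 'publish' AND post_title LIKE %s LIMIT 20",
            '%' . $wpdb->esc_like( $term ) . '%'
        )
    );

    // Escape at output time, for the HTML context each value lands in.
    $out = '<p>Results for: ' . esc_html( $term ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $out .= '<li>' . esc_html( $row->post_title ) . '</li>';
    }
    $out .= '</ul>';

    // Remote data: HTTPS, a timeout, wp_safe_remote_get() (which refuses redirects
    // to loopback/private hosts), and a transient so a slow or failing upstream
    // is not hit on every page view.
    $cache_key = 'wpvipsec_feed_' . md5( $term );
    $feed      = get_transient( $cache_key );
    if ( false === $feed ) {
        $url      = add_query_arg( 'q', $term, 'https://feed.example/' ); // hypothetical upstream; add_query_arg URL-encodes the value
        $response = wp_safe_remote_get( $url, array( 'timeout' => 5 ) );
        if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
            $feed = ''; // fail closed; never echo an upstream error body
        } else {
            // Remote HTML is untrusted even over TLS: keep only the post-safe tag subset.
            $feed = wp_kses_post( wp_remote_retrieve_body( $response ) );
        }
        set_transient( $cache_key, $feed, 5 * MINUTE_IN_SECONDS );
    }
    return $out . $feed;
}
add_shortcode( 'wpvipsec_search', 'wpvipsec_search_after' );
```

The "before" function is kept only so the findings are visible side by side; it should not be registered. Note that the cache key is derived from user input, so on a high-traffic site the transient table can grow with distinct terms; a shared object cache or a cap on cached terms is the usual answer.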
  25. A note on plugin security.
  26. Tide
  27. Protecting Against Unsafe Changes
  28. Protecting Against Unsafe Changes
     • Code review 😆
     • Limiting access to your codebase
     • Source control
     • Use SSH key pairs, not passwords
     • User security!
  29. That was a segue!
  30. Bad Actors
  31. User Security
  32. HTTP/HTTPS Interactions
  33. HTTP/HTTPS Interactions
  34. Every site needs a certificate.
  35. Let’s Encrypt: https://letsencrypt.org
  36. User Security
     • Interactions with your instance via browser (generally)
     • Login security
       • Credentials
       • Access levels
     • Data security
  37. Login Security
  38. Forced Login Protection
     • Repeated attempts by bad actors to test logins to your site
     • Several pre-packaged service solutions available to help with this
       • Jetpack Protect
       • Sucuri
       • Wordfence
  39. Passwords are horrible.
  40. Two-Step Authentication
     • Twice as many steps!
     • Requires access to a physical device
     • Lots of good solutions
       • Jetpack/WordPress.com SSO
       • Authy
       • Duo
     • Best to use an app, not SMS
     • Remind users to have their backup codes!
  41. WordPress User Roles
  42. The Administrator Role
  43. Don’t have a lot of Administrators.
  44. Reducing Your Administrators
     • Only give admin access to people who absolutely need it
     • If there is a feature non-admins cannot access and want to:
       • Do they really need it?
       • Will it give them access to other things they should not have?
       • Are they using two-step authentication?
     • Consider experimenting with and using custom roles
  45. Reducing the Damage Users Can Do
     • Remember that admins can do EVERYTHING
     • Consider custom code restricting or disabling some features:
       • Code editors
       • Site settings
       • Load and activate plugins via code, not UI
     • The default user system is great for a large number of WordPress sites, but it might need some tweaking for your sites or projects
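Slides 44 and 45 describe the shape of the fix without code, so here is one way to put it into practice as an added example (written for this page, not code from the talk or from WordPress.com VIP). It assumes a site whose code is deployed from source control, a must-use plugin file under `wp-content/mu-plugins/`, a hypothetical plugin path `plugins/example-plugin/example-plugin.php`, and a custom role named `wpvipsec_menu_manager`; all of those names are assumptions.

```php
<?php
/**
 * Added example, not code from the talk or from WordPress.com VIP.
 * Assumed deployment: code ships through source control and this file lives in
 * wp-content/mu-plugins/, so it cannot be deactivated from the dashboard.
 * The two constants belong in wp-config.php on a real install; they are guarded
 * here so the file also works when wp-config.php already defines them.
 */

// 1. Remove the in-dashboard code editors and the install/update/delete UI.
//    Administrators keep every other capability, but a hijacked admin session
//    can no longer change PHP on disk through the browser.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );  // removes the edit_files/edit_plugins/edit_themes caps
}
if ( ! defined( 'DISALLOW_FILE_MODS' ) ) {
    define( 'DISALLOW_FILE_MODS', true );  // blocks plugin/theme install, update and delete from the UI
}

// 2. Activate plugins from code rather than the Plugins screen. Everything in
//    mu-plugins is always loaded; a plugin checked into a subdirectory is pulled
//    in explicitly (the path is an assumption for this example).
$wpvipsec_plugins = array( 'example-plugin/example-plugin.php' );
foreach ( $wpvipsec_plugins as $wpvipsec_plugin ) {
    $wpvipsec_path = WPMU_PLUGIN_DIR . '/plugins/' . $wpvipsec_plugin;
    if ( file_exists( $wpvipsec_path ) ) {
        require_once $wpvipsec_path;
    }
}

// 3. A custom role for people who need Appearance > Menus. nav-menus.php
//    requires edit_theme_options, which on its own also unlocks the Customizer,
//    widgets and theme switching: exactly the "will it give them access to other
//    things?" question from slide 44.
function wpvipsec_register_menu_manager_role() {
    if ( get_role( 'wpvipsec_menu_manager' ) ) {
        return; // roles are stored in the options table; register once
    }
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : array();
    $caps['edit_theme_options'] = true;
    add_role( 'wpvipsec_menu_manager', 'Menu Manager', $caps );
}
add_action( 'init', 'wpvipsec_register_menu_manager_role' );

// 4. Close the side doors for that role. map_meta_cap runs for every
//    capability check, so returning do_not_allow denies these checks for
//    menu managers while leaving administrators untouched.
function wpvipsec_limit_menu_manager( $caps, $cap, $user_id, $args ) {
    $restricted = array( 'customize', 'switch_themes', 'edit_themes', 'install_themes' );
    if ( ! in_array( $cap, $restricted, true ) ) {
        return $caps;
    }
    $user = get_userdata( $user_id );
    if ( $user && in_array( 'wpvipsec_menu_manager', (array) $user->roles, true ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'wpvipsec_limit_menu_manager', 10, 4 );

// 5. widgets.php checks edit_theme_options directly, so hiding its menu entry
//    would be cosmetic. Stop the request instead, early in the admin bootstrap,
//    for anyone who fails the 'customize' check (menu managers, via step 4).
function wpvipsec_block_widgets_screen() {
    global $pagenow;
    if ( 'widgets.php' === $pagenow && ! current_user_can( 'customize' ) ) {
        wp_die( esc_html__( 'You do not have permission to edit widgets.' ), 403 );
    }
}
add_action( 'admin_init', 'wpvipsec_block_widgets_screen' );
```

Two caveats worth knowing before copying the pattern: `DISALLOW_FILE_MODS` also disables WordPress's automatic background updates, so the update schedule from slide 19 must then be driven by the deployment pipeline rather than by core; and role capabilities are persisted, so changing the `$caps` array later requires removing and re-adding the role (or editing it with `get_role()->add_cap()`), not just redeploying the file.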
  46. Data Security
  47. Data Security
     • Limit access to datastores as much as possible
     • Limit access to any credentials you need to store as well
     • Code review! Again!
     • Observe best practices for local security for any local copy of your data
  48. Have a plan for backups.
  49. Backing Up Your Sites
     • Database dumps
       • sqldump + scripting
       • Various backup plugins
     • Backup installations
     • Hosting provider backups
       • What does your host provide?
     • Using a “cloud” backup solution
       • VaultPress
  50. Contingency Planning
  51. Hope for the best.
  52. Plan for the worst.
  53. Questions?
  54. Thank you. https://ryanmarkel.com/wcus2017/
  55. Say hi!
     • I’m around all WCUS!
     • @ryanmarkel
     • https://ryanmarkel.com/
