7. #wpvipsec
“Security”
• You have sites
• They have intended purposes
• We want them to focus on those purposes and not be co-opted for other ends
• Preventing this co-opting of your sites is the starting point of security
11. What are we securing against?
• Physical intrusion
• Code vulnerabilities
  • Server (stack), application, customization
  • Vulnerability classes (XSS, SQLi, privilege escalation)
• Bad actors
  • Human and not so human (bots and automated scanners)
14. Why aren’t we talking about physical security?
• Very few of us are managing/running our own datacenter(s)
• Physical security is almost always out of your direct control
• Any reputable hosting solution will have this covered for you
19. Keeping Trusted Packages Secure
• Be aware of security releases for important stack software, plugins, themes
  • Mailing lists, alerts, regular update checks, etc.
• Have a regular update schedule, or use automated updates
• Verify checksums and use trusted package managers when applicable!
• Be vigilant - security patches happen for a reason
23. What to Look For in Code Review
• Validation, sanitization, escaping: validate and sanitize on the way in, escape on the way out
• Cross-site scripting vulnerabilities
• Smart fetching of remote data (timeouts, caching, checking what came back)
• Outright nasty code - did someone access code who shouldn’t have?
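The three things the slide tells a reviewer to look for, shown as the vulnerable pattern beside its hardened form. This is an added example for this page, not code from the talk or from the WordPress VIP codebase; it assumes it runs inside WordPress (the `wp_*`, `esc_*` and `sanitize_*` functions and `$wpdb` are WordPress APIs), and the `wpvipsec_` function names and the JSON field names are assumptions made for the example.

```php
<?php
// Added example, not from the original slides. Assumes WordPress is loaded;
// the wpvipsec_* names and the JSON field names are assumptions for this example.

// --- 1. Validation, sanitization, escaping (and the XSS/SQLi they prevent) ----

// VULNERABLE: raw request data is queried and printed untouched.
function wpvipsec_search_vulnerable() {
    global $wpdb;
    $q    = $_GET['q'];                                                // no validation
    $rows = $wpdb->get_results(
        "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE '%{$q}%'" // SQL injection
    );
    echo '<p>Results for ' . $q . ': ' . count( $rows ) . '</p>';      // reflected XSS
}

// HARDENED: validate the shape, sanitize on the way in, prepare the query,
// escape on the way out for the context the value lands in.
function wpvipsec_search_hardened() {
    global $wpdb;

    // Validate: the parameter must be present and a short string.
    if ( ! isset( $_GET['q'] ) || ! is_string( $_GET['q'] ) ) {
        return;
    }
    $q = sanitize_text_field( wp_unslash( $_GET['q'] ) );
    if ( '' === $q || strlen( $q ) > 100 ) {
        return;
    }

    // Prepared statement; esc_like() stops % and _ inside $q acting as wildcards.
    $rows = $wpdb->get_results(
        $wpdb->prepare(
            "SELECT ID FROM {$wpdb->posts} WHERE post_title LIKE %s",
            '%' . $wpdb->esc_like( $q ) . '%'
        )
    );

    // Escape at output time for an HTML text context. Other contexts need other
    // helpers: esc_attr() inside attributes, esc_url() in href/src,
    // wp_kses_post() for fragments that are allowed to contain markup.
    echo '<p>Results for ' . esc_html( $q ) . ': ' . count( $rows ) . '</p>';
}

// --- 2. Smart fetching of remote data -----------------------------------------

// VULNERABLE: blocks the page for as long as the remote host takes (or hangs)
// and hands back whatever it returned.
function wpvipsec_fetch_vulnerable( $url ) {
    return file_get_contents( $url );
}

// HARDENED: short timeout, result cached, status and shape checked, and only
// the fields we expect are kept.
function wpvipsec_fetch_hardened( $url ) {
    $cache_key = 'wpvipsec_remote_' . md5( $url );
    $cached    = wp_cache_get( $cache_key );
    if ( false !== $cached ) {
        return $cached;
    }

    $response = wp_remote_get( $url, array( 'timeout' => 3 ) );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        // Cache the failure briefly so a slow or down upstream cannot stall every page view.
        wp_cache_set( $cache_key, array(), '', MINUTE_IN_SECONDS );
        return array();
    }

    $data = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $data ) ) {
        wp_cache_set( $cache_key, array(), '', MINUTE_IN_SECONDS );
        return array();
    }

    // Whitelist and sanitize the fields so nothing downstream sees raw upstream content.
    $clean = array(
        'title' => ( isset( $data['title'] ) && is_string( $data['title'] ) ) ? sanitize_text_field( $data['title'] ) : '',
        'link'  => ( isset( $data['link'] ) && is_string( $data['link'] ) ) ? esc_url_raw( $data['link'] ) : '',
    );
    wp_cache_set( $cache_key, $clean, '', 10 * MINUTE_IN_SECONDS );
    return $clean;
}
```

On a host without a persistent object cache the `wp_cache_*` calls only last for the current request; swap them for `set_transient()`/`get_transient()` there. The escaping rule of thumb the hardened search follows is the one a reviewer checks on every `echo`: the escaping function must match the output context, and it must sit at the output line, not somewhere earlier where a later change can route the value into a different context.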
24. How to Do Code Review
• Refer to last year’s presentation
• Biggest recent improvement: code review on GitHub
  • Protected branches
  • Use continuous integration tools and tests!
  • No-one merges their own changes?
• A single developer is both more dangerous (nobody else reviews the change) and less dangerous (fewer people hold write access)
28. Protecting Against Unsafe Changes
• Code review 😆
• Limiting access to your codebase
  • Source control
  • Use SSH key pairs, not passwords
• User security!
38. Brute-Force Login Protection
• Bad actors repeatedly guessing logins against your site (wp-login.php and XML-RPC alike)
• Several pre-packaged service solutions available to help with this
  • Jetpack Protect
  • Sucuri
  • Wordfence
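What the services on the slide do underneath, reduced to its core: count failed logins per client address and refuse further attempts for a while. This is an added example, not code from the talk and not the code of Jetpack Protect, Sucuri or Wordfence; it assumes WordPress (drop it into `wp-content/mu-plugins/`), and the `wpvipsec_` names, the limits and the decision to trust `REMOTE_ADDR` are assumptions made for the example.

```php
<?php
// Added example, not from the original slides and not the code of Jetpack
// Protect, Sucuri or Wordfence: a per-IP failed-login counter that refuses
// further attempts for a while. Assumes WordPress; the wpvipsec_* names, the
// limits and trusting REMOTE_ADDR are assumptions for the example.

define( 'WPVIPSEC_MAX_FAILURES', 5 );                        // attempts allowed ...
define( 'WPVIPSEC_LOCKOUT_WINDOW', 15 * MINUTE_IN_SECONDS ); // ... per IP per window

function wpvipsec_client_ip() {
    // Behind a CDN or proxy use the header your host documents instead.
    // Trusting X-Forwarded-For blindly lets an attacker pick their own "IP".
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpvipsec_failure_key() {
    return 'wpvipsec_fail_' . md5( wpvipsec_client_ip() );
}

// wp_authenticate() fires wp_login_failed for every rejected login, so
// wp-login.php and XML-RPC attempts both land here and raise the counter.
function wpvipsec_record_failure( $username ) {
    $key   = wpvipsec_failure_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WPVIPSEC_LOCKOUT_WINDOW );
}
add_action( 'wp_login_failed', 'wpvipsec_record_failure' );

// Once over the limit, reject the login even if the password was right.
function wpvipsec_check_lockout( $user, $username, $password ) {
    if ( is_wp_error( $user ) ) {
        return $user; // another filter already rejected this attempt
    }
    if ( (int) get_transient( wpvipsec_failure_key() ) >= WPVIPSEC_MAX_FAILURES ) {
        return new WP_Error(
            'wpvipsec_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
// Priority 30: after core's username/password check at priority 20. Hooking
// earlier does not work, because core ignores an incoming WP_Error and
// re-authenticates whenever a username and password are supplied.
add_filter( 'authenticate', 'wpvipsec_check_lockout', 30, 3 );

// A successful login clears the counter, so a legitimate user who mistyped a
// couple of times starts fresh instead of edging towards the limit.
function wpvipsec_clear_failures( $user_login, $user ) {
    delete_transient( wpvipsec_failure_key() );
}
add_action( 'wp_login', 'wpvipsec_clear_failures', 10, 2 );
```

Because a rejected attempt also fires `wp_login_failed`, the window slides while the attacker keeps hammering and only expires once they stop. The packaged services on the slide do the same job with proper proxy handling, a UI, and signals gathered across many sites, which is why the slide points at them rather than at hand-rolled code.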
40. Two-Step Authentication
• Twice as many steps!
• Requires access to a physical device
• Lots of good solutions
  • Jetpack/WordPress.com SSO
  • Authy
  • Duo
• Best to use an app, not SMS (SMS codes can be intercepted or SIM-swapped)
• Remind users to have their backup codes!
44. Reducing Your Administrators
• Only give admin access to people who absolutely need it
• If there is a feature non-admins cannot access and want to:
  • Do they really need it?
  • Will it give them access to other things they should not have?
  • Are they using two-step authentication?
• Consider experimenting with and using custom roles
45. Reducing the Damage Users Can Do
• Remember that admins can do EVERYTHING
• Consider custom code restricting or disabling some features:
  • Code editors
  • Site settings
  • Load and activate plugins via code, not the UI
• The default user system is great for a large number of WordPress sites, but it might need some tweaking for your sites or projects
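Slides 44 and 45 together, as an added example that is not code from the talk: a custom role for people who need one more capability than Editor without becoming administrators, and the custom code the second slide suggests for switching off code editors, site settings and UI-driven plugin management. It is written as an mu-plugin (assumed path `wp-content/mu-plugins/wpvipsec-limits.php`) so that it is itself loaded from code; the role name, capability choice, allow-list and plugin path are assumptions made for the example.

```php
<?php
// Added example, not from the original slides. Written as an mu-plugin
// (wp-content/mu-plugins/wpvipsec-limits.php), so it is loaded from code and
// cannot be deactivated from the UI. The role name, capability choice,
// allow-list and plugin path are assumptions for this example.

// --- 1. A custom role instead of another administrator (slide 44) -------------
// Scenario: editors want to manage the navigation menus. The capability for
// that is edit_theme_options, which also opens Widgets and the Customizer, but
// not theme switching (switch_themes) or theme file editing (edit_themes).
// That answers the slide's questions: they need it, it gives a little more than
// asked for, and it does not make them administrators.
function wpvipsec_ensure_roles() {
    // Roles live in the database; only (re)create them when this version changes.
    if ( '1' === get_option( 'wpvipsec_roles_version' ) ) {
        return;
    }
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return;
    }
    $caps                       = $editor->capabilities; // start from Editor, not Administrator
    $caps['edit_theme_options'] = true;                  // menus, widgets, customizer
    add_role( 'menu_editor', 'Menu Editor', $caps );
    update_option( 'wpvipsec_roles_version', '1' );
}
add_action( 'init', 'wpvipsec_ensure_roles' );

// --- 2. Taking features away even from administrators (slide 45) --------------

// Code editors: WordPress honours this constant in map_meta_cap(), so the
// Theme/Plugin file editors disappear for everyone, administrators included.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
// Also block installing, updating and deleting plugins/themes from the UI.
// Plugins then have to be loaded from code (see below), so every change to the
// plugin set goes through source control and code review.
if ( ! defined( 'DISALLOW_FILE_MODS' ) ) {
    define( 'DISALLOW_FILE_MODS', true );
}

// Site settings: there is no constant for these, so map the capability away.
// Only a (hypothetical) allow-list of logins keeps manage_options. Note that
// many plugins gate their own admin pages on manage_options as well.
function wpvipsec_limit_settings( $caps, $cap, $user_id ) {
    if ( 'manage_options' !== $cap ) {
        return $caps;
    }
    $allowed_logins = array( 'ops-admin' ); // assumption for the example
    $user           = get_userdata( $user_id );
    if ( ! $user || ! in_array( $user->user_login, $allowed_logins, true ) ) {
        return array( 'do_not_allow' );
    }
    return $caps;
}
add_filter( 'map_meta_cap', 'wpvipsec_limit_settings', 10, 3 );

// Load and activate plugins via code, not the UI: requiring a plugin's main
// file from an mu-plugin runs it on every request without an activation step.
// (A plugin that relies on its activation hook needs that triggered another way.)
$wpvipsec_plugin = WP_PLUGIN_DIR . '/example-plugin/example-plugin.php'; // hypothetical path
if ( file_exists( $wpvipsec_plugin ) ) {
    require_once $wpvipsec_plugin;
}
```

`DISALLOW_FILE_MODS` also removes core, plugin and theme updates from the dashboard, so it only belongs on a site whose updates arrive through deployments; `DISALLOW_FILE_EDIT` on its own is the safe default almost everywhere. Both can equally go in `wp-config.php`, the mu-plugin form is used here so the whole policy sits in one reviewable file.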
47. Data Security
• Limit access to datastores as much as possible
• Limit access to any credentials you need to store as well
• Code review! Again!
• Observe best practices for local security (disk encryption, no production data in dev copies) for any local copy of your data
49. Backing Up Your Sites
• Database dumps
  • mysqldump + scripting
  • Various backup plugins
• Backup installations (the files, uploads, themes and plugins, not just the database)
• Hosting provider backups
  • What does your host provide?
• Using a “cloud” backup solution
  • VaultPress