A common question in online WordPress forums is: “What plugin should I use to secure my site?” While there are several good security plugins that are a useful part of a security plan, securing a WordPress site requires more than a plugin. While a security plugin is a useful tool, it can give a false sense of security if the entire security landscape is not considered. Not every small business or website owner can afford an expensive, robust security and monitoring system, but there are basic actions that every site owner and user can take to help us all be more secure.
In this session, you’ll learn a framework and some essential actions to provide a basic level of security and “harden” your WordPress website.
2. Who Am I?
• Small Business Owner
• Air Force veteran
• Fixer/Problem Solver/Pitbull
3. WordPress Security?
“What security plugin should I use to secure my site?”
“Which security plugin is better, XXXXXX or YYYYYY?”
“Secure your website in 2 minutes by installing XXXXXX plugin.”
15. NIST Cybersecurity Framework
• Collaborative effort
• Built using “best practice” standards and guidelines
• Checklist
• One-size-fits-all
• Designed to be flexible
16. NIST Cybersecurity Framework Core
• Identify: What needs protection?
• Protect: What safeguards are available?
• Detect: What techniques can identify incidents?
• Respond: Processes to contain impacts of incidents?
• Recover: Processes to restore capabilities?
21. Identify
IDENTIFY Asset Management
• Website – files and database
• Plugins/extensions
• Third party integrations
• Cloud storage, payment processor, accounting
• Users – and what roles?
• Who has access to your data?
22. Identify
IDENTIFY Asset Management
• Website is not just a collection of files and database
• Do you have a written inventory of:
  • Domain registrar
  • Web host
  • SSL certificate
• What about ways people access the site?
  • Computer, mobile device? What about WiFi?
23. Identify
IDENTIFY Asset Management
Risk Assessment
• You need to know what you have, and know what the threats/vulnerabilities are
• How do you get your “cyber threat intelligence”?
  • US-CERT
  • Vendor-specific
  • WordPress specific
24. Protect
PROTECT Access Control
• Manage users / roles (does everyone REALLY need admin access?)
• And no one is named “admin”
• Enforce strong passwords (website AND devices)
• Two-factor authentication
25. Protect
PROTECT Access Control
Information Protection Procedures
• Update – everything (plugins, core, access devices)
• Backups – regularly made and tested
• Appropriate actions for known vulnerabilities
• VPN, SFTP
• Develop and exercise incident response and recovery plans
26. Protect
PROTECT Access Control
Information Protection Procedures
Protective Technology
• Firewalls – cloud-based, endpoint
• Antivirus / malware scanner on access devices
• Block brute force login attempts
• Blacklist IPs – or whitelist
• Web server – updated software versions? Secure file permissions?
27. Detect
DETECT Security Continuous Monitoring
• Server
• Application
• Access
• Change – did something get modified?
• Malware scanning
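The “did something get modified?” bullet, as an added example that is not from the talk: a POSIX shell baseline-and-diff over a WordPress document root. The function names, the exclusion of wp-content/uploads and the GNU coreutils dependency (sha256sum, join) are assumptions; for core files alone, WP-CLI’s `wp core verify-checksums` does the same comparison against the hashes WordPress.org publishes.

```shell
#!/bin/sh
# Added example (not from the talk): answer "did something get modified?" for a
# WordPress document root by diffing SHA-256 baselines. Assumes GNU coreutils
# (sha256sum, join) and paths without whitespace.
export LC_ALL=C   # sort and join must agree on collation

# baseline DOCROOT OUTFILE : "path hash" per file, sorted by path. Uploads are
# skipped here (they change with every media upload) and audited separately.
baseline() {
  (cd "$1" && find . -type f ! -path './wp-content/uploads/*' -exec sha256sum {} + \
     | awk '{print $2, $1}' | sort -k1,1) > "$2"
}

# compare OLD NEW : one line per change, prefixed ADDED / REMOVED / MODIFIED
compare() {
  join -j 1 -a 1 -a 2 -e MISSING -o '0,1.2,2.2' "$1" "$2" |
  awk '$2 == "MISSING" { print "ADDED    " $1; next }
       $3 == "MISSING" { print "REMOVED  " $1; next }
       $2 != $3        { print "MODIFIED " $1 }'
}

# count_changes OLD NEW : number of changed paths (0 when the tree is unchanged)
count_changes() { compare "$1" "$2" | awk 'END { print NR }'; }

# Typical use: take a baseline right after a verified-clean install or update,
# then run compare from cron and alert on any non-empty output. A new .php file
# or a modified wp-includes/ file is a Detect signal that feeds the Respond step
# (quarantine, preserve logs) rather than something to fix in place.
```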
28. Detect
DETECT Security Continuous Monitoring
Detection Processes
• Who is getting and assessing alerts?
• Who is taking action?
• Check for blacklisting
  • Mxtoolbox
  • Google Search Console
29. How Are We Looking?
(matrix: Framework categories as rows; Technology / Process / People as columns)
IDENTIFY
Asset Management
Risk Assessment
PROTECT
Access Control
Information Protection Procedures
Protective Technology
DETECT
Security Continuous Monitoring
Detection Processes
31. Respond
RESPOND Execute Response Plan
• Don’t Panic!
• Major / Minor?
• Quarantine site - preserve log files
• Notifications
• Failover
32. Respond
RESPOND Execute Response Plan
Analysis & Mitigation
• What happened?
• Investigate notifications – assess impact
• What immediate actions do you need to take? (put out the fire)
33. Recover
RECOVER Execute Recovery Plan
• Restore site from the backup you created and tested (you did do that, right?)
34. Recover
RECOVER Execute Recovery Plan
Improvements
• Recovery is not just returning to the pre-incident state
• Hotwash
• Lessons Learned?
36. Takeaways
• Security is more than a plugin
• Not (just) IT!
• Always have backup
• Lessons learned – not burned
KNOWLEDGE IS OF NO VALUE UNLESS PUT INTO PRACTICE
37. THANK YOU!
QUESTIONS?
Stacy M. Clements
https://www.linkedin.com/in/stacyclements
https://twitter.com/stacyclements
https://milepost42.com
Editor's Notes
The Framework is based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk.
Does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity.
Living document - focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time—principles will not.
high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk.
Set of desired cybersecurity activities and outcomes
The activities in the Identify Function are foundational for effective use of the Framework
What is your host doing? Is your server secure?
PHP version / MySQL
Avoid “soup kitchen” servers
File permissions
Prevent php execution in wp-content/uploads
Deny access to wp-config.php
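The last three notes (file permissions, no PHP execution under wp-content/uploads, no HTTP access to wp-config.php) as an added example that is not from the talk: a POSIX shell audit plus the Apache 2.4 rules that enforce the two web-server items. The function names, the rule text and the file layout are assumptions; on nginx the same intent is expressed with `location` blocks instead of .htaccess.

```shell
#!/bin/sh
# Added example (not from the talk): audit and apply two WordPress host-hardening
# items from the speaker notes. Apache 2.4 syntax is assumed for the rules.

# Placed in wp-content/uploads/.htaccess: uploads are data, never code.
UPLOADS_RULES='<FilesMatch "\.ph(p[0-9]?|tml|ar)$">
  Require all denied
</FilesMatch>'

# Appended to the document-root .htaccess: nobody needs wp-config.php over HTTP.
WPCONFIG_RULES='<Files "wp-config.php">
  Require all denied
</Files>'

# write_hardening_rules DOCROOT : write both rule sets and tighten wp-config.php
write_hardening_rules() {
  root=$1
  mkdir -p "$root/wp-content/uploads"
  printf '%s\n' "$UPLOADS_RULES" > "$root/wp-content/uploads/.htaccess"
  grep -q 'wp-config.php' "$root/.htaccess" 2>/dev/null ||
    printf '%s\n' "$WPCONFIG_RULES" >> "$root/.htaccess"
  # owner read/write, web-server group read, nothing for others
  if [ -f "$root/wp-config.php" ]; then chmod 640 "$root/wp-config.php"; fi
}

# audit_wp DOCROOT : print one FINDING line per problem; return the finding count
audit_wp() {
  root=$1; findings=0
  # 1. wp-config.php holds DB credentials and salts: must not be world-readable
  if [ -f "$root/wp-config.php" ]; then
    perms=$(stat -c %a "$root/wp-config.php" 2>/dev/null || stat -f %Lp "$root/wp-config.php")
    case $perms in
      *[4567]) echo "FINDING: wp-config.php is world-readable (mode $perms)"
               findings=$((findings + 1)) ;;
    esac
  fi
  # 2. a PHP-like file under uploads is a misconfiguration or something an attacker left
  n=$(find "$root/wp-content/uploads" -type f \( -name '*.php' -o -name '*.php[0-9]' \
        -o -name '*.phtml' -o -name '*.phar' \) 2>/dev/null | wc -l)
  if [ "$n" -gt 0 ]; then
    echo "FINDING: $n PHP file(s) under wp-content/uploads"; findings=$((findings + 1))
  fi
  # 3. the uploads directory must carry a deny rule for PHP execution
  if ! grep -q 'Require all denied' "$root/wp-content/uploads/.htaccess" 2>/dev/null; then
    echo "FINDING: wp-content/uploads/.htaccess does not deny PHP execution"
    findings=$((findings + 1))
  fi
  return "$findings"
}
```

Run `audit_wp /var/www/html` before and after `write_hardening_rules`; a finding that survives the rewrite (a stray .php under uploads) is something to investigate, not just delete.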
How do I know when something happens?
Maybe it’s not a big hairy incident
An “incident” could be a newly announced vulnerability in a plugin – just update it
What happened – and how do we keep it from happening again?
May want to communicate what you’ve done to your customers