
Ryan Markel - WordCamp US 2017

20-minute presentation on WordPress security practices from a member of the WordPress.com VIP team.

  1. #wpvipsec Security, The VIP Way: Practical Approaches to WordPress Security
  2. Hi, I’m Ryan.
     • Long-time WordPress user
     • Automattician
     • WordPress.com VIP’er
     • Support Engineer
     • Previous talk: WCUS 2016
  3. Questions? Tweet them out! #wpvipsec
  4. Let’s talk about security today.
  5. Let’s keep it in plain terms.
  6. When we talk about security, what do we really mean?
  7. “Security”
     • You have sites
     • They have intended purposes
     • We want them to focus on those purposes and not be co-opted for other means
     • Preventing this co-opting of your sites is the starting point of security
  8. Trust.
  9. Your sites need trust.
  10. Security protects that trust.
  11. What are we securing against?
     • Physical intrusion
     • Code vulnerabilities
       • Server (stack), application, customization
       • Vulnerabilities (XSS, SQLi, escalations)
     • Bad actors
       • Human and not so human
  12. Physical Intrusion
  13. Physical Intrusion
  14. Why aren’t we talking about physical security?
     • Very few of us are managing/running our own datacenter(s)
     • Physical security is almost always out of your direct control
     • Any reputable hosting solution will have this covered for you
  15. Code Vulnerabilities
  16. Protecting Against Code Vulnerabilities
     • Ensuring trusted packages are up-to-date (security releases)
     • Controlling code access
     • Protecting against unsafe changes
  17. Security Updates
  18. SECURITY UPDATES
  19. Keeping Trusted Packages Secure
     • Be aware of security releases for important stack software, plugins, themes
       • Mailing lists, alerts, regular update checks, etc.
     • Have a regular update schedule, or use automated updates
     • Use checksums/trusted package managers when applicable!
     • Be vigilant - security patches happen for a reason
  20. Controlling Code Access
  21. Code Review!
  22. WordCamp US 2016 Presentation: https://ryanmarkel.com/wcus2016/
  23. What to Look For in Code Review
     • Validation, sanitizing, escaping
     • Cross-site scripting vulnerabilities
     • Smart fetching of remote data
     • Outright nasty code - did someone access code who shouldn’t have?
  24. How to Do Code Review
     • Refer to last year’s presentation
     • Biggest recent improvement: code review on GitHub
       • Protected branches
     • Use continuous integration tools and tests!
     • No one merges their own changes?
     • Single-dev is both more and less dangerous
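Slides 23 and 24 list what review should catch: missing validation, unescaped output, and careless fetching of remote data. As an added example that is not code from the talk or from WordPress.com VIP, here is a hypothetical shortcode `[vipsec_feed]` in the state a reviewer should reject, beside the hardened version. The function names, the shortcode name and the allow-listed host `feeds.example.com` are assumptions for illustration; `shortcode_atts`, `esc_url_raw`, `wp_parse_url`, `wp_safe_remote_get`, the transient functions, `esc_html` and `esc_url` are WordPress core APIs.

```php
<?php
/**
 * Added example (not from the talk): a shortcode that renders a title and a
 * remote JSON feed, first as a reviewer would find it, then hardened.
 * Hypothetical names: vipsec_feed_unsafe(), vipsec_feed_safe(), [vipsec_feed].
 */

// BEFORE: what code review should flag.
function vipsec_feed_unsafe( $atts ) {
    $title = $atts['title'];                    // controlled by whoever can write a post
    $json  = file_get_contents( $atts['url'] ); // any scheme or host (SSRF), no timeout, no cache
    $items = json_decode( $json );
    $out   = '<h2>' . $title . '</h2><ul>';     // XSS: title is echoed raw
    foreach ( $items as $item ) {
        // XSS again: remote data lands in an attribute and in text unescaped
        $out .= '<li><a href="' . $item->link . '">' . $item->name . '</a></li>';
    }
    return $out . '</ul>';
}

// AFTER: validate on the way in, constrain the fetch, escape on the way out.
function vipsec_feed_safe( $atts ) {
    $atts = shortcode_atts(
        array( 'title' => 'Feed', 'url' => '' ),
        $atts,
        'vipsec_feed'
    );

    // Validate: https only, and only a host we expect (assumed allow-list).
    $url  = esc_url_raw( $atts['url'], array( 'https' ) );
    $host = wp_parse_url( $url, PHP_URL_HOST );
    if ( '' === $url || ! in_array( $host, array( 'feeds.example.com' ), true ) ) {
        return '';
    }

    // Fetch: wp_safe_remote_get() rejects URLs that resolve to loopback or
    // private addresses, the timeout bounds the cost of a slow upstream, and
    // the transient keeps one page view from becoming one remote request.
    $cache_key = 'vipsec_feed_' . md5( $url );
    $items     = get_transient( $cache_key );
    if ( false === $items ) {
        $response = wp_safe_remote_get( $url, array( 'timeout' => 3 ) );
        if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
            return '';
        }
        $items = json_decode( wp_remote_retrieve_body( $response ), true );
        if ( ! is_array( $items ) ) {
            return '';
        }
        set_transient( $cache_key, $items, 10 * MINUTE_IN_SECONDS );
    }

    // Escape: each value is escaped for the context it lands in, and remote
    // data is treated as untrusted even though the host was allow-listed.
    $out = '<h2>' . esc_html( $atts['title'] ) . '</h2><ul>';
    foreach ( array_slice( $items, 0, 20 ) as $item ) {
        if ( ! is_array( $item ) || empty( $item['link'] ) || empty( $item['name'] ) ) {
            continue;
        }
        $link = esc_url( $item['link'] ); // '' for javascript: and other rejected schemes
        if ( '' === $link ) {
            continue;
        }
        $out .= '<li><a href="' . $link . '">' . esc_html( $item['name'] ) . '</a></li>';
    }
    return $out . '</ul>';
}

add_shortcode( 'vipsec_feed', 'vipsec_feed_safe' );
```

The three fixes map onto the three bullets of slide 23: `esc_url_raw` plus the host check is validation, `wp_safe_remote_get` with a timeout and a transient is the "smart fetching", and `esc_html`/`esc_url` at the point of output is the escaping that prevents the XSS. A reviewer reading the "before" version does not need to know the feed is malicious; echoing any untrusted value without escaping is enough to block the merge.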
  25. A note on plugin security.
  26. Tide
  27. Protecting Against Unsafe Changes
  28. Protecting Against Unsafe Changes
     • Code review 😆
     • Limiting access to your codebase
     • Source control
     • Use SSH key pairs, not passwords
     • User security!
  29. That was a segue!
  30. Bad Actors
  31. User Security
  32. HTTP/HTTPS Interactions
  33. HTTP/HTTPS Interactions
  34. Every site needs a certificate.
  35. Let’s Encrypt: https://letsencrypt.org
  36. User Security
     • Interactions with your instance via browser (generally)
     • Login security
       • Credentials
       • Access levels
     • Data security
  37. Login Security
  38. Forced Login Protection
     • Repeated attempts by bad actors to test logins to your site
     • Several pre-packaged service solutions available to help with this
       • Jetpack Protect
       • Sucuri
       • Wordfence
  39. Passwords are horrible.
  40. Two-Step Authentication
     • Twice as many steps!
     • Requires access to a physical device
     • Lots of good solutions
       • Jetpack/WordPress.com SSO
       • Authy
       • Duo
     • Best to use an app, not SMS
     • Remind users to have their backup codes!
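Slide 38 recommends packaged services for the repeated-login problem. To show what such protection does underneath, here is an added example, not code from the talk or from any of the services named, of a minimal throttle built only on WordPress core hooks: a counter per client address in a transient, and an `authenticate` filter that refuses logins once the counter passes a threshold. The constant names, the `wpvipsec_` function names and the use of `REMOTE_ADDR` as the client address are assumptions.

```php
<?php
/**
 * Hypothetical mu-plugin (added example, not from the talk): throttle repeated
 * failed logins from one client address using WordPress core hooks and
 * transients. Names beginning with wpvipsec_ are assumptions.
 */

define( 'WPVIPSEC_MAX_FAILURES', 5 );                      // lock after this many failures
define( 'WPVIPSEC_LOCK_WINDOW', 15 * MINUTE_IN_SECONDS );  // within this sliding window

function wpvipsec_client_ip() {
    // Assumption: the web server sets REMOTE_ADDR to the real client. Behind a
    // proxy or CDN this is the proxy's address; use the forwarded address that
    // the proxy itself sets, never a header the client can write.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? (string) $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpvipsec_failure_key( $ip ) {
    return 'wpvipsec_fail_' . md5( $ip );
}

function wpvipsec_failure_count( $ip ) {
    return (int) get_transient( wpvipsec_failure_key( $ip ) );
}

// Count every failed attempt. Re-setting the transient restarts the window, so
// an attacker who keeps guessing keeps the address locked.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = wpvipsec_client_ip();
    set_transient( wpvipsec_failure_key( $ip ), wpvipsec_failure_count( $ip ) + 1, WPVIPSEC_LOCK_WINDOW );
} );

// Refuse logins from a locked address. Priority 30 runs after core's own
// username/password checks at priority 20, so they cannot undo the refusal.
// The cost is that the password has already been compared by then; stopping
// the traffic before it reaches PHP is what the services on slide 38 add.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( empty( $username ) && empty( $password ) ) {
        return $user; // the form was only rendered, nothing was submitted
    }
    if ( wpvipsec_failure_count( wpvipsec_client_ip() ) >= WPVIPSEC_MAX_FAILURES ) {
        return new WP_Error(
            'wpvipsec_locked',
            __( 'Too many failed login attempts from your address. Try again later.' )
        );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function ( $user_login, $user ) {
    delete_transient( wpvipsec_failure_key( wpvipsec_client_ip() ) );
}, 10, 2 );
```

Two caveats a practitioner should keep in mind: the `WP_Error` returned by the throttle itself fires `wp_login_failed`, so a locked address stays locked while the attacker keeps trying, and every legitimate user behind the same NAT address is locked with them. That second point, and the fact that the request still reaches PHP, is why the slide points at packaged services rather than at rolling your own.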
  41. WordPress User Roles
  42. The Administrator Role
  43. Don’t have a lot of Administrators.
  44. Reducing Your Administrators
     • Only give admin access to people who absolutely need it
     • If there is a feature non-admins cannot access and want to:
       • Do they really need it?
       • Will it give them access to other things they should not have?
       • Are they using two-step authentication?
     • Consider experimenting with and using custom roles
  45. Reducing the Damage Users Can Do
     • Remember that admins can do EVERYTHING
     • Consider custom code restricting or disabling some features:
       • Code editors
       • Site settings
       • Load and activate plugins via code, not UI
     • The default user system is great for a large number of WordPress sites, but it might need some tweaking for your sites or projects
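Slides 44 and 45 ask for custom roles, disabled code editors, and plugins loaded from code. As an added example that is not code from the talk or from WordPress.com VIP, here is one mu-plugin that does all three and also answers the slide 44 question "will it give them access to other things they should not have?" for the user-management capabilities. The role name `site_manager`, its capability list and the plugin path under `WPMU_PLUGIN_DIR` are assumptions; `DISALLOW_FILE_EDIT`, `DISALLOW_FILE_MODS`, `add_role`, `map_meta_cap` and `editable_roles` are WordPress core.

```php
<?php
/**
 * Hypothetical mu-plugin (added example, not from the talk): shrink what
 * non-administrators can do and what administrators can do by accident.
 * The role name, capability set and plugin path are assumptions.
 */

// In wp-config.php (assumption: above the line that loads wp-settings.php):
//   define( 'DISALLOW_FILE_EDIT', true ); // removes the theme and plugin code editors
//   define( 'DISALLOW_FILE_MODS', true ); // also blocks plugin/theme install and update from the UI

// Plugins that ship in the codebase are loaded here instead of being activated
// from the dashboard, so they go through code review and cannot be switched
// off or swapped from the UI (hypothetical path).
require_once WPMU_PLUGIN_DIR . '/vendor/example-plugin/example-plugin.php';

// A "site manager" role: what an editor can do, plus users and menus, but none
// of the administrator's plugin, theme or settings capabilities.
add_action( 'init', function () {
    if ( get_role( 'site_manager' ) ) {
        return; // roles persist in the options table; create once
    }
    $editor = get_role( 'editor' );
    $caps   = $editor ? $editor->capabilities : array();
    foreach ( array( 'list_users', 'create_users', 'edit_users', 'promote_users', 'edit_theme_options' ) as $cap ) {
        $caps[ $cap ] = true;
    }
    add_role( 'site_manager', 'Site Manager', $caps );
} );

// On a single site, edit_users lets the holder change any user's password and
// e-mail, administrators included, and promote_users lets them hand out any
// role. Deny both against administrator accounts unless the actor is one.
add_filter( 'map_meta_cap', function ( $caps, $cap, $user_id, $args ) {
    $guarded = array( 'edit_user', 'delete_user', 'remove_user', 'promote_user' );
    if ( ! in_array( $cap, $guarded, true ) || empty( $args[0] ) ) {
        return $caps;
    }
    $target = get_userdata( (int) $args[0] );
    if ( $target
        && in_array( 'administrator', (array) $target->roles, true )
        && ! user_can( $user_id, 'administrator' ) ) {
        $caps[] = 'do_not_allow';
    }
    return $caps;
}, 10, 4 );

// Close the other path to administrator: the role list offered when creating
// or editing a user (and enforced by edit_user()) omits it for non-admins, so a
// site manager cannot promote anyone, including themselves.
add_filter( 'editable_roles', function ( $roles ) {
    if ( ! current_user_can( 'administrator' ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );
```

The two filters are the part worth reviewing carefully: granting `edit_users` to a custom role without the `map_meta_cap` guard turns that role into a one-step path to an administrator account, which is exactly the "access to other things they should not have" the slide warns about. Check it the way an attacker would, by logging in as a `site_manager` and opening an administrator's profile page.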
  46. Data Security
  47. Data Security
     • Limit access to datastores as much as possible
     • Limit access to any credentials you need to store as well
     • Code review! Again!
     • Observe best practices for local security for any local copy of your data
  48. Have a plan for backups.
  49. Backing Up Your Sites
     • Database dumps
       • mysqldump + scripting
       • Various backup plugins
     • Backup installations
     • Hosting provider backups
       • What does your host provide?
     • Using a “cloud” backup solution
       • VaultPress
  50. Contingency Planning
  51. Hope for the best.
  52. Plan for the worst.
  53. Questions?
  54. Thank you. https://ryanmarkel.com/wcus2017/
  55. Say hi!
     • I’m around all WCUS!
     • @ryanmarkel
     • https://ryanmarkel.com/