We kicked off the new phase with a talk by Tim Nash. Tim works for hosting company 34SP.com, who sponsor our meetups (thanks for the pizza!). His job is DevSecOps – in non-geek speak, that means thinking about security from the start and getting everyone on board. He’s a regular speaker at WordCamps on the topic of security.
Practical Security Tips for WordPress – the 2018 edition
This was a remixed version of Tim’s talk from last year. I’ll summarize because:
(a) he’ll be delivering this talk again this year, and
(b) you really should hear him live!
Tim covered a lot of topics but his aim was that we should:
Do one thing I say.
Think back to the Panama Papers hack. It started with hackers exploiting a flaw in an out-of-date version of the Revolution Slider plugin. Revolution Slider is a plugin often bundled with themes and, guess what: theme vendors often don’t keep it up to date along with the theme files, nor do users realise that there may be newer versions of the slider.
The result of that hack was good for journalists, but imagine it happening to a site that you run. Not so good.
So how can we keep our WordPress sites as secure as possible?
Keep all the WordPress things up to date
WordPress Core updates aren’t just for giving us nice new themes and making the UI look better. They’re also there for security updates.
Some people disable the automatic updates that install minor WordPress releases, e.g. 4.9.5 to 4.9.6. Don’t!
Tim made a case for auto-updating major releases too, e.g. 4.8 to 4.9. I’m not sure I agree, but it’s worth considering.
Get your plugins and themes from the genuine authors. If a premium theme or plugin appears to be free for download, it’s too good to be true and will likely infect your site.
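To make the update advice concrete, here is an added example (mine, not from Tim’s talk) of a must-use plugin that switches the WordPress auto-updater on for minor and major core releases as well as plugins and themes. The filter names are WordPress core’s own; the file name and comments are my assumptions.

```php
<?php
/**
 * Plugin Name: Force WordPress auto-updates (added example, not from the talk)
 *
 * Save as wp-content/mu-plugins/force-auto-updates.php: mu-plugins load
 * automatically and cannot be deactivated from the dashboard, so a
 * well-meaning admin cannot quietly switch the updates off again.
 */

// Refuse any attempt to disable the automatic updater outright.
add_filter( 'automatic_updater_disabled', '__return_false' );

// Minor releases (e.g. 4.9.5 -> 4.9.6): these carry the security fixes.
// This is the default, but some hosts or plugins turn it off; force it on.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Major releases (e.g. 4.8 -> 4.9): Tim's suggestion. Change to
// '__return_false' if you prefer to test major releases on staging first.
add_filter( 'allow_major_auto_core_updates', '__return_true' );

// Plugins and themes too. Caveat: WordPress can only auto-update code it
// obtained from the WordPress.org directory. A commercial slider bundled
// inside a theme (the Revolution Slider case above) still depends on the
// theme vendor shipping the update, so check those by hand.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
```

Auto-updates run via WP-Cron, so a low-traffic site will only pick them up when someone visits; a real cron job hitting wp-cron.php keeps them timely.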
Security plugins – yay or nay?
Tim’s company did an analysis of hacked sites and found that those with a security plugin active were no less likely to be broken into than those without.
The problem is that most of us don’t take the time to configure such plugins properly, so they lure us into a false sense of security.
Watch your user roles
Do you run a site with five Administrators? Do you really need to?
WordPress Admins can do everything on a site, so there should be as few as possible.
Tim recommended downgrading most Admins to Editors.
Anyone who doesn’t complain within the first 24 hours doesn’t need to be an admin.
Or you can create a custom user role with some admin capabilities but not the full range. I’ve written a post on this for WPMU DEV: Power Up Your Users With The User Role Editor Plugin.
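As an added example of the custom-role idea (my code, not from the talk or the User Role Editor plugin), this registers a “Site Manager” role that starts from Editor and adds only the maintenance capabilities that usually push people into handing out full Administrator. The role name and the capability selection are my assumptions; the capability names are WordPress core’s.

```php
<?php
/**
 * Added example, not from the talk: a least-privilege "Site Manager" role.
 * Run once from a plugin activation hook (add_role() persists the role in
 * the database, so it does not need to run on every request).
 */
function example_register_site_manager_role() {
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return null; // Editor role missing: nothing sensible to copy from.
    }

    // Start from Editor: posts, pages, media, comments, other users' content.
    $caps = $editor->capabilities;

    // Add only the day-to-day maintenance tasks that used to need an Admin.
    $caps['update_core']      = true;
    $caps['update_plugins']   = true;
    $caps['update_themes']    = true;
    $caps['activate_plugins'] = true;

    // Deliberately NOT granted:
    //   install_plugins / install_themes  - no new code pulled in from outside
    //   edit_plugins / edit_themes        - no arbitrary PHP via the dashboard
    //   create_users / edit_users / promote_users - cannot mint another admin
    //   manage_options                    - cannot change site URL, registration, etc.

    // Returns the WP_Role on success, null if the role already exists.
    return add_role( 'site_manager', 'Site Manager', $caps );
}
register_activation_hook( __FILE__, 'example_register_site_manager_role' );

// Undo on deactivation; users left with this role fall back to no role
// and should be reassigned (e.g. to Editor) before you deactivate.
function example_remove_site_manager_role() {
    remove_role( 'site_manager' );
}
register_deactivation_hook( __FILE__, 'example_remove_site_manager_role' );
```

On a multisite network, update_core and the plugin/theme capabilities are reserved for super admins, so this role only gains the maintenance rights on a single-site install.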
Passwords or passphrases?
Long passwords are more secure. But they’re bloody hard to remember.
We’re much better at recalling passphrases – groups of words meshed together.
Ideally the words should be random, but we as humans are so predisposed to pattern matching we’re not good with randomness.
So use one of the passphrase generators online, and use that as the master password for a password manager.
Tim did point out that all major password managers had been hacked at one time or another – though he still uses one. (KeePass, if you’re interested.)
Turn on Two Factor Authentication
Two factor authentication (2FA) brings in an extra barrier to a hacker. As well as entering the correct login credentials they also need a code from something you own, usually your phone, to gain access.
Ahmed Khalifa has a good article on 2FA: Two-Factor Authentication (2FA): What is it & Why Should I Use it?
You can turn on 2FA just for certain users, i.e. you can exclude people who aren’t tech-savvy!
One way that hackers gain entry is just hammering the login URL over and over again with different usernames and passwords until they get in.
Ask your host for Fail2Ban to prevent this. If they don’t know what that is then you should switch host!
Logging and monitoring events
Although we’re in the age of GDPR, logging and monitoring what happens on your website is not necessarily a bad thing. As long as you are upfront about what data you collect and discard it regularly, it’s fine to keep tabs on events.
But of course you need to actually check the data you collect to see if a breach has occurred.
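Tying the Fail2Ban advice to the logging advice: Fail2Ban can only ban what it can see, and out of the box WordPress records nothing about failed logins. The following added example (mine, not from the talk) writes each failed login to syslog in a fixed one-line format that a Fail2Ban filter can match. The log format, filter snippet and function names are my assumptions.

```php
<?php
/**
 * Added example, not from the talk: log failed logins for Fail2Ban.
 * Save as wp-content/mu-plugins/log-failed-logins.php.
 *
 * Assumption: REMOTE_ADDR is the real client address. If the site sits
 * behind a proxy or CDN, have the web server rewrite REMOTE_ADDR from a
 * header it trusts; never read X-Forwarded-For here, because anyone can
 * set that header and get an innocent address banned.
 */
function example_client_ip() {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
    return filter_var( $ip, FILTER_VALIDATE_IP ) ? $ip : 'unknown';
}

function example_log_failed_login( $username ) {
    // The username is attacker-controlled. Strip anything outside printable
    // ASCII so a crafted value cannot inject a fake "from <IP>" line or a
    // newline into the log and mislead the Fail2Ban regex.
    $user = preg_replace( '/[^\x20-\x7E]/', '?', (string) $username );

    openlog( 'wordpress', LOG_NDELAY | LOG_PID, LOG_AUTH );
    syslog( LOG_WARNING, sprintf(
        'Authentication failure for %s from %s', $user, example_client_ip()
    ) );
    closelog();
}
add_action( 'wp_login_failed', 'example_log_failed_login' );

/*
 * Matching Fail2Ban filter, /etc/fail2ban/filter.d/wordpress.conf
 * (the "from <HOST>$" anchor at the end is what keeps a username that
 * contains the word "from" from shifting which address gets banned):
 *
 *   [INCLUDES]
 *   before = common.conf
 *   [Definition]
 *   _daemon = wordpress
 *   failregex = ^%(__prefix_line)sAuthentication failure for .* from <HOST>$
 *
 * Then a jail pointing at your auth log (e.g. /var/log/auth.log) with
 * filter = wordpress, maxretry = 5 and a bantime of your choosing.
 *
 * GDPR note, as the post says: IP addresses are personal data, so rotate
 * and discard this log on the schedule your privacy notice promises.
 */
```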
I began using SSL last spring, and haven’t regretted it. Google are now saying that websites will be marked as “not secure” from July 2018, so it’s really a must-do.
There’s no difference in encryption between free Let’s Encrypt SSL and pricier Enhanced Validation SSL certificates, so don’t feel you have to shell out.
Backup, backup, backup
You can never have too many backups. But when was the last time you actually checked your backup files? Or did a test restore? Hmm… never?
My favourite quote of the night from Tim: “If you’re not testing your backups you don’t have backups. You have prayers.” – @tnash
Disasters happen. Websites get hacked every day. But it doesn’t need to be the end of the world.
Make a disaster recovery plan. Hopefully you won’t ever need it, but if the worst happens you can:
- Remain cool
- Inform those who need to know
- Be more prepared in future.
Keep an eye on the security section of Tim’s site as he will later post the slides of this year’s talk and the video.
And let me know what one thing you’ll be doing to make your WordPress site more secure in the comments, or say what security tips for WordPress you’ve learned.