WordPress Security: Beyond The Plugin
Download as PPTX, PDF1 like256 views
The document emphasizes that WordPress security is a business issue rather than solely an IT concern, advocating for a comprehensive approach that includes technology, processes, and people. It outlines best practices based on the NIST Cybersecurity Framework, covering asset management, risk assessment, access control, incident response, and recovery. The key takeaway is that effective security requires more than just installing plugins; ongoing management and preparedness are essential.
WordPress Security: Beyond The Plugin
- 1. WordPress Security: Beyond The Plugin WordCamp Sacramento 2018 Stacy M. Clements
- 2. Who Am I? • Small Business Owner • Air Force veteran • Fixer/Problem Solver/Pitbull
- 3. WordPress Security? “What security plugin should I use to secure my site?” “Which security plugin is better, XXXXXX or YYYYYY?” “Secure your website in 2 minutes by installing XXXXXX plugin.”
- 4. WordPress Security? “What security plugin should I use to secure my site?” “Which security plugin is better, XXXXXX or YYYYYY?” “Secure your website in 2 minutes by installing XXXXXX plugin.”
- 5. THAT’S NOT HOW THIS WORKS THAT’S NOT HOW ANY OF THIS WORKS
- 9. The solution lies in redefining the problem.
- 11. GAME SCORE Changing The Game
- 12. Changing The Game Security is not an IT issue. It’s a business issue. We can’t eliminate risk. We navigate it. TechnologyProcess People
- 13. So What Can We Do?
- 14. I’m from the government, and I’m here to help.
- 15. • Collaborative effort • Built using “best practice” standards and guidelines • Checklist • One-size-fits-all • Designed to be flexible NIST Cybersecurity Framework
- 16. NIST Cybersecurity Framework Core What needs protection? What safeguards are available? What techniques can identify incidents? Processes to contain impacts of incidents? Processes to restore capabilities?
- 17. Framework Core Elements Functions organize basic cybersecurity activities at the highest level
- 18. Framework Core Elements Categories break down Functions into groups of cybersecurity outcomes
- 19. Framework Core Elements Subcategories get more specific – describing specific outcomes of technical and/or management activities
- 20. Framework Core Elements Informative References are common standards, guidelines, and practices used to achieve these outcomes
- 21. Identify IDENTIFY Asset Management • Website – files and database • Plugins/extensions • Third party integrations • Cloud storage, payment processor, accounting • Users – and what roles? • Who has access to your data?
- 22. Identify IDENTIFY Asset Management • Website is not just a collection of files and database • Do you have a written inventory of: • Domain registrar • Web host • SSL certificate • What about ways people access the site? • Computer, mobile device? What about WiFi?
- 23. Identify IDENTIFY Asset Management Risk Assessment • You need to know what you have, and know what the threats/vulnerabilities are • How do you get your “cyber threat intelligence”? • US-CERT • Vendor-specific • WordPress specific
- 24. Protect PROTECT Access Control • Manage users / roles (does everyone REALLY need admin access?) • And no one is named “admin” • Enforce strong passwords (website AND devices) • Two-factor authentication
- 25. Protect PROTECT Access Control Information Protection Procedures • Update – everything (plugins, core, access devices) • Backups – regularly made and tested • Appropriate actions for known vulnerabilities • VPN, SFTP • Develop and exercise incident response and recovery plans
- 26. Protect PROTECT Access Control Information Protection Procedures Protective Technology • Firewalls – cloud-based, endpoint • Antivirus / malware scanner on access devices • Block brute force login attempts • Blacklist IPs – or whitelist • Web server – updated software versions? Secure file permissions?
- 27. Detect • Server • Application • Access • Change – did something get modified? • Malware scanning DETECT Security Continuous Monitoring
- 28. Detect • Who is getting and assessing alerts? • Who is taking action? • Check for blacklisting • Mxtoolbox • Google Search Console DETECT Security Continuous Monitoring Detection Processes
- 29. How Are We Looking? IDENTIFY Asset Management Risk Assessment PROTECT Access Control Information Protection Procedures Protective Technology DETECT Security Continuous Monitoring Detection Processes TechnologyProcessPeople
- 30. How Are We Looking? IDENTIFY Asset Management Risk Assessment PROTECT Access Control Information Protection Procedures Protective Technology DETECT Security Continuous Monitoring Detection Processes TechnologyProcessPeople
- 31. Respond RESPOND Execute Response Plan • Don’t Panic! • Major / Minor? • Quarantine site - preserve log files • Notifications • Failover
- 32. Respond RESPOND Execute Response Plan Analysis & Mitigation • What happened? • Investigate notifications – assess impact • What immediate actions do you need to take? (put out the fire)
- 33. Recover • Restore site from the backup you created and tested (you did do that, right?) RECOVER Execute Recovery Plan
- 34. Recover • Recovery is not just returning to the pre- incident state • Hotwash • Lessons Learned? RECOVER Execute Recovery Plan Improvements
- 36. Takeaways • Security is more than a plugin • Not (just) IT! • Always have backup • Lessons learned – not burned KNOWLEDGE IS OF NO VALUE UNLESS PUT INTO PRACTICE
- 37. THANK YOU! QUESTIONS? Stacy M. Clements https://www.linkedin.com/in/stacyclements https://twitter.com/stacyclements https://milepost42.com
Editor's Notes
- #16: based on existing standards, guidelines, and practices for organizations to better manage and reduce cybersecurity risk. Does not tell an organization how much cyber risk is tolerable, nor provide “the one and only” formula for cybersecurity. Living document - focuses on questions an organization needs to ask itself to manage its risk. While practices, technology, and standards will change over time—principles will not.
- #17: high-level, strategic view of the lifecycle of an organization’s management of cybersecurity risk. Set of desired cybersecurity activities and outcomes
- #22: The activities in the Identify Function are foundational for effective use of the Framework
- #23: The activities in the Identify Function are foundational for effective use of the Framework
- #27: What is your host doing? Is your server secure? PHP version / MySQL Avoid “soup kitchen” servers File permissions Prevent php execution in wp-content/uploads Deny access to wp-config.php
- #28: How do I know when something happens?
- #29: How do I know when something happens?
- #33: Maybe it’s not a big hairy incident “incident” could be a newly announced vulnerability in plugin – just update it
- #35: What happened – and how do we keep it from happening again? May want to communicate what you’ve done to your customers