Episode: 046
Title: How to Secure WordPress
Aired: August 12, 2017
Featured Segments: How to Secure WordPress
Synopsis:
Justin Dailey, security engineering manager at WP Engine, discusses how to secure WordPress websites.
Bret Piatt (left), Justin Dailey (right)
Transcript:
00:00:01 [Music] 00:00:23 from the dark let you ladies out you 00:00:26 were listening to cyber talk radio on 00:00:28 news 400 wao 00:00:31 [Music] 00:00:51 welcome to cyber talk radio 00:00:54 I'm your host Bret Pyatt a 20-year 00:00:56 internet security veteran this week 00:00:59 we're going to be talking about one of 00:01:01 the hottest topics on the Internet we 00:01:04 were just discussing before we went on 00:01:05 air I said I think if your Google 00:01:07 profile is a little bit geeky and nerdy 00:01:09 and security enough if you type in the 00:01:12 phrase how to it may just automatically 00:01:15 populate there for you in the search 00:01:16 suggestions the the next thing that 00:01:18 we're going to talk about here with our 00:01:20 guest this week which is how to secure 00:01:21 WordPress for those of you that are not 00:01:24 in the tech side of the world WordPress 00:01:28 is the thing that powers almost a 00:01:30 quarter of the Internet if you're out 00:01:33 there and you go to a website for your 00:01:35 favorite store your restaurant a 00:01:37 business that you may law firm medical 00:01:42 practice all of those things there's a 00:01:43 at least a one in four chance and maybe 00:01:46 a 50% chance on those type of businesses 00:01:49 that it's running on a wordpress site 00:01:51 we're joined today by a real expert in 00:01:53 this from a company that runs hundreds 00:01:56 of thousands maybe millions of WordPress 00:01:57 sites I don't know if they disclose 00:01:59 these numbers but a ton of them for web 00:02:02 design agencies for individual 00:02:04 businesses and for enterprises so Justin 00:02:07 thank you for coming to join us this 00:02:09 week yeah it's really good to be here 00:02:11 thanks for having me yeah so your day 00:02:14 job is to keep this stuff safe day job 00:02:17 is to keep WordPress safe yeah so can 00:02:21 you for those listening that have not 00:02:23 heard of WordPress before I mean I 00:02:25 shared a little 
stats about it's a 00:02:26 quarter of the Internet but what is it 00:02:28 how did it get there and why are people 00:02:30 building so many websites on it yeah so 00:02:32 WordPress is its open source technology 00:02:34 for one which means the code is open 00:02:37 source anyone can contribute to it you 00:02:39 just need to have expertise in it and 00:02:41 you need to go through the proper 00:02:42 channels to actually contribute to it so 00:02:44 people really appreciate that aspect of 00:02:46 it and they get transparency into what's 00:02:48 actually happening and then in addition 00:02:50 to that so it's a content management 00:02:51 system which means you don't necessarily 00:02:54 have to code everything in your website 00:02:55 you actually get to go in and there's a 00:02:57 nice UI and you can you can actually 00:02:59 visually configure what's going to 00:03:01 happen in your website and you don't 00:03:02 necessarily have to know how to write 00:03:04 PHP 00:03:04 code or Python code or or anything like 00:03:06 that you can actually just be a novice 00:03:09 web user and go in and create your own 00:03:11 website with some pretty looking themes 00:03:13 one of the things about WordPress that's 00:03:15 make it made it so successful along with 00:03:17 the open sources it's adopted a very 00:03:20 pluggable architecture so there's just 00:03:23 massive amounts of wordpress plugins 00:03:25 WordPress themes and you can go through 00:03:27 and for instance when you're setting up 00:03:29 your site the first thing you do is like 00:03:30 okay well what kind of what kind of 00:03:31 theme don't want to start with maybe I'm 00:03:33 creating a shop I'm going to sell 00:03:35 necklaces so I'm going to go look for 00:03:37 e-commerce based themes and there's 00:03:39 thousands of them out there right and 00:03:42 then there's some great plugins like 00:03:43 WooCommerce that allow you to really 00:03:45 like set up and manage the site so it 00:03:47 helps 
you helps you to price items helps 00:03:49 you to be able to like track your 00:03:50 inventory and all that stuff it just 00:03:52 makes it very user friendly for people 00:03:54 that aren't extremely tech savvy and 00:03:56 then basically you can go from that and 00:03:59 like you start looking at okay what kind 00:04:01 of functionality do I want on my site I 00:04:03 want users to be able to interact with 00:04:04 me on social media so I'll go and solve 00:04:07 some social media plugins and it just it 00:04:10 allows you to very quickly connect all 00:04:11 the pieces together and it also gives 00:04:14 you the flexibility to sort of dive 00:04:16 under the hood to if you want to it's 00:04:18 open source all the code is there and 00:04:20 available for you and that includes the 00:04:22 plugins so when you install a plug-in if 00:04:25 you need to tweak it a little bit if you 00:04:26 need to tweak a theme and you're savvy 00:04:29 enough to go in there and sort of get 00:04:30 your hands dirty you can customize it as 00:04:32 much as you want to yeah that's for 00:04:34 those that are not technically savvy and 00:04:37 it's as easy as using a web-based email 00:04:40 so like if you're going to edit the page 00:04:42 on your website if you can go in and use 00:04:46 a web browser-based email client and you 00:04:48 can edit and send an email to somebody 00:04:49 you can edit a web page at your site so 00:04:51 that's how easy WordPress makes it and 00:04:52 with that accessibility and then is 00:04:56 Justin described this pluggable and 00:04:58 modular architecture this is is where 00:05:00 the complexity comes in and for those 00:05:03 cyber security professionals out there 00:05:04 they hear the word complexity and they 00:05:06 they scream and terror in a way this 00:05:08 complexity makes it difficult to 00:05:10 understand all the pieces the components 00:05:12 and for the attackers they only need to 00:05:15 find one chink in the armor they only 
00:05:17 need to find one weak 00:05:18 you can secure ninety-nine out of a 00:05:20 hundred things on your site but if they 00:05:22 find one flaw then they can get in and 00:05:25 go from there so Justin is you you 00:05:26 talked about WordPress the code is open 00:05:28 source and many of the folks say well 00:05:30 open source should be the safest thing 00:05:32 ever because everyone cannot have the 00:05:34 code millions of people have seen it so 00:05:36 is a open source just not as secure as 00:05:38 folks think or what is it this really 00:05:40 drive some of this security 00:05:41 vulnerability in the WordPress 00:05:43 architecture right so that's the great 00:05:46 observation to make with it being open 00:05:48 source you get a lot of eyes on the code 00:05:50 which admittedly makes makes code 00:05:52 quality a lot better overall but still 00:05:55 not perfect right humans aren't perfect 00:05:56 everyone's not reviewing every tiny 00:05:58 piece of code that goes in like you have 00:06:00 a set of reviewers and someone might 00:06:02 happen to look at some code but once 00:06:04 again it depends on who's putting that 00:06:06 in there who's looking at it and what 00:06:07 their expertise and thought process is 00:06:09 and that it's not always perfect so even 00:06:12 with all those eyes on it you'll still 00:06:14 have problems and one of the things with 00:06:16 WordPress as well so the great plug-in 00:06:18 theme ecosystem you have thousands out 00:06:20 there as I mentioned that also means 00:06:22 thousands of developers of varying 00:06:24 quality that are developing and 00:06:25 publishing these plugins and themes and 00:06:27 while the WordPress official repository 00:06:30 tries to maintain a stance of keeping 00:06:33 the code that goes in there to a certain 00:06:36 standard certain quality there's still 00:06:38 stuff that slips through the cracks 00:06:39 right they have a review process but 00:06:41 when you have so many submissions so 
00:06:43 many plug-in version updates and just 00:06:45 code changes constantly it becomes very 00:06:47 hard to really really track all those 00:06:49 and ensure that they're secure to the 00:06:52 top quality and so there are as I 00:06:55 mentioned varying skills from those 00:06:57 developers and really some of them 00:07:00 follow better practices than others and 00:07:02 that can really end up biting you or 00:07:05 really benefiting you right so one of 00:07:08 the things is actually to to try to 00:07:10 stick with that approved and like 00:07:13 mainstream themes and plugins and that's 00:07:16 that's one way that you can sort of 00:07:17 mitigate and reduce your attack vectors 00:07:20 yeah so those those mainstream themes 00:07:22 and plugins more likely to have a 00:07:24 thorough code review process and other 00:07:26 pieces so as you spend your time dealing 00:07:30 with WordPress security issues on a 00:07:31 regular 00:07:32 how many of them come from the actual 00:07:35 WordPress core project code itself 00:07:37 versus themes and plugins I don't have 00:07:39 numbers but off the top of my head I 00:07:40 would say it's 95 plus percent from 00:07:44 themes and plugins WordPress core is 00:07:46 they've over the years sort of developed 00:07:49 and adapted their their practices around 00:07:51 security and code development and code 00:07:53 reviews and I'll say they have a pretty 00:07:56 good system in place now that even when 00:07:59 even when critical vulnerabilities are 00:08:01 discovered at least in the past I'm 00:08:04 going to say a year to two years it has 00:08:06 been a majority discovered by actual 00:08:08 security researchers who have practiced 00:08:10 responsible disclosure and disclosed 00:08:13 them to the WordPress foundation and 00:08:15 then they have taken their notification 00:08:17 process to be able to notify providers 00:08:20 like us ahead of time so we're able to 00:08:23 sort of take action and be ready if you 00:08:26 
will for because as soon as that code 00:08:28 change is actually posted before the 00:08:30 update is even pushed out and available 00:08:31 as soon as that code change is posted a 00:08:34 savvy person can go in and what it's 00:08:36 open-source right so they can go in and 00:08:38 look and see oh well they're changing 00:08:40 this thing here but their commit message 00:08:43 had nothing to do with that actual 00:08:46 change so you can go in and kind of read 00:08:48 between the lines and see so from that 00:08:51 perspective like you can have some some 00:08:52 potential zero days out there if you're 00:08:54 not taking action to quickly update 00:08:56 after that happened so it becomes like a 00:08:58 very tricky flow when you're actually 00:09:00 going through that just due to the 00:09:02 visibility and the eyes on that and of 00:09:04 course this hackers are are looking at 00:09:06 that with very very closely because that 00:09:09 gives them vectors in yeah but yeah as 00:09:12 WordPress core has been has been pretty 00:09:15 good as of late and it's really the 00:09:16 plugins that like suffer the the 00:09:18 majority of vulnerabilities and then one 00:09:20 thing is just keeping things up to date 00:09:22 right so it's not even necessarily that 00:09:24 the newest versions of these plugins or 00:09:26 even WordPress core are vulnerable 00:09:29 it's that vulnerabilities come out and 00:09:31 users don't take action to go through 00:09:34 and update and that what that leaves is 00:09:37 these vulnerabilities that have been 00:09:38 known about published in the wild for 00:09:41 months or years are just sitting there 00:09:43 waiting to be exploited 00:09:45 and for those that experience this on 00:09:48 the news 00:09:48 the wanna cry ransomware that infected a 00:09:52 bunch of Windows computers Microsoft had 00:09:54 released patches for the vulnerability 00:09:57 that that ransomware worm exploited and 00:10:00 if you had gone in and patched and 
00:10:02 updated your operating system then you 00:10:05 wouldn't have had that problem that we 00:10:06 saw a Honda plant over in Japan we saw 00:10:10 the National Health Service in the UK we 00:10:11 saw lots of folks not patching and 00:10:14 updating in a timely manner because it's 00:10:16 complicated to patch an update sometimes 00:10:19 because from a wordpress so does 00:10:22 WordPress work only on one specific 00:10:24 version of an operating system with one 00:10:26 specific web or web server technology or 00:10:28 that how do you how many different ways 00:10:31 can you deploy WordPress you can deploy 00:10:33 it quite a few different ways right so 00:10:35 it relies on PHP PHP is actual the 00:10:37 backend code that's running it can be 00:10:39 deployed in Linux environments Windows 00:10:41 environments basically anything that has 00:10:43 a webserver that's able to execute PHP 00:10:46 and it works with a few different 00:10:49 versions of PHP some plugins are not 00:10:50 compatible with some of the older ones 00:10:52 most stuff is compatible with PHP 7 00:10:55 nowadays which is great to use as it's 00:10:57 much much faster than the 5x variety but 00:11:01 yeah it's a variety of different 00:11:02 platforms ultimately anything that can 00:11:05 host a web server executes PHP you could 00:11:08 you could host WordPress there and 00:11:10 people probably are last saw I was 00:11:12 really digging into the WordPress 00:11:13 security world most the deployments I 00:11:15 think then were on the apache 00:11:17 foundation's H DVD project are you 00:11:20 seeing a shift across the WordPress 00:11:22 world to folks using nginx or other 00:11:23 different web technologies these days 00:11:25 from a web server perspective yeah I 00:11:27 think HTTP D is like its quick to set up 00:11:29 it's easy to use right engine X I have 00:11:33 seen a lot of people going towards nginx 00:11:35 just due to its its speed and 00:11:37 scalability it becomes more 
lightweight 00:11:39 and allows you to really sort of tweak 00:11:42 and configure more to your liking so if 00:11:45 you know what you're doing it can be a 00:11:46 much more powerful tool in a lot of ways 00:11:48 and yet it allows you to easily 00:11:51 incorporate things like caching layers 00:11:53 and stuff like that so you can you can 00:11:55 kind of do some some magic with it 00:11:58 yeah and then you have folks on on 00:12:00 Windows running internet information 00:12:01 server but Apache htpb also runs on 00:12:05 Windows does nginx run on Windows these 00:12:07 days do you know I actually don't know 00:12:08 if the top of my head on the matter yeah 00:12:10 I would be kind of scared to explore 00:12:13 that yeah so you have all of these 00:12:15 different combinations and permutations 00:12:17 to test so this is one as you're 00:12:19 listening and thinking well this is the 00:12:21 powering a quarter of the Internet why 00:12:23 can't the developers in this project 00:12:24 make it safe well software is built in a 00:12:27 layer cake model and analogy I'd like to 00:12:30 use is from a house where you've got the 00:12:32 foundation and one team builds the 00:12:34 foundation and someone else comes in and 00:12:36 built the frame on top and when you 00:12:37 build a roof on top of that and when 00:12:39 you're building a house everyone really 00:12:42 works together everything's pretty 00:12:44 tightly coordinated and you double check 00:12:47 to make sure that that frame will be 00:12:49 able to be built on that foundation that 00:12:51 the frame is going to be able to support 00:12:53 the roof tile if you're going to do 00:12:54 asphalt shingles or if you're going to 00:12:57 do ceramic tile you've got to do a 00:12:58 different frame and you've got have a 00:13:00 different foundation to deal with the 00:13:01 weight of the house and all of those 00:13:02 folks are really working together from 00:13:04 top to bottom in that snack building a 00:13:06 
house and that's why houses don't fall 00:13:07 down well this can happen in technology 00:13:10 as well if you have a team of trained 00:13:11 experts that are managing the operating 00:13:13 system and that web server technology 00:13:15 and then managing WordPress the 00:13:17 application on top of the web server 00:13:18 then all those pieces work together very 00:13:20 well and you can keep things safe but 00:13:23 the the folks that are building the 00:13:26 foundation if they're not talking to the 00:13:28 folks that are going to come put the 00:13:29 frame in the roof on the house and 00:13:31 you've got folks that are not experts 00:13:33 now it makes it into a spot where you 00:13:35 end up with any one of those areas if 00:13:38 you have a problem then word presence of 00:13:39 ultimately getting blamed for all of 00:13:41 these because it's the application there 00:13:44 at the front like if the roof the leaks 00:13:46 or the roof has a problem the roof has 00:13:48 to get replaced 00:13:49 you're not often going to blame the 00:13:51 framing guy or blame the foundation guy 00:13:53 you're going to end up blaming the 00:13:54 roofer for the roof having a problem and 00:13:57 this is I think where WordPress gets a 00:13:59 picked on and maybe beat up a little bit 00:14:01 out there where it doesn't necessarily 00:14:02 deserve some of the rap that it gets it 00:14:05 could be a flaw anywhere in the stack 00:14:07 below it and it just happens to be that 00:14:09 WordPress is the application running on 00:14:11 that 00:14:11 that shaky foundation yeah that's 00:14:14 definitely true I really like that 00:14:15 analogy there's so when you're thinking 00:14:18 about security threats and modeling and 00:14:20 where if you're hosting a website what 00:14:22 you need to be worried about it's all 00:14:24 the way from you think about the server 00:14:27 the operating system that's hosting so 00:14:28 whether it be windows-based UNIX Bay's 00:14:30 you're gonna 
have to worry about threats 00:14:32 on that level and then like you worry 00:14:34 about them your so your HTTP server so 00:14:37 like if you're running Apache HTTP D if 00:14:40 you're running engine X whatever that 00:14:42 layer might be as well as like your your 00:14:44 PHP configuration right what version of 00:14:46 PHP are using what is it vulnerable to 00:14:48 what how have you configured that 00:14:50 environment is it actually a safe 00:14:52 configuration you put into place there 00:14:54 and then that goes all the way to the 00:14:57 WordPress like the application layer 00:14:58 right so and then there's there's tons 00:15:00 just on the front end there that if it's 00:15:02 not properly managed and configured and 00:15:05 it can be a serious risk to you and it 00:15:08 for a lot of users it's just um they're 00:15:10 not knowing exactly how they should be 00:15:12 configuring that and not following the 00:15:14 best practices and so really like to 00:15:16 preach preach education in that sense to 00:15:19 go out and do your research and 00:15:21 understand like the threat model that 00:15:23 you face and if you're using like a 00:15:25 managed platform a managed platform 00:15:28 provider like us so we're we're managing 00:15:30 everything but the WordPress for you you 00:15:32 just need to worry about that WordPress 00:15:33 piece if you're super techy and you want 00:15:36 to take on that whole stack you know 00:15:37 like you're welcome to but that's much 00:15:39 more that you have to worry about and be 00:15:41 educated on and be up to speed on and 00:15:43 like we kind of mentioned earlier it 00:15:46 takes a lot of active effort so you 00:15:48 constantly have to be monitoring and 00:15:51 updating these components to make sure 00:15:53 you don't you don't fall behind 00:15:54 attackers not falling behind and so if 00:15:57 you if you're slacking on on those 00:15:59 updates and really staying with it 00:16:01 you're ultimately going to pay 
the price 00:16:03 at some point it becomes a lot to take 00:16:06 in and manage and that's that's why you 00:16:08 see a lot of people gravitating towards 00:16:11 like these managed providers that are 00:16:14 able to give them sort of like a sandbox 00:16:16 environment to where you say ok we're 00:16:17 going to take care of all this stuff for 00:16:19 you and here's your instance and that's 00:16:21 all you have to worry about at that 00:16:22 point you're listening to 1,200 waa 00:16:25 I this is cyber talk radio and this week 00:16:28 we're talking wordpress security i'm 00:16:29 joined with justin daily security 00:16:31 manager and engineer at a WP engine a 00:16:35 company that takes care and is he was 00:16:37 mentioning runs secure wordpress 00:16:40 environments for folks to then build and 00:16:42 run their web sites and web wordpress 00:16:44 based applications on top of so yeah and 00:16:47 as you're going through talking about 00:16:48 this updating maintaining it's it's one 00:16:53 in the technology world i think 00:16:54 especially we see with the open source 00:16:55 you get this that's really 00:16:56 do-it-yourself crowd and from a home 00:17:00 perspective i think a lot of folks in 00:17:03 that do-it-yourself crowd they'll tinker 00:17:06 with things you might do a little repair 00:17:07 underneath the sink you might do a hang 00:17:11 a new light fixture but most the time 00:17:13 people aren't like plumbing a whole new 00:17:15 bathroom themselves or they're not going 00:17:17 to Home Depot you could go buy all the 00:17:19 parts to build your own bathroom from 00:17:21 scratch but you can't do this you need 00:17:23 permits you need all these things in the 00:17:24 technology world 00:17:25 you don't need permits or anything you 00:17:27 can go download the source code you can 00:17:28 get a website up and running you can do 00:17:31 all of this stuff without any of those 00:17:33 and and I think we see a lot of folks 00:17:34 because 
there's an article on there on 00:17:36 how to set up a wordpress site for your 00:17:38 business you can google that and you're 00:17:39 going to find a list of millions of 00:17:41 articles on the internet telling you all 00:17:43 about how to do that and it's going to 00:17:45 show you how to set up a wordpress site 00:17:46 for your business in three simple steps 00:17:48 I'll bet that post exists as well and 00:17:50 you're going to go wow I can do this and 00:17:52 and do it well and you can set it up and 00:17:54 you can make the site look pretty with 00:17:55 themes as Justin to mention and if you 00:17:57 miss the early part of our conversation 00:17:59 we post a rebroadcast and we put this up 00:18:02 online on iTunes podcast pocket casts or 00:18:05 on our website at WWF or talk-radio comm 00:18:08 there steams and plugins you can make it 00:18:10 look pretty but at every point in time 00:18:12 you need to be reading WordPress 00:18:14 security updates and plug-in security of 00:18:16 articles and all of these things on an 00:18:18 ongoing basis or you're just going to 00:18:21 end up at some point where the attacker 00:18:24 breaks in and they're in your website 00:18:26 and they're pretty good at getting in 00:18:28 and hiding inside as well all right 00:18:30 definitely attackers they they don't 00:18:32 stop so they have many motivations 00:18:35 mainly money they're seeking to to 00:18:38 exploit these research 00:18:39 and take advantage of them for their 00:18:41 benefit and it's really interesting 00:18:43 point you bring up about the sort of DIY 00:18:45 and WordPress is perfect for DIY you 00:18:47 know like I want to spin up my own blog 00:18:49 that's how we're press started right is 00:18:50 like oh it's a great like blogging 00:18:52 platform like it's really easy to use 00:18:54 you can have a blog spun up in no time 00:18:56 at all like you said three steps you're 00:18:59 probably doing two now who knows yeah so 00:19:01 from that 
perspective like even someone 00:19:04 that's just a DIY kind of person they 00:19:06 want to learn some of this technology 00:19:08 they want to get their hands dirty like 00:19:09 it's great to start going down that path 00:19:11 but then once you get to the point where 00:19:13 oh you have a significant resource 00:19:16 that's a WordPress site you know like 00:19:17 many businesses are building either just 00:19:20 their their site so basically the face 00:19:22 of your business or actually your entire 00:19:24 core business so these WordPress sites 00:19:26 that serve functionality right so like 00:19:28 stores are a good example it might be a 00:19:31 forum it can be like just a full-on new 00:19:34 site that that's actually where people 00:19:35 go to engage with your content so 00:19:38 there's there's all kinds of ways that 00:19:40 people are building their companies 00:19:41 around WordPress and once I guess at 00:19:43 that point it becomes more important 00:19:45 right so at that point you're not just 00:19:47 DIY like this is my hobby personal side 00:19:49 it's like this is actually probably a 00:19:52 large portion of your income or even 00:19:54 like the company that you found it so it 00:19:56 becomes much more important much more 00:19:57 relevant at that point and that's when 00:19:59 you want to start taking steps to really 00:20:01 like understand and fully secure and 00:20:05 protect those assets yeah and as soon as 00:20:08 you mentioned the new sites I mean 00:20:11 there's major publications that run 00:20:14 their whole business on WordPress 00:20:16 there's a one here and in our market I 00:20:19 know that runs their site and they've 00:20:24 got probably 15 or 20 journalists out 00:20:27 there writing articles and driving a lot 00:20:29 of page views and traffic to that and 00:20:32 this those are the kind of sites that 00:20:34 hackers like to get into potentially 00:20:37 there because then they can put in 00:20:39 malware and all the 
people are going to 00:20:42 go read those news articles if they've 00:20:43 got a vulnerability in their browser end 00:20:45 up getting infected by visiting that 00:20:47 news site so the new site example is one 00:20:50 where 00:20:51 they may not be doing any e-commerce 00:20:53 directly on that site you think I'm not 00:20:55 taking money on my site I don't have to 00:20:56 worry about securing it well you don't 00:20:58 want all the people that are coming to 00:20:59 visit your business ending up as as 00:21:02 victims I mean this is one where you may 00:21:04 not get robbed specifically yourself 00:21:06 that now you are an agent effectively of 00:21:09 a criminal organization and those folks 00:21:12 are able to infect all of your customers 00:21:14 and steal from them which is not what 00:21:16 anyone wants and there's a example out 00:21:19 there as well some of these new sites 00:21:20 are recommending please turn off your ad 00:21:21 blocker and we there have been its 00:21:24 issues over the last few years where 00:21:25 there been malware served up through ads 00:21:27 online and different news sites have 00:21:29 ended up then delivering malware out to 00:21:32 customers because there please support 00:21:35 our site by turning off your ad blocker 00:21:36 on our site and you end up ending up 00:21:38 creating victims there so it's one where 00:21:40 regardless of if you think you know what 00:21:43 I'm not taking money on my site I don't 00:21:44 really need to pay attention the 00:21:45 security my customers know that like if 00:21:47 my website got hacked somebody put up a 00:21:49 bad picture or whatever else they know 00:21:51 That's not me it'll be okay 00:21:53 but there's the days I think of the the 00:21:55 web defacement where some teenager puts 00:21:58 up a funny picture on your website 00:22:00 instead of it being your real website 00:22:01 those are long gone and Justin to 00:22:03 mention that folks out there now are 00:22:04 motivated 
by money 00:22:06 most of the hacking on the Internet is 00:22:08 done by organized criminal enterprise 00:22:09 and these folks are very sophisticated 00:22:12 and very patient as well so we're 00:22:16 getting ready here in a couple of 00:22:18 minutes for the news traffic and weather 00:22:20 update at the bottom of the hour the 00:22:21 second half of the program this week 00:22:23 we're going to deep dive into some of 00:22:25 the what is Justin's daily life what 00:22:26 does it look like in the week of a 00:22:28 WordPress security team what's up 00:22:30 patching updating management how many 00:22:32 people does this really take to keep 00:22:35 things safe I want to go into that level 00:22:38 of detail will help any of those DIY 00:22:40 practitioners if you really want to try 00:22:42 to DIY this Justin's going to give you a 00:22:44 lot of tips are my real recommendation 00:22:47 unless you're operating at a very very 00:22:50 large scale I mean if you're a top 10 00:22:53 newspaper you should have your own 00:22:54 security team maybe you should try to go 00:22:56 do what Justin's doing if you're not at 00:22:58 that scale if you're not one of the top 00:23:00 100 ecommerce sites online you probably 00:23:03 should not be trying to hire 00:23:04 team and do the stuff yourself there's 00:23:06 not a ton of folks out there in the 00:23:08 market like Justin this is one of the 00:23:10 topics we've covered on this program on 00:23:11 a regular basis just the shortage of 00:23:14 cybersecurity aware technical talent 00:23:16 there's hundreds of thousands of job 00:23:18 openings posted today and we really 00:23:21 believe there's probably millions of job 00:23:22 openings it's just latent jobs that are 00:23:24 not posted because employers know that 00:23:26 even if I put up a job posting for this 00:23:28 I'm never going to get a candidate so 00:23:29 why even bother if you wanted to learn 00:23:31 more about all of those job and a career 00:23:34 and 
cyber employment issues so that you 00:23:38 can fill one of those jobs if you want 00:23:39 to learn some about the problems and 00:23:40 constraints in the market you can listen 00:23:42 to our past episodes on our website at 00:23:45 WWF or a do comm you can also find them 00:23:49 on iTunes podcasts pocket cast on your 00:23:52 Android device or on our youtube channel 00:23:54 as well you are listening to cyber talk 00:23:57 radio we will be right back after the 00:24:00 break news traffic and weather on 1270 00:24:03 way up 00:24:03 [Music] 00:24:27 [Music] 00:24:33 you 00:25:04 welcome back to cyber talk radio I'm 00:25:07 your host Brad Pyatt a 20-year internet 00:25:09 security veterans joined this week by 00:25:12 Justin daily from WP engine and we're 00:25:14 talking how to secure WordPress this 00:25:17 half of the program we're going to go 00:25:19 deep dive into this so I'm going to 00:25:23 pretend that uh I've been trying to run 00:25:25 a wordpress site myself not doing a very 00:25:27 good job because frankly you just kind 00:25:29 of stay on top of things all the time 00:25:30 it's a lot of work so Justin's going to 00:25:33 walk us through all of the things that 00:25:35 he would do if I handed him my wordpress 00:25:38 site and I added a root access to my 00:25:40 server and he's going to start going 00:25:42 through from there to dig in if you 00:25:44 wanted to learn more just about 00:25:45 WordPress in general what it does in the 00:25:47 internet and all of those we covered 00:25:49 that in the first half of the program 00:25:50 and you can listen to a rebroadcast 00:25:52 replay of this on iTunes podcast pocket 00:25:55 casts our YouTube channel or our website 00:25:57 at www.att.com/biz 00:26:06 thank you for listening on in and I know 00:26:10 that you can catch us each weekend at 00:26:12 11:00 p.m. 
on Saturday night on 1200 W a 00:26:15 I on your AM radio dial or on iHeart 00:26:19 Radio on your Android iOS device or even 00:26:22 on your computer all across the internet 00:26:24 so Justin how did you get yourself into 00:26:27 WordPress security to begin with oh good 00:26:30 it's been a long journey actually came 00:26:33 from just a computer science computer 00:26:36 engineering background focused on 00:26:38 digital electronics actually so FPGAs 00:26:40 which are field programmable gate arrays 00:26:43 very hardware digital focused um but 00:26:46 always kind of gravitated towards the 00:26:48 software side kept part of my head in 00:26:51 that side of things and also in the 00:26:52 security world through the years and 00:26:54 yeah just sort of gravitated that way 00:26:56 professionally as well and wound up at 00:26:59 WP Engine with no prior WordPress 00:27:02 experience but then it's been a ride to 00:27:05 sort of learn all that exposure and just 00:27:08 see the the many ways that WordPress is 00:27:09 used and just the power of WordPress and 00:27:13 also see of course the 00:27:14 security side of it is what interests me 00:27:16 heavily and that's how many different 00:27:18 ways people can take advantage of people 00:27:20 using WordPress and then just the web in 00:27:23 general yeah so if you're thinking about 00:27:26 a security job in cyber security or 00:27:29 WordPress or any of these as Justin said 00:27:32 there I think if if you have a solid 00:27:34 fundamental background in technology and 00:27:36 then you have the attitude to learn to 00:27:39 dig in to improve your skills on a daily 00:27:41 basis there's opportunities out there 00:27:43 for you so don't feel like you need to 00:27:46 go back and get a college degree in 00:27:48 cyber security specifically those help 00:27:50 they're useful it's wonderful they help 00:27:52 you think through a lot of frameworks 00:27:53 but if you have the technical skills 00:27:56
understanding and the desire to go in 00:27:58 and learn every day you can build the 00:28:00 skills you need to get a job in these 00:28:03 fields so if you're in there and you're 00:28:05 thinking about well what should I learn 00:28:07 to secure WordPress so I guess here 00:28:09 we go into securing this Justin so I've 00:28:11 given you my Fedora Linux box so you've 00:28:15 got access to it now you've got root 00:28:18 you've telnetted in you've not 00:28:20 telnetted in anyone if you're running telnet 00:28:21 on any machine out there right now 00:28:23 please go in and disable that service if 00:28:26 you don't know how to disable the 00:28:27 service please just turn the server off 00:28:29 so I've used SSH to actually securely 00:28:32 securely connect using approved modern 00:28:36 ciphers so I've done this very very 00:28:37 safely and securely yeah oh good so yeah 00:28:40 at that point you know you're looking at 00:28:42 a few things like he went so you're 00:28:45 considering now you have the full stack 00:28:47 to think about right so you have to 00:28:49 start thinking about the base operating 00:28:51 system level right so you're hosting a 00:28:54 website that means you have to be 00:28:56 publicly addressable so you at least 00:28:58 have some ports open to the wide 00:28:59 internet like you mentioned telnet might 00:29:02 be one of them hopefully it's not but 00:29:04 yeah that's the first first thing you 00:29:06 want to look at is like okay 00:29:07 how am I actually exposed what services 00:29:09 am I running and it should ideally be as 00:29:12 minimal as possible so you might have 00:29:14 SSH because of course you need to 00:29:16 connect and actually administer and then 00:29:19 you've probably got 443 for 00:29:21 secure HTTP and then 80 for unsecure HTTP 00:29:24 HTTP potentially and then maybe you're 00:29:27 looking at you 00:29:28 FTP or SFTP for actually uploading files 00:29:31 to the server as well but yeah I mean
00:29:33 you might have other services running 00:29:35 you didn't know about maybe you just 00:29:36 installed some package that was running 00:29:38 listening on some port you know so it 00:29:41 that's important to take a look at and 00:29:43 understand sort of what's installed 00:29:44 what's running on that system as well as 00:29:47 like are you keeping it updated how are 00:29:50 you managing that system and what are 00:29:52 your practices around that right are you 00:29:54 patching on a regular basis daily weekly 00:29:57 any sort of cadence there do you have 00:30:00 are you tapping into any sort of threat 00:30:02 feeds to understand when your installed 00:30:04 packages are becoming vulnerable all 00:30:06 things to think about and just knowing 00:30:08 how how you're exposed on that level 00:30:11 because the reality is if you're if 00:30:12 you're hosting a website on the Internet 00:30:14 you're in publicly addressable space so 00:30:16 you're you're fair game and even more so 00:30:19 if you have a domain tied to your IP 00:30:20 address then it's not just random 00:30:22 scanners that are going to come and find 00:30:24 you it's people that that see your 00:30:26 domain that visit your website so it 00:30:28 makes you a target in a lot of different 00:30:30 ways and you'll commonly see people that 00:30:32 are hosting websites on servers that are 00:30:34 doing other things as well they might be 00:30:36 hosting like IRC servers or just 00:30:38 ridiculous things and it's funny to see 00:30:41 how many things people overlook and what 00:30:43 they just don't lock down yeah so well 00:30:46 one of the things that we haven't 00:30:47 mentioned yet is that you need a database 00:30:49 too as well to run with WordPress it's 00:30:52 almost always run with MySQL the most 00:30:55 common database to run with it there's 00:30:56 ways to run it with other databases but 00:30:58 it's almost always running with MySQL so 00:31:00 if you're going to go in and
you're 00:31:02 running a WordPress site MySQL has to 00:31:04 listen on a port as well WordPress 00:31:06 communicates with it over a port and 00:31:10 so on that machine looking at the 00:31:12 interface configuration you should have 00:31:14 a loopback or a local interface you 00:31:16 should have another IP address on that 00:31:19 machine that MySQL is listening on MySQL 00:31:21 should not be listening on the internet 00:31:24 routable IP address it should not be 00:31:26 especially on the one that's mapped to 00:31:28 your website like if we scan your 00:31:30 website from the IP it is listening on or 00:31:34 from your domain name to get to the IP 00:31:35 we shouldn't see the MySQL port there we 00:31:38 also should not see the the phpMyAdmin 00:31:42 or we shouldn't see the MySQL admin a 00:31:44 lot of people use these web 00:31:47 add-ons and plugins to manage to make 00:31:50 these things simpler to take the 00:31:53 operations because running a database 00:31:54 can be kind of complicated but you can 00:31:57 use those tools but they need to not be 00:31:59 on that publicly routable address and 00:32:01 that's one of the real common 00:32:02 configuration errors I see out there 00:32:04 yeah absolutely and MySQL is way up 00:32:07 there for concern right because if 00:32:09 access to that is if someone's able to 00:32:11 gain access to that that's essentially 00:32:13 control of your website that's where 00:32:14 WordPress pulls everything from that's 00:32:17 where it stores all the posts all your 00:32:18 content all your media everything so we 00:32:21 actually see compromises where people 00:32:23 will get access to a site maybe they 00:32:25 find like a SQL injection or maybe 00:32:27 you actually left your MySQL 00:32:29 configuration in the default mode and so 00:32:31 your port is just exposed and what 00:32:33 they'll do is they'll inject their 00:32:35 content into your WP headers and so what 00:32:38 that means is
every time someone loads a 00:32:40 page it populates with that WP header 00:32:43 from the database and that actually 00:32:45 might contain some malicious content 00:32:46 like we were talking about earlier or 00:32:48 maybe they're just injecting their own 00:32:49 ads into your page and therefore all 00:32:52 your page views are translating into ad 00:32:54 revenue for them right so yeah that's a 00:32:57 really great thing to look out for and 00:32:59 just to sort of inform our listeners like 00:33:02 one of the tools that people use to just 00:33:05 sort of profile servers is nmap basically 00:33:07 network mapper and so what that does is 00:33:10 you point it at an IP address and it will 00:33:12 scan you can scan all ports if you want 00:33:15 or you can do quick cursory scans and 00:33:18 sort of just scan the most highly used 00:33:20 ports so MySQL has a default port 00:33:22 that it listens on so what people will 00:33:24 do is they'll take IP ranges and they'll 00:33:26 just scan across them with nmap and 00:33:29 they'll seek to identify servers that 00:33:32 have these these vulnerable services 00:33:34 that are listening and they'll do things 00:33:36 like they'll enumerate that and then 00:33:37 they'll go through and try to either 00:33:39 connect if there's no authentication or 00:33:41 they'll start trying to brute force 00:33:43 those things and so that's another thing 00:33:45 to think about as well if you don't have 00:33:47 protections on those services then 00:33:49 that's a possible vector that they can 00:33:52 also get you by so WordPress as well so 00:33:55 as 00:33:55 here on that house we'll get into a 00:33:58 little bit of some of the specific 00:34:00 things about securing WordPress but you 00:34:02 have to be able to administrate that 00:34:03 remotely as well I mean almost all the 00:34:05 websites on the internet are run now 00:34:07 remotely you're not sitting physically 00:34:09 at the server typing on the keyboard 00:34:11
with a monitor plugged into that server 00:34:12 so this is where this you have to allow 00:34:16 for remote administration and it 00:34:17 requires you to be thoughtful and 00:34:19 careful in your setup and operations of 00:34:21 it so if we we go up from that operating 00:34:24 system so let's say we've got MySQL 00:34:26 it's not listening on a public port now 00:34:28 we've got the Edward we're using SSH 00:34:31 we've got maybe key-based authentication 00:34:33 set up or if you're not using key-based 00:34:34 authentication with SSH please use a 00:34:37 secure password because there's just 00:34:40 like with the nmap scanner there's lots 00:34:42 of SSH brute-force attacks and if you 00:34:45 pick a poor password you will get brute 00:34:47 forced on the SSH port you should also 00:34:49 disable root login from the SSH 00:34:52 port pick a username that you log in as 00:34:55 you that's just going to stop a lot of 00:34:57 just the drive-by brute-force attack 00:35:00 stuff as well because everyone knows 00:35:03 that root is the super user on all of 00:35:05 the Linux machines there's no reason to 00:35:07 allow you to log in directly to that you 00:35:08 should have to go onto the server and 00:35:10 then either su or sudo ideally in to 00:35:14 execute commands as root that is we're 00:35:17 going to look and talking about some of 00:35:19 the stuff I mean should I be running my 00:35:21 web server as root should I be running 00:35:23 should PHP be running as root or what do 00:35:26 you do from that user and group 00:35:27 permission set up these yeah that's a 00:35:29 great so as far as that layer goes like 00:35:31 you obviously never want that to be 00:35:33 executing as root right because what 00:35:34 that means is any of your your web 00:35:36 application code actually has root 00:35:38 privileges which translates to ownership 00:35:41 of the machine right so you want to run 00:35:43 that in the most contained environment 00:35:44 you can
and there's various ways to achieve 00:35:47 that one is by not executing as that 00:35:51 root user creating a user www-data 00:35:54 is like the standard like across 00:35:56 almost everything like you're just going 00:35:59 to create a www-data user and 00:36:01 you're going to have your web server 00:36:02 execute code as that user and what you 00:36:05 want to do with that user is lock the 00:36:06 permissions down to exactly what your 00:36:09 web application needs to access and so 00:36:12 what that turns out to be is it's a 00:36:14 short list of things mainly your web 00:36:17 content directory so your web root 00:36:18 directory as well as some other various 00:36:21 things on the OS that it's going to need 00:36:23 to access to actually run and perform 00:36:25 its function another important thing to 00:36:27 think about there is your database 00:36:29 credentials so WordPress connects to the 00:36:31 database how is it connecting to the 00:36:33 database is it connecting as a root user 00:36:34 or is it connecting as an actual 00:36:36 database user many people probably don't 00:36:39 realize but there's if you have root 00:36:41 access in a MySQL database there's a 00:36:43 lot of ways to translate that into root 00:36:45 access to a machine 00:36:46 you basically have unfettered access to 00:36:49 all the MySQL functions which can 00:36:51 translate into just compromises from 00:36:53 many different angles so really 00:36:56 important things to think about is like 00:36:57 what permissions does your application 00:36:59 have when it's executing on your machine 00:37:01 itself yeah MySQL should also not be 00:37:04 running as root yeah it should have 00:37:06 its own separate database user whether 00:37:08 you call it mysql or whether you 00:37:10 call it local database or whatever you 00:37:12 call it it should run if something else is 00:37:14 not as root the only thing that should 00:37:16 run as root is nothing I mean
there's 00:37:19 basically no process on the machine that 00:37:22 needs to run with root permissions as a 00:37:24 remote listener as part of your 00:37:26 application absolutely absolutely and 00:37:28 you always want to follow the principle of 00:37:30 least privilege right so yeah that's a 00:37:32 good way to we're talking about all 00:37:34 these different attack vectors and 00:37:36 services it's even for security experts 00:37:39 it's impossible to account for 00:37:41 every potential threat so what you have 00:37:44 to do is you have to you have to build 00:37:45 up security in layers and you have to 00:37:47 take precautions and put in mitigations 00:37:49 where you can and the principle of least 00:37:51 privilege is a great mitigation right so 00:37:53 that's just protecting your environment 00:37:56 basically segmenting your environment so 00:37:58 if one portion gets compromised the 00:38:00 entire environment is not compromised 00:38:02 yeah and then so the one of the other 00:38:04 things that I recommend is you'll hear 00:38:07 defense-in-depth you'll hear these these 00:38:09 different things but it's basically 00:38:10 trying not to rely on just one control 00:38:13 it's like then most people's door on 00:38:15 your house you've got a deadbolt lock 00:38:18 and if you just lock the deadbolt that's 00:38:19 the real safe super-strong lock but 00:38:22 there's also usually a 00:38:23 lock on the main doorknob as well so you 00:38:24 get the deadbolt plus the second little 00:38:26 lock and you can twist them both locked 00:38:28 and is the second one as good and 00:38:30 strong as the deadbolt no but if you 00:38:31 accidentally forgot to lock the deadbolt 00:38:33 or maybe the door wasn't exactly seated 00:38:35 right so you thought you twisted the 00:38:37 deadbolt but it didn't get all the way 00:38:38 locked you still haven't left the door 00:38:40 completely unlocked so while we recommend 00:38:42 not running MySQL on that Internet 00:38:46
facing port how do folks set up 00:38:48 firewalling on their their Linux to also 00:38:51 then set some local firewall rules to 00:38:54 block that MySQL port itself yeah so 00:38:58 firewall is another important thing you 00:38:59 can you can have a software firewall 00:39:01 that actually runs on in your Linux 00:39:03 environment or you can have a hardware 00:39:05 firewall if you're you're managing your 00:39:06 data center or if your data center 00:39:08 provider gives you access to that as 00:39:10 well and sort of the same thing applies 00:39:12 there and as far as least privilege 00:39:14 because you only want to allow 00:39:16 connections that you expect to happen and 00:39:18 you want to restrict those to the 00:39:20 smallest amount of IP space that you can 00:39:23 so basically if even if you are running 00:39:25 say MySQL and it's listening publicly 00:39:28 you might be doing that because you want 00:39:30 to connect remotely from you know your 00:39:33 home or maybe your VPN your company's 00:39:36 VPN right that's actually ok as long as 00:39:39 you've properly configured it and 00:39:42 configured the listener and also the 00:39:44 firewall so you can lock it down and say 00:39:46 oh ok we're only going to allow 00:39:47 connection to that MySQL port from 00:39:50 this one specific IP address and as long 00:39:52 as you are very confident that only you 00:39:55 can connect from that IP address that's 00:39:57 actually ok so there can there's another 00:40:00 opportunity there to sort of put in a 00:40:01 layer of protections for connections to 00:40:03 all those network services if you want 00:40:06 to learn more about that you can look up 00:40:08 a bastion host online if you google that 00:40:11 and you can read some articles about 00:40:12 bastion hosts but yeah how do you set up 00:40:14 that safe secure management point to 00:40:15 then connect in remotely to add that 00:40:18 next layer of security and that bastion 00:40:20 host should
have advanced logging 00:40:23 multi-factor authentication all of those 00:40:25 things ideally so that you create a 00:40:27 point to where you could see an attacker 00:40:30 coming in to try to then be able to get 00:40:32 into your actual production 00:40:33 infrastructure from there right that 00:40:34 becomes the choke point for actually 00:40:36 connecting 00:40:37 and administering anything on that 00:40:39 server itself yeah so now that we've 00:40:41 gone through we're running our web server 00:40:43 at the right permission we're running 00:40:45 our database with the right permission 00:40:46 and so what we're going in to check are 00:40:51 our PHP version so do we get 00:40:55 vulnerabilities and problems in PHP the 00:40:57 language itself or that the PHP plug 00:41:00 into the to allow the web server to 00:41:02 execute PHP code absolutely that can be 00:41:05 a nightmare and a headache 00:41:07 if you're not properly configuring and 00:41:09 managing that so once again PHP like 00:41:13 there's a lot of configuration options 00:41:14 for PHP you can you can go in you can 00:41:18 allow users to to basically do as much 00:41:21 as they want or you can restrict some of 00:41:23 the functionality you can actually 00:41:24 remove functions that are accessible to 00:41:26 PHP and so many people probably aren't 00:41:30 aware that PHP did not originate as a 00:41:32 programming language it was actually 00:41:34 part of a a web-based suite and the PHP 00:41:37 templating part of it took off and kind 00:41:40 of left the rest behind and it has 00:41:41 evolved over time into what we see now 00:41:43 as the number one scripting language on 00:41:45 the Internet and so what that means is 00:41:47 it didn't have a solid base and firm 00:41:50 from the ground up construction so 00:41:54 there's lots of lots of legacy things in 00:41:55 there that make it difficult to manage 00:41:57 at times and basically manifests itself 00:42:00 as various vulnerabilities and so
of 00:42:03 course I know I'm harping on updating things 00:42:05 but updating staying current with PHP is 00:42:07 a huge thing and then basically looking 00:42:10 at what users can do what your web 00:42:12 application can do with the PHP code so 00:42:15 the really really common thing is 00:42:17 they have a system function and an exec 00:42:20 function and what those are is they 00:42:22 basically pass you to a command line 00:42:24 shell so that's the first thing that you 00:42:27 want to disable if you are running web 00:42:29 code in PHP if an attacker is able to 00:42:32 compromise your website upload a 00:42:34 malicious PHP file and then get the web 00:42:37 server to execute that PHP file they can 00:42:39 upload one with a system command or 00:42:42 an exec command and basically execute 00:42:44 whatever they want on your system yeah 00:42:46 if you've ever been in a terminal window 00:42:47 on your Mac or in a DOS prompt on your 00:42:50 your Windows PC or you've been in a bash 00:42:54 or csh or other shell on your Linux and 00:42:57 you type in a command ls to list a 00:42:59 directory or those things what attackers 00:43:02 can do there and what Justin is 00:43:03 describing is they can execute that ls 00:43:05 command to list a directory and then 00:43:07 instead of it popping back up in the 00:43:09 terminal window for them it's going to 00:43:10 get rendered as a page inside of the 00:43:12 website for them so they can send 00:43:13 commands to the the web page and using 00:43:16 web protocols they effectively have a 00:43:18 local terminal on your computer that 00:43:20 just goes back and forth over that web 00:43:22 port so they're not even connecting in 00:43:24 via SSH you won't see that local shell 00:43:26 connection it'll just look like more web 00:43:29 traffic on your website so if you're 00:43:30 looking at your logs or if you've got an 00:43:32 intrusion detection system that's 00:43:34 checking to see SSH connections or if
00:43:36 you only allow SSH connections from that 00:43:38 bastion host if you're allowing PHP to 00:43:40 exec commands and they're able to get 00:43:42 PHP files into your site it's just going 00:43:44 to look like web traffic right yeah and 00:43:47 there's there's various vectors to come 00:43:49 about that so and basically the attack 00:43:51 vector for that is okay I have a 00:43:53 vulnerability in my in my web site so 00:43:55 maybe someone's able to upload content 00:43:57 to a directory that I didn't expect or 00:43:59 write a file to a directory that I didn't 00:44:01 expect whether it's provided as a 00:44:03 functionality of the website or not 00:44:05 maybe I'm not filtering out my images 00:44:08 properly so someone can upload an image 00:44:09 that's actually a PHP script and then 00:44:12 request it and my web server will execute 00:44:14 it so and that's just a variety of the 00:44:17 ways that that can occur and ultimately 00:44:19 if you're not properly restricting the 00:44:22 permissions of PHP as well as what 00:44:24 functions are available that manifests 00:44:26 itself as potentially full takeover of 00:44:29 the machine yeah and then this goes into 00:44:31 so you've got the PHP security piece 00:44:33 itself but then also you mentioned in 00:44:35 there in that website of being able to 00:44:37 upload content to a directory or to even 00:44:42 read files maybe in the directory that 00:44:43 you didn't expect on the website I think 00:44:45 all of us have probably seen this when 00:44:47 you go out to some website on the 00:44:49 internet and all of a sudden it pops up a 00:44:50 folder browser view for you you're like 00:44:52 why is that there well because that 00:44:53 wasn't turned off in that website I mean 00:44:55 now you're browsing file directories on 00:44:57 there and there's no index for that 00:45:00 directory that's going to pop up and 00:45:01 actually render an HTML page so the 00:45:04 web server says oh you must
just want 00:45:05 to use this as a file browser and now 00:45:07 it's just letting you browse the file 00:45:09 system on that machine so the web server 00:45:12 has got all sorts of configuration 00:45:14 settings as well to dig in and to ensure 00:45:16 that you're not allowing folks to upload 00:45:19 additional files there with most of 00:45:22 the web browsing side of the world is a 00:45:24 GET request you're getting and 00:45:25 downloading things but you want to be 00:45:26 able to upload that user-generated 00:45:27 content 00:45:28 allow that into your website so you're 00:45:30 allowing either whether it's an HTTP PUT 00:45:32 request or whether it is something 00:45:34 actually built in the application code 00:45:36 of the website you're often allowing 00:45:38 people to upload and you have to allow 00:45:40 folks to write things on to your server 00:45:42 either into your database or into a 00:45:43 local file system 00:45:45 but there's all sorts of aspects 00:45:47 to dig into on the security there so 00:45:50 let's say we've we've now secured PHP 00:45:53 we've secured our web server so we're 00:45:54 we're up to WordPress and I thought it 00:45:57 was pretty easy I just put WordPress on 00:45:58 the machine and I go in there and I 00:46:00 install a bunch of plugins and then in 00:46:01 that little WordPress admin user 00:46:03 interface it just says update all your 00:46:05 plugins I just click a little update 00:46:07 button and everything just updates it 00:46:08 works right for the most part actually 00:46:10 yeah except when it does it except when 00:46:14 it doesn't so that securing WordPress 00:46:16 can be almost as complicated as you want 00:46:18 or as simple as you want if you if you 00:46:20 know what you're doing so kind of the 00:46:23 same thing there you want to look at 00:46:24 what your attack surface is understand 00:46:26 so the best thing you can do is educate 00:46:29 yourself on web attacks like common 00:46:31
things the OWASP top 10 is a great place 00:46:34 to start and really understand what 00:46:36 attackers are doing and what the biggest 00:46:37 threats that face web face web 00:46:39 applications are and you can start with 00:46:42 that and take that knowledge and start 00:46:43 translating it into securing your site 00:46:45 itself the first most obvious place that 00:46:49 everyone should start is do you have SSL 00:46:51 all right are you supporting TLS and 00:46:54 there is no excuse for anyone at this 00:46:57 point to not be using TLS now Let's 00:47:00 Encrypt free yeah we both said it we 00:47:02 brain connection right there Let's 00:47:04 Encrypt free certificates for all yes 00:47:06 and it takes no time at all our platform 00:47:09 actually supports a complete integration 00:47:11 with it you can have a certificate set 00:47:13 up in under five minutes with a few 00:47:14 quick clicks it's seamless yeah 00:47:17 it's free for everyone and what that 00:47:19 does is that allows you all traffic 00:47:21 that's going to and from your website to 00:47:22 be encrypted and that's important for 00:47:24 your your users that's also important 00:47:26 for you as an administrator so when 00:47:29 you're when you're making changes to this 00:47:30 WordPress site you're connecting to it 00:47:32 remotely over the Internet and using the 00:47:33 WordPress admin panel and you want to 00:47:36 make very very certain that those 00:47:38 connections are encrypted otherwise you 00:47:41 face the risk of someone man in the 00:47:42 middling you and being able to basically 00:47:44 take over your website yeah so on my 00:47:47 website if I'm running WordPress should 00:47:48 I the admin panel I think it defaults to 00:47:51 slash wp-admin that's correct yeah 00:47:54 should I leave it there no best practice 00:47:58 is to remove that also remove you know 00:48:00 the default admin user that's created 00:48:03 and then so you can sort of do some 00:48:06 security by
obfuscation there and sort 00:48:09 of move things out of the expected 00:48:10 place and what that does is that raises 00:48:12 the bar significantly for attackers that 00:48:14 are doing these drive-by hits on your 00:48:16 site right they don't like all of a 00:48:19 sudden it's not very easy for them to 00:48:21 like find your login page and so they'll 00:48:23 move on to the next yeah cuz there's 00:48:25 there's maybe a billion WordPress sites 00:48:27 on the internet so right there is 00:48:29 there's over a billion it's about a 00:48:31 quarter of the Internet I think twenty eight 00:48:33 percent the last time I checked so it's a 00:48:35 wide variety and you'd be surprised some 00:48:38 of the sites that you're on that you're 00:48:39 like oh man this is actually a WordPress 00:48:40 site like it's become a very flexible 00:48:43 and expandable platform yeah so going in 00:48:46 on WordPress so you've got themes and 00:48:48 plugins and if I want to pick a theme or 00:48:52 plugin how do I know if it's safe and 00:48:54 secure is there a Good Housekeeping 00:48:56 Seal of Approval out there on themes and 00:48:59 plugins is there something that says 00:49:00 these plugins are safe to use they've 00:49:02 got some reasonable level of auditing 00:49:05 and updating and patching and they have 00:49:07 developers in their community they're 00:49:09 paying attention to security mailing 00:49:11 lists yeah yeah and the best most 00:49:13 obvious place is the WordPress approved 00:49:15 like plug-in and theme repos so they 00:49:18 have a review process for people 00:49:20 submitting plug-ins to those yet sort of 00:49:22 like we talked about