Episode: 046


Title: How to Secure WordPress


Aired: August 12, 2017


Featured Segments: How to Secure WordPress


Synopsis:

Justin Dailey, security engineering manager at WP Engine, discusses how to secure WordPress websites.


Follow Us & Stay Informed:


Bret Piatt (left), Justin Dailey (right)


Tweet us: @cybertalkradio, @wpengine, @bpiatt / Stream on iHeartRadio: Android or iOS


Transcript:


00:00:01 [Music]
00:00:23 from the dark let you ladies out you
00:00:26 were listening to cyber talk radio on
00:00:28 news 400 wao
00:00:31 [Music]
00:00:51 welcome to cyber talk radio
00:00:36 I'm your host Bret Piatt a 20-year
00:00:56 internet security veteran this week
00:00:59 we're going to be talking about one of
00:01:01 the hottest topics on the Internet we
00:01:04 were just discussing before we went on
00:01:05 air I said I think if your Google
00:01:07 profile is a little bit geeky and nerdy
00:01:09 and security enough if you type in the
00:01:12 phrase how to it may just automatically
00:01:15 populate there for you in the search
00:01:16 suggestions the the next thing that
00:01:18 we're going to talk about here with our
00:01:20 guest this week which is how to secure
00:01:21 WordPress for those of you that are not
00:01:24 in the tech side of the world WordPress
00:01:28 is the thing that powers almost a
00:01:30 quarter of the Internet if you're out
00:01:33 there and you go to a website for your
00:01:35 favorite store your restaurant a
00:01:37 business that you may law firm medical
00:01:42 practice all of those things there's a
00:01:43 at least a one in four chance and maybe
00:01:46 a 50% chance on those type of businesses
00:01:49 that it's running on a wordpress site
00:01:51 we're joined today by a real expert in
00:01:53 this from a company that runs hundreds
00:01:56 of thousands maybe millions of WordPress
00:01:57 sites I don't know if they disclose
00:01:59 these numbers but a ton of them for web
00:02:02 design agencies for individual
00:02:04 businesses and for enterprises so Justin
00:02:07 thank you for coming to join us this
00:02:09 week yeah it's really good to be here
00:02:11 thanks for having me yeah so your day
00:02:14 job is to keep this stuff safe day job
00:02:17 is to keep WordPress safe yeah so can
00:02:21 you for those listening that have not
00:02:23 heard of WordPress before I mean I
00:02:25 shared a little stats about it's a
00:02:26 quarter of the Internet but what is it
00:02:28 how did it get there and why are people
00:02:30 building so many websites on it yeah so
00:02:32 WordPress is its open source technology
00:02:34 for one which means the code is open
00:02:37 source anyone can contribute to it you
00:02:39 just need to have expertise in it and
00:02:41 you need to go through the proper
00:02:42 channels to actually contribute to it so
00:02:44 people really appreciate that aspect of
00:02:46 it and they get transparency into what's
00:02:48 actually happening and then in addition
00:02:50 to that so it's a content management
00:02:51 system which means you don't necessarily
00:02:54 have to code everything in your website
00:02:55 you actually get to go in and there's a
00:02:57 nice UI and you can you can actually
00:02:59 visually configure what's going to
00:03:01 happen in your website and you don't
00:03:02 necessarily have to know how to write
00:03:04 PHP
00:03:04 code or Python code or or anything like
00:03:06 that you can actually just be a novice
00:03:09 web user and go in and create your own
00:03:11 website with some pretty looking themes
00:03:13 one of the things about WordPress that's
00:03:15 make it made it so successful along with
00:03:17 the open sources it's adopted a very
00:03:20 pluggable architecture so there's just
00:03:23 massive amounts of wordpress plugins
00:03:25 WordPress themes and you can go through
00:03:27 and for instance when you're setting up
00:03:29 your site the first thing you do is like
00:03:30 okay well what kind of what kind of
00:03:31 theme do I want to start with maybe I'm
00:03:33 creating a shop I'm going to sell
00:03:35 necklaces so I'm going to go look for
00:03:37 e-commerce based themes and there's
00:03:39 thousands of them out there right and
00:03:42 then there's some great plugins like
00:03:43 WooCommerce that allow you to really
00:03:45 like set up and manage the site so it
00:03:47 helps you helps you to price items helps
00:03:49 you to be able to like track your
00:03:50 inventory and all that stuff it just
00:03:52 makes it very user friendly for people
00:03:54 that aren't extremely tech savvy and
00:03:56 then basically you can go from that and
00:03:59 like you start looking at okay what kind
00:04:01 of functionality do I want on my site I
00:04:03 want users to be able to interact with
00:04:04 me on social media so I'll go and solve
00:04:07 some social media plugins and it just it
00:04:10 allows you to very quickly connect all
00:04:11 the pieces together and it also gives
00:04:14 you the flexibility to sort of dive
00:04:16 under the hood to if you want to it's
00:04:18 open source all the code is there and
00:04:20 available for you and that includes the
00:04:22 plugins so when you install a plug-in if
00:04:25 you need to tweak it a little bit if you
00:04:26 need to tweak a theme and you're savvy
00:04:29 enough to go in there and sort of get
00:04:30 your hands dirty you can customize it as
00:04:32 much as you want to yeah that's for
00:04:34 those that are not technically savvy and
00:04:37 it's as easy as using a web-based email
00:04:40 so like if you're going to edit the page
00:04:42 on your website if you can go in and use
00:04:46 a web browser-based email client and you
00:04:48 can edit and send an email to somebody
00:04:49 you can edit a web page at your site so
00:04:51 that's how easy WordPress makes it and
00:04:52 with that accessibility and then is
00:04:56 Justin described this pluggable and
00:04:58 modular architecture this is is where
00:05:00 the complexity comes in and for those
00:05:03 cyber security professionals out there
00:05:04 they hear the word complexity and they
00:05:06 they scream in terror in a way this
00:05:08 complexity makes it difficult to
00:05:10 understand all the pieces the components
00:05:12 and for the attackers they only need to
00:05:15 find one chink in the armor they only
00:05:17 need to find one weak
00:05:18 you can secure ninety-nine out of a
00:05:20 hundred things on your site but if they
00:05:22 find one flaw then they can get in and
00:05:25 go from there so Justin is you you
00:05:26 talked about WordPress the code is open
00:05:28 source and many of the folks say well
00:05:30 open source should be the safest thing
00:05:32 ever because everyone can have the
00:05:34 code millions of people have seen it so
00:05:36 is open source just not as secure as
00:05:38 folks think or what is it this really
00:05:40 drive some of this security
00:05:41 vulnerability in the WordPress
00:05:43 architecture right so that's the great
00:05:46 observation to make with it being open
00:05:48 source you get a lot of eyes on the code
00:05:50 which admittedly makes makes code
00:05:52 quality a lot better overall but still
00:05:55 not perfect right humans aren't perfect
00:05:56 everyone's not reviewing every tiny
00:05:58 piece of code that goes in like you have
00:06:00 a set of reviewers and someone might
00:06:02 happen to look at some code but once
00:06:04 again it depends on who's putting that
00:06:06 in there who's looking at it and what
00:06:07 their expertise and thought process is
00:06:09 and that it's not always perfect so even
00:06:12 with all those eyes on it you'll still
00:06:14 have problems and one of the things with
00:06:16 WordPress as well so the great plug-in
00:06:18 theme ecosystem you have thousands out
00:06:20 there as I mentioned that also means
00:06:22 thousands of developers of varying
00:06:24 quality that are developing and
00:06:25 publishing these plugins and themes and
00:06:27 while the WordPress official repository
00:06:30 tries to maintain a stance of keeping
00:06:33 the code that goes in there to a certain
00:06:36 standard certain quality there's still
00:06:38 stuff that slips through the cracks
00:06:39 right they have a review process but
00:06:41 when you have so many submissions so
00:06:43 many plug-in version updates and just
00:06:45 code changes constantly it becomes very
00:06:47 hard to really really track all those
00:06:49 and ensure that they're secure to the
00:06:52 top quality and so there are as I
00:06:55 mentioned varying skills from those
00:06:57 developers and really some of them
00:07:00 follow better practices than others and
00:07:02 that can really end up biting you or
00:07:05 really benefiting you right so one of
00:07:08 the things is actually to to try to
00:07:10 stick with that approved and like
00:07:13 mainstream themes and plugins and that's
00:07:16 that's one way that you can sort of
00:07:17 mitigate and reduce your attack vectors
00:07:20 yeah so those those mainstream themes
00:07:22 and plugins more likely to have a
00:07:24 thorough code review process and other
00:07:26 pieces so as you spend your time dealing
00:07:30 with WordPress security issues on a
00:07:31 regular basis
00:07:32 how many of them come from the actual
00:07:35 WordPress core project code itself
00:07:37 versus themes and plugins I don't have
00:07:39 numbers but off the top of my head I
00:07:40 would say it's 95 plus percent from
00:07:44 themes and plugins WordPress core is
00:07:46 they've over the years sort of developed
00:07:49 and adapted their their practices around
00:07:51 security and code development and code
00:07:53 reviews and I'll say they have a pretty
00:07:56 good system in place now that even when
00:07:59 even when critical vulnerabilities are
00:08:01 discovered at least in the past I'm
00:08:04 going to say a year to two years it has
00:08:06 been a majority discovered by actual
00:08:08 security researchers who have practiced
00:08:10 responsible disclosure and disclosed
00:08:13 them to the WordPress foundation and
00:08:15 then they have taken their notification
00:08:17 process to be able to notify providers
00:08:20 like us ahead of time so we're able to
00:08:23 sort of take action and be ready if you
00:08:26 will for because as soon as that code
00:08:28 change is actually posted before the
00:08:30 update is even pushed out and available
00:08:31 as soon as that code change is posted a
00:08:34 savvy person can go in and what it's
00:08:36 open-source right so they can go in and
00:08:38 look and see oh well they're changing
00:08:40 this thing here but their commit message
00:08:43 had nothing to do with that actual
00:08:46 change so you can go in and kind of read
00:08:48 between the lines and see so from that
00:08:51 perspective like you can have some some
00:08:52 potential zero days out there if you're
00:08:54 not taking action to quickly update
00:08:56 after that happened so it becomes like a
00:08:58 very tricky flow when you're actually
00:09:00 going through that just due to the
00:09:02 visibility and the eyes on that and of
00:09:04 course this hackers are are looking at
00:09:06 that with very very closely because that
00:09:09 gives them vectors in yeah but yeah as
00:09:12 WordPress core has been has been pretty
00:09:15 good as of late and it's really the
00:09:16 plugins that like suffer the the
00:09:18 majority of vulnerabilities and then one
00:09:20 thing is just keeping things up to date
00:09:22 right so it's not even necessarily that
00:09:24 the newest versions of these plugins or
00:09:26 even WordPress core are vulnerable
00:09:29 it's that vulnerabilities come out and
00:09:31 users don't take action to go through
00:09:34 and update and that what that leaves is
00:09:37 these vulnerabilities that have been
00:09:38 known about published in the wild for
00:09:41 months or years are just sitting there
00:09:43 waiting to be exploited
00:09:45 and for those that experience this on
00:09:48 the news
00:09:48 the wanna cry ransomware that infected a
00:09:52 bunch of Windows computers Microsoft had
00:09:54 released patches for the vulnerability
00:09:57 that that ransomware worm exploited and
00:10:00 if you had gone in and patched and
00:10:02 updated your operating system then you
00:10:05 wouldn't have had that problem that we
00:10:06 saw a Honda plant over in Japan we saw
00:10:10 the National Health Service in the UK we
00:10:11 saw lots of folks not patching and
00:10:14 updating in a timely manner because it's
00:10:16 complicated to patch an update sometimes
00:10:19 because from a wordpress so does
00:10:22 WordPress work only on one specific
00:10:24 version of an operating system with one
00:10:26 specific web or web server technology or
00:10:28 that how do you how many different ways
00:10:31 can you deploy WordPress you can deploy
00:10:33 it quite a few different ways right so
00:10:35 it relies on PHP PHP is actual the
00:10:37 backend code that's running it can be
00:10:39 deployed in Linux environments Windows
00:10:41 environments basically anything that has
00:10:43 a webserver that's able to execute PHP
00:10:46 and it works with a few different
00:10:49 versions of PHP some plugins are not
00:10:50 compatible with some of the older ones
00:10:52 most stuff is compatible with PHP 7
00:10:55 nowadays which is great to use as it's
00:10:57 much much faster than the 5x variety but
00:11:01 yeah it's a variety of different
00:11:02 platforms ultimately anything that can
00:11:05 host a web server executes PHP you could
00:11:08 you could host WordPress there and
00:11:10 people probably are last saw I was
00:11:12 really digging into the WordPress
00:11:13 security world most the deployments I
00:11:15 think then were on the Apache
00:11:17 Foundation's httpd project are you
00:11:20 seeing a shift across the WordPress
00:11:22 world to folks using nginx or other
00:11:23 different web technologies these days
00:11:25 from a web server perspective yeah I
00:11:27 think httpd is like it's quick to set up
00:11:29 it's easy to use right nginx I have
00:11:33 seen a lot of people going towards nginx
00:11:35 just due to its its speed and
00:11:37 scalability it becomes more lightweight
00:11:39 and allows you to really sort of tweak
00:11:42 and configure more to your liking so if
00:11:45 you know what you're doing it can be a
00:11:46 much more powerful tool in a lot of ways
00:11:48 and yet it allows you to easily
00:11:51 incorporate things like caching layers
00:11:53 and stuff like that so you can you can
00:11:55 kind of do some some magic with it
00:11:58 yeah and then you have folks on on
00:12:00 Windows running internet information
00:12:01 server but Apache httpd also runs on
00:12:05 Windows does nginx run on Windows these
00:12:07 days do you know I actually don't know
00:12:08 if the top of my head on the matter yeah
00:12:10 I would be kind of scared to explore
00:12:13 that yeah so you have all of these
00:12:15 different combinations and permutations
00:12:17 to test so this is one as you're
00:12:19 listening and thinking well this is the
00:12:21 powering a quarter of the Internet why
00:12:23 can't the developers in this project
00:12:24 make it safe well software is built in a
00:12:27 layer cake model and analogy I'd like to
00:12:30 use is from a house where you've got the
00:12:32 foundation and one team builds the
00:12:34 foundation and someone else comes in and
00:12:36 built the frame on top and when you
00:12:37 build a roof on top of that and when
00:12:39 you're building a house everyone really
00:12:42 works together everything's pretty
00:12:44 tightly coordinated and you double check
00:12:47 to make sure that that frame will be
00:12:49 able to be built on that foundation that
00:12:51 the frame is going to be able to support
00:12:53 the roof tile if you're going to do
00:12:54 asphalt shingles or if you're going to
00:12:57 do ceramic tile you've got to do a
00:12:58 different frame and you've got have a
00:13:00 different foundation to deal with the
00:13:01 weight of the house and all of those
00:13:02 folks are really working together from
00:13:04 top to bottom in that stack building a
00:13:06 house and that's why houses don't fall
00:13:07 down well this can happen in technology
00:13:10 as well if you have a team of trained
00:13:11 experts that are managing the operating
00:13:13 system and that web server technology
00:13:15 and then managing WordPress the
00:13:17 application on top of the web server
00:13:18 then all those pieces work together very
00:13:20 well and you can keep things safe but
00:13:23 the the folks that are building the
00:13:26 foundation if they're not talking to the
00:13:28 folks that are going to come put the
00:13:29 frame in the roof on the house and
00:13:31 you've got folks that are not experts
00:13:33 now it makes it into a spot where you
00:13:35 end up with any one of those areas if
00:13:38 you have a problem then WordPress sort of
00:13:39 ultimately getting blamed for all of
00:13:41 these because it's the application there
00:13:44 at the front like if the roof the leaks
00:13:46 or the roof has a problem the roof has
00:13:48 to get replaced
00:13:49 you're not often going to blame the
00:13:51 framing guy or blame the foundation guy
00:13:53 you're going to end up blaming the
00:13:54 roofer for the roof having a problem and
00:13:57 this is I think where WordPress gets a
00:13:59 picked on and maybe beat up a little bit
00:14:01 out there where it doesn't necessarily
00:14:02 deserve some of the rap that it gets it
00:14:05 could be a flaw anywhere in the stack
00:14:07 below it and it just happens to be that
00:14:09 WordPress is the application running on
00:14:11 that
00:14:11 that shaky foundation yeah that's
00:14:14 definitely true I really like that
00:14:15 analogy there's so when you're thinking
00:14:18 about security threats and modeling and
00:14:20 where if you're hosting a website what
00:14:22 you need to be worried about it's all
00:14:24 the way from you think about the server
00:14:27 the operating system that's hosting so
00:14:28 whether it be Windows-based UNIX-based
00:14:30 you're gonna have to worry about threats
00:14:32 on that level and then like you worry
00:14:34 about them your so your HTTP server so
00:14:37 like if you're running Apache httpd if
00:14:40 you're running nginx whatever that
00:14:42 layer might be as well as like your your
00:14:44 PHP configuration right what version of
00:14:46 PHP are using what is it vulnerable to
00:14:48 what how have you configured that
00:14:50 environment is it actually a safe
00:14:52 configuration you put into place there
00:14:54 and then that goes all the way to the
00:14:57 WordPress like the application layer
00:14:58 right so and then there's there's tons
00:15:00 just on the front end there that if it's
00:15:02 not properly managed and configured and
00:15:05 it can be a serious risk to you and it
00:15:08 for a lot of users it's just um they're
00:15:10 not knowing exactly how they should be
00:15:12 configuring that and not following the
00:15:14 best practices and so really like to
00:15:16 preach preach education in that sense to
00:15:19 go out and do your research and
00:15:21 understand like the threat model that
00:15:23 you face and if you're using like a
00:15:25 managed platform a managed platform
00:15:28 provider like us so we're we're managing
00:15:30 everything but the WordPress for you you
00:15:32 just need to worry about that WordPress
00:15:33 piece if you're super techy and you want
00:15:36 to take on that whole stack you know
00:15:37 like you're welcome to but that's much
00:15:39 more that you have to worry about and be
00:15:41 educated on and be up to speed on and
00:15:43 like we kind of mentioned earlier it
00:15:46 takes a lot of active effort so you
00:15:48 constantly have to be monitoring and
00:15:51 updating these components to make sure
00:15:53 you don't you don't fall behind
00:15:54 attackers not falling behind and so if
00:15:57 you if you're slacking on on those
00:15:59 updates and really staying with it
00:16:01 you're ultimately going to pay the price
00:16:03 at some point it becomes a lot to take
00:16:06 in and manage and that's that's why you
00:16:08 see a lot of people gravitating towards
00:16:11 like these managed providers that are
00:16:14 able to give them sort of like a sandbox
00:16:16 environment to where you say ok we're
00:16:17 going to take care of all this stuff for
00:16:19 you and here's your instance and that's
00:16:21 all you have to worry about at that
00:16:22 point you're listening to 1200 WOAI
00:16:25 this is cyber talk radio and this week
00:16:28 we're talking WordPress security I'm
00:16:29 joined with Justin Dailey security
00:16:31 manager and engineer at WP Engine a
00:16:35 company that takes care and is he was
00:16:37 mentioning runs secure wordpress
00:16:40 environments for folks to then build and
00:16:42 run their web sites and web wordpress
00:16:44 based applications on top of so yeah and
00:16:47 as you're going through talking about
00:16:48 this updating maintaining it's it's one
00:16:53 in the technology world i think
00:16:54 especially we see with the open source
00:16:55 you get this that's really
00:16:56 do-it-yourself crowd and from a home
00:17:00 perspective i think a lot of folks in
00:17:03 that do-it-yourself crowd they'll tinker
00:17:06 with things you might do a little repair
00:17:07 underneath the sink you might do a hang
00:17:11 a new light fixture but most the time
00:17:13 people aren't like plumbing a whole new
00:17:15 bathroom themselves or they're not going
00:17:17 to Home Depot you could go buy all the
00:17:19 parts to build your own bathroom from
00:17:21 scratch but you can't do this you need
00:17:23 permits you need all these things in the
00:17:24 technology world
00:17:25 you don't need permits or anything you
00:17:27 can go download the source code you can
00:17:28 get a website up and running you can do
00:17:31 all of this stuff without any of those
00:17:33 and and I think we see a lot of folks
00:17:34 because there's an article on there on
00:17:36 how to set up a wordpress site for your
00:17:38 business you can google that and you're
00:17:39 going to find a list of millions of
00:17:41 articles on the internet telling you all
00:17:43 about how to do that and it's going to
00:17:45 show you how to set up a wordpress site
00:17:46 for your business in three simple steps
00:17:48 I'll bet that post exists as well and
00:17:50 you're going to go wow I can do this and
00:17:52 and do it well and you can set it up and
00:17:54 you can make the site look pretty with
00:17:55 themes as Justin did mention and if you
00:17:57 miss the early part of our conversation
00:17:59 we post a rebroadcast and we put this up
00:18:02 online on iTunes podcast pocket casts or
00:18:05 on our website at www.cybertalkradio.com
00:18:08 there's themes and plugins you can make it
00:18:10 look pretty but at every point in time
00:18:12 you need to be reading WordPress
00:18:14 security updates and plug-in security of
00:18:16 articles and all of these things on an
00:18:18 ongoing basis or you're just going to
00:18:21 end up at some point where the attacker
00:18:24 breaks in and they're in your website
00:18:26 and they're pretty good at getting in
00:18:28 and hiding inside as well all right
00:18:30 definitely attackers they they don't
00:18:32 stop so they have many motivations
00:18:35 mainly money they're seeking to to
00:18:38 exploit these resources
00:18:39 and take advantage of them for their
00:18:41 benefit and it's really interesting
00:18:43 point you bring up about the sort of DIY
00:18:45 and WordPress is perfect for DIY you
00:18:47 know like I want to spin up my own blog
00:18:49 that's how WordPress started right is
00:18:50 like oh it's a great like blogging
00:18:52 platform like it's really easy to use
00:18:54 you can have a blog spun up in no time
00:18:56 at all like you said three steps you're
00:18:59 probably doing two now who knows yeah so
00:19:01 from that perspective like even someone
00:19:04 that's just a DIY kind of person they
00:19:06 want to learn some of this technology
00:19:08 they want to get their hands dirty like
00:19:09 it's great to start going down that path
00:19:11 but then once you get to the point where
00:19:13 oh you have a significant resource
00:19:16 that's a WordPress site you know like
00:19:17 many businesses are building either just
00:19:20 their their site so basically the face
00:19:22 of your business or actually your entire
00:19:24 core business so these WordPress sites
00:19:26 that serve functionality right so like
00:19:28 stores are a good example it might be a
00:19:31 forum it can be like just a full-on news
00:19:34 site that that's actually where people
00:19:35 go to engage with your content so
00:19:38 there's there's all kinds of ways that
00:19:40 people are building their companies
00:19:41 around WordPress and once I guess at
00:19:43 that point it becomes more important
00:19:45 right so at that point you're not just
00:19:47 DIY like this is my hobby personal side
00:19:49 it's like this is actually probably a
00:19:52 large portion of your income or even
00:19:54 like the company that you found it so it
00:19:56 becomes much more important much more
00:19:57 relevant at that point and that's when
00:19:59 you want to start taking steps to really
00:20:01 like understand and fully secure and
00:20:05 protect those assets yeah and as soon as
00:20:08 you mentioned the news sites I mean
00:20:11 there's major publications that run
00:20:14 their whole business on WordPress
00:20:16 there's a one here and in our market I
00:20:19 know that runs their site and they've
00:20:24 got probably 15 or 20 journalists out
00:20:27 there writing articles and driving a lot
00:20:29 of page views and traffic to that and
00:20:32 this those are the kind of sites that
00:20:34 hackers like to get into potentially
00:20:37 there because then they can put in
00:20:39 malware and all the people are going to
00:20:42 go read those news articles if they've
00:20:43 got a vulnerability in their browser end
00:20:45 up getting infected by visiting that
00:20:47 news site so the news site example is one
00:20:50 where
00:20:51 they may not be doing any e-commerce
00:20:53 directly on that site you think I'm not
00:20:55 taking money on my site I don't have to
00:20:56 worry about securing it well you don't
00:20:58 want all the people that are coming to
00:20:59 visit your business ending up as as
00:21:02 victims I mean this is one where you may
00:21:04 not get robbed specifically yourself
00:21:06 that now you are an agent effectively of
00:21:09 a criminal organization and those folks
00:21:12 are able to infect all of your customers
00:21:14 and steal from them which is not what
00:21:16 anyone wants and there's a example out
00:21:19 there as well some of these news sites
00:21:20 are recommending please turn off your ad
00:21:21 blocker and we there have been its
00:21:24 issues over the last few years where
00:21:25 there been malware served up through ads
00:21:27 online and different news sites have
00:21:29 ended up then delivering malware out to
00:21:32 customers because there please support
00:21:35 our site by turning off your ad blocker
00:21:36 on our site and you end up ending up
00:21:38 creating victims there so it's one where
00:21:40 regardless of if you think you know what
00:21:43 I'm not taking money on my site I don't
00:21:44 really need to pay attention the
00:21:45 security my customers know that like if
00:21:47 my website got hacked somebody put up a
00:21:49 bad picture or whatever else they know
00:21:51 That's not me it'll be okay
00:21:53 but there's the days I think of the the
00:21:55 web defacement where some teenager puts
00:21:58 up a funny picture on your website
00:22:00 instead of it being your real website
00:22:01 those are long gone and Justin did
00:22:03 mention that folks out there now are
00:22:04 motivated by money
00:22:06 most of the hacking on the Internet is
00:22:08 done by organized criminal enterprise
00:22:09 and these folks are very sophisticated
00:22:12 and very patient as well so we're
00:22:16 getting ready here in a couple of
00:22:18 minutes for the news traffic and weather
00:22:20 update at the bottom of the hour the
00:22:21 second half of the program this week
00:22:23 we're going to deep dive into some of
00:22:25 the what is Justin's daily life what
00:22:26 does it look like in the week of a
00:22:28 WordPress security team what's up
00:22:30 patching updating management how many
00:22:32 people does this really take to keep
00:22:35 things safe I want to go into that level
00:22:38 of detail will help any of those DIY
00:22:40 practitioners if you really want to try
00:22:42 to DIY this Justin's going to give you a
00:22:44 lot of tips are my real recommendation
00:22:47 unless you're operating at a very very
00:22:50 large scale I mean if you're a top 10
00:22:53 newspaper you should have your own
00:22:54 security team maybe you should try to go
00:22:56 do what Justin's doing if you're not at
00:22:58 that scale if you're not one of the top
00:23:00 100 ecommerce sites online you probably
00:23:03 should not be trying to hire a
00:23:04 team and do the stuff yourself there's
00:23:06 not a ton of folks out there in the
00:23:08 market like Justin this is one of the
00:23:10 topics we've covered on this program on
00:23:11 a regular basis just the shortage of
00:23:14 cybersecurity aware technical talent
00:23:16 there's hundreds of thousands of job
00:23:18 openings posted today and we really
00:23:21 believe there's probably millions of job
00:23:22 openings it's just latent jobs that are
00:23:24 not posted because employers know that
00:23:26 even if I put up a job posting for this
00:23:28 I'm never going to get a candidate so
00:23:29 why even bother if you wanted to learn
00:23:31 more about all of those job and a career
00:23:34 and cyber employment issues so that you
00:23:38 can fill one of those jobs if you want
00:23:39 to learn some about the problems and
00:23:40 constraints in the market you can listen
00:23:42 to our past episodes on our website at
00:23:45 www.cybertalkradio.com you can also find them
00:23:49 on iTunes podcasts pocket cast on your
00:23:52 Android device or on our youtube channel
00:23:54 as well you are listening to cyber talk
00:23:57 radio we will be right back after the
00:24:00 break news traffic and weather on 1270
00:24:03 way up
00:24:03 [Music]
00:24:27 [Music]
00:25:04 welcome back to cyber talk radio I'm
00:25:07 your host Bret Piatt a 20-year internet
00:25:09 security veteran joined this week by
00:25:12 Justin Dailey from WP Engine and we're
00:25:14 talking how to secure WordPress this
00:25:17 half of the program we're going to go
00:25:19 deep dive into this so I'm going to
00:25:23 pretend that uh I've been trying to run
00:25:25 a WordPress site myself not doing a very
00:25:27 good job because frankly you just kind
00:25:29 of stay on top of things all the time
00:25:30 it's a lot of work so Justin's going to
00:25:33 walk us through all of the things that
00:25:35 he would do if I handed him my WordPress
00:25:38 site and added root access to my
00:25:40 server and he's going to start going
00:25:42 through from there to dig in if you
00:25:44 wanted to learn more just about
00:25:45 WordPress in general what it does in the
00:25:47 internet and all of those we covered
00:25:49 that in the first half of the program
00:25:50 and you can listen to a rebroadcast
00:25:52 replay of this on iTunes podcast pocket
00:25:55 casts our YouTube channel or our website
00:25:57 at www.att.com/biz
00:26:06 thank you for listening on in and I know
00:26:10 that you can catch us each weekend at
00:26:12 11:00 p.m. on Saturday night on 1200
00:26:15 WOAI on your AM radio dial or on iHeart
00:26:19 Radio on your Android iOS device or even
00:26:22 on your computer all across the internet
00:26:24 so Justin how did you get yourself into
00:26:27 WordPress security to begin with oh good
00:26:30 it's been a long journey actually came
00:26:33 from just a computer science computer
00:26:36 engineering background focused on
00:26:38 digital electronics actually so FPGAs
00:26:40 which are field programmable gate arrays
00:26:43 very hardware digital focused um but
00:26:46 always kind of gravitated towards the
00:26:48 software side kept part of my head in
00:26:51 that side of things and also in the
00:26:52 security world through the years and
00:26:54 yeah just sort of gravitated that way
00:26:56 professionally as well and wound up at
00:26:59 WP Engine with no prior WordPress
00:27:02 experience but then it's been a ride to
00:27:05 sort of learn all that exposure and just
00:27:08 see the the many ways that WordPress is
00:27:09 used and just the power of WordPress and
00:27:13 also see of course the
00:27:14 security side of it is what interests me
00:27:16 heavily and that's how many different
00:27:18 ways people can take advantage of people
00:27:20 using WordPress and then just the web in
00:27:23 general yeah so if you're thinking about
00:27:26 a security job and cyber security or
00:27:29 WordPress or any of these as Justin said
00:27:32 there I think if if you have a solid
00:27:34 fundamental background in technology and
00:27:36 then you have the attitude to learn to
00:27:39 dig in to improve your skills in a daily
00:27:41 basis there's opportunities out there
00:27:43 for you so don't feel like you need to
00:27:46 go back and get a college degree in
00:27:48 cyber security specifically those help
00:27:50 they're useful it's wonderful they help
00:27:52 you think through a lot of frameworks
00:27:53 but if you have the technical skills
00:27:56 understanding and the desire to go in
00:27:58 and learn every day you can build the
00:28:00 skills you need to get a job in these
00:28:03 fields so if you're in there and you're
00:28:05 thinking about well what should I learn
00:28:07 the secure WordPress so I guess I hear
00:28:09 we go into secure in this Justin so I've
00:28:11 given you my Fedora Linux box so you've
00:28:15 got access to it now you've got root
00:28:18 you've telnetted in you've not telnetted
00:28:20 in anyone if you're running telnet
00:28:21 on any machine out there right now
00:28:23 please go in and disable that service if
00:28:26 you don't know how to disable the
00:28:27 service please just turn the server off
00:28:29 so I've used SSH to actually securely
00:28:32 securely connect using approved modern
00:28:36 ciphers so I've done this very very
00:28:37 safely and securely yeah oh good so yeah
00:28:40 at that point you know you're looking at
00:28:42 a few things like he went so you're
00:28:45 considering now you have the full stacks
00:28:47 to think about right so you have to
00:28:49 start thinking about the base operating
00:28:51 system level right so you're hosting a
00:28:54 website that means you have to be
00:28:56 publicly addressable so you at least
00:28:58 have some ports open to the wide
00:28:59 internet like you mentioned telnet might
00:29:02 be one of them hopefully it's not but
00:29:04 yeah that's the first first thing you
00:29:06 want to look at is like okay
00:29:07 how am I actually exposed what services
00:29:09 am i running and it should ideally be as
00:29:12 minimal as possible so you might have
00:29:14 SSH because of course you need to
00:29:16 connect and actually administer and then
00:29:19 you've probably got 443 for
00:29:21 secure HTTP and then 80 for unsecure
00:29:24 HTTP potentially and then maybe you're
00:29:27 looking at you
00:29:28 FTP or SFTP for actually uploading file
00:29:31 to the server as well but yeah I mean
00:29:33 you might have other services running
00:29:35 you didn't know about maybe you just
00:29:36 installed some package that was running
00:29:38 listening on some port you know so it
00:29:41 that's important to take a look at and
00:29:43 understand sort of what's installed
00:29:44 what's running on that system as well as
00:29:47 like are you keeping it updated how are
00:29:50 you managing that system and what are
00:29:52 your practices around that right are you
00:29:54 patching on a regular basis daily weekly
00:29:57 any sort of cadence there do you have
00:30:00 are you tapping into any sort of threat
00:30:02 feeds to understand when your installed
00:30:04 packages are becoming vulnerable all
00:30:06 things to think about and just knowing
00:30:08 how how you're exposed on that level
00:30:11 because the reality is if you're if
00:30:12 you're hosting a website on the Internet
00:30:14 you're in publicly addressable space so
00:30:16 you're you're fair game and even more so
00:30:19 if you have a domain tied to your IP
00:30:20 address then it's not just random
00:30:22 scanners that are going to come and find
00:30:24 you it's people that that see your
00:30:26 domain that visit your website so it
00:30:28 makes you a target in a lot of different
00:30:30 ways and you'll commonly see people that
00:30:32 are hosting websites on servers that are
00:30:34 doing other things as well they might be
00:30:36 hosting like IRC servers or just
00:30:38 ridiculous things and it's funny to see
00:30:41 how many things people overlook and what
00:30:43 they just don't lock down yeah so well
00:30:46 one of the things that we haven't
00:30:47 mentioned yet that you need a database
00:30:49 to as well to run with WordPress it's
00:30:52 almost always run with MySQL the most
00:30:55 common database to run with it there's
00:30:56 ways to run it with other databases but
00:30:58 it's almost always running with MySQL so
00:31:00 if you're going to go in and you're
00:31:02 running a WordPress site MySQL has to
00:31:04 listen on a port as well WordPress
00:31:06 communicates it with it over a port and
00:31:10 so on that machine looking at the
00:31:12 interface configuration you should have
00:31:14 a loopback or a local interface you
00:31:16 should have another IP address on that
00:31:19 machine that MySQL is listening on MySQL
00:31:21 should not be listening on the internet
00:31:24 routable IP address it should not be
00:31:26 especially on the one that's mapped to
00:31:28 your website like if we scan your
00:31:30 website from the IP is listening on or
00:31:34 from your domain name to get to the IP
00:31:35 we shouldn't see the MySQL port there we
00:31:38 also should not see the phpMyAdmin
00:31:42 or we shouldn't see the MySQL admin a
00:31:44 lot of people use these web admin
00:31:47 add-ons and plugins to manage to make
00:31:50 these things simpler to take the
00:31:53 operations because running a database
00:31:54 can be kind of complicated but you can
00:31:57 use those tools but they need to not be
00:31:59 on that publicly routable address and
00:32:01 that's one of the real common
00:32:02 configuration errors I see out there
00:32:04 yeah absolutely and MySQL is way up
00:32:07 there for concern right because if
00:32:09 access to that is if someone's able to
00:32:11 gain access to that that's essentially
00:32:13 control of your website that's where
00:32:14 WordPress pulled everything from that's
00:32:17 where it stores all the posts all your
00:32:18 content all your media everything so we
00:32:21 actually see compromises where people
00:32:23 will get access to a site maybe they
00:32:25 find like a SQL injection or maybe
00:32:27 you actually left your SQL
00:32:29 configuration in the default mode and so
00:32:31 your port is just exposed and what
00:32:33 they'll do is they'll inject their
00:32:35 content into your WP headers and so what
00:32:38 that means is every time someone loads a
00:32:40 page it populates with that WP header
00:32:43 from the database and that actually
00:32:45 might contain some malicious content
00:32:46 like we were talking about earlier or
00:32:48 maybe they're just injecting their own
00:32:49 ads into your page and therefore all
00:32:52 your page views are translating into ad
00:32:54 revenue for them right so yeah that's a
00:32:57 really great thing to look out for and
00:32:59 just a sort of inform our listeners like
00:33:02 one of the tools that people use to just
00:33:05 sort of profile servers is nmap basically
00:33:07 network mapper and so what that does is
00:33:10 use pointed at an IP address and it will
00:33:12 scan you can scan all ports if you want
00:33:15 or you can do quick cursory scans and
00:33:18 sort of just scan the most highly used
00:33:20 ports so MySQL has a default port
00:33:22 that it listens on so what people will
00:33:24 do is they'll take IP ranges and they'll
00:33:26 just scan across them with nmap and
00:33:29 they'll seek to identify servers that
00:33:32 have these these vulnerable services
00:33:34 that are listening and they'll do things
00:33:36 like they'll enumerate that and then
00:33:37 they'll go through and try to either
00:33:39 connect if there's no authentication or
00:33:41 they'll start trying to brute force
00:33:43 those things and so that's another thing
00:33:45 to think about as well if you don't have
00:33:47 protections on those services then
00:33:49 that's a possible vector that they can
00:33:52 also get you by so WordPress as well so
00:33:55 as
00:33:55 here on that house we'll get into a
00:33:58 little bit of some of the specific
00:34:00 things about securing WordPress but you
00:34:02 have to be able to administrate that
00:34:03 remotely as well I mean almost all the
00:34:05 websites in the internet are run now
00:34:07 remotely you're not sitting physically
00:34:09 at the server typing on the keyboard
00:34:11 with a monitor plugged into that server
00:34:12 so this is where this you have to allow
00:34:16 for remote administration and it
00:34:17 requires you to be thoughtful and
00:34:19 careful in your setup and operations of
00:34:21 it so if we we go up from that operating
00:34:24 system so let's say we've got MySQL
00:34:26 it's not listening on a public port now
00:34:28 we've got the Edward we're using SSH
00:34:31 we've got maybe key-based authentication
00:34:33 setup or if you're not using key-based
00:34:34 authentication with SSH please use a
00:34:37 secure password because there's just
00:34:40 like with the nmap scanner there's lots
00:34:42 of ssh brute-force attacks and if you
00:34:45 pick a poor password you will get brute
00:34:47 forced on the SSH port you should also
00:34:49 disable root login from the SSH
00:34:52 port pick a username that you log in as
00:34:55 you that's just going to stop a lot of
00:34:57 just the drive-by brute-force attack
00:35:00 stuff as well because everyone knows
00:35:03 that root is the super user on all of
00:35:05 the Linux machines there's no reason to
00:35:07 allow you to log in directly to that you
00:35:08 should have to go onto the server and
00:35:10 then either su or sudo ideally in to
00:35:14 execute commands as root that is we're
00:35:17 going to look and talking about some of
00:35:19 the stuff I mean should I be running my
00:35:21 web server as root should I be running
00:35:23 should PHP be running as root or what do
00:35:26 you do from that user and group
00:35:27 permission set up these yeah that's a
00:35:29 great so as far as that layer goes like
00:35:31 you obviously never want that to be
00:35:33 executing as root right because what
00:35:34 that means is any of your your web
00:35:36 application code actually has root
00:35:38 privileges which translates to ownership
00:35:41 of the machine right so you want to run
00:35:43 that in the most contained environment
00:35:44 can and there's various ways to achieve
00:35:47 that one is by not executing as that
00:35:51 root user creating a user www-data
00:35:54 data is like the standard like across
00:35:56 almost everything like you're just going
00:35:59 to create a www-data user and
00:36:01 you're going to have your web server
00:36:02 execute code as that user and what you
00:36:05 want to do with that user is lock the
00:36:06 permissions down to exactly what your
00:36:09 web application needs to access and so
00:36:12 what that turns out to be is it's a
00:36:14 short list of things mainly your web
00:36:17 content directory so your web root
00:36:18 directory as well as some other various
00:36:21 things on the OS that it's going to need
00:36:23 to access to actually run and perform
00:36:25 its function another important thing to
00:36:27 think about there is your database
00:36:29 credentials so WordPress connects to the
00:36:31 database how is it connecting to the
00:36:33 database is it connecting as a root user
00:36:34 or is it connecting as an actual
00:36:36 database user many people probably don't
00:36:39 realize but there's if you have root
00:36:41 access in a MySQL database there's a
00:36:43 lot of ways to translate that into root
00:36:45 access to a machine
00:36:46 you basically have unfettered access to
00:36:49 all the MySQL functions which can
00:36:51 translate into just compromises from
00:36:53 many different angles so really
00:36:56 important things to think about is like
00:36:57 what permissions does your application
00:36:59 have when it's executing on your machine
00:37:01 itself yeah MySQL should also not be
00:37:04 running as root yeah it should have
00:37:06 its own separate database user whether
00:37:08 you call it mysql or whether you
00:37:10 call it local database or whatever you
00:37:12 call it should run if something else is
00:37:14 not as root the only thing that should
00:37:16 run as root is nothing I mean there's
00:37:19 basically no process on the machine that
00:37:22 needs to run with root permissions as a
00:37:24 remote listening as part of your
00:37:26 application absolutely absolutely and
00:37:28 you always want to follow principle of
00:37:30 least privilege right so yeah that's a
00:37:32 good way to we're talking about all
00:37:34 these different attack vectors and
00:37:36 services it's even for security experts
00:37:39 it's impossible to account for
00:37:41 every potential threat so what you have
00:37:44 to do is you have to you have to build
00:37:45 up security in layers and you have to
00:37:47 take precautions and put in mitigations
00:37:49 where you can and the principle of least
00:37:51 privilege is a great mitigation right so
00:37:53 that's just protecting your environment
00:37:56 basically segmenting your environment so
00:37:58 if one portion gets compromised the
00:38:00 entire environment is not compromised
00:38:02 yeah and then so the one of the other
00:38:04 things that I recommend is you'll hear
00:38:07 defense-in-depth you'll hear these these
00:38:09 different things but it's basically
00:38:10 trying not to rely on just one control
00:38:13 it's like then most people's door on
00:38:15 your house you've got a deadbolt lock
00:38:18 and if you just lock the deadbolt that's
00:38:19 the real safe super-strong lock but
00:38:22 there's also usually a
00:38:23 lock on the main doorknob as well so you
00:38:24 get the deadbolt plus the second little
00:38:26 lock and you can twist them both lock
00:38:28 and is the second one as good and
00:38:30 strong as the deadbolt no but if you
00:38:31 accidentally forgot to lock the deadbolt
00:38:33 or the door wasn't exactly seated
00:38:35 right so you thought you twisted the
00:38:37 deadbolt that it didn't get all the way
00:38:38 locked you still haven't left the door
00:38:40 completely unlocked so well we recommend
00:38:42 not running MySQL on that Internet
00:38:46 facing port how do folks set up
00:38:48 firewalling on their their linux to also
00:38:51 then set some local firewall rules to
00:38:54 block that MySQL port itself yeah so
00:38:58 firewall is another important thing you
00:38:59 can you can have a software firewall
00:39:01 that actually runs on in your Linux
00:39:03 environment or you can have a hardware
00:39:05 firewall if you're you're managing your
00:39:06 data center or if your data center
00:39:08 provider gives you access to that as
00:39:10 well and sort of the same thing applies
00:39:12 there and as far as least privilege
00:39:14 because you only want to allow
00:39:16 connection that you expect to happen and
00:39:18 you want to restrict those to I the
00:39:20 smallest amount of IP space that you can
00:39:23 so basically if even if you are running
00:39:25 say MySQL and it's listening publicly
00:39:28 you might be doing that because you want
00:39:30 to connect remotely from you know your
00:39:33 home or maybe your VPN your company's
00:39:36 VPN right that's actually ok as long as
00:39:39 you've properly configured it and
00:39:42 configured the listener and also the
00:39:44 firewall so you can lock it down and say
00:39:46 oh ok we're only going to allow
00:39:47 connection to that MySQL port from
00:39:50 this one specific IP address and as long
00:39:52 as you are very confident that only you
00:39:55 can connect from that IP address that's
00:39:57 actually ok so there can there's another
00:40:00 opportunity there to sort of put in a
00:40:01 layer of protections for connections to
00:40:03 all those network services if you want
00:40:06 to learn more about that you can look up
00:40:08 a bastion host online if you google that
00:40:11 and you can read some articles about
00:40:12 bastion hosts but yeah how do you set up
00:40:14 that safe secure management point to
00:40:15 then connect in remotely to add that
00:40:18 next layer of security and that bastion
00:40:20 host should have advanced logging
00:40:23 multi-factor authentication all of those
00:40:25 things ideally so that you create a
00:40:27 point to where you could see an attacker
00:40:30 coming in to try to then be able to get
00:40:32 into your actual production
00:40:33 infrastructure from there right that
00:40:34 becomes the choke point for actually
00:40:36 connecting
00:40:37 and administering anything on that
00:40:39 server itself yeah so now that we've
00:40:41 gone through or running our web server
00:40:43 at the right permission we're running
00:40:45 our database with the right permission
00:40:46 and so what we're going in to check are
00:40:51 our PHP version so do we get
00:40:55 vulnerabilities and problems in PHP the
00:40:57 language itself or the PHP plugin
00:41:00 to allow the web server to
00:41:02 execute PHP code absolutely that can be
00:41:05 a nightmare and a headache
00:41:07 if you're not properly configuring and
00:41:09 managing that so once again PHP like
00:41:13 there's a lot of configuration options
00:41:14 for PHP you can you can go in you can
00:41:18 allow users to to basically do as much
00:41:21 as they want or you can restrict some of
00:41:23 the functionality you can actually
00:41:24 remove functions that are accessible to
00:41:26 PHP and so many people probably aren't
00:41:30 aware that PHP did not originate as a
00:41:32 programming language it was actually
00:41:34 part of a a web-based suite and the PHP
00:41:37 templating part of it took off and kind
00:41:40 of left the rest behind and it is
00:41:41 evolved over time into what we see now
00:41:43 as the number one scripting language on
00:41:45 the Internet and so what that means is
00:41:47 it didn't have a solid base and firm
00:41:50 from the ground up construction so
00:41:54 there's lots of lots of legacy things in
00:41:55 there that make it difficult to manage
00:41:57 at times and basically manifests itself
00:42:00 as various vulnerabilities and so of
00:42:03 course I know harping on updating things
00:42:05 but updating staying current with PHP is
00:42:07 a huge thing and then basically looking
00:42:10 at what users can do what your web
00:42:12 application can do with the PHP code so
00:42:15 the really really common thing is
00:42:17 they have a system function and an exec
00:42:20 function and what those are is they
00:42:22 basically pass you to a command line
00:42:24 shell so that's the first thing that you
00:42:27 want to disable if you were running web
00:42:29 code in PHP if an attacker is able to
00:42:32 compromise your website upload a
00:42:34 malicious PHP file and then get the web
00:42:37 server to execute that PHP file they can
00:42:39 upload one with a system command or
00:42:42 an execute command and basically execute
00:42:44 whatever they want on your system yeah
00:42:46 if you've ever been in a terminal window
00:42:47 on your Mac or in a DOS prompt on your
00:42:50 your Windows PC or you've been in a bash
00:42:54 or CSH or other shell on your linux and
00:42:57 you type in a command ls to list a
00:42:59 directory or those things what attackers
00:43:02 can do there and what justin is
00:43:03 describing is they can execute that ls
00:43:05 command to list a directory and then
00:43:07 instead of it popping back up in the
00:43:09 terminal window for them it's going to
00:43:10 get rendered as a page inside of the
00:43:12 website for them so they can send
00:43:13 commands to the the web page and using
00:43:16 web protocols they effectively have a
00:43:18 local terminal on your computer that
00:43:20 just goes back and forth over that web
00:43:22 port so they're not even connecting in
00:43:24 via SSH you won't see that local shell
00:43:26 connection it'll just look like more web
00:43:29 traffic on your website so if you're
00:43:30 looking at your logs or if you've got an
00:43:32 intrusion detection system that's
00:43:34 checking to see SSH connections or if
00:43:36 you only allow SSH connections from that
00:43:38 bastion host if you're allowing PHP to
00:43:40 exec commands and they're able to get
00:43:42 PHP files into your site it's just going
00:43:44 to look like web traffic right yeah and
00:43:47 there's there's various vectors to come
00:43:49 about that so and basically the attack
00:43:51 vector for that is okay I have a
00:43:53 vulnerability in my in my web site so
00:43:55 maybe someone's able to upload content
00:43:57 to a directory that I didn't expect or
00:43:59 write file to a directory that I didn't
00:44:01 expect whether it's provided as a
00:44:03 functionality of the website or not
00:44:05 maybe I'm not filtering out my images
00:44:08 properly so someone can upload an image
00:44:09 that's actually a PHP script and then
00:44:12 request it in my web server will execute
00:44:14 it so and that's just a variety of the
00:44:17 ways that that can occur and ultimately
00:44:19 if you're not properly restricting the
00:44:22 permissions of PHP as well as what
00:44:24 functions are available that manifests
00:44:26 itself as potentially full takeover of
00:44:29 the machine yeah and then this goes into
00:44:31 so you've got the PHP security piece
00:44:33 itself but then also you mentioned in
00:44:35 there in that website of being able to
00:44:37 upload content to a directory or to even
00:44:42 read files maybe in the directory that
00:44:43 you didn't expect on the website I think
00:44:45 all of us have probably seen this when
00:44:47 you go out to a somewhere website on the
00:44:49 internet and all of a sudden it pops up a
00:44:50 folder browser view for you you're like
00:44:52 why is that there well because that
00:44:53 wasn't turned off in that website I mean
00:44:55 now you're browsing file directories on
00:44:57 there and there's no index for that
00:45:00 directory that's going to pop up and
00:45:01 actually render an HTML page so the
00:45:04 web server says oh you must just want
00:45:05 to use this as a file browser and now
00:45:07 it's just letting you browse the file
00:45:09 system on that machine so the web server
00:45:12 has got all sorts of configuration
00:45:14 settings as well to dig in and to ensure
00:45:16 that you're not allowing folks to upload
00:45:19 additional files there with a most of
00:45:22 the web browsing side of the world is a
00:45:24 get request you're getting and
00:45:25 downloading things but you want to be
00:45:26 able to upload that user-generated
00:45:27 content
00:45:28 allow that into your website so you're
00:45:30 allowing either whether it's an HTTP put
00:45:32 request or whether it is something
00:45:34 actually built in the application code
00:45:36 of the website you're often allowing
00:45:38 people to upload and you have to allow
00:45:40 folks to write things on to your server
00:45:42 either into your database or into a
00:45:43 local file system
00:45:45 but there's all sorts of aspects to can
00:45:47 to dig into on the security there so
00:45:50 let's say we've we've now secured PHP
00:45:53 we've secured our web server so we're
00:45:54 we're up to WordPress and I thought it
00:45:57 was pretty easy I just put WordPress in
00:45:58 the machine and I go in there and I
00:46:00 install a bunch of plugins and then in
00:46:01 that little WordPress admin user
00:46:03 interface it just says update all your
00:46:05 plugins I just click a little update
00:46:07 button and everything just updates it
00:46:08 works right for the most part actually
00:46:10 yeah except when it does it except when
00:46:14 it doesn't so that securing WordPress
00:46:16 can be almost as complicated as you want
00:46:18 or as simple as you want if you if you
00:46:20 know what you're doing so kind of the
00:46:23 same thing there you want to look at
00:46:24 what your attack surface is understand
00:46:26 so the best thing you can do is educate
00:46:29 yourself on web attacks like common
00:46:31 things the OWASP top 10 is a great place
00:46:34 to start and really understand what
00:46:36 attackers are doing and with the biggest
00:46:37 threats that face web face web
00:46:39 applications are and you can start with
00:46:42 that and take that knowledge and start
00:46:43 translating it into securing your site
00:46:45 itself the first most obvious place that
00:46:49 everyone should start is do you have SSL
00:46:51 all right are you supporting TLS and
00:46:54 there is no excuse for anyone at this
00:46:57 point to not be using TLS now Let's
00:47:00 Encrypt free yeah we both said it we
00:47:02 brain connection right there Let's
00:47:04 Encrypt free certificates for all yes
00:47:06 and it takes no time at all our platform
00:47:09 actually supports a complete integration
00:47:11 with it you can have a certificate set
00:47:13 up in under five minutes with a few
00:47:14 quick it's seamless yeah
00:47:17 it's free for everyone and what that
00:47:19 does is that allows you all traffic
00:47:21 that's going to and from your website to
00:47:22 be encrypted and that's important for
00:47:24 your your users that's also important
00:47:26 for you as an administrator so when
00:47:29 you're when you're making changes this
00:47:30 WordPress site you're connecting to it
00:47:32 remotely over the Internet and using the
00:47:33 WordPress admin panel and you want to
00:47:36 make very very certain that those
00:47:38 connections are encrypted otherwise you
00:47:41 face the risk of some one man in the
00:47:42 middling you and being able to basically
00:47:44 take over your website yeah so on my
00:47:47 website if I'm running WordPress should
00:47:48 I the admin panel I think it defaults to
00:47:51 /wp-admin that's correct yeah
00:47:54 should I leave it there no best practice
00:47:58 is to remove that also remove you know
00:48:00 the default admin user that's created
00:48:03 and then so you can sort of do some
00:48:06 security by obfuscation there and sort
00:48:09 of move things out of the expected
00:48:10 place and what that does is that raises
00:48:12 the bar significantly for attackers that
00:48:14 are doing these drive-by hits on your
00:48:16 site right they don't like all of a
00:48:19 sudden it's not very easy for them to
00:48:21 like find your login page and so they'll
00:48:23 move on to the next yeah cuz there's
00:48:25 there's maybe a billion WordPress sites
00:48:27 on the internet so right there is
00:48:29 there's over a billion it's about a
00:48:31 quarter of Internet I think twenty eight
00:48:33 percent the last time I check so it's a
00:48:35 wide variety and you'd be surprised some
00:48:38 of the sites that you're on that you're
00:48:39 like oh man this is actually a WordPress
00:48:40 site like it's become a very flexible
00:48:43 and expandable platform yeah so going in
00:48:46 on WordPress so you've got themes and
00:48:48 plugins and if I want to pick a theme or
00:48:52 plugin how do I know if it's safe and
00:48:54 secure it is there a Good Housekeeping
00:48:56 Seal of Approval out there on themes and
00:48:59 plugins is there something that says
00:49:00 these plugins are safe to use they've
00:49:02 got some reasonable level of auditing
00:49:05 and updating and patching and they have
00:49:07 developers in their community they're
00:49:09 paying attention to security mailing
00:49:11 lists yeah yeah and the best most
00:49:13 obvious place is the WordPress approved
00:49:15 like plug-in and theme repos so they
00:49:18 have a review process for people
00:49:20 submitting plug-ins to those yet sort of
00:49:22 like we talked about