Meeting Notes: October 13, 2015

Agenda

  • Greetings
  • Hardening WordPress – Tabby Chapman, OIT

Files

Hardening WordPress

Is WordPress insecure?

  • WordPress does not provide any automated security during installation. WordPress takes security seriously, but you need to take extra steps to ensure WordPress is “hardened” to help prevent hacking.
  • Great information on the WordPress Codex: http://codex.wordpress.org/Hardening_WordPress

Where to start?

Host

  • Make sure your host is up to security standards including restricting ports, two-factor authentication, etc.
  • Make sure the server is running the most stable versions of all software (PHP, MySQL, Apache, etc.)
  • Make sure the hosting provider provides reliable methods for backup and recovery.

Website Application (WordPress core, Themes & Plugins)

  • Make sure you are using the latest stable code. Keep WordPress and your themes and plugins up to date.
  • Make sure to vet your third-party software (plugins, themes). Download and purchase from reliable sources.
  • Make sure standards are followed in themes and plugins. If you don’t know how, find a WordPress developer resource.

Things to Consider

  • UCI Related
    • Never use WordPress for restricted or confidential data. The upload process is not secure, and making uploads secure takes a lot of work. Google has been known to index the uploads directory.
    • More information on data classification: http://security.uci.edu/plan-classification.php
  • Restrict Access
    • Only make accounts for those who need them and only give them the minimum amount of access they need to complete a task. Use appropriate roles for what the user needs to do on the site. See the Codex for default Roles and Capabilities – https://codex.wordpress.org/Roles_and_Capabilities
    • Don’t use “admin” as the administrator account. If it exists, create another administrator account with a different name and remove the “admin” account. This is the most common username used in malicious login attempts.
    • If you are running a WordPress Multisite installation only give Network Administrator access to people administering the service. Give Site Admin access to the sites needed on an individual basis.
    • Disable registration if it is not used or needed. (It should be off by default, but check it under Settings > General > Membership.)
    • Turn off comments by default. Unless you are using comments, this can be a vector for hacking as bots can use comments to try to inject code or links to bad sites. If you don’t do this early on, you will need to manually turn off comments for published Posts. You can manually turn on comments on a Post by Post basis. As of WordPress 4.3, comments are only available for Posts and not Pages.
  • Server Containment
    • Ensure that your server account is restricted to just that site and cannot access other sites.
    • Set the correct permissions on files and directories.
  • Backups and Recovery
    • Back up your site and database regularly, off the server. (You can keep copies on the server, too, but you will want off-server versions in case the entire server is compromised.)
    • Practice backup/recovery often so you will know how to do it if/when you actually need it.
  • Use Trusted Sources
    • Only use plugins and themes from “trusted sources”.
    • At UCI, Sylvia provides a list of plugins we use and trust:
    • We also use plugins from WPMUDev, Rocket Genius, WooThemes. These are large, well-known companies with a good reputation and constant updates (frequent updates are a sign of active maintenance, not a burden).
    • Not every theme is okay. Check reviews and Google the theme.
    • If you make changes to a theme, make a child theme so that your changes are kept when the theme is upgraded. – https://codex.wordpress.org/Child_Themes
  • Make sure your computer is secure
    • No amount of security will matter if your computer is compromised, particularly with a key-logger.
    • This applies to all operating systems, Mac and Linux, too, but particularly to Windows.
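As an added example (not from the meeting or the WordPress project) of the “Server Containment” item on file and directory permissions, the following POSIX shell functions apply and audit the scheme the Codex hardening page recommends: directories 755, files 644, and wp-config.php 600. It assumes the web server does not need write access to these paths; hosts that run PHP under a separate group may prefer 750/640 instead.

```shell
#!/bin/sh
# Apply the Codex permission scheme to a WordPress tree (assumed layout:
# wp-config.php at the install root). Usage: harden_wp_perms /path/to/wordpress
harden_wp_perms() {
  root="$1"
  [ -d "$root" ] || { echo "not a directory: $root" >&2; return 1; }
  # Directories: owner rwx, everyone else read/traverse only.
  find "$root" -type d -exec chmod 755 {} +
  # Regular files: owner rw, everyone else read-only.
  find "$root" -type f -exec chmod 644 {} +
  # wp-config.php holds database credentials and salts: owner-only.
  [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
  return 0
}

# Print the number of paths that deviate from the scheme (0 means clean).
# Useful as a periodic check, since plugin installs and uploads can loosen modes.
audit_wp_perms() {
  root="$1"
  n=0
  n=$((n + $(find "$root" -type d ! -perm 755 | wc -l)))
  n=$((n + $(find "$root" -type f ! -name wp-config.php ! -perm 644 | wc -l)))
  if [ -f "$root/wp-config.php" ]; then
    n=$((n + $(find "$root/wp-config.php" ! -perm 600 | wc -l)))
  fi
  echo "$n"
}
```

Run the audit from cron and alert on a non-zero count; run the hardening step after every plugin or theme install.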

Automatic Updates

WordPress is not invulnerable! While they take security seriously, it is up to you to keep it up to date. As of WordPress 3.7, security updates will happen automatically unless you have disabled it or are using some sort of version control to do your updates. However, WordPress will only do security updates a few versions back, so stay on top of feature updates, too. Feature updates will be two numbers, for example 4.3. Security updates will be three numbers, for example 4.3.1. You can wait a few weeks for a feature update before applying the update.

Discussion

We talked a little about security plugins. WordFence (https://wordpress.org/plugins/wordfence/) and Sucuri Security (https://wordpress.org/plugins/sucuri-scanner/) are good ones. WordFence can help enforce strong passwords, check for file changes, lock out repeated login attempts, and notify you when updates are needed, among other things. Sucuri can monitor activity, check for file changes, scan for malware, etc. Both have free versions and paid versions with more features.

Conclusion

This is a brief overview. There is a lot more great information on the Slides and Replay presentation linked above.

A big thank you to Tabby for sharing her wealth of expertise. We will likely meet again in early December. If anyone has something they want to present or discuss, let Sylvia know.