Securing WordPress in Azure the cheap way

WordPress is still the number one publishing platform for organizations and individuals, hence it draws the attention of many malicious actors. Protecting WordPress in the cloud seems like a huge challenge since the platform was not built with the cloud in mind.

In this talk I will explain the challenges WordPress faces in becoming a first-class cloud citizen, and how I solved these challenges without spending lots of money. If you like WordPress and you want to run it on your favorite cloud platform, then this session is for you!

DragonBe

May 01, 2023

Transcript

  1. Securing WordPress in Azure
    The cheap way

  2. Michelangelo van Dam
    Web Application Developer since 1997
    Certified PHP Developer since 2006
    PHPBenelux Community leader since 2007
    First Azure usage in 2012
    Azure Technical Advisory Group (TAG) since 2016
    Azure MVP since 2018

  3. Why this talk?
    1. Lots of people use WordPress (± 45% of all internet websites)
    2. Perfect example of a monolithic application
    3. Securing applications in Azure seems to be challenging for many
    4. It’s fun to talk about my two passions: PHP and Azure 😄

  4. One-click install
    • In Azure Marketplace there’s a one-click install for WordPress
    • Works great for non-critical usages with low traffic
    • Hard to modify and secure
    • A bit expensive

  5. Starting with WordPress in Azure
    • A Resource Group
    • A Linux App Service plan
    • A Web App service
    • An Azure database for MySQL*
    (*) In-app MySQL is only available for Windows Web Apps
    (Diagram: Resource Group containing the App Service Plan, the Web App and the Azure database for MySQL)

  6. Your Azure monthly bill
    Azure Resource                              SKU         Tier             Price per month
    Linux App Service Plan                      F1          Free             € 0.00
    Azure database for MySQL (Single Server)    B1          Basic            € 26.85
    Total                                                                    € 26.85

  7. Some limitations with this setup
    • All services are publicly accessible
    • Option to restrict traffic on Azure database for MySQL
    • Media files are uploaded to the Linux App Service
      • Not shared amongst instances
      • Limited disk capacity on the instance
    • No central monitoring, logging or alerting
    • No protection against malicious traffic
    (Diagram: Resource Group containing the App Service Plan, the Web App and the Azure database for MySQL)

  8. Adding a storage account
    • Logs can now be collected on the storage account
    • Media assets can be uploaded to the storage account (WordPress Plugin)
    • If necessary, we can enable CDN for faster delivery of these media assets
    • Database backups can be kept on the storage account
    (Diagram: Resource Group containing the App Service Plan, the Web App, the Azure database for MySQL and the Storage Account)

  9. Your Azure monthly bill
    Azure Resource                              SKU         Tier             Price per month
    Linux App Service Plan                      F1          Free             € 0.00
    Azure database for MySQL (Single Server)    B1          Basic            € 26.85
    Storage Account                             StandardV2  Standard (50GB)  € 27.64
    Total                                                                    € 54.59

  10. Microsoft Azure Storage for WordPress
    This WordPress plugin allows you to use Microsoft Azure Storage Service to host your media and uploads for your WordPress powered website. Microsoft Azure Storage is an effective way to infinitely scale storage of your site and leverage Azure’s global infrastructure.
    See https://wordpress.org/plugins/windows-azure-storage/

  11. Adding Azure Insights
    With Azure Insights you enable monitoring and alerting on abnormal events
    (Diagram: Resource Group containing the App Service Plan, the Web App, the Azure database for MySQL, the Storage Account and Azure Insights)

  12. Your Azure monthly bill
    Azure Resource                              SKU         Tier             Price per month
    Linux App Service Plan                      F1          Free             € 0.00
    Azure database for MySQL (Single Server)    B1          Basic            € 26.85
    Storage Account                             StandardV2  Standard (50GB)  € 27.64
    Azure Insights                                                           € 0.00
    Total                                                                    € 54.59

  13. Adding Azure Key Vault
    With Azure Key Vault you can keep the connection values for database, storage and integrated services (like payment and shipping) secure
    (Diagram: Resource Group containing the App Service Plan, the Web App, the Azure database for MySQL, the Storage Account, Azure Insights and Key Vault)
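As an added example (not code from the deck, from WordPress or from the plugin), a wp-config.php fragment showing what this slide means in practice: the database and storage connection values stay out of the file, App Service resolves Key Vault references into environment variables through the Web App's managed identity, and the file also forces TLS to the database and HTTPS for the admin area. The setting names (DB_*, AZURE_STORAGE_*), the container name and the plugin constant names are assumptions.

```php
<?php
// wp-config.php fragment (added example; not from the deck, WordPress or the plugin).
// No connection value is written here: each is an App Service app setting whose value is
// a Key Vault reference, resolved at runtime through the Web App's managed identity, e.g.
//   DB_PASSWORD = @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/db-password/)

// Read a required setting from the environment and fail closed when it is absent,
// instead of letting WordPress start with an empty credential.
function wp_azure_required_env(string $name): string
{
    $value = getenv($name);
    if ($value === false || $value === '') {
        http_response_code(500);
        exit('Missing required setting: ' . $name);
    }
    return $value;
}

define('DB_NAME',     wp_azure_required_env('DB_NAME'));
define('DB_USER',     wp_azure_required_env('DB_USER'));     // Single Server expects user@servername
define('DB_PASSWORD', wp_azure_required_env('DB_PASSWORD'));
define('DB_HOST',     wp_azure_required_env('DB_HOST'));     // <server>.mysql.database.azure.com
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');

// Azure Database for MySQL enforces TLS by default; have WordPress's mysqli driver
// negotiate an encrypted connection rather than attempt plaintext.
define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);

// Media uploads go to the storage account via the windows-azure-storage plugin; its
// account key is a Key Vault reference too. Constant names as recalled from the plugin's
// documentation (assumption: verify against the installed plugin version).
define('MICROSOFT_AZURE_ACCOUNT_NAME', wp_azure_required_env('AZURE_STORAGE_ACCOUNT'));
define('MICROSOFT_AZURE_ACCOUNT_KEY',  wp_azure_required_env('AZURE_STORAGE_KEY'));
define('MICROSOFT_AZURE_CONTAINER',    'media');
define('MICROSOFT_AZURE_USE_FOR_DEFAULT_UPLOAD', true);

// Behind the Application Gateway/WAF, trust its X-Forwarded-Proto so is_ssl() is right.
// Only safe when the app is reachable through the gateway alone (the Restricted Subnet);
// otherwise a client could set the header itself.
if (($_SERVER['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
    $_SERVER['HTTPS'] = 'on';
}
define('FORCE_SSL_ADMIN', true);    // wp-admin and wp-login only over HTTPS
define('DISALLOW_FILE_EDIT', true); // no theme/plugin editor for a hijacked admin account

$table_prefix = 'wp_';
define('ABSPATH', __DIR__ . '/');
require_once ABSPATH . 'wp-settings.php';
```

The managed identity needs only a get permission on the secrets, so a leaked wp-config.php or a directory listing of the web root exposes no credential.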

  14. Your Azure monthly bill
    Azure Resource                              SKU         Tier             Price per month
    Linux App Service Plan                      F1          Free             € 0.00
    Azure database for MySQL (Single Server)    B1          Basic            € 26.85
    Storage Account                             StandardV2  Standard (50GB)  € 27.64
    Azure Insights                                                           € 0.00
    Azure Key Vault                                                          € 0.00
    Total                                                                    € 54.59

  15. Improving security further

  16. WordPress is very attractive to malicious actors
    • Built with minimal security in mind
    • Contains lots of valuable (personal) data when used for eCommerce, event management, training platform, trading exchange or a popular blog
    • Used as proxy for spamming, phishing or other nefarious activities

  17. Layered security
    • Virtual Networking
    • Web Application Firewall (WAF)
    • Virtual Private Network (VPN) Gateway

  18. Typical network segmentation
    (Diagram: a Frontend Network and a Backend Network spanning Reverse Proxy, Web Server, PHP FPM, MySQL and File Server)

  19. Not directly applicable in cloud
    (Diagram: a Private Network with a Frontend Subnet and a Backend Subnet)

  20. A secured network segmentation
    (Diagram: the Internet reaching the CDN and an Application Gateway with WAF in the Public Subnet of a Secured VNet; the Web App, MySQL, Storage Account, Azure Key Vault and Site Admin in the Restricted Subnet)

  21. Your Azure monthly bill
    Azure Resource                              SKU         Tier             Price per month
    Linux App Service Plan                      F1          Free             € 0.00
    Azure database for MySQL (Single Server)    B1          Basic            € 26.85
    Storage Account                             StandardV2  Standard (50GB)  € 27.64
    Azure Insights                                                           € 0.00
    Azure Key Vault                                                          € 0.00
    Application Gateway + WAF                   Small       Basic            € 18.54
    CDN                                         Microsoft   Classic          € 0.37
    Total                                                                    € 73.40

  22. Making use of WordPress API

  23. Static Frontend (advanced)
    (Diagram: WordPress Resource Group with a Secured VNet whose Restricted Subnet holds Site Admin, Web App, Redis Cache, API Management and Azure Key Vault; a Storage Account (Static Websites + Blob Storage) serving Static Assets through the CDN to the Internet)

  24. Your Azure monthly bill
    Azure Resource                              SKU         Tier             Price per month
    Linux App Service Plan                      F1          Free             € 0.00
    Azure database for MySQL (Single Server)    B1          Basic            € 26.85
    Storage Account                             StandardV2  Standard (50GB)  € 27.64
    Azure Insights                                                           € 0.00
    Azure Key Vault                                                          € 0.00
    Application Gateway + WAF                   Small       Basic            € 18.54
    CDN                                         Microsoft   Classic          € 0.37
    API Management                                          Basic            € 133.26
    Total                                                                    € 206.66

  25. Scale up when needed
    • For € 75 a month you have a scalable, secure WordPress setup
    • For € 200 a month you now have a high-performant API-first WordPress
    • Protects against common attack vectors used against WordPress
    • Recovery is fast and reliable with upgraded storage redundancy

  26. Or you can go “all the way”

  27. Microsoft’s recommendation
    Source: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/infrastructure/wordpress

  28. Not just WordPress…

  29. Works also for other platforms

  30. Lessons learned
    • Start with basics
    • Layer more security over time
    • Learn about the security it brings
    • Grow with budget in control
    • Security is an evolution, adapt along with it
    • Works also for other monolithic “legacy” applications

  31. Resources to learn more

  32. Thank you 🙏
    in2.se/azure-wp
    DragonBe [email protected]
    Happy to answer your questions