Securing WordPress in Azure the cheap way

Securing WordPress in Azure
The cheap way
1

View Slide

Michelangelo van Dam
Web Applica
ti
on Developer since 1997

Cer
ti fi
ed PHP Developer since 2006

PHPBenelux Community leader since 2007

First Azure usage in 2012

Azure Technical Advisory Group (TAG) since 2016

Azure MVP since 2018
2

View Slide

Why this talk?
1. Lots of people use WordPress (± 45% of all internet websites)

2. Perfect example of a monolithic applica
ti
on

3. Securing applica
ti
ons in Azure seems to be challenging for many

4. It’s fun to talk about my two passions: PHP and Azure 😄
3

View Slide

One-click install
• In Azure Marketplace there’s a one-click install
for WordPress

• Works great for non-cri
ti
cal usages with low
tra
ffi
c

• Hard to modify and secure

• Bit of expensive
4

View Slide

Star
ti
ng with WordPress in Azure
5
• A Resource Group

• A Linux App Service plan

• A Web App service

• An Azure database for MySQL*
(*) In-app MySQL is only available for Windows Web Apps
Web App Azure database for

MySQL
App Service Plan
Resource Group

View Slide

Your Azure monthly bill
6
Azure Resource SKU Tier Price per month
Linux App Service Plan F1 Free € 0.00
Azure database for MySQL 
(Single Server)
B1 Basic € 26.85
€ 26.85

View Slide

Some limita
ti
ons with this setup
7
• All services are publicly accessible

• Op
ti
on to restrict tra
ff
i
c on Azure database for
MySQl

• Media
fi
les are uploaded to the Linux App Service

• Not shared amongst instances

• Limited disk capacity on the instance

• No central monitoring, logging or aler
ti
ng

• No protec
ti
on against malicious tra
ffi
c

MySQL
App Service Plan
Resource Group

View Slide

Adding a storage account
8
• Logs can now be collected on the storage
account

• Media assets can be uploaded to the
storage account (WordPress Plugin)

• If necessary, we can enable CDN for
faster delivery of these media assets

• Database backups can be kept on the
storage account

MySQL
App Service Plan
Resource Group
Storage Account

View Slide

9
(Single Server)
B1 Basic € 26.85
Storage Account StandardV2
Standard

(50GB)
€ 27.64
€ 54.59

View Slide

Microso
ft
Azure Storage for WordPress
This WordPress plugin allows you to use Microso
ft
Azure Storage Service to host your media and
uploads for your WordPress powered website.
Microso
ft
Azure Storage is an e
ff
ec
ti
ve way to
in
fi
nitely scale storage of your site and leverage
Azure’s global infrastructure.

See h
tt
ps://wordpress.org/plugins/windows-azure-
storage/
10

View Slide

Adding Azure Insights
11
With Azure insights you enable monitoring
and aler
ti
ng on abnormal events

MySQL
App Service Plan
Resource Group
Storage Account
Azure Insights

View Slide

12
(Single Server)
B1 Basic € 26.85
Standard

(50GB)
€ 27.64
Azure Insights € 0.00
€ 54.59

View Slide

Adding Azure Key Vault
13
With Azure Key Vault you can keep the
connec
ti
on values for database, storage and
integrated services (like payment and
shipping) secure

MySQL
App Service Plan
Resource Group
Storage Account
Azure Insights
Key Vault

View Slide

14
(Single Server)
B1 Basic € 26.85
Standard

(50GB)
€ 27.64
Azure Key Vault € 0.00
€ 54.59

View Slide

Improving security further
15

View Slide

WordPress is very a
tt
rac
ti
ve to malicious actors
• Built with minimal security in mind

• Contains lots of valuable (personal) data when
used for eCommerce, event management,
training pla
tf
orm, trading exchange or a popular
blog

• Used as proxy for spamming, phishing or other
neferious ac
ti
vies
16

View Slide

Layered security
• Virtual Networking

• Web Applica
ti
on Firewall (WAF)

• Virtual Private Network (VPN) Gateway
17

View Slide

Frontend Network Backend Network
Typical network segmenta
ti
on
18
Reverse Proxy Web Server
PHP FPM
MySQL
File Server

View Slide

Not directly applicable in cloud
19
Frontend Subnet Backend Subnet
Private Network

View Slide

A secured network segmenta
ti
on
20
Restricted Subnet
Public Subnet
Secured VNet
Site Admin
Azure Key Vault
MySQL
Storage Account
Web App
WAF
Applica
ti
on

Gateway
CDN
Internet

View Slide

21
(Single Server)
B1 Basic € 26.85
Standard

(50GB)
€ 27.64
Application Gateway + WAF Small Basic € 18.54
CDN Microsoft Classic € 0.37
€ 73.40

View Slide

Making use of WordPress API
22

View Slide

Sta
ti
c Frontend (advanced)
23
Restricted Subnet
Secured VNet
Site Admin
Redis Cache
API Management
Wordpress Resource Group
Storage Account

(Sta
ti
c Websites + Blob Storage)
CDN
Internet Web App
Azure Key Vault
Sta
ti
c Assets

View Slide

24
(Single Server)
B1 Basic € 26.85
Storage Account StandardV2 Standard

(50GB)
€ 27.64
Application Gateway + WAF Small Basic € 18.54
CDN Microsoft Classic € 0.37
API Management Basic € 133.26
€ 206.66

View Slide

Scale up when needed
• For € 75 a month you have a scalable, secure WordPress setup

• For € 200 a month you now have a high-performant API-
fi
rst WordPress

• Protects against common a
tt
ack vectors used against WordPress

• Recovery is fast and reliable with upgraded storage redundancy
25

View Slide

Or you can go “all the way”
26

View Slide

Microso
ft
’s recommenda
ti
on
27
Source: h
tt
ps://learn.microso
ft
.com/en-us/azure/architecture/example-scenario/infrastructure/wordpress

View Slide

Not just WordPress…
28

View Slide

Works also for other pla
tf
orms
29

View Slide

Lessons learned
• Start with basics

• Layer more security over
ti
me

• Learn about the security it brings

• Grow with budget in control

• Security is an evolu
ti
on, adapt along with it

• Works also for other monolithic “legacy”
applica
ti
ons
30

View Slide

Resources to learn more
31

View Slide

Thank you 🙏
in2.se/azure-wp

32
DragonBe [email protected]
DragonBe
DragonBe
DragonBe
DragonBe Happy to answer your ques
ti
ons

View Slide

Securing WordPress in Azure the cheap way

Securing WordPress in Azure the cheap way

DragonBe

More Decks by DragonBe

Other Decks in Technology

Featured

Transcript