Securing WordPress in Azure the cheap way

Transcript

1. Securing WordPress in Azure The cheap way 1

2. Michelangelo van Dam Web Applica ti on Developer since 1997

   Cer ti fi ed PHP Developer since 2006 PHPBenelux Community leader since 2007 First Azure usage in 2012 Azure Technical Advisory Group (TAG) since 2016 Azure MVP since 2018 2

3. Why this talk? 1. Lots of people use WordPress (±

   45% of all internet websites) 2. Perfect example of a monolithic applica ti on 3. Securing applica ti ons in Azure seems to be challenging for many 4. It’s fun to talk about my two passions: PHP and Azure 😄 3

4. One-click install • In Azure Marketplace there’s a one-click install

   for WordPress • Works great for non-cri ti cal usages with low tra ffi c • Hard to modify and secure • Bit of expensive 4

5. Star ti ng with WordPress in Azure 5 • A

   Resource Group • A Linux App Service plan • A Web App service • An Azure database for MySQL* (*) In-app MySQL is only available for Windows Web Apps Web App Azure database for MySQL App Service Plan Resource Group

6. Your Azure monthly bill 6 Azure Resource SKU Tier Price

   per month Linux App Service Plan F1 Free € 0.00 Azure database for MySQL
 (Single Server) B1 Basic € 26.85 € 26.85

7. Some limita ti ons with this setup 7 • All

   services are publicly accessible • Op ti on to restrict tra ff i c on Azure database for MySQl • Media fi les are uploaded to the Linux App Service • Not shared amongst instances • Limited disk capacity on the instance • No central monitoring, logging or aler ti ng • No protec ti on against malicious tra ffi c Web App Azure database for MySQL App Service Plan Resource Group

8. Adding a storage account 8 • Logs can now be

   collected on the storage account • Media assets can be uploaded to the storage account (WordPress Plugin) • If necessary, we can enable CDN for faster delivery of these media assets • Database backups can be kept on the storage account Web App Azure database for MySQL App Service Plan Resource Group Storage Account

9. Your Azure monthly bill 9 Azure Resource SKU Tier Price

   per month Linux App Service Plan F1 Free € 0.00 Azure database for MySQL
 (Single Server) B1 Basic € 26.85 Storage Account StandardV2 Standard (50GB) € 27.64 € 54.59

10. Microso ft Azure Storage for WordPress This WordPress plugin allows

    you to use Microso ft Azure Storage Service to host your media and uploads for your WordPress powered website. Microso ft Azure Storage is an e ff ec ti ve way to in fi nitely scale storage of your site and leverage Azure’s global infrastructure. See h tt ps://wordpress.org/plugins/windows-azure- storage/ 10

11. Adding Azure Insights 11 With Azure insights you enable monitoring

    and aler ti ng on abnormal events Web App Azure database for MySQL App Service Plan Resource Group Storage Account Azure Insights

12. Your Azure monthly bill 12 Azure Resource SKU Tier Price

    per month Linux App Service Plan F1 Free € 0.00 Azure database for MySQL
 (Single Server) B1 Basic € 26.85 Storage Account StandardV2 Standard (50GB) € 27.64 Azure Insights € 0.00 € 54.59

13. Adding Azure Key Vault 13 With Azure Key Vault you

    can keep the connec ti on values for database, storage and integrated services (like payment and shipping) secure Web App Azure database for MySQL App Service Plan Resource Group Storage Account Azure Insights Key Vault

14. Your Azure monthly bill 14 Azure Resource SKU Tier Price

    per month Linux App Service Plan F1 Free € 0.00 Azure database for MySQL
 (Single Server) B1 Basic € 26.85 Storage Account StandardV2 Standard (50GB) € 27.64 Azure Insights € 0.00 Azure Key Vault € 0.00 € 54.59

15. Improving security further 15

16. WordPress is very a tt rac ti ve to malicious

    actors • Built with minimal security in mind • Contains lots of valuable (personal) data when used for eCommerce, event management, training pla tf orm, trading exchange or a popular blog • Used as proxy for spamming, phishing or other neferious ac ti vies 16

17. Layered security • Virtual Networking • Web Applica ti on

    Firewall (WAF) • Virtual Private Network (VPN) Gateway 17

18. Frontend Network Backend Network Typical network segmenta ti on 18

    Reverse Proxy Web Server PHP FPM MySQL File Server

19. Not directly applicable in cloud 19 Frontend Subnet Backend Subnet

    Private Network

20. A secured network segmenta ti on 20 Restricted Subnet Public

    Subnet Secured VNet Site Admin Azure Key Vault MySQL Storage Account Web App WAF Applica ti on Gateway CDN Internet

21. Your Azure monthly bill 21 Azure Resource SKU Tier Price

    per month Linux App Service Plan F1 Free € 0.00 Azure database for MySQL
 (Single Server) B1 Basic € 26.85 Storage Account StandardV2 Standard (50GB) € 27.64 Azure Insights € 0.00 Azure Key Vault € 0.00 Application Gateway + WAF Small Basic € 18.54 CDN Microsoft Classic € 0.37 € 73.40

22. Making use of WordPress API 22

23. Sta ti c Frontend (advanced) 23 Restricted Subnet Secured VNet

    Site Admin Redis Cache API Management Wordpress Resource Group Storage Account (Sta ti c Websites + Blob Storage) CDN Internet Web App Azure Key Vault Sta ti c Assets

24. Your Azure monthly bill 24 Azure Resource SKU Tier Price

    per month Linux App Service Plan F1 Free € 0.00 Azure database for MySQL
 (Single Server) B1 Basic € 26.85 Storage Account StandardV2 Standard (50GB) € 27.64 Azure Insights € 0.00 Azure Key Vault € 0.00 Application Gateway + WAF Small Basic € 18.54 CDN Microsoft Classic € 0.37 API Management Basic € 133.26 € 206.66

25. Scale up when needed • For € 75 a month

    you have a scalable, secure WordPress setup • For € 200 a month you now have a high-performant API- fi rst WordPress • Protects against common a tt ack vectors used against WordPress • Recovery is fast and reliable with upgraded storage redundancy 25

26. Or you can go “all the way” 26

27. Microso ft ’s recommenda ti on 27 Source: h tt

    ps://learn.microso ft .com/en-us/azure/architecture/example-scenario/infrastructure/wordpress

28. Not just WordPress… 28

29. Works also for other pla tf orms 29

30. Lessons learned • Start with basics • Layer more security

    over ti me • Learn about the security it brings • Grow with budget in control • Security is an evolu ti on, adapt along with it • Works also for other monolithic “legacy” applica ti ons 30

31. Resources to learn more 31

32. Thank you 🙏 in2.se/azure-wp 32 DragonBe [email protected] DragonBe DragonBe DragonBe

    DragonBe Happy to answer your ques ti ons