
Securing WordPress in Azure the cheap way


WordPress is still the number one publishing platform for organizations and individuals, hence it draws the attention of many malicious actors. Protecting WordPress in the cloud seems like a huge challenge since the platform was not built with the cloud in mind.

In this talk I will explain the challenges WordPress faces in becoming a first-class cloud citizen, and how I solved these challenges without spending lots of money. If you like WordPress and you want to run it on your favorite cloud platform, then this session is for you!

DragonBe

May 01, 2023

Transcript

  1. Michelangelo van Dam
     • Web Application Developer since 1997
     • Certified PHP Developer since 2006
     • PHPBenelux Community leader since 2007
     • First Azure usage in 2012
     • Azure Technical Advisory Group (TAG) since 2016
     • Azure MVP since 2018
  2. Why this talk?
     1. Lots of people use WordPress (± 45% of all internet websites)
     2. Perfect example of a monolithic application
     3. Securing applications in Azure seems to be challenging for many
     4. It's fun to talk about my two passions: PHP and Azure 😄
  3. One-click install
     • In Azure Marketplace there's a one-click install for WordPress
     • Works great for non-critical usages with low traffic
     • Hard to modify and secure
     • A bit expensive
  4. Starting with WordPress in Azure
     • A Resource Group
     • A Linux App Service plan
     • A Web App service
     • An Azure database for MySQL*
     (*) In-app MySQL is only available for Windows Web Apps
     [Diagram: Resource Group containing an App Service Plan, a Web App and an Azure database for MySQL]
  5. Your Azure monthly bill
     Azure Resource                             SKU          Tier               Price per month
     Linux App Service Plan                     F1           Free               € 0.00
     Azure database for MySQL (Single Server)   B1           Basic              € 26.85
     Total                                                                      € 26.85
  6. Some limitations with this setup
     • All services are publicly accessible
     • Option to restrict traffic on Azure database for MySQL
     • Media files are uploaded to the Linux App Service
       • Not shared amongst instances
       • Limited disk capacity on the instance
     • No central monitoring, logging or alerting
     • No protection against malicious traffic
     [Diagram: Resource Group containing an App Service Plan, a Web App and an Azure database for MySQL]
  7. Adding a storage account
     • Logs can now be collected on the storage account
     • Media assets can be uploaded to the storage account (WordPress Plugin)
     • If necessary, we can enable CDN for faster delivery of these media assets
     • Database backups can be kept on the storage account
     [Diagram: Resource Group containing an App Service Plan, a Web App, an Azure database for MySQL and a Storage Account]
  8. Your Azure monthly bill
     Azure Resource                             SKU          Tier               Price per month
     Linux App Service Plan                     F1           Free               € 0.00
     Azure database for MySQL (Single Server)   B1           Basic              € 26.85
     Storage Account                            StandardV2   Standard (50GB)    € 27.64
     Total                                                                      € 54.59
  9. Microsoft Azure Storage for WordPress
     This WordPress plugin allows you to use Microsoft Azure Storage Service to host your media and uploads for your WordPress powered website. Microsoft Azure Storage is an effective way to infinitely scale storage of your site and leverage Azure's global infrastructure.
     See https://wordpress.org/plugins/windows-azure-storage/
  10. Adding Azure Insights
     With Azure Insights you enable monitoring and alerting on abnormal events.
     [Diagram: Resource Group containing an App Service Plan, a Web App, an Azure database for MySQL, a Storage Account and Azure Insights]
  11. Your Azure monthly bill
     Azure Resource                             SKU          Tier               Price per month
     Linux App Service Plan                     F1           Free               € 0.00
     Azure database for MySQL (Single Server)   B1           Basic              € 26.85
     Storage Account                            StandardV2   Standard (50GB)    € 27.64
     Azure Insights                                                             € 0.00
     Total                                                                      € 54.59
  12. Adding Azure Key Vault
     With Azure Key Vault you can keep the connection values for database, storage and integrated services (like payment and shipping) secure.
     [Diagram: Resource Group containing an App Service Plan, a Web App, an Azure database for MySQL, a Storage Account, Azure Insights and Key Vault]
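As an added example (not code from the deck), the following wp-config.php fragment shows how Key Vault values reach WordPress on App Service without ever being written into the config file: each value is an App Service app setting whose value is a Key Vault reference, which App Service resolves through the Web App's managed identity and exposes to PHP as an environment variable. The setting names and the storage plugin constants used here are assumptions for this example.

```php
<?php
// wp-config.php fragment (added example). Each environment variable below
// is an App Service app setting holding a Key Vault reference, for instance:
//   DB_PASSWORD = @Microsoft.KeyVault(SecretUri=https://<vault>.vault.azure.net/secrets/db-password/)
// App Service resolves the reference at startup with the Web App's managed
// identity. Setting names are assumptions for this example.

function azure_secret(string $name): string
{
    $value = getenv($name);

    // Fail closed. If a Key Vault reference cannot be resolved (wrong access
    // policy, missing identity, typo in the URI) App Service hands PHP the
    // literal reference string instead of the secret, so treat that like a
    // missing value rather than letting WordPress try to log in with it.
    if ($value === false || $value === '' || strpos($value, '@Microsoft.KeyVault(') === 0) {
        http_response_code(500);
        exit('Missing or unresolved configuration value: ' . $name);
    }
    return $value;
}

// Database connection values, none of them hard-coded in this file.
define('DB_NAME',     azure_secret('DB_NAME'));
define('DB_USER',     azure_secret('DB_USER'));
define('DB_PASSWORD', azure_secret('DB_PASSWORD'));
define('DB_HOST',     azure_secret('DB_HOST'));
define('DB_CHARSET',  'utf8mb4');
define('DB_COLLATE',  '');

// Azure Database for MySQL enforces TLS by default; make WordPress's mysqli
// connection use it so credentials never cross the network in clear text.
define('MYSQL_CLIENT_FLAGS', MYSQLI_CLIENT_SSL);

// Storage account credentials for the Microsoft Azure Storage for WordPress
// plugin, delivered the same way. The constant names are taken from that
// plugin's documentation and assumed here; check them against your version.
define('MICROSOFT_AZURE_ACCOUNT_NAME', azure_secret('AZURE_STORAGE_ACCOUNT_NAME'));
define('MICROSOFT_AZURE_ACCOUNT_KEY',  azure_secret('AZURE_STORAGE_ACCOUNT_KEY'));
```

For the references to resolve, the Web App needs a system-assigned managed identity and that identity needs secret get permission on the vault; rotating a secret in Key Vault then only requires an app restart, not a config change.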
  13. Your Azure monthly bill
     Azure Resource                             SKU          Tier               Price per month
     Linux App Service Plan                     F1           Free               € 0.00
     Azure database for MySQL (Single Server)   B1           Basic              € 26.85
     Storage Account                            StandardV2   Standard (50GB)    € 27.64
     Azure Insights                                                             € 0.00
     Azure Key Vault                                                            € 0.00
     Total                                                                      € 54.59
  14. WordPress is very attractive to malicious actors
     • Built with minimal security in mind
     • Contains lots of valuable (personal) data when used for eCommerce, event management, training platform, trading exchange or a popular blog
     • Used as proxy for spamming, phishing or other nefarious activities
  15. Layered security
     • Virtual Networking
     • Web Application Firewall (WAF)
     • Virtual Private Network (VPN) Gateway
  16. Typical network segmentation
     [Diagram: Frontend Network and Backend Network, with Reverse Proxy, Web Server, PHP FPM, MySQL and File Server]
  17. A secured network segmentation
     [Diagram: Secured VNet with a Public Subnet and a Restricted Subnet; Internet, CDN, Application Gateway with WAF, Web App, MySQL, Storage Account, Azure Key Vault and Site Admin]
  18. Your Azure monthly bill
     Azure Resource                             SKU          Tier               Price per month
     Linux App Service Plan                     F1           Free               € 0.00
     Azure database for MySQL (Single Server)   B1           Basic              € 26.85
     Storage Account                            StandardV2   Standard (50GB)    € 27.64
     Azure Insights                                                             € 0.00
     Azure Key Vault                                                            € 0.00
     Application Gateway + WAF                  Small        Basic              € 18.54
     CDN                                        Microsoft    Classic            € 0.37
     Total                                                                      € 73.40
  19. Static Frontend (advanced)
     [Diagram: Secured VNet with a Restricted Subnet; Internet, CDN, Storage Account (Static Websites + Blob Storage) serving Static Assets, API Management, Redis Cache, WordPress Resource Group with Web App, Azure Key Vault and Site Admin]
  20. Your Azure monthly bill
     Azure Resource                             SKU          Tier               Price per month
     Linux App Service Plan                     F1           Free               € 0.00
     Azure database for MySQL (Single Server)   B1           Basic              € 26.85
     Storage Account                            StandardV2   Standard (50GB)    € 27.64
     Azure Insights                                                             € 0.00
     Azure Key Vault                                                            € 0.00
     Application Gateway + WAF                  Small        Basic              € 18.54
     CDN                                        Microsoft    Classic            € 0.37
     API Management                                          Basic              € 133.26
     Total                                                                      € 206.66
  21. Scale up when needed
     • For € 75 a month you have a scalable, secure WordPress setup
     • For € 200 a month you now have a high-performant API-first WordPress
     • Protects against common attack vectors used against WordPress
     • Recovery is fast and reliable with upgraded storage redundancy
  22. Microsoft's recommendation
     Source: https://learn.microsoft.com/en-us/azure/architecture/example-scenario/infrastructure/wordpress
  23. Lessons learned
     • Start with basics
     • Layer more security over time
     • Learn about the security it brings
     • Grow with budget in control
     • Security is an evolution, adapt along with it
     • Works also for other monolithic "legacy" applications