Alt Hacks – WordCamp Philly 2017

Transcript

1. None

2. Daniel Olson @emaildano Alternative Hacks WordPress Security from
 the Outside

   Looking In

3. Daniel Olson, COO @emaildano

4. We develop WordPress
 products on AWS

5. None
6. None

7. Philadelphia

8. None

9. Kobe

10. Kobe Niigata

11. Kobe Tokyo Niigata

12. Kobe Sendai Tokyo Niigata

13. Kobe Sendai Tokyo Niigata Fukuoka

14. Let’s talk WordPress Security!

15. What is WordPress Security?

16. WordPress Security is Web Security This is not a plugin

    talk

17. Phases + Stakeholders

18. Phases Planning – Development – Post Launch

19. Stakeholders You – Client – Users

20. 5 Tips

21. Tip 1 Old Habits
 Die Hard

22. Tip 1 Old Habits
 Die Hard

23. Adjust your Workflow

24. Workflow Find that weak link and fix it

25. Workflow Lobby for the right fix Not the quick fix

26. Workflow Lobby for the right fix Not the quick fix

    (But compromise)

27. Workflow Versioning Release Candidates for
 Personal Micro Improvements

28. sourcemaking.com @sourcemaking

29. AntiPattern
 - SourceMaking - “commonly occurring solution to a problem

    that generates decidedly negative consequences”

30. Design Pattern
 - SourceMaking - “An approach to a solution

    to a commonly occurring problem that’s repeatable and
 is not a finished design”

31. Workflow ⇣ AntiPattern ⇣ Design Pattern

32. Tip 2 Create a disaster plan

33. Tip 2 Create a disaster plan

34. Disaster Plans Discuss them, early and often

35. – Someone “If your data is in one place, it’s

    no place.”

36. Disaster Plans Total Data Loss Client or Customer Data Hack

    Unexpected downtime & downtime Alerts

37. pingdom, uptime robot, etc.

38. Backup efficiently,
 not aggressively

39. Write an SLA A Service Level Agreement will define
 who’s

    responsable for what

40. Tip 3 Read the 12 Factor App

41. Tip 3 Read the 12 Factor App

42. 12factor.net

43. I. Codebase
 One codebase tracked in revision control, many deploys

    II. Dependencies
 Explicitly declare and isolate dependencies III. Config
 Store config in the environment IV. Backing services
 Treat backing services as attached resources V. Build, release, run
 Strictly separate build and run stages VI. Processes
 Execute the app as one or more stateless processes VII. Port binding
 Export services via port binding VIII. Concurrency
 Scale out via the process model IX. Disposability
 Maximize robustness with fast startup and graceful shutdown X. Dev/prod parity
 Keep development, staging, and production as similar as possible XI. Logs
 Treat logs as event streams XII. Admin processes
 Run admin/management tasks as one- off processes

44. I. Codebase
 One codebase tracked in revision control, many deploys

    II. Dependencies
 Explicitly declare and isolate dependencies III. Config
 Store config in the environment

45. I. Codebase
 One codebase tracked in revision control, many deploys

46. II. Dependencies
 Explicitly declare and isolate dependencies

47. III. Config
 Store config in the environment

48. I. Codebase
 One codebase tracked in revision control, many deploys

    II. Dependencies
 Explicitly declare and isolate dependencies III. Config
 Store config in the environment

49. roots/sage — j2made/apollo

50. Tip 4 Think critically about hosting

51. Tip 4 Think critically about hosting

52. Web Hosting Find the right fit

53. Web Hosting Hammered with bot traffic Secure Connections Recovery, Scaling,

    Automation

54. Bot Traffic Put your server to work and serve static

    404s
 with NGINX, Apache, or .htaccess

55. Secure Connections

56. Secure Connections Limit IPs and ports Force SFTP or SSH

    over FTP HTTPs Always

57. Tip 5 Go Serverless

58. WTF is..
 Serverless

59. src: http://www.gartner.com/newsroom/id/3784363

60. None

61. Serverless "There is no such thing as 'serverless'.
 It's just

    someone else's problem" src: https://news.ycombinator.com/item?id=12349388

62. Serverless is a design pattern.

63. Serverless is a concept that is
 currently running in production.

64. Okay, so.. What’s Serverless IRL?

65. A Simple Example

66. index.html

67. Button index.html

68. Button Hello, the current
 time is 2:45pm index.html

69. 'use strict'; module.exports.endpoint = (event, context, callback) => { const

    response = { statusCode: 200, body: JSON.stringify({ message: `Hello, the current time is ${new Date().toTimeString()}.`, }), }; callback(null, response); }; getTime.js src: https://github.com/serverless/examples/tree/master/aws-node-simple-http-endpoint

70. getTime.js Hello, the current
 time is 2:45pm index.html Your Hosting

    Server

71. getTime.js Hello, the current
 time is 2:45pm index.html Your Hosting

    Server

72. getTime.js Hello, the current
 time is 2:45pm index.html Your Hosting

    Server

73. What if that function didn’t have to run on your

    server?

74. What if that function didn’t have to run on your

    server? It doesn’t have to!

75. Hello, the current
 time is 2:45pm Your Hosting Server getTime.js

    index.html

76. Hello, the current
 time is 2:45pm Your Hosting Server Button

    index.html </> getTime.js 3rd Party Service

77. Your Hosting Server </> getTime.js 3rd Party Service index.html 3rd

    Party Service CDN

78. </> getTime.js 3rd Party Service index.html 3rd Party Service CDN

79. Serverless WordPress Model

80. None

81. A Few Other Things

82. A Few Other Things

83. WordPress Plugins They are not a cure-all Definitely still need

    them More != Better

84. WordPress Plugins Learn what they actually do Can you apply

    what they do without them?

85. Tinfoil File Permissions When in doubt, follow the docs 777

    Stackoverflow person is
 not your friend

86. Hashing and MD5 define('AUTH_KEY', 'rBN}%iAh*I`qlv{@+`YKKH5[+YUod+Dw%8rS`G]GW+=_Y*=0KU~LiwcmlATNNDl-'); define('SECURE_AUTH_KEY', ':$]e6IE~g!_zyzN)@,@<>M=^5^Ee20O&I,-McveFiAUd}ChL}Ru*7I?cTOt+J{3_'); define('LOGGED_IN_KEY', 'q%Y^|1Fsav^a)Z(Tuhlu~~08>gDC@N?MLum .N(cD

    5[VMR.cKEY{[M+}b<Wb+B@'); define('NONCE_KEY', 'z7B_^%WiSBcbqboq>~`{:WYH(K0;Xo)6JpKWKE%_`mSXEjq<`!#yE,q8P?Olu^=!'); define('AUTH_SALT', '|E&3v!xyl22AJvbwmhNh2:kPkF4H|b]fb m5G%1+<m-54}=#fWbR7M(o).Eo9s$4'); define('SECURE_AUTH_SALT', 'eg*-mSFE?1Vt-V*:EgKKNYP8a|AW<[IYJ3cxR!.FRV/l_Q@N|r0r>GR:)l<c%qp3'); define('LOGGED_IN_SALT', ':Uc5.yBt5Pj:HV >sYf5I.;LEs1-vgz-+)U|*>]U=Sq!sPmJSG=R+xqR|dh]aeAO'); define('NONCE_SALT', 'K0xAvt.=H]!45K_9^2!)8LoUqD%$Nu,k_)3pjC3o6{/9--aJ*g_;{c,%,01-|?[p');

87. – WordPress.org “MD5 is used by default because
 it’s supported

    on all platforms”

88. Try bcrypt, SHA512, scrypt

89. Take Aways

90. Happens Learn from your mistakes

91. Secure Secure

92. Approach security as a design problem
 and less of a

    technical problem

93. Thank you!

94. Thank you!

95. Daniel Olson DigitalCube, COO @emaildano