
Alt Hacks – WordCamp Philly 2017

emaildano
October 28, 2017


From plugins that promise a layer of security to lofty opinions about file permissions, it’s hard to tell what works. Simply put, a security plan that aims to slow down someone who’s already in your house isn’t really a plan. I’d like to discuss security as the foundation of a site rather than an add-on and approach this idea from the outside looking in. We’ll cover a high-level process on how to enhance security with version control, hosting and access management, third-party integrations and more. My goal is to highlight flaws in common practices and present alternative ones to create more secure WordPress sites. As a developer working with businesses and universities with thousands of hacking attempts per day, I’ve learned what works.



Transcript

  1. AntiPattern
     SourceMaking: “commonly occurring solution to a problem that generates decidedly negative consequences”
  2. Design Pattern
     SourceMaking: “An approach to a solution to a commonly occurring problem that’s repeatable and is not a finished design”
  3. Disaster Plans
     - Total data loss
     - Client or customer data hack
     - Unexpected downtime and downtime alerts
  4. The Twelve-Factor App
     I. Codebase: One codebase tracked in revision control, many deploys
     II. Dependencies: Explicitly declare and isolate dependencies
     III. Config: Store config in the environment
     IV. Backing services: Treat backing services as attached resources
     V. Build, release, run: Strictly separate build and run stages
     VI. Processes: Execute the app as one or more stateless processes
     VII. Port binding: Export services via port binding
     VIII. Concurrency: Scale out via the process model
     IX. Disposability: Maximize robustness with fast startup and graceful shutdown
     X. Dev/prod parity: Keep development, staging, and production as similar as possible
     XI. Logs: Treat logs as event streams
     XII. Admin processes: Run admin/management tasks as one-off processes
  5. The first three factors
     I. Codebase: One codebase tracked in revision control, many deploys
     II. Dependencies: Explicitly declare and isolate dependencies
     III. Config: Store config in the environment
  6. (Same slide again: I. Codebase, II. Dependencies, III. Config)
  7. Bot Traffic
     Put your server to work and serve static 404s with NGINX, Apache, or .htaccess
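One way to do what this slide recommends, shown for the NGINX option (an added example, not a config from the deck or its author): requests for PHP scripts or static assets that do not exist on disk get a static 404 straight from NGINX, so scanner probes never start a PHP-FPM worker or touch the WordPress database. The server name, document root, 404 page and FastCGI socket path are placeholders.

```nginx
# Added example (not from the deck): WordPress site block that answers bot
# probes for files that are not on disk with a static 404 instead of handing
# every miss to WordPress (index.php). Names and paths are placeholders.
server {
    listen 80;
    server_name example.com;               # placeholder
    root /var/www/example.com/public;      # placeholder: WordPress document root
    index index.php;

    # Static 404 page served from disk; create /404.html in the root yourself.
    # "internal" means it is only reachable through the error_page redirect.
    error_page 404 /404.html;
    location = /404.html {
        internal;
    }

    # Real files and directories are served directly; anything else is treated
    # as a WordPress permalink and routed to index.php.
    location / {
        try_files $uri $uri/ /index.php?$args;
    }

    # Asset-type requests that are not on disk are answered with the static
    # 404 here; they never fall through to index.php.
    location ~* \.(css|js|jpe?g|png|gif|ico|svg|woff2?)$ {
        try_files $uri =404;
        expires 30d;
    }

    # Only PHP files that actually exist are passed to PHP-FPM. A request for a
    # script that is not there (a scanner guessing filenames) gets the static
    # 404 without a PHP process ever being involved. The same try_files line
    # also stops PHP from resolving a non-existent script via PATH_INFO.
    location ~ \.php$ {
        try_files $uri =404;
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php/php-fpm.sock;   # placeholder socket path
    }
}
```

Check the effect with `nginx -t` and then compare the PHP-FPM or WordPress access logs before and after: probes for non-existent `.php` paths should now appear only in the NGINX log with a 404 status. Regex locations take precedence over the `/` prefix location, which is why the asset and PHP blocks short-circuit before the permalink fallback.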
  8. Serverless
     “There is no such thing as ‘serverless’. It’s just someone else’s problem”
     src: https://news.ycombinator.com/item?id=12349388
  9. getTime.js

     'use strict';

     // Lambda-style HTTP handler: build a JSON body with the current time and
     // hand it back through the callback as a 200 response.
     module.exports.endpoint = (event, context, callback) => {
       const response = {
         statusCode: 200,
         body: JSON.stringify({
           message: `Hello, the current time is ${new Date().toTimeString()}.`,
         }),
       };

       callback(null, response);
     };

     src: https://github.com/serverless/examples/tree/master/aws-node-simple-http-endpoint
  10. Diagram: a Button in index.html on Your Hosting Server calls getTime.js running on a 3rd Party Service, which replies “Hello, the current time is 2:45pm”.
  11. Tinfoil File Permissions
      When in doubt, follow the docs. The 777 Stack Overflow person is not your friend.
  12. Hashing and MD5

      define('AUTH_KEY',         'rBN}%iAh*I`qlv{@+`YKKH5[+YUod+Dw%8rS`G]GW+=_Y*=0KU~LiwcmlATNNDl-');
      define('SECURE_AUTH_KEY',  ':$]e6IE~g!_zyzN)@,@<>M=^5^Ee20O&I,-McveFiAUd}ChL}Ru*7I?cTOt+J{3_');
      define('LOGGED_IN_KEY',    'q%Y^|1Fsav^a)Z(Tuhlu~~08>gDC@N?MLum .N(cD5[VMR.cKEY{[M+}b<Wb+B@');
      define('NONCE_KEY',        'z7B_^%WiSBcbqboq>~`{:WYH(K0;Xo)6JpKWKE%_`mSXEjq<`!#yE,q8P?Olu^=!');
      define('AUTH_SALT',        '|E&3v!xyl22AJvbwmhNh2:kPkF4H|b]fb m5G%1+<m-54}=#fWbR7M(o).Eo9s$4');
      define('SECURE_AUTH_SALT', 'eg*-mSFE?1Vt-V*:EgKKNYP8a|AW<[IYJ3cxR!.FRV/l_Q@N|r0r>GR:)l<c%qp3');
      define('LOGGED_IN_SALT',   ':Uc5.yBt5Pj:HV >sYf5I.;LEs1-vgz-+)U|*>]U=Sq!sPmJSG=R+xqR|dh]aeAO');
      define('NONCE_SALT',       'K0xAvt.=H]!45K_9^2!)8LoUqD%$Nu,k_)3pjC3o6{/9--aJ*g_;{c,%,01-|?[p');