This page will serve as a point of entry into various WordPress Security related subjects. The constant will be to educate WordPress users about the importance of security and the various facets that make it up. What you will learn is that it's not a simple step, configuration or plugin installation that makes a difference. No, it's a series of steps and tool implementations that help you best improve your posture, in turn reducing your security risk.
We will cover a number of subjects pertaining to WordPress Security in a way that many are unable to. Below are a series of links that will dive deeper into each subject as required.
Pillars of WordPress Security
When we talk about WordPress Security we're going to talk about the various domains of security, specifically as they relate to the overarching security wheel.
For us at Sucuri this is a very important distinction that many people fail to make when talking about security. When you look at security this way you are able to quickly identify the areas in which you are most deficient in your own security posture. It also helps bring the point home that security is not a simple 10-step checklist, or feasible with the quick flip of the plugin switch. Instead it's a combination of good processes supported with good tools.
Protection and Malware Prevention
Stopping the Hackers from Exploiting Vulnerabilities in your WordPress website
When we talk about protection there are many facets to consider. The most common today revolves around something known as Brute Force attacks, sometimes confused with Denial of Service (DoS) attacks. Many will often talk about out-of-date software, but very few appreciate why out-of-date software is such a bad thing. When we look at the security wheel it's important to understand how each of the pillars plays a critical role in your overall security posture. And while protection is a critical piece, understanding what you're protecting, and more importantly why, makes all the difference in your overall security posture.
Monitoring and Malware Detection
Identify WordPress Security Issues like Malware and other Infections
Detection, since the beginning of time, has always been the red-headed stepchild of security. It's the unsexy side of security; it's often nitty-gritty work that no tool can fully consume. When you think protection, you think of tools you implement or configurations you make to help stop something bad from happening. When it comes to detection, however, you're talking about the idea that you'll identify when something goes wrong. You'll often couple your concerns with - "Why do I need detection if I need protection?"
With the ever increasing threat environment, no matter what level of protection a system may have, it will get compromised given a greater level of motivation and skill. - SANS Institute
While the answer is simple, many fail to understand it. In security, the idea of detection is a necessity. We recognize that security is comprised of tools and that no tool is the absolute solution. As such, we implement a variety of tools and processes, coupled with human support, for the most complete approach.
Incident Response and Hack Repair
When everything goes wrong, you need a solution to help you respond to security incidents.
Incident response is a very robust field, but as an end-user it is likely something you have never considered. This pillar of security speaks to the events that take place after a compromise. We often hear a lot about ways to prevent and what to look for, but very little time is spent on what to do after a compromise. That being said, it's perhaps one of the most important actions. This step is about not only responding to an incident, but analyzing the impacts of the event, and implementing controls and processes to help avoid it in the future.
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack (also known as an incident).
Administration and Maintenance
Often the most forgotten piece of security, basic administration goes a long way.
This is an extension of the existing Information Security wheel, but a critical one nonetheless. Because of the nature of how websites get online today, specifically the extensibility of platforms like WordPress, it's imperative we specifically call out functions that would normally be understood by webmasters, but that everyday website owners overlook. Today's webmasters have a different makeup than the webmasters of yesterday, especially when it comes to WordPress. The common message end-users get from their design / development shops is the ease of use of the platform. Sometimes, though, this oversimplification is done to a fault, and the basic responsibilities of being a good webmaster are lost on the website owner.
It's because of this that we have to extend the existing security wheel to include elements that would otherwise be accounted for in large enterprises, and integrate it in a concise manner for everyday website owners.
Best Practice and Principles
Some of the most common principles are the most effective at helping you reduce risk
In security, we love our principles and best practices. Many will chuckle because sometimes there are so many it's hard to decipher those that are applicable and those that are philosophical. Regardless, there are a number of them that are critical to website owners, things like Defense in Depth or the Principle of Least Privilege. These are two of what we would categorize as the most important principles that every website owner should adhere to.
What many fail to realize is the value that these principles offer them. In many cases, by implementing them they can reduce their overall risk of attack and ensure the integrity of their online property.