Practical WordPress Security with Tim Nash

Tim Nash (@tnash) from 34SP joined us on Monday 14 May to share his knowledge of WordPress security.


You can see slides from Tim’s recent talks on security here

Tim said:

Thanks folks who came to my Practical Security talk at WP Cambridge last night.

Today it’s time to take action. We covered a lot of stuff, so where to start?

Here are 3 things to do right now.

1. DON’T PANIC
2. Remove all admin roles and replace with editors
3. Test your backups


October 2017 Meetup: Managing WordPress & WP Transients

Managing WordPress

Steven Watts of Newt Labs talked about WordPress management, which also included a quick introduction to Slack – an instant messaging/support system.

Slides are available in PDF format.

This is a cut-down version of the presentation; for the full version see https://www.slideshare.net/StevenWatts8/managing-wordpress

Takeaways: where to get help, how to set up a staging site, a backup strategy, quick security wins, keeping eyes on your site, and a better understanding of quality hosting.

Slack – We at WordPress Cambridge have two channels. There are a bunch of UK channels, and also a bunch of international channels. You can stay in contact with the Cambridge group, and get help/support from the UK and internationally.

Newt Labs is a sponsor of our Meetup group. They provide site care for WordPress websites: unlimited small fixes, implementation of best practices and ongoing technical tasks, keeping WordPress sites secure and effective, from £49 a month.

WordPress Transients API

Adam Maltpress of http://maltpress.co.uk/ talked about the WordPress Transients API.

Transients help speed up your site by reducing the number of database queries needed to build a page: a transient stores the result of an expensive query under a key with an expiry time, so later page loads read the stored value instead of re-running the query. We discussed the code needed to start using transients in your theme or plugin, as well as a couple of ways of measuring your code’s performance while developing and testing. We also discussed some of the issues around caching content, chiefly serving stale data, and the compromises involved.
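The following is an added example, not code from Adam’s talk or slides, showing the pattern described above in a WordPress theme or plugin: an expensive query cached with the Transients API, invalidation hooks for the staleness problem, and a small helper for counting the queries a piece of code issues. The `wpc_` function names, the cache key, the twelve-hour lifetime and the “ten most recent titles” query are assumptions made for the example.

```php
<?php
/**
 * Added example (not from the original talk): cache an expensive query with
 * the WordPress Transients API and clear it when content changes.
 * Assumes it runs inside WordPress (theme functions.php or a plugin).
 * The wpc_ prefix, key name and lifetime are assumptions for this example.
 */

const WPC_RECENT_KEY = 'wpc_recent_post_titles';      // assumed transient key
const WPC_RECENT_TTL = 12 * HOUR_IN_SECONDS;          // assumed lifetime

/**
 * Titles of the ten most recent published posts, served from the transient
 * when one exists so the page build skips the WP_Query entirely.
 */
function wpc_recent_post_titles() {
    $titles = get_transient( WPC_RECENT_KEY );
    if ( false !== $titles ) {
        return $titles; // cache hit: no query runs (an empty array is still a hit)
    }

    // Cache miss: run the query once and store only the data we render.
    $query = new WP_Query( array(
        'post_type'      => 'post',
        'post_status'    => 'publish',
        'posts_per_page' => 10,
        'no_found_rows'  => true, // we don't paginate, so skip SQL_CALC_FOUND_ROWS
    ) );
    $titles = wp_list_pluck( $query->posts, 'post_title' );

    // The expiry bounds how stale the list can get if invalidation is missed.
    set_transient( WPC_RECENT_KEY, $titles, WPC_RECENT_TTL );
    return $titles;
}

/**
 * The compromise: until it expires, a transient can keep serving a title that
 * has since been edited, unpublished or deleted. Drop it on every change.
 */
function wpc_flush_recent_titles() {
    delete_transient( WPC_RECENT_KEY );
}
add_action( 'save_post_post', 'wpc_flush_recent_titles' );
add_action( 'transition_post_status', 'wpc_flush_recent_titles' );
add_action( 'deleted_post', 'wpc_flush_recent_titles' );

/**
 * Render the list. Escape on output: cached data is stored in wp_options (or
 * the object cache), so anyone who can write there can plant a value.
 */
function wpc_render_recent_titles() {
    $out = '<ul>';
    foreach ( wpc_recent_post_titles() as $title ) {
        $out .= '<li>' . esc_html( $title ) . '</li>';
    }
    return $out . '</ul>';
}

/**
 * Measure a callback while developing: how many database queries it issued
 * and how long it took. Call it twice to see the cold and the cached cost.
 */
function wpc_measure( callable $fn ) {
    $queries_before = get_num_queries();
    $started        = microtime( true );
    $fn();
    return array(
        'queries' => get_num_queries() - $queries_before,
        'seconds' => microtime( true ) - $started,
    );
}

// Example use during development (define SAVEQUERIES in wp-config.php to see
// the individual statements in $wpdb->queries):
//   $cold = wpc_measure( 'wpc_render_recent_titles' ); // one WP_Query
//   $warm = wpc_measure( 'wpc_render_recent_titles' ); // transient hit
```

Without a persistent object cache (Redis, Memcached), transients live in the `wp_options` table, so a cache hit still costs an options lookup unless the option is autoloaded; the saving is the expensive query, not every query. Storing the plain array rather than pre-rendered HTML keeps the escaping at output time, which matters because the cached value is only as trustworthy as whoever can write to the options table.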

Slides are available in PDF format.

Security with Tim Nash

Another amazing guest speaker – this time Tim Nash of 34SP.com (and timnash.co.uk).

Tim is the platform lead at 34SP.com for their Managed WordPress product in addition to being the company’s Developer Advocate.

Tim’s presentation managed to be both scary and reassuring about security: making it clear that security is everyone’s responsibility but also that there are plenty of things we can do to make our sites secure.

Tim pointed out that sites are as likely to be hacked if they’re running a security plugin as they are if they’re not! This underlines the fact that plugins only really fix one small part of a larger security process which includes making sure the server is set up correctly, that people are sensible with the way they use passwords, and that site administrators set up users correctly.

It’s important to make sure that users are only given the permissions they need and that sites have as few administrators as possible. Some site owners have two accounts, an editor and an administrator, and purposefully change their administrator password to something ridiculous so it’s impossible to log in with it unless it’s reset through the site’s database. Others add alerts to their sites which make it really clear when they’re logged in as an administrator and have more power than the task in hand needs.
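As an added example, not code from Tim’s talk, the following small plugin implements the two practices above in WordPress: an unmissable warning whenever the current user holds the administrator role, and an audit helper that lists administrator accounts and can demote all but one of them to editor. The `wpc_` names, the notice wording and the choice of which login to keep are assumptions for the example.

```php
<?php
/**
 * Plugin Name: Admin Session Warning (added example, not from the talk)
 *
 * Assumes a single-site WordPress install; on multisite, super admins also
 * need checking with is_super_admin(). The wpc_ prefix is an assumption.
 */

/** True when the logged-in user holds the administrator role itself. */
function wpc_is_administrator_session() {
    $user = wp_get_current_user();
    return $user->exists() && in_array( 'administrator', (array) $user->roles, true );
}

/** Logins of every account with the administrator role, for auditing. */
function wpc_list_administrators() {
    $admins = get_users( array( 'role' => 'administrator' ) );
    return wp_list_pluck( $admins, 'user_login' );
}

/**
 * Demote every administrator except $keep_login to editor. Dry run by
 * default: returns the logins that would change without touching anything.
 * set_role() replaces all of a user's roles, so a demoted account keeps
 * no administrator capability behind.
 */
function wpc_demote_other_admins( $keep_login, $dry_run = true ) {
    $changed = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $user ) {
        if ( $user->user_login === $keep_login ) {
            continue; // never lock yourself out of the last admin account
        }
        $changed[] = $user->user_login;
        if ( ! $dry_run ) {
            $user->set_role( 'editor' );
        }
    }
    return $changed;
}

/** Red banner at the top of every wp-admin screen for administrator sessions. */
function wpc_admin_session_notice() {
    if ( ! wpc_is_administrator_session() ) {
        return;
    }
    $count = count( wpc_list_administrators() );
    printf(
        '<div class="notice notice-error"><p><strong>%s</strong> %s</p></div>',
        esc_html( 'You are logged in as an administrator. Use an editor account for day-to-day work.' ),
        esc_html( sprintf( 'This site currently has %d administrator account(s).', $count ) )
    );
}
add_action( 'admin_notices', 'wpc_admin_session_notice' );

/** Matching marker in the admin bar so the front end gives the same warning. */
function wpc_admin_bar_marker( $wp_admin_bar ) {
    if ( ! wpc_is_administrator_session() ) {
        return;
    }
    $wp_admin_bar->add_node( array(
        'id'     => 'wpc-admin-session',
        'parent' => 'top-secondary',
        'title'  => '<span style="background:#a00;color:#fff;padding:0 8px">ADMINISTRATOR SESSION</span>',
    ) );
}
add_action( 'admin_bar_menu', 'wpc_admin_bar_marker', 100 );

// Audit from a one-off script or WP-CLI eval:
//   wpc_demote_other_admins( 'owner' );         // dry run: who would change
//   wpc_demote_other_admins( 'owner', false );  // apply, keeping 'owner'
```

Run the dry run first and compare its output with `wpc_list_administrators()`; the login you keep should be the break-glass account whose password, as described above, you then make deliberately unusable for routine work. Remember that a user can also gain administrator-level power through capabilities added by plugins rather than the role itself, which is why the check here is on the role the page talks about and not on a single capability.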

In terms of passwords, most have been leaked in some breach at some point, so it’s important to change them regularly and never use the same password for multiple sites.

Whether you use a password manager or not (see KeePass and KeeWeb), password length is far more important than complexity (i.e. combinations of letters, numbers and special characters), so an increasingly popular way of handling passwords is to use pass phrases.

Two factor authentication (using a phone app to provide a special login key every time you log in) is another great way to increase your site’s security. There are several plugins which add two-factor authentication to your site. Just make sure you print (and keep safe) your backup codes! The best method is to combine a long pass phrase and two-factor authentication.

Keeping everything up to date is also vitally important: core WordPress, plugins and themes (even inactive ones, since their code is still on the server). Don’t use pirated themes, which can’t be updated. Using child themes, as ever, is strongly recommended, because it lets you update the parent theme without losing your changes. Tim pointed out it’s worth updating even if it breaks little things; it’s better to have a secure site.

Site monitoring was another handy tip from Tim: use visual regression testing, which takes a visual snapshot of your site (or part of it) and warns you if it looks different, a cheap way to notice a defacement or injected content. Visualping.io is one example of a visual regression testing service. Testing backups when you take them is also really important, and it’s worth automating this as much as you can, if you know how!

Hardening WordPress means locking down the server and the installation itself: file permissions, protecting wp-config.php, disabling the built-in file editor and similar measures. There’s a great guide at https://codex.wordpress.org/Hardening_WordPress

Finally, use HTTPS on everything! We’ll be covering HTTPS in more depth in a future meetup, but in the meantime it’s worth checking what sort of TLS/SSL certificate your hosting service can provide. You shouldn’t need to pay; there are plenty of free options available now, including Amazon’s.

Workflow

The first meetup of 2017 covered the workflow of various developers.

  • Chris O’Dell uses Microsoft’s Visual Studio with a PHP plugin and Team Foundation Server as a code repository. Chris doesn’t version control his WP core files, and is meticulous in keeping version notes and his check-in routines.
  • Jonathan Whiteland has rather an esoteric setup working between three different desktop machines, using BBedit for code editing and Git (GitHub) as an analogue of Dropbox – storing working files in Git and deploying to dev and then live as needed.
  • Ben Attenborough uses DesktopServer as a local dev server with Bitbucket for Git storage. Ben also uses Gulp for running tasks like concatenation, Sass pre-processing and so on. Ben pushes changes through Git rather than FTP. Ben also introduced us to Kint and Whoops, two excellent ways to make PHP var dumps and error messages more useful.
  • Adam Maltpress shared some of the software he uses for work and sanity, including the NetBeans IDE. Adam uses either Git or SVN for version control, and tries to build sites as database-agnostically as possible: they should work as well with test content as with real content!
  • Simon Bragg uses XAMPP, the Duplicator WordPress plugin and FileZilla, as well as the NetBeans IDE (using its built-in Sass pre-processing). This prompted a big discussion around the PhpStorm IDE.
  • Steven Watts then took us through his infographic on setting up a WordPress site and some of the key plugins he uses.

You can download the presentations for the meetup here.