What I Learned Interviewing 10 WordPress Security Experts
I’ve spent the last three months deep in the weeds of WordPress security. As regular readers will know, this is because I’ve launched on a new course: WordPress Security With Confidence.
Part of this research has involved talking to a lot of WordPress security experts. Some of these experts focus on the big picture, whilst some focus on extremely specific aspects. As a whole they offer an incredible depth of knowledge about how WordPress security works, what’s important, and what we should all be focusing on.
Hopefully you’ll find something interesting in this diverse mix of perspectives. I talked to people from S-brands like Sucuri, SiteGround, SiteLock, and SecuPress. (I prefer brands whose first letters are in the second half of the alphabet. ;p) To give you a quick sense of topics: these cover everything from convincing clients to think about security, why your WordPress site shouldn’t have a username and password, and how WordPress itself deals with security fixes.
WordPress Security With Confidence includes hours of screencasts of me talking about security concepts, and showing you how to implement them in WordPress (and, if you’re a developer, your PHP code). Both the Non-Developer and Developer editions also include all ten of these incredibly insightful interviews with some of the finest security minds. You can see the course here, but to pique your interest, I’ve collated some of the most interesting, insightful and intriguing comments on WordPress security from the interviews.
Before we start, can I teach you more about WordPress security?
We’ll get into the insights – from people including Aaron Campbell, Tony Perez, and Chris Wiegman – in a moment. Before we do, I want to ask if I can teach you some more about WordPress security! I’ve got three excellent videos from my new course to share, which show you how three different types of compromises of WordPress sites actually happen (and how to protect yourself from them).
I’ve put the videos together into a neat series, which you can sign up for below:
The videos are taken straight from the (paid) course, so this is a really great opportunity to learn more, and get some premium material for free. I will, of course, always respect your inbox, and you’ll be joining thousands of other WordPress users, implementers, and developers on our list 🙂
1. Aaron Campbell told me about WordPress Core Security
Aaron Campbell is the WordPress Core Security Team Lead. Or as I think of him “the czar of security.” “Czar” is generally used in English to mean someone who’s given lots of informal power and control to keep tabs on something. So it’s rare that an organization officially bestows the “czar” title, but when they do it means that that person is the main person responsible for that topic. That’s why I was so happy to have the opportunity to talk to Aaron.
Aaron was quick to point out that he is not the only one who is responsible for the security of WordPress. There truly is a big team, and all the core committers are thinking about security whenever they review or commit any code to the project. That said, Aaron and the security team are the ones responsible for responding when a security issue in the core WordPress project is found.
The security team is relying more and more on HackerOne.
One of the biggest things that was interesting to hear from Aaron is the way that the security team’s process is changing. For a while, there has been a separate version of Trac (the interface where the WordPress core project talks about issues and code patches) which is private and maintained just for the security team. The reason that this exists? It’s far better (even in an open source project) to fix security issues without them being made known to the public. This prevents attackers from trying to exploit an explained but unpatched vulnerability in the software.
What was interesting to hear is that the security team is relying more and more on HackerOne. HackerOne is a site which allows for the payment of bug bounties in exchange for responsible (that is: private) disclosure of security issues. It was just a few months ago that the core team created an account there, but now they regularly use it both to receive reports and keep in touch with the reporter. It’s clearly been a good change for the project on the whole.
2. With Tony Perez We Talked About Secure Defaults
Tony Perez was the CEO of Sucuri for most (maybe all…?) of the time the company was private before being acquired by GoDaddy in April of this year. Now he’s inside the larger company, and seeing his role expand. So one of the things we talked about at some length was how GoDaddy can take steps to make the WordPress experience secure by default.
While it certainly wasn’t a promise of future product changes, Tony is clearly considering the possible things that GoDaddy could do to give people hosting with them a better and more secure experience. That means things like making sure that the host is securely auto-updating not just WordPress itself, but the plugins that the site runs. Or making two-factor authentication the default. If they can do these things, their WordPress sites would unquestionably be more secure for it.
Tony is clearly considering the things that GoDaddy can do to give people hosting with them a better and more secure experience.
We also talked, at some length, about the Sucuri suite of services (which remain available to everyone, GoDaddy or not). We covered a little about what the plugin does, what sets its web-application firewall (or WAF) apart, and more. But you’ll have to see the full interview for that…
3. Chris Wiegman Told Me He Doesn’t Use His Security Plugin
Chris Wiegman first came to my attention when he was making the Better WP Security plugin. That plugin has since changed names: it’s called iThemes Security. Chris has moved on from his role in making, maintaining, and selling that plugin. He’s now a web developer at the University of Florida.
There were a lot of interesting things I learned from Chris. Something of a surprise was that Chris says he doesn’t run any explicit WordPress security plugin, including the one he started. As he said, a good site admin can take care of most of the things a plugin does themselves. But that he’s the founder of just such a plugin makes the choice a little more interesting.
Chris doesn’t have a login page on his WordPress site.
The other piece of unconventional advice from Chris, and perhaps part of the reason that he doesn’t run a security plugin, is that he doesn’t have a login page on his WordPress site. What he’s done, instead, is use Jetpack’s single-sign-on via WordPress.com feature. So he logs into his WordPress sites with his WordPress.com account, much like you’ve probably logged into an online service with your Facebook or Google account. Chris goes a step further, and just makes his WordPress login page forward to the WordPress.com login page. Brute-force login attacks be gone!
4. Meher Bala Explained How Stories Convince Clients to Think About Security
Meher Bala is a web developer in India, and I must thank @WomenWhoWP for the recommendation to talk to her. She mostly does client site-builds, like many other WordPress pros around the world. What sets Meher apart is that she had a very interesting bit of insight about how to convince clients to care about security. (This is an issue I’ve heard about from many different people in client services.)
Stories are the secret to convincing people of the importance of security on WordPress sites.
Many of her clients come to Meher without a clear sense of what WordPress is, they just feel a need for a website. (Sound familiar?) In addition to getting them a site, Meher makes sure that that site stays secure. To do that, she has to convince them security is important. And the most interesting, and useful, technique she’s found for that is to tell a personal story of someone she knows who had their site taken over, and started to lose Google rankings. People are able to connect with stories far more than figures, so I’m sure it’s a terribly effective technique to get clients to care.
5. Hristo Pandjarov Told me How SiteGround Hosting is Secured
Hristo is the WordPress expert at SiteGround. He maintains their caching plugin, and regularly speaks at WordCamps about all kinds of topics in the WordPress ecosystem. My motivation in the conversation with Hristo was to get the host’s perspective on keeping WordPress secure.
Hristo offered the host’s perspective on keeping WordPress secure.
The most interesting thing we discussed was one of the things that differentiates SiteGround from most other hosts offering low-cost WordPress hosting: the inclusion of Memcached for shared hosting users. This is another layer of caching that a WordPress site might use — it’s often called “object caching”. But Memcached has essentially no built-in access control, which makes it hard to offer safely on shared hosting.
If a host carelessly offered Memcached, their users would potentially trample each other’s data, or have the ability to read each other’s data. Both are bad, and SiteGround solved the problem in a simple and elegant way: they give each hosting account its own running Memcached process.
6. Ben Gillbanks Told Me About TimThumb
Ben Gillbanks makes his living with his theme-development shop Pro Theme Design. He also runs, with our good friend Alex Denning, the excellent MasterWP newsletter. But I was really interested to talk to Ben for a specific reason: his first-hand knowledge of TimThumb, which is one of the most notorious causes of site-compromise in WordPress’s history.
I really appreciated Ben’s willingness to discuss the topic. TimThumb was a tool to resize images before WordPress included that functionality. It was also early in the era of premium themes, and lots of themes incorporated the library into their code. And that’s really where the issue comes in.
If everyone had updated promptly when the fix to TimThumb was released, only a fraction of the sites that were compromised using it would have been affected.
One of the biggest wins in security is simply staying up to date on your dependencies. When the issue in TimThumb was found, it was fixed quickly, and if everyone had quickly gotten an update, nothing too bad would have happened. But WordPress end-users failed to install the theme updates that were offered. And there were also a number of themes that never updated their bundled copy of TimThumb at all, so a non-developer user could do nothing.
As a result of that double failure to update, lots of WordPress sites were continuing to run code with a disclosed vulnerability. And that’s a big mistake in security. That’s why this is one of the top causes of site compromise. Not because of anything Ben and team did wrong (code errors are common, and everyone should expect them), but because the users of their code were not responsibly updating.
7. Hack Remediation Advice from Michele Butcher-Jones
Michele Butcher-Jones has been working in WordPress for quite some time, and cleaning up compromised WordPress sites for almost five years. While she no longer does it as a day job, she still enjoys the challenge of taking a site that was compromised (with unwanted ads, offering malware, whatever) and setting it right.
When repairing a site, replace just about every single PHP file you can with a known-good one.
The big thing that I learned from Michele is the importance of simply replacing just about every single PHP file you can on a site with a known-good one in a case where you suspect a compromise may have occurred. This advice makes sense, and it’s significantly faster and easier than what I can envision myself trying to do: find the hacked code and meticulously remove it. There’s some diagnostic benefit in that–which is why Michele always saves a local copy of the whole site in its pre-cleaned state–but you can too easily miss another place they put their code if you’re not careful.
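The procedure Michele describes, as an added Python example that is not from the post or from any of the interviewees: snapshot the suspect site first, compare every PHP file against a known-good tree (core from wordpress.org, plugins and themes from their original zips), then overwrite changed files and remove PHP files the clean copy never had. The directory layout, file contents and the tampering are all constructed inline so the example runs offline.

```python
"""Replace PHP files on a possibly compromised WordPress install with copies from
a known-good tree, keeping an untouched snapshot of the dirty state first."""
import hashlib
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def php_files(root: Path) -> dict:
    """Map relative path -> sha256 for every .php file under root."""
    return {str(p.relative_to(root)): sha256_of(p) for p in root.rglob("*.php") if p.is_file()}


def diff_against_known_good(live: Path, good: Path) -> dict:
    """Classify live PHP files as modified, unexpected (absent from the clean copy) or missing."""
    lv, gd = php_files(live), php_files(good)
    return {
        "modified": sorted(p for p in lv if p in gd and lv[p] != gd[p]),
        "unexpected": sorted(p for p in lv if p not in gd),
        "missing": sorted(p for p in gd if p not in lv),
    }


def remediate(live: Path, good: Path, snapshot: Path) -> dict:
    """Snapshot the dirty tree for later diagnosis, then overwrite every PHP file from
    the known-good copy and delete PHP files the clean copy does not contain."""
    shutil.copytree(live, snapshot)          # pre-clean state preserved for forensics
    report = diff_against_known_good(live, good)
    for rel in report["modified"] + report["missing"]:
        (live / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(good / rel, live / rel)
    for rel in report["unexpected"]:
        (live / rel).unlink()                # still available under the snapshot
    return report


def demo() -> dict:
    """Constructed scenario in temp dirs: a clean copy next to a live site with one
    altered theme file and one PHP file the clean copy never had."""
    base = Path(tempfile.mkdtemp())
    good, live, snap = base / "known_good", base / "live", base / "snapshot"
    for root in (good, live):
        theme = root / "wp-content" / "themes" / "demo"
        theme.mkdir(parents=True)
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (theme / "functions.php").write_text("<?php // theme\n")
    # Constructed tampering: a line appended to a theme file, plus a stray file
    (live / "wp-content" / "themes" / "demo" / "functions.php").write_text("<?php // theme\n// appended line\n")
    (live / "wp-content" / "extra.php").write_text("<?php // not in the clean copy\n")
    report = remediate(live, good, snap)
    report["clean_after"] = diff_against_known_good(live, good) == {"modified": [], "unexpected": [], "missing": []}
    report["snapshot_kept"] = (snap / "wp-content" / "extra.php").exists()
    return report


if __name__ == "__main__":
    print(demo())
```

Two caveats a practitioner would add: files that legitimately differ per site (wp-config.php, custom code in the theme) have no known-good copy, so they still need to be read by hand, and the snapshot is what you keep for working out how the attackers got in. For core files specifically, WP-CLI’s `wp core verify-checksums` does the comparison against the official checksums for you.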
8. Adam Warner from SiteLock talked to me about WAFs
Adam and I met at the SiteLock booth at WordCamp Denver earlier this year. Aside from being a nice guy, Adam explained to me that SiteLock contains a web-application firewall (or WAF), and the way theirs is different from endpoint firewalls that you see in a plugin like Wordfence.
Denial of service attacks are those in which an attacker simply tries to flood your site with so much traffic that it stops being publicly available.
One of the things that makes a cloud WAF, like SiteLock’s, more effective than an endpoint one is that it has the ability to absorb a lot of the traffic of a (distributed) denial of service attack. Denial of service attacks are those in which an attacker simply tries to flood your site with so much traffic that it stops being publicly available. SiteLock’s WAF offers always-on protection from that.
But you want a WAF for other reasons as well. The biggest ones are automatic shared IP blocking — someone SiteLock sees attacking one site will be stopped from attacking yours — and firewall-level blocking of malicious-looking web requests. These are the more important security benefits of a WAF.
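To make the two benefits concrete, here is an added Python model of a cloud WAF that is not from the post, SiteLock or any other vendor: a few request-pattern rules, plus an IP reputation store shared across every site behind the firewall, so an address that trips the rules on one site is refused on the next. The rules, thresholds, site names and requests are all constructed for the example.

```python
"""Miniature cloud-WAF model: request-pattern rules plus a shared IP blocklist."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from typing import Dict, List, Tuple
from urllib.parse import unquote_plus


@dataclass
class Request:
    site: str
    ip: str
    path: str
    query: str = ""


# Illustrative signatures only; a real rule set is far larger and tuned per site
RULES: List[Tuple[str, re.Pattern]] = [
    ("path_traversal", re.compile(r"\.\./")),
    ("sql_keywords", re.compile(r"\b(union\s+select|sleep\s*\(|benchmark\s*\()", re.I)),
    ("script_tag", re.compile(r"<\s*script", re.I)),
]


@dataclass
class SharedWAF:
    """One firewall in front of many sites; reputation is pooled across all of them."""
    block_threshold: int = 3
    strikes: Dict[str, int] = field(default_factory=lambda: defaultdict(int))
    blocked: set = field(default_factory=set)

    def inspect(self, req: Request) -> Tuple[str, str]:
        # Shared blocklist is consulted first, regardless of which site is targeted
        if req.ip in self.blocked:
            return ("blocked", "shared_ip_blocklist")
        # Decode before matching so %2e%2e%2f and + encoded spaces cannot slip past the rules
        target = unquote_plus(f"{req.path}?{req.query}")
        for name, pattern in RULES:
            if pattern.search(target):
                self.strikes[req.ip] += 1
                if self.strikes[req.ip] >= self.block_threshold:
                    self.blocked.add(req.ip)
                return ("blocked", name)
        return ("allowed", "")


def demo() -> List[Tuple[str, str]]:
    """Constructed traffic: one address probes site-a three times, then visits site-b."""
    waf = SharedWAF()
    traffic = [
        Request("site-a", "198.51.100.7", "/plugins/../../wp-config.php"),
        Request("site-a", "198.51.100.7", "/", "s=1+union+select+1"),
        Request("site-a", "198.51.100.7", "/index.php", "q=%3Cscript%3E"),
        Request("site-b", "198.51.100.7", "/"),            # benign request, but the IP is now known
        Request("site-b", "203.0.113.5", "/about"),         # ordinary visitor
    ]
    return [waf.inspect(r) for r in traffic]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The fourth request is what the post calls shared IP blocking: nothing about it looks malicious, but the address already earned three strikes on a different site. An endpoint firewall running inside one WordPress install has no way to know that.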
9. Julio Potier Told Me Why You Want a Security Plugin
Julio runs SecuPress. SecuPress was initially a product from WP-Media, which you may know as the makers of the WP-Rocket caching plugin. Recently, SecuPress spun out of the parent company with Julio to get a little more focused attention. One of the things that Julio emphasized when telling me about SecuPress was the importance of good defaults in a security plugin. (And as someone who has reviewed a good number for this course, I couldn’t agree more about its importance.)
Julio emphasized the importance of good defaults in a security plugin… I couldn’t agree more.
One of the things I’d not fully appreciated, which was interesting to me as a developer, is the point Julio made about the fact that a malware scanner is basically just a whole bunch of regular expressions. For the non-programmers, regular expressions (or regex) are just a fancy way of searching for text patterns in a program. I’ve always struggled with them, so lots of appreciation for all the hard-working security professionals who are writing these for their malware scanners so we don’t have to.
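Julio’s point is easy to see in code. What follows is an added Python example, not SecuPress’s scanner or anything from the post: four regular expressions that look for the shape of obfuscated or legacy PHP, run over a handful of constructed file snippets. The signatures, file names and snippets are all made up for the example, and the one “payload” is an inert base64 string.

```python
"""Toy regex-based malware scanner run over constructed PHP snippets."""
import re
from typing import Dict, List, Tuple

# Each rule targets the *shape* of suspicious code rather than any specific malware
SIGNATURES: List[Tuple[str, re.Pattern]] = [
    ("eval_of_decoded_string",
     re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13|gzuncompress)\s*\(", re.I)),
    # preg_replace with the /e modifier evaluates the replacement as PHP (removed in PHP 7)
    ("preg_replace_e_modifier",
     re.compile(r"""preg_replace\s*\(\s*(['"])/.*?/[a-z]*e[a-z]*\1""")),
    ("long_base64_blob", re.compile(r"[A-Za-z0-9+/]{120,}={0,2}")),
    ("remote_include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)),
]


def scan_source(source: str) -> List[Tuple[str, int]]:
    """Return (rule name, 1-based line number) for every rule that matches a line."""
    findings = []
    for line_no, line in enumerate(source.splitlines(), start=1):
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                findings.append((name, line_no))
    return findings


def scan_files(files: Dict[str, str]) -> Dict[str, List[Tuple[str, int]]]:
    return {path: scan_source(src) for path, src in files.items()}


# Constructed samples: ordinary theme code, three suspicious shapes, one false positive
SAMPLES: Dict[str, str] = {
    "clean/functions.php": (
        "<?php\n"
        "add_action('wp_footer', 'demo_footer');\n"
        "function demo_footer() { echo base64_encode(get_bloginfo('name')); }\n"
    ),
    # eval() over a decoded string; 'Y29uc3RydWN0ZWQ=' just decodes to 'constructed'
    "suspicious/footer.php": "<?php\n$s = 'Y29uc3RydWN0ZWQ=';\neval(base64_decode($s));\n",
    # Legacy /e modifier: old code, but the same shape attackers used in injected files
    "suspicious/legacy.php": "<?php\n$out = preg_replace('/(.*)/e', 'strrev(\"\\\\1\")', $text);\n",
    # 130 characters of filler standing in for an encoded blob
    "suspicious/blob.php": "<?php\n$payload = '" + "Q" * 130 + "';\n",
    # An inline data-URI image trips the same blob rule: a scanner flags, a human decides
    "legit/icon.php": "<?php\n$icon = 'data:image/png;base64," + "A" * 130 + "';\n",
}


def scan_samples() -> Dict[str, List[Tuple[str, int]]]:
    return scan_files(SAMPLES)


if __name__ == "__main__":
    for path, hits in scan_samples().items():
        print(f"{path}: {hits or 'clean'}")
```

The last sample is the caveat that matters in practice: a long base64 string is exactly what an inline icon looks like too, so scanner hits are leads for review, not a verdict. That is also why the scanner is a sidekick to the file-replacement approach in the previous section rather than a substitute for it.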
10. Joe Howard Covered Why Security Matters
Joe runs the WordPress support and virtual-CTO company, WP Buffs. They do all kinds of stuff, from technical advising to site optimization and security. And all of it’s on a monthly subscription basis, so you always know you have someone to go to when you need help. Joe also runs WPMRR, a robust video course that teaches WordPress professionals how to implement, sell and execute ongoing care plans for their clients and increase their revenue every single month. Alongside that, the WPMRR WordPress podcast is entirely focused on growing successful WordPress businesses and monthly recurring revenue without taking itself too seriously.
People only go shopping for security help when they’ve had a security compromise. That’s too late.
One of the things that was interesting to learn from Joe (though it makes sense in retrospect) is the frequency with which people only go shopping for this sort of help when they’ve had a security compromise, like their site getting “hacked” or similar. It’s understandable that they do this. But Joe shares my goal of making sure that people think about security well before something drastic and bad like that happens to them. The easiest time to fix a hacked WordPress site is always before it was hacked.
So Many Different Parts of WordPress Security
There are so many different facets of WordPress security, it can take some time to wrap your head around it. Security encompasses choices ranging from who you get your web hosting from, to who you share your passwords with, to what those passwords are.
But they’re just the beginning. That’s why my new course WordPress Security with Confidence also features hours of discussion of the detailed and important topics in WordPress security.
Installing a good security plugin is great, but understanding all the facets of WordPress security is more important and powerful.
But by reading this you’ve got a good start. If you want a teaser on what’s to come, do grab the videos through the form above, or read my complete guide to WordPress security 🙂