Avoiding CMS Disaster: Raising Your WordPress Security to the Next Level
Protecting your enterprise WordPress sites, applications, and data from online threats with security best practices.
No one wants to be the next breaking news headline for suffering a customer data breach or a catastrophic site collapse.
Threats online today exist in various forms—from bots scanning for known vulnerabilities to script kiddies, cyber gangs, and even nation state actors.
For beleaguered IT teams, ensuring an online presence isn’t compromised can feel like more than a full-time job, “running just to stand still.” Unfortunately, that often leaves precious little bandwidth for the real task of preparing a site, its infrastructure, and business for its future state.
In the fourth of our Avoiding CMS Disaster series, we explore five ways organizations and their IT guardians can battle-harden their sites and applications against malicious attacks, protect sensitive customer data, and keep their business always open for business.
1. Vulnerability management
Identifying and mitigating software vulnerabilities can be an overwhelming task, even for the largest IT teams.
Vulnerability management requires on-going identification, classification, prioritization, managing, and remediation of vulnerabilities within your organization’s infrastructure. According to the UK’s National Cyber Security Centre, “Exploitation of known vulnerabilities in software remains the greatest cause of security incidents.”
Periodic scanning of your network to monitor for any new vulnerabilities or unintended open access to machines is a must for any organization that wants to minimize their attack surface. Unfortunately, maintaining scanning software, reviewing the scan results, and actioning them often fall down the list of priorities in a busy IT department.
The WordPress VIP answer:
Our platform provides security throughout your network—from edge security to protection of data in transit between components. For example, DDoS protection continuously monitors web traffic and takes active mitigation steps when suspicious activity is detected. Network and host-based firewalls with real-time notification processes are there to prevent unauthorized access attempts.
Keeping the application layer updated is just one step in the process. All the supporting layers and infrastructure need to be kept up to date, too. Sometimes vulnerabilities are exposed that don’t have an immediate patch or require mitigation in your codebase.
To keep your applications infrastructure up to date requires multiple steps, including:
- Checking for updates for each piece of software
- Building the new release
- Testing on your non-production architecture
- Ensuring no new issues are introduced and subsequently fixing any that are
- Putting your production application into maintenance mode and rolling out your updates
Note: All these steps should be done with every patch available at every layer of your application.
Specifically for WordPress, it’s not just keeping core and underlying infrastructure up to date. Third-party themes and plugins must be updated and patched regularly. It’s also important to recognize the quality of third-party plugins added to your WordPress site. Some might be poorly coded or introduce security vulnerabilities—neglectfully or maliciously. Tools such as WPScan, SonarQube, or PHP_CodeSniffer can help automate your code reviews to catch unwanted exploits being introduced.
The WordPress VIP answer:
Our platform is managed by active members of the WordPress community. When an issue arises, we immediately patch it, often ahead of the fix getting pushed to WordPress core code. Meanwhile, we proactively alert all customers of: 1) upcoming, automated WordPress updates, checking to make sure they’re on the latest version of our platform, and 2) plugin exploits in the wild and attempts to patch these issues at a platform level.
Going deeper, we use automated code scans for pull requests created in an application’s GitHub repository. This can identify potential security concerns before code goes into production (and is useful for evaluating plugins from the wider WordPress ecosystem.) Leveraging our Kubernetes orchestration, WordPress VIP provides zero downtime deployments for customers’ applications.
Finally, based on years of experience running WordPress at scale, we can mitigate common attack vectors—thanks to continuously testing our infrastructure for vulnerabilities and engaging independent third parties to run penetration tests against it.
2. Network security
Network security is a vital part of an organization’s online presence.
Best-in-class security means managing both perimeter-based security and internal network security. Here multiple factors must be considered and managed to effectively protect users and their data.
Intrusion detection systems
Monitoring and logging all network traffic is essential in identifying malicious or suspicious activity. To prevent unauthorized access, security teams need either automated rules or alert system administrators to review suspicious traffic and take appropriate action.
Understanding what traffic is allowed to traverse your network and how applications communicate within and outside the network is a must to minimize security risks. This means setting and reviewing ingress/egress rules using either software or hardware firewalls, which allow only essential network traffic for your applications to run.
Blocking or allowing the wrong traffic could prevent a vital system from performing or, worse, expose your database to the world.
Physical network security
A network is only as secure as its physical security. The best firewalls, intrusion detection systems, and threat management software can all be circumvented by a malicious actor gaining physical access to your servers.
Data centers require multiple levels of physical security, such as:
- Physical access controls
- Environment monitoring
- Alarms and sensors
- Backup power
All these also need periodic auditing to ensure they are meeting security best practices.
3. Data protection
No company wants their data leak showing up on haveibeenpwned.com for all the world to see.
Users lose trust fast with companies that don’t protect their data to the level they expect. Ensuring only authorized, role-specified users can access sensitive customer data requires multiple layers of protection.
Communication between your application and your users needs to be encrypted in transit to prevent data being intercepted or tampered with by a third party. Transport Layer Security (TLS) is generally used to encrypt the data. This requires creating TLS certificates and ensuring they are renewed.
Because data can also be encrypted at rest, this requires protecting data kept on storage media such as backups. If a malicious actor does gain access, they will still need the data encryption key to actually use the data.
Key management is an important part of data encryption. Keys have several stages in their lifecycle: generation, distribution, use, backup, rotation, and destruction. At each stage, there are best practices to follow to keep your data safe.
Keeping a chronological record of all activities that occur within your application at every level of the stack is essential for any enterprise. Audit logs are required for forensic investigations, detecting security breaches and their impact, and understanding systems errors.
Audit trails need to collate logs for multiple layers and applications, secure enough so they can’t be altered by users. And they must ensure chronological accuracy. This requires knowing what actions need to be logged, connecting multiple systems into an ELK tool such as Kibana, synchronizing systems using network time protocol (NTP) so timestamps are meaningful, and managing access to logs.
Knowing what defines a security incident, what requires manual assessment, and how they should be managed is an art in itself.
Automated log analysis can flag suspicious behavior at an early stage (if you know what to look for). Tools with predefined or custom rules can be created specific to your application. This requires setting parameters within your log analysis to know when:
- Automated actions should be executed to protect against attacks and malicious traffic.
- The Systems team should manually intervene to examine the patterns and try to determine whether it’s falsely flagged benign behavior or action is required.
All this relies on well-configured tools and an experienced security team that understands your applications’ usage patterns. No enterprise wants a piece of content to go viral, only for their system to flag it as a DDoS attack and block the traffic.
The WordPress VIP answer:
We maintain separate containerized database infrastructure for every client and application, each with their own unique authentication. This mitigates the risk of unauthorized access between applications and protects each customer’s data and reduces the risk of attack. We provide database, file system, application, and data center security, as well as hourly encrypted backups. And our origin data centers meet the International Organization of Standardization (ISO), International Electrotechnical Commission (IEC) 27001 certification, Standards for Attestation Engagements (SSAE) No. 18 (SOC1) and SOC2 Type 2.
Case study: For a media outlet with the global reach and influence of Al Jazeera, it was essential to migrate its properties to a CMS platform hardened against malicious actors. Read why they chose WordPress VIP.
4. Access and authentication
According to Telesign, more than half of consumers use five or fewer passwords across their entire online life and almost half of consumers rely on a password that hasn’t been changed for five years.
Gaining access to a user’s account may be one of the easiest ways to access a secured system. That’s why granular access control, multifactor authentication, and/or single sign-on are so important for security-conscious organizations.
Granular access controls and implementing a policy of “least privilege” is vital to keeping your data safe and reducing attack surfaces for your application. The policy of least privilege states that a user should be given only those permissions needed to complete their task. Ensuring every user does not have administrator privileges, for example, means that if a malicious actor does gain a user’s credentials, the likelihood of them being able to do significant damage is limited.
Single sign-on (SSO)
With SSO, users login to multiple services via one set of login credentials. If a user does not exist in a specific service, they can sometimes be provisioned on the fly by utilizing user mapping from the service’s Identity Provider. Services like Azure AD, Google Apps, AuthO, or OneLogin provide SSO functionality.
SSO helps IT departments set centralized rules for users, reduce time recovering lost passwords, and remove the need for manually provisioning and deprovisioning users during onboarding/offboarding.
Using MFA provides a further layer of protection against your organization’s users being compromised.
MFA requires a combination of at least two methods of authentication to login. Generally it will be configured with a username and password as the first layer of authentication followed by a time-based authentication token generated via a hardware device or software like Google Authenticator. The benefit of this process is that even if the username and password are compromised, a user can’t login without the authentication token and vice versa.
The WordPress VIP answer:
WordPress VIP is built on a foundation of granular access controls and permissions, including multifactor authentication, brute force protection, data access audit trails, and physical security. These provide an extra layer of protection against compromised passwords, prevent unauthorized employees or contractors from accessing customer data, and dynamically apply restrictions at the network level when unnatural behavior is detected.
5. Breach recovery
Automated backups and hardware redundancy is vital to the smooth running of your day-to-day online business operations.
Backups are vital for data loss prevention, preventing ransomware attacks, and quick recovery from outages. There are a number of backup best practices every organization should follow to ensure they have full control and redundancy of their data.
- Regular backups. The more frequent the better in terms of reducing your Recovery Point Objective (RPO) and minimizing data loss.
- Backup redundancy. Storing backups in multiple locations (e.g., offsite) ensures you can still access them, even if you lose access to your main server.
- Encrypted backups. Even if your backup storage is compromised, the data will be useless without the encryption key.
- Regular testing. Regularly extract your backups and test them in a non-production environment to ensure your team can actually restore your site with them.
Having backups available is little to no use without backup hardware to restore to.
This requires redundant hardware within and outside your primary data center. No matter if the issue is with a single server or the entire data center, your team will be able to access this hardware to quickly get back online.
The WordPress VIP answer:
In the unlikely event of a breach, we help customers quickly recover and get back to business, thanks to multiple levels of backup (origin datacenter and offsite locations), plus disaster recovery and security breach procedures. We also provide the ability to automatically ship your backups to your own S3 storage to ensure you can set your own data retention policies on them or even run automated recovery testing. Utilizing multiple levels of redundant storage, we can reconstruct data in its original or last-replicated state before the moment it was lost. WordPress VIP also has multiple origin data centers that sites can be migrated to in the improbable event of a single data center failure.
From vulnerability management to breach recovery, working WordPress VIP gives organizations the opportunity to leverage years of experience keeping high-profile, high-scale WordPress-based sites online and secure in the face of threats.
Built with multiple levels of security controls and protection—including edge protection, secure networking, robust access controls, continuous security monitoring, and code scanning—WordPress VIP meets the most exacting security requirements. That’s why it’s trusted by customers in high-risk industries such as banking, pharmaceuticals, public utilities, and government. We’re also the only WordPress platform to achieve FedRAMP Authority to Operate (ATO).
Looking to upgrade to a battle-tested, more secure CMS? Learn more about WordPress VIP, including our deep roots in open source software. And just for the record, you can go ahead and check our WordPress VIP platform status right now.