I missed out on a talk by Tim Nash from 34sp.com on security called “Come to the dark side they have cookies” at WordCamp London this year – the room filled up before I could get there. Luckily Tim gave the same talk at a WPLDN meetup last month. It gave an insight into how WordPress sites are attacked and how one compromise can lead to even more issues. I was so enthralled by the talk that I forgot to take any notes; luckily the original talk from WordCamp London has been uploaded to YouTube. If you design, build or develop WordPress sites then I suggest you watch it. Just click the button below to view it.
The key points that I took from the talk are:
- Never click untrusted links – they could be phishing attacks
- Enable 2FA on all your accounts
- Limit admin users to those who really, really need admin access
- Never, ever, ever use the same password
- Always use a Child Theme
- Always keep everything up to date
- Never rely on theme updates to get plugin updates
- Get plugins and themes from trusted sources only
- Custom code is your responsibility
- Check all your end points for SQL injection vulnerabilities
- If someone says there is a problem with your code don’t dismiss it
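The points about custom code and SQL injection at endpoints are where most site-specific risk lives. As an added illustration (not code from Tim's talk or from 34sp.com), here is a hypothetical custom REST endpoint written the unsafe way beside the same endpoint hardened with `$wpdb->prepare()` and a capability check; the route names, table and parameter are assumptions.

```php
<?php
// Added example: a custom WordPress REST endpoint, before and after hardening.
// Assumes a custom table {$wpdb->prefix}client_notes with columns id, client, note.

// BEFORE: the request parameter is interpolated straight into SQL and the
// route is open to anyone. This is the pattern an endpoint audit should flag.
function example_notes_unsafe( WP_REST_Request $request ) {
    global $wpdb;
    $client = $request->get_param( 'client' );
    $sql    = "SELECT id, note FROM {$wpdb->prefix}client_notes WHERE client = '$client'";
    return $wpdb->get_results( $sql ); // vulnerable to SQL injection
}

// AFTER: the value is bound with $wpdb->prepare() so it can only ever be data,
// and the endpoint requires a capability so anonymous callers get a 403.
function example_notes_safe( WP_REST_Request $request ) {
    global $wpdb;
    $client = sanitize_text_field( $request->get_param( 'client' ) );
    $sql    = $wpdb->prepare(
        "SELECT id, note FROM {$wpdb->prefix}client_notes WHERE client = %s",
        $client
    );
    return rest_ensure_response( $wpdb->get_results( $sql ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/notes', array(
        'methods'             => 'GET',
        'callback'            => 'example_notes_safe',
        // Limit to users who actually need it; 'edit_posts' is a placeholder
        // capability, choose the narrowest one that fits the real use case.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'client' => array(
                'required'          => true,
                'sanitize_callback' => 'sanitize_text_field',
            ),
        ),
    ) );
} );
```

When auditing a site, grep custom plugins and child themes for `$wpdb->query`, `get_results`, `get_var` and `get_row` calls whose SQL string contains a `$` variable but no `prepare()`; each one is a candidate for the fix shown above.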
Since watching the talk again we have taken steps, and are continuously taking steps, to ensure that all the sites on our Care Plans are suitably protected against attacks.
We are in the process of auditing all the sites we manage and ensuring all Tim’s recommendations have been implemented.
I personally will be blogging about what we find, the steps we take and the tools, services and methods we have used to better protect the sites my company looks after. To get these posts as they are published, simply subscribe to our blog.