WordPress Security – WPLDN follow-up
A few weeks ago I did a talk on WordPress security at the WordPress London meetup (video, slides). At the end there were a couple of questions relating to our hosting platform which bear repeating and a bit of a follow-up.
“Why don’t you use VaultPress?”
There are a number of security plugins on the market which do a variety of things, from changing the url of your login page to fool attackers to locking down the admin permissions.
VaultPress is a paid subscription plugin published by Automattic (the team behind wordpress.com) and, amongst other things, runs security scans on the files within your installation. This helps to protect against the sort of attack which involves an attacker using a vulnerability in your site to write a malicious file to your server.
This sort of attack isn’t a problem for GovPress, since file permissions on our server are totally locked down: the only place that files can be written to is the uploads directory. We can do this because we apply WordPress core and plugin updates directly on the server using git, rather than through the admin interface.
A low-level approach
In general, we find that security plugins do some things (like VaultPress’ file scans) that aren’t really applicable on GovPress because we’ve set things up to remove the category of problem that they’re designed to address.
Some other things that these plugins do are useful, but since with GovPress we have full control over both the WordPress installation and the server we can implement solutions at a lower level than in WordPress. This allows us to tightly integrate them with the rest of the platform and provide a seamless experience for our users. GovPress is under continuous development so if we do spot something interesting that a plugin does to improve security which we’re not doing we’ll generally add a feature to our development backlog.
Finally, there are some things we do, like logging and blocking repeated failed login attempts, which need to be integrated with the platform and it wouldn’t be possible to achieve these with a generic plugin.
“Do you use two-factor authentication?”
Two factor authentication involves improving the authentication of a service by requiring both something you know (a password) and something you have (often a mobile phone). It’s not something you would want to require for each login, but it’s useful for more firmly verifying identity if an account is showing suspicious activity.
It’s something which we frequently recommend to our clients – particularly the more security-conscious ones – but we haven’t had anyone take us up on it yet.
There are a number of probable reasons for this – firstly we would want to use some kind of third party app (e.g. Google Authenticator), so everyone in the organisation would need to have a smartphone. Many civil servants are reluctant to use personal devices for a work purpose (and in some cases are prohibited from doing so), and work devices are often locked down so that nothing can be installed on them without permission. Processes for approving new software are often extremely painful.
Add to all this that the organisation would have to support their users in installing and using the authenticator app and it’s understandable why the whole thing looks quite unappealing.
dxw runs a WordPress hosting platform called GovPress. It’s built around the needs of the public sector and is where we host the majority of the WordPress sites we build for our clients.
One of those needs is security: some public sector sites hold sensitive data, and the reputational impact of getting hacked is high – particularly for central government websites. The platform does a number of things to secure the sites we host including:
- Password length restrictions and improved password encryption (Bcrypt – we’ve published this functionality in a plugin which anyone can use: wp-bcrypt)
- Blocking of repeated password attempts at the IP level
- Disables dangerous admin functionality like the theme editors
- Plugin restrictions – we review, install and update plugins as a managed service
- Proactive monitoring – preventing a site from being attacked is one thing: knowing when an attack is underway so that you can respond appropriately is another thing entirely.
We’re always happy to discuss how we approach security – if you’ve got any further questions let us know in the comments below or send an email to firstname.lastname@example.org. If you think GovPress might be a good fit for you, give us a call on 0345 257 7520.