WordPress Security for Enterprise PDF Free Download


1
WordPress Security for
Enterprise
Presented by:
Dan Knauss - Solution Architect
https://www.multidots.com/
2
3
Find me here…
4

5
Securing WordPress (tl;dr)
1. Use Enterprise Hosting
Hardened Network, Server, and Application Environment
2. Apply Timely Updates
Manage Core, Plugins, Themes, Extensions, Dependencies
Choose wisely — and keep them updated.
3. Build Policies, Practices, and Culture
Protect People and Passwords Against Convenience,
Carelessness, and Phishing. (The Weakest Links)
Account for Supply Chains and Tool Chains.
Defense in Depth, Zero Trust, Principle of Least Privilege
6
What is Security?
What is at stake?
Why is it so Difficult?
What are the Main Threats?
for WordPress?
for Publishers?
for Everyone?
What makes us Vulnerable?
What are the Best Defenses?
What We’ll Cover Today
7
PCI DSS v4 (Source)
All payment pages must be protected, even if a
third-party payment processor is used.
Vulnerability management is required.
Identify and address security vulnerabilities
present in the application.
2FA/MFA is required.
8
What is Security?
Feelings
Perceptions
Certifications
Reality.
Humans, especially in groups,
are very bad at truly
confronting the illusions that
seem to protect them from risk
and failure.
9
What is Security? What's at Stake?
Loss of: Data, People, Revenue, Reputation, Liability, Visibility
What’s the worst that could happen?
10
What is Security? Why is it so difficult?
"Any person can invent a security system so clever that they can't think of how to break it."
Schneier's Law
11
Security is not just difficult.
It’s impossible to achieve and sustain a totally secure system.
Everyone is vulnerable.
Some more than others

What is Security? Why is it so difficult?
12
What → Who is the Main Threat?
16
Time, the infinite problem…
What is the Main Threat?
More attacks.
More sophisticated attacks.
More vulnerable, aging systems.
More successful attacks to build on.
(Data breaches)
17
What are the main threats…
to WordPress?
to Publishers?
to Anyone?
18
WordPress
64.5%
WordPress Security
19
The lowest
hanging fruit...
WordPress Security
20

Vulnerable
Code
Outdated
Plugins
Weak, Reused,
Stolen, and Guessed
Passwords
WordPress Security
21
Common Vulnerabilities
Cross-Site Scripting (XSS) is the
most common vulnerability.
Cross-Site Request Forgery
(XSRF/CSRF) tricks users into
harmful actions.
SQL Injections manipulate the
application database directly.
Broken Access Controls allow
privilege escalation.
Vulnerable Code in Third-Party Plugins
WordPress Security
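The four vulnerability classes on this slide usually arrive together in one badly written plugin handler. The following is an added illustration, not code from the slides or from Multidots: a hypothetical "notes" AJAX endpoint written first with all four weaknesses, then with each closed by the API WordPress ships for the purpose (nonces, capability checks, `$wpdb->prepare`, output escaping). The table name, the `edit_notes` capability and the `save_note` action are constructed for the example.

```php
<?php
/**
 * Added example (not from the slides or Multidots): a hypothetical "notes"
 * feature in a WordPress plugin, shown twice. Table, capability and action
 * names are constructed for this illustration.
 */

// ---------- VULNERABLE: keeps the four defects named on the slide ----------
function insecure_save_note() {
    global $wpdb;
    // Broken access control: anonymous visitors reach this via wp_ajax_nopriv_.
    // CSRF: no nonce, so a forged cross-site form runs it as a logged-in victim.
    $id    = $_POST['id'];
    $title = $_POST['title'];
    // SQL injection: untrusted input concatenated straight into the query.
    $wpdb->query( "UPDATE {$wpdb->prefix}notes SET title = '$title' WHERE id = $id" );
    // XSS: attacker-controlled value echoed into the page unescaped.
    echo '<p>Saved: ' . $title . '</p>';
    wp_die();
}
add_action( 'wp_ajax_save_note', 'insecure_save_note' );
add_action( 'wp_ajax_nopriv_save_note', 'insecure_save_note' );

// ---------- HARDENED: same feature, each defect closed ----------
function secure_save_note() {
    global $wpdb;
    // CSRF: the form carries wp_create_nonce( 'save_note' ); mismatch dies with 403.
    check_ajax_referer( 'save_note', '_wpnonce' );

    // Access control: a capability, not merely "is logged in". A dedicated
    // capability (granted to roles at plugin activation) beats reusing edit_posts.
    if ( ! current_user_can( 'edit_notes' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // Validate and sanitize before the values touch anything.
    $id    = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    if ( 0 === $id || '' === $title ) {
        wp_send_json_error( array( 'message' => 'Invalid input.' ), 400 );
    }

    // SQL injection: placeholders are quoted (%s) or cast (%d) by $wpdb->prepare.
    // The table name comes from the trusted prefix, not from the request.
    $table = $wpdb->prefix . 'notes';
    $wpdb->query( $wpdb->prepare( "UPDATE {$table} SET title = %s WHERE id = %d", $title, $id ) );

    // XSS: escape on output for the context the value lands in (HTML text here).
    wp_send_json_success( array( 'html' => '<p>Saved: ' . esc_html( $title ) . '</p>' ) );
}
add_action( 'wp_ajax_save_note', 'secure_save_note' );
// Deliberately no wp_ajax_nopriv_save_note hook: anonymous users get no handler.
```

The review questions a plugin audit asks map directly onto the second handler: is there a nonce check, is there a capability check (and is it the right capability), is every query prepared, and is every echoed value escaped for its context.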
22
Common Attacks
1. Brute-Force Login Attempts - Guessing common passwords.
2. Credential Stuffing - More sophisticated than brute force.
3. Denial-of-Service (DoS/DDoS) - Can be the result of 1 & 2.
4. Phishing - Social Engineering. Pretexting and Spear Phishing.
WordPress Security
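Attacks 1 and 2 look alike in a raw access log but differ in shape: brute force piles failures onto one or two accounts, while credential stuffing touches many accounts once or twice each, and the single success in a stuffing run is the account that is now compromised. The stand-alone PHP below is an added example, not code from the slides or from Multidots; it applies that distinction to constructed log lines (TEST-NET addresses, invented field names and thresholds). Real logs come from your login-protection plugin, host or SIEM in whatever format they emit, so only the parser would change.

```php
<?php
// Added example (not from the slides): classify failed logins per source address.
// Log lines, field names, addresses (TEST-NET ranges) and thresholds are constructed.

const CONSTRUCTED_AUTH_LOG = <<<'LOG'
2024-05-01T10:00:01Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:02Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:00:05Z ip=203.0.113.5 user=admin result=fail
2024-05-01T10:01:10Z ip=198.51.100.7 user=alice result=fail
2024-05-01T10:01:11Z ip=198.51.100.7 user=bob result=fail
2024-05-01T10:01:11Z ip=198.51.100.7 user=carol result=fail
2024-05-01T10:01:12Z ip=198.51.100.7 user=dave result=ok
2024-05-01T10:01:13Z ip=198.51.100.7 user=erin result=fail
2024-05-01T10:01:14Z ip=198.51.100.7 user=frank result=fail
2024-05-01T10:05:00Z ip=192.0.2.9 user=editor1 result=fail
2024-05-01T10:05:20Z ip=192.0.2.9 user=editor1 result=ok
LOG;

/** One event per line; lines that do not match the expected shape are skipped, not guessed. */
function parse_auth_log(string $log): array
{
    $events = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        if (preg_match('/^(\S+) ip=(\S+) user=(\S+) result=(fail|ok)$/', $line, $m)) {
            $events[] = ['time' => $m[1], 'ip' => $m[2], 'user' => $m[3], 'ok' => $m[4] === 'ok'];
        }
    }
    return $events;
}

/**
 * Per source IP: brute force = many failures concentrated on one or two accounts;
 * credential stuffing = roughly one failure each across many distinct accounts.
 * A success from an address classified as stuffing names an account to reset now.
 */
function classify_login_sources(array $events, int $bruteMin = 8, int $stuffMin = 5): array
{
    $byIp = [];
    foreach ($events as $e) {
        $s = &$byIp[$e['ip']];
        $s['fails']     = $s['fails'] ?? 0;
        $s['users']     = $s['users'] ?? [];
        $s['successes'] = $s['successes'] ?? [];
        if ($e['ok']) {
            $s['successes'][] = $e['user'];
        } else {
            $s['fails']++;
            $s['users'][$e['user']] = true;
        }
        unset($s);
    }

    $findings = [];
    foreach ($byIp as $ip => $s) {
        $distinct = count($s['users']);
        if ($distinct >= $stuffMin && $s['fails'] <= 2 * $distinct) {
            $findings[$ip] = ['pattern' => 'credential-stuffing', 'compromised' => $s['successes']];
        } elseif ($s['fails'] >= $bruteMin && $distinct <= 2) {
            $findings[$ip] = ['pattern' => 'brute-force', 'targets' => array_keys($s['users'])];
        }
        // A lone typo-then-success (192.0.2.9 above) matches neither and is left alone.
    }
    return $findings;
}

print_r(classify_login_sources(parse_auth_log(CONSTRUCTED_AUTH_LOG)));
```

Run with `php classify.php`; on the constructed input it reports 203.0.113.5 as brute force against `admin` and 198.51.100.7 as credential stuffing with `dave` listed as compromised. The same per-address counters are what a login rate limiter keys on, which is where the slide's point about attacks 1 and 2 turning into a denial of service comes in: the lockout itself must not be something an attacker can trigger against legitimate users by name.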
23
Targets on Publishing Sites
1. Many Users - Control Privileges and Passwords.
2. Privileged Users - Limit Administrators and Editors.
3. Many Places to Hide - Monitor Content and Changes.
4. Plugins - Fewer is better. Apply updates. Review changelogs.
WordPress Security for Publishers
24
Security for Everyone
Verizon Data Breach
Investigations Report
2024
Non-Malicious Human Element: 68%
Non-error, non-misuse, possible
carelessness or neglect.
Credentials: 31% over the past decade.
77% of web app breaches (2024)
24% of all breaches (2024)
Third-Party Partners: 15%
Vulnerable Software: 14%
Errors: 28%
25
What Makes Us Vulnerable?
Humans! Vulnerable Software. More Errors.
26
What should we do?
?
27
Threats, Mitigation, and Resilience
Planning and Best Practices
Unknown Threats
Known Threats
Risk Mitigation
Resilience to Stress and Harm
28
Planning and Best Practices
“Everyone has a plan until they get punched in the face.”
Tyson's Law
29
Planning and Best Practices
30
Practice failure.
Plan to be hit in the face.
Learn to take a hit and keep
functioning.
Planning and Best Practices
Teams must be allowed to fail.
But failing to recover from incidents is unforgivable.
Adrenalin does not scale.
Dennis Xu, Gartner Security and Risk Management Summit (Sydney 2024)
31
Evaluating Threats
What is the context?
Attack Vectors
Attack Surfaces
Vulnerabilities
Risks
32
Evaluating Threats
The Technical
Environment
The Human
Environment
33
Groups of
People
Distributed/Remote
Teams
Evaluating Threats
34
Evaluating Threats
35
Evaluating Threats
36
Evaluating Threats
37
Evaluating Threats
38
WordPress & Security
Evaluating Threats
39

Evaluating Threats
40
What is the best defense?
41
Not Most Security Plugins
Poor substitute for a good host
Potentially negative impact
Compliance bandaid
Easily misused
Pro Tip: The best ones don’t scan
for malware infections.
What is the best defense?
42

Open Source Transparency
Diligent Deployment & Management
Vigilant User Management
What is the best defense?
43
A Healthy Ecosystem
Security Advocates
Coding Standards
Security Patches
Timely Updates
Solid Hosting
What is the best defense?
44
Strong Technical Environment (Enterprise Hosting)
Well-Managed User Environment
Security Mindset
What is the best defense?
45
The Technical Environment: Defense in Depth
Network
Server
Application
Users
Personal Devices
Physical Security
What is the best defense?
46
Your Trusted Enterprise Hosting Partner
Isolated Resources, Containerization
Vulnerability Scanning, Code Scanning and Review
Continuous Monitoring, DDoS protection, Firewalls
Currently supported major PHP release
A+ SSL Certificates
Secure Server (SSH) and Network Connections
(VPNs)
What is the best defense?
Secure the Technical Environment
47
Secure the Technical Environment
Secure Your Networks
Company and Employee VPNs
Security Information and Event Management System (SIEM)
Security Operations Center (SOC)
Involve Your People
Perform Audits
Practice Incident Responses
Monitor Recaptured Breach Data
Build a Security Culture
What is the best defense?
48
Secure the User Environment
Strong, Unique Passwords and 2FA/MFA (Required)
Limit Privileged Users, Roles and their Capabilities (Defaults)
Limit User Sessions and Terminate Inactive Sessions (Defaults)
Lock Down User Role and Capability Definitions (Defaults)
Apply the Principle of Least Privilege (Required)
Continuous User Verification - Must Re-Authenticate! (Optional Default)
Restrict Privileged Users - IP Allow List / Device Policy (Recommended)
Monitor Privileged User Activity (Highly Recommended)
What is the best defense?
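Most of the user-environment controls on this slide can be set as defaults in code rather than left to each administrator's memory. The must-use plugin below is an added example, not code from the slides or from Multidots: it shortens sessions for privileged users, keeps them to one active session, restricts wp-admin for them to an IP allow list, stops non-administrators from handing out the administrator role, and logs privileged activity for the SIEM. The file name, the `euh_` prefix, the allow-list addresses (TEST-NET), the lifetimes and the use of the PHP error log as the log sink are all constructed assumptions; 2FA/MFA is not shown because WordPress core has none and it comes from a plugin or SSO provider.

```php
<?php
/**
 * Plugin Name: Enterprise User Hardening (added example)
 *
 * Added illustration, not code from the slides or from Multidots. Place in
 * wp-content/mu-plugins/ so it loads on every request and cannot be deactivated
 * from the dashboard. Allow list, lifetimes and log sink are constructed here.
 */

// "Privileged" here means anyone who can manage options (administrators on a single site).
function euh_is_privileged( int $user_id ): bool {
    return user_can( $user_id, 'manage_options' );
}

// 1. Limit sessions: privileged users re-authenticate at least every 4 hours, "remember me"
//    or not; everyone else gets 12 hours unless they ticked "remember me" (core default kept).
add_filter( 'auth_cookie_expiration', function ( $length, $user_id, $remember ) {
    if ( euh_is_privileged( (int) $user_id ) ) {
        return 4 * HOUR_IN_SECONDS;
    }
    return $remember ? (int) $length : 12 * HOUR_IN_SECONDS;
}, 10, 3 );

// 2. Terminate other sessions: a fresh privileged login invalidates that user's older tokens,
//    so a session stolen earlier stops working the moment the real user signs in again.
add_action( 'set_logged_in_cookie', function ( $cookie, $expire, $expiration, $user_id, $scheme, $token ) {
    if ( euh_is_privileged( (int) $user_id ) ) {
        WP_Session_Tokens::get_instance( (int) $user_id )->destroy_others( $token );
    }
}, 10, 6 );

// 3. IP allow list for privileged users on every wp-admin request. REMOTE_ADDR must be the real
//    client address: if a CDN or proxy sits in front, have the host restore it before PHP runs.
const EUH_ADMIN_ALLOW_LIST = array( '203.0.113.10', '203.0.113.11' ); // constructed office/VPN egress
add_action( 'admin_init', function () {
    if ( ! is_user_logged_in() || ! euh_is_privileged( get_current_user_id() ) ) {
        return;
    }
    $ip = $_SERVER['REMOTE_ADDR'] ?? '';
    if ( ! in_array( $ip, EUH_ADMIN_ALLOW_LIST, true ) ) {
        error_log( sprintf( 'euh: admin user %d blocked from %s', get_current_user_id(), $ip ) );
        wp_die( 'Administrative access is restricted to approved networks.', 'Forbidden', array( 'response' => 403 ) );
    }
} );

// 4. Lock down role and capability definitions: no theme/plugin file editing from the dashboard
//    (better still in wp-config.php), and only an administrator may assign the administrator role.
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
add_filter( 'editable_roles', function ( array $roles ): array {
    if ( ! current_user_can( 'manage_options' ) ) {
        unset( $roles['administrator'] );
    }
    return $roles;
} );

// 5. Monitor privileged activity: role changes, plugin activations and privileged logins are
//    written to the PHP error log, which the host forwards to the SIEM.
add_action( 'set_user_role', function ( $user_id, $role, $old_roles ) {
    error_log( sprintf( 'euh: user %d role %s -> %s by user %d',
        $user_id, implode( ',', (array) $old_roles ), $role, get_current_user_id() ) );
}, 10, 3 );
add_action( 'activated_plugin', function ( $plugin ) {
    error_log( sprintf( 'euh: plugin %s activated by user %d from %s',
        $plugin, get_current_user_id(), $_SERVER['REMOTE_ADDR'] ?? '' ) );
} );
add_action( 'wp_login', function ( $login, $user ) {
    if ( euh_is_privileged( (int) $user->ID ) ) {
        error_log( sprintf( 'euh: privileged login %s from %s', $login, $_SERVER['REMOTE_ADDR'] ?? '' ) );
    }
}, 10, 2 );
```

Test the allow list from a non-listed address before relying on it, and keep a break-glass path (SSH access to remove the mu-plugin) so a changed office IP does not lock every administrator out. The log lines use a fixed `euh:` prefix so the SIEM parser and alert rules can key on them.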
49
Security as Culture
What is the best defense?
50
What is the best defense?
Security Mindset
51
Zero Trust?
Surely we can’t
go on together
with suspicious
minds…
52
What is the best defense?
Changing the mindset
Third-party breaches are inevitable.
Fostering behavioral change is
better than trying to raise
awareness.
Security behaviour and culture
programs are effective.
Focus more on resilience than
front-loaded due diligence activities.
Start by strengthening contingency
plans: prioritize by risk.
Adopt specific practices like:
timely access revocation
data destruction
Human-centric security design reduces friction and drives adoption.
53
Securing
WordPress
for the Enterprise
1. Today's Threats
2. Best Practices
3. Threat Mitigation
54
dan.knauss@multidots.com
55
About Us
Multidots is a forward-thinking, full-service WordPress agency that
has successfully spearheaded complex projects since 2009.
Through carefully considered strategy and by optimizing workflows
for websites, we help digital publishers, content & editorial teams
and audience revenue experts maximize their performance online.
Companies seek out our assistance for their Strategy, WordPress
Support and Management, Security and Accessibility.
With a dedicated team of over 115+ full-time members, we
provide clients the confidence of being large enough to tackle their
most difficult challenges while remaining agile enough to offer
personalized care to each client.
Global Leader in WordPress
www.multidots.com
Founded
2009
Global Presence
USA, UK, India,
Canada, Germany
Team Members
115+
Clients Served
300+
56
57
Global Team.
Modern Teamwork
Multidots was established in 2009. In 2020 our team went 100%
remote and distributed. We’ve pioneered and refined this
operating model since then.
We source the best talent from across the globe and bring them
together in a vibrant, remote-first culture.
Our North American Division has representation throughout the
United States and Canada. We have team members located in
AMER and EMEA time zones backed by additional full time,
industry-leading experts working remotely from APAC.
We pride ourselves on becoming part of our clients’ team and
aligning to their requirements. With long established client
partnerships we’re helping them innovate and evolve in the
digital landscape.
About Us
Multidots & WordPress
We are one of only a dozen agencies
selected as an official WordPress
Gold VIP Agency Partner.
Our participation in this
highly-competitive program allows
us to provide our customers, with
best practice in code, validated
WordPress projects, access to
enterprise support, special features,
and the latest updates.
WordPress VIP Partner
-Multidots is the 3rd biggest contributor to the WordPress
open source project, and we’re pioneering new
functionality every day.
-89% of our team has contributed to WordPress,
WooCommerce, and BuddyPress releases. We’re actively
engineering and adding a new collaboration tool to
WordPress core.
-Multidots sponsors 7 contributors for a total of 200+
hours per week for the “Five For The Future” initiative by
WordPress.
-Multidots is actively attending, organizing and sponsoring
WordCamps and Meetups globally.
WordPress Contribution
Multidots is the creator of
‘Multicollab’, a globally used
WordPress plugin which lets users
collaborate on various Gutenberg
blocks to facilitate editing and
content management:
Compatible Blocks for Real-time
Collaboration. Compatible Blocks for
Commenting. Compatible Blocks for
Suggestions.
https://www.multicollab.com/
Our Plugin for Creators
58
59
Our Services
WordPress Website Development & Maintenance
CMS Migration to WordPress
WordPress Hosting Migration
WordPress Website Audit/Assessment
Plugin Audit & Development
WooCommerce Development
BuddyPress Development
API Development & Integration
Headless/Decoupled WordPress Development
Hire WordPress Developers
WordPress Security & Accessibility
WordPress Multisite Development
WordPress Performance Optimization
WordPress & Third Party Software Integration
WordPress Development
SaaS Product Development
API Development & Integration
Custom Tools Development
Custom Apps
Website Design
WordPress Theme Design
PSDs to HTML/CSS
Design Systems
Editorial Workflow Design
Graphic Design
User Testing
UI & UX Design
Website Testing
Automation Testing
Security Testing
Performance and Load Testing
Quality Testing
Discovery & Research
Competitive Analysis
UX Strategy
Content Strategy
Website Migration
Component Audit
Technical SEO
Strategy
Trusted by Leading Publishers
60
61
Thank you!
Get in touch with Dan at
dan.knauss@multidots.com
Visit www.multidots.com
to learn more about us.
We look forward to the opportunity of
working with you.
East Side, Kings Cross Station,
England, N1C 4AX
Europe
+44 203 3355 7775
801 Barton Springs Rd
Austin, TX 78704
USA
+1-646-586-5500