At WP Engine, we’re passionate about helping our customers learn and grow. In keeping with that ethos, we proudly present “Finely Tuned Expert,” a series of interviews with some of the brightest talents in tech, marketing, and (naturally) WordPress.

On this episode, we tackled the all-important topic of website security. We were joined by two members of the WP Engine security team, Security Director Eric Murphy, and Security Engineer Justin Dailey. Together, they painted a picture of the greater website security threat landscape and provided some tips on how to bolster WordPress site security.

Did you miss the live broadcast? No worries! Catch the full recording below or on the WP Engine YouTube channel.

Video Transcription: 

Jonathan: From wpestaging.qa you’re watching Finely Tuned Expert. A series of interviews with some of the brightest talents in tech, marketing and, of course, WordPress. On this episode, we’re tackling website security. Joining us to discuss this are two members of the WP Engine security team, security director Eric Murphy and security engineer Justin Dailey. Gents thank you so much for being on the show today.

Eric Murphy: Hello.

Justin Dailey: Hey, guys thanks for having us.

Jonathan: I guess for those who are watching the stream, Eric is on the right side. Eric, could you wave. Justin is here with us on the left. Just to keep that organized. To get going guys first I’d like to go over a little background on the both of you. Can you tell us about your jobs at WP Engine and what your day to day looks like as members of the security team?

Eric Murphy: Sure. I’ll go ahead and start. I’m Eric Murphy I head up the security organization for WP Engine. As far as background goes I’ve spent many, many, many years in security working in all different facets from government, education to security firms. I have a lot of experience in pen testing and red teaming as well as building security platforms. As far as WP Engine goes and what that day to day looks like many meetings. No, the day to day really involves running the engineering organization to build the security platform which encompasses many features for customers so on and so forth.

Jonathan: Cool.

Justin Dailey: I’m Justin Dailey. I’m one of our security engineers here at WP Engine. My background I actually started off in computer engineering with actually a more hardware focus. Over time gravitated towards the software stuff because that was my true calling I found. Then security was really what called my name. I just love the all aspects of it I guess. It requires a lot of knowledge, a lot of skill. It’s just fun overall. It’s a very fun place to work, in general.

Justin Dailey: I joined WP Engine and had a focus on testing automation and that came into security. In doing that day to day looks it varies a lot, to be honest. You moving in all different directions but largely working on technical implementations for our security platform, and our just ensuring that our customers are being kept secure in pretty much all aspects.

Jonathan: Right on.

Speaker 4: Awesome. Let’s start with a look at the current security landscape as it relates not only to WordPress but the internet as a whole. Can you break it down for us about the current state and how it may be different from even a year ago today?

Eric Murphy: Sure. I’ll take the first stab. There is a huge paradigm shift that’s happening in security. We’re seeing two different worlds of security melt. There’s this concept of corporate security which is very defensive oriented and then there’s this concept of modern security which is more red team offensive oriented. The two worlds are really colliding. The security community is really having a hard time finding good talent.

Eric Murphy: We’re in a talent deficit right now. However, how it’s different from years previous we’re dealing with all different kinds of challenges in relation to bad actors and the bad guys. Many of you probably already know and have heard of the concept of IoT, the internet of things, devices which these botnets … If you don’t know what a botnet is a botnet is really a series of machines that have been taken over by malicious software that are then used for malicious activity such as DDoS and things of that nature.

Eric Murphy: Where it’s different today is that these botnets are much larger in size. We’re seeing these IoT botnets take down huge, huge companies and really internet infrastructure. To relay and how it’s different is its unprecedented in the size of the attacks that we’re dealing with today as opposed to years previous. They’ve never gotten that big before. That’s really the big challenge of today.

Justin Dailey: It’s interesting to see the way that things have evolved and the IoT is one really interesting aspect of I that’s really coming to light recently. As far as the WordPress world goes it’s interesting to see as well. I guess WordPress it being such a large portion of the internet has become a large target as well. As attackers have seen oh, we can use these same patters of attacks to compromise multiple sites. That leads to some really interesting things as well such as lots of sophisticated tooling that the bad guys actually develop.

Justin Dailey: Automation in tooling. Scripts and stuff that they have to actually go out and identify WordPress sites and identify specific vulnerabilities in those sites and then export them without any manual intervention on their part. They just press a button and watch things happen. That’s a really scary thing and something that we have to watch out for. Then in addition to that tooling just knowledge sharing from the bad guys. It’s ever increasing.

Justin Dailey: They’re very good at collaborating which the good guy’s side struggles quite a bit with. Corporations struggle a bit with the active communication as opposed to bad guys who are just very fluid and they’re always sharing their knowledge in the new stuff they find. That just leads to worse and worse things and more challenges for us. One really something that’s come to light in recent months, years is just the social aspect of securities. That’s been a huge thing. Bad guys have identified that as actual technical security measures get better the weakest link in the chain if you will for security is actually people. The social aspect. There’s been a lot more targeted attacks in that area as well.

Eric Murphy: Actually, one other thing to expand upon. Nation states are much more actively involved. I mean, they’ve always been involved from the beginning but they’re much more public and social about it. That’s yet another element that we have to deal with. Sometimes the bad guys are very large. More importantly, sometimes the bad guys actually are misrepresenting themselves as good guys such as the NSA and so on and so forth. We’re seeing new challenges for sure.

Speaker 4: What can enterprise level site owners do to protect the WordPress sites and the sites that belong to their clients?

Eric Murphy: I think some of the biggest mistakes that I have witnessed with the enterprise in relation to security or even WordPress is they don’t have any semblance of a security team or security person. They specifically rely on internal IT to understand that security landscape and really what they can do to remedy some of the problems that arise. I think number one having an understanding of security. By having someone that’s dedicated to it is extremely important.

Eric Murphy: In addition, injecting security in the beginnings of code deployment. If you are creating a plugin or if you’re creating certain things security typically becomes an afterthought. In other words, let’s deploy the thing and then worry about security later. That’s another big mistake. We wanna inject security in the front of that process. Then lastly, really having good remediation strategies. Many enterprises rely on their hosting provider to essentially fix their hack WordPress site or address security concerns. Many of the good that hosting providers will assist and help with them. It’s also up to the customer to have some responsibility in managing security of their site.

Justin Dailey: Totally. It’s one of those things that especially for bigger corporations or bigger teams they do need to dedicate some resources to security and build that into their development workflow and their thought process and their architecture and everything. It’s something that often gets forgotten and then at the last second, it’s like, oh, did we consider security when we were doing this. It needs to be a developer mindset thing and really an overall mindset thing. Building that into your quality control, QA, QE processes, to even have automated security tests to make sure you are up to the bar on as far as the aspects of security on your site goes. Really important stuff. Resources should be dedicated to that. It should be prioritized. It’s a very important aspect that often goes overlooked until the last minute or until something bad happens.

Justin Dailey: Then building that up in layers as well just making sure that you’re not doing a single security solution that you expect to keep yourself safe. For instance, you don’t just put a WAF in front of your website and assume that you’re safe. You also have to have a WAF along with all users have to use strong passwords and two-factor authentication. We have active virus scanning. We use SSL. A combination of all these things to build layers upon layers. Really ensure that oh, if they do get through one layer well, at least we have all these other roadblocks ahead of them. That’s just some things that you can do to try to put things in place to stop the bad guys and then mitigate the danger if they are to succeed in some of their exploitations.

Jonathan: Of course, it’s not just the enterprise level sites that are at risk it’s the smaller sites as well. The bloggers, the hobbyists, the small businesses. What can those average mom-and-pop style online businesses do to protect their worker sites as much as possible without maybe the resources that a large corporate site might have?

Eric Murphy: Smaller sites have many resources available to them to understand security. Step one is really understanding what’s running on your site right. Many people have this concept of that they want to install whichever plugins they want to test things. They really don’t check into the background of these plugins. Who’s developing them? One of the problems with WordPress, and it’s strange, it’s a double edge sword. We’re lucky in a sense that we have access to all these themes and plugins but on the same side, we’re unlucky that we have access to all these themes and plugins because anyone can develop a plugin or theme that has some malicious intent. Or, perhaps the developers is more amateur in nature and does not I guess protect the plugin from being exploited.

Eric Murphy: From a smaller customer mom-and-pop perspective, it’s understanding the plugins that you’re installing. Also, updates. I can’t stress that enough. I think the last that we looked up to 85% of the vulnerabilities with the exploits that we’ve seen are mainly due to out-of-date plugins and themes. There’s huge tradeoffs there. People think well, I don’t wanna go update my theme because it’s gonna break something on my site. It’s actually better to update your theme even if it breaks something because you can fix the thing that broke. You’re gonna spend a lot more time and effort trying to remediate some pack then fixing some CSS or something like that.

Eric Murphy: It’s really two-fold. It’s updating plugins and themes, understanding what you’re running and then really researching and looking into the resources that you have available to you to understand common security threats. One of the things that we really recommend and this goes for enterprise and small business is to really understand the OWASP top 10. We can link that for you guys but that is extremely important to understand.

Justin Dailey: Totally. That’s one of the resource constraint things some of the smaller sites and smaller businesses are gonna struggle with. The best advice is to just echo what Eric said, do a little research. Understandable to have time constraint’s resource constraints everything but do yourself some justice and do some research. Give security some love. Make sure that you’re at least aware of what your current state is and what somethings that you could and are doing to mitigate those dangers are.

Justin Dailey: Just in addition to so OWASP top 10 I guess WordPress now is they have several security guidelines that they use for development as far as WordPress core goes. Accounting for the OWASP top 10. They got a little document they put out that details having an account for all those. They have a going into the plugins they have a review panel for the plugins that go into their repository. As Eric was saying anyone could make those plugins and then while people are trying to review them and ensure that they’re secure there’s human error involved in that as well. Making sure that you stick with the well maintains.

Justin Dailey: More popular plugins is usually a very, very smart thing to do. Updates make sure you either have automatic updates set up especially for core and even plugins if you can handle that. If you can’t do the full automatic update thing at least set up a notification system so when vulnerabilities or updates are disclosed for either core or your plugins make sure you get notified as soon as possible. Then make sure to prioritize those fixes for that. Or, if you have a test environment go install the updates in your test environment. Make sure everything looks good.

Justin Dailey: Just make you’re staying current with all that. That is the absolute lowest hanging fruit for WordPress is make sure everything is up-to-date. It is so surprising how many sites are compromised due to out-of-date plugins or core. It’s so easy for bad guys to see that and identify it and be like, “Oh, well, this is” … You become a product of opportunity at that point because they drive by they see that they identify that and then they’ll compromise you based on that. Whereas if they drive by and they see you and they’re like, “Oh, this guys up-to-date. I don’t really know how to exploit this easily.” They’ll just move on.

Jonathan: Well, I hate to cut this interview short but I have to go update all my plugins on my site.

Justin Dailey: Get on that.

Eric Murphy: To late.

Jonathan: It’s too late. All right, well, we were talking a lot about bolstering security and some of the ideas to do that. Does it come with a tradeoff? Should site owners be concerned that an increase in security could negatively impact overall say performance? If so, how might that be remedied or mitigated a little bit?

Eric Murphy: Yes. Absolutely. The security battle is always a tradeoff with the user experience right. The more layers of security that you have the more it’s gonna affect performance. The more it’s gonna affect how that user experience works and frequently it’s not just in WordPress it’s really any kind of web app. There are certain people that necessarily don’t understand those tradeoffs. Often times its business owners themselves whether that be enterprise or small business. To give you an example, if a designer wants to implement a new fence, so you drop a script button or something like that, they don’t necessarily understand the implication of that and how that could be exploited. We see that very frequently.

Eric Murphy: To answer the question most definitely there’s a tradeoff and it’s usually always user experience. Then you have to ask yourself well, what’s the middle ground? How can we get the best of both worlds? One of the things that WP Engine tries to do in that regard is build security into the backend as much as possible. The layers of security that we like to add are typically on the parts that the customers cannot touch. Same thing goes.

Eric Murphy: Customers that are either evaluating hosting providers or perhaps enterprise customers that are running their own instances one of the best things you can do is build as much security as possible in the backend. Whether that’s evaluating logs, adjusting firewall rules or maybe WAF implementation things like that are always very helpful. In regards to I guess the front end side of things it’s really just education. That’s where the compromise comes. You need to make sure that people that are implementing features, as well as the users, understand why we are doing something a certain way.

Justin Dailey: In addition to security being a tradeoff with customer experience in a lot of ways I think it’s also a tradeoff in engineering or development in a lot of ways as well. It becomes very challenging sometimes to do something the right and secure way rather than do something this way that I know how to do it or this way that I found this snip-it of code that does it on the internet. Or, the way this plugin does it or something like that. A lot of the times it’s more difficult from a development perspective to actually do things securely. It’s more time-consuming.

Justin Dailey: It can be more difficult to architect and you really have to have a holistic view and take into account all aspects of your site, your system, what you’re developing and understand the threats there. It’s so important to put emphasis on that. I mean, security for websites it’s a requirement to remain relevant. I mean, if you have poor site security you’re gonna lose your trust. It’s gonna be headache after headache after headache. You just can’t run a credible website sustainably without incorporating security into it.

Eric Murphy: When you say remain relevant part of what you’re describing there is SEO, is that correct?

Justin Dailey: SEO. User-base. If you’re running an e-commerce store. Any of that really. If you neglect security it will eventually come back to bite you. You’re gonna lose user trust, which is visitors right customers. Eventually, it will come back to bite you.

Eric Murphy: To just expand on that. If, for instance, you neglect your security implementation and your site becomes compromised not only are you exposing your user data which affects your trust but the example that you gave in regards to SEO, often times you’ll see this concept of black hat SEO. Where you don’t necessarily know your sites compromised but your SEO and your rankings are being greatly affected by what was injected by the bad actor right. If you neglect security especially as it pertains to WordPress and plugins and themes there’s really only a negative effect right. In other words, you’re prolonging the inevitable. You’re gonna as Justin said it’s headache after headache. You wanna do your due diligence and you wanna ensure that you’re addressing security especially as vulnerabilities come out so you don’t have to deal with these situations.

Jonathan: Gotcha.

Speaker 4: Let’s talk about the common misconceptions you hear about security. What are they and what are your responses? Here’s one to get you started. If I have SSL my site is secure right?

Eric Murphy: That’s a good one. Let’s talk about that for a minute. Before I get into the SSL part I wanna talk about WordPress core. Often times especially when you’re dealing with developers or especially in the enterprise. I hear this frequently. We can’t use WordPress for our enterprise site because it’s insecure. Typically, people refer to WordPress core. The good news is WordPress corporate is actually pretty good about security. Sure there’s vulnerabilities that appear, but they’re much more infrequent compared to plugins and themes. In fact, there’s a fairly extensive review process within WordPress core.

Eric Murphy: I think that’s the first thing to debunk is when people are talking about security and WordPress. More often than not they’re referring to themes and plugins that are exploitable not necessarily WordPress core. Now, that changes as someones running a WordPress version that’s two years out-of-date, of course. No. I think it’s important to debunk that part.

Eric Murphy: As far as SSL goes these days I think we’re starting to understand especially with services like Let’s Encrypt. The SSL is more or less a requirement. Yes, data is encrypted in transit. Sure that’s great but that’s not the only thing that you need to do to secure your site. In other words, we need to move away from this paradigm of oh, I’m gonna obtain an SSL cert, and my sites gonna be secure too. SSLs is a requirement of my site what else can I do to protect it? Justin, do you have any other comments?

Justin Dailey: Totally. Lots. There are lots and lots of common conceptions about security. One that I find really comes up all the time is people expect to be able to do something like have an SSL cert or install plugin or enable two-factor on my site. Things like that just to do one thing and that means your secure right. There are lots and lots of different ways to improve security at both sites. WordPress sites, in particular. You really need to use a combination of those and educate yourself. There’s plenty of resources out there to be able to understand what the general threats to a WordPress site are.

Justin Dailey: The big thing is to educate yourself with that. Understand what are the general threats that my site faces? What am I doing to mitigate XY and Z? If you can’t answer those questions then you need to continue thinking about it. Go out there and … There’s plenty of resources on the internet right. Lots of people write articles, blog posts everything talking about how to improve the security of your site. Some of them are not the best but if you’re diligent about it you can find good resources to help guide you in the right direction.

Eric Murphy: I think to further debunk misconceptions. People have this idea where if they install a security plugin, or they run SSL then they’re good to go. Good security’s all about layers. You’re never gonna be 100% hack proof. What you can do is implement layer upon layer upon layer upon layer. That really goes for all the different levels right. There’s host-level security. There’s network level security and there’s application level. Many people when they talk about WordPress they’re referring to the application level. Often time the network or the host level are neglected.

Eric Murphy: Don’t get me wrong there are certain responsibilities depending on if you’re hosting yourself or what the hosting provider can offer. I would say that’s actually a big misconception. You really wanna understand how your site’s being hosted and what protections your provider is offering you. Yes, you can do your due diligence and you can enable SSL and you can harden WordPress and you can install certain plugins that help you monitor the application level. Those other two areas network and host are equally as important. In other words, if you’re in a shared environment and your neighbor gets compromised how are you protected? These are things that you definitely wanna understand and really articulate with your hosting provider. Where is the line drawn? Who is responsible for network and host level security?

Justin Dailey: Absolutely. Just one last thing I wanna add to that is the misconception that if I made my site secure then I don’t have to worry about it anymore. Unfortunately, that’s not the case at all.

Eric Murphy: That’s not true? I thought that was true.

Justin Dailey: No. It’s just an ever-changing landscape. Attackers are always trying to … As you put walls up they’re figuring out ways to jump over those walls or break through those walls or dig under those walls. Or, disintegrate those walls. You name it they’re trying to figure out how to do it. It’s something that you just have to continue to put attention into. It doesn’t have to be your 100% focus every day but maybe make it your 10% focus. At least put some time into it and think about it.

Jonathan: All right. Well, we’ve got a little bit of time left and I wanna use this to talk about what’s next. Where is WordPress security heading in the near future? Where do you guys see modern web security threats continuing to evolve?

Eric Murphy: I’ll take a stab at this one first. It’s a very interesting question. I’m gonna break it down. As far as WordPress goes I think the proliferation of API back services, microservices is gonna become ever more prevalent. For example, the way that WordPress operates internally or how plugins communicate with WordPress core I think we’re gonna see changes there. I think another really important aspect and this is really the community as a whole. This is something that WP Engine is trying to help spur the change on is that community threat sharing. It is extremely important that hosting providers, content developers, plugin and theme developers share threat data amongst themselves.

Eric Murphy: Today, there’s not many good ways to do that. Sure there’s semblance of bug bounty programs. There’s actually a framework that WP Engine is investigating which is I think it’s collective intelligence framework. Those things are gonna be vitally important. As Justin alluded to bad guys are really good at sharing information and good guys are not. That’s one area that we want to change and help spur change in. Anything that we can do not only at WP Engine but individuals that contribute to sharing intelligence data such as log data and so on and so forth will greatly help the community and help push security in the right direction.

Eric Murphy: The whole idea is we wanna understand what the bad guys are doing but more importantly we wanna predict what’s coming next. I think that prediction is very difficult to do in its current form. That’s one area that I think the communities gonna move towards is this idea of threat sharing. Then, of course, WP Engine is gonna be actively involved in that. Hopefully, really spurring that movement.

Justin Dailey: Totally. Then as far as WordPress goes, in general, the community for WordPress has come to adopt security as more of a I guess first-tier requirement. There’s started to be more focus on it over the past few years. People have really started to understand oh, this is one the most important things about my website. That’s one of the messages we’re trying to drive home communicate as well. I think there’s been pretty good reception from that around the WordPress community. People have started to open their eyes, which is awesome. I think that’s gonna lead to some continual improvements as far as the way WordPress security is managed. The way plugin security is managed. They’ve already introduced some things like automatic core updates became a standard WordPress feature. That was a while back. Things along those lines to continue to drive the entirety of WordPress in a more secure direction.

Justin Dailey: Then as far as the general landscape of the internet goes, you’re gonna continue to see more sophisticated and complex bad actors. They’re gonna get better and better. I was talking about before just their tooling is gonna improve. They get smarter. They get more collaborative. They figure out new ways to get over hurdles. For them, it’s a the challenge is always how can I take this further? How can I do something that I wasn’t doing before? Or, if, in the case, where mitigation’s have been put in place how do I get around those now? It’s always new challenges for them, and they’re always trying to take a step further in your will. We always have to try to do the same thing.

Justin Dailey: From the good community aspect, all the stuff Eric was talking about is excellent. Increasing our collaboration. Really knowledge sharing and becoming more sophisticated as a whole on the good side of things is really gonna help us stand up against the bad guys because they’re not necessarily coming at us one and one and one separate entities. It may be separate entities but that are collaborating very closely with others or maybe the entire group coming to run an attack campaign on a series of sites and things like that. Just better collaboration from the good side of things, and we’re continuing to try to develop new solutions and new auditing mechanisms. Just ways to understand the landscape and what they’re doing better and faster. Be able to identify and stop them before … Even faster than we did before. Before they can do damage.

Eric Murphy: I think one last comment to add there is also there’s fairly new concepts in how to deal with threats. Again, from the corporate security landscape, it’s very much a defensive posture. That’s starting to change and evolve where people are now taking action against attackers. Not only legally but there are times when the best way to defeat an attack campaign is actually to attack the attacker back. That’s something that we take very seriously and why red teaming, for example, and attack campaigns from a defensive posture is extremely important. I think we’re gonna start to see that evolution as well. That this concept of hack the bad guy before he hacks you is turning out to be a very real thing.

Speaker 4: All right. That is it for this edition of Finely Tuned Expert. Eric and Justin thank you so much for being on the show with us today.

Eric Murphy: No problem.

Justin Dailey: Thanks, guys.

Speaker 4: For more on security, you can head over to wpengine. Com/blog. We’ll be updating the show notes for this episode with linked helpful security articles and sites courtesy of Eric and Justin.

Jonathan: Hey guys, great job. Maybe we should make this a regular thing. Talk more about security on a future episode. Would you guys be down for that?

Justin Dailey: Secure all the things or make all the things.

Jonathan: All right. Well, as always you can watch this episode of Finely Tuned Expert on the wpengine blog that’s wpestaging.qa/blog. Of course, on our wpengine YouTube channel. Enjoy that and we’ll see you next time on Finely Tuned Expert.

Justin Dailey: All right.