Listen: https://episodes.castos.com/wpbuilds/wpbuilds-episode-141.mp3
In this episode:
Discussion - Feeling insecure about security (Part 2)
So this is part two of our discussion of WordPress security. I think you could well listen to this episode in isolation, but it might be better if you went back to episode 140 and finished that one first. I will leave that decision to you!
A brief recap of last week, though, in case you don't want to do that. We discussed:
- Non-WordPress security matters: the data we keep, how we store passwords
- How we manage sites that we pass over to clients if we know that we won't be managing them going forwards
- What we have done in the past with our WordPress website care plans and what we were promising
We start the discussion this week by listing out our experiences of the security solutions that we have come into contact with. This is certainly not an exhaustive list, and it is not intended as a set of preferences. It's just what we've heard of and, in most cases, what we have tried out ourselves. I'm sure that you could add other plugins to the list, and you likely have different opinions as to what works best in the environment that you have set up.
Some of the security plugins feel a bit like car insurance, in that you don't know how good they are (for you) until something goes wrong. There is a whole lot of overlap too; many have features that are already taken care of in other ways (i.e. database prefixes, file permissions, strong passwords).
- Wordfence - resource heavy, confusing, prone to giving false positives, but the scanner is brilliant.
- iThemes - good on prevention and lightweight, but uses Sucuri's malware scan. All in one security made for beginners.
- Malcare - brilliant for not using server resources, avoids false positives, and probably best of all, they will look at the problem if the one-click solution does not work.
- WebARX - has a ton of fans, and I see Oliver Sild being very active. I missed the AppSumo deal and regret it. Another that uses no server resources. I have started to use this more recently and have been happy to see that it's blocking some intrusions.
- BulletProof Security - we have no idea about this one. It is complex and has a scanner.
- SecuPress - no idea. Has a scanner. Is pretty if you don’t mind them changing the WordPress look (it came out of WP Rocket).
- Sucuri - I think their selling point is their support, real humans will fix your site for a fee.
- Defender - WPMU Dev hardening offering which has a similar set of features to the hardening aspects of iThemes.
- Blackhole for Bad Bots and BBQ Pro
One of the things that comes out of this discussion is that most people (including ourselves) don't really understand the implications of all of the options in these security solutions. We can read the help text that accompanies the check boxes or fields, but this only gives us a cursory understanding at best. We are people who work with technology; non-technical website users would have even less of a clue, and so that creates a problem for us.
Should we tick boxes if we don't fully understand what we're doing? Should we stay with the default set-up, as we can have some confidence that this is what the developers of the plugin think is the 'best' set-up out of the box?
Beyond the options that we're presented with, do we even know what the plugin is doing for us on a day-to-day basis? If we get no alerts, does that really mean that all is well? The opposite might also be true: do we get so many email alerts that we simply never bother to open them, because the last 241 emails contained the exact same text informing us that all is well and there's nothing to see here?
Are we deploying multiple solutions into the same website and suffering from bloat and option overlap? I've heard that this happens quite a lot, the thought being that more layers of defence is better, but I'm really not too sure if it is. In fact, might we be compromising both plugins if they're trying to do the same thing? Again, we're back to the problem that we don't really know what these solutions are doing.
Towards the end of the episode we talk about what it is that we're actually doing in our businesses to promote security to our clients.
David's list is as follows:
- All clients are going to get the Editor role, which he can modify for more capabilities if required.
- Scanning will inform the quality of the backups: whether or not an error has occurred and how far back the backups can be trusted. This scanning is going to be made up of MalCare and Wordfence.
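As an added example (not code from the podcast or from David), here is one way to give clients a customised Editor role from a small plugin. The extra capability list is an assumption; WordPress writes role changes to the database, so they are applied once on activation and reverted on deactivation rather than on every request.

```php
<?php
/**
 * Plugin Name: Client Editor role tweaks (hypothetical example)
 */

// Assumed list of capabilities the client Editor should gain on top of the defaults.
// edit_theme_options unlocks menus, widgets and the Customizer, which clients often ask for.
function wpb_client_editor_extra_caps() {
    return array(
        'edit_theme_options',
    );
}

// Grant the extra capabilities and trim one risky default.
function wpb_grant_client_editor_caps() {
    $role = get_role( 'editor' );
    if ( ! $role ) {
        return;
    }
    foreach ( wpb_client_editor_extra_caps() as $cap ) {
        $role->add_cap( $cap );
    }
    // On single-site installs the Editor role has unfiltered_html by default, which
    // allows raw <script> tags in posts. A client account does not need that, so
    // removing it limits what a compromised client login can inject into pages.
    $role->remove_cap( 'unfiltered_html' );
}
register_activation_hook( __FILE__, 'wpb_grant_client_editor_caps' );

// Put the role back to its stock shape if the plugin is deactivated.
function wpb_revoke_client_editor_caps() {
    $role = get_role( 'editor' );
    if ( ! $role ) {
        return;
    }
    foreach ( wpb_client_editor_extra_caps() as $cap ) {
        $role->remove_cap( $cap );
    }
    $role->add_cap( 'unfiltered_html' );
}
register_deactivation_hook( __FILE__, 'wpb_revoke_client_editor_caps' );
```

Drop this into wp-content/plugins/ and activate it. If you later change the capability list, deactivate and reactivate so the stored role is rewritten; a quick check is to log in as the client and confirm Appearance > Menus is visible while Plugins and Settings are not.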
Nathan's list is as follows:
- I'm going to create full site backups of all sites every day. These are then stored in multiple off-site locations and are never deleted. The repo just gets bigger and bigger!
- I'm going to do a daily scan with something like Wordfence.
- Use some hardening techniques, such as blocking multiple login attempts with IP banning.
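The login-attempt limiting Nathan mentions is the kind of thing a plugin does for you, but it is small enough to show in full. This is an added example, not code from the podcast or from any of the plugins listed above. It assumes the site is not behind a reverse proxy (otherwise REMOTE_ADDR is the proxy, not the visitor) and the limits are made up: five failures from one IP within fifteen minutes locks that IP out for fifteen minutes.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (hypothetical example)
 */

// Assumed limits for the example.
const WPB_MAX_FAILURES    = 5;
const WPB_WINDOW_SECONDS  = 15 * MINUTE_IN_SECONDS;

// Source address of the current request. Behind Cloudflare or another proxy you
// would instead read the header that proxy sets, and only trust it from the proxy's IPs.
function wpb_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function wpb_failure_key( $ip ) {
    return 'wpb_login_failures_' . md5( $ip );
}

// Count each failed login against the source IP; the transient expires on its own.
function wpb_record_failed_login( $username ) {
    $key   = wpb_failure_key( wpb_client_ip() );
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, WPB_WINDOW_SECONDS );
}
add_action( 'wp_login_failed', 'wpb_record_failed_login' );

// Once the limit is reached, reject the login even if the password is right.
// Priority 30 runs after core's own checks (priority 20) so this verdict wins.
function wpb_block_locked_ip( $user, $username, $password ) {
    $key = wpb_failure_key( wpb_client_ip() );
    if ( (int) get_transient( $key ) >= WPB_MAX_FAILURES ) {
        return new WP_Error(
            'wpb_locked_out',
            __( 'Too many failed login attempts. Please try again later.' )
        );
    }
    return $user;
}
add_filter( 'authenticate', 'wpb_block_locked_ip', 30, 3 );

// A successful login clears the counter for that IP.
function wpb_clear_failures( $user_login, $user ) {
    delete_transient( wpb_failure_key( wpb_client_ip() ) );
}
add_action( 'wp_login', 'wpb_clear_failures', 10, 2 );
```

Because the authenticate filter also runs for XML-RPC and the REST login paths, this covers more than the wp-login.php form. The trade-off is the one the episode keeps coming back to: an office or mobile network sharing one public IP can be locked out by a single person mistyping their password, so keep the window short and make sure you can clear the transient from the database if you lock yourself out.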
I'm sure that your set-up is quite different, and I'd be really interested to hear your thoughts on this subject. You can leave comments below, or why not head over to the WP Builds Facebook group and get in on the conversation over there?