This past Friday, I gave a 20-minute presentation on WordPress security, giving a high-level overview of things you can do to help keep your sites secure.

The Presentation

Here's a SlideShare embed of the presentation deck:

And you can download the Keynote source file for my presentation, including presenter notes.

Twitter Questions

As part of my talk, I asked attendees to submit any questions they might have had via Twitter using the hashtag #wpvipsec. Here are the questions I received, and some brief answers to them as best I can provide.

As we have been transitioning some of the WordPress.com VIP platform to our next-generation VIP Go platform, we've had to reinvent some of this stuff slightly. :) You'll be pleased to know that we have made the mu-plugins we use on VIP Go publicly viewable on GitHub, and you can see our custom two-factor module there.

https://twitter.com/NelsonTheFresh/status/936659951711408129

I don't know very much about securing sites via VPN, but I'm assuming here that you have site access (even the front end) locked to internal IPs that are reachable only over that VPN connection. That should handle a large portion of your security against outside attack, assuming the VPN itself is configured with appropriate security precautions.

At this point, your chief enemy is likely to become human error. This is where the parts of the talk about limiting user capabilities and restricting access to certain settings pages can really help you out. Making sure your users follow good account security practices when connecting to the VPN is also critical.

As I suggested in the Q&A after the talk, I highly recommend that user roles and capabilities be in your WordPress engineering toolbox. They are enormously useful.

Multisites are interesting because they have additional layers of user access. Let's look at the two admin roles:

Super Admin: This should be as limited as humanly possible. The only users who should have Super Admin powers on a multisite, in my opinion, are system administrators, your development team, and support users who regularly assist other users with account-level actions. (An additional user or two might be necessary if you have people who need to spin up new sites on demand rather than contacting your support team.) You should certainly require two-factor authentication here, and if you can require proxy or VPN access at this level, you absolutely should look into that as an option.

Administrator: This is going to be on a site-by-site basis within the multisite. If you can craft custom roles and their capabilities finely enough for your needs so that non-development users who are "in charge" of a site can use those roles instead of full Administrator, you should absolutely do this. Ideally, this user group and the Super Admin user group are as close to identical (and as limited) as possible.

The remainder of the roles are easier to parse. I'd like to especially recommend here (as I did during the talk) the use of an audit trail plugin: with many users working across sites, some of them with Super Admin powers, knowing which user performed which action becomes all the more valuable.
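The limited non-developer role and the audit-trail point above, as an added example that is not from the post or from the VIP mu-plugins; the role name, function names and log-line format are my own, and only core WordPress APIs are used:

```php
<?php
/**
 * Added example (not from the post): a limited "Site Manager" role for
 * non-developer site leads on a multisite, so they need not be full
 * Administrators, plus a log line for every role change so an audit trail
 * can answer "who changed whose role?". Names are hypothetical.
 * Intended for an mu-plugin; uses only core WordPress APIs.
 */

// Create the role once, cloning Editor (content only: no settings, themes, plugins).
function vipsec_register_site_manager_role() {
    if ( get_role( 'site_manager' ) ) {
        return; // Already stored for this site; add_role() persists to the DB.
    }
    $editor = get_role( 'editor' );
    if ( ! $editor ) {
        return;
    }
    $caps = $editor->capabilities;
    $caps['list_users']    = true; // Can review who has access to the site.
    $caps['promote_users'] = true; // Can change existing users' roles...
    $caps['remove_users']  = true; // ...and remove users from this site.
    // Deliberately NOT granted: manage_options, edit_theme_options,
    // switch_themes, activate_plugins, create_users, delete_users.
    add_role( 'site_manager', 'Site Manager', $caps );
}
add_action( 'init', 'vipsec_register_site_manager_role' );

// Stop a Site Manager from promoting anyone (including themselves) to Administrator.
function vipsec_restrict_editable_roles( $roles ) {
    if ( ! current_user_can( 'manage_options' ) && ! is_super_admin() ) {
        unset( $roles['administrator'] );
    }
    return $roles;
}
add_filter( 'editable_roles', 'vipsec_restrict_editable_roles' );

// Record every role change together with the acting user and the site it happened on.
function vipsec_log_role_change( $user_id, $role, $old_roles ) {
    error_log( sprintf(
        '[role-change] site=%d target_user=%d new_role=%s old_roles=%s by_user=%d',
        get_current_blog_id(),
        $user_id,
        $role,
        implode( ',', $old_roles ),
        get_current_user_id()
    ) );
}
add_action( 'set_user_role', 'vipsec_log_role_change', 10, 3 );
```

On a multisite the role is stored per site, so the registration function runs on each site where the mu-plugin is loaded; an audit trail plugin would normally replace the `error_log()` call with its own store.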

Additional Questions?

If you have any questions that haven't been covered above or in the talk, please send me a reply on Twitter and I'll be happy to drop them in the post and let you know when I have updated it.

I'll be updating this post occasionally with new information, as well as a link to the talk's video archive when it's available. To be notified of this, please either follow my blog or follow me on Twitter.

It’s time to look forward to WordCamp US at the end of the year: seeing lots of familiar faces, attending fantastic sessions by creative and knowledgeable people, and volunteering to help create a great event for every attendee.

Last year, I gave a lightning talk on code review that I thought went very well; it was an adaptation of a talk I gave earlier in the year at WordCamp St. Louis based on the experience I’ve had with code review as a culture-centric thing at Automattic and specifically on the WordPress.com VIP team.

The deadline for talk submissions for this year is tomorrow, and so far, I have submitted two talks (I’ll bring up the third in a bit here):

Security, the VIP Way

My VIP team colleagues suggested this topic. We deal with some pretty large sites with lots of users, and can be the target of attacks by unsavory people, so we have developed security policies and best practices that we have found to be successful. I think I could relay some of these practices and give good examples in an engaging way.

I submitted this as a 50-minute talk, but it could be adapted as a lightning talk. I think this talk is pretty straightforward and would need some creative slide-deck work to make it engaging in my particular style.

User Support: Playing to Win

OK, so this one is a long shot—and to be honest, I haven’t written it yet, but it’s nearly fully formed in my head. Support has been my career for over a decade now.

I have also played fighting games for a huge chunk of my life, but only in the last few years have I taken playing them seriously and competitively.

Fighting games are about resource management, spacing, timing, and adaptation. It struck me at one point that a lot of that is very similar to how I approach support interactions. I want to find a way to bridge those metaphors in a talk.

This would almost definitely be a lightning talk, and I submitted it that way. The slide deck would be really challenging and enjoyable to create. I’m secretly hoping this one is chosen.

A Third Talk?

Just a bit earlier this evening, I considered submitting a third talk based on my blog post from last night, regarding advice for applying to Automattic. After I wrote it, it occurred to me that a lot of what I talk about in the back half of the post is less specific to Automattic and more interesting in the context of open-source-related companies, of which Automattic is one.

But when it came time to write the abstract, I couldn’t come up with a good way to frame the talk that wouldn’t come across as “hey, you should come work at Automattic.”

The concept I had: I would talk with some other people at other WordPress-ecosystem and maybe even other OSS-ecosystem companies, and gather some more information from them about their workplaces and what they like to see.

In the end, because of where I work, there are optics to consider. Does it come across as a recruitment effort? Some people might look at it and think that it does, especially since I would be referencing a post that’s specifically advice for people who might want to work here. What I would love to get across is that there are lots of great companies in the WordPress orbit that people can work for, or could start, and I suspect they share these open-source traits. It’d probably be interesting.

But I won’t be submitting that one. I feel comfortable talking in my own space here about the work culture of Automattic and why I love working there (and I do this often because it’s all true), but I’m not comfortable making that the subject of a talk at one of the two big gatherings of people from across the WordPress community. It could be interpreted in a way I’d rather not evoke if I can avoid it.

How’s The Third Talk Different from The First Talk?

(Thought I’d address it because I know someone will think it.)

To be concise: I think there’s a big difference between sharing best practices concerning the WordPress software and supporting users and giving a talk where my workplace is a focus. Bonus: at VIP, we work in partnership with various agencies and WordPress users, so many of those best practices have developed in active collaboration. I feel comfortable sharing those practices in a broader arena without making it overly Automattic-centric.