WordCamp US 2017 Presentation: Security, The VIP Way

This past Friday, I gave a 20-minute presentation on WordPress security, giving a high-level overview of things you can do to help keep your sites secure.

The Presentation

Here's a SlideShare embed of the presentation deck:

And you can download the Keynote source file for my presentation, including presenter notes.

Twitter Questions

As part of my talk, I asked attendees to submit any questions they might have had via Twitter using the hashtag #wpvipsec. Here are the questions I received, and some brief answers to them as best I can provide.

As we have been transitioning some of the WordPress.com VIP platform to our next-generation VIP Go platform, we've had to reinvent some of this stuff slightly. :) You'll be pleased to know that we have made the mu-plugins we use on VIP Go publicly viewable on GitHub, and you can see our custom two-factor module there.

I don't know very much about securing sites via VPN, but I'm assuming here that you have site access (even front-end) locked to internal IPs only based on that VPN connection. That should handle a large portion of your security from outside attack, assuming the VPN is using appropriate security precautions.

At this point, your chief enemy is likely to become human error. This is where portions of the talk surrounding things like limiting user capabilities and access to certain settings pages can really help you out. Making sure your users are following good account security processes for connecting to the VPN is also critical.

As I suggested in the Q&A after the talk, I highly recommend that user roles and capabilities be in your WordPress engineering toolbox. They are enormously useful.

Multisites are interesting because they have additional layers of user access. Let's look at the two admin roles:

Super Admin: This should be as limited as humanly possible. The only users who should have superadmin powers on a multisite IMO are system administrators, your development team, and support users who will be assisting other users with account-level actions regularly. (An additional user or two might be necessary if you have people who need to spin up new sites on-demand rather than contacting your support team.) You should certainly require two-factor authentication here, and if you can require proxy or VPN access at this level, you absolutely should look into that as an option.

Administrator: This is going to be on a site-by-site basis within the multisite. If you can craft custom roles and their capabilities finely enough for your needs so that non-development users who are "in charge" of a site can use those roles instead of full admin, you should absolutely do this. Ideally, this user group and the Super Admin user group are as close to identical (and as limited) as possible.

The remainder of the roles are easier to parse. I'd like to especially recommend here (as I did during the talk) the use of an audit trail plugin: as you will have many users working on sites, some of them with Super Admin powers, knowing which users performed which actions becomes all the more helpful.
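As an added illustration of the "craft custom roles instead of handing out full admin" and "limit access to certain settings pages" advice above (example code written for this post, not the VIP mu-plugins; the role name `site_manager`, the function names and the `example_` prefix are assumptions), here is a small mu-plugin that registers a restricted site-owner role built from Editor and keeps the core settings screens Super Admin only:

```php
<?php
/**
 * Plugin Name: Site Manager Role (example, not VIP's own code)
 *
 * Drop into wp-content/mu-plugins/ on a multisite. Registers a "Site Manager"
 * role so the person "in charge" of a site does not need Administrator.
 */

add_action( 'init', 'example_register_site_manager_role' );
function example_register_site_manager_role() {
	// Roles are stored per site; only register once.
	if ( get_role( 'site_manager' ) ) {
		return;
	}

	// Start from Editor: full control over content, no control over site configuration.
	$editor = get_role( 'editor' );
	$caps   = $editor ? $editor->capabilities : array( 'read' => true );

	// Add the few admin-level capabilities a day-to-day site owner actually needs.
	$caps['list_users']         = true; // see who has access to the site
	$caps['edit_theme_options'] = true; // menus, widgets, customizer

	// Deliberately NOT granted (left to Super Admin / the dev team):
	// manage_options, create_users, delete_users, promote_users,
	// install_plugins, activate_plugins, edit_plugins, edit_themes, update_core.
	add_role( 'site_manager', 'Site Manager', $caps );
}

/**
 * Belt and braces: even if a plugin later grants manage_options to a lesser
 * role, keep the core settings screens restricted to network administrators.
 * Everything that matters is logged by your audit trail plugin anyway, but
 * a 403 here is cheaper than cleaning up after a changed site URL.
 */
add_action( 'admin_init', 'example_lock_settings_pages' );
function example_lock_settings_pages() {
	$locked = array( 'options-general.php', 'options-writing.php', 'options-reading.php' );

	if ( in_array( $GLOBALS['pagenow'], $locked, true ) && ! is_super_admin() ) {
		wp_die(
			'This settings page is restricted to network administrators.',
			'Forbidden',
			array( 'response' => 403 )
		);
	}
}
```

Assign the new role through Users, then review it in the admin with the network's Super Admin account to confirm the locked screens really are unreachable for the Site Manager.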

Additional Questions?

If you have any questions that haven't been covered above or in the talk, please send me a reply on Twitter and I'll be happy to drop them in the post and let you know when I have updated it.

I'll be updating this post occasionally with new information, as well as a link to the talk's video archive when it's available. To be notified of this, please either follow my blog or follow me on Twitter.

More WordPress.com VIP Open Source

At WordPress.com VIP, we are currently hard at work designing new platform services for our clients we think will help us take their sites to the next level of WordPress awesome. And today, my colleagues open sourced two of the tools we are using internally.

(Both of them are used on this very site, actually—because my blog has been running on our new platform as a test for some time now.)

The first is VIP Jetpack, which is a series of forced module activations and testing preparation we use with the Jetpack plugin suite for VIP Go. (Yes, this site and other sites on VIP Go always use Jetpack. No, it’s not a performance hog.)

The second is VIP Support, which we use to access client administration pages when troubleshooting a site. This ensures that we don’t always have admin access to client sites, but that we can assist when something goes wrong.

This project is so exciting for me, because we have a dedication to developing as much as we can in the open, a test-driven development process, and a peer review-heavy culture. I’m not actually generating any of the code you see in these repos, but that doesn’t mean I’m not proud of what we are accomplishing and how we are doing it.

By the way, the source used to power this site on that same platform is available here; I’m working on things in the open as well even though I don’t have much time to work on them. :)

I Helped Launch This: Major Nelson 4.0

I love days like this one where we get a new site off the ground on WordPress.com VIP and I can finally talk about cool things I’ve been working on.

First, a little back story: In late 2010 and early 2011, I had heard that Major Nelson was looking to move from Telligent Community to another CMS for his site. I reached out via email and had some conversation with him about WordPress as an option.

Thankfully, the suggestion was a good one and he transitioned the site a couple of months later to be on WordPress, where it’s been ever since.

At the time, I’d brought up the idea of WordPress.com VIP as an option, but the time wasn’t right and instead majornelson.com ended up as a—still awesome—self-hosted site.

Time passes.

A few months ago, my colleague Nick Gernert posted to our team to note that we had reached out to the Xbox team to see if WordPress.com VIP was a good fit. It is, and for the last couple of months, I’ve been assisting with the migration and support for the new majornelson.com, which launched this morning in advance of E3.

Take a look! I think it looks fantastic—especially the podcast post views. They look really sharp.

And welcome to WordPress.com VIP, Major! I’m happy to be part of the team that will be supporting your site.

2014 at WordPress.com VIP

My colleague Steph just posted our year in review post for the WordPress.com VIP team at Automattic, and it’s a cool read if you want to see the kinds of things I work with on a daily basis:

2014 has been a big year at WordPress.com VIP. So far, we’ve served more than 28 billion pageviews (or, 28,250,403,658 the last time we checked). We’ve also added 350 new sites to the VIP network and 13 new members to our team (including an acquisition)!

As the leading WordPress solution for enterprises, we pride ourselves on working with your team to ensure that your code is optimized, secure, and fast. This year our customers have deployed changes 31,000 times, comprising more than one million lines of code—and we’ve reviewed every line. (And in case you were wondering, 4pm ET on Thursdays is the busiest hour in our deploy queue).

2014 is the first full year I’ve been on the WordPress.com VIP team, and I couldn’t be happier with the challenges we attack, the problems we solve, and the clients we serve every day. And to boot, I get to do this from wherever I want to be, working alongside some insanely intelligent and thoughtful people.

It was a good year, and more is yet to come. :)

VIP Workshop 2014 Recap

My colleague Sara just posted the “official” recap post for this year’s VIP Workshop, which I attended and at which I learned quite a bit and had a great time. A quote from the writeup that stood out to me:

We again had some great flash talks from VIP clients and partners, and this year’s presentations included talks from CBS Local, Re/code, USA Today, Digital First Media, BlueHost, The New York Times, Tribune Broadcasting, and Interactive One.

These are all top-notch clients doing amazing things with WordPress and the WordPress.com VIP service, and I get to work with them every day. I love that.

If you want to see my thoughts on the workshop, you can find them here.

2014 VIP Workshop: Photos

This past week, I was happy to attend the WordPress.com VIP Intensive Workshop with my colleagues and some of our clients, spend time with them chatting about all things WordPress and VIP (and even some things not), and learn a ton of things myself—including attending a security workshop taught by my colleague Mike Adams.

The last dinner we had as a big group (both the VIP team and our clients) was a fantastic time and we had some great conversation. (Special guest photographer on some of these shots is the one, the only Peter Slutsky.)

As you can see, the grounds where we stayed, learned, and worked for three nights are just fantastic. It rained a bit much in the early going, but once the sun came out it was beautiful and just a great place to retreat and spend time building relationships with the people who make WordPress.com VIP what it is.

Some shout-outs are due post-event:

All these people (and more) had a bigger impact on me than they probably think. I saw—time and time again—people talking about problems and then going and starting to solve them, collaborating on the potential solutions, and walking away having learned something.

It was the first time it struck me how much of a community WordPress developers (and really, developers of all stripes) tend to be. And it was about fixing real problems not just for themselves, but for other people who would run into those same things down the line.

This is why I’m renewing my effort at upping my game, engineer-wise. This is something I want to be a part of and contribute to. I want to have these conversations more often.

Now, if I can just clone myself so I have enough time to get everything done…

VIP Workshop 2014: Sage Advice

[Image: vip-mug]

I’ll write more about my week and takeaways from it in a bit, but this is one of the swag pieces we gave to our clients at the WordPress.com VIP Workshop this past week in Napa.

The best preview I can give is that I’m much more motivated to be in a position where the above pictured advice will be useful.

I Helped Launch This: FiveThirtyEight

Earlier today, ESPN launched the new FiveThirtyEight, hosted on WordPress.com VIP. I’m happy to say that I had a hand in this one, as I helped with the content migration process, much as I did with Grantland when it launched on VIP.

It’s such a small thing, and it’s quite a bit automated, but it feels great whenever I’m able to have a hand in helping something that’s so interesting to so many people get fired up and out the door on our service.

I love that about being on the VIP team—I get to help make really cool, really big sites happen. And I get to be part of the team that helps take care of the technical stuff needed for such a site to run, so their editors can focus on creating great content.