Last week I spent some time chatting with Mike Dahn who is the co-founder of the BSides information security conferences globally. He’s also organizer of BSides San Francisco and is well known and respected in information security circles.
We had a really informative chat and I’ve posted the video interview below. You know you’re chatting with someone who spends a lot of time thinking about a subject when they’re able to provide insights that are concise and are highly effective – ideas that can have a significant impact if overlooked or implemented.
During our conversation I asked Mike how “we can all be more secure”. We stopped filming for a few minutes and agreed... that is a really big question. He told me he knew what many vendors could do to be more secure – and so I filmed his response.
What Mike said is that “the best way to secure data is to get rid of it”. If you’re new to systems administration, security or WordPress administration, you may not understand the value of this advice. So I’m going to expand on what Mike said because I think it’s something that is overlooked by many of us and can be a major risk reducer when trying to secure your website or your systems.
Anything you store needs to be protected. Storing data you don’t absolutely need is a potential liability and a source of risk. Here are a few things that you may currently store on your WordPress site or in other areas of your organization that you may be able to get rid of or take offline, reducing risk:
Backups
We’ve seen many customers use WordPress plugins that store backup files on the server. Sometimes, catastrophically, the backups even end up in publicly accessible web directories. Backups should be written to a secure external storage system, or ideally taken completely offline. You don’t need your backups online until you need to perform a disaster recovery, and that is (hopefully) a rare occurrence.
One compelling reason to take your backups offline is the rise in ransomware, which encrypts both your web server (or workstation) and your backups. If your backups are offline, ransomware can’t encrypt them and they remain safe.
Credit Card Data
Never, ever store any data related to credit cards. In the interview Mike mentions “tokenization”. If you want to give your customers the ability to “store” their card information with you so they can perform repeat transactions, the way to do this securely is to pass the card data to a processor like Authorize.net (owned by Visa) and have them store the card data. They give you a unique ID or token which you can use to perform future transactions.
By tokenizing credit card data, you avoid having to store it and there is no card data on your site for an attacker to steal.
User Personally Identifiable Information (PII)
Only store what you absolutely must. Don’t collect information you only think you “might” use. Collect the data you have to and discard everything else.
For example, I’ve seen many online forms that ask for physical address information. Leave this out if you can because it’s one more piece of sensitive PII that you need to protect and it introduces additional liability into your organization if you are hacked.
Leave it to the (real) experts
While it’s tempting to store data on your own servers, companies like Visa in the credit card example above have much more stringent compliance requirements and have a larger team of security professionals than you do. So if you are able to outsource storage of data to a company that has a proven track record of excellence in data security, do that rather than reinventing secure data storage as a small team.
Delete old data
Another way to get rid of data so that you don’t have to protect it is to remove old data you no longer need. This may include:
- Inactive user accounts
- Old backups
- Archived copies of your site stored on the server
- Draft posts and pages
- Inactive plugins and themes on your WordPress site
- Websites that are still active but don’t receive any traffic or aren’t used
- Old database instances that aren’t used anymore
- Old database tables no longer used
- Backup files or old files – for example, if you made a copy of wp-config.php for WordPress and called it wp-config.php.old, you definitely need to delete that: it contains your database credentials, and because the .old extension is no longer handled by PHP, the web server will hand the file out as plain text to anyone who requests it!
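A small check for the last item above, as an added example that is not from the original post: it walks a WordPress document root for leftover copies (wp-config.php.old, *.bak, SQL dumps, plugin backup archives) that a web server would serve directly, and exits non-zero when it finds any. The pattern list and the constructed sample tree are assumptions of this example; pass your real web root (e.g. /var/www/html) instead.

```shell
#!/bin/sh
# Added example (not from the original post): report leftover backup/old
# copies under a WordPress document root so they can be deleted or moved offline.

# File name patterns that usually indicate a leftover copy rather than a live
# site file (assumed list; extend it for the tools you use).
RISKY_PATTERNS='wp-config.php.* *.old *.bak *.orig *.save *.sql *.sql.gz *.zip *.tar *.tar.gz *~'

# find_leftovers WEBROOT
# Prints one matching path per line, sorted, nothing if the tree is clean.
find_leftovers() {
    root="$1"
    [ -d "$root" ] || { echo "not a directory: $root" >&2; return 2; }
    # set -f inside a subshell so the patterns are not glob-expanded by the
    # shell itself; find(1) applies them to the file names instead.
    ( set -f
      for pat in $RISKY_PATTERNS; do
          find "$root" -type f -name "$pat"
      done ) | sort -u
}

# check_webroot WEBROOT
# Returns 0 when nothing suspicious is found, 1 when cleanup is needed.
check_webroot() {
    hits=$(find_leftovers "$1") || return 2
    if [ -z "$hits" ]; then
        echo "no leftover backup/old files under $1"
        return 0
    fi
    echo "leftover files found under $1 (delete them or move them offline):"
    printf '%s\n' "$hits"
    return 1
}

# Demo on a constructed sample tree (not a real site).
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
: > "$demo/index.php"                                # live file: not flagged
: > "$demo/wp-config.php"                            # live config: not flagged
: > "$demo/wp-config.php.old"                        # leftover copy with DB credentials: flagged
: > "$demo/wp-content/uploads/site-backup-2016.zip"  # plugin backup in a public dir: flagged
check_webroot "$demo" || :   # non-zero status means cleanup is needed
rm -rf "$demo"
```

Run it from cron against your web root and alert on a non-zero exit status so a forgotten copy does not stay online for months.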
The Interview with Mike
This was filmed outside the BSides security conference in San Francisco. As always we welcome your feedback and insights in the comments below. Please share this to help promote good security practices in the WordPress community.