The innovative ideas, the spirit of the community – building bridges for a better world wide web tomorrow. WordCamp Europe 2018 Belgrade rolled around for us to refuel on the WordPress energy. And WCEU 2018 was a special one with a record-breaking 2,085 attendees and 808 livestreamers. We got inspired by thought-provoking talks, shared and met peers, all wrapped up in an amazing 3-day experience. But here are the best takeaways for me and Plesk.
Why we love contributing to the WordPress open source project
Contributor day all went down the day before WCEU took off. With 177 returning contributors and 156 newbies to the group – impressive. It was so easy to get involved that I’m not surprised at the high number of returning contributors.
And it wasn’t just me either. We also had five Pleskians on the hosting team focusing on improving security. It feels great to be contributing as a team.
But one of the best bits has to be learning how much we all improved and fixed in our different teams in just one day. Be it in CLI, TIDE, Java, Marketing. And loads of pull requests too. Good job everyone!
Learning Content Security Policies (CSPs)
Content security policies (CSPs) are a relatively new security element online. A CSP uses the browser to find and mitigate attacks such as cross-site scripting (XSS), clickjacking and other code injection attacks, all of which come from executing malicious content in the trusted web page context. You can use a CSP to enforce HTTPS on SSL-enabled sites and to authorize only truly trusted sources, blocking all others. The reality is that most sites don’t have a CSP in place. So let’s band together and discover more. Below is what Miriam Schwab had to say about this whole new way of securing your sites that not many know about.
How to protect ourselves and our visitors from attacks
How are web apps compromised? It can be server-side, which is what we’re mostly used to, or client-side, which basically means in the browser. Among the top web app threats is cross-site scripting (XSS): a hacker injects malicious JavaScript into your source code, and it then loads in the visitor’s browser.
When XSS happens, the user is the victim more than your app. The user can suffer session hijacking, cookie theft, account takeover, traffic redirection, credential theft, unwanted ads and infections. It’s not pretty, guys. So we need to take action.
First off, use directives: strings specifying the type of resource, taken from a predefined list (font-src, frame-src, for example). And source expressions: patterns describing one or more servers that resources can be downloaded from (‘none’, ‘self’, ‘unsafe-inline’, and so on).
It’s not great practice to put inline JS in for behavioural purposes. If your site has been built with inline scripts, it’s a vulnerability. But you can still put a CSP in front of these as a security measure: it whitelists which scripts are allowed to load.
Content-Security-Policy: default-src 'self' https:; script-src 'self' https://www.google-analytics.com
Basically, this whitelists Google Analytics and says that it is OK to load. ‘unsafe-inline’ and ‘unsafe-eval’ leave you kind of vulnerable, but they are another way of getting a policy in place. Check it:
Content-Security-Policy: script-src 'unsafe-inline' 'unsafe-eval'
All our WordPress sites have been migrated to HTTPS and SSL, but something may have gotten lost along the way. A CSP that only allows https: sources helps you ensure that everything is loaded over HTTPS. Therefore, you’ll always have a green padlock and no mixed content.
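To make the directive and source-expression structure concrete, here is an added example (not code from the original post, from Plesk, or from the WCEU talk): a small Python CSP parser and checker that takes the two headers quoted above, resolves each directive the way a browser does (falling back to default-src), and reports which resource URLs and which inline scripts the policy would allow, plus the weak spots an evaluator would flag. It handles only a subset of CSP matching (‘self’, ‘none’, ‘unsafe-inline’, ‘unsafe-eval’, the wildcard, scheme sources such as https: and host sources); nonces, hashes, ports and paths are deliberately left out. The page origin, the unlisted CDN host and the policies themselves are constructed sample values.

```python
# Added example: minimal Content-Security-Policy parser and checker.
# Not code from the original post or the WCEU talk; it implements a subset
# of CSP source matching for illustration. All policies and URLs are constructed.
from urllib.parse import urlsplit

# Source expressions that loosen a policy and that an evaluator would flag.
KEYWORDS_THAT_WEAKEN = {"'unsafe-inline'", "'unsafe-eval'", "*"}


def parse_csp(header):
    """Split a header value into {directive: [source expressions]}.

    Directives are ';'-separated; the first token of each is the directive
    name, the rest are source expressions. A repeated directive is ignored,
    which is what browsers do too.
    """
    policy = {}
    for part in header.split(";"):
        tokens = part.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def sources_for(policy, directive):
    """Resolve a fetch directive, falling back to default-src when it is absent."""
    return policy.get(directive, policy.get("default-src", []))


def allows(policy, directive, url, page_origin):
    """Return True if a resource at `url` may load under `directive`."""
    sources = [s.lower() for s in sources_for(policy, directive)]
    if not sources or "'none'" in sources:
        return False
    res, page = urlsplit(url), urlsplit(page_origin)
    for src in sources:
        if src.startswith("'"):                      # keyword source
            if src == "'self'" and (res.scheme, res.netloc) == (page.scheme, page.netloc):
                return True
            continue                                  # 'unsafe-*' never match a URL
        if src == "*":
            return True
        if src.endswith(":"):                         # scheme source, e.g. https:
            if res.scheme == src[:-1]:
                return True
            continue
        scheme, _, host = src.rpartition("://")       # host source with optional scheme
        host = host.rstrip("/")
        if host.startswith("*."):
            host_ok = res.hostname is not None and res.hostname.endswith(host[1:])
        else:
            host_ok = res.netloc == host
        # A host source without a scheme matches the page scheme or https.
        scheme_ok = res.scheme == scheme if scheme else res.scheme in (page.scheme, "https")
        if host_ok and scheme_ok:
            return True
    return False


def allows_inline_script(policy):
    """Inline <script> blocks run only if script-src (or default-src) lists 'unsafe-inline'."""
    return "'unsafe-inline'" in [s.lower() for s in sources_for(policy, "script-src")]


def weak_sources(policy):
    """(directive, source) pairs that loosen the policy."""
    return [(d, s) for d, srcs in policy.items() for s in srcs if s.lower() in KEYWORDS_THAT_WEAKEN]


def report(header):
    """Findings for one policy, in the spirit of the CSP evaluator tools mentioned later."""
    policy = parse_csp(header)
    findings = []
    if "default-src" not in policy:
        findings.append("no default-src: any directive you forgot is unrestricted")
    for directive, src in weak_sources(policy):
        findings.append(f"{directive} allows {src}: injected scripts can still run")
    for directive, srcs in policy.items():
        if any(s.lower().startswith("http:") for s in srcs):
            findings.append(f"{directive} permits plain http: sources (mixed content)")
    return findings


# Constructed policies mirroring the two headers quoted in the post.
STRICT = "default-src 'self' https:; script-src 'self' https://www.google-analytics.com"
LOOSE = "script-src 'unsafe-inline' 'unsafe-eval'"
PAGE = "https://example.com"    # placeholder origin for the site sending the header

if __name__ == "__main__":
    strict = parse_csp(STRICT)
    for url in ("https://www.google-analytics.com/analytics.js",
                "https://cdn.unlisted.example/x.js",
                "http://example.com/wp-includes/js/jquery.js"):
        print("script-src", url, "->", allows(strict, "script-src", url, PAGE))
    print("inline scripts under STRICT:", allows_inline_script(strict))
    print("inline scripts under LOOSE: ", allows_inline_script(parse_csp(LOOSE)))
    for name, header in (("STRICT", STRICT), ("LOOSE", LOOSE)):
        print(name, "findings:", report(header) or ["none"])
```

Two things the run makes visible that the headers alone do not: script-src replaces default-src rather than extending it, so the https: scheme source in default-src does not let an unlisted CDN serve scripts; and the http:// copy of a first-party script fails the ‘self’ check because the scheme differs, which is exactly the mixed-content case the https: source is there to catch.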
Tools to make your CSP journey a bit easier
Google created its own tool, CSP Evaluator, which gives you useful feedback; otherwise it tells you ‘no CSP’. Security Headers by Sophos gives you a kind of report. There are also some WP plugins for security. Report URI is an amazing site that spits out a security policy for you. And Telerik Fiddler has a Windows version: you just put your URL in and it tells you what you need to put as a CSP.
XSS is one of the most difficult attacks to prevent, but CSP helps add an extra layer of security. I know I’ve taken a lot away from this session, and I hope this was useful for at least a few of you. Because stats reveal that, even though WordPress powers almost a third of the web, the number of sites with a CSP in place is still relatively low. So let’s all make the internet a safer place with CSPs.
Inspired by WCEU? So are we
You can relive the whirlwind of talks, networking, inspiration, knowledge exchange, and generally all-round brilliant WCEU experiences on WordPress TV soon! Let’s now share this one goal to make WordPress, and the web, the best it can be.