Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hardening WordPress is An Art

Sponsored · Your Podcast. Everywhere. Effortlessly. Share. Educate. Inspire. Entertain. You do you. We'll handle the rest.
Avatar for Chathu Vishwajith Chathu Vishwajith
September 23, 2017
Technology
160
0

Hardening WordPress is An Art

My presentation for First-ever WordCamp Colombo 2017, Sri Lanka

#wccmb

Avatar for Chathu Vishwajith

Chathu Vishwajith

September 23, 2017

More Decks by Chathu Vishwajith

See All by Chathu Vishwajith
Lerna and Monorepo architecture for JavaScript
Avatar for Chathu Vishwajith iamchathu
0
75
Properly Securing Node.js APIs
Avatar for Chathu Vishwajith iamchathu
0
63
Hardening WordPress is kind of Art
Avatar for Chathu Vishwajith iamchathu
0
140
It's Someone Else's Servers
Avatar for Chathu Vishwajith iamchathu
0
52
Speed Up Your WordPess
Avatar for Chathu Vishwajith iamchathu
0
120
CMBJS Meetup: Securing NodeJS APIs with JWT
Avatar for Chathu Vishwajith iamchathu
0
110

Other Decks in Technology

See All in Technology
Databricks 月刊サービスアップデート 2026年05月号
Avatar for ちょし tyosi1212
0
200
Oracle AI Database@AWS:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
4
2.8k
TypeScript Compiler APIとPHP-Parserを活用し、TypeScriptとPHPで型を共有する
Avatar for did0es shuta13
0
350
大学生が本気でDatabricksを活用してDiscordサークルをデータ駆動させてみた
Avatar for Kazuki Date phantomjuju
1
390
AI Adaptable なテストを整える工夫 / Ways to Make Your Tests AI-Adaptable
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
PRO
2
210
新アーキテクチャ「TiDB X」解説とDedicated比較 TiDB Cloud Premiumのゲーム運用活用を検証
Avatar for altplus Inc. staffrecruiter
0
110
「嘘をつくテスト」の失敗例から学ぶ 良いテストコード #frontend_phpcon_do
Avatar for asumikam asumikam
0
210
コードレビューを制するチームがソフトウェアデリバリーのフローを制す / Beyond Code Review: Distributing Its Responsibilities Across the SDLC
Avatar for mtx2s mtx2s
3
1k
Claude code Orchestra
Avatar for Taisei Ozaki ozakiomumkj
3
940
イベントストーミングとKiroの仕様駆動開発で実現する要件の認識合わせプロセス
Avatar for syobochim syobochim
7
1.2k
Diagnosing performance problems without the guesswork
Avatar for Elena Tanasoiu elenatanasoiu
0
160
「コーディング」しない人のための Claude Code 入門 ChatGPT の次の一歩 — 業務に組み込む 育成・共有・自動化
Avatar for ふくだ(fukuda ryu) rfdnxbro
2
1.2k

Featured

See All Featured
The Anti-SEO Checklist Checklist. Pubcon Cyber Week
Avatar for Ryan Jones ryanjones
0
150
BBQ
Avatar for Matthew Crist matthewcrist
89
10k
Design and Strategy: How to Deal with People Who Don’t "Get" Design
Avatar for Morgane Peng morganepeng
133
19k
New Earth Scene 8
Avatar for Sydney Stone popppiees
3
2.3k
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
9
940
Public Speaking Without Barfing On Your Shoes - THAT 2023
Avatar for David Neal reverentgeek
1
410
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
49
3.5k
[SF Ruby Conf 2025] Rails X
Avatar for Vladimir Dementyev palkan
2
1.1k
Product Roadmaps are Hard
Avatar for C. Todd Lombardo iamctodd
PRO
55
12k
Test your architecture with Archunit
Avatar for Yoan thirion
1
2.3k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
39
3.2k
Connecting the Dots Between Site Speed, User Experience & Your Business [WebExpo 2025]
Avatar for Tammy Everts tammyeverts
11
930

Transcript

  1. Hardening WordPress is an Art

  2. Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a

    startup

  3. Alex Proimos from Sydney, Australia

  4. Is WordPress is secure? → 52% are from WordPress plugins

    → 37% are from core WordPress → 11% are from WordPress themes

  5. Recent incidents

  6. Recent Incidents → Display Widgets → WooCommerce Product Vendors →

    WordPress Security Update 4.8.2 – Update Immediately!

  7. Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting

    (XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal

  8. So what is the Art

  9. Continuous improvements

  10. Find a secured hosting

  11. Don’t forget to update!

  12. Don’t forget to update! → Keep your WordPress up-to-date →

    Update your plugins and themes → Change passwords periodically → Keep yourself updated

  13. Use your own, not defaults!

  14. Use your own, not defaults! → Do not use ‘admin’

    as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix

  15. Stop directory indexing

  16. Prevent User emumaration

  17. Disable XML-RPC if not using

  18. Limit login failed attempts

  19. Backup regularly

  20. Remove unused plugins/themes

  21. Turn on Comments approval

  22. Use HTTPS! Atleast wp-admin area and wp-login.php

  23. Make sure Debugging is off!

  24. Apache, PHP, NGINX, SSL Vulnerabilities

  25. WordPress Vulnerability Database https://wpvulndb.com

  26. WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner

  27. None

  28. Summery → Don’t forget to update. → Use your own

    rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated

  29. From Sri Lanka !

  30. Thank you !