Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hardening WordPress is An Art

Avatar for Chathu Vishwajith Chathu Vishwajith
September 23, 2017
Technology
150
0

Hardening WordPress is An Art

My presentation for First-ever WordCamp Colombo 2017, Sri Lanka

#wccmb

Avatar for Chathu Vishwajith

Chathu Vishwajith

September 23, 2017

More Decks by Chathu Vishwajith

See All by Chathu Vishwajith
Lerna and Monorepo architecture for JavaScript
Avatar for Chathu Vishwajith iamchathu
0
72
Properly Securing Node.js APIs
Avatar for Chathu Vishwajith iamchathu
0
61
Hardening WordPress is kind of Art
Avatar for Chathu Vishwajith iamchathu
0
140
It's Someone Else's Servers
Avatar for Chathu Vishwajith iamchathu
0
50
Speed Up Your WordPess
Avatar for Chathu Vishwajith iamchathu
0
120
CMBJS Meetup: Securing NodeJS APIs with JWT
Avatar for Chathu Vishwajith iamchathu
0
110

Other Decks in Technology

See All in Technology
AWS認定資格は本当に意味があるのか?
Avatar for NRI Netcom nrinetcom
PRO
1
260
Azure Speech で音声対応してみよう
Avatar for kosmosebi kosmosebi
0
160
AIが書いたコードを信じられない問題 〜レビュー負荷を下げるために変えたこと〜 / The AI Code Trust Gap: Reducing the Review Burden
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
PRO
6
1.1k
生成AI時代のエンジニア育成 変わる時代と変わらないコト
Avatar for starfish719 starfish719
0
10k
Data Hubグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
2.9k
ARIA Notifyについて
Avatar for ryokatsuse ryokatsuse
1
120
Rapid Start: Faster Internet Connections, with Ruby's Help
Avatar for kazuho kazuho
2
160
EarthCopilotに学ぶマルチエージェントオーケストレーション
Avatar for なかしょ nakasho
0
280
Introduction to Bill One Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
410
20260415_生成AIを専属DSに_自動レポート作成_ハンズオン_交通事故データ
Avatar for NobuakiOshiro doradora09
PRO
0
110
サイボウズ 開発本部採用ピッチ / Cybozu Engineer Recruit
Avatar for Cybozu cybozuinsideout
PRO
10
78k
AIエージェントの権限管理 1: MCPサーバー・ ツールの Fine grained access control 編
Avatar for Renya Kujirada ren8k
3
490

Featured

See All Featured
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
31
6.7k
Un-Boring Meetings
Avatar for Sebastian Deterding codingconduct
0
270
Ethics towards AI in product and experience design
Avatar for Skipper Chong Warson skipperchong
2
260
For a Future-Friendly Web
Avatar for Brad Frost brad_frost
183
10k
Done Done
Avatar for chrislema chrislema
186
16k
Odyssey Design
Avatar for Ryan Kendrick rkendrick25
PRO
2
570
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.8k
Thoughts on Productivity
Avatar for Jon Yablonski jonyablonski
76
5.1k
Writing Fast Ruby
Avatar for Erik Berlin sferik
630
63k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
46
8.1k
Deep Space Network (abreviated)
Avatar for Tony Rice tonyrice
0
110
Getting science done with accelerated Python computing platforms
Avatar for Jacob Tomlinson jacobtomlinson
2
180

Transcript

  1. Hardening WordPress is an Art

  2. Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a

    startup

  3. Alex Proimos from Sydney, Australia

  4. Is WordPress is secure? → 52% are from WordPress plugins

    → 37% are from core WordPress → 11% are from WordPress themes

  5. Recent incidents

  6. Recent Incidents → Display Widgets → WooCommerce Product Vendors →

    WordPress Security Update 4.8.2 – Update Immediately!

  7. Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting

    (XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal

  8. So what is the Art

  9. Continuous improvements

  10. Find a secured hosting

  11. Don’t forget to update!

  12. Don’t forget to update! → Keep your WordPress up-to-date →

    Update your plugins and themes → Change passwords periodically → Keep yourself updated

  13. Use your own, not defaults!

  14. Use your own, not defaults! → Do not use ‘admin’

    as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix

  15. Stop directory indexing

  16. Prevent User emumaration

  17. Disable XML-RPC if not using

  18. Limit login failed attempts

  19. Backup regularly

  20. Remove unused plugins/themes

  21. Turn on Comments approval

  22. Use HTTPS! Atleast wp-admin area and wp-login.php

  23. Make sure Debugging is off!

  24. Apache, PHP, NGINX, SSL Vulnerabilities

  25. WordPress Vulnerability Database https://wpvulndb.com

  26. WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner

  27. None

  28. Summery → Don’t forget to update. → Use your own

    rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated

  29. From Sri Lanka !

  30. Thank you !