Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Hardening WordPress is An Art
Chathu Vishwajith
September 23, 2017
Technology
0
68
Hardening WordPress is An Art
My presentation for First-ever WordCamp Colombo 2017, Sri Lanka
#wccmb
Chathu Vishwajith
September 23, 2017
Tweet
Share
More Decks by Chathu Vishwajith
See All by Chathu Vishwajith
iamchathu
0
25
iamchathu
0
77
iamchathu
0
26
iamchathu
0
94
iamchathu
0
56
Other Decks in Technology
See All in Technology
finengine
0
290
line_developers
PRO
2
170
mixi_engineers
0
360
finengine
0
370
yfutamura
0
780
yaegashi
0
160
riki_hiraoka
0
240
noriyukitakei
17
9.4k
shirayanagiryuji
0
320
kloudleinc
0
270
ta28masa
0
270
line_developers_tw2
0
590
Featured
See All Featured
jacobian
257
20k
chriscoyier
146
20k
mongodb
23
3.9k
philhawksworth
192
17k
keithpitt
402
20k
qrush
285
19k
addyosmani
495
110k
eitanlees
116
10k
sugarenia
233
900k
shpigford
166
19k
denniskardys
219
120k
smashingmag
283
47k
Transcript
Hardening WordPress is an Art
Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a
startup
Alex Proimos from Sydney, Australia
Is WordPress is secure? → 52% are from WordPress plugins
→ 37% are from core WordPress → 11% are from WordPress themes
Recent incidents
Recent Incidents → Display Widgets → WooCommerce Product Vendors →
WordPress Security Update 4.8.2 – Update Immediately!
Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting
(XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal
So what is the Art
Continuous improvements
Find a secured hosting
Don’t forget to update!
Don’t forget to update! → Keep your WordPress up-to-date →
Update your plugins and themes → Change passwords periodically → Keep yourself updated
Use your own, not defaults!
Use your own, not defaults! → Do not use ‘admin’
as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix
Stop directory indexing
Prevent User emumaration
Disable XML-RPC if not using
Limit login failed attempts
Backup regularly
Remove unused plugins/themes
Turn on Comments approval
Use HTTPS! Atleast wp-admin area and wp-login.php
Make sure Debugging is off!
Apache, PHP, NGINX, SSL Vulnerabilities
WordPress Vulnerability Database https://wpvulndb.com
WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner
None
Summery → Don’t forget to update. → Use your own
rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated
From Sri Lanka !
Thank you !
iamchathu
finengine
line_developers
mixi_engineers
yfutamura
yaegashi
riki_hiraoka
noriyukitakei
shirayanagiryuji
kloudleinc
ta28masa
line_developers_tw2
jacobian
chriscoyier
mongodb
philhawksworth
keithpitt
qrush
addyosmani
eitanlees
sugarenia
shpigford
denniskardys
smashingmag
