Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hardening WordPress is An Art

Avatar for Chathu Vishwajith Chathu Vishwajith
September 23, 2017
Technology
0
140

Hardening WordPress is An Art

My presentation for First-ever WordCamp Colombo 2017, Sri Lanka

#wccmb

Avatar for Chathu Vishwajith

Chathu Vishwajith

September 23, 2017
Tweet

More Decks by Chathu Vishwajith

See All by Chathu Vishwajith
Lerna and Monorepo architecture for JavaScript
Avatar for Chathu Vishwajith iamchathu
0
66
Properly Securing Node.js APIs
Avatar for Chathu Vishwajith iamchathu
0
57
Hardening WordPress is kind of Art
Avatar for Chathu Vishwajith iamchathu
0
120
It's Someone Else's Servers
Avatar for Chathu Vishwajith iamchathu
0
43
Speed Up Your WordPess
Avatar for Chathu Vishwajith iamchathu
0
110
CMBJS Meetup: Securing NodeJS APIs with JWT
Avatar for Chathu Vishwajith iamchathu
0
110

Other Decks in Technology

See All in Technology
MCPサーバーを活用したAWSコスト管理
Avatar for Kaisei Arimura arie0703
0
130
はじめての転職講座/The Guide of First Career Change
Avatar for Hiromu Shioya kwappa
5
4.4k
MCP認可の現在地と自律型エージェント対応に向けた課題 / MCP Authorization Today and Challenges to Support Autonomous Agents
Avatar for Yoichi Kawasaki yokawasa
5
2.5k
AWSの最新サービスでAIエージェント構築に楽しく入門しよう
Avatar for みのるん minorun365
PRO
8
470
AIに頼りすぎない新人育成術
Avatar for CUEBiC Inc. cuebic9bic
3
330
リモートワークで心掛けていること 〜AI活用編〜
Avatar for naoki85 naoki85
0
190
Kiro と Q Dev で 同じゲームを作らせてみた
Avatar for r3_yamauchi r3_yamauchi
PRO
1
120
LTに影響を受けてテンプレリポジトリを作った話
Avatar for Horikawa hol1kgmg
0
380
AI時代の大規模データ活用とセキュリティ戦略
Avatar for Kengo Suzuki ken5scal
1
260
僕たちが「開発しやすさ」を求め 模索し続けたアーキテクチャ #アーキテクチャ勉強会_findy
Avatar for 弁護士ドットコム bengo4com
0
2.6k
Foundation Model × VisionKit で実現するローカル OCR
Avatar for SansanTech sansantech
PRO
1
420
Telemetry APIから学ぶGoogle Cloud ObservabilityとOpenTelemetryの現在 / getting-started-telemetry-api-with-google-cloud
Avatar for 逆井(さかさい) k6s4i53rx
0
160

Featured

See All Featured
[RailsConf 2023 Opening Keynote] The Magic of Rails
Avatar for Eileen M. Uchitelle eileencodes
30
9.6k
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
32
1.1k
StorybookのUI Testing Handbookを読んだ
Avatar for Shingo Yamazaki zakiyama
30
6k
Done Done
Avatar for chrislema chrislema
185
16k
Large-scale JavaScript Application Architecture
Avatar for Addy Osmani addyosmani
512
110k
Art, The Web, and Tiny UX
Avatar for Lynn Fisher lynnandtonic
301
21k
Statistics for Hackers
Avatar for Jake VanderPlas jakevdp
799
220k
Sharpening the Axe: The Primacy of Toolmaking
Avatar for Bryan Cantrill bcantrill
44
2.4k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
CSS Pre-Processors: Stylus, Less & Sass
Avatar for Bermon Painter bermonpainter
358
30k
GitHub's CSS Performance
Avatar for Jon Rohan jonrohan
1031
460k

Transcript

  1. Hardening WordPress is an Art

  2. Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a

    startup

  3. Alex Proimos from Sydney, Australia

  4. Is WordPress is secure? → 52% are from WordPress plugins

    → 37% are from core WordPress → 11% are from WordPress themes

  5. Recent incidents

  6. Recent Incidents → Display Widgets → WooCommerce Product Vendors →

    WordPress Security Update 4.8.2 – Update Immediately!

  7. Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting

    (XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal

  8. So what is the Art

  9. Continuous improvements

  10. Find a secured hosting

  11. Don’t forget to update!

  12. Don’t forget to update! → Keep your WordPress up-to-date →

    Update your plugins and themes → Change passwords periodically → Keep yourself updated

  13. Use your own, not defaults!

  14. Use your own, not defaults! → Do not use ‘admin’

    as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix

  15. Stop directory indexing

  16. Prevent User emumaration

  17. Disable XML-RPC if not using

  18. Limit login failed attempts

  19. Backup regularly

  20. Remove unused plugins/themes

  21. Turn on Comments approval

  22. Use HTTPS! Atleast wp-admin area and wp-login.php

  23. Make sure Debugging is off!

  24. Apache, PHP, NGINX, SSL Vulnerabilities

  25. WordPress Vulnerability Database https://wpvulndb.com

  26. WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner

  27. None

  28. Summery → Don’t forget to update. → Use your own

    rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated

  29. From Sri Lanka !

  30. Thank you !