Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
Hardening WordPress is An Art
Search
Sponsored
·
Ship Features Fearlessly
Turn features on and off without deploys. Used by thousands of Ruby developers.
→
Chathu Vishwajith
September 23, 2017
Technology
160
0
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
Hardening WordPress is An Art
My presentation for First-ever WordCamp Colombo 2017, Sri Lanka
#wccmb
Chathu Vishwajith
September 23, 2017
More Decks by Chathu Vishwajith
See All by Chathu Vishwajith
Lerna and Monorepo architecture for JavaScript
iamchathu
0
78
Properly Securing Node.js APIs
iamchathu
0
63
Hardening WordPress is kind of Art
iamchathu
0
140
It's Someone Else's Servers
iamchathu
0
56
Speed Up Your WordPess
iamchathu
0
120
CMBJS Meetup: Securing NodeJS APIs with JWT
iamchathu
0
110
Other Decks in Technology
See All in Technology
Why is RC4 still being used?
tamaiyutaro
0
290
金融の未来を考える / Thinking About the Future of Finance
ks91
PRO
0
150
Foxgloveについて 実際にExtensionを開発して公開するまでの話 / About Foxglove: The Story of Developing and Releasing an Extension
ry0_ka
0
120
攻撃者がいなくてもAIエージェントはインシデントを起こす
nomizone
0
200
事業価値を⽣み出すSREへ SREが担うべき意思決定の5層
kenta_hi
0
180
AI Agentをシステムに組み込む前にゆるく向き合ってみる
hayama17
0
200
本当の”仕事”を手放せる未来が見えた
mu7889yoon
0
220
どうして今サーバーサイドKotlinを選択したのか
nealle
0
200
型は壁、Rustでもバグを直すな、表現できなくせよ
nwiizo
10
1.3k
SRE依存からの脱却 運用を開 発チームへ移す、 フルサイ クル開 発体制の実践
joooee0000
0
210
次世代ランサムウェア対策の考察 / 20260704 Mitsutoshi Matsuo
shift_evolve
PRO
5
1.7k
CSに"SLO"は要らない、経営層に"99.9%"は伝わらない - SREを全社に"翻訳"する3原則
cscengineer
PRO
0
1.4k
Featured
See All Featured
Bootstrapping a Software Product
garrettdimon
PRO
307
120k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
danielanewman
230
23k
Mind Mapping
helmedeiros
PRO
1
280
Done Done
chrislema
186
16k
世界の人気アプリ100個を分析して見えたペイウォール設計の心得
akihiro_kokubo
PRO
72
40k
Paper Plane
katiecoart
PRO
1
52k
Neural Spatial Audio Processing for Sound Field Analysis and Control
skoyamalab
0
360
Faster Mobile Websites
deanohume
310
32k
Dealing with People You Can't Stand - Big Design 2015
cassininazir
367
27k
実際に使うSQLの書き方 徹底解説 / pgcon21j-tutorial
soudai
PRO
201
75k
Git: the NoSQL Database
bkeepers
PRO
432
67k
Hiding What from Whom? A Critical Review of the History of Programming languages for Music
tomoyanonymous
3
890
Transcript
Hardening WordPress is an Art
Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a
startup
Alex Proimos from Sydney, Australia
Is WordPress is secure? → 52% are from WordPress plugins
→ 37% are from core WordPress → 11% are from WordPress themes
Recent incidents
Recent Incidents → Display Widgets → WooCommerce Product Vendors →
WordPress Security Update 4.8.2 – Update Immediately!
Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting
(XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal
So what is the Art
Continuous improvements
Find a secured hosting
Don’t forget to update!
Don’t forget to update! → Keep your WordPress up-to-date →
Update your plugins and themes → Change passwords periodically → Keep yourself updated
Use your own, not defaults!
Use your own, not defaults! → Do not use ‘admin’
as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix
Stop directory indexing
Prevent User emumaration
Disable XML-RPC if not using
Limit login failed attempts
Backup regularly
Remove unused plugins/themes
Turn on Comments approval
Use HTTPS! Atleast wp-admin area and wp-login.php
Make sure Debugging is off!
Apache, PHP, NGINX, SSL Vulnerabilities
WordPress Vulnerability Database https://wpvulndb.com
WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner
None
Summery → Don’t forget to update. → Use your own
rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated
From Sri Lanka !
Thank you !