Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hardening WordPress is kind of Art

Avatar for Chathu Vishwajith Chathu Vishwajith
November 25, 2017
Technology
0
120

Hardening WordPress is kind of Art

Update presentation I did at WordCamp Utrecht 2017, Netherlands

Avatar for Chathu Vishwajith

Chathu Vishwajith

November 25, 2017
Tweet

More Decks by Chathu Vishwajith

See All by Chathu Vishwajith
Lerna and Monorepo architecture for JavaScript
Avatar for Chathu Vishwajith iamchathu
0
67
Properly Securing Node.js APIs
Avatar for Chathu Vishwajith iamchathu
0
57
It's Someone Else's Servers
Avatar for Chathu Vishwajith iamchathu
0
43
Hardening WordPress is An Art
Avatar for Chathu Vishwajith iamchathu
0
140
Speed Up Your WordPess
Avatar for Chathu Vishwajith iamchathu
0
110
CMBJS Meetup: Securing NodeJS APIs with JWT
Avatar for Chathu Vishwajith iamchathu
0
110

Other Decks in Technology

See All in Technology
これがLambdaレス時代のChatOpsだ!実例で学ぶAmazon Q Developerカスタムアクション活用法
Avatar for iwamot iwamot
PRO
6
1k
​Vibe Coding Year in Review. From Karpathy to Real-World Agents by Niels Rolland, CEO Paatch
Avatar for Strapi vcoisne
0
130
"プロポーザルってなんか怖そう"という境界を超えてみた@TSUDOI by giftee Tech #1
Avatar for shilo shilo113
0
190
プレーリーカードを活用しよう❗❗デジタル名刺交換からはじまるイベント会場交流のススメ
Avatar for Masataka Tsukamoto tsukaman
0
130
今この時代に技術とどう向き合うべきか
Avatar for gree_tech gree_tech
PRO
0
260
大規模サーバーレスAPIの堅牢性・信頼性設計 〜AWSのベストプラクティスから始まる現実的制約との向き合い方〜
Avatar for maimyyym maimyyym
9
4.5k
やる気のない自分との向き合い方/How to Deal with Your Unmotivated Self
Avatar for Genki Sano sanogemaru
0
500
Shirankedo NOCで見えてきたeduroam/OpenRoaming運用ノウハウと課題 - BAKUCHIKU BANBAN #2
Avatar for marokiki marokiki
0
190
カンファレンスに託児サポートがあるということ / Having Childcare Support at Conferences
Avatar for nobu09 nobu09
1
540
【Kaigi on Rails 事後勉強会LT】MeはどうしてGirlsに? 私とRubyを繋いだRail(s)
Avatar for joy joyfrommasara
0
240
名刺メーカーDevグループ 紹介資料
Avatar for Sansan, Inc. sansan33
PRO
0
930
Introduction to Bill One Development Engineer
Avatar for Sansan, Inc. sansan33
PRO
0
300

Featured

See All Featured
Gamification - CAS2011
Avatar for David Bonilla davidbonilla
81
5.5k
Designing Dashboards & Data Visualisations in Web Apps
Avatar for Des Traynor destraynor
231
53k
The Cult of Friendly URLs
Avatar for Andy Hume andyhume
79
6.6k
Code Reviewing Like a Champion
Avatar for maltzj maltzj
526
40k
How to Create Impact in a Changing Tech Landscape [PerfNow 2023]
Avatar for Tammy Everts tammyeverts
55
3k
The Web Performance Landscape in 2024 [PerfNow 2024]
Avatar for Tammy Everts tammyeverts
9
870
The World Runs on Bad Software
Avatar for Brandon Keepers bkeepers
PRO
72
11k
Raft: Consensus for Rubyists
Avatar for Patrick Van Stee vanstee
139
7.1k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
431
66k
Stop Working from a Prison Cell
Avatar for Chris Michel hatefulcrawdad
271
21k
I Don’t Have Time: Getting Over the Fear to Launch Your Podcast
Avatar for Joe Casabona jcasabona
33
2.5k
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
Avatar for Stéphanie Walter stephaniewalter
285
14k

Transcript

  1. None

  2. Hardening WordPress is kind of Art

  3. Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a

    startup

  4. Alex Proimos from Sydney, Australia

  5. Is WordPress is secure? → 52% are from WordPress plugins

    → 37% are from core WordPress → 11% are from WordPress themes

  6. Recent incidents

  7. Recent Incidents → bbPress → Shortcodes Ultimate → Formidable Forms

    → Duplicator → Yoast SEO 5.7.1 → WordPress Security Update 4.8.2 – Update Immediately! → WordPress 4.9

  8. Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting

    (XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal

  9. So what is the Art

  10. Continuous improvements

  11. Find a secured hosting

  12. Don’t forget to update!

  13. Don’t forget to update! → Keep your WordPress up-to-date →

    Update your plugins and themes → Change passwords periodically → Keep yourself updated

  14. Use your own, not defaults!

  15. Use your own, not defaults! → Do not use ‘admin’

    as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix

  16. Stop directory indexing

  17. Prevent User emumaration

  18. Disable XML-RPC if not using

  19. Limit login failed attempts

  20. Backup regularly

  21. Use Two Factor Authentication

  22. Remove unused plugins/themes

  23. Turn on Comments approval

  24. Use HTTPS! Atleast wp-admin area and wp-login.php

  25. Make sure Debugging is off!

  26. Apache, PHP, NGINX, SSL Vulnerabilities

  27. WordPress Vulnerability Database https://wpvulndb.com

  28. WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner

  29. None

  30. Summery → Don’t forget to update. → Use your own

    rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated

  31. From Holland Artist

  32. Thank you