Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hardening WordPress is kind of Art

Avatar for Chathu Vishwajith Chathu Vishwajith
November 25, 2017
Technology
0
120

Hardening WordPress is kind of Art

Update presentation I did at WordCamp Utrecht 2017, Netherlands

Avatar for Chathu Vishwajith

Chathu Vishwajith

November 25, 2017
Tweet

More Decks by Chathu Vishwajith

See All by Chathu Vishwajith
Lerna and Monorepo architecture for JavaScript
Avatar for Chathu Vishwajith iamchathu
0
67
Properly Securing Node.js APIs
Avatar for Chathu Vishwajith iamchathu
0
57
It's Someone Else's Servers
Avatar for Chathu Vishwajith iamchathu
0
43
Hardening WordPress is An Art
Avatar for Chathu Vishwajith iamchathu
0
140
Speed Up Your WordPess
Avatar for Chathu Vishwajith iamchathu
0
110
CMBJS Meetup: Securing NodeJS APIs with JWT
Avatar for Chathu Vishwajith iamchathu
0
110

Other Decks in Technology

See All in Technology
Generative AI Japan 第一回生成AI実践研究会「AI駆動開発の現在地──ブレイクスルーの鍵を握るのはデータ領域」
Avatar for KoheiOgawa shisyu_gaku
0
160
これでもう迷わない!Jetpack Composeの書き方実践ガイド
Avatar for ZOZO Developers zozotech
PRO
0
430
Android Audio: Beyond Winning On It
Avatar for Atsushi Eno atsushieno
0
120
なぜテストマネージャの視点が 必要なのか? 〜 一歩先へ進むために 〜
Avatar for Sammy(MoritaMasami) moritamasami
0
220
2つのフロントエンドと状態管理
Avatar for MIXI ENGINEERS mixi_engineers
PRO
3
100
未経験者・初心者に贈る!40分でわかるAndroidアプリ開発の今と大事なポイント
Avatar for operandoOS operando
5
520
EncryptedSharedPreferences が deprecated になっちゃった!どうしよう! / Oh no! EncryptedSharedPreferences has been deprecated! What should I do?
Avatar for Yuki Anzai yanzm
0
290
dbt開発 with Claude Codeのためのガードレール設計
Avatar for 10xinc 10xinc
2
1.2k
職種の壁を溶かして開発サイクルを高速に回す~情報透明性と職種越境から考えるAIフレンドリーな職種間連携~
Avatar for daitasu daitasu
0
160
MCPで変わる Amebaデザインシステム「Spindle」の開発
Avatar for Ameba Spindle spindle
PRO
3
3.2k
allow_retry と Arel.sql / allow_retry and Arel.sql
Avatar for Shintani Teppei euglena1215
1
170
Snowflakeの生成AI機能を活用したデータ分析アプリの作成 〜Cortex AnalystとCortex Searchの活用とStreamlitアプリでの利用〜
Avatar for Nayuta S. nayuts
1
480

Featured

See All Featured
Speed Design
Avatar for Sergey Chernyshev sergeychernyshev
32
1.1k
Templates, Plugins, & Blocks: Oh My! Creating the theme that thinks of everything
Avatar for Michelle Schulp Hunt marktimemedia
31
2.5k
"I'm Feeling Lucky" - Building Great Search Experiences for Today's Users (#IAC19)
Avatar for Dan Newman danielanewman
229
22k
Designing Experiences People Love
Avatar for Jonathan Moore moore
142
24k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
46
7.6k
The Straight Up "How To Draw Better" Workshop
Avatar for Dennis Kardys denniskardys
236
140k
Exploring the Power of Turbo Streams & Action Cable | RailsConf2023
Avatar for Kevin Liebholz kevinliebholz
34
6k
XXLCSS - How to scale CSS and keep your sanity
Avatar for Zaharenia Atzitzikaki sugarenia
248
1.3M
How To Stay Up To Date on Web Technology
Avatar for Chris Coyier chriscoyier
790
250k
Optimising Largest Contentful Paint
Avatar for Harry Roberts csswizardry
37
3.4k
Testing 201, or: Great Expectations
Avatar for Joseph Mastey jmmastey
45
7.7k
Site-Speed That Sticks
Avatar for Harry Roberts csswizardry
10
810

Transcript

  1. None

  2. Hardening WordPress is kind of Art

  3. Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a

    startup

  4. Alex Proimos from Sydney, Australia

  5. Is WordPress is secure? → 52% are from WordPress plugins

    → 37% are from core WordPress → 11% are from WordPress themes

  6. Recent incidents

  7. Recent Incidents → bbPress → Shortcodes Ultimate → Formidable Forms

    → Duplicator → Yoast SEO 5.7.1 → WordPress Security Update 4.8.2 – Update Immediately! → WordPress 4.9

  8. Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting

    (XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal

  9. So what is the Art

  10. Continuous improvements

  11. Find a secured hosting

  12. Don’t forget to update!

  13. Don’t forget to update! → Keep your WordPress up-to-date →

    Update your plugins and themes → Change passwords periodically → Keep yourself updated

  14. Use your own, not defaults!

  15. Use your own, not defaults! → Do not use ‘admin’

    as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix

  16. Stop directory indexing

  17. Prevent User emumaration

  18. Disable XML-RPC if not using

  19. Limit login failed attempts

  20. Backup regularly

  21. Use Two Factor Authentication

  22. Remove unused plugins/themes

  23. Turn on Comments approval

  24. Use HTTPS! Atleast wp-admin area and wp-login.php

  25. Make sure Debugging is off!

  26. Apache, PHP, NGINX, SSL Vulnerabilities

  27. WordPress Vulnerability Database https://wpvulndb.com

  28. WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner

  29. None

  30. Summery → Don’t forget to update. → Use your own

    rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated

  31. From Holland Artist

  32. Thank you