Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Speaker Deck
PRO
Sign in
Sign up
for free
Hardening WordPress is kind of Art
Chathu Vishwajith
November 25, 2017
Technology
0
77
Hardening WordPress is kind of Art
Update presentation I did at WordCamp Utrecht 2017, Netherlands
Chathu Vishwajith
November 25, 2017
Tweet
Share
More Decks by Chathu Vishwajith
See All by Chathu Vishwajith
iamchathu
0
25
iamchathu
0
26
iamchathu
0
68
iamchathu
0
93
iamchathu
0
56
Other Decks in Technology
See All in Technology
hanasuke
0
220
aizurage
0
100
kataokatsuki
2
240
asahi_k2
0
710
ocise
0
110
ks91
PRO
0
270
supership
0
150
nghialv
2
250
soracom
0
150
nnstt1
2
110
line_developers
PRO
1
330
comucal
PRO
0
290
Featured
See All Featured
hannesfritz
28
970
searls
204
37k
revolveconf
200
9.7k
malarkey
119
16k
holman
462
280k
phodgson
88
4k
frogandcode
128
20k
myddelton
109
11k
bryan
32
3.5k
malarkey
392
61k
stephaniewalter
262
11k
colly
188
14k
Transcript
None
Hardening WordPress is kind of Art
Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a
startup
Alex Proimos from Sydney, Australia
Is WordPress is secure? → 52% are from WordPress plugins
→ 37% are from core WordPress → 11% are from WordPress themes
Recent incidents
Recent Incidents → bbPress → Shortcodes Ultimate → Formidable Forms
→ Duplicator → Yoast SEO 5.7.1 → WordPress Security Update 4.8.2 – Update Immediately! → WordPress 4.9
Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting
(XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal
So what is the Art
Continuous improvements
Find a secured hosting
Don’t forget to update!
Don’t forget to update! → Keep your WordPress up-to-date →
Update your plugins and themes → Change passwords periodically → Keep yourself updated
Use your own, not defaults!
Use your own, not defaults! → Do not use ‘admin’
as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix
Stop directory indexing
Prevent User emumaration
Disable XML-RPC if not using
Limit login failed attempts
Backup regularly
Use Two Factor Authentication
Remove unused plugins/themes
Turn on Comments approval
Use HTTPS! Atleast wp-admin area and wp-login.php
Make sure Debugging is off!
Apache, PHP, NGINX, SSL Vulnerabilities
WordPress Vulnerability Database https://wpvulndb.com
WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner
None
Summery → Don’t forget to update. → Use your own
rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated
From Holland Artist
Thank you
iamchathu
hanasuke
aizurage
kataokatsuki
asahi_k2
ocise
ks91
supership
nghialv
soracom
nnstt1
line_developers
comucal
hannesfritz
searls
revolveconf
malarkey
holman
phodgson
frogandcode
myddelton
bryan
stephaniewalter
colly
