Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hardening WordPress is kind of Art

Avatar for Chathu Vishwajith Chathu Vishwajith
November 25, 2017
Technology
0
120

Hardening WordPress is kind of Art

Update presentation I did at WordCamp Utrecht 2017, Netherlands
Avatar for Chathu Vishwajith

Chathu Vishwajith

November 25, 2017
Tweet

More Decks by Chathu Vishwajith

See All by Chathu Vishwajith
Lerna and Monorepo architecture for JavaScript
Avatar for Chathu Vishwajith iamchathu
0
63
Properly Securing Node.js APIs
Avatar for Chathu Vishwajith iamchathu
0
57
It's Someone Else's Servers
Avatar for Chathu Vishwajith iamchathu
0
43
Hardening WordPress is An Art
Avatar for Chathu Vishwajith iamchathu
0
140
Speed Up Your WordPess
Avatar for Chathu Vishwajith iamchathu
0
110
CMBJS Meetup: Securing NodeJS APIs with JWT
Avatar for Chathu Vishwajith iamchathu
0
110

Other Decks in Technology

See All in Technology
オフィスビルを監視しよう:フィジカル×デジタルにまたがるSLI/SLO設計と運用の難しさ / Monitoring Office Buildings: The Challenge of Physical-Digital SLI/SLO Design & Operation
Avatar for 株式会社ビットキー / Bitkey Inc. bitkey
1
120
DBのスキルで生き残る技術 - AI時代におけるテーブル設計の勘所
Avatar for soudai sone soudai
PRO
54
21k
Delta airlines®️ USA Contact Numbers: Complete 2025 Support Guide
Avatar for ape1422 airtravelguide
0
340
PO初心者が考えた ”POらしさ”
Avatar for (Ha)rady nb_rady
0
220
20250707-AI活用の個人差を埋めるチームづくり
Avatar for shnjtk shnjtk
6
4k
「クラウドコスト絶対削減」を支える技術—FinOpsを超えた徹底的なクラウドコスト削減の実践論
Avatar for 株式会社DELTA delta_tech
4
180
Getting to Know Your Legacy (System) with AI-Driven Software Archeology (WeAreDevelopers World Congress 2025)
Avatar for Markus Harrer feststelltaste
1
160
データ基盤からデータベースまで?広がるユースケースのDatabricksについて教えるよ!
Avatar for Akihiro Kuwano akuwano
3
140
AWS認定を取る中で感じたこと
Avatar for Siromi siromi
1
210
fukabori.fm 出張版: 売上高617億円と高稼働率を陰で支えた社内ツール開発のあれこれ話 / 20250704 Yoshimasa Iwase & Tomoo Morikawa
Avatar for SHIFT EVOLVE shift_evolve
PRO
2
8.1k
タイミーのデータモデリング事例と今後のチャレンジ
Avatar for Toshiki Tsuchikawa ttccddtoki
6
2.5k
〜『世界中の家族のこころのインフラ』を目指して”次の10年”へ〜 SREが導いたグローバルサービスの信頼性向上戦略とその舞台裏 / Towards the Next Decade: Enhancing Global Service Reliability
Avatar for kohbis kohbis
2
370

Featured

See All Featured
Bootstrapping a Software Product
Avatar for Garrett Dimon garrettdimon
PRO
307
110k
Done Done
Avatar for chrislema chrislema
184
16k
Producing Creativity
Avatar for Steve Smith orderedlist
PRO
346
40k
Git: the NoSQL Database
Avatar for Brandon Keepers bkeepers
PRO
430
65k
GraphQLの誤解/rethinking-graphql
Avatar for sonatard sonatard
71
11k
Designing for Performance
Avatar for Lara Hogan lara
610
69k
Documentation Writing (for coders)
Avatar for Carmen Chung carmenintech
72
4.9k
The Psychology of Web Performance [Beyond Tellerrand 2023]
Avatar for Tammy Everts tammyeverts
48
2.9k
Rails Girls Zürich Keynote
Avatar for Gregor Martynus gr2m
95
14k
Principles of Awesome APIs and How to Build Them.
Avatar for Keavy McMinn keavy
126
17k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
107
19k
The Success of Rails: Ensuring Growth for the Next 100 Years
Avatar for Eileen M. Uchitelle eileencodes
45
7.5k

Transcript

  1. None

  2. Hardening WordPress is kind of Art

  3. Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a

    startup

  4. Alex Proimos from Sydney, Australia

  5. Is WordPress is secure? → 52% are from WordPress plugins

    → 37% are from core WordPress → 11% are from WordPress themes

  6. Recent incidents

  7. Recent Incidents → bbPress → Shortcodes Ultimate → Formidable Forms

    → Duplicator → Yoast SEO 5.7.1 → WordPress Security Update 4.8.2 – Update Immediately! → WordPress 4.9

  8. Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting

    (XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal

  9. So what is the Art

  10. Continuous improvements

  11. Find a secured hosting

  12. Don’t forget to update!

  13. Don’t forget to update! → Keep your WordPress up-to-date →

    Update your plugins and themes → Change passwords periodically → Keep yourself updated

  14. Use your own, not defaults!

  15. Use your own, not defaults! → Do not use ‘admin’

    as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix

  16. Stop directory indexing

  17. Prevent User emumaration

  18. Disable XML-RPC if not using

  19. Limit login failed attempts

  20. Backup regularly

  21. Use Two Factor Authentication

  22. Remove unused plugins/themes

  23. Turn on Comments approval

  24. Use HTTPS! Atleast wp-admin area and wp-login.php

  25. Make sure Debugging is off!

  26. Apache, PHP, NGINX, SSL Vulnerabilities

  27. WordPress Vulnerability Database https://wpvulndb.com

  28. WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner

  29. None

  30. Summery → Don’t forget to update. → Use your own

    rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated

  31. From Holland Artist

  32. Thank you