Upgrade to Pro — share decks privately, control downloads, hide ads and more …

Hardening WordPress is kind of Art

Avatar for Chathu Vishwajith Chathu Vishwajith
November 25, 2017
Technology
140
0

Hardening WordPress is kind of Art

Update presentation I did at WordCamp Utrecht 2017, Netherlands

Avatar for Chathu Vishwajith

Chathu Vishwajith

November 25, 2017

More Decks by Chathu Vishwajith

See All by Chathu Vishwajith
Lerna and Monorepo architecture for JavaScript
Avatar for Chathu Vishwajith iamchathu
0
75
Properly Securing Node.js APIs
Avatar for Chathu Vishwajith iamchathu
0
63
It's Someone Else's Servers
Avatar for Chathu Vishwajith iamchathu
0
52
Hardening WordPress is An Art
Avatar for Chathu Vishwajith iamchathu
0
160
Speed Up Your WordPess
Avatar for Chathu Vishwajith iamchathu
0
120
CMBJS Meetup: Securing NodeJS APIs with JWT
Avatar for Chathu Vishwajith iamchathu
0
110

Other Decks in Technology

See All in Technology
AI-DLCを活用した高品質・安全なAI駆動開発実践 / AI Driven Development with AI-DLC
Avatar for 吉田真吾 yoshidashingo
0
130
個人最適 から 全体最適 へ AI情報共有会・AIギルド・AI-DLC で進める カンリーの組織展開
Avatar for ふくだ(fukuda ryu) rfdnxbro
0
1.4k
関西に縁あるMicrosoft MVPsが語るCopilotの未来
Avatar for Kaz Asada | しがない情シス kasada
0
1.1k
AIにフローを作らせようとして挫折した話
Avatar for 濱津 太一|ユースフル hamatsutaichi
0
160
Databricks 月刊サービスアップデート 2026年05月号
Avatar for ちょし tyosi1212
0
200
サプライチェーンセキュリティの空白地帯 - 信頼できる”依存性”の未来を考える
Avatar for Hiroki Suezawa (@rung) rung
PRO
2
680
JJUG CCC 2026 Spring AI時代の開発こそ標準化を武器に! ― 方式・プロセス・プラットフォームの標準化
Avatar for WatanabeShun s27watanabe
2
710
実装は速くなった、レビューはどうする? ― 自身のレビューをAIで再現させるサーヴァントエンジニアリングのすゝめ / Implementation got faster. So what about reviews? — An invitation to Servant Engineering: Recreating your own code reviews with AI
Avatar for nrs nrslib
6
3.7k
AI フレンドリーなエラー監視を TypeScript で実現する
Avatar for Shinobu Hayashi shinyaigeek
2
250
トークン数だけでは測れない — Claude Code 組織展開の効果検証から学んだこと
Avatar for Masaki Kubota makikub
0
130
ポケモンの型をTypeScriptの型システムで表現してみた
Avatar for subroh_0508 subroh0508
0
310
Oracle AI Database@Azure:サービス概要のご紹介
Avatar for oracle4engineer oracle4engineer
PRO
6
1.9k

Featured

See All Featured
Reflections from 52 weeks, 52 projects
Avatar for Jefferson Lam jeffersonlam
356
21k
Fight the Zombie Pattern Library - RWD Summit 2016
Avatar for Marcelo Somers marcelosomers
234
17k
Refactoring Trust on Your Teams (GOTO; Chicago 2020)
Avatar for Rebecca Miller-Webster rmw
35
3.5k
Visualizing Your Data: Incorporating Mongo into Loggly Infrastructure
Avatar for mongodb mongodb
49
10k
A brief & incomplete history of 
UX Design for the World Wide Web: 1989–2019
Avatar for Jason CranfordTeague jct
2
390
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
45
9.1k
Typedesign – Prime Four
Avatar for Hannes Fritz hannesfritz
42
3.1k
Have SEOs Ruined the Internet? - User Awareness of SEO in 2025
Avatar for Akash Hashmi akashhashmi
0
360
We Are The Robots
Avatar for Honza Javorek honzajavorek
0
240
No one is an island. Learnings from fostering a developers community.
Avatar for Antonio thoeni
21
3.7k
ラッコキーワード サービス紹介資料
Avatar for ラッコ株式会社 rakko
1
3.5M
Lessons Learnt from Crawling 1000+ Websites
Avatar for Charles Meaden charlesmeaden
PRO
1
1.3k

Transcript

  1. None

  2. Hardening WordPress is kind of Art

  3. Who am I Chathu Vishwajith Auth0 Ambassador Co-Founder of a

    startup

  4. Alex Proimos from Sydney, Australia

  5. Is WordPress is secure? → 52% are from WordPress plugins

    → 37% are from core WordPress → 11% are from WordPress themes

  6. Recent incidents

  7. Recent Incidents → bbPress → Shortcodes Ultimate → Formidable Forms

    → Duplicator → Yoast SEO 5.7.1 → WordPress Security Update 4.8.2 – Update Immediately! → WordPress 4.9

  8. Types of vulnerabilities → SQL Injection (SQLI) → Cross-site Scripting

    (XSS) → Cross-Site Request Forgery (CSRF) → Brute Force → Denial of Service (DoS) → Distributed Denial of Service (DDoS) → Full Path Disclosure (FPD) → User Enumeration → Remote Code Execution (RCE) → Remote File Inclusion (RFI) → Directory Traversal

  9. So what is the Art

  10. Continuous improvements

  11. Find a secured hosting

  12. Don’t forget to update!

  13. Don’t forget to update! → Keep your WordPress up-to-date →

    Update your plugins and themes → Change passwords periodically → Keep yourself updated

  14. Use your own, not defaults!

  15. Use your own, not defaults! → Do not use ‘admin’

    as your username → Change WP_CONFIG’s keys and salt values to randomly generated values → Change table prefix

  16. Stop directory indexing

  17. Prevent User emumaration

  18. Disable XML-RPC if not using

  19. Limit login failed attempts

  20. Backup regularly

  21. Use Two Factor Authentication

  22. Remove unused plugins/themes

  23. Turn on Comments approval

  24. Use HTTPS! Atleast wp-admin area and wp-login.php

  25. Make sure Debugging is off!

  26. Apache, PHP, NGINX, SSL Vulnerabilities

  27. WordPress Vulnerability Database https://wpvulndb.com

  28. WordPress Vulnerability Scanner https://github.com/RamadhanAmizudin/ Wordpress-scanner

  29. None

  30. Summery → Don’t forget to update. → Use your own

    rather defaults. → Stop directory traversal. → Disable XML-RPC if you are not using it. → Limit login attempts. → Backup regularly → Remove unused plugins/themes → Keep yourself updated

  31. From Holland Artist

  32. Thank you