
Hardening WordPress is kind of Art


Updated presentation I gave at WordCamp Utrecht 2017, Netherlands


Chathu Vishwajith

November 25, 2017


Transcript

  1. Is WordPress secure?
     → 52% of vulnerabilities are in WordPress plugins
     → 37% are in WordPress core
     → 11% are in WordPress themes
  2. Recent incidents
     → bbPress
     → Shortcodes Ultimate
     → Formidable Forms
     → Duplicator
     → Yoast SEO 5.7.1
     → WordPress Security Update 4.8.2 – Update Immediately!
     → WordPress 4.9
  3. Types of vulnerabilities
     → SQL Injection (SQLi)
     → Cross-Site Scripting (XSS)
     → Cross-Site Request Forgery (CSRF)
     → Brute Force
     → Denial of Service (DoS)
     → Distributed Denial of Service (DDoS)
     → Full Path Disclosure (FPD)
     → User Enumeration
     → Remote Code Execution (RCE)
     → Remote File Inclusion (RFI)
     → Directory Traversal
  4. Don’t forget to update!
     → Keep your WordPress up to date
     → Update your plugins and themes
     → Change passwords periodically
     → Keep yourself updated
  5. Use your own, not defaults!
     → Do not use ‘admin’ as your username
     → Change the keys and salt values in wp-config.php to randomly generated values
     → Change the database table prefix
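The two wp-config.php changes on this slide are easy to get wrong by hand (short or reused "random" strings, a prefix that is not a valid identifier). The following command-line script is an added example, not part of the slides or of WordPress itself; it generates the eight key/salt constants and a random table prefix with PHP's CSPRNG, and warns if an existing wp-config.php still contains the placeholder text from wp-config-sample.php. The file path argument and the six-letter prefix length are assumptions.

```php
<?php
// Added example (not from the slides): generate the wp-config.php lines that
// replace WordPress's placeholder keys/salts and the default "wp_" table prefix.
// Run once from the command line and paste the output into wp-config.php.
declare(strict_types=1);

const KEY_NAMES = [
    'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
    'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
];

// Placeholder shipped in wp-config-sample.php; an install still carrying it
// is signing cookies and nonces with a publicly known secret.
const PLACEHOLDER = 'put your unique phrase here';

function random_secret(int $bytes = 32): string
{
    // random_bytes() is a CSPRNG; hex output is safe inside a PHP string literal.
    return bin2hex(random_bytes($bytes));
}

function random_table_prefix(int $length = 6): string
{
    // Lowercase letters only so the prefix is always a valid SQL identifier,
    // followed by the underscore WordPress expects (assumed length: 6 letters).
    $alphabet = 'abcdefghijklmnopqrstuvwxyz';
    $prefix = '';
    for ($i = 0; $i < $length; $i++) {
        $prefix .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $prefix . '_';
}

function render_config(): string
{
    $lines = [];
    foreach (KEY_NAMES as $name) {
        $lines[] = sprintf("define( '%s', '%s' );", $name, random_secret());
    }
    $lines[] = sprintf("\$table_prefix = '%s';", random_table_prefix());
    return implode(PHP_EOL, $lines) . PHP_EOL;
}

// Check an existing config for the sample placeholder before printing new values.
function has_placeholder_secrets(string $configPath): bool
{
    if (!is_readable($configPath)) {
        return false;
    }
    return strpos((string) file_get_contents($configPath), PLACEHOLDER) !== false;
}

if (PHP_SAPI === 'cli') {
    $path = $argv[1] ?? 'wp-config.php'; // assumed default location
    if (has_placeholder_secrets($path)) {
        fwrite(STDERR, "$path still contains the sample placeholder keys; replace them with the lines below.\n");
    }
    echo render_config();
}
```

Two caveats when applying the output: rotating the keys and salts invalidates every existing login cookie, so all users are signed out once; and changing `$table_prefix` on a site that already has data also requires renaming the existing tables and the prefix-named rows such as the `wp_user_roles` option and the `wp_capabilities` user meta key, so do it on a fresh install or with a tested migration.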
  6. Summary
     → Don’t forget to update.
     → Use your own values rather than defaults.
     → Stop directory traversal.
     → Disable XML-RPC if you are not using it.
     → Limit login attempts.
     → Back up regularly.
     → Remove unused plugins/themes.
     → Keep yourself updated.
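Two of the summary items, disabling XML-RPC and limiting login attempts, can be done in a few lines of WordPress hooks without a third-party plugin. The must-use plugin below is an added example written for this page, not code from the slides or from WordPress; it uses the real `xmlrpc_enabled`, `wp_headers`, `wp_login_failed`, `authenticate` and `wp_login` hooks together with transients. The attempt limit (5), the window (15 minutes) and the use of `REMOTE_ADDR` as the client identifier are assumptions to adjust for your setup.

```php
<?php
/**
 * Plugin Name: Login and XML-RPC hardening (added example, not from the slides)
 * Description: Disables XML-RPC and limits failed login attempts per client IP.
 * Save as wp-content/mu-plugins/hardening-example.php so it loads without activation.
 */

if (!defined('ABSPATH')) {
    exit; // Only run inside WordPress.
}

// --- Disable XML-RPC (slide 6: "Disable XML-RPC if you are not using it") ---

// Refuse every XML-RPC request before any method is dispatched.
add_filter('xmlrpc_enabled', '__return_false');

// Stop advertising the endpoint in the X-Pingback response header.
add_filter('wp_headers', function (array $headers): array {
    unset($headers['X-Pingback']);
    return $headers;
});

// --- Limit login attempts (slide 6: "Limit login attempts") ---

const HW_MAX_ATTEMPTS   = 5;   // assumption: lock the client after 5 failures
const HW_WINDOW_SECONDS = 900; // assumption: failures expire after 15 minutes

function hw_client_key(): string
{
    // Assumes WordPress sees the real client address. Behind a reverse proxy
    // REMOTE_ADDR is the proxy, so every visitor would share one counter;
    // derive the key from the trusted forwarding header in that case.
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    return 'hw_login_fail_' . md5($ip);
}

// Count each failed login against the client; the transient expires on its own.
add_action('wp_login_failed', function (string $username): void {
    $key   = hw_client_key();
    $count = (int) get_transient($key);
    set_transient($key, $count + 1, HW_WINDOW_SECONDS);
});

// Priority 1 runs before WordPress checks the password, so a locked client
// learns nothing about whether the credentials were valid.
add_filter('authenticate', function ($user, string $username, string $password) {
    if ((int) get_transient(hw_client_key()) >= HW_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 1, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function (string $user_login, WP_User $user): void {
    delete_transient(hw_client_key());
}, 10, 2);
```

Because the counter lives in transients, it is shared across all PHP workers and survives page loads without any schema change; if the site uses an object cache, transients are stored there instead of the options table, which is the behaviour you want for a per-request check like this.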