Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owa...
Search
Sponsored
·
SiteGround - Reliable hosting with speed, security, and support you can count on.
→
yoshinori matsumoto
October 19, 2018
Technology
1.7k
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owasp-wordpress-meetup
yoshinori matsumoto
October 19, 2018
More Decks by yoshinori matsumoto
See All by yoshinori matsumoto
WordPress セキュリティガイド #wpmeetupkyoto / WP Security Guide
ym405nm
6
3.5k
FIDO2導入してみたを考えてみた / Around The Auth Capy Matsumoto
ym405nm
0
340
Hack L33t Fighters Ⅱ #owaspsendai
ym405nm
0
410
WordPress保安検査ガイド〜運用可能なセキュリティを始めるために〜 / wpcamp_haneda_security
ym405nm
1
740
CAPYのFIDOへの取り組み / Capy FIDO
ym405nm
0
220
Extreme Honyepotter
ym405nm
0
900
攻撃者からみたWordPressセキュリティ / WordCamp Kansai 2015
ym405nm
8
5.3k
コミュニティ活動からみるPHPセキュリティ / PHP Conference Kansai 2015
ym405nm
0
600
Other Decks in Technology
See All in Technology
ポストモーテム! DDoSからサイトは守れた。 でもビジネスは守れなかった。
bengo4com
0
2.4k
最適な自走を最小限の支援で — M&Aで拡大する組織で少人数SREが挑んだ1年 / SRE NEXT 2026
genda
0
840
Mastraエージェント、どのクラウドにデプロイする?
minorun365
PRO
2
180
勉強会企画をアプリで構造化してみた 〜そこで見えた、AIとの付き合い方〜 / I've structured a study group plan using an app.
pauli
0
340
キャリアの中で本を作る / Making a Book During Your Career
ak1210
0
130
AI時代のエンジニアキャリアについて今一度考える
sakamoto_582
2
1.5k
CIで使うClaude
iwatatomoya
0
210
SRE本の知られざる名シーン / The Hidden Gems of Google SRE Book
nari_ex
1
310
DMM.com 購入改善推進チーム におけるCodeRabbitを用いた レビューフロー改善の一例
ysknsid25
2
570
GuardrailからGovernanceへ~AIエージェント運用の次の課題~
sbspsy
1
250
ADDF - ループエンジニアリングするフレームワークを作ったら/I Didn't Set Out to Build Loop Engineering, But ADDF Did
fruitriin
0
100
Control Planeで育てるBtoB SaaSの認証基盤 - SRE NEXT 2026
pokohide
1
2.1k
Featured
See All Featured
RailsConf & Balkan Ruby 2019: The Past, Present, and Future of Rails at GitHub
eileencodes
141
35k
Imperfection Machines: The Place of Print at Facebook
scottboms
270
14k
Believing is Seeing
oripsolob
1
170
My Coaching Mixtape
mlcsv
0
170
Paper Plane
katiecoart
PRO
1
52k
Navigating the Design Leadership Dip - Product Design Week Design Leaders+ Conference 2024
apolaine
1
370
Darren the Foodie - Storyboard
khoart
PRO
3
3.4k
Accessibility Awareness
sabderemane
1
150
Site-Speed That Sticks
csswizardry
13
1.2k
The Curious Case for Waylosing
cassininazir
1
430
It's Worth the Effort
3n
188
29k
Kristin Tynski - Automating Marketing Tasks With AI
techseoconnect
PRO
0
290
Transcript
/ Yoshinori Matsumoto @ym405nm
, , lc t C JB KA SO rm
ids P e 1, 2 a N phoc Wnk 1 6 05 2 6 , 20 ,
&#\-A ] (5 (2018/10/8 !) @8C89 RNWK 0No Security No
Life1A<6C89 ,89GWordPress<MYPUYV A %:;9 WordPress RNWXTLMYPUYVAOZQQSUL →F72IRNWXTLBA =/"?> 'HA0,+1J $@QVZXZ.E → 5*DI=7)@*4A?3 WordPress A @39[
OWASP
OWASP(, • OWASP (Open Web Application Security Project) – Web@;HLA:84
8#5$. +)<FHCA: – 0+ ,/%79+!(315 (8/&$?D>GL?B-$IO=+ <KEMO>JN*24*'5 " 6$8
OWASP • OWASP Foundation – 2001 –
NPO – 200 Chapter
Japan : OWASP Local Chapters
WORDPRESS
WordPress"%&# $"%&#&! WordPress $"%&#&!
WordPress WordPress OWASP TOP
10 WordPress OWASP WordPress Security Implementa:on Guideline
OWASP TOP 10 Web8AD<F=CE4API,%(3 &.#)"101)2 57( 6 /03!#, $7'-,$
76 ?:BD@9-D>;? :BD@9 +*,3$7( 6 ,3$7( 6 OWASP JAPAN https://www.owasp.org/index.php/Japan
WordPress 209:3/ WordPress.org -,209:3/ .&!(5098;4% #209:3/*WordPress% 17963/%209:3/$%+ '#")-,
OWASP TOP 10 (2013 ) % WordPress % -, + WordPress 209:3/ h6ps://ja.wordpress.org/security/
OWASP WordPress Security Implementation Guideline OWASP $"' WordPress (#,+-'
+-&)-%! WordPress $.*DB ! OWASP WordPress Security Implementation Guideline https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
WordPress'",-( • WordPress.$!/ • • WordPress
-&# 1*",+/)2 *",+/) WordPress %!)0
WordPress XML RPC wp-login.php TOP10 : A2(
) WP :
P=6R ,A;KMD5 :B:B EI8NF wp-login.php,4<A@TXMLRPC/U 2497RFPC< H@QSGJM?S, LS>-*!!$3"+%0 (1
IP4GO@% $V A;KMD5.,””TU3# )&1$V ., -*2'0 )&1$V
JETPACK
A /@ $3 3,@& '7/@ .2)6)UYID\9#/@_39 ` •
• N]W • UYID\ WordPress8LGXZNCBMUO]PA3!/@ OTF[P3%>1:58-4+)"?);.=*^ TOP10 : A9(8 8(@ J\V]R\P8) WP :LGXZNCZZ]K80<8 SMHIYE\Q
WordPress ! SQL$:+&'*6: XSS='9,;)$1;,'73/#:(> 0<-4<, 0<-4<,
JavaScript )$1 )$1 58%&".%:9<2 TOP10 : A1($:+&'*6:) A7('9,)$1,'73/#:()
WordPress + ,+ The WordPress Codex Is Your Friend… $wpdb->prepare
;@B4<?6B, 21>& wp_kses esc_html / esc_attr %*+JavaScript& How to Prevent File Upload Vulnerabilities https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/ current_user_can('upload_files') &=B3 ,)! #'.8;AB9 ,)!$ wp_check_filetype :-/?5/;,7082+ MINE5/;,("7082+ +
OWASP ZAP • OWASP),.14>?;> • ?D58* <FC • 95@E('%
),. %!. • :5AB=2 ('%#/. (' OWASP ZAP Hands-on In Osaka (2015-02-10) https://speakerdeck.com/ykame/owasp-zap-hands-on-in-osaka- 2015-02-10 "*<FC0*73>) %$.& 16:9) $. -+$
WPScan • WordPress3+- C>MSETQ • KO@=S$FTL$4ITBNS;#+.$" ,: 21(#/): •
WordPress4!216#/): • 4JCRTHPCG'84 -96/): &21 WPSCan37:WordPress h.ps://www.slideshare.net/owaspnagoya/wpscanwordpress4 C>MS *4ETQ;4A=G3/,:0 <?DC3 ,: (%95,
WPScan9E/C3: • ID*UN\_S>% → %VGI[0' " • WordPress>*WZKI]^Q_X>T_MY] → )F-2C!
<; • "<VGI[<;0(4D8,<,/ → readme.html :/ &>T_MY]9? readme.html /AT_MY]0.8,C 3>P_[F>LIR=95C: HJON= #5C 0+B@5 3D72$916A ,,>9?`
$ % • WordPress!%0+215/ OWASP TOP10 WordPress-+23.) OWASP WordPress Security
Implementation Guideline • WordPress"4,*5(& (& WordPress" ( -+23.)'#6(& #twpm1019