Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owa...
Search
yoshinori matsumoto
October 19, 2018
Technology
1.7k
1
Share
Embed
Copy iframe code
Copy JS code
Copy link
Start on current slide
WordPress 管理者がおさえておきたい Web アプリケーションセキュリティ / owasp-wordpress-meetup
yoshinori matsumoto
October 19, 2018
More Decks by yoshinori matsumoto
See All by yoshinori matsumoto
WordPress セキュリティガイド #wpmeetupkyoto / WP Security Guide
ym405nm
6
3.5k
FIDO2導入してみたを考えてみた / Around The Auth Capy Matsumoto
ym405nm
0
340
Hack L33t Fighters Ⅱ #owaspsendai
ym405nm
0
410
WordPress保安検査ガイド〜運用可能なセキュリティを始めるために〜 / wpcamp_haneda_security
ym405nm
1
740
CAPYのFIDOへの取り組み / Capy FIDO
ym405nm
0
220
Extreme Honyepotter
ym405nm
0
900
攻撃者からみたWordPressセキュリティ / WordCamp Kansai 2015
ym405nm
8
5.3k
コミュニティ活動からみるPHPセキュリティ / PHP Conference Kansai 2015
ym405nm
0
590
Other Decks in Technology
See All in Technology
作る力から、見極める力へ — AI時代に広がるエンジニアの価値と役割
rince
0
390
“全部コピーしない”ファイルデータの活用 : — FSx for ONTAP × S3 Tables × Icebergで作るメタデータカタログ
yoshiki0705
0
220
AWS Summit Japan 2026の振り返りと2027へ向けて / AWS Summit Japan 2026 Recap and Prospects for 2027
kaminashi
1
170
「ビジネスがわかるエンジニア」とは何か?
ryooob
0
440
飲食店もAIで。レジ締めやハンディシステムをつくってる話 / Using AI for restaurant management
vtryo
0
230
AIをフル活用してオンコール機能のプロトタイプを2日で作った話 / Building an AI-Powered On-Call Prototype in Just Two Days
nari_ex
0
160
MySQL & MySQL HeatWave Report - June 2026
freshdaz
0
270
クラウドファンディング版StackChan 3体(4体)をインタラクティブな体験型作品にして展示もした話 / スタックチャンお誕生日会2026
you
PRO
0
270
デジタル・デザイン構想 by Sayaka Ishizuka
y150saya
0
170
時期が悪い!それでもRaspberry Piを買って遊んで活用するには / 20260627-osc26do-rpi-jikigawarui
akkiesoft
1
960
AIで政治は変わるのか? — 中高生と考えたAI時代の民主主義(東海高校サタデープログラム)
eitarosuda
0
350
Why is RC4 still being used?
tamaiyutaro
0
270
Featured
See All Featured
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
panda_program
123
22k
Unsuck your backbone
ammeep
672
58k
Building an army of robots
kneath
306
46k
Keith and Marios Guide to Fast Websites
keithpitt
413
23k
Primal Persuasion: How to Engage the Brain for Learning That Lasts
tmiket
0
380
A Tale of Four Properties
chriscoyier
163
24k
The Art of Delivering Value - GDevCon NA Keynote
reverentgeek
16
2k
XXLCSS - How to scale CSS and keep your sanity
sugarenia
250
1.3M
Navigating the moral maze — ethical principles for Al-driven product design
skipperchong
2
400
GraphQLの誤解/rethinking-graphql
sonatard
75
12k
Crafting Experiences
bethany
1
200
The Impact of AI in SEO - AI Overviews June 2024 Edition
aleyda
5
1.1k
Transcript
/ Yoshinori Matsumoto @ym405nm
, , lc t C JB KA SO rm
ids P e 1, 2 a N phoc Wnk 1 6 05 2 6 , 20 ,
&#\-A ] (5 (2018/10/8 !) @8C89 RNWK 0No Security No
Life1A<6C89 ,89GWordPress<MYPUYV A %:;9 WordPress RNWXTLMYPUYVAOZQQSUL →F72IRNWXTLBA =/"?> 'HA0,+1J $@QVZXZ.E → 5*DI=7)@*4A?3 WordPress A @39[
OWASP
OWASP(, • OWASP (Open Web Application Security Project) – Web@;HLA:84
8#5$. +)<FHCA: – 0+ ,/%79+!(315 (8/&$?D>GL?B-$IO=+ <KEMO>JN*24*'5 " 6$8
OWASP • OWASP Foundation – 2001 –
NPO – 200 Chapter
Japan : OWASP Local Chapters
WORDPRESS
WordPress"%&# $"%&#&! WordPress $"%&#&!
WordPress WordPress OWASP TOP
10 WordPress OWASP WordPress Security Implementa:on Guideline
OWASP TOP 10 Web8AD<F=CE4API,%(3 &.#)"101)2 57( 6 /03!#, $7'-,$
76 ?:BD@9-D>;? :BD@9 +*,3$7( 6 ,3$7( 6 OWASP JAPAN https://www.owasp.org/index.php/Japan
WordPress 209:3/ WordPress.org -,209:3/ .&!(5098;4% #209:3/*WordPress% 17963/%209:3/$%+ '#")-,
OWASP TOP 10 (2013 ) % WordPress % -, + WordPress 209:3/ h6ps://ja.wordpress.org/security/
OWASP WordPress Security Implementation Guideline OWASP $"' WordPress (#,+-'
+-&)-%! WordPress $.*DB ! OWASP WordPress Security Implementation Guideline https://www.owasp.org/index.php/OWASP_Wordpress_Security_Implementation_Guideline
WordPress'",-( • WordPress.$!/ • • WordPress
-&# 1*",+/)2 *",+/) WordPress %!)0
WordPress XML RPC wp-login.php TOP10 : A2(
) WP :
P=6R ,A;KMD5 :B:B EI8NF wp-login.php,4<A@TXMLRPC/U 2497RFPC< H@QSGJM?S, LS>-*!!$3"+%0 (1
IP4GO@% $V A;KMD5.,””TU3# )&1$V ., -*2'0 )&1$V
JETPACK
A /@ $3 3,@& '7/@ .2)6)UYID\9#/@_39 ` •
• N]W • UYID\ WordPress8LGXZNCBMUO]PA3!/@ OTF[P3%>1:58-4+)"?);.=*^ TOP10 : A9(8 8(@ J\V]R\P8) WP :LGXZNCZZ]K80<8 SMHIYE\Q
WordPress ! SQL$:+&'*6: XSS='9,;)$1;,'73/#:(> 0<-4<, 0<-4<,
JavaScript )$1 )$1 58%&".%:9<2 TOP10 : A1($:+&'*6:) A7('9,)$1,'73/#:()
WordPress + ,+ The WordPress Codex Is Your Friend… $wpdb->prepare
;@B4<?6B, 21>& wp_kses esc_html / esc_attr %*+JavaScript& How to Prevent File Upload Vulnerabilities https://www.wordfence.com/learn/how-to-prevent-file-upload-vulnerabilities/ current_user_can('upload_files') &=B3 ,)! #'.8;AB9 ,)!$ wp_check_filetype :-/?5/;,7082+ MINE5/;,("7082+ +
OWASP ZAP • OWASP),.14>?;> • ?D58* <FC • 95@E('%
),. %!. • :5AB=2 ('%#/. (' OWASP ZAP Hands-on In Osaka (2015-02-10) https://speakerdeck.com/ykame/owasp-zap-hands-on-in-osaka- 2015-02-10 "*<FC0*73>) %$.& 16:9) $. -+$
WPScan • WordPress3+- C>MSETQ • KO@=S$FTL$4ITBNS;#+.$" ,: 21(#/): •
WordPress4!216#/): • 4JCRTHPCG'84 -96/): &21 WPSCan37:WordPress h.ps://www.slideshare.net/owaspnagoya/wpscanwordpress4 C>MS *4ETQ;4A=G3/,:0 <?DC3 ,: (%95,
WPScan9E/C3: • ID*UN\_S>% → %VGI[0' " • WordPress>*WZKI]^Q_X>T_MY] → )F-2C!
<; • "<VGI[<;0(4D8,<,/ → readme.html :/ &>T_MY]9? readme.html /AT_MY]0.8,C 3>P_[F>LIR=95C: HJON= #5C 0+B@5 3D72$916A ,,>9?`
$ % • WordPress!%0+215/ OWASP TOP10 WordPress-+23.) OWASP WordPress Security
Implementation Guideline • WordPress"4,*5(& (& WordPress" ( -+23.)'#6(& #twpm1019