Plug the Holes - Taking Security Seriously when Developing Themes. Callum Hopkins' slides from his talk at #wordupness in November 2012, on securing a WordPress system when developing themes for clients or for mass production.
Plug the Holes #wordupness
(Taking security seriously when developing themes)
Presented by: Callum Hopkins
@caleuanhopkins callumhopkins.co.uk
yeehah!
WordPress’ awesome attributes
Open Source - free to use + build
No rules, limits or restrictions
Huge development & user community
WordPress’ weakest attributes
Open Source - core exposed
no set standard - rubbish work accepted
ignorant users & arrogant devs
my story - brute force exposure
username: admin
password: elephant
my story - brute force exposure
wp footprints viewable in website’s source
no limit on number of login retries
admin login username wasn’t changed
WordPress shock facts
WordPress is not 100% secure out of the box
more than 30 known WP 3.x core vulnerabilities
http://bit.ly/ceh-wpinfo
83% of hacked WP blogs were not upgraded
Let’s Improve WordPress
Obscure WordPress
Lock down WordPress
Secure WordPress
Lock WordPress down
lock down login attempts
remove write access for wp-content
rename admin usernames
Secure WordPress
high level password security for admins
remove editor from appearance panel
change admin user id from 1
Obscure WordPress
encode wp-config
remove all WordPress footprints
rewrite for admin panel
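As an added example (not from the slides or any plugin the talk mentions), three of the measures listed above implemented as a WordPress must-use plugin, assumed to live at wp-content/mu-plugins/plug-the-holes.php; the attempt limit and lockout window are assumed values, and the hook and function names are WordPress core APIs.

```php
<?php
// Added example: three of the slide's hardening measures in one mu-plugin.

// "remove editor from appearance panel": this constant belongs in wp-config.php,
// shown here for reference only.
// define( 'DISALLOW_FILE_EDIT', true );

// "remove all WordPress footprints": drop the version meta tag in <head>
// and the generator string in feeds.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// "lock down login attempts": count failures per client IP in a transient
// and refuse authentication once the limit is reached.
define( 'PH_MAX_ATTEMPTS', 5 );        // assumed limit
define( 'PH_LOCKOUT_SECS', 15 * 60 );  // assumed window (15 minutes)

function ph_attempt_key() {
    // REMOTE_ADDR is only trustworthy when no reverse proxy rewrites it.
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'ph_login_fail_' . md5( $ip );
}

function ph_record_failure() {
    $key   = ph_attempt_key();
    $count = (int) get_transient( $key );
    // Each failure extends the window; the transient expires on its own.
    set_transient( $key, $count + 1, PH_LOCKOUT_SECS );
}
add_action( 'wp_login_failed', 'ph_record_failure' );

function ph_block_if_locked( $user, $username, $password ) {
    if ( (int) get_transient( ph_attempt_key() ) >= PH_MAX_ATTEMPTS ) {
        return new WP_Error(
            'ph_locked_out',
            __( 'Too many failed logins from this address; try again later.' )
        );
    }
    return $user;
}
// Priority 30 runs after core's username/password check (priority 20),
// so a locked-out address is refused even with the correct password.
add_filter( 'authenticate', 'ph_block_if_locked', 30, 3 );

function ph_clear_on_success( $user_login, $user ) {
    // A successful login resets the counter for this address.
    delete_transient( ph_attempt_key() );
}
add_action( 'wp_login', 'ph_clear_on_success', 10, 2 );
```

Transients are per-site, so with a persistent object cache the counter is shared across web nodes; without one it lives in the options table, which is enough for a single-server blog.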
WordPress Resources
http://bit.ly/ceh-php
http://bit.ly/ceh-login login lockdown plugin
Better WP Security
Hide WP Footprints
http://bit.ly/ceh-security
questions?
Things to remember
be serious about security
any website can be targeted, regardless of its status
always code to the best of your abilities