Plug the Holes - Wordupness

Post on 06-Jul-2015


description

Plug the Holes - Taking Security Seriously when Developing Themes. Callum Hopkins' slides from his talk at #wordupness in November 2012. Based around the topic of securing a WordPress system when developing themes for clients or for mass production.

transcript

Plug the Holes #wordupness

(Taking security seriously when developing themes)

Presented by: Callum Hopkins

@caleuanhopkins

callumhopkins.co.uk

yeehah!

Wordpress’ awesome attributes

Open Source - free to use + build

No rules, limits or restrictions

Huge development & user community

Wordpress’ weakest attributes

Open Source - core exposed

no set standard - rubbish work accepted

ignorant users & arrogant devs

my story - brute force exposure

username: admin

password: elephant

my story - brute force exposure

wp footprints viewable in website’s source

no limit on number of login retries

admin login username wasn’t changed

wordpress shock facts

Wordpress is not 100% secure out of the box

more than 30 known wp 3.x core vulnerabilities

http://bit.ly/ceh-wpinfo

83% of hacked wp blogs were not upgraded

Let’s Improve Wordpress

Obscure Wordpress

Lock down Wordpress

secure wordpress

Lock Wordpress down

Lock down login attempts

remove write access for wp-content

rename admin usernames

secure Wordpress

high level password security for admins

remove editor from appearance panel

change admin user id from 1

obscure Wordpress

encode wp-config

remove all wordpress footprints

rewrite for admin panel
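The three measures slides above (lock down login attempts, remove the editor, remove footprints) as one added PHP example; this is not code from the talk or from the plugins it links, and it assumes a must-use plugin file plus constructed thresholds of 5 attempts and 15 minutes.

```php
<?php
/*
 * Plugin Name: Plug the Holes hardening (added example, not from the talk)
 * Place in wp-content/mu-plugins/ so it loads before any theme or plugin.
 */

// Assumed thresholds: 5 failures from one address lock it out for 15 minutes.
define( 'PTH_MAX_ATTEMPTS', 5 );
define( 'PTH_LOCKOUT_SECONDS', 15 * MINUTE_IN_SECONDS );

function pth_attempt_key() {
    // Counter is keyed on the client address (assumption: no reverse proxy in
    // front of the site; behind one, use the trusted forwarded header instead).
    return 'pth_login_fail_' . md5( $_SERVER['REMOTE_ADDR'] ?? '' );
}

// Count every failed login; the transient expires on its own after the lockout window.
add_action( 'wp_login_failed', function () {
    $key   = pth_attempt_key();
    $count = (int) get_transient( $key );
    set_transient( $key, $count + 1, PTH_LOCKOUT_SECONDS );
} );

// Priority 30 runs after core's password check (priority 20), so the lockout
// error replaces whatever core returned and no further guesses are evaluated.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    if ( (int) get_transient( pth_attempt_key() ) >= PTH_MAX_ATTEMPTS ) {
        return new WP_Error( 'pth_locked_out', 'Too many failed login attempts. Try again later.' );
    }
    return $user;
}, 30, 3 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
    delete_transient( pth_attempt_key() );
} );

// Generic message so a bad username and a bad password look identical to a guesser.
add_filter( 'login_errors', function () {
    return 'Invalid login details.';
} );

// Footprint: drop the generator meta tag that prints the WordPress version.
remove_action( 'wp_head', 'wp_generator' );

// Remove the theme/plugin editor from the Appearance panel (wp-config.php is the usual home).
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}
```

Renaming the admin user and changing its ID are database changes and are deliberately not scripted here.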

wordpress Resources

http://bit.ly/ceh-php

http://bit.ly/ceh-login

login lockdown plugin

Better wp security

Hide wp Footprints

http://bit.ly/ceh-security

questions?

Things to remember

be serious about security

any website can be targeted despite status

always code to the best of your abilities