WordPress.org & Optimizing Security for your WordPress sites

Andrew Nacin, Lead Developer of WordPress.org, will provide a brief overview and take questions about WordPress's security, its core software and how WordPress approaches development.

1. WordPress as an Open Source Project (and Security)

2.
• Andrew Nacin
• Lead Developer for WordPress
• Washington, D.C.
• Work for WP founder Matt Mullenweg (Don't work for Automattic or WP.com)
• Full time on WordPress (the project) and WordPress.org (the site)
• WordPress Security Team

3. A bit about WordPress releases
• You're not adopting WordPress 3.5
• You're not adopting WordPress 3
• You're adopting WordPress

4. current WordPress version: 3.5.1

5. current WordPress version: 3.5.1 (the "3.5" is the major release; the trailing ".1" is the minor release)

6. These are major releases
• WordPress 2.8, 2.9, 3.0, 3.1, 3.2
• New features, enhancements, and bug fixes
• Every 4-6 months
These are minor releases
• WordPress 3.4.1, 3.4.2, 3.5.1
• Major bug fixes, sometimes security fixes
• As needed

7. Our philosophies are important
wordpress.org/about/philosophy

8. Backwards compatibility
• This is our commitment to users
• Code that works on WordPress now should always work on WordPress
• Update to minor releases immediately
• If you must, wait for the .1 for major releases
• (But you shouldn't need to wait)
• Don't skip releases: there is no need to

9. How to justify this in government
• We don't have LTS (long term support) releases (no demand for it)
• Semantic versioning dictates that a major release is one that breaks compatibility
• Since we don't do that, government could think of it as a minor release. Just upgrade :-)

10. Very basic* crash course in WordPress security
* sysadmins may be bored

11. Keep everything updated
• Keep WordPress core updated
– Consider following all changes to the 3.5 branch, not just final releases 3.5.1, 3.5.2, etc.
• Keep plugins and themes updated
• (or if necessary, backport security fixes)
• No, seriously
• Consider a security audit by WordPress experts (e.g. Automattic)

12. Prevent file changes in the admin
• Prevent upgrade of plugins, themes, core
• You should be using version control anyway (Subversion or Git)
• In wp-config.php: define('DISALLOW_FILE_MODS', true);

13. Locking down access
• In wp-config.php, force SSL: define('FORCE_SSL_ADMIN', true);
• If necessary, lock down wp-login.php and wp-admin:
– Restrict it to your VPN or proxy
– Restrict it using HTTP Basic Authentication
– Restrict it to your office IP addresses

14. Report potential security vulnerabilities to: security@wordpress.org

15. Report potential security vulnerabilities in plugins to: plugins@wordpress.org

16. The WordPress security team
• 25 experts including lead developers and security researchers
– About half are employees of Automattic
– A number work in the web security field
• We consult with well-known and trusted security researchers and hosting companies

17. Our (fairly standard) security process
• Receive and acknowledge the report
• Work to confirm the report and its severity
• Plan and develop an initial patch
• All of this happens within 48-72 hours

18.
• nacin@wordpress.org
• security@wordpress.org
• Questions?
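The two wp-config.php constants from slides 12 and 13 are one-liners, but the practical trouble is in what sits around them: FORCE_SSL_ADMIN loops forever behind a TLS-terminating reverse proxy unless PHP is told the request was HTTPS, and an IP allowlist on wp-admin that forgets admin-ajax.php breaks the public site. The fragment below is an added example for this page, not code from the slides or from the WordPress project. Everything in it beyond the two constants is an assumption: the proxy address 10.0.0.5, the office range 203.0.113.0/24 and VPN address 198.51.100.7 (documentation addresses), the helper name example_ip_in_cidr, a 64-bit PHP build, and IPv4 only.

```php
<?php
// Added example (not from the slides or the WordPress project): a hardening
// fragment for wp-config.php applying slides 12 and 13. Place it above the
// "That's all, stop editing!" line so it runs before wp-settings.php.
//
// Assumptions, all hypothetical: TLS is terminated by one reverse proxy at
// 10.0.0.5; admin access is allowed from the office range 203.0.113.0/24 and
// the VPN egress address 198.51.100.7; PHP is 64-bit; only IPv4 is handled.

$trusted_proxies = array( '10.0.0.5' );                        // assumption
$admin_allowlist = array( '203.0.113.0/24', '198.51.100.7' );  // assumption

// -- Slide 13: FORCE_SSL_ADMIN behind a proxy -------------------------------
// WordPress decides "is this HTTPS?" from $_SERVER['HTTPS']. When the proxy
// terminates TLS, PHP sees plain HTTP, FORCE_SSL_ADMIN redirects to https://,
// the proxy forwards that as http:// again, and the browser loops. Set HTTPS
// from X-Forwarded-Proto, but only when the hop really is our proxy; any
// client can send that header otherwise.
$remote     = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
$from_proxy = in_array( $remote, $trusted_proxies, true );
if ( $from_proxy && isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === strtolower( $_SERVER['HTTP_X_FORWARDED_PROTO'] ) ) {
    $_SERVER['HTTPS'] = 'on';
}
define( 'FORCE_SSL_ADMIN', true );

// -- Slide 12 ---------------------------------------------------------------
// Removes the plugin/theme editors and all install/update/delete actions from
// the dashboard. It also switches off background updates (WordPress 3.7+),
// so minor/security releases must be deployed from version control or the CLI.
define( 'DISALLOW_FILE_MODS', true );

// -- Slide 13: allowlist for wp-login.php and wp-admin/ ---------------------
// Prefer the slide's web-server options (VPN, Basic Auth, office IPs); this
// PHP gate is for hosts where you cannot edit the server configuration.
function example_ip_in_cidr( $ip, $cidr ) {            // hypothetical helper
    if ( false === strpos( $cidr, '/' ) ) {
        $cidr .= '/32';                                 // single host
    }
    list( $net, $bits ) = explode( '/', $cidr, 2 );
    $bits  = (int) $bits;
    $ip_l  = ip2long( $ip );
    $net_l = ip2long( $net );
    if ( false === $ip_l || false === $net_l || $bits < 0 || $bits > 32 ) {
        return false;                                   // malformed: deny
    }
    $mask = ( 0 === $bits ) ? 0 : ( -1 << ( 32 - $bits ) );
    return ( $ip_l & $mask ) === ( $net_l & $mask );
}

// Client address: REMOTE_ADDR, unless the request came through our proxy, in
// which case take the RIGHTMOST X-Forwarded-For entry (the one the proxy
// appended). Leftmost entries are attacker-controlled.
$client_ip = $remote;
if ( $from_proxy && ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
    $hops      = array_map( 'trim', explode( ',', $_SERVER['HTTP_X_FORWARDED_FOR'] ) );
    $client_ip = end( $hops );
}

// Protect the login page and everything under wp-admin/ except admin-ajax.php,
// which logged-out visitors legitimately hit from the front end. (If your
// theme posts forms to admin-post.php, exempt that the same way.)
$script    = isset( $_SERVER['SCRIPT_NAME'] ) ? $_SERVER['SCRIPT_NAME'] : '';
$basename  = basename( $script );
$protected = ( 'wp-login.php' === $basename )
    || ( false !== strpos( $script, '/wp-admin/' ) && 'admin-ajax.php' !== $basename );

if ( $protected ) {
    $allowed = false;
    foreach ( $admin_allowlist as $cidr ) {
        if ( example_ip_in_cidr( $client_ip, $cidr ) ) {
            $allowed = true;
            break;
        }
    }
    if ( ! $allowed ) {
        header( 'HTTP/1.1 403 Forbidden' );
        header( 'Content-Type: text/plain; charset=utf-8' );
        exit( 'Forbidden' );        // before WordPress (and any plugin) loads
    }
}
```

To check the proxy handling, request wp-login.php directly from a non-proxy address with a forged X-Forwarded-Proto: https header; the response must still be the plain-HTTP redirect, because the header is only honoured when REMOTE_ADDR is the proxy. Then confirm a logged-out front-end page that calls admin-ajax.php still works from an address outside the allowlist, and that WP-CLI (no SCRIPT_NAME) is unaffected.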