WordPress.org & Optimizing Security for your WordPress sites
Andrew Nacin, Lead Developer of WordPress.org, will provide a brief overview and take questions about WordPress's security, its core software and how WordPress approaches development.


    Presentation Transcript

    • WordPress as an Open Source Project (and Security)
    • Andrew Nacin
      • Lead Developer for WordPress
      • Washington, D.C.
      • Work for WP founder Matt Mullenweg (Don't work for Automattic or WP.com)
      • Full time on WordPress (the project) and WordPress.org (the site)
      • WordPress Security Team
    • A bit about WordPress releases
      • You're not adopting WordPress 3.5
      • You're not adopting WordPress 3
      • You're adopting WordPress
    • current WordPress version 3.5.1 (3.5: MAJOR RELEASE; 3.5.1: MINOR RELEASE)
    • These are major releases
      • WordPress 2.8, 2.9, 3.0, 3.1, 3.2
      • New features, enhancements, and bug fixes
      • Every 4-6 months
    • These are minor releases
      • WordPress 3.4.1, 3.4.2, 3.5.1
      • Major bug fixes, sometimes security fixes
      • As needed
    • Our philosophies are important wordpress.org/about/philosophy
    • Backwards compatibility
      • This is our commitment to users
      • Code that works on WordPress now should always work on WordPress
      • Update to minor releases immediately
      • If you must, wait for the .1 for major releases (But you shouldn't need to wait)
      • Don't skip releases: There is no need to
    • How to justify this in government
      • We don't have LTS (long term support) releases (no demand for it)
      • Semantic versioning dictates that a major release is one that breaks compatibility
      • Since we don't do that, government could think of it as a minor release. Just upgrade :-)
    • Very basic* crash course in WordPress security (* sysadmins may be bored)
    • Keep everything updated
      • Keep WordPress core updated
        – Consider following all changes to the 3.5 branch, not just final releases 3.5.1, 3.5.2, etc.
      • Keep plugins and themes updated (or if necessary, backport security fixes)
      • No, seriously
      • Consider a security audit by WordPress experts (e.g. Automattic)
    • Prevent file changes in the admin
      • Prevent upgrade of plugins, themes, core
      • You should be using version control anyway (Subversion or Git)
      • In wp-config.php: define('DISALLOW_FILE_MODS', true);
    • Locking down access
      • In wp-config.php, force SSL: define('FORCE_SSL_ADMIN', true);
      • If necessary, lock down wp-login.php and wp-admin:
        – Restrict it to your VPN or proxy
        – Restrict it using HTTP Basic Authentication
        – Restrict it to your office IP addresses
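The two wp-config.php settings from the slides above, put together in one fragment as an added example (this is not code from the slides or from the WordPress project). The defines must sit above the line that loads wp-settings.php; placed after it they are read too late and silently do nothing. The X-Forwarded-Proto handling is an assumption about a deployment behind a TLS-terminating reverse proxy; leave it out when WordPress terminates TLS itself. The VPN, IP and HTTP Basic Authentication restrictions on wp-login.php and wp-admin are applied in the web server, not in this file.

```php
<?php
// wp-config.php (fragment). Added example, not the WordPress project's own file.
// Everything below must appear BEFORE the require of wp-settings.php at the end,
// otherwise the constants are defined too late and have no effect.

// Default (weak) state: neither constant is defined. The dashboard can install,
// update and edit plugins, themes and core, and wp-admin is reachable over plain HTTP.

// Hardened state:

// Block all file changes from the admin: no plugin/theme editor, no installs,
// no dashboard upgrades. Changes are deployed through version control instead.
define( 'DISALLOW_FILE_MODS', true );

// Serve wp-login.php and wp-admin over HTTPS only, so credentials and the
// admin session cookies never travel in clear text.
define( 'FORCE_SSL_ADMIN', true );

// Assumption: WordPress sits behind a reverse proxy that terminates TLS and sets
// X-Forwarded-Proto. Without this block WordPress sees plain HTTP from the proxy
// and FORCE_SSL_ADMIN redirects in a loop. Only trust the header when the proxy
// is the sole path to this host, since a client could otherwise forge it.
if ( isset( $_SERVER['HTTP_X_FORWARDED_PROTO'] )
     && 'https' === $_SERVER['HTTP_X_FORWARDED_PROTO'] ) {
    $_SERVER['HTTPS'] = 'on';
}

/* That's all, stop editing! Happy blogging. */
if ( ! defined( 'ABSPATH' ) ) {
    define( 'ABSPATH', dirname( __FILE__ ) . '/' );
}
require_once ABSPATH . 'wp-settings.php';
```

After deploying, confirm the result from a browser: with DISALLOW_FILE_MODS the "Add New" and update actions disappear from the Plugins and Themes screens, and with FORCE_SSL_ADMIN a plain http:// request to wp-login.php is redirected to https://.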
    • Report potential security vulnerabilities to: security@wordpress.org
    • Report potential security vulnerabilities in plugins to: plugins@wordpress.org
    • The WordPress security team
      • 25 experts including lead developers and security researchers
        – About half are employees of Automattic
        – A number work in the web security field
      • We consult with well-known and trusted security researchers and hosting companies
    • Our (fairly standard) security process
      • Receive and acknowledge the report
      • Work to confirm the report and its severity
      • Plan and develop an initial patch
      • All of this happens within 48-72 hours
    • nacin@wordpress.org
    • security@wordpress.org
    • Questions?