WordPress.org & Optimizing Security for your WordPress sites

10,746 views

Andrew Nacin, Lead Developer of WordPress.org, will provide a brief overview and take questions about WordPress's security, its core software and how WordPress approaches development.

Published in: Technology, Business


  1. WordPress as an Open Source Project (and Security)
  2. • Andrew Nacin
     • Lead Developer for WordPress
     • Washington, D.C.
     • Work for WP founder Matt Mullenweg (Don't work for Automattic or WP.com)
     • Full time on WordPress (the project) and WordPress.org (the site)
     • WordPress Security Team
  3. A bit about WordPress releases
     • You're not adopting WordPress 3.5
     • You're not adopting WordPress 3
     • You're adopting WordPress
  4. current WordPress version: 3.5.1
  5. current WordPress version: 3.5.1 (3.5 = MAJOR RELEASE, .1 = MINOR RELEASE)
  6. These are major releases
     • WordPress 2.8, 2.9, 3.0, 3.1, 3.2
     • New features, enhancements, and bug fixes
     • Every 4-6 months
     These are minor releases
     • WordPress 3.4.1, 3.4.2, 3.5.1
     • Major bug fixes, sometimes security fixes
     • As needed
  7. Our philosophies are important: wordpress.org/about/philosophy
  8. Backwards compatibility
     • This is our commitment to users
     • Code that works on WordPress now should always work on WordPress
     • Update to minor releases immediately
     • If you must, wait for the .1 for major releases
     • (But you shouldn't need to wait)
     • Don't skip releases: There is no need to
  9. How to justify this in government
     • We don't have LTS (long term support) releases (no demand for it)
     • Semantic versioning dictates that a major release is one that breaks compatibility
     • Since we don't do that, government could think of it as a minor release. Just upgrade :-)
  10. Very basic* crash course in WordPress security
     * sysadmins may be bored
  11. Keep everything updated
     • Keep WordPress core updated
       – Consider following all changes to the 3.5 branch, not just final releases 3.5.1, 3.5.2, etc.
     • Keep plugins and themes updated
     • (or if necessary, backport security fixes)
     • No, seriously
     • Consider a security audit by WordPress experts (e.g. Automattic)
  12. Prevent file changes in the admin
     • Prevent upgrade of plugins, themes, core
     • You should be using version control anyway (Subversion or Git)
     • In wp-config.php: define('DISALLOW_FILE_MODS', true);
  13. Locking down access
     • In wp-config.php, force SSL: define('FORCE_SSL_ADMIN', true);
     • If necessary, lock down wp-login.php and wp-admin:
       – Restrict it to your VPN or proxy
       – Restrict it using HTTP Basic Authentication
       – Restrict it to your office IP addresses
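As an added check (example code, not from the talk or the WordPress project) that ties slides 6, 8, 12 and 13 together: a small Python audit that reads a wp-config.php excerpt for the two hardening constants the slides name and applies the update rule (minor release on your branch: update now; major release: update, don't skip) to an installed version. The constructed sample config and the hard-coded "current" version 3.5.1 from the slides are assumptions embedded inline.

```python
import re

# Current version named on the slides; assumption: supplied by the caller,
# not looked up online.
CURRENT_VERSION = "3.5.1"
# wp-config.php constants the slides say to set to true.
REQUIRED_CONSTANTS = ("DISALLOW_FILE_MODS", "FORCE_SSL_ADMIN")
# Matches define('NAME', true|false); string-valued defines are ignored.
DEFINE_RE = re.compile(
    r"define\(\s*['\"](\w+)['\"]\s*,\s*(true|false)\s*\)", re.IGNORECASE)

def parse_defines(config_text):
    """Return {NAME: bool} for every boolean define() in a wp-config.php body."""
    return {name: value.lower() == "true"
            for name, value in DEFINE_RE.findall(config_text)}

def missing_hardening(config_text):
    """Recommended constants that are absent from the config or not true."""
    defines = parse_defines(config_text)
    return [c for c in REQUIRED_CONSTANTS if not defines.get(c, False)]

def classify_release(version):
    """'major' for X.Y (features, every 4-6 months), 'minor' for X.Y.Z (fixes)."""
    parts = version.split(".")
    if len(parts) == 2:
        return "major"
    if len(parts) == 3:
        return "minor"
    raise ValueError("unexpected WordPress version string: %s" % version)

def update_advice(installed, current=CURRENT_VERSION):
    """Slide 8's rule: apply minor releases immediately; don't skip major ones."""
    inst = tuple(int(p) for p in installed.split("."))
    cur = tuple(int(p) for p in current.split("."))
    if inst >= cur:
        return "up to date"
    if inst[:2] == cur[:2]:
        return "minor release available: update immediately"
    return "major release available: update, no need to wait or skip"

# Constructed wp-config.php excerpt (not from any real site).
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('FORCE_SSL_ADMIN', true);
define('DISALLOW_FILE_MODS', false);   /* file edits still allowed */
"""

if __name__ == "__main__":
    print("missing hardening:", missing_hardening(SAMPLE_CONFIG))
    print("3.5 ->", update_advice("3.5"))
```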
  14. Report potential security vulnerabilities to: security@wordpress.org
  15. Report potential security vulnerabilities in plugins to: plugins@wordpress.org
  16. The WordPress security team
     • 25 experts including lead developers and security researchers
       – About half are employees of Automattic
       – A number work in the web security field
     • We consult with well-known and trusted security researchers and hosting companies
  17. Our (fairly standard) security process
     • Receive and acknowledge the report
     • Work to confirm the report and its severity
     • Plan and develop an initial patch
     • All of this happens within 48-72 hours
  18. • nacin@wordpress.org
     • security@wordpress.org
     • Questions?
