David Brumbaugh • @DavidEBrumbaugh • #Team10Up • www.10up.com
A CIA Mindset
Planning Your WordPress Site's Security (for Developers)
David Brumbaugh - Web Engineer, 10Up
A premier web design & development consulting service provider,
and a contributor to open platforms like WordPress.
70% of WordPress Sites Vulnerable
October 2013, InformationWeek:
That's over 100M sites
These vulnerabilities are preventable
Security is a Mindset
It should permeate how we code
C.I.A.: Confidentiality, Integrity, Availability
WordPress CIA Coding
• Environmental factors
• Code for confidentiality
• Code for integrity
• Code for availability
Confidentiality
• Personal Information
  • Names, Email Addresses
• Customer Information
  • Order History
• Sensitive Information
  • Payment Information, Passwords, Health Data
Confidentiality: Hosting
If the host is compromised, your coding doesn't matter.
Cultivate a good relationship with the host. Avoid the "blame game".
With a new (or large) host I usually start the support ticket with: "I am a developer".
Confidentiality - WordPress
• Front End vs. Back End
• Roles and Capabilities: Built In and Custom
• Business Decisions: the purpose of the code should match responsibilities
Using Capabilities in Code
Standard Roles
• Super Admin
• Administrator
• Editor
• Author
• Contributor
• Subscriber
Sample Capabilities
• edit_users
• activate_plugins
• delete_others_pages
• upload_files
• edit_posts
• read
Custom Roles and Capabilities
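The two slides above ("Using Capabilities in Code" and "Custom Roles and Capabilities") carry no code in this transcript, so here is an added example, not code from the deck or from 10Up, of both ideas in a plugin using core WordPress functions: the capability check gates the feature, and a custom role and capability are registered on activation. The role, capability, menu slug and function names are hypothetical.

```php
<?php
/**
 * Added example (not from the slides): gating a feature on a capability and
 * defining a custom role and capability with core WordPress functions.
 * Assumes this is a plugin's main file; the role, capability, menu slug and
 * function names ("report_viewer", "view_ciaplugin_reports", ...) are hypothetical.
 */

// Create the role and capability once, on activation: add_role() and add_cap()
// persist to the database, so they do not belong in every request.
register_activation_hook( __FILE__, 'ciaplugin_activate' );
function ciaplugin_activate() {
    // A role limited to reading the site and viewing the custom reports.
    add_role( 'report_viewer', 'Report Viewer',
        array( 'read' => true, 'view_ciaplugin_reports' => true ) );
    // Administrators do not get custom capabilities automatically (only the
    // multisite Super Admin does), so grant it explicitly to the roles the
    // business rule says may view reports.
    foreach ( array( 'administrator', 'editor' ) as $name ) {
        $role = get_role( $name );
        if ( $role ) {
            $role->add_cap( 'view_ciaplugin_reports' );
        }
    }
    // The matching remove_role()/remove_cap() calls go in a deactivation hook.
}

// Check the capability the feature needs, not a role name: roles are editable
// and the business rule is "who may view reports", not "who is an Editor".
add_action( 'admin_menu', 'ciaplugin_menu' );
function ciaplugin_menu() {
    add_menu_page(
        'CIA Reports', 'CIA Reports',
        'view_ciaplugin_reports',   // page is hidden from users without this cap
        'ciaplugin-reports', 'ciaplugin_render_reports'
    );
}

function ciaplugin_render_reports() {
    // Menu visibility is not authorization: re-check in the callback and in
    // any AJAX or form handler the page posts to.
    if ( ! current_user_can( 'view_ciaplugin_reports' ) ) {
        wp_die( esc_html__( 'You are not allowed to view reports.', 'ciaplugin' ), '', array( 'response' => 403 ) );
    }
    echo '<h1>' . esc_html__( 'Reports', 'ciaplugin' ) . '</h1>';
}
```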
Confidentiality - WordPress: Code Examples from the Repository
• Members (Justin Tadlock)
• Eyes Only (Kevin Behrens & Thom Stark)
• Restricted Site Access (10Up)
• Editorial Access Manager (10Up)
Integrity
Protection against unauthorized or unintended modification, deletion, or addition of data and/or programs.
WP Integrity Threats
• Brute Force Attacks
  • Another computer "guesses" username/password
  • Username or password is intercepted (email)
• Injection Attacks
  • Another computer exploits failure to comply with best practices by injecting malicious code.
Integrity - WordPress Core Advantages
• Open Source
  • Thousands of Eyes
  • Can Audit / Inspect
  • YOU Should Inspect It
  • https://make.wordpress.org/core/reports/
• Solid Organization Committed to Security
• Built In Security Functions (Only work if used)
• Version Updates - Automatic for Security Related, can (usually should) be automated
  • You Should Push Security Updates ASAP
Integrity: In Your Themes and Plugins
• Update Procedures (i.e. WordPress.org Repository)
• Best Practices:
  • Input Validation and Sanitization
  • Validate and Escape Output
  • Beware Feature Bloat
Integrity: Brute Force Defense
• Check for Bad Usernames (admin, administrator etc.)
• Captcha - Advantages and disadvantages
• Enforce Strong Passwords
• Secure Password Delivery
  • Don't Email Passwords
  • Use One Time Secret
Integrity: Injection Defenses
Use built-in escaping, validation and sanitizing functions
• Input Validation
• Sanitizing: Cleaning User Input
• Escaping: Securing Output - Why?
• Escaping: Securing Output - How?
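The four injection-defense slides above name the steps without the code, so here is an added example, not code from the deck or from 10Up, that walks one settings form through them with the core functions: validate and sanitize on the way in, escape for the output context on the way out. The option name, nonce action, field names and function names are hypothetical.

```php
<?php
/**
 * Added example (not from the slides): one settings form handled with the
 * core validation, sanitization and escaping functions. The option name
 * "ciaplugin_settings", the nonce action and the field names are hypothetical.
 */

// On the way IN: authorize, check the nonce, validate, then sanitize.
add_action( 'admin_post_ciaplugin_save', 'ciaplugin_save_settings' );
function ciaplugin_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ciaplugin_save', 'ciaplugin_nonce' ); // dies on a bad or missing nonce

    // Validation: reject input that is not acceptable instead of trying to repair it.
    $email = sanitize_email( wp_unslash( $_POST['contact_email'] ?? '' ) );
    if ( ! is_email( $email ) ) {
        wp_die( 'Invalid e-mail address', '', array( 'response' => 400 ) );
    }
    // Sanitization: strip tags and line breaks from free text, coerce the
    // number to a bounded non-negative int, restrict the select to a known list.
    $title    = sanitize_text_field( wp_unslash( $_POST['site_title'] ?? '' ) );
    $per_page = min( 100, absint( $_POST['per_page'] ?? 10 ) );
    $mode     = in_array( $_POST['mode'] ?? '', array( 'public', 'private' ), true )
        ? $_POST['mode'] : 'private';

    update_option( 'ciaplugin_settings', compact( 'email', 'title', 'per_page', 'mode' ) );
    wp_safe_redirect( admin_url( 'options-general.php?page=ciaplugin&updated=1' ) );
    exit;
}

// On the way OUT: escape for the context the value lands in, even though it
// was sanitized on save (another plugin or a direct DB edit may have changed it).
function ciaplugin_render_form() {
    $s = wp_parse_args( get_option( 'ciaplugin_settings', array() ),
        array( 'email' => '', 'title' => '', 'per_page' => 10, 'mode' => 'private' ) );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'ciaplugin_save', 'ciaplugin_nonce' ); ?>
        <input type="hidden" name="action" value="ciaplugin_save">
        <input name="site_title" value="<?php echo esc_attr( $s['title'] ); ?>">  <!-- attribute context -->
        <input name="contact_email" value="<?php echo esc_attr( $s['email'] ); ?>">
        <input name="per_page" value="<?php echo absint( $s['per_page'] ); ?>">
        <p><?php echo esc_html( $s['title'] ); ?></p>  <!-- text context between tags -->
    </form>
    <?php
}
```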
File & Data Integrity
• All plugins/themes run at the same permission level
• Some other plugin can make yours vulnerable
• Git automatically includes integrity checking
• Consider a "canonical" file integrity source:
  http://www.sitepoint.com/monitoring-file-integrity/
• Search the plugin repository for "security monitoring" and/or "file integrity monitoring"
Availability
Your WordPress site should be available to your customers, users, administrators and content creators when they need it.
Availability
• Often a function of integrity
  • Attacker locks users out
  • DDoS launched from compromised WP sites in 2013
• Work with the host
• Performance
  • Optimization (profile)
  • Caching
  • Asset management (CDN)
David Brumbaugh • @DavidEBrumbaugh • #Team10Up • www.10iup.com/cia-biz
C.I.A. Resources
• developer.wordpress.org
• codex.wordpress.org
  • Sanitizing Input
  • Escaping Output
• Open Web Application Security Project
  • owasp.org
• CERT - Computer Emergency Readiness Team
  • http://www.us-cert.gov
  • Subscribe to Email Alerts
  • Filter your inbox by sender, WordPress
More C.I.A. Resources - from 10Up
• Previously mentioned plugins (WordPress.org)
• Best Practices: https://10up.github.io/Engineering-Best-Practices/
• One Time Secret: https://secret.10up.com/
Questions?

CIA For WordPress Developers