2. About Me
❖ Stefan Kremer
❖ 14 yrs WordPress experience
❖ Contributor
❖ freelance IT Consultant,
mainly WordPress, Mac, CTI
❖ Owner of AdminPress (de)
and KeDe Digital LLP (ke)
@stkjj
stefan@adminpress.de
3. About WordPress
❖ started as a fork of "B2/cafelog" in 2003 by Matt
Mullenweg as blogging software
❖ Content Management System
❖ 2-tier architecture based on PHP/MySQL
❖ differentiate: WP.org and WP.com !
4. Why this talk?
WordPress can be more than just a CMS:
❖ hacked server can be used to spread malware
❖ critical infrastructure like eCommerce
❖ Portal for other services
❖ other isolated services on same infrastructure
5. WordPress Security
❖ often referred to as "insecure"
❖ core vs. 3rd party vs. operation
❖ large community that takes care
❖ WordPress security team
Chart: Core 11 %, PlugIns 52 %, Themes 37 %
6. Bug Bounty Program
❖ via hackerone.com
❖ ~ $8,000 paid out
❖ range from $25 to $750
❖ double for bugs reported in beta/RC
🐞
7. Policy
❖ responsible disclosure
❖ minor versions contain bug and security fixes
❖ autoupdate for minor versions
❖ security fixes are backported down to 3.7
📜
9. Some Basics 🧠
❖ harden your infrastructure
➡ Server OS, Apache/Nginx, PHP, (My)SQL, Fail2Ban
❖ ensure device security
➡ OS, malware scan, firewall, encryption at rest
❖ apply the common good practices
➡ strong passwords, encryption in transit, use your brain!
10. Recommendations
1. update, update, update
2. use themes and plugins from wp.org repo only
3. remove unused plugins and themes
4. harden your installation
5. monitor your site(s)
6. have a backup
11. 1. Update, Update, Update!
❖ autoupdate for minor core updates ✅
❖ update plugins and themes ASAP ⏰
❖ critical infrastructure: have a staging system 🎭
❖ check functionalities after update 🚀
❖ premium: renew your subscriptions 💸
12. 2. wp.org Stuff Only!
❖ use themes and plugins from wp.org repo only
❖ avoid "premium" plugins and themes
❖ never ever use doubtful sources
13. 3. Remove Unused Stuff
❖ uninstall themes and plugins not actively used
❖ keep the recent default theme for fallback
❖ disabled plugins are still accessible
🚫
15. 5. Monitoring
❖ server up and running
❖ malicious login attempts
❖ 404s
❖ changed/added/deleted files
❖ user actions
❖ malware detection
❖ changes in UI after updates
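The monitoring items above (malicious login attempts, 404s, changed/added/deleted files) can be checked with a small script. The following is an added example, not part of the original slides: it parses a few constructed Apache/Nginx combined-format access log lines, flags clients that POST repeatedly to wp-login.php or produce many 404s, and diffs two hash snapshots of a directory tree. The thresholds and sample addresses are assumptions chosen for the demonstration.

```python
"""Basic WordPress host monitoring checks (added example, not from the slides).

Three checks are shown:
  1. clients with a burst of POST requests to wp-login.php (brute-force indicator)
  2. clients producing many 404 responses (scanning indicator)
  3. added / changed / deleted files between two snapshots of the web root
"""
import hashlib
import re
from collections import Counter
from pathlib import Path

# Combined log format: ip ident user [time] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample log; the addresses are documentation ranges (RFC 5737).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:39 +0000] "POST /wp-login.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:40 +0000] "POST /wp-login.php HTTP/1.1" 200 5123
203.0.113.7 - - [10/Oct/2023:13:55:41 +0000] "POST /wp-login.php HTTP/1.1" 200 5123
198.51.100.3 - - [10/Oct/2023:13:56:01 +0000] "GET / HTTP/1.1" 200 18342
198.51.100.3 - - [10/Oct/2023:13:56:05 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.9 - - [10/Oct/2023:13:57:10 +0000] "GET /missing-1 HTTP/1.1" 404 1024
198.51.100.9 - - [10/Oct/2023:13:57:11 +0000] "GET /missing-2 HTTP/1.1" 404 1024
198.51.100.9 - - [10/Oct/2023:13:57:12 +0000] "GET /missing-3 HTTP/1.1" 404 1024
198.51.100.9 - - [10/Oct/2023:13:57:13 +0000] "GET /missing-4 HTTP/1.1" 404 1024
192.0.2.5 - - [10/Oct/2023:13:58:00 +0000] "GET /about/ HTTP/1.1" 200 9000
192.0.2.5 - - [10/Oct/2023:13:58:02 +0000] "GET /nope HTTP/1.1" 404 1024
"""


def parse_log(text):
    """Return one dict per parseable line; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            entries.append(m.groupdict())
    return entries


def login_bursts(entries, threshold=5):
    """Clients with at least `threshold` POSTs to wp-login.php.

    Every POST is counted regardless of status, which is the conservative
    choice: a failed login re-renders the form (200), a successful one
    redirects (302), and both matter when one client sends many of them.
    """
    counts = Counter(
        e["ip"] for e in entries
        if e["method"] == "POST" and e["path"].split("?")[0].endswith("/wp-login.php")
    )
    return {ip: n for ip, n in counts.items() if n >= threshold}


def noisy_404_clients(entries, threshold=3):
    """Clients with at least `threshold` 404 responses."""
    counts = Counter(e["ip"] for e in entries if e["status"] == "404")
    return {ip: n for ip, n in counts.items() if n >= threshold}


def snapshot(root):
    """Map each file path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_snapshots(before, after):
    """Report added, changed and deleted paths between two snapshots."""
    return {
        "added": sorted(set(after) - set(before)),
        "deleted": sorted(set(before) - set(after)),
        "changed": sorted(p for p in set(before) & set(after) if before[p] != after[p]),
    }


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("login bursts:", login_bursts(entries))
    print("404 scanners:", noisy_404_clients(entries))
    # A real deployment stores snapshot(webroot) after each deliberate update
    # and diffs it against a fresh snapshot on a schedule.
    print(diff_snapshots({"a.php": "x", "b.php": "y"}, {"a.php": "x", "b.php": "z", "c.php": "w"}))
```

In practice the baseline snapshot is taken right after a deliberate update and stored away from the web root; any difference reported later is either an update you did not make or a file you did not upload.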
16. 6. Backup
❖ you don't want to have a backup,
➡ you want to have a restore!
❖ timed & regular, automatic, off-site
❖ both database and files
❖ practice restore
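"You want a restore, not a backup" translates into code as: archive files and database dump, then extract the archive into a scratch directory and compare it byte-for-byte with the source. The script below is an added example, not from the slides. It uses a constructed placeholder file in place of a real mysqldump output so it runs offline, and demonstrates that the rehearsal catches a file that changed after the backup was taken.

```python
"""Back up site files plus a DB dump, then rehearse the restore (added example).

Assumptions: the database dump is a constructed placeholder file (a real
setup would produce it with mysqldump); site layout is constructed inline.
"""
import filecmp
import tarfile
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def create_backup(site_dir, db_dump, dest_dir):
    """Write a timestamped tar.gz with the site files and the DB dump; return its path."""
    stamp = datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    archive = Path(dest_dir) / f"wp-backup-{stamp}.tar.gz"
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(site_dir, arcname="files")
        tar.add(db_dump, arcname="db/" + Path(db_dump).name)
    return archive


def trees_identical(a, b):
    """Recursively compare two directories by content (not just size/mtime)."""
    cmp = filecmp.dircmp(a, b)
    if cmp.left_only or cmp.right_only or cmp.funny_files:
        return False
    _, mismatch, errors = filecmp.cmpfiles(a, b, cmp.common_files, shallow=False)
    if mismatch or errors:
        return False
    return all(trees_identical(Path(a) / d, Path(b) / d) for d in cmp.common_dirs)


def rehearse_restore(archive, site_dir, db_dump):
    """Extract the archive into a scratch directory and verify it matches the originals."""
    db_dump = Path(db_dump)
    with tempfile.TemporaryDirectory() as scratch:
        scratch = Path(scratch)
        # Use the safe extraction filter where the interpreter provides it.
        kwargs = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
        with tarfile.open(archive, "r:gz") as tar:
            tar.extractall(scratch, **kwargs)
        files_ok = trees_identical(site_dir, scratch / "files")
        db_ok = filecmp.cmp(db_dump, scratch / "db" / db_dump.name, shallow=False)
        return files_ok and db_ok


def demo():
    """Build a constructed site, back it up, verify, then alter a file and verify again.

    Returns (restore_ok_before_change, restore_ok_after_change).
    """
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        site = work / "htdocs"
        (site / "wp-content" / "uploads").mkdir(parents=True)
        (site / "wp-config.php").write_text("<?php // constructed placeholder\n")
        (site / "wp-content" / "uploads" / "photo.txt").write_text("constructed upload\n")
        dump = work / "site.sql"
        dump.write_text("-- constructed dump placeholder\n")
        backups = work / "backups"
        backups.mkdir()

        archive = create_backup(site, dump, backups)
        ok_before = rehearse_restore(archive, site, dump)

        # Drift after the backup: the rehearsal must now report a mismatch.
        (site / "wp-content" / "uploads" / "photo.txt").write_text("changed after backup\n")
        ok_after = rehearse_restore(archive, site, dump)
        return ok_before, ok_after


if __name__ == "__main__":
    print("restore verified, drift detected:", demo())
```

Run on a schedule, this turns "have a backup" into a tested restore: the archive is only kept if the rehearsal returns true, and the comparison is by content, so a truncated or corrupted archive is caught before you need it. Off-site copy and rotation are left out here and belong in the surrounding job.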
17. Recommendations
✅ update, update, update
ⓦ use themes and plugins from wp.org repo only
🚫 remove unused plugins and themes
🔒 harden your installation
🔭 monitor your site(s)
🚨 have a backup