SlideShare a Scribd company logo
WordPress as an
Open Source Project
(and Security)
• Andrew Nacin
• Lead Developer for WordPress
• Washington, D.C.
• Work for WP founder Matt Mullenweg
(Don't work for Automattic or WP.com)
• Full time on WordPress (the project)
and WordPress.org (the site)
• WordPress Security Team
A bit about WordPress releases
• You're not adopting WordPress 3.5
• You're not adopting WordPress 3
• You're adopting WordPress
current WordPress version
3.5.1
current WordPress version
3.5.1MAJOR
RELEASE
MINOR
RELEASE
These are major releases
• WordPress 2.8, 2.9, 3.0, 3.1, 3.2
• New features, enhancements, and bug fixes
• Every 4-6 months
These are minor releases
• WordPress 3.4.1, 3.4.2, 3.5.1
• Major bug fixes, sometimes security fixes
• As needed
Our philosophies are important
wordpress.org/about/philosophy
Backwards compatibility
• This is our commitment to users
• Code that works on WordPress now
should always work on WordPress
• Update to minor releases immediately
• If you must, wait for the .1 for major releases
• (But you shouldn't need to wait)
• Don't skip releases: There is no need to
How to justify this in government
• We don't have LTS (long term support)
releases (no demand for it)
• Semantic versioning dictates that a
major release is one that breaks compatibility
• Since we don't do that, government could
think of it as a minor release. Just upgrade :-)
Very basic* crash course in
WordPress security
* sysadmins may be bored
Keep everything updated
• Keep WordPress core updated
– Consider following all changes to the 3.5
branch, not just final releases 3.5.1, 3.5.2, etc.
• Keep plugins and themes updated
• (or if necessary, backport security fixes)
• No, seriously
• Consider a security audit by
WordPress experts (e.g. Automattic)
Prevent file changes in the admin
• Prevent upgrade of plugins, themes, core
• You should be using version control anyway
(Subversion or Git)
• In wp-config.php:
define('DISALLOW_FILE_MODS', true);
Locking down access
• In wp-config.php, force SSL:
define('FORCE_SSL_ADMIN', true);
• If necessary, lock down wp-login.php
and wp-admin:
– Restrict it to your VPN or proxy
– Restrict it using HTTP Basic Authentication
– Restrict it to your office IP addresses
Report potential
security vulnerabilities to:
security@wordpress.org
Report potential
security vulnerabilities
in plugins to:
plugins@wordpress.org
The WordPress security team
• 25 experts including lead developers
and security researchers
– About half are employees of Automattic
– A number work in the web security fieldWe
• We consult with well-known and trusted
security researchers
• We notify major hosting companies and
government agencies of critical issues
(contact us: security@wordpress.org)
Our (fairly standard) security process
• Receive and acknowledge the report
• Work to confirm the report and its severity
• Plan and develop an initial patch
• All of this happens within 48-72 hours
• nacin@wordpress.org
• security@wordpress.org
• Questions?

More Related Content

What's hot

SSDs are Awesome
SSDs are AwesomeSSDs are Awesome
SSDs are Awesome
Barry Abrahamson
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
William Earnhardt
 
Introduction to wordpress & theme implementation
Introduction to wordpress & theme implementationIntroduction to wordpress & theme implementation
Introduction to wordpress & theme implementation
www.netgains.org
 
WordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insightsWordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insights
Blogwerk AG
 
Don't worry with bower
Don't worry with bowerDon't worry with bower
Don't worry with bower
Frank van der Linden
 
WP-CLI: WordCamp Nashville 2016
WP-CLI: WordCamp Nashville 2016WP-CLI: WordCamp Nashville 2016
WP-CLI: WordCamp Nashville 2016
Terell Moore
 
Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16
tshellberg
 
Wordpress vs Google Blogger/ Wampserver
Wordpress vs Google Blogger/ WampserverWordpress vs Google Blogger/ Wampserver
Wordpress vs Google Blogger/ Wampserver
Kshitij Wagle
 
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started GuideTraining Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
Continuent
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
findingsimple
 
Liz Quilty – Security, Scaling & High End Hosting for WordPress sites
Liz Quilty – Security, Scaling & High End Hosting for WordPress sitesLiz Quilty – Security, Scaling & High End Hosting for WordPress sites
Liz Quilty – Security, Scaling & High End Hosting for WordPress sites
WordCamp New Zealand
 
Word camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityWord camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurity
David Wilemski
 
Ryan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIRyan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP API
ryanduff
 
Setting up a local WordPress Environment
Setting up a local WordPress EnvironmentSetting up a local WordPress Environment
Setting up a local WordPress Environment
Chris La Nauze
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
Mickey Mellen
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security Basics
Ryan Plas
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPress
Joseph Scott
 
Install Word Press with xampp
Install Word Press with xamppInstall Word Press with xampp
Install Word Press with xampp
Mehdi Sharifirad
 
Running WordPress on AWS
Running WordPress on AWSRunning WordPress on AWS
Running WordPress on AWS
James Monek
 
Leeward WordPress Meetup- Caching and Website Speed
Leeward WordPress Meetup- Caching and Website SpeedLeeward WordPress Meetup- Caching and Website Speed
Leeward WordPress Meetup- Caching and Website Speed
Arlen Nagata
 

What's hot (20)

SSDs are Awesome
SSDs are AwesomeSSDs are Awesome
SSDs are Awesome
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
 
Introduction to wordpress & theme implementation
Introduction to wordpress & theme implementationIntroduction to wordpress & theme implementation
Introduction to wordpress & theme implementation
 
WordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insightsWordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insights
 
Don't worry with bower
Don't worry with bowerDon't worry with bower
Don't worry with bower
 
WP-CLI: WordCamp Nashville 2016
WP-CLI: WordCamp Nashville 2016WP-CLI: WordCamp Nashville 2016
WP-CLI: WordCamp Nashville 2016
 
Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16
 
Wordpress vs Google Blogger/ Wampserver
Wordpress vs Google Blogger/ WampserverWordpress vs Google Blogger/ Wampserver
Wordpress vs Google Blogger/ Wampserver
 
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started GuideTraining Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
 
Liz Quilty – Security, Scaling & High End Hosting for WordPress sites
Liz Quilty – Security, Scaling & High End Hosting for WordPress sitesLiz Quilty – Security, Scaling & High End Hosting for WordPress sites
Liz Quilty – Security, Scaling & High End Hosting for WordPress sites
 
Word camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityWord camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurity
 
Ryan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIRyan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP API
 
Setting up a local WordPress Environment
Setting up a local WordPress EnvironmentSetting up a local WordPress Environment
Setting up a local WordPress Environment
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security Basics
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPress
 
Install Word Press with xampp
Install Word Press with xamppInstall Word Press with xampp
Install Word Press with xampp
 
Running WordPress on AWS
Running WordPress on AWSRunning WordPress on AWS
Running WordPress on AWS
 
Leeward WordPress Meetup- Caching and Website Speed
Leeward WordPress Meetup- Caching and Website SpeedLeeward WordPress Meetup- Caching and Website Speed
Leeward WordPress Meetup- Caching and Website Speed
 

Similar to WordPress.org & Optimizing Security for your WordPress sites

WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
Dan Vasile
 
automatic_updates.pptx
automatic_updates.pptxautomatic_updates.pptx
automatic_updates.pptx
Nida Ismail Shah
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
Robert Vidal
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best Practices
Jonathan Hall
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009   Word Press In The WildWord Camp Ph 2009   Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
rebelpixel
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
rebelpixel
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
Deepu Thomas
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your Website
ReliqusConsulting
 
WordPress Architecture for Tech-Savvy Managers
WordPress Architecture for Tech-Savvy ManagersWordPress Architecture for Tech-Savvy Managers
WordPress Architecture for Tech-Savvy Managers
Mario Peshev
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
Think Media Inc.
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014
The Toolbox, Inc.
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
edavid2685
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 
Protecting your site by detection
Protecting your site by detectionProtecting your site by detection
Protecting your site by detection
Marko Heijnen
 
Wordpress best practices
Wordpress best practicesWordpress best practices
Wordpress best practices
Allanki Srinivas
 
Managing Updates with System Center Configuration Manager 2012
Managing Updates with System Center Configuration Manager 2012Managing Updates with System Center Configuration Manager 2012
Managing Updates with System Center Configuration Manager 2012
JasonCondo
 
WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)
Michael Carnell
 
Vuejs getting-started - Extended Version
Vuejs getting-started - Extended VersionVuejs getting-started - Extended Version
Vuejs getting-started - Extended Version
Murat Doğan
 
WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!
Taylor Lovett
 

Similar to WordPress.org & Optimizing Security for your WordPress sites (20)

WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
 
automatic_updates.pptx
automatic_updates.pptxautomatic_updates.pptx
automatic_updates.pptx
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best Practices
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009   Word Press In The WildWord Camp Ph 2009   Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your Website
 
WordPress Architecture for Tech-Savvy Managers
WordPress Architecture for Tech-Savvy ManagersWordPress Architecture for Tech-Savvy Managers
WordPress Architecture for Tech-Savvy Managers
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
Protecting your site by detection
Protecting your site by detectionProtecting your site by detection
Protecting your site by detection
 
Wordpress best practices
Wordpress best practicesWordpress best practices
Wordpress best practices
 
Managing Updates with System Center Configuration Manager 2012
Managing Updates with System Center Configuration Manager 2012Managing Updates with System Center Configuration Manager 2012
Managing Updates with System Center Configuration Manager 2012
 
WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)
 
Vuejs getting-started - Extended Version
Vuejs getting-started - Extended VersionVuejs getting-started - Extended Version
Vuejs getting-started - Extended Version
 
WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!
 

More from GovLoop

How is GovLoop Transforming Learning for Government?
How is GovLoop Transforming Learning for Government?How is GovLoop Transforming Learning for Government?
How is GovLoop Transforming Learning for Government?
GovLoop
 
Teaching vs learning
Teaching vs learningTeaching vs learning
Teaching vs learning
GovLoop
 
Next Gen: Critical Conversations Slide Deck
Next Gen: Critical Conversations Slide DeckNext Gen: Critical Conversations Slide Deck
Next Gen: Critical Conversations Slide Deck
GovLoop
 
Internet of Things: Lightning Round, Sargent
Internet of Things: Lightning Round, SargentInternet of Things: Lightning Round, Sargent
Internet of Things: Lightning Round, Sargent
GovLoop
 
Internet of Things: Lightning Round, Ronzio
Internet of Things: Lightning Round, RonzioInternet of Things: Lightning Round, Ronzio
Internet of Things: Lightning Round, Ronzio
GovLoop
 
Internet of Things: Lightning Round, Hite
Internet of Things: Lightning Round, HiteInternet of Things: Lightning Round, Hite
Internet of Things: Lightning Round, Hite
GovLoop
 
Internet of Things: Lightning Round, Fritzinger
Internet of Things: Lightning Round, FritzingerInternet of Things: Lightning Round, Fritzinger
Internet of Things: Lightning Round, Fritzinger
GovLoop
 
Internet of Things: Lightning Round, McKinney
Internet of Things: Lightning Round, McKinneyInternet of Things: Lightning Round, McKinney
Internet of Things: Lightning Round, McKinney
GovLoop
 
Internet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy GarrettInternet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy Garrett
GovLoop
 
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
GovLoop
 
Week Three
Week ThreeWeek Three
Week Three
GovLoop
 
FHWA Week Two
FHWA Week TwoFHWA Week Two
FHWA Week Two
GovLoop
 
Building Powerful Outreach - Executive Research Brief
Building Powerful Outreach - Executive Research BriefBuilding Powerful Outreach - Executive Research Brief
Building Powerful Outreach - Executive Research Brief
GovLoop
 
Turning Big Data into Big Decisions
Turning Big Data into Big DecisionsTurning Big Data into Big Decisions
Turning Big Data into Big Decisions
GovLoop
 
Examining the Big Data Frontier
Examining the Big Data FrontierExamining the Big Data Frontier
Examining the Big Data Frontier
GovLoop
 
The Need for NoSQL - MarkLogic
The Need for NoSQL - MarkLogicThe Need for NoSQL - MarkLogic
The Need for NoSQL - MarkLogic
GovLoop
 
Capitalizing on the Cloud
Capitalizing on the CloudCapitalizing on the Cloud
Capitalizing on the Cloud
GovLoop
 
Build Better Virtual Events & Training for your Agency
Build Better Virtual Events & Training for your AgencyBuild Better Virtual Events & Training for your Agency
Build Better Virtual Events & Training for your Agency
GovLoop
 
Social Media Presentation for The Center for Organizational Effectiveness
Social Media Presentation for The Center for Organizational EffectivenessSocial Media Presentation for The Center for Organizational Effectiveness
Social Media Presentation for The Center for Organizational Effectiveness
GovLoop
 
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
GovLoop
 

More from GovLoop (20)

How is GovLoop Transforming Learning for Government?
How is GovLoop Transforming Learning for Government?How is GovLoop Transforming Learning for Government?
How is GovLoop Transforming Learning for Government?
 
Teaching vs learning
Teaching vs learningTeaching vs learning
Teaching vs learning
 
Next Gen: Critical Conversations Slide Deck
Next Gen: Critical Conversations Slide DeckNext Gen: Critical Conversations Slide Deck
Next Gen: Critical Conversations Slide Deck
 
Internet of Things: Lightning Round, Sargent
Internet of Things: Lightning Round, SargentInternet of Things: Lightning Round, Sargent
Internet of Things: Lightning Round, Sargent
 
Internet of Things: Lightning Round, Ronzio
Internet of Things: Lightning Round, RonzioInternet of Things: Lightning Round, Ronzio
Internet of Things: Lightning Round, Ronzio
 
Internet of Things: Lightning Round, Hite
Internet of Things: Lightning Round, HiteInternet of Things: Lightning Round, Hite
Internet of Things: Lightning Round, Hite
 
Internet of Things: Lightning Round, Fritzinger
Internet of Things: Lightning Round, FritzingerInternet of Things: Lightning Round, Fritzinger
Internet of Things: Lightning Round, Fritzinger
 
Internet of Things: Lightning Round, McKinney
Internet of Things: Lightning Round, McKinneyInternet of Things: Lightning Round, McKinney
Internet of Things: Lightning Round, McKinney
 
Internet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy GarrettInternet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy Garrett
 
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
 
Week Three
Week ThreeWeek Three
Week Three
 
FHWA Week Two
FHWA Week TwoFHWA Week Two
FHWA Week Two
 
Building Powerful Outreach - Executive Research Brief
Building Powerful Outreach - Executive Research BriefBuilding Powerful Outreach - Executive Research Brief
Building Powerful Outreach - Executive Research Brief
 
Turning Big Data into Big Decisions
Turning Big Data into Big DecisionsTurning Big Data into Big Decisions
Turning Big Data into Big Decisions
 
Examining the Big Data Frontier
Examining the Big Data FrontierExamining the Big Data Frontier
Examining the Big Data Frontier
 
The Need for NoSQL - MarkLogic
The Need for NoSQL - MarkLogicThe Need for NoSQL - MarkLogic
The Need for NoSQL - MarkLogic
 
Capitalizing on the Cloud
Capitalizing on the CloudCapitalizing on the Cloud
Capitalizing on the Cloud
 
Build Better Virtual Events & Training for your Agency
Build Better Virtual Events & Training for your AgencyBuild Better Virtual Events & Training for your Agency
Build Better Virtual Events & Training for your Agency
 
Social Media Presentation for The Center for Organizational Effectiveness
Social Media Presentation for The Center for Organizational EffectivenessSocial Media Presentation for The Center for Organizational Effectiveness
Social Media Presentation for The Center for Organizational Effectiveness
 
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
 

Recently uploaded

Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
ssuserfac0301
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
danishmna97
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
kumardaparthi1024
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
Aftab Hussain
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
Quotidiano Piemontese
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
Zilliz
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
Alpen-Adria-Universität
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
Tomaz Bratanic
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
Claudio Di Ciccio
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
Mariano Tinti
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
Ivanti
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
akankshawande
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
panagenda
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
Octavian Nadolu
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
shyamraj55
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
Zilliz
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
Matthew Sinclair
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
SitimaJohn
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
Daiki Mogmet Ito
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
DianaGray10
 

Recently uploaded (20)

Taking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdfTaking AI to the Next Level in Manufacturing.pdf
Taking AI to the Next Level in Manufacturing.pdf
 
How to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptxHow to Get CNIC Information System with Paksim Ga.pptx
How to Get CNIC Information System with Paksim Ga.pptx
 
GenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizationsGenAI Pilot Implementation in the organizations
GenAI Pilot Implementation in the organizations
 
Removing Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software FuzzingRemoving Uninteresting Bytes in Software Fuzzing
Removing Uninteresting Bytes in Software Fuzzing
 
National Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practicesNational Security Agency - NSA mobile device best practices
National Security Agency - NSA mobile device best practices
 
Fueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte WebinarFueling AI with Great Data with Airbyte Webinar
Fueling AI with Great Data with Airbyte Webinar
 
Video Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the FutureVideo Streaming: Then, Now, and in the Future
Video Streaming: Then, Now, and in the Future
 
GraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracyGraphRAG for Life Science to increase LLM accuracy
GraphRAG for Life Science to increase LLM accuracy
 
CAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on BlockchainCAKE: Sharing Slices of Confidential Data on Blockchain
CAKE: Sharing Slices of Confidential Data on Blockchain
 
Mariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceXMariano G Tinti - Decoding SpaceX
Mariano G Tinti - Decoding SpaceX
 
June Patch Tuesday
June Patch TuesdayJune Patch Tuesday
June Patch Tuesday
 
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development ProvidersYour One-Stop Shop for Python Success: Top 10 US Python Development Providers
Your One-Stop Shop for Python Success: Top 10 US Python Development Providers
 
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAUHCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
HCL Notes und Domino Lizenzkostenreduzierung in der Welt von DLAU
 
Artificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopmentArtificial Intelligence for XMLDevelopment
Artificial Intelligence for XMLDevelopment
 
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with SlackLet's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
Let's Integrate MuleSoft RPA, COMPOSER, APM with AWS IDP along with Slack
 
Building Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and MilvusBuilding Production Ready Search Pipelines with Spark and Milvus
Building Production Ready Search Pipelines with Spark and Milvus
 
20240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 202420240605 QFM017 Machine Intelligence Reading List May 2024
20240605 QFM017 Machine Intelligence Reading List May 2024
 
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptxOcean lotus Threat actors project by John Sitima 2024 (1).pptx
Ocean lotus Threat actors project by John Sitima 2024 (1).pptx
 
How to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For FlutterHow to use Firebase Data Connect For Flutter
How to use Firebase Data Connect For Flutter
 
UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6UiPath Test Automation using UiPath Test Suite series, part 6
UiPath Test Automation using UiPath Test Suite series, part 6
 

WordPress.org & Optimizing Security for your WordPress sites

  • 1. WordPress as an Open Source Project (and Security)
  • 2. • Andrew Nacin • Lead Developer for WordPress • Washington, D.C. • Work for WP founder Matt Mullenweg (Don't work for Automattic or WP.com) • Full time on WordPress (the project) and WordPress.org (the site) • WordPress Security Team
  • 3. A bit about WordPress releases • You're not adopting WordPress 3.5 • You're not adopting WordPress 3 • You're adopting WordPress
  • 6. These are major releases • WordPress 2.8, 2.9, 3.0, 3.1, 3.2 • New features, enhancements, and bug fixes • Every 4-6 months These are minor releases • WordPress 3.4.1, 3.4.2, 3.5.1 • Major bug fixes, sometimes security fixes • As needed
  • 7. Our philosophies are important wordpress.org/about/philosophy
  • 8. Backwards compatibility • This is our commitment to users • Code that works on WordPress now should always work on WordPress • Update to minor releases immediately • If you must, wait for the .1 for major releases • (But you shouldn't need to wait) • Don't skip releases: There is no need to
  • 9. How to justify this in government • We don't have LTS (long term support) releases (no demand for it) • Semantic versioning dictates that a major release is one that breaks compatibility • Since we don't do that, government could think of it as a minor release. Just upgrade :-)
  • 10. Very basic* crash course in WordPress security * sysadmins may be bored
  • 11. Keep everything updated • Keep WordPress core updated – Consider following all changes to the 3.5 branch, not just final releases 3.5.1, 3.5.2, etc. • Keep plugins and themes updated • (or if necessary, backport security fixes) • No, seriously • Consider a security audit by WordPress experts (e.g. Automattic)
  • 12. Prevent file changes in the admin • Prevent upgrade of plugins, themes, core • You should be using version control anyway (Subversion or Git) • In wp-config.php: define('DISALLOW_FILE_MODS', true);
  • 13. Locking down access • In wp-config.php, force SSL: define('FORCE_SSL_ADMIN', true); • If necessary, lock down wp-login.php and wp-admin: – Restrict it to your VPN or proxy – Restrict it using HTTP Basic Authentication – Restrict it to your office IP addresses
  • 14. Report potential security vulnerabilities to: security@wordpress.org
  • 15. Report potential security vulnerabilities in plugins to: plugins@wordpress.org
  • 16. The WordPress security team • 25 experts including lead developers and security researchers – About half are employees of Automattic – A number work in the web security fieldWe • We consult with well-known and trusted security researchers • We notify major hosting companies and government agencies of critical issues (contact us: security@wordpress.org)
  • 17. Our (fairly standard) security process • Receive and acknowledge the report • Work to confirm the report and its severity • Plan and develop an initial patch • All of this happens within 48-72 hours