Andrew Nacin, Lead Developer of WordPress.org, will provide a brief overview and take questions about WordPress's security, its core software and how WordPress approaches development.
2. • Andrew Nacin
• Lead Developer for WordPress
• Washington, D.C.
• Work for WP founder Matt Mullenweg
(Don't work for Automattic or WP.com)
• Full time on WordPress (the project)
and WordPress.org (the site)
• WordPress Security Team
3. A bit about WordPress releases
• You're not adopting WordPress 3.5
• You're not adopting WordPress 3
• You're adopting WordPress
6. These are major releases
• WordPress 2.8, 2.9, 3.0, 3.1, 3.2
• New features, enhancements, and bug fixes
• Every 4-6 months
These are minor releases
• WordPress 3.4.1, 3.4.2, 3.5.1
• Major bug fixes, sometimes security fixes
• As needed
8. Backwards compatibility
• This is our commitment to users
• Code that works on WordPress now
should always work on WordPress
• Update to minor releases immediately
• If you must, wait for the .1 for major releases
• (But you shouldn't need to wait)
• Don't skip releases: There is no need to
9. How to justify this in government
• We don't have LTS (long term support)
releases (no demand for it)
• Semantic versioning dictates that a
major release is one that breaks compatibility
• Since we don't do that, government could
think of it as a minor release. Just upgrade :-)
10. Very basic* crash course in
WordPress security
* sysadmins may be bored
11. Keep everything updated
• Keep WordPress core updated
– Consider following all changes to the 3.5
branch, not just final releases 3.5.1, 3.5.2, etc.
• Keep plugins and themes updated
• (or if necessary, backport security fixes)
• No, seriously
• Consider a security audit by
WordPress experts (e.g. Automattic)
12. Prevent file changes in the admin
• Prevent upgrade of plugins, themes, core
• You should be using version control anyway
(Subversion or Git)
• In wp-config.php:
define('DISALLOW_FILE_MODS', true);
13. Locking down access
• In wp-config.php, force SSL:
define('FORCE_SSL_ADMIN', true);
• If necessary, lock down wp-login.php
and wp-admin:
– Restrict it to your VPN or proxy
– Restrict it using HTTP Basic Authentication
– Restrict it to your office IP addresses
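One way to implement the last two restrictions listed above, as an added example in Apache 2.4 configuration (not from the original talk): wp-login.php and the wp-admin directory are limited to an IP range and to HTTP Basic Authentication, while admin-ajax.php stays reachable because themes and plugins call it for logged-out visitors as well. The document root, the htpasswd path and the 203.0.113.0/24 range (an RFC 5737 documentation range) are assumptions standing in for your own office, VPN or proxy values.

```apache
# Hypothetical httpd.conf / virtual-host fragment. Adjust paths and ranges.
# WordPress itself is still served normally; only the login and admin
# entry points gain a second layer in front of WordPress's own login.

# Login form: office/VPN range AND a valid Basic-auth user are both required.
<Files "wp-login.php">
    AuthType Basic
    AuthName "WordPress administration"
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>
</Files>

# Dashboard: same rule for everything under wp-admin/ ...
<Directory "/var/www/html/wp-admin">
    AuthType Basic
    AuthName "WordPress administration"
    AuthUserFile "/etc/apache2/wp-admin.htpasswd"
    <RequireAll>
        Require ip 203.0.113.0/24
        Require valid-user
    </RequireAll>

    # ... except admin-ajax.php, which front-end code uses for anonymous
    # requests; locking it down breaks plugins and themes for ordinary visitors.
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>
```

Create the htpasswd file with `htpasswd -c /etc/apache2/wp-admin.htpasswd <user>` and keep it outside the document root; combined with FORCE_SSL_ADMIN the Basic-auth credentials only ever travel over TLS.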
16. The WordPress security team
• 25 experts including lead developers
and security researchers
– About half are employees of Automattic
– A number work in the web security field
• We consult with well-known and trusted
security researchers
• We notify major hosting companies and
government agencies of critical issues
(contact us: security@wordpress.org)
17. Our (fairly standard) security process
• Receive and acknowledge the report
• Work to confirm the report and its severity
• Plan and develop an initial patch
• All of this happens within 48-72 hours