SlideShare a Scribd company logo
WordPress as an
Open Source Project
(and Security)
• Andrew Nacin
• Lead Developer for WordPress
• Washington, D.C.
• Work for WP founder Matt Mullenweg
(Don't work for Automattic or WP.com)
• Full time on WordPress (the project)
and WordPress.org (the site)
• WordPress Security Team
A bit about WordPress releases
• You're not adopting WordPress 3.5
• You're not adopting WordPress 3
• You're adopting WordPress
current WordPress version
3.5.1
current WordPress version
3.5.1MAJOR
RELEASE
MINOR
RELEASE
These are major releases
• WordPress 2.8, 2.9, 3.0, 3.1, 3.2
• New features, enhancements, and bug fixes
• Every 4-6 months
These are minor releases
• WordPress 3.4.1, 3.4.2, 3.5.1
• Major bug fixes, sometimes security fixes
• As needed
Our philosophies are important
wordpress.org/about/philosophy
Backwards compatibility
• This is our commitment to users
• Code that works on WordPress now
should always work on WordPress
• Update to minor releases immediately
• If you must, wait for the .1 for major releases
• (But you shouldn't need to wait)
• Don't skip releases: There is no need to
How to justify this in government
• We don't have LTS (long term support)
releases (no demand for it)
• Semantic versioning dictates that a
major release is one that breaks compatibility
• Since we don't do that, government could
think of it as a minor release. Just upgrade :-)
Very basic* crash course in
WordPress security
* sysadmins may be bored
Keep everything updated
• Keep WordPress core updated
– Consider following all changes to the 3.5
branch, not just final releases 3.5.1, 3.5.2, etc.
• Keep plugins and themes updated
• (or if necessary, backport security fixes)
• No, seriously
• Consider a security audit by
WordPress experts (e.g. Automattic)
Prevent file changes in the admin
• Prevent upgrade of plugins, themes, core
• You should be using version control anyway
(Subversion or Git)
• In wp-config.php:
define('DISALLOW_FILE_MODS', true);
Locking down access
• In wp-config.php, force SSL:
define('FORCE_SSL_ADMIN', true);
• If necessary, lock down wp-login.php
and wp-admin:
– Restrict it to your VPN or proxy
– Restrict it using HTTP Basic Authentication
– Restrict it to your office IP addresses
Report potential
security vulnerabilities to:
security@wordpress.org
Report potential
security vulnerabilities
in plugins to:
plugins@wordpress.org
The WordPress security team
• 25 experts including lead developers
and security researchers
– About half are employees of Automattic
– A number work in the web security fieldWe
• We consult with well-known and trusted
security researchers
• We notify major hosting companies and
government agencies of critical issues
(contact us: security@wordpress.org)
Our (fairly standard) security process
• Receive and acknowledge the report
• Work to confirm the report and its severity
• Plan and develop an initial patch
• All of this happens within 48-72 hours
• nacin@wordpress.org
• security@wordpress.org
• Questions?

More Related Content

What's hot

SSDs are Awesome
SSDs are AwesomeSSDs are Awesome
SSDs are Awesome
Barry Abrahamson
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
William Earnhardt
 
Introduction to wordpress & theme implementation
Introduction to wordpress & theme implementationIntroduction to wordpress & theme implementation
Introduction to wordpress & theme implementation
www.netgains.org
 
WordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insightsWordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insights
Blogwerk AG
 
Don't worry with bower
Don't worry with bowerDon't worry with bower
Don't worry with bower
Frank van der Linden
 
WP-CLI: WordCamp Nashville 2016
WP-CLI: WordCamp Nashville 2016WP-CLI: WordCamp Nashville 2016
WP-CLI: WordCamp Nashville 2016
Terell Moore
 
Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16
tshellberg
 
Wordpress vs Google Blogger/ Wampserver
Wordpress vs Google Blogger/ WampserverWordpress vs Google Blogger/ Wampserver
Wordpress vs Google Blogger/ Wampserver
Kshitij Wagle
 
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started GuideTraining Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
Continuent
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
findingsimple
 
Liz Quilty – Security, Scaling & High End Hosting for WordPress sites
Liz Quilty – Security, Scaling & High End Hosting for WordPress sitesLiz Quilty – Security, Scaling & High End Hosting for WordPress sites
Liz Quilty – Security, Scaling & High End Hosting for WordPress sites
WordCamp New Zealand
 
Word camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityWord camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurity
David Wilemski
 
Ryan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIRyan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP API
ryanduff
 
Setting up a local WordPress Environment
Setting up a local WordPress EnvironmentSetting up a local WordPress Environment
Setting up a local WordPress Environment
Chris La Nauze
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
Mickey Mellen
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security Basics
Ryan Plas
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPress
Joseph Scott
 
Install Word Press with xampp
Install Word Press with xamppInstall Word Press with xampp
Install Word Press with xampp
Mehdi Sharifirad
 
Running WordPress on AWS
Running WordPress on AWSRunning WordPress on AWS
Running WordPress on AWS
James Monek
 
Leeward WordPress Meetup- Caching and Website Speed
Leeward WordPress Meetup- Caching and Website SpeedLeeward WordPress Meetup- Caching and Website Speed
Leeward WordPress Meetup- Caching and Website Speed
Arlen Nagata
 

What's hot (20)

SSDs are Awesome
SSDs are AwesomeSSDs are Awesome
SSDs are Awesome
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
 
Introduction to wordpress & theme implementation
Introduction to wordpress & theme implementationIntroduction to wordpress & theme implementation
Introduction to wordpress & theme implementation
 
WordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insightsWordPress Zurich Meetup #5: mobilesport.ch insights
WordPress Zurich Meetup #5: mobilesport.ch insights
 
Don't worry with bower
Don't worry with bowerDon't worry with bower
Don't worry with bower
 
WP-CLI: WordCamp Nashville 2016
WP-CLI: WordCamp Nashville 2016WP-CLI: WordCamp Nashville 2016
WP-CLI: WordCamp Nashville 2016
 
Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16Nürnberg WooCommerce Talk - 11/24/16
Nürnberg WooCommerce Talk - 11/24/16
 
Wordpress vs Google Blogger/ Wampserver
Wordpress vs Google Blogger/ WampserverWordpress vs Google Blogger/ Wampserver
Wordpress vs Google Blogger/ Wampserver
 
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started GuideTraining Slides: Tungsten Replicator AMI - The Getting Started Guide
Training Slides: Tungsten Replicator AMI - The Getting Started Guide
 
WordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security FundamentalsWordPress Security - 12 WordPress Security Fundamentals
WordPress Security - 12 WordPress Security Fundamentals
 
Liz Quilty – Security, Scaling & High End Hosting for WordPress sites
Liz Quilty – Security, Scaling & High End Hosting for WordPress sitesLiz Quilty – Security, Scaling & High End Hosting for WordPress sites
Liz Quilty – Security, Scaling & High End Hosting for WordPress sites
 
Word camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurityWord camp2011 introwordpresssecurity
Word camp2011 introwordpresssecurity
 
Ryan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP APIRyan Duff 2015 WordCamp US HTTP API
Ryan Duff 2015 WordCamp US HTTP API
 
Setting up a local WordPress Environment
Setting up a local WordPress EnvironmentSetting up a local WordPress Environment
Setting up a local WordPress Environment
 
WordPress security & performance a beginners guide
WordPress security & performance a beginners guideWordPress security & performance a beginners guide
WordPress security & performance a beginners guide
 
WordPress Security Basics
WordPress Security BasicsWordPress Security Basics
WordPress Security Basics
 
Scaling WordPress
Scaling WordPressScaling WordPress
Scaling WordPress
 
Install Word Press with xampp
Install Word Press with xamppInstall Word Press with xampp
Install Word Press with xampp
 
Running WordPress on AWS
Running WordPress on AWSRunning WordPress on AWS
Running WordPress on AWS
 
Leeward WordPress Meetup- Caching and Website Speed
Leeward WordPress Meetup- Caching and Website SpeedLeeward WordPress Meetup- Caching and Website Speed
Leeward WordPress Meetup- Caching and Website Speed
 

Similar to WordPress.org & Optimizing Security for your WordPress sites

WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
Dan Vasile
 
automatic_updates.pptx
automatic_updates.pptxautomatic_updates.pptx
automatic_updates.pptx
Nida Ismail Shah
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
Robert Vidal
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best Practices
Jonathan Hall
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009   Word Press In The WildWord Camp Ph 2009   Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
rebelpixel
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
Chris Gates
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
rebelpixel
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
Deepu Thomas
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your Website
ReliqusConsulting
 
WordPress Architecture for Tech-Savvy Managers
WordPress Architecture for Tech-Savvy ManagersWordPress Architecture for Tech-Savvy Managers
WordPress Architecture for Tech-Savvy Managers
Mario Peshev
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
Think Media Inc.
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014
The Toolbox, Inc.
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
edavid2685
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 
Protecting your site by detection
Protecting your site by detectionProtecting your site by detection
Protecting your site by detection
Marko Heijnen
 
Wordpress best practices
Wordpress best practicesWordpress best practices
Wordpress best practices
Allanki Srinivas
 
Managing Updates with System Center Configuration Manager 2012
Managing Updates with System Center Configuration Manager 2012Managing Updates with System Center Configuration Manager 2012
Managing Updates with System Center Configuration Manager 2012
JasonCondo
 
WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)
Michael Carnell
 
Vuejs getting-started - Extended Version
Vuejs getting-started - Extended VersionVuejs getting-started - Extended Version
Vuejs getting-started - Extended Version
Murat Doğan
 
WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!
Taylor Lovett
 

Similar to WordPress.org & Optimizing Security for your WordPress sites (20)

WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
WordPress Security Implementation Guideline - Presentation for OWASP Romania ...
 
automatic_updates.pptx
automatic_updates.pptxautomatic_updates.pptx
automatic_updates.pptx
 
WordPress Security and Best Practices
WordPress Security and Best PracticesWordPress Security and Best Practices
WordPress Security and Best Practices
 
WordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best PracticesWordPress Security 101: Practical Techniques & Best Practices
WordPress Security 101: Practical Techniques & Best Practices
 
Word Camp Ph 2009 Word Press In The Wild
Word Camp Ph 2009   Word Press In The WildWord Camp Ph 2009   Word Press In The Wild
Word Camp Ph 2009 Word Press In The Wild
 
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016DevOops Redux Ken Johnson Chris Gates  - AppSec USA 2016
DevOops Redux Ken Johnson Chris Gates - AppSec USA 2016
 
WordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The WildWordCamp Philippines 2009: WordPress In The Wild
WordCamp Philippines 2009: WordPress In The Wild
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
 
WordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your WebsiteWordPress Hardening: Strategies to Secure & Protect Your Website
WordPress Hardening: Strategies to Secure & Protect Your Website
 
WordPress Architecture for Tech-Savvy Managers
WordPress Architecture for Tech-Savvy ManagersWordPress Architecture for Tech-Savvy Managers
WordPress Architecture for Tech-Savvy Managers
 
WordPress Plugins and Security
WordPress Plugins and SecurityWordPress Plugins and Security
WordPress Plugins and Security
 
WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014WordCamp Boston WordPress plugins-8-2014
WordCamp Boston WordPress plugins-8-2014
 
System hardening - OS and Application
System hardening - OS and ApplicationSystem hardening - OS and Application
System hardening - OS and Application
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
Protecting your site by detection
Protecting your site by detectionProtecting your site by detection
Protecting your site by detection
 
Wordpress best practices
Wordpress best practicesWordpress best practices
Wordpress best practices
 
Managing Updates with System Center Configuration Manager 2012
Managing Updates with System Center Configuration Manager 2012Managing Updates with System Center Configuration Manager 2012
Managing Updates with System Center Configuration Manager 2012
 
WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)WordPress Setup and Security (Please look for the newer version!)
WordPress Setup and Security (Please look for the newer version!)
 
Vuejs getting-started - Extended Version
Vuejs getting-started - Extended VersionVuejs getting-started - Extended Version
Vuejs getting-started - Extended Version
 
WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!WordPress Acceptance Testing, Solved!
WordPress Acceptance Testing, Solved!
 

More from GovLoop

How is GovLoop Transforming Learning for Government?
How is GovLoop Transforming Learning for Government?How is GovLoop Transforming Learning for Government?
How is GovLoop Transforming Learning for Government?
GovLoop
 
Teaching vs learning
Teaching vs learningTeaching vs learning
Teaching vs learning
GovLoop
 
Next Gen: Critical Conversations Slide Deck
Next Gen: Critical Conversations Slide DeckNext Gen: Critical Conversations Slide Deck
Next Gen: Critical Conversations Slide Deck
GovLoop
 
Internet of Things: Lightning Round, Sargent
Internet of Things: Lightning Round, SargentInternet of Things: Lightning Round, Sargent
Internet of Things: Lightning Round, Sargent
GovLoop
 
Internet of Things: Lightning Round, Ronzio
Internet of Things: Lightning Round, RonzioInternet of Things: Lightning Round, Ronzio
Internet of Things: Lightning Round, Ronzio
GovLoop
 
Internet of Things: Lightning Round, Hite
Internet of Things: Lightning Round, HiteInternet of Things: Lightning Round, Hite
Internet of Things: Lightning Round, Hite
GovLoop
 
Internet of Things: Lightning Round, Fritzinger
Internet of Things: Lightning Round, FritzingerInternet of Things: Lightning Round, Fritzinger
Internet of Things: Lightning Round, Fritzinger
GovLoop
 
Internet of Things: Lightning Round, McKinney
Internet of Things: Lightning Round, McKinneyInternet of Things: Lightning Round, McKinney
Internet of Things: Lightning Round, McKinney
GovLoop
 
Internet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy GarrettInternet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy Garrett
GovLoop
 
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
GovLoop
 
Week Three
Week ThreeWeek Three
Week Three
GovLoop
 
FHWA Week Two
FHWA Week TwoFHWA Week Two
FHWA Week Two
GovLoop
 
Building Powerful Outreach - Executive Research Brief
Building Powerful Outreach - Executive Research BriefBuilding Powerful Outreach - Executive Research Brief
Building Powerful Outreach - Executive Research Brief
GovLoop
 
Turning Big Data into Big Decisions
Turning Big Data into Big DecisionsTurning Big Data into Big Decisions
Turning Big Data into Big Decisions
GovLoop
 
Examining the Big Data Frontier
Examining the Big Data FrontierExamining the Big Data Frontier
Examining the Big Data Frontier
GovLoop
 
The Need for NoSQL - MarkLogic
The Need for NoSQL - MarkLogicThe Need for NoSQL - MarkLogic
The Need for NoSQL - MarkLogic
GovLoop
 
Capitalizing on the Cloud
Capitalizing on the CloudCapitalizing on the Cloud
Capitalizing on the Cloud
GovLoop
 
Build Better Virtual Events & Training for your Agency
Build Better Virtual Events & Training for your AgencyBuild Better Virtual Events & Training for your Agency
Build Better Virtual Events & Training for your Agency
GovLoop
 
Social Media Presentation for The Center for Organizational Effectiveness
Social Media Presentation for The Center for Organizational EffectivenessSocial Media Presentation for The Center for Organizational Effectiveness
Social Media Presentation for The Center for Organizational Effectiveness
GovLoop
 
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
GovLoop
 

More from GovLoop (20)

How is GovLoop Transforming Learning for Government?
How is GovLoop Transforming Learning for Government?How is GovLoop Transforming Learning for Government?
How is GovLoop Transforming Learning for Government?
 
Teaching vs learning
Teaching vs learningTeaching vs learning
Teaching vs learning
 
Next Gen: Critical Conversations Slide Deck
Next Gen: Critical Conversations Slide DeckNext Gen: Critical Conversations Slide Deck
Next Gen: Critical Conversations Slide Deck
 
Internet of Things: Lightning Round, Sargent
Internet of Things: Lightning Round, SargentInternet of Things: Lightning Round, Sargent
Internet of Things: Lightning Round, Sargent
 
Internet of Things: Lightning Round, Ronzio
Internet of Things: Lightning Round, RonzioInternet of Things: Lightning Round, Ronzio
Internet of Things: Lightning Round, Ronzio
 
Internet of Things: Lightning Round, Hite
Internet of Things: Lightning Round, HiteInternet of Things: Lightning Round, Hite
Internet of Things: Lightning Round, Hite
 
Internet of Things: Lightning Round, Fritzinger
Internet of Things: Lightning Round, FritzingerInternet of Things: Lightning Round, Fritzinger
Internet of Things: Lightning Round, Fritzinger
 
Internet of Things: Lightning Round, McKinney
Internet of Things: Lightning Round, McKinneyInternet of Things: Lightning Round, McKinney
Internet of Things: Lightning Round, McKinney
 
Internet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy GarrettInternet of Things: Government Keynote, Randy Garrett
Internet of Things: Government Keynote, Randy Garrett
 
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
Leap Not Creep Participant Guide Pre-Course Through Week 3 - 20140722
 
Week Three
Week ThreeWeek Three
Week Three
 
FHWA Week Two
FHWA Week TwoFHWA Week Two
FHWA Week Two
 
Building Powerful Outreach - Executive Research Brief
Building Powerful Outreach - Executive Research BriefBuilding Powerful Outreach - Executive Research Brief
Building Powerful Outreach - Executive Research Brief
 
Turning Big Data into Big Decisions
Turning Big Data into Big DecisionsTurning Big Data into Big Decisions
Turning Big Data into Big Decisions
 
Examining the Big Data Frontier
Examining the Big Data FrontierExamining the Big Data Frontier
Examining the Big Data Frontier
 
The Need for NoSQL - MarkLogic
The Need for NoSQL - MarkLogicThe Need for NoSQL - MarkLogic
The Need for NoSQL - MarkLogic
 
Capitalizing on the Cloud
Capitalizing on the CloudCapitalizing on the Cloud
Capitalizing on the Cloud
 
Build Better Virtual Events & Training for your Agency
Build Better Virtual Events & Training for your AgencyBuild Better Virtual Events & Training for your Agency
Build Better Virtual Events & Training for your Agency
 
Social Media Presentation for The Center for Organizational Effectiveness
Social Media Presentation for The Center for Organizational EffectivenessSocial Media Presentation for The Center for Organizational Effectiveness
Social Media Presentation for The Center for Organizational Effectiveness
 
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
Guide to Managing the Presidential Management Fellows (PMF) Application Proce...
 

Recently uploaded

Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
ssuser1915fe1
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
Zilliz
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
HackersList
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
HackersList
 
Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...
chetankumar9855
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
rajancomputerfbd
 
How to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdfHow to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdf
ChristopherTHyatt
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
CEPTES Software Inc
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
Neo4j
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Torry Harris
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
Edge AI and Vision Alliance
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
kumarjarun2010
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
alexjohnson7307
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
Priyanka Aash
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Muhammad Ali
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
RaminGhanbari2
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
bhumivarma35300
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
SynapseIndia
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
Emerging Tech
 

Recently uploaded (20)

Feature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptxFeature sql server terbaru performance.pptx
Feature sql server terbaru performance.pptx
 
Using LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and MilvusUsing LLM Agents with Llama 3, LangGraph and Milvus
Using LLM Agents with Llama 3, LangGraph and Milvus
 
How Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdfHow Social Media Hackers Help You to See Your Wife's Message.pdf
How Social Media Hackers Help You to See Your Wife's Message.pdf
 
WhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring AppsWhatsApp Spy Online Trackers and Monitoring Apps
WhatsApp Spy Online Trackers and Monitoring Apps
 
Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...Amul milk launches in US: Key details of its new products ...
Amul milk launches in US: Key details of its new products ...
 
Choose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presenceChoose our Linux Web Hosting for a seamless and successful online presence
Choose our Linux Web Hosting for a seamless and successful online presence
 
How to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdfHow to build a generative AI solution A step-by-step guide (2).pdf
How to build a generative AI solution A step-by-step guide (2).pdf
 
Salesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot WorkshopSalesforce AI & Einstein Copilot Workshop
Salesforce AI & Einstein Copilot Workshop
 
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdfBT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
BT & Neo4j: Knowledge Graphs for Critical Enterprise Systems.pptx.pdf
 
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...Evolution of iPaaS - simplify IT workloads to provide a unified view of  data...
Evolution of iPaaS - simplify IT workloads to provide a unified view of data...
 
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
“Deploying Large Language Models on a Raspberry Pi,” a Presentation from Usef...
 
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSECHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
CHAPTER-8 COMPONENTS OF COMPUTER SYSTEM CLASS 9 CBSE
 
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
leewayhertz.com-AI agents for healthcare Applications benefits and implementa...
 
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-InTrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
TrustArc Webinar - 2024 Data Privacy Trends: A Mid-Year Check-In
 
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
(CISOPlatform Summit & SACON 2024) Digital Personal Data Protection Act.pdf
 
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
Litestack talk at Brighton 2024 (Unleashing the power of SQLite for Ruby apps)
 
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyyActive Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
Active Inference is a veryyyyyyyyyyyyyyyyyyyyyyyy
 
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
High Profile Girls call Service Pune 000XX00000 Provide Best And Top Girl Ser...
 
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptxUse Cases & Benefits of RPA in Manufacturing in 2024.pptx
Use Cases & Benefits of RPA in Manufacturing in 2024.pptx
 
Implementations of Fused Deposition Modeling in real world
Implementations of Fused Deposition Modeling  in real worldImplementations of Fused Deposition Modeling  in real world
Implementations of Fused Deposition Modeling in real world
 

WordPress.org & Optimizing Security for your WordPress sites

  • 1. WordPress as an Open Source Project (and Security)
  • 2. • Andrew Nacin • Lead Developer for WordPress • Washington, D.C. • Work for WP founder Matt Mullenweg (Don't work for Automattic or WP.com) • Full time on WordPress (the project) and WordPress.org (the site) • WordPress Security Team
  • 3. A bit about WordPress releases • You're not adopting WordPress 3.5 • You're not adopting WordPress 3 • You're adopting WordPress
  • 6. These are major releases • WordPress 2.8, 2.9, 3.0, 3.1, 3.2 • New features, enhancements, and bug fixes • Every 4-6 months These are minor releases • WordPress 3.4.1, 3.4.2, 3.5.1 • Major bug fixes, sometimes security fixes • As needed
  • 7. Our philosophies are important wordpress.org/about/philosophy
  • 8. Backwards compatibility • This is our commitment to users • Code that works on WordPress now should always work on WordPress • Update to minor releases immediately • If you must, wait for the .1 for major releases • (But you shouldn't need to wait) • Don't skip releases: There is no need to
  • 9. How to justify this in government • We don't have LTS (long term support) releases (no demand for it) • Semantic versioning dictates that a major release is one that breaks compatibility • Since we don't do that, government could think of it as a minor release. Just upgrade :-)
  • 10. Very basic* crash course in WordPress security * sysadmins may be bored
  • 11. Keep everything updated • Keep WordPress core updated – Consider following all changes to the 3.5 branch, not just final releases 3.5.1, 3.5.2, etc. • Keep plugins and themes updated • (or if necessary, backport security fixes) • No, seriously • Consider a security audit by WordPress experts (e.g. Automattic)
  • 12. Prevent file changes in the admin • Prevent upgrade of plugins, themes, core • You should be using version control anyway (Subversion or Git) • In wp-config.php: define('DISALLOW_FILE_MODS', true);
  • 13. Locking down access • In wp-config.php, force SSL: define('FORCE_SSL_ADMIN', true); • If necessary, lock down wp-login.php and wp-admin: – Restrict it to your VPN or proxy – Restrict it using HTTP Basic Authentication – Restrict it to your office IP addresses
  • 14. Report potential security vulnerabilities to: security@wordpress.org
  • 15. Report potential security vulnerabilities in plugins to: plugins@wordpress.org
  • 16. The WordPress security team • 25 experts including lead developers and security researchers – About half are employees of Automattic – A number work in the web security fieldWe • We consult with well-known and trusted security researchers • We notify major hosting companies and government agencies of critical issues (contact us: security@wordpress.org)
  • 17. Our (fairly standard) security process • Receive and acknowledge the report • Work to confirm the report and its severity • Plan and develop an initial patch • All of this happens within 48-72 hours