Plug the Holes - Wordupness
Page 1
Plug the Holes #wordupness
(Taking security seriously when developing themes)
Presented by: Callum Hopkins
@caleuanhopkins callumhopkins.co.uk
yeehah!
Page 2
WordPress’ awesome attributes
Open Source - free to use + build
No rules, limits or restrictions
Huge development & user community
Page 3
WordPress’ weakest attributes
Open Source - core exposed
no set standard - rubbish work accepted
ignorant users & arrogant devs
Page 4
my story - brute force exposure
username: admin
password: elephant
Page 5
my story - brute force exposure
wp footprints viewable in website’s source
no limit on number of login retries
admin login username wasn’t changed
Page 6
WordPress shock facts
WordPress is not 100% secure out of the box
more than 30 known wp 3.x core vulnerabilities
http://bit.ly/ceh-wpinfo
83% of hacked wp blogs were not upgraded
Page 7
Let’s Improve WordPress
Obscure WordPress
Lock down WordPress
Secure WordPress
Page 8
Lock WordPress down
Lock down login attempts
remove write access for wp-content
rename admin usernames
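The first bullet, limiting login attempts, as an added example written for this page (it is not code from the talk, nor from the login lockdown plugin linked on the resources slide). It is a must-use plugin built only on the `wp_login_failed` action, the `authenticate` filter and the transients API; the thresholds, the `ll_` prefix and the per-IP keying are assumptions to adjust for your site.

```php
<?php
/**
 * Plugin Name: Login Lockdown (added example, not the talk's code)
 * Drop this file into wp-content/mu-plugins/ so it loads on every request
 * without activation. Thresholds below are assumptions; tune them per site.
 */

const LL_MAX_ATTEMPTS    = 5;    // failed attempts allowed per client
const LL_LOCKOUT_SECONDS = 900;  // lockout length once the limit is reached

/**
 * Transient key for the calling client. REMOTE_ADDR is only trustworthy
 * when PHP talks to the client directly; behind a reverse proxy or CDN you
 * must take the client address from the header that proxy sets, or every
 * visitor shares one counter and a single attacker locks out the whole site.
 */
function ll_client_key() {
    $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
    return 'll_fail_' . md5($ip);
}

/** Failed attempts recorded for this client inside the current window. */
function ll_failed_attempts() {
    return (int) get_transient(ll_client_key());
}

// Core fires wp_login_failed for every rejected credential pair. Re-setting the
// transient on each failure also restarts the window, so attempts made during
// a lockout extend it rather than reset it.
add_action('wp_login_failed', function ($username) {
    set_transient(ll_client_key(), ll_failed_attempts() + 1, LL_LOCKOUT_SECONDS);
});

// Priority 30 runs after core's username/password check (priority 20), so
// even a correct password is refused while the client is locked out.
add_filter('authenticate', function ($user, $username, $password) {
    if (ll_failed_attempts() >= LL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            'Too many failed login attempts from your address. Try again later.'
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter so a legitimate user who mistyped a
// few times is not penalised afterwards.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(ll_client_key());
}, 10, 2);
```

Because the check sits on the `authenticate` filter rather than on the login form, it applies everywhere core calls `wp_authenticate()`, including XML-RPC. A per-address limit only slows down a single source; an attacker spread over many addresses is stopped by the password policy on the next slide, not by this counter.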
Page 9
Secure WordPress
high level password security for admins
remove editor from appearance panel
change admin user id from 1
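The first two bullets, as an added example that is not code from the talk: a must-use plugin that rejects weak passwords for administrators on both the profile screen and the password-reset form, and removes the theme and plugin editors with the `DISALLOW_FILE_EDIT` constant (conventionally set in wp-config.php; the constant is checked at request time, so defining it here has the same effect). The policy thresholds, word list and `ll_` prefix are assumptions. The third bullet needs no code: creating a fresh administrator under a new name, then deleting the original account and attributing its posts to the new one, changes both the username and the ID.

```php
<?php
/**
 * Plugin Name: Admin Hardening (added example, not the talk's code)
 * Enforces a password policy for administrators and disables the in-browser
 * theme/plugin editor. Load it from wp-content/mu-plugins/. The policy
 * thresholds and the ll_ prefix are assumptions for this example.
 */

// Same effect as the define in wp-config.php: the Appearance and Plugins
// editors disappear and edit_themes/edit_plugins are denied, so a stolen
// admin session cannot write PHP into a theme file from the dashboard.
if (!defined('DISALLOW_FILE_EDIT')) {
    define('DISALLOW_FILE_EDIT', true);
}

/**
 * Return a human-readable reason the password is unacceptable, or null if it
 * passes. Length is weighted over character classes because length is what
 * makes offline cracking of a leaked password hash expensive.
 */
function ll_password_problem($password, $username = '') {
    $blocklist = array('password', 'elephant', 'wordpress', 'letmein', 'qwerty');
    if (strlen($password) < 14) {
        return 'Administrator passwords must be at least 14 characters long.';
    }
    if ($username !== '' && stripos($password, $username) !== false) {
        return 'The password must not contain the username.';
    }
    foreach ($blocklist as $bad) {
        if (stripos($password, $bad) !== false) {
            return 'The password contains a common word that brute-force tools try first.';
        }
    }
    $classes = (int) preg_match('/[a-z]/', $password)
             + (int) preg_match('/[A-Z]/', $password)
             + (int) preg_match('/[0-9]/', $password)
             + (int) preg_match('/[^a-zA-Z0-9]/', $password);
    if ($classes < 3) {
        return 'Use at least three of: lower case, upper case, digits, symbols.';
    }
    return null;
}

// Fires when a user is created or edited in the dashboard. $user holds the
// pending data; user_pass is only present when a new password was entered.
add_action('user_profile_update_errors', function ($errors, $update, $user) {
    if (empty($user->user_pass)) {
        return;
    }
    $is_admin = (isset($user->role) && $user->role === 'administrator')
        || ($update && !empty($user->ID) && user_can($user->ID, 'manage_options'));
    if (!$is_admin) {
        return;
    }
    $login   = isset($user->user_login) ? $user->user_login : '';
    $problem = ll_password_problem($user->user_pass, $login);
    if ($problem !== null) {
        $errors->add('weak_admin_password', $problem);
    }
}, 10, 3);

// The reset-password form bypasses the profile screen, so check it as well.
// Here $user is a WP_User and the new password arrives in $_POST['pass1'].
add_action('validate_password_reset', function ($errors, $user) {
    if (!($user instanceof WP_User) || !user_can($user, 'manage_options')) {
        return;
    }
    if (isset($_POST['pass1'])) {
        $problem = ll_password_problem(wp_unslash($_POST['pass1']), $user->user_login);
        if ($problem !== null) {
            $errors->add('weak_admin_password', $problem);
        }
    }
}, 10, 2);
```

Both hooks add to the `WP_Error` object WordPress already passes them, so the rejection shows up as an ordinary validation message on the form; no output or redirect handling is needed.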
Page 10
Obscure WordPress
encode wp-config
remove all wordpress footprints
rewrite for admin panel
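The second bullet, removing WordPress footprints from rendered pages, as an added example that is not code from the talk or from the Hide WP Footprints plugin on the resources slide. It uses only core's `remove_action`, `add_filter` and `remove_query_arg`; the `ll_` prefix is an assumption. One caveat on the first bullet: encoding wp-config.php does not protect its secrets from anyone who can already read files as the web-server user, because PHP has to decode it to run, so restricting the file's permissions is the control that matters.

```php
<?php
/**
 * Plugin Name: Hide WP Footprints (added example, not the talk's code)
 * Removes the version disclosures a theme leaves in rendered HTML. Load it
 * from wp-content/mu-plugins/ or call the same hooks from functions.php.
 */

// <meta name="generator" content="WordPress x.y.z"> in <head>.
remove_action('wp_head', 'wp_generator');
// The same string is emitted into RSS/Atom feeds through this filter.
add_filter('the_generator', '__return_empty_string');

// Discovery links for legacy remote-publishing clients; they name the
// platform and are rarely needed on a modern site.
remove_action('wp_head', 'rsd_link');
remove_action('wp_head', 'wlwmanifest_link');

/**
 * Drop the ?ver=x.y.z query string core appends to enqueued scripts and
 * styles. For core assets that value is the WordPress version itself, so it
 * is visible in every page's source.
 */
function ll_strip_asset_version($src) {
    return is_string($src) ? remove_query_arg('ver', $src) : $src;
}
add_filter('style_loader_src', 'll_strip_asset_version');
add_filter('script_loader_src', 'll_strip_asset_version');
```

Two things to keep in mind. Stripping `ver` also removes cache-busting, so browsers may keep stale CSS and JS after an upgrade unless your caching layer handles it. And this is obscurity only: readme.html in the web root still states the version unless you delete or block it, and scanners can fingerprint a release from the content of static files in wp-includes. It buys a little time against casual scanning; staying upgraded, the point of the 83% figure on the shock-facts slide, is what actually closes the holes.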
Page 11
WordPress Resources
http://bit.ly/ceh-php
http://bit.ly/ceh-login login lockdown plugin
Better wp security
Hide wp Footprints
http://bit.ly/ceh-security
Page 12
questions?
Things to remember
be serious about security
any website can be targeted, whatever its status
always code to the best of your abilities