WordCamp US 2019 – Securing WordPress in the age of 0-Day Vulnerabilities – Rahul Nagare
- Recently discovered
- No current fix
- Already being attacked
Reference – wpvulndb.com
Why My Site?
- They want to send your traffic somewhere else to boost SEO rank
- They want to use your site as a “bot” to attack a targeted site.
How Do You Protect Your Site?
Protection Against Redirects
- Hardcode your site/home URL
- Protect your wp-config.php
Protect Against Automated Plugin Updates
- Limit access to wp-admin, white-list admin IPs
Protect Against Code Injections
- Block all POST requests without a valid referrer
- Set Content-Security-Policy header
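An added example, not from the talk: one way to express the wp-config.php, wp-admin, POST-referrer and CSP items above as Apache 2.4 `.htaccess` rules, assuming `.htaccess` overrides are enabled. The host name `example.com`, the admin addresses and the CSP value are constructed placeholders; the site/home URL item is set separately through the `WP_HOME` and `WP_SITEURL` constants in wp-config.php.

```apache
# ---- File: <WordPress root>/.htaccess (place above "# BEGIN WordPress") ----

# "Protect your wp-config.php": never serve the file over HTTP.
<Files "wp-config.php">
    Require all denied
</Files>

# "Block all POST requests without a valid referrer".
# example.com is a placeholder for the site's own host name.
# The Referer header is client-supplied, so this only filters
# unsophisticated automated traffic. It also rejects legitimate off-site
# POSTs (webhooks, payment callbacks, REST or XML-RPC clients), which
# need their own exceptions before this rule.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{REQUEST_METHOD} =POST
    RewriteCond %{HTTP_REFERER} !^https://example\.com(/|$) [NC]
    RewriteRule ^ - [F]
</IfModule>

# "Set Content-Security-Policy header".
# Constructed starting policy; themes and plugins that rely on inline or
# third-party scripts will need additional sources listed.
<IfModule mod_headers.c>
    Header always set Content-Security-Policy "default-src 'self'; object-src 'none'; base-uri 'self'; form-action 'self'"
</IfModule>

# ---- File: <WordPress root>/wp-admin/.htaccess ----

# "Limit access to wp-admin, white-list admin IPs".
# 203.0.113.10 and 198.51.100.0/24 are documentation-range placeholders.
# Behind a reverse proxy or CDN, Apache sees the proxy address unless
# mod_remoteip is configured.
Require ip 203.0.113.10 198.51.100.0/24

# Front-end features call admin-ajax.php as anonymous visitors,
# so it stays reachable from any address.
<Files "admin-ajax.php">
    Require all granted
</Files>
```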
You still need to follow the standard security best practices.