
WordCamp US 2019 – Securing WordPress in the age of 0-Day Vulnerabilities – Rahul Nagare

scaledynamix.com/WCUS

0-Day Vulnerabilities

  • Recently discovered
  • No current fix
  • Already being attacked

Reference – wpvulndb.com

Why My Site?

  • They want to redirect your visitors somewhere else (SEO spam, affiliate or malware landing pages) to boost another site’s rank.
  • They want to use your site as a “bot” in a larger network to attack a targeted site.

How Do You Protect Your Site?

Protection Against Redirects

  • Hardcode your site/home URL in wp-config.php (the WP_HOME and WP_SITEURL constants). Once they are defined, WordPress ignores the siteurl/home rows in the database, so an attacker who tampers with wp_options can no longer redirect your visitors.
  • Protect your wp-config.php: it holds the database credentials and the authentication salts. Deny web access to it in the web server configuration, keep its file permissions tight (readable by the PHP user only), and optionally move it one directory above the web root, where WordPress looks for it automatically.

Protect Against Automated Plugin Updates

  • Limit access to wp-admin: white-list admin IPs at the web server or in a must-use plugin, so a leaked cookie or a vulnerable plugin cannot be used to install or update plugins from an arbitrary address. Leave admin-ajax.php and admin-post.php reachable if front-end features depend on them, and remember that the client address is only trustworthy when PHP sees the visitor directly, not through an untrusted proxy header.

Protect Against Code Injections

  • Block all POST requests without a valid referrer. The Referer header is client-controlled, so this stops mass automated injection bots rather than a targeted attacker; exempt WP-Cron, which spawns itself with a Referer-less POST, and any XML-RPC or REST clients you rely on.
  • Set a Content-Security-Policy header. Start with Content-Security-Policy-Report-Only, tune the policy until your theme and plugins report no violations, then enforce it.

You still need to follow the standard security best practices
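The three server-side controls above (wp-admin IP white-list, Referer check on POST, CSP header) plus a self-check for the two wp-config.php items, as an added example in PHP; this is not the speaker's code or anything from the slides, it is one way to implement the notes as a single must-use plugin. The IP ranges, the policy string, the `wcus_` names and the example domain are assumptions.

```php
<?php
/**
 * Plugin Name: WCUS 2019 hardening (added example, not from the talk)
 *
 * Drop this file into wp-content/mu-plugins/ so it loads before regular plugins.
 * It implements three of the talk's controls and adds a self-check for the
 * wp-config.php items. The IP list and CSP policy below are assumptions.
 */

// Assumption: replace with the IPs/ranges your administrators actually use (IPv4 only).
const WCUS_ADMIN_ALLOWED_IPS = ['203.0.113.10', '198.51.100.0/24'];

// Assumption: a permissive starting policy; tune it with Content-Security-Policy-Report-Only first.
const WCUS_CSP_POLICY = "default-src 'self'; script-src 'self' 'unsafe-inline'; "
    . "style-src 'self' 'unsafe-inline'; img-src 'self' data: https:; "
    . "object-src 'none'; base-uri 'self'; form-action 'self'; frame-ancestors 'self'";

/** True when $ip equals $rule exactly or lies inside the IPv4 CIDR range $rule. */
function wcus_ip_matches(string $ip, string $rule): bool {
    if (strpos($rule, '/') === false) {
        return $ip === $rule;
    }
    [$subnet, $bits] = explode('/', $rule, 2);
    $ipLong  = ip2long($ip);
    $netLong = ip2long($subnet);
    if ($ipLong === false || $netLong === false) {
        return false; // not IPv4, or malformed
    }
    $bits = (int) $bits;
    $mask = $bits === 0 ? 0 : ((-1 << (32 - $bits)) & 0xFFFFFFFF);
    return ($ipLong & $mask) === ($netLong & $mask);
}

// 1. Limit wp-admin to white-listed IPs. admin-ajax.php and admin-post.php stay open
//    because front-end features (forms, infinite scroll) post to them anonymously.
//    REMOTE_ADDR is only meaningful when PHP sees the client directly; behind a CDN or
//    reverse proxy, have the web server restore the real client address first.
add_action('admin_init', function () {
    $script = basename($_SERVER['SCRIPT_NAME'] ?? '');
    if (in_array($script, ['admin-ajax.php', 'admin-post.php'], true)) {
        return;
    }
    $remote = $_SERVER['REMOTE_ADDR'] ?? '';
    foreach (WCUS_ADMIN_ALLOWED_IPS as $rule) {
        if (wcus_ip_matches($remote, $rule)) {
            return;
        }
    }
    wp_die('Access to wp-admin is restricted to approved addresses.', 'Forbidden', ['response' => 403]);
});

// 2. Reject POST requests whose Referer is missing or names another host.
//    The Referer is client-controlled, so this stops mass automated injection
//    attempts, not a targeted attacker. WP-Cron spawns itself with a Referer-less
//    POST and is exempted; XML-RPC or REST clients you rely on need exemptions too.
add_action('init', function () {
    if (($_SERVER['REQUEST_METHOD'] ?? 'GET') !== 'POST') {
        return;
    }
    if (defined('DOING_CRON') && DOING_CRON) {
        return;
    }
    $expected = wp_parse_url(home_url(), PHP_URL_HOST);
    $referer  = $_SERVER['HTTP_REFERER'] ?? '';
    $host     = $referer === '' ? null : wp_parse_url($referer, PHP_URL_HOST);
    if (!is_string($host) || strcasecmp($host, (string) $expected) !== 0) {
        wp_die('POST requests must originate from this site.', 'Forbidden', ['response' => 403]);
    }
});

// 3. Send the CSP on front-end responses. send_headers does not fire for wp-admin,
//    which is deliberate here: the block editor needs a much looser policy.
add_action('send_headers', function () {
    if (!headers_sent()) {
        header('Content-Security-Policy: ' . WCUS_CSP_POLICY);
    }
});

// 4. Self-check for the wp-config.php items: URLs hardcoded (so a tampered siteurl/home
//    option in the database cannot redirect visitors) and the file not world-readable.
add_action('admin_notices', function () {
    if (!current_user_can('manage_options')) {
        return;
    }
    $problems = [];
    if (!defined('WP_HOME') || !defined('WP_SITEURL')) {
        $problems[] = 'WP_HOME and WP_SITEURL are not defined in wp-config.php.';
    }
    $config = file_exists(ABSPATH . 'wp-config.php')
        ? ABSPATH . 'wp-config.php'
        : dirname(ABSPATH) . '/wp-config.php'; // WordPress also looks one level up
    if (file_exists($config) && (fileperms($config) & 0004)) {
        $problems[] = basename($config) . ' is world-readable; tighten its permissions.';
    }
    foreach ($problems as $problem) {
        echo '<div class="notice notice-error"><p>' . esc_html($problem) . '</p></div>';
    }
});
```

Two practical notes: the Referer check depends on browsers actually sending the header, so a site-wide `Referrer-Policy: no-referrer` would lock legitimate users out of every form, including the login form; and the IP white-list on `admin_init` does not cover wp-login.php, which lives outside wp-admin, so brute-force protection for the login page needs a separate rule at the web server.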
