OWASP
Top 10 vulnerabilities (data from 2013 below)
- Injection
- Broken Authentication and Session Management
- Cross-Site Scripting (XSS)
- Insecure Direct Object References
- Security Misconfiguration
- Sensitive Data Exposure
- Missing Function Level Access Control
- Cross-Site Request Forgery (CSRF)
- Using Known Vulnerable Components
- Unvalidated Redirects and Forwards
More info: Gary Hockin: top 10 OWASP at PHPUK 2015
Authentication and sessions
- Check browser user agent
- Check session remote IP address
Example: Zend Session Validator
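The two checks above, as an added example in plain PHP (not the talk's code and not Zend's validator): the session records a fingerprint of the User-Agent, optionally with the remote IP, and any later request whose fingerprint differs is thrown away. Function names are hypothetical. The IP check is off by default because mobile and proxied users change address mid-session and would be logged out.

```php
<?php
// Added example (not from the talk or from Zend): bind a PHP session to the
// browser User-Agent and, optionally, the client IP. Function names are
// hypothetical.

declare(strict_types=1);

const SESSION_FINGERPRINT_KEY = '_fingerprint';

// Build the fingerprint from request headers. The User-Agent is hashed so the
// raw string is never stored in the session file.
function session_fingerprint(array $server, bool $includeIp): string
{
    $parts = [hash('sha256', $server['HTTP_USER_AGENT'] ?? '')];
    if ($includeIp) {
        // Caveat: users on mobile networks or corporate proxies change IP
        // during a session, so this check logs them out; enable it knowingly.
        $parts[] = $server['REMOTE_ADDR'] ?? '';
    }
    return implode('|', $parts);
}

// Call right after session_start(). Returns true when the session matches this
// request. On a mismatch the session data is dropped and a fresh session ID is
// issued, so a cookie replayed from a different browser carries nothing.
function validate_session(array $server, bool $includeIp = false): bool
{
    $expected = session_fingerprint($server, $includeIp);

    if (!isset($_SESSION[SESSION_FINGERPRINT_KEY])) {
        // First request of this session: record the fingerprint.
        $_SESSION[SESSION_FINGERPRINT_KEY] = $expected;
        return true;
    }

    if (hash_equals($_SESSION[SESSION_FINGERPRINT_KEY], $expected)) {
        return true;
    }

    // Mismatch: discard everything and start clean; the caller re-authenticates.
    $_SESSION = [];
    session_regenerate_id(true);
    $_SESSION[SESSION_FINGERPRINT_KEY] = $expected;
    return false;
}

// Usage at the top of every page that relies on the session:
session_start();
if (!validate_session($_SERVER, false)) {
    header('Location: /login.php');
    exit;
}
```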
Brute force attack
Fortunately, there is an article on brute force attacks in the WordPress Codex.
- Don't use "admin" as username (easy)
- Use a good password (recommended)
- Do not force complex passwords! => bad UX
- Do not force complex passwords! => people write them down
- Limit the number of login attempts
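The last point as an added example, not the talk's code and not an existing plugin: a small WordPress plugin that counts failed logins per client address in a transient and refuses the `authenticate` step once the threshold is reached. The limits, the `lal_` prefix and the messages are illustrative choices.

```php
<?php
/**
 * Plugin Name: Login Attempt Limiter (added example)
 *
 * Added example, not from the talk or any published plugin: limit failed
 * logins per client address with WordPress transients. Constants and the
 * "lal_" prefix are illustrative.
 */

const LAL_MAX_ATTEMPTS    = 5;    // failed logins tolerated per window
const LAL_LOCKOUT_SECONDS = 900;  // window length and lockout duration

// Counter key for the current client. Behind a reverse proxy, have the web
// server set REMOTE_ADDR from the proxy header instead of trusting
// X-Forwarded-For here.
function lal_client_key(): string
{
    return 'lal_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

// get_transient() returns false when the key is absent; (int) false is 0.
function lal_attempts(): int
{
    return (int) get_transient(lal_client_key());
}

// WordPress fires 'wp_login_failed' after every rejected login.
function lal_record_failure(string $username): void
{
    set_transient(lal_client_key(), lal_attempts() + 1, LAL_LOCKOUT_SECONDS);
}
add_action('wp_login_failed', 'lal_record_failure');

// A successful login clears the counter so a legitimate user is not locked out
// by their own typos.
function lal_clear(string $user_login, WP_User $user): void
{
    delete_transient(lal_client_key());
}
add_action('wp_login', 'lal_clear', 10, 2);

// Priority 30 runs after core's username/password handler (priority 20), so a
// locked-out client is refused even when the password is right.
function lal_check_lockout($user, string $username, string $password)
{
    if (lal_attempts() >= LAL_MAX_ATTEMPTS) {
        return new WP_Error(
            'too_many_attempts',
            sprintf('Too many failed logins from your address. Try again in %d minutes.',
                    LAL_LOCKOUT_SECONDS / 60)
        );
    }
    return $user;
}
add_filter('authenticate', 'lal_check_lockout', 30, 3);
```

Note that a rejected login during the lockout also fires `wp_login_failed`, so the window keeps sliding while attempts continue; pair this with the "don't use admin" and password advice above, since it slows guessing rather than preventing it.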
Using Known Vulnerable Components
- Update your servers (PHP, MySQL, Apache, Nginx)
- Update WordPress, themes and plugins
- Disable auto-update so that updates go through version control and the code can be screened in diffs
- Source your plugins and themes correctly
- Read the code
- Use blog posts from security experts
Extending WordPress
Security
User authentication
Prevent brute force
User authentication
Use two-factor authentication.
Consider users' passwords compromised (some people use the same password everywhere).
Use a known plugin, don't write your own.
Explain it to your users, or they will not understand: explain why, and how.
Themes / Plugins
Filter inputs, escape outputs, never trust user input.
Data from the database or from APIs is treated as user input too, since it can have been modified somewhere along the way.
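The "filter inputs, escape outputs" rule as an added example (not the talk's code): a WordPress shortcode that sanitizes each request parameter to the type it expects, reads from the database only through `$wpdb->prepare()`, and escapes every value for the exact HTML context it lands in. The shortcode tag and the `ex_` function names are hypothetical.

```php
<?php
// Added example (not from the talk): filter on input, prepare on storage,
// escape on output. The shortcode tag and "ex_" names are hypothetical.

// Input stage: every request parameter is reduced to the expected type.
function ex_read_input(): array
{
    return [
        // Whole number only; anything else becomes 0.
        'post_id' => isset($_GET['post_id']) ? absint($_GET['post_id']) : 0,
        // Plain text: tags, control characters and stray whitespace removed.
        'label'   => isset($_GET['label']) ? sanitize_text_field(wp_unslash($_GET['label'])) : '',
        // URL for storage: only allowed protocols survive, so "javascript:" is dropped.
        'link'    => isset($_GET['link']) ? esc_url_raw(wp_unslash($_GET['link'])) : '',
    ];
}

// Storage stage: values reach SQL only through $wpdb->prepare().
function ex_lookup_author(int $post_id): ?string
{
    global $wpdb;
    $name = $wpdb->get_var($wpdb->prepare(
        "SELECT u.display_name FROM {$wpdb->users} u
           JOIN {$wpdb->posts} p ON p.post_author = u.ID
          WHERE p.ID = %d",
        $post_id
    ));
    return $name === null ? null : (string) $name;
}

// Output stage: escape for the context. The author name read back from the
// database gets the same treatment as the request parameters.
function ex_render(array $in, ?string $author): string
{
    $html  = '<div class="ex-box" data-label="' . esc_attr($in['label']) . '">';
    $html .= '<p>' . esc_html($in['label']) . '</p>';
    if ($author !== null) {
        $html .= '<p>' . esc_html(sprintf('By %s', $author)) . '</p>';
    }
    if ($in['link'] !== '') {
        $html .= '<a href="' . esc_url($in['link']) . '">' . esc_html__('More', 'ex') . '</a>';
    }
    return $html . '</div>';
}

add_shortcode('ex_box', function () {
    $in = ex_read_input();
    return ex_render($in, $in['post_id'] ? ex_lookup_author($in['post_id']) : null);
});
```

The attribute, text node and `href` each use a different escaper; using `esc_html()` for all three would leave the `href` open to a `javascript:` value and the attribute open to a stray quote.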
Miscellaneous
- Don't auto-update; keep control of the files.
- Disable the file editor.
- Disable plugin/theme uploaders.
- Use a local configuration file (outside the document root), or use environment variables.
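The four points above as an added `wp-config.php` example (not the talk's file): the constants that disable automatic updates, the file editor and the uploaders, followed by credentials loaded from a file outside the document root or from the environment. The path `/etc/wordpress/secrets.php` and the `WP_DB_*` variable names are assumptions.

```php
<?php
// Added example, not from the talk: wp-config.php settings for the list above.
// The secrets path and the WP_DB_* environment variable names are assumptions.

// "Don't auto-update; keep control of the files": changes arrive through
// deployment and version control, not from wp-admin.
define('AUTOMATIC_UPDATER_DISABLED', true);
define('WP_AUTO_UPDATE_CORE', false);

// "Disable the file editor": removes the theme/plugin editor from wp-admin.
define('DISALLOW_FILE_EDIT', true);

// "Disable plugin/theme uploaders": no installs, uploads or updates from
// wp-admin at all (this also implies DISALLOW_FILE_EDIT).
define('DISALLOW_FILE_MODS', true);

// "Use a local configuration file (outside the document root), or environment
// variables": credentials never sit in the web root or in the repository.
$secrets = '/etc/wordpress/secrets.php';   // assumed path, outside the docroot
if (is_readable($secrets)) {
    require $secrets;   // expected to define DB_NAME, DB_USER, DB_PASSWORD, DB_HOST
} else {
    define('DB_NAME',     getenv('WP_DB_NAME')     ?: '');
    define('DB_USER',     getenv('WP_DB_USER')     ?: '');
    define('DB_PASSWORD', getenv('WP_DB_PASSWORD') ?: '');
    define('DB_HOST',     getenv('WP_DB_HOST')     ?: 'localhost');
}
define('DB_CHARSET', 'utf8mb4');
define('DB_COLLATE', '');

// The AUTH_KEY / SALT constants belong in the same secrets file.

$table_prefix = 'wp_';

if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

With `DISALLOW_FILE_MODS` set, the only way code changes is through the deployment you control, which is what makes the diff screening from the previous section possible.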
WordPress version control tips