CIA For WordPress Developers

David Brumbaugh • @DavidEBrumbaugh • #Team10Up • www.10up.com

A C I A M I N D S E T
P L A N N I N G Y O U R W O R D P R E S S S I T E ’ S S E C U R I T Y ( F O R D E V E L O P E R S )
David Brumbaugh - Web Engineer 10Up
A premiere web design & development consulting service provider,
and a contributor to open platforms like WordPress.

7 0 % O F
W O R D P R E S S
S I T E S
V U L N E R A B L E
O C TO B E R 2 0 1 3 , I N F O R M AT I O N W E E K :
That’s Over 100M Sites
These Vulnerabilities are Preventable

I T S H O U L D P E R M E AT E H O W W E C O D E
Security is a Mindset

C . I . A Confidentiality
Integrity
Availability

W O R D P R E S S
C I A C O D I N G
• ENVIRONMENTAL
FACTORS
• CODE FOR
CONFIDENTIALITY
• CODE FOR INTEGRITY
• CODE FOR AVAILABILITY

C O N F I D E N T I A L I T Y
• Personal Information
• Names, Email Addresses
• Customer Information
• Order History
• Sensitive Information
• Payment Information, Passwords, Health Data

I F T H E H O S T I S C O M P R O M I S E D - Y O U R C O D I N G D O E S N ' T M AT T E R .
C O N F I D E N T I A L I T Y: H O S T I N G
C U LT I VAT E A G O O D R E L AT I O N S H I P W I T H T H E H O S T. AV O I D “ B L A M E G A M E ” .
W I T H A N E W ( O R L A R G E ) H O S T I U S U A L LY S TA RT T H E S U P P O RT T I C K E T
W I T H : “ I A M A D E V E L O P E R ”

C O N F I D E N T I A L I T Y - W O R D P R E S S
Front End vs. Back End
Roles and Capabilities
Built In and Custom
Business Decisions - Purpose of Code
Should Match Responsibilities

S TA N D A R D R O L E S
• Super Admin
• Administrator
• Editor
• Author
• Contributor
• Subscriber
S A M P L E C A PA B L I T I E S
• edit_users
• activate_plugins
• delete_others_pages
• upload_files
• edit_posts
• read
U S I N G C A PA B I L I T I E S I N C O D E

C U S TO M R O L E S A N D C A PA B I L I T I E S

C O D E E X A M P L E S F R O M R E P O S I TO RY
C O N F I D E N T I A L I T Y - W O R D P R E S S
Members (Justin Tadlock)
Eyes Only (Kevin Behrens & Thom Stark)
Restricted Site Access (10Up)
Editorial Access Manager (10Up)

P R O T E C T I O N A G A I N S T:
U N A U T H O R I Z E D
O R U N I N T E N D E D
M O D I F I C AT I O N ,
D E L E T I O N ,
O R A D D I T I O N
O F D ATA
A N D / O R P R O G R A M S .
I N T E G R I T Y

W P I N T E G R I T Y T H R E AT S
• Brute Force Attacks
• Another computer “guesses” username/password
• Username or password is intercepted (email)
• Injection Attacks
• Another computer exploits failure to comply with
best practices by injecting malicious code.

I N T E G R I T Y - W O R D P R E S S C O R E A D VA N TA G E S
• Open Source
• Thousands of Eyes
• Can Audit / Inspect
• YOU Should Inspect It
• https://make.wordpress.org/core/reports/
• Solid Organization Committed to Security
• Built In Security Functions (Only work if used)
• Version Updates - Automatic for Security Related,  
Can (usually should) be automated
• You Should Push Security Updates ASAP

I N Y O U R T H E M E S
A N D P L U G I N S
• Update Procedures (i.e.
WordPress.org Repository)
• Best Practices:
• Input Validation and
Sanitization
• Validate and Escape
Output
• Beware Feature Bloat
I N T E G R I T Y

B R U T E F O R C E D E F E N S E
• Check for Bad Usernames (admin,
administrator etc.)
• Captcha - Advantages and
disadvantages
• Enforce Strong Passwords
• Secure Password Delivery
• Don’t Email Passwords
• Use One Time Secret
I N T E G R I T Y

I N J E C T I O N D E F E N S E S
U S E B U I LT- I N E S C A P I N G , VA L I D AT I O N A N D S A N I T I Z I N G F U N C T I O N S
I N T E G R I T Y
Input Validation

I N T E G R I T Y
Sanitizing: Cleaning User Input

I N T E G R I T Y
Escaping: Securing Output
Why???

I N T E G R I T Y
Escaping: Securing Output
How???

• A L L P L U G I N S / T H E M E S R U N AT T H E S A M E P E R M I S S I O N L E V E L
• S O M E O T H E R P L U G I N C A N M A K E Y O U R S V U L N E R A B L E
• G I T A U T O M AT I C A L LY I N C L U D E S I N T E G R I T Y C H E C K I N G
• C O N S I D E R A “ C A N O N I C A L ” F I L E I N T E G R I T Y S O U R C E :
http://www.sitepoint.com/monitoring-file-integrity/
• S E A R C H P L U G I N R E P O S I T O RY F O R :
“ S E C U R I T Y M O N I T O R I N G ”
A N D / O R “ F I L E I N T E G R I T Y M O N I T O R I N G ”
F I L E & D ATA I N T E G R I T Y

Y O U R W O R D P R E S S S I T E
S H O U L D B E AVA I L A B L E
TO Y O U R C U S TO M E R S ,
U S E R S ,
A D M I N I S T R ATO R S
A N D C O N T E N T C R E ATO R S
W H E N T H E Y N E E D I T.
AVA I L A B I L I T Y

• O F T E N A F U N C T I O N O F I N T E G R I T Y
• AT TA C K E R L O C K S U S E R S O U T
• D D O S L A U N C H E D F R O M
C O M P R O M I S E D W P S I T E S I N
2 0 1 3
• W O R K W I T H T H E H O S T
• P E R F O R M A N C E
• O P T I M I Z AT I O N ( P R O F I L E )
• C A C H E I N G
• A S S E T M A N A G E M E N T ( C D N )
AVA I L A B I L I T Y

David Brumbaugh• @DavidEBrumbaugh • #Team10Up• www.10iup.com/cia-biz
C . I . A . R E S O U R C E S
• developer.wordpress.org
• codex.wordpress.org
• Sanitizing Input
• Escaping Output
• Open Web Application Security Project
• owasp.org
• CERT - Computer Emergency Readiness Team
• http://www.us-cert.gov
• Subscribe to Email Alerts
• Filter your inbox by sender, WordPress

• P R E V I O U S LY M E N T I O N E D P L U G I N S
( W O R D P R E S S . O R G )
• B E S T P R A C T I C E S
• h t t p s : / / 1 0 u p . g i t h u b . i o / E n g i n e e r i n g - B e s t - P r a c t i c e s /
• O N E T I M E S E C R E T: h t t p s : / / s e c r e t . 1 0 u p . c o m /
M O R E C . I . A . R E S O U R C E S - F R O M 1 0 U P

Q U E S T I O N S ?

CIA For WordPress Developers

Empfohlen

Empfohlen

Weitere ähnliche Inhalte

Was ist angesagt?

Was ist angesagt? (20)

Andere mochten auch

Andere mochten auch (17)

Ähnlich wie CIA For WordPress Developers

Ähnlich wie CIA For WordPress Developers (20)

Kürzlich hochgeladen

Kürzlich hochgeladen (20)

CIA For WordPress Developers