#TPR4: Securing the Open Source CMS Doesn’t Take a Dissertation

Thursday, August 9th, 2012

Chris Wiegman

103 C, Frontier Airlines Center

As the author of the Better WP Security WordPress plugin, Chris Wiegman has spent a bit of time over the last couple of years securing WordPress and other open source CMS installs and fixing sites for those who did not. That said, making a reasonably secure site with open source software isn’t all that hard if you know what to look for. This session will focus on the practical aspects of setting up a site with security in mind and maintaining it so as to keep the wolves at bay. He’s spent the last 6 years focusing on the security of Drupal, WordPress, Joomla and MediaWiki sites, which has included installation, configuration and response to numerous attacks. Over that time there are a number of vectors he’s found that, when addressed from the beginning and with the correct frame of mind, can make an open source website at least as secure, if not more secure, than any other product on the market. This session will cover the basics of why to secure, common vectors used by attackers, mitigation strategies and basic training strategies to help make sure your site is safe from attack. In short, Wiegman will show folks how securing their open source CMS doesn’t take a dissertation’s worth of work.

Notes:

Built a homegrown CMS. Later moved to Drupal and WordPress.
Developed the plugin: Better WP Security.

Not trying to protect the data. Trying to protect the users of the data.

The protection of our brand and customers from malicious intent.

Open source means security by community.

3 words to live by:
⁃    Just because you can, doesn’t mean you should. Don’t give them a way to post SSNs.
⁃    Keep it simple. Don’t use plugins you don’t need. If you want to try plugins and themes, use a dev site. Don’t change the core!
⁃    Be persistent

Tools:
⁃    Use sftp/ssh
⁃    SSL – if it takes data in
⁃    navigate – replaces phpmyadmin
⁃    WP Plugins
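The “SSL if it takes data in” and “don’t change the core” points above map directly onto a few wp-config.php settings. The fragment below is an added example, not code from the talk or from the Better WP Security plugin; it uses only standard WordPress constants and shows the default (weak) behaviour beside the hardened value.

```php
<?php
// Added hardening fragment for wp-config.php (example, not from the talk or
// from Better WP Security). Place these defines above the line
// "/* That's all, stop editing! Happy blogging. */".

// "SSL – if it takes data in": the login form and wp-admin take credentials,
// so serve them only over HTTPS. Default: false (plain HTTP accepted).
define('FORCE_SSL_ADMIN', true);

// "Don't change the core": the built-in theme/plugin editor lets any
// admin session rewrite PHP files on the live server. Default: editor enabled.
define('DISALLOW_FILE_EDIT', true);

// "Keep it simple / try plugins on a dev site": block plugin and theme
// installs from the production dashboard. Caveat: this also blocks
// dashboard-driven updates, so apply updates over sftp/ssh instead.
define('DISALLOW_FILE_MODS', true);

// Never show PHP errors (file paths, queries) to visitors of a live site.
define('WP_DEBUG', false);
```

Test these on the dev site first: FORCE_SSL_ADMIN with no valid certificate locks you out of wp-admin until it is removed.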

With multisite: make sure to aggregate all comments to a central location so that you can keep an eye on them.
