Andrew Nacin, Lead Developer of WordPress.org, will provide a brief overview and take questions about WordPress's security, its core software and how WordPress approaches development.

1. WordPress as an
Open Source Project
(and Security)

2. • Andrew Nacin
• Lead Developer for WordPress
• Washington, D.C.
• Work for WP founder Matt Mullenweg
(Don't work for Automattic or WP.com)
• Full time on WordPress (the project)
and WordPress.org (the site)
• WordPress Security Team

3. A bit about WordPress releases
• You're not adopting WordPress 3.5
• You're not adopting WordPress 3
• You're adopting WordPress

4. current WordPress version
3.5.1

5. current WordPress version
3.5.1MAJOR
RELEASE
MINOR
RELEASE

6. These are major releases
• WordPress 2.8, 2.9, 3.0, 3.1, 3.2
• New features, enhancements, and bug fixes
• Every 4-6 months
These are minor releases
• WordPress 3.4.1, 3.4.2, 3.5.1
• Major bug fixes, sometimes security fixes
• As needed

7. Our philosophies are important
wordpress.org/about/philosophy

8. Backwards compatibility
• This is our commitment to users
• Code that works on WordPress now
should always work on WordPress
• Update to minor releases immediately
• If you must, wait for the .1 for major releases
• (But you shouldn't need to wait)
• Don't skip releases: There is no need to

9. How to justify this in government
• We don't have LTS (long term support)
releases (no demand for it)
• Semantic versioning dictates that a
major release is one that breaks compatibility
• Since we don't do that, government could
think of it as a minor release. Just upgrade :-)

10. Very basic* crash course in
WordPress security
* sysadmins may be bored

11. Keep everything updated
• Keep WordPress core updated
– Consider following all changes to the 3.5
branch, not just final releases 3.5.1, 3.5.2, etc.
• Keep plugins and themes updated
• (or if necessary, backport security fixes)
• No, seriously
• Consider a security audit by
WordPress experts (e.g. Automattic)

12. Prevent file changes in the admin
• Prevent upgrade of plugins, themes, core
• You should be using version control anyway
(Subversion or Git)
• In wp-config.php:
define('DISALLOW_FILE_MODS', true);

13. Locking down access
• In wp-config.php, force SSL:
define('FORCE_SSL_ADMIN', true);
• If necessary, lock down wp-login.php
and wp-admin:
– Restrict it to your VPN or proxy
– Restrict it using HTTP Basic Authentication
– Restrict it to your office IP addresses

14. Report potential
security vulnerabilities to:
security@wordpress.org

15. Report potential
security vulnerabilities
in plugins to:
plugins@wordpress.org

16. The WordPress security team
• 25 experts including lead developers
and security researchers
– About half are employees of Automattic
– A number work in the web security fieldWe
• We consult with well-known and trusted
security researchers
• We notify major hosting companies and
government agencies of critical issues
(contact us: security@wordpress.org)

17. Our (fairly standard) security process
• Receive and acknowledge the report
• Work to confirm the report and its severity
• Plan and develop an initial patch
• All of this happens within 48-72 hours

18. • nacin@wordpress.org
• security@wordpress.org
• Questions?