Please note: this post is incomplete & pending review.
OWASP, the Open Web Application Security Project, is an initiative that educates and informs developers about the most serious threats to web applications and shares that knowledge openly.
OWASP publishes a Top 10 list of vulnerabilities together with prevention guidance, and it is widely regarded as the de facto application security standard. So how does WordPress, the engine powering 30% of the internet, hold up against these vulnerabilities? And how can we, as plugin and theme developers, take advantage of the functions, methods, and APIs WordPress provides to defend against them? Let’s break down the list and take a closer look.
The Top 10 OWASP Risks & WordPress:
- A1 – Injection
- A2 – Broken Authentication
- A3 – Sensitive Data Exposure
- A4 – XML External Entities (XXE)
- A5 – Broken Access Control
- A6 – Security Misconfiguration
- A7 – Cross-Site Scripting (XSS)
- A8 – Insecure Deserialization
- A9 – Using Components with Known Vulnerabilities
- A10 – Insufficient Logging & Monitoring
& More Vulnerabilities & Considerations outside of the Top 10 List:
- Cross-Site Request Forgery (CSRF)
- Open Redirects
- Executing Commands
& some Security Tidbits to make your install and code more secure:
- Hardening WordPress
- WordPress Coding Standards & Security
- WordPress Security Page
- 6G Firewall 2018 / Block Bad Queries
- Keeping up to date