OWASP Top 10 & WordPress Security (Page 13)

Please note: this post is incomplete & pending review.

TidBits

Okay, so there’s a lot to consider. Besides memorizing these and other exploits, what else can you do?

Harden WordPress

Hardening WordPress was mentioned throughout this series. That article is WordPress.org’s own guidance on making your installation as secure as possible. They keep it separate from the code-level documentation because much of it depends on the server and is applied server-side rather than in your theme or plugin, but every tip in it is a good starting point.

WordPress Coding Standards & Security

No one’s perfect, that’s widely understood, and missing an escape function here or there is easy. It’s important to get your code editor to work for you. When coding anything for WordPress, always run PHPCS with the WPCS (WordPress Coding Standards) ruleset. Its security sniffs flag many of these mistakes as you write them: output echoed without escaping, superglobals read without validation and sanitization, and form handlers that never verify a nonce. Run it with -s and each warning names the sniff that fired, so you can look up exactly what it expects.
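Here is what that looks like in practice, as an added example that is not code from the original post, from WordPress core or from the WPCS project: a snippet WPCS would flag, beside the version that passes its security sniffs, with the validate, sanitize, escape and nonce checks this series keeps coming back to. It assumes a WordPress plugin context (the sanitize_*, esc_*, nonce and capability functions are core WordPress); the function names, the 'delete_note' nonce action and the 'note_id' field are made up for illustration.

```php
<?php
/**
 * Added example, not code from the original post or from WPCS itself.
 * Shows the mistakes WPCS's security sniffs exist to catch, beside the
 * form that passes: validate, sanitize on input, escape on output, and
 * verify a nonce plus capability before changing state.
 *
 * Assumes a WordPress plugin context (sanitize_text_field, wp_unslash,
 * esc_html, wp_verify_nonce, current_user_can, absint, wp_delete_post and
 * wp_die are WordPress core functions). The function names, the nonce
 * action 'delete_note' and the 'note_id' field are hypothetical.
 *
 * Check with (from a project that has wp-coding-standards/wpcs installed):
 *   vendor/bin/phpcs -s --standard=WordPress greeting.php
 */

// BEFORE: reflected XSS. A request with ?name=<script>alert(1)</script>
// echoes the tag straight into the page. WPCS reports this under
// WordPress.Security.ValidatedSanitizedInput (unslashed, unsanitized
// superglobal) and WordPress.Security.EscapeOutput (unescaped echo).
function insecure_greeting() {
	echo 'Hello, ' . $_GET['name'];
}

// AFTER: validate that the value exists, sanitize it on the way in,
// escape it on the way out for the context it lands in. This passes
// the same sniffs.
function secure_greeting() {
	if ( ! isset( $_GET['name'] ) ) {
		return '';
	}

	// wp_unslash() removes the slashes WordPress adds to request data;
	// sanitize_text_field() strips tags, line breaks and invalid UTF-8.
	$name = sanitize_text_field( wp_unslash( $_GET['name'] ) );

	// esc_html() is for HTML text. Use esc_attr() inside an attribute,
	// esc_url() in href/src, and wp_kses_post() for trusted rich text.
	return 'Hello, ' . esc_html( $name );
}

// State-changing POST handler: WordPress.Security.NonceVerification fires
// if $_POST is used here without a nonce check. The form that posts here
// would emit the field with wp_nonce_field( 'delete_note', 'note_nonce' ).
// The nonce stops cross-site request forgery; the capability check stops
// a logged-in user doing something their role does not allow.
function handle_delete_note() {
	$nonce = isset( $_POST['note_nonce'] )
		? sanitize_text_field( wp_unslash( $_POST['note_nonce'] ) )
		: '';

	if ( ! wp_verify_nonce( $nonce, 'delete_note' ) ) {
		wp_die( 'Invalid request.' );
	}

	if ( ! current_user_can( 'delete_posts' ) ) {
		wp_die( 'Insufficient permissions.' );
	}

	// absint() validates the ID down to a non-negative integer.
	$note_id = isset( $_POST['note_id'] ) ? absint( $_POST['note_id'] ) : 0;
	if ( 0 === $note_id ) {
		wp_die( 'Missing note.' );
	}

	wp_delete_post( $note_id, true );
}
```

Running phpcs on the file before the fixes reports the two greeting problems and the missing nonce check; after them it is clean. The point of letting the tooling do this is that the sniffs fire on every save, long before a reviewer or an attacker sees the code.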

WordPress Security Page

I’ve heard many grumblings from non-WordPress developers that WP has a reputation of being insecure. I’ve never felt that way, and last I heard there was a team of 30 security experts working on WordPress. This document, wordpress.org/about/security/, provides great assurance and details about the measures that go into WordPress’s security.

6G Firewall 2018 / Block Bad Queries

The 6G Firewall is a widely used set of rules for defending WordPress at the server level. Copy and paste the rules into your Apache server’s .htaccess. They only take effect where AllowOverride permits it, and nginx does not read .htaccess at all, so there the rules need translating into the server configuration. Because it is a generic blocklist of request patterns, test your site’s own URLs, query strings and admin pages after installing it so legitimate traffic isn’t caught.

..the 6G Firewall protects your site against a wide variety of malicious URI requests, bad bots, spam referrers, and other attacks.

Jeff Starr

If your server doesn’t use .htaccess, or the rules aren’t compatible with it, the author has also written two plugins that apply essentially the same defence at the code level:

Keeping Up To Date

WordPress.org publishes its security releases at: wordpress.org/news/category/security/

OWASP is a great place to keep up with the lightning-fast changes our industry is subject to. They have a Twitter account, mailing lists, and a blog with an Atom feed.

Final Notes

Validate, sanitize, and escape. Escape everything on output, for the context it is printed into. Code as if every user is malicious. Keep software up to date, and keep a vigilant eye.

