Why 99% Of WordPress Vulnerabilities Are Utterly Irrelevant
Room B | Mon 20 Jan 4:40 p.m.–5:25 p.m.
Presented by
- Cameron Jones
@cameronjonesweb
https://cameronjonesweb.com.au
Cameron Jones enjoys what could be described as the entrepreneur's dream; living by the beach in the coastal town of Victor Harbor in Australia while he runs his web development agency Shortie Designs. He is also the founder of the premium WordPress plugin store Mongoose Marketplace. You can find him online at @cameronjonesweb on most platforms.
Abstract
WordPress has gone from strength to strength over a period of two decades and is now the most popular CMS around, powering close to half of the internet. As WordPress has grown, so has the target on its back for hackers. With about 60,000 free plugins available on WordPress.org alone and a traditionally low barrier of entry, it’s only a matter of time until hackers find a chink in a site’s armour.
Here at Shortie Designs one of our primary services is providing website maintenance and security services for WordPress sites. As part of our security services we keep a very close eye on vulnerability reports in the WordPress ecosystem, and with so many themes and plugins out there it is an endless stream. When a report comes across our desk we review the risk of it being exploited on our client sites, and it didn’t take long for us to realise CVE ratings are completely worthless when it comes to WordPress.
This presentation will break down a number of vulnerability reports and show how their CVE ratings fail to accurately reflect the true risk to the site, propose a better methodology for rating vulnerability reports, and describe the strategies we take to protect our clients’ sites from their biggest threat: the clients themselves.