With information security being one of my passions, it was great fun to present at the Melbourne WordPress Developers Meetup this week. The topic I chose was “Is My WordPress Site Hacked? Identifying a Compromised WordPress Website“.
There’s already a good pool of information on hardening WordPress and preventing attacks, as well as post-hack checklists, but I wanted to do something different. So, I thought I’d tackle the topic of how you can reliably detect security incidents before things turn bad. It covered a few tips on why you shouldn’t be complacent when it comes to security, and how you can spot early warning signs.
The saying is “if you can’t prevent, you must detect“. We already know there’s no such thing as absolute security, so detection is an essential function for the operation of any mission critical website.
With WordPress being the platform of choice for a growing number of web development projects, it’s now being used for many more types of websites than what most people may think. Long gone are the days of WordPress being only used for blogs and CMS-centric websites.
WordPress is now the core component for a variety of types of website, including ecommerce, digital distribution, membership, learning management, community (forums using bbPress and social glue using BuddyPress) and much more. From form processors capturing all sorts of data, using all types of custom workflows, to Advanced Custom Fields (ACF) where developers are building things we’ve never imagined, you can appreciate why WordPress security is such an important topic.
And don’t forget the WP API, this opens up WordPress to an even bigger audience of developers and applications.
I wanted to give a shout out to the team at Automattic and their VIP partners, Tony Perez, Daniel Cid and the rest of the Sucuri team, Jeff Star from Perishable Press, and Mark Abela from WP White Security. They’re some of the people I’ve long followed and keep learning from. You can find a lot of them on WPSecurityBloggers.com.
