
Drupal HackCamp Bucharest


Only a month has passed since DrupalCamp Transylvania, and already another Drupal Camp has come and gone in Romania. This time it was Drupal HackCamp, organised in the Romanian capital, Bucharest. It was a Drupal Camp with a very specific theme: Security.

 

Vasi Chindris
Tue, 06/19/2020 – 14:29

Throughout the sessions presented at the Camp, one was able to find out what security issues Drupal had experienced in the past, how the Drupal Security team, as well as the Community in general, had dealt with them, what Drupal did to improve the security of the platforms that were developed using the CMS and what can (and should) be done to have a more secure application.

Since I first heard of it, a Camp focused on Drupal security sounded really interesting to me. This is the type of camp every Drupal developer should attend at least once in their career. Actually any web developer for that matter. As we know, security is a very important topic with regards to the web. Even for experienced developers, some things can be very tricky, as an application’s security does not only depend on the code. It also depends on how the web server is configured or what kind of third-party libraries your code depends on. Additionally, it also depends on the libraries you are using in development, if they are used to pack or bundle your code, or if they end up touching your code in any other way.

One of the sessions which focused on how Drupal improved its security with each new version was Peter Wolanin’s “10 Ways Drupal 8 Is More Secure”.

In this session, Peter Wolanin first gave a brief introduction to the OWASP Top 10, a list of the top 10 critical security risks that affect a web application. This is not only Drupal related; it applies to any kind of application that is accessible via the web. Next, he pointed out 10 things Drupal 8 implemented that help the developer to avoid those security risks. Among the points he mentioned were the autoescaping feature implemented in Twig (so now everything which is output by Twig is escaped by default), the automatic CSRF tokens in the route definitions (making it easier for the developer to create links which are valid only for the current user session), the removal of the PHP input filter (which was very dangerous if misused), and the enforcement of trusted host patterns for requests (so that your application will respond only if requested via a host which you actually trust).
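The trusted host check from the list above, as an added example (not Drupal core code and not from the talk): a hypothetical `host_is_trusted()` helper matches the Host header against patterns written in the style of the `trusted_host_patterns` setting in `settings.php`, and shows why each pattern needs `^` and `$` anchors. All hostnames are constructed.

```php
<?php
// Added illustration, not Drupal core code. host_is_trusted() is a
// hypothetical helper; the patterns and hostnames below are constructed.

/**
 * Returns true when $host matches at least one trusted pattern.
 * Patterns are regular-expression bodies, in the style used for
 * $settings['trusted_host_patterns'] in settings.php.
 */
function host_is_trusted(string $host, array $patterns): bool {
  // Strip an optional port and normalise case before matching.
  $host = strtolower(preg_replace('/:\d+$/', '', trim($host)));
  // Reject empty values and anything that is not a plain DNS name
  // (this simplified check also rejects IPv6 literals).
  if ($host === '' || !preg_match('/^[a-z0-9.\-]+$/', $host)) {
    return false;
  }
  foreach ($patterns as $pattern) {
    if (preg_match('{' . $pattern . '}i', $host) === 1) {
      return true;
    }
  }
  return false;
}

// Anchored: one exact host, plus any subdomain of example.org.
$anchored = ['^www\.example\.com$', '^.+\.example\.org$'];
// Unanchored: a common mistake that also accepts look-alike hosts.
$unanchored = ['example\.com'];

$hosts = [
  'www.example.com',               // trusted by both lists
  'WWW.EXAMPLE.COM:443',           // same host, different case, with port
  'cdn.example.org',               // trusted only by the anchored list
  'www.example.com.other.test',    // look-alike: only the unanchored list accepts it
  'other.test',                    // rejected by both lists
];

foreach ($hosts as $h) {
  printf("%-30s anchored=%-5s unanchored=%s\n",
    $h,
    var_export(host_is_trusted($h, $anchored), true),
    var_export(host_is_trusted($h, $unanchored), true));
}
```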

As previously mentioned, having a secure app doesn’t guarantee that your Drupal is secure. Nowadays, there is a growing interest in having decoupled apps. This means you have a backend which is usually used for content management only (that can be a Drupal site) and a frontend, which is a modern JS application that can optionally be implemented using a framework like React, Vue.js, and so on. But then you also need to use npm for installing the additional JS libraries you need, webpack for creating the JavaScript bundles for your app, and Babel for transpiling your JavaScript code. So suddenly you start to introduce a ton of other dependencies, which each depend on a lot of other packages. Alexandru Badiu did a presentation called “JS and Security”, which covered some of those aspects.

So, you do the best you can to write secure code, try to evaluate the dependencies of your project, and make sure that they don’t introduce critical security issues, but is that enough? There could still be several security issues which you’re unaware of, which will only be discovered while you are using the application. It would be awesome if we were able to do something to proactively protect ourselves against common security risks.

Bastian Widmer (@dasrecht) presented a talk on this subject, entitled “How Open Source will help you to survive the next Drupalgeddon”, where he showed us a few tips that we can use in advance, in order to respond to potential security issues in future. Besides ensuring you do regular updates for all your app’s dependencies, you could also take some measures at the web server level. For example, only allow index.php to be executed, use a web application firewall or make sure that your operating system is configured properly.

Of course, there had to be a session about the last Drupalgeddon(s) at a Camp focusing on Security. The event’s keynote was by Jasper Mattsson, who actually discovered Drupalgeddon 2. He shared some tips with us on how to find security breaches. He said that there is no secret ‘recipe’ for that, but a good starting point is to look for functions which output data, which can do multiple things, perhaps depending on how they are invoked (in which context or with which parameters), or which can trigger code execution.

There is one very important thing to keep in mind if you discover a security breach: do not post it on the regular Drupal issue queue. Instead, follow the instructions on how to report a security issue when you find one. The implications of reporting a security issue inside the regular Drupal issue queue can be very dangerous, as the attackers will then have plenty of time to create an attack until the issue is fixed.

Being in a city with such a rich history, we could certainly not miss the walking tour that the organisers had prepared for us on the Saturday afternoon. During the tour, we saw Bucharest’s most iconic buildings, which have survived all the great historical periods over the last 200 years – the monarchy, two world wars, communism and now democracy.

Drupal HackCamp Bucharest was a really great event, and I hope it takes place next year. It is of great value to all web developers, especially those at the beginning of their careers, as it prepares them for the dangers of the wild world wide web and equips them with the required knowledge to guard against any that may pop up along the way.

