2. Why Security Matters
• Hacking on the rise
• Hacked sites lose traffic
• downtime
• security warnings
• A site getting hacked impacts its rankings eventually
3. What’s Different about AJAX?
• No more or less dangerous per se
• However, extra risks due to higher complexity
• Extra considerations to keep in mind
10. Typical Scenario
• A user is authenticated in the code when the page is loaded
• A user ID or other credentials are displayed in the URL unencoded, picked up by JavaScript
• Unencoded and unauthenticated credentials sent back to server
• HACKED!
11. Insecure WP Plugin Showcase
RevSlider
• First discovered in 2014
• Affects versions below 4.2
• Affects themes using it
inurl:/wp-admin/admin-ajax.php?action=revslider_ajax_action - to find vulnerable revslider plugins
13. Security Measures
• Proper authentication and authorisation checks
• User input validation against XSS and SQL injection
• Use HTTPS if transmitting sensitive data
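The following is an added example, not code from the slides or from any plugin they mention. It puts the "Typical Scenario" from slide 10 next to the three measures listed above, as a WordPress admin-ajax handler: the insecure version trusts a user ID that the page's JavaScript read from the URL, the hardened version takes identity from the session, checks a nonce and a capability, and whitelists input. The plugin slug `iw-demo`, the action and nonce names, and the field list are hypothetical.

```php
<?php
// Added example (not from the slides): a WordPress admin-ajax handler in the
// vulnerable shape of slide 10, followed by a hardened version.
// Assumptions: the "iw_demo_*" action names, the nonce name and the field
// whitelist are hypothetical and only exist for this illustration.

// --- Vulnerable pattern: trusts a user ID that JavaScript read from the URL ---
add_action( 'wp_ajax_iw_demo_profile_insecure', 'iw_demo_profile_insecure' );
add_action( 'wp_ajax_nopriv_iw_demo_profile_insecure', 'iw_demo_profile_insecure' );
function iw_demo_profile_insecure() {
    // No nonce, no capability check, anonymous callers allowed (nopriv hook),
    // and the identity comes straight from the request: anyone can ask for
    // any user's data by changing user_id.
    $user_id = $_REQUEST['user_id'];
    $data    = get_userdata( (int) $user_id );
    wp_send_json( array( 'email' => $data ? $data->user_email : null ) );
}

// --- Hardened pattern ---
// 1. Only logged-in users: no wp_ajax_nopriv_ hook is registered.
add_action( 'wp_ajax_iw_demo_profile', 'iw_demo_profile' );
function iw_demo_profile() {
    // 2. Authentication: the nonce ties the request to this user's session
    //    and stops cross-site requests. Dies with 403 on failure.
    check_ajax_referer( 'iw_demo_profile_nonce', 'nonce' );

    // 3. Authorisation: identity comes from the session, never from the URL.
    //    A user may only read their own record unless they can edit users.
    $requested = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $current   = get_current_user_id();
    if ( $requested !== $current && ! current_user_can( 'edit_users' ) ) {
        wp_send_json_error( array( 'message' => 'Not allowed' ), 403 );
    }

    // 4. Input validation: whitelist the field name instead of echoing raw input.
    $allowed_fields = array( 'display_name', 'user_email' );
    $field = isset( $_POST['field'] ) ? sanitize_key( $_POST['field'] ) : '';
    if ( ! in_array( $field, $allowed_fields, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown field' ), 400 );
    }

    $data = get_userdata( $requested );
    if ( ! $data ) {
        wp_send_json_error( array( 'message' => 'No such user' ), 404 );
    }
    // 5. Output encoding for anything the page's JavaScript will put in the DOM.
    wp_send_json_success( array( $field => esc_html( $data->$field ) ) );
}

// Front end: hand the nonce and endpoint to JavaScript via wp_localize_script
// instead of exposing credentials in the URL. "iw-demo.js" is hypothetical.
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_script( 'iw-demo', plugins_url( 'iw-demo.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'iw-demo', 'iwDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'iw_demo_profile_nonce' ),
    ) );
} );
```

The JavaScript side then POSTs `action=iw_demo_profile`, `nonce=iwDemo.nonce`, `field=...` and (optionally) `user_id` to `iwDemo.ajaxUrl`; the server decides whose data comes back, so a tampered `user_id` in the browser changes nothing for a user without `edit_users`. The `wp_send_json_*` helpers terminate the request, which is why no `return` follows the error branches.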
14. HTTPS
• Implement correctly
• Double check for consistent implementation throughout the site
• Incorrect implementation results in additional security risks and hurts SEO performance
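As an added example (not from the slides), two offline checks for the "consistent implementation" point above: one scans a page's HTML for assets still loaded over plain http:// (mixed content, which browsers block or flag on an HTTPS page), the other checks that the clear-text origin only ever answers with a permanent redirect to https:// and that the encrypted origin sends Strict-Transport-Security. The function names, the sample HTML and the sample responses are constructed for this illustration.

```php
<?php
// Added example, not from the slides: offline checks for a consistent HTTPS
// rollout. The sample HTML and the sample responses are constructed.

/**
 * Return every plain http:// URL found in src/href/action attributes.
 * On a page served over https:// these are mixed-content candidates.
 */
function iw_find_mixed_content( string $html ): array {
    $found = array();
    if ( preg_match_all( '/\b(?:src|href|action)\s*=\s*["\'](http:\/\/[^"\']+)["\']/i', $html, $m ) ) {
        $found = array_values( array_unique( $m[1] ) );
    }
    return $found;
}

/**
 * Compare the responses of the http:// and https:// origins of the same URL.
 * Each response is array( 'status' => int, 'headers' => array ).
 */
function iw_check_https_rollout( array $http_response, array $https_response ): array {
    $problems = array();
    $h1 = array_change_key_case( $http_response['headers'], CASE_LOWER );
    $h2 = array_change_key_case( $https_response['headers'], CASE_LOWER );

    // The clear-text origin must only ever answer with a permanent redirect.
    if ( $http_response['status'] !== 301 ) {
        $problems[] = 'http:// origin answers ' . $http_response['status'] . ' instead of 301';
    }
    if ( strpos( $h1['location'] ?? '', 'https://' ) !== 0 ) {
        $problems[] = 'http:// origin does not redirect to an https:// URL';
    }
    // The encrypted origin should pin browsers to HTTPS for future visits.
    if ( empty( $h2['strict-transport-security'] ) ) {
        $problems[] = 'https:// origin sends no Strict-Transport-Security header';
    }
    return $problems;
}

// Constructed sample: a page served over https:// that still embeds http:// assets.
$sample_html = <<<'HTML'
<html><head>
<link rel="stylesheet" href="http://www.example.com/wp-content/themes/t/style.css">
<script src="https://www.example.com/wp-includes/js/jquery.js"></script>
</head><body>
<img src="http://cdn.example.net/logo.png">
<form action="https://www.example.com/wp-admin/admin-ajax.php"></form>
</body></html>
HTML;
print_r( iw_find_mixed_content( $sample_html ) );

// Constructed sample: http:// still serves the page in clear, https:// has no HSTS.
$http_origin  = array( 'status' => 200, 'headers' => array( 'Content-Type' => 'text/html' ) );
$https_origin = array( 'status' => 200, 'headers' => array( 'Content-Type' => 'text/html' ) );
print_r( iw_check_https_rollout( $http_origin, $https_origin ) );
```

Against a live site the same functions can be fed the body and headers returned by `wp_remote_get()` (or `curl`) for each URL in the sitemap, which turns the "double check throughout the site" bullet into a repeatable check rather than a one-off look at the home page.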
15. Plugins and Themes
• Know what you use
• Update to the latest (patched) versions
16. Bonus!
• Showcase: RevSlider vulnerability story
http://securityaffairs.co/wordpress/35431/cyber-crime/revslider-plugin-vulnerable.html
• How to update a plugin if it’s included in a theme
http://www.themepunch.com/faq/update-plugin-packaged-theme/
• Free website malware and security scanner
https://sitecheck.sucuri.net/ (WARNING: will not catch all security issues but may be of help)
• Test your HTTPS https://www.ssllabs.com/ssltest/index.html
17. @irishwonder BAC, Berlin October 2015
Questions?
Feel free to get in touch!
• info@irishwonder.com
• Twitter: @irishwonder
• Slideshare: http://www.slideshare.net/irishwonder/
• LinkedIn: linkedin.com/in/irishwonder
• Blogs:
http://www.irishwonder.com/blog/ - general SEO
http://www.irishwonder.syndk8.co.uk/ - darker areas
#LAC2016