Lessons Learned by the WordPress Security Team

DerbyCon 2018


Aaron D. Campbell

Top Secret

Aaron D. Campbell

WordPress Security Team Lead




Our Goal


Keep WordPress Users Secure

Lesson 1:

Users Over Software

Users on Out-of-Date Versions of WordPress are Less Secure – What do we do?

Upgrade for them

Auto Updates

Should We Backport?

Will it help keep WordPress users secure?


Backport it

Securing Users is Complex

Educate Users

Lesson 1b:

Educating Users is Hard

But Important

15 Years of WordPress

WordPress % of Internet

Extrapolated Terribly to # Sites

Lesson 2:

Reassess Regularly


  • Slack
  • Trac
  • HackerOne

Lesson 3:

Tools Don’t Fix Most Problems

Lesson 4:

Relationships are Important

Q & A

Aaron D. Campbell – @AaronCampbell

Slides: https://adcwp.me/derbycon2018

This presentation is running on WordPress using the Presenter plugin