Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WordPress Security
Search
Zachary A Skaggs
February 07, 2017
Technology
1
260
WordPress Security
Exploring and patching the weakest link in your WordPress site's security...you.
Zachary A Skaggs
February 07, 2017
Tweet
Share
Other Decks in Technology
See All in Technology
php-conference-nagoya-2025
fuwasegu
0
110
エンジニアのためのドキュメント力基礎講座〜構造化思考から始めよう〜(2025/02/15jbug広島#15発表資料)
yasuoyasuo
18
7.2k
データエンジニアリング領域におけるDuckDBのユースケース
chanyou0311
1
140
一度 Expo の採用を断念したけど、 再度 Expo の導入を検討している話
ichiki1023
1
240
EDRの検知の仕組みと検知回避について
chayakonanaika
4
2k
Cloud Spanner 導入で実現した快適な開発と運用について
colopl
1
920
PHPで印刷所に入稿できる名札データを作る / Generating Print-Ready Name Tag Data with PHP
tomzoh
0
150
Reading Code Is Harder Than Writing It
trishagee
2
110
なぜ私は自分が使わないサービスを作るのか? / Why would I create a service that I would not use?
aiandrox
0
880
コンピュータビジョンの社会実装について考えていたらゲームを作っていた話
takmin
1
500
30分でわかる『アジャイルデータモデリング』
hanon52_
10
2.9k
TAMとre:Capセキュリティ編 〜拡張脅威検出デモを添えて〜
fujiihda
2
370
Featured
See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
280
13k
Gamification - CAS2011
davidbonilla
80
5.1k
Side Projects
sachag
452
42k
GraphQLの誤解/rethinking-graphql
sonatard
68
10k
It's Worth the Effort
3n
184
28k
Mobile First: as difficult as doing things right
swwweet
223
9.3k
Statistics for Hackers
jakevdp
797
220k
Become a Pro
speakerdeck
PRO
26
5.1k
Build your cross-platform service in a week with App Engine
jlugia
229
18k
How to Ace a Technical Interview
jacobian
276
23k
Typedesign – Prime Four
hannesfritz
40
2.5k
Documentation Writing (for coders)
carmenintech
67
4.6k
Transcript
WP Chattanooga 2/6/2017 Securing your SELF (Basics)
Passwords
How do they work? - User inputs password - Website
“hashes” the password with complex mathematical formula - Website compares the hashed password with the stored hash - If they match, the site will log you in
Yours are bad and you should feel bad.
The Math of a 6 Character Password Character Types Equation
Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 5m 21s Mixed Case 52^6 20,158,268,676 5h 35m 58s Mixed Case Numeric 62^6 57,731,386,986 16h 2m 11s MCN w/ Symbols 76^6 195,269,260,956 2d 6h 14m 29s
AVERAGE Math of a 6 Character Password Character Types Equation
Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 2m 50s Mixed Case 52^6 20,158,268,676 2h 45m Mixed Case Numeric 62^6 57,731,386,986 8h MCN w/ Symbols 76^6 195,269,260,956 1d 3h
“Real” Math of an AVG 8 Character Password Character Types
Equation Possibilities Brute Forced In: Numeric 10^6 1,111,110 <1 second Lowercase 26^6 321,272,406 <1 second Mixed Case 52^6 20,158,268,676 <1 hr Mixed Case Numeric 62^6 57,731,386,986 <3 hr MCN w/ Symbols 76^6 195,269,260,956 <9 hr
Solutions for Brute Force
Plugins to Detect Brute Force - Jetpack’s “Protect” feature -
iThemes Security - WP Limit Login Attempts - Anti-Malware Security and Brute-Force Firewall - SiteGuard WP Plugin - Shield WordPress Security
But none of that even matters.
YOU are the weakest link, even with the best brute
force plugin.
You likely have been or will be pwned. https://haveibeenpwned.com/
None
Solutions for Being Pwned
Password Manager Options - LastPass - Password Manager (I use
this one and like it) - Dashlane 4 - Zoho Vault - LogMeOnce - RoboForm
Password Manager - Generates a (truly) random password for every
site you visit - Stores all password in an encrypted manner - One master password, protected locally, by 2FA, and brute force detection
What is 2FA?
How do you identify yourself? Three vectors: - Something you
are (Likeness, DNA, fingerprint) - Something you have (ID Card, Phone Number) - Something you know (Password, username)
Two Factor Authentication
WordPress 2FA Methods - Clef - Duo - Authy -
Google Authenticator - Rublon - WordFence
But none of that even matters.
YOU are the weakest link, even with the strongest password
manager
Encryption (SSL / VPN)
None
WITH Encryption (SSL / VPN)
PWNED Username / Password / Credit Cards
WITHOUT Encryption (SSL / VPN)
AWW :( 8a34ee6f0378bc4637635f771e966af1
None
WordPress Plugins for SSL (HTTPS redirect) - Really Simple SSL
- SSL Insecure Content Fixer - WP Force SSL
Easy VPN Services - PrivateTunnel - PIA (Private Internet Access
- Tor OR, set up your own on: - Linode - Digital Ocean - AWS
EL FIN