
WordPress Security

Exploring and patching the weakest link in your WordPress site's security...you.

Zachary A Skaggs

February 07, 2017

Transcript

  1. How do they work?
     - User inputs password
     - Website “hashes” the password with a complex mathematical formula
     - Website compares the hashed password with the stored hash
     - If they match, the site will log you in
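The four steps on this slide, written out as an added example that is not part of the deck and not WordPress's own code: the site never stores the password, only a salted PBKDF2-HMAC-SHA256 hash, and at login it re-hashes the submitted password and compares digests in constant time. The iteration count, salt length, record format, `login` helper and the sample user table are all assumptions made for this illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Work factor and salt length are assumptions for this example, not values from the deck.
ITERATIONS = 200_000
SALT_BYTES = 16


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash a password with PBKDF2-HMAC-SHA256 and a per-user random salt.

    Returns a self-describing record "pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>"
    so the verifier can recover the parameters later (format chosen for this example).
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-hash the submitted password with the stored salt and compare the digests.

    hmac.compare_digest runs in constant time, so the comparison leaks nothing
    about how many bytes of the digest matched.
    """
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
        salt = bytes.fromhex(salt_hex)
        rounds = int(iterations)
    except ValueError:
        return False  # malformed record: never treat it as a match
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, rounds)
    return hmac.compare_digest(digest.hex(), hash_hex)


# A dummy record hashed once at import so that a login for an unknown username still
# performs a full PBKDF2 computation; otherwise response time reveals which usernames exist.
_DUMMY_RECORD = hash_password("not-a-real-password", iterations=ITERATIONS)


def login(users: Dict[str, str], username: str, password: str) -> bool:
    """The flow from the slide: look up the stored hash, hash the input, compare."""
    stored = users.get(username)
    if stored is None:
        verify_password(password, _DUMMY_RECORD)  # same work as a real check, then refuse
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample user table; the password is only for demonstration.
    users = {"alice": hash_password("correct horse battery staple")}
    print("right password:", login(users, "alice", "correct horse battery staple"))
    print("wrong password:", login(users, "alice", "Tr0ub4dor&3"))
    print("unknown user:  ", login(users, "mallory", "anything"))
```

Because the salt is random per user, two users with the same password get different records, and an attacker who obtains the table cannot crack them all with one precomputed list; the iteration count is what turns the "complex mathematical formula" into something slow enough to blunt the brute-force rates on the next slides.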
  2. The Math of a 6 Character Password

     Character Types      Equation   Possibilities     Brute Forced In
     Numeric              10^6       1,111,110         1 second
     Lowercase            26^6       321,272,406       5m 21s
     Mixed Case           52^6       20,158,268,676    5h 35m 58s
     Mixed Case Numeric   62^6       57,731,386,986    16h 2m 11s
     MCN w/ Symbols       76^6       195,269,260,956   2d 6h 14m 29s
  3. AVERAGE Math of a 6 Character Password

     Character Types      Equation   Possibilities     Brute Forced In
     Numeric              10^6       1,111,110         1 second
     Lowercase            26^6       321,272,406       2m 50s
     Mixed Case           52^6       20,158,268,676    2h 45m
     Mixed Case Numeric   62^6       57,731,386,986    8h
     MCN w/ Symbols       76^6       195,269,260,956   1d 3h
  4. “Real” Math of an AVG 8 Character Password

     Character Types      Equation   Possibilities     Brute Forced In
     Numeric              10^6       1,111,110         <1 second
     Lowercase            26^6       321,272,406       <1 second
     Mixed Case           52^6       20,158,268,676    <1 hr
     Mixed Case Numeric   62^6       57,731,386,986    <3 hr
     MCN w/ Symbols       76^6       195,269,260,956   <9 hr
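The three tables above can be regenerated from two numbers, which is easier to reason about than the rows themselves. This is an added example, not the deck's own calculation. Two observations drive it: the "Possibilities" column is the cumulative count of every string from 1 up to 6 characters (10 + 100 + ... + 10^6 = 1,111,110, not 10^6 on its own), and the deck does not state a guess rate, but 1,000,000 guesses per second reproduces every worst-case time in the first table exactly, so that rate is used here as an assumption. The "AVERAGE" table is the same work halved (the target is found halfway through on average; the deck rounds its times slightly differently), and the `max_length` and `guesses_per_second` parameters let you rerun it for 8 characters or for the far higher rate implied by the "Real" table. The 10^9/s rate in the demo output is an assumed value, not one from the deck.

```python
from typing import Dict, List

# Alphabet sizes for the character classes used in the deck's tables.
CHARSETS: Dict[str, int] = {
    "Numeric": 10,
    "Lowercase": 26,
    "Mixed Case": 52,
    "Mixed Case Numeric": 62,
    "MCN w/ Symbols": 76,
}

# Assumption: the deck gives no guess rate, but 1,000,000 guesses/second reproduces
# its worst-case times exactly, so it is the default here.
DEFAULT_RATE = 1_000_000


def keyspace(alphabet_size: int, max_length: int, min_length: int = 1) -> int:
    """Count every candidate from min_length up to max_length characters.

    The deck's "Possibilities" column is this cumulative count, not just N^6:
    a brute-forcer that works up from short strings has to cover all of them.
    """
    return sum(alphabet_size ** k for k in range(min_length, max_length + 1))


def crack_seconds(candidates: int, guesses_per_second: float = DEFAULT_RATE,
                  average: bool = False) -> float:
    """Worst case tries the whole space; on average the target is found halfway."""
    work = candidates / 2 if average else candidates
    return work / guesses_per_second


def fmt_duration(seconds: float) -> str:
    """Render whole seconds in the deck's notation, e.g. '2d 6h 14m 29s'."""
    total = int(seconds)
    days, rest = divmod(total, 86400)
    hours, rest = divmod(rest, 3600)
    minutes, secs = divmod(rest, 60)
    units = ((days, "d"), (hours, "h"), (minutes, "m"), (secs, "s"))
    parts = [f"{value}{unit}" for value, unit in units if value]
    return " ".join(parts) if parts else "<1s"


def crack_table(max_length: int = 6, guesses_per_second: float = DEFAULT_RATE,
                average: bool = False) -> List[Dict[str, object]]:
    """Build the rows of the deck's table for any password length and guess rate."""
    rows = []
    for name, size in CHARSETS.items():
        count = keyspace(size, max_length)
        rows.append({
            "charset": name,
            "equation": f"{size}^{max_length}",
            "possibilities": count,
            "time": fmt_duration(crack_seconds(count, guesses_per_second, average)),
        })
    return rows


if __name__ == "__main__":
    scenarios = (
        ("6 characters, worst case, 1e6 guesses/s", {}),
        ("6 characters, average, 1e6 guesses/s", {"average": True}),
        # 1e9/s is an assumed, GPU-class rate chosen for illustration only.
        ("8 characters, worst case, 1e9 guesses/s (assumed)",
         {"max_length": 8, "guesses_per_second": 1e9}),
    )
    for label, kwargs in scenarios:
        print(label)
        for row in crack_table(**kwargs):
            print(f"  {row['charset']:<20}{row['equation']:<8}"
                  f"{row['possibilities']:>18,}  {row['time']}")
```

The useful defender's takeaway is in the exponents: adding one character multiplies the work by the alphabet size, while adding a character class only changes the base, so length wins. The rate-limiting plugins on the next slide attack the other factor, `guesses_per_second`, by refusing to answer thousands of login attempts per second in the first place.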
  5. Plugins to Detect Brute Force
     - Jetpack’s “Protect” feature
     - iThemes Security
     - WP Limit Login Attempts
     - Anti-Malware Security and Brute-Force Firewall
     - SiteGuard WP Plugin
     - Shield WordPress Security
  6. Password Manager Options
     - LastPass
     - Password Manager (I use this one and like it)
     - Dashlane 4
     - Zoho Vault
     - LogMeOnce
     - RoboForm
  7. Password Manager
     - Generates a (truly) random password for every site you visit
     - Stores all passwords in an encrypted manner
     - One master password, protected locally, by 2FA, and by brute force detection
  8. How do you identify yourself? Three vectors:
     - Something you are (Likeness, DNA, fingerprint)
     - Something you have (ID Card, Phone Number)
     - Something you know (Password, username)
  9. WordPress 2FA Methods
     - Clef
     - Duo
     - Authy
     - Google Authenticator
     - Rublon
     - WordFence
  10. WordPress Plugins for SSL (HTTPS redirect)
     - Really Simple SSL
     - SSL Insecure Content Fixer
     - WP Force SSL
  11. Easy VPN Services
     - PrivateTunnel
     - PIA (Private Internet Access)
     - Tor
     OR, set up your own on:
     - Linode
     - Digital Ocean
     - AWS