Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WordPress Security
Search
Zachary A Skaggs
February 07, 2017
Technology
1
260
WordPress Security
Exploring and patching the weakest link in your WordPress site's security...you.
Zachary A Skaggs
February 07, 2017
Tweet
Share
Other Decks in Technology
See All in Technology
生成AIを活用したZennの取り組み事例
ryosukeigarashi
0
200
AI ReadyなData PlatformとしてのAutonomous Databaseアップデート
oracle4engineer
PRO
0
190
Shirankedo NOCで見えてきたeduroam/OpenRoaming運用ノウハウと課題 - BAKUCHIKU BANBAN #2
marokiki
0
150
Findy Team+のSOC2取得までの道のり
rvirus0817
0
340
綺麗なデータマートをつくろう_データ整備を前向きに考える会 / Let's create clean data mart
brainpadpr
2
100
フルカイテン株式会社 エンジニア向け採用資料
fullkaiten
0
9k
自動テストのコストと向き合ってみた
qa
0
160
OpenAI gpt-oss ファインチューニング入門
kmotohas
2
970
Where will it converge?
ibknadedeji
0
180
バイブコーディングと継続的デプロイメント
nwiizo
2
430
神回のメカニズムと再現方法/Mechanisms and Playbook for Kamikai scrumat2025
moriyuya
4
540
Large Vision Language Modelを用いた 文書画像データ化作業自動化の検証、運用 / shibuya_AI
sansan_randd
0
110
Featured
See All Featured
Scaling GitHub
holman
463
140k
Understanding Cognitive Biases in Performance Measurement
bluesmoon
29
2.6k
Building an army of robots
kneath
306
46k
Six Lessons from altMBA
skipperchong
28
4k
The Language of Interfaces
destraynor
162
25k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
657
61k
JavaScript: Past, Present, and Future - NDC Porto 2020
reverentgeek
52
5.6k
The Myth of the Modular Monolith - Day 2 Keynote - Rails World 2024
eileencodes
26
3.1k
Statistics for Hackers
jakevdp
799
220k
The Straight Up "How To Draw Better" Workshop
denniskardys
237
140k
How STYLIGHT went responsive
nonsquared
100
5.8k
Documentation Writing (for coders)
carmenintech
75
5k
Transcript
WP Chattanooga 2/6/2017 Securing your SELF (Basics)
Passwords
How do they work? - User inputs password - Website
“hashes” the password with complex mathematical formula - Website compares the hashed password with the stored hash - If they match, the site will log you in
Yours are bad and you should feel bad.
The Math of a 6 Character Password Character Types Equation
Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 5m 21s Mixed Case 52^6 20,158,268,676 5h 35m 58s Mixed Case Numeric 62^6 57,731,386,986 16h 2m 11s MCN w/ Symbols 76^6 195,269,260,956 2d 6h 14m 29s
AVERAGE Math of a 6 Character Password Character Types Equation
Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 2m 50s Mixed Case 52^6 20,158,268,676 2h 45m Mixed Case Numeric 62^6 57,731,386,986 8h MCN w/ Symbols 76^6 195,269,260,956 1d 3h
“Real” Math of an AVG 8 Character Password Character Types
Equation Possibilities Brute Forced In: Numeric 10^6 1,111,110 <1 second Lowercase 26^6 321,272,406 <1 second Mixed Case 52^6 20,158,268,676 <1 hr Mixed Case Numeric 62^6 57,731,386,986 <3 hr MCN w/ Symbols 76^6 195,269,260,956 <9 hr
Solutions for Brute Force
Plugins to Detect Brute Force - Jetpack’s “Protect” feature -
iThemes Security - WP Limit Login Attempts - Anti-Malware Security and Brute-Force Firewall - SiteGuard WP Plugin - Shield WordPress Security
But none of that even matters.
YOU are the weakest link, even with the best brute
force plugin.
You likely have been or will be pwned. https://haveibeenpwned.com/
None
Solutions for Being Pwned
Password Manager Options - LastPass - Password Manager (I use
this one and like it) - Dashlane 4 - Zoho Vault - LogMeOnce - RoboForm
Password Manager - Generates a (truly) random password for every
site you visit - Stores all password in an encrypted manner - One master password, protected locally, by 2FA, and brute force detection
What is 2FA?
How do you identify yourself? Three vectors: - Something you
are (Likeness, DNA, fingerprint) - Something you have (ID Card, Phone Number) - Something you know (Password, username)
Two Factor Authentication
WordPress 2FA Methods - Clef - Duo - Authy -
Google Authenticator - Rublon - WordFence
But none of that even matters.
YOU are the weakest link, even with the strongest password
manager
Encryption (SSL / VPN)
None
WITH Encryption (SSL / VPN)
PWNED Username / Password / Credit Cards
WITHOUT Encryption (SSL / VPN)
AWW :( 8a34ee6f0378bc4637635f771e966af1
None
WordPress Plugins for SSL (HTTPS redirect) - Really Simple SSL
- SSL Insecure Content Fixer - WP Force SSL
Easy VPN Services - PrivateTunnel - PIA (Private Internet Access
- Tor OR, set up your own on: - Linode - Digital Ocean - AWS
EL FIN