Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WordPress Security
Search
Zachary A Skaggs
February 07, 2017
Technology
1
260
WordPress Security
Exploring and patching the weakest link in your WordPress site's security...you.
Zachary A Skaggs
February 07, 2017
Tweet
Share
Other Decks in Technology
See All in Technology
Copilot coding agentにベットしたいCTOが開発組織で取り組んだこと / GitHub Copilot coding agent in Team
tnir
0
200
CDKコード品質UP!ナイスな自作コンストラクタを作るための便利インターフェース
harukasakihara
2
240
Introduction to Bill One Development Engineer
sansan33
PRO
0
260
「Chatwork」のEKS環境を支えるhelmfileを使用したマニフェスト管理術
hanayo04
1
410
LIXIL基幹システム刷新に立ち向かう技術的アプローチについて
tsukuha
1
390
Semantic Machine Intelligence for Vision, Language, and Actions
keio_smilab
PRO
1
170
Talk to Someone At Delta Airlines™️ USA Contact Numbers
travelcarecenter
0
160
Deep Security Conference 2025:生成AI時代のセキュリティ監視 /dsc2025-genai-secmon
mizutani
4
3.1k
ソフトウェアQAがハードウェアの人になったの
mineo_matsuya
3
220
サービスを止めるな! DDoS攻撃へのスマートな備えと最前線の事例
coconala_engineer
1
190
(HackFes)米国国防総省のDevSecOpsライフサイクルをAWSのセキュリティサービスとOSSで実現
syoshie
5
410
PHPからはじめるコンピュータアーキテクチャ / From Scripts to Silicon: A Journey Through the Layers of Computing
tomzoh
2
160
Featured
See All Featured
Let's Do A Bunch of Simple Stuff to Make Websites Faster
chriscoyier
507
140k
A Modern Web Designer's Workflow
chriscoyier
695
190k
[RailsConf 2023 Opening Keynote] The Magic of Rails
eileencodes
29
9.6k
Imperfection Machines: The Place of Print at Facebook
scottboms
267
13k
Documentation Writing (for coders)
carmenintech
72
4.9k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Docker and Python
trallard
45
3.5k
Scaling GitHub
holman
460
140k
Fight the Zombie Pattern Library - RWD Summit 2016
marcelosomers
233
17k
Large-scale JavaScript Application Architecture
addyosmani
512
110k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Why You Should Never Use an ORM
jnunemaker
PRO
58
9.5k
Transcript
WP Chattanooga 2/6/2017 Securing your SELF (Basics)
Passwords
How do they work? - User inputs password - Website
“hashes” the password with complex mathematical formula - Website compares the hashed password with the stored hash - If they match, the site will log you in
Yours are bad and you should feel bad.
The Math of a 6 Character Password Character Types Equation
Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 5m 21s Mixed Case 52^6 20,158,268,676 5h 35m 58s Mixed Case Numeric 62^6 57,731,386,986 16h 2m 11s MCN w/ Symbols 76^6 195,269,260,956 2d 6h 14m 29s
AVERAGE Math of a 6 Character Password Character Types Equation
Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 2m 50s Mixed Case 52^6 20,158,268,676 2h 45m Mixed Case Numeric 62^6 57,731,386,986 8h MCN w/ Symbols 76^6 195,269,260,956 1d 3h
“Real” Math of an AVG 8 Character Password Character Types
Equation Possibilities Brute Forced In: Numeric 10^6 1,111,110 <1 second Lowercase 26^6 321,272,406 <1 second Mixed Case 52^6 20,158,268,676 <1 hr Mixed Case Numeric 62^6 57,731,386,986 <3 hr MCN w/ Symbols 76^6 195,269,260,956 <9 hr
Solutions for Brute Force
Plugins to Detect Brute Force - Jetpack’s “Protect” feature -
iThemes Security - WP Limit Login Attempts - Anti-Malware Security and Brute-Force Firewall - SiteGuard WP Plugin - Shield WordPress Security
But none of that even matters.
YOU are the weakest link, even with the best brute
force plugin.
You likely have been or will be pwned. https://haveibeenpwned.com/
None
Solutions for Being Pwned
Password Manager Options - LastPass - Password Manager (I use
this one and like it) - Dashlane 4 - Zoho Vault - LogMeOnce - RoboForm
Password Manager - Generates a (truly) random password for every
site you visit - Stores all password in an encrypted manner - One master password, protected locally, by 2FA, and brute force detection
What is 2FA?
How do you identify yourself? Three vectors: - Something you
are (Likeness, DNA, fingerprint) - Something you have (ID Card, Phone Number) - Something you know (Password, username)
Two Factor Authentication
WordPress 2FA Methods - Clef - Duo - Authy -
Google Authenticator - Rublon - WordFence
But none of that even matters.
YOU are the weakest link, even with the strongest password
manager
Encryption (SSL / VPN)
None
WITH Encryption (SSL / VPN)
PWNED Username / Password / Credit Cards
WITHOUT Encryption (SSL / VPN)
AWW :( 8a34ee6f0378bc4637635f771e966af1
None
WordPress Plugins for SSL (HTTPS redirect) - Really Simple SSL
- SSL Insecure Content Fixer - WP Force SSL
Easy VPN Services - PrivateTunnel - PIA (Private Internet Access
- Tor OR, set up your own on: - Linode - Digital Ocean - AWS
EL FIN