Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WordPress Security

Avatar for Zachary A Skaggs Zachary A Skaggs
February 07, 2017
Technology
1
260

WordPress Security

Exploring and patching the weakest link in your WordPress site's security...you.

Avatar for Zachary A Skaggs

Zachary A Skaggs

February 07, 2017
Tweet

Other Decks in Technology

See All in Technology
AIでデータ活用を加速させる取り組み / Leveraging AI to accelerate data utilization
Avatar for okiyuki okiyuki99
5
1.3k
プレイドのユニークな技術とインターンのリアル
Avatar for PLAID Tech plaidtech
PRO
1
480
アウトプットから始めるOSSコントリビューション 〜eslint-plugin-vueの場合〜 #vuefes
Avatar for 弁護士ドットコム bengo4com
3
1.8k
組織全員で向き合うAI Readyなデータ利活用
Avatar for harry gappy50
4
1.5k
プロダクト開発と社内データ活用での、BI×AIの現在地 / Data_Findy
Avatar for Sansan R&D sansan_randd
1
610
CNCFの視点で捉えるPlatform Engineering - 最新動向と展望 / Platform Engineering from the CNCF Perspective
Avatar for hhiroshell hhiroshell
0
140
DMMの検索システムをSolrからElasticCloudに移行した話
Avatar for 小山凌太 hmaa_ryo
0
180
re:Inventに行くまでにやっておきたいこと
Avatar for nagisa_53 nagisa53
0
700
だいたい分かった気になる 『SREの知識地図』 / introduction-to-sre-knowledge-map-book
Avatar for katsuhisa_ katsuhisa91
PRO
3
1.5k
現場の壁を乗り越えて、 「計装注入」が拓く オブザーバビリティ / Beyond the Field Barriers: Instrumentation Injection and the Future of Observability
Avatar for Kento Kimura aoto
PRO
1
680
ざっくり学ぶ 『エンジニアリングリーダー 技術組織を育てるリーダーシップと セルフマネジメント』 / 50 minute Engineering Leader
Avatar for iwashi iwashi86
5
2.8k
頭部ふわふわ浄酔器
Avatar for uyupun uyupun
0
230

Featured

See All Featured
Evolution of real-time – Irina Nazarova, EuRuKo, 2024
Avatar for Irina Nazarova irinanazarova
9
1k
Automating Front-end Workflow
Avatar for Addy Osmani addyosmani
1371
200k
Helping Users Find Their Own Way: Creating Modern Search Experiences
Avatar for Dan Newman danielanewman
31
2.9k
Build The Right Thing And Hit Your Dates
Avatar for Maggie C. maggiecrowley
38
2.9k
Context Engineering - Making Every Token Count
Avatar for Addy Osmani addyosmani
8
310
Code Reviewing Like a Champion
Avatar for maltzj maltzj
526
40k
Navigating Team Friction
Avatar for Lara Hogan lara
190
15k
Mobile First: as difficult as doing things right
Avatar for Swwweet swwweet
225
10k
個人開発の失敗を避けるイケてる考え方 / tips for indie hackers
Avatar for panda_program panda_program
116
20k
Unsuck your backbone
Avatar for Amy Palamountain ammeep
671
58k
RailsConf 2023
Avatar for Aaron Patterson tenderlove
30
1.3k
Building a Modern Day 
E-commerce SEO Strategy
Avatar for Aleyda Solis aleyda
44
7.9k

Transcript

  1. WP Chattanooga 2/6/2017 Securing your SELF (Basics)

  2. Passwords

  3. How do they work? - User inputs password - Website

    “hashes” the password with complex mathematical formula - Website compares the hashed password with the stored hash - If they match, the site will log you in

  4. Yours are bad and you should feel bad.

  5. The Math of a 6 Character Password Character Types Equation

    Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 5m 21s Mixed Case 52^6 20,158,268,676 5h 35m 58s Mixed Case Numeric 62^6 57,731,386,986 16h 2m 11s MCN w/ Symbols 76^6 195,269,260,956 2d 6h 14m 29s

  6. AVERAGE Math of a 6 Character Password Character Types Equation

    Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 2m 50s Mixed Case 52^6 20,158,268,676 2h 45m Mixed Case Numeric 62^6 57,731,386,986 8h MCN w/ Symbols 76^6 195,269,260,956 1d 3h

  7. “Real” Math of an AVG 8 Character Password Character Types

    Equation Possibilities Brute Forced In: Numeric 10^6 1,111,110 <1 second Lowercase 26^6 321,272,406 <1 second Mixed Case 52^6 20,158,268,676 <1 hr Mixed Case Numeric 62^6 57,731,386,986 <3 hr MCN w/ Symbols 76^6 195,269,260,956 <9 hr

  8. Solutions for Brute Force

  9. Plugins to Detect Brute Force - Jetpack’s “Protect” feature -

    iThemes Security - WP Limit Login Attempts - Anti-Malware Security and Brute-Force Firewall - SiteGuard WP Plugin - Shield WordPress Security

  10. But none of that even matters.

  11. YOU are the weakest link, even with the best brute

    force plugin.

  12. You likely have been or will be pwned. https://haveibeenpwned.com/

  13. None

  14. Solutions for Being Pwned

  15. Password Manager Options - LastPass - Password Manager (I use

    this one and like it) - Dashlane 4 - Zoho Vault - LogMeOnce - RoboForm

  16. Password Manager - Generates a (truly) random password for every

    site you visit - Stores all password in an encrypted manner - One master password, protected locally, by 2FA, and brute force detection

  17. What is 2FA?

  18. How do you identify yourself? Three vectors: - Something you

    are (Likeness, DNA, fingerprint) - Something you have (ID Card, Phone Number) - Something you know (Password, username)

  19. Two Factor Authentication

  20. WordPress 2FA Methods - Clef - Duo - Authy -

    Google Authenticator - Rublon - WordFence

  21. But none of that even matters.

  22. YOU are the weakest link, even with the strongest password

    manager

  23. Encryption (SSL / VPN)

  24. None

  25. WITH Encryption (SSL / VPN)

  26. PWNED Username / Password / Credit Cards

  27. WITHOUT Encryption (SSL / VPN)

  28. AWW :( 8a34ee6f0378bc4637635f771e966af1

  29. None

  30. WordPress Plugins for SSL (HTTPS redirect) - Really Simple SSL

    - SSL Insecure Content Fixer - WP Force SSL

  31. Easy VPN Services - PrivateTunnel - PIA (Private Internet Access

    - Tor OR, set up your own on: - Linode - Digital Ocean - AWS

  32. EL FIN