Upgrade to Pro
— share decks privately, control downloads, hide ads and more …
Speaker Deck
Features
Speaker Deck
PRO
Sign in
Sign up for free
Search
Search
WordPress Security
Search
Zachary A Skaggs
February 07, 2017
Technology
1
260
WordPress Security
Exploring and patching the weakest link in your WordPress site's security...you.
Zachary A Skaggs
February 07, 2017
Tweet
Share
Other Decks in Technology
See All in Technology
歴代のWeb Speed Hackathonの出題から考えるデグレしないパフォーマンス改善
shuta13
6
600
KiroでGameDay開催してみよう(準備編)
yuuuuuuu168
1
120
AIとTDDによるNext.js「隙間ツール」開発の実践
makotot
5
630
Browser
recruitengineers
PRO
3
220
自社製CMSからmicroCMSへのリプレースがプロダクトグロースを加速させた話
nextbeatdev
0
120
Android Studio の 新しいAI機能を試してみよう / Try out the new AI features in Android Studio
yanzm
0
260
AIドリブンのソフトウェア開発 - うまいやり方とまずいやり方
okdt
PRO
9
570
認知戦の理解と、市民としての対抗策
hogehuga
0
310
ABEMAにおける 生成AI活用の現在地 / The Current Status of Generative AI at ABEMA
dekatotoro
0
640
人と組織に偏重したEMへのアンチテーゼ──なぜ、EMに設計力が必要なのか/An antithesis to the overemphasis of people and organizations in EM
dskst
5
590
ZOZOTOWNフロントエンドにおけるディレクトリの分割戦略
zozotech
PRO
16
5.2k
見てわかるテスト駆動開発
recruitengineers
PRO
3
220
Featured
See All Featured
Cheating the UX When There Is Nothing More to Optimize - PixelPioneers
stephaniewalter
283
13k
Art, The Web, and Tiny UX
lynnandtonic
302
21k
For a Future-Friendly Web
brad_frost
179
9.9k
10 Git Anti Patterns You Should be Aware of
lemiorhan
PRO
656
61k
[Rails World 2023 - Day 1 Closing Keynote] - The Magic of Rails
eileencodes
36
2.5k
Practical Tips for Bootstrapping Information Extraction Pipelines
honnibal
PRO
23
1.4k
BBQ
matthewcrist
89
9.8k
We Have a Design System, Now What?
morganepeng
53
7.7k
The Art of Programming - Codeland 2020
erikaheidi
55
13k
Learning to Love Humans: Emotional Interface Design
aarron
273
40k
Six Lessons from altMBA
skipperchong
28
4k
Building Flexible Design Systems
yeseniaperezcruz
328
39k
Transcript
WP Chattanooga 2/6/2017 Securing your SELF (Basics)
Passwords
How do they work? - User inputs password - Website
“hashes” the password with complex mathematical formula - Website compares the hashed password with the stored hash - If they match, the site will log you in
Yours are bad and you should feel bad.
The Math of a 6 Character Password Character Types Equation
Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 5m 21s Mixed Case 52^6 20,158,268,676 5h 35m 58s Mixed Case Numeric 62^6 57,731,386,986 16h 2m 11s MCN w/ Symbols 76^6 195,269,260,956 2d 6h 14m 29s
AVERAGE Math of a 6 Character Password Character Types Equation
Possibilities Brute Forced In: Numeric 10^6 1,111,110 1 second Lowercase 26^6 321,272,406 2m 50s Mixed Case 52^6 20,158,268,676 2h 45m Mixed Case Numeric 62^6 57,731,386,986 8h MCN w/ Symbols 76^6 195,269,260,956 1d 3h
“Real” Math of an AVG 8 Character Password Character Types
Equation Possibilities Brute Forced In: Numeric 10^6 1,111,110 <1 second Lowercase 26^6 321,272,406 <1 second Mixed Case 52^6 20,158,268,676 <1 hr Mixed Case Numeric 62^6 57,731,386,986 <3 hr MCN w/ Symbols 76^6 195,269,260,956 <9 hr
Solutions for Brute Force
Plugins to Detect Brute Force - Jetpack’s “Protect” feature -
iThemes Security - WP Limit Login Attempts - Anti-Malware Security and Brute-Force Firewall - SiteGuard WP Plugin - Shield WordPress Security
But none of that even matters.
YOU are the weakest link, even with the best brute
force plugin.
You likely have been or will be pwned. https://haveibeenpwned.com/
None
Solutions for Being Pwned
Password Manager Options - LastPass - Password Manager (I use
this one and like it) - Dashlane 4 - Zoho Vault - LogMeOnce - RoboForm
Password Manager - Generates a (truly) random password for every
site you visit - Stores all password in an encrypted manner - One master password, protected locally, by 2FA, and brute force detection
What is 2FA?
How do you identify yourself? Three vectors: - Something you
are (Likeness, DNA, fingerprint) - Something you have (ID Card, Phone Number) - Something you know (Password, username)
Two Factor Authentication
WordPress 2FA Methods - Clef - Duo - Authy -
Google Authenticator - Rublon - WordFence
But none of that even matters.
YOU are the weakest link, even with the strongest password
manager
Encryption (SSL / VPN)
None
WITH Encryption (SSL / VPN)
PWNED Username / Password / Credit Cards
WITHOUT Encryption (SSL / VPN)
AWW :( 8a34ee6f0378bc4637635f771e966af1
None
WordPress Plugins for SSL (HTTPS redirect) - Really Simple SSL
- SSL Insecure Content Fixer - WP Force SSL
Easy VPN Services - PrivateTunnel - PIA (Private Internet Access
- Tor OR, set up your own on: - Linode - Digital Ocean - AWS
EL FIN