Here is the video for the WordPress Security presentation at WordCamp Phoenix 2013:
Here is the slide deck from the presentation:
Leave us your comments below.
Dre Armeda was Sucuri’s founding CEO and Co-Founder who helped start up the company in 2010. Today, Dre is Sr. Director of Technical Program Management and serves as Head of Technical Program Management (TPM) for GoDaddy's Partners Business. As head of TPM, Dre leads the PMO and Program Delivery Teams, ultimately driving all the program management functions and supporting our partners. When Dre isn't executing strategic initiatives at GoDaddy, you can find him on the mat training in Jiu Jitsu as a Carlson Gracie brown belt. Connect with Dre on Twitter.
10 comments
Great general introduction to WordPress related security issues. I suggest you upload it to your YouTube channel (speaking of which, you readers may like to know they can find the video of the “WPScan Password Attack” on your YouTube channel as well).
Two things, if I may:
1) Is there a way to prohibit anyone from harvesting usernames on a WordPress installation?
2) At one point, you talked about 15-character passwords. It surely applies to the WP admin password, but I believe the HTML password protection (the second layer one can put in place using htaccess) is limited to 8 characters.
Again, thanks for sharing this with us.
P.
Paul, thanks for the recommendation.
To your questions, there is no easy way to harvest usernames. Not publishing of course will reduce the risk a bit, but you can still pull them by author ID.
In terms of the password limitation with htaccess, it depends on how you encrypt. I believe the 8 character limitation only applies when using crypt() – https://httpd.apache.org/docs/current/programs/htpasswd.html
Thanks again for the note!
Dre
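The author-ID lookups Dre mentions above leave a recognisable trace in the web server's access log, so a site owner can at least spot enumeration attempts. The following Python script is an added example, not code from the post or from Sucuri; it runs over constructed Apache combined-log lines and treats a 3xx response to `?author=N` as the redirect to the author archive that exposes the name.

```python
import re
from collections import defaultdict

# Constructed sample lines in Apache combined-log format (not from the page).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Feb/2013:10:00:01 -0700] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.29"
203.0.113.5 - - [10/Feb/2013:10:00:02 -0700] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.29"
203.0.113.5 - - [10/Feb/2013:10:00:03 -0700] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/7.29"
198.51.100.7 - - [10/Feb/2013:10:05:00 -0700] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Feb/2013:10:05:10 -0700] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

# ip, two ident/user fields, bracketed timestamp, request line, status code.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# The author query parameter, whether it is the first or a later parameter.
AUTHOR_RE = re.compile(r'[?&]author=(\d+)')


def author_probe_report(log_text):
    """Map each client IP to the author IDs it requested and those that resolved (3xx)."""
    report = defaultdict(lambda: {"requested": set(), "resolved": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-log line; ignore rather than crash
        a = AUTHOR_RE.search(m.group("path"))
        if not a:
            continue  # ordinary page request, not an author lookup
        author_id = int(a.group(1))
        entry = report[m.group("ip")]
        entry["requested"].add(author_id)
        if m.group("status").startswith("3"):
            # WordPress redirects an existing author ID to its archive URL,
            # which is where the name becomes visible.
            entry["resolved"].add(author_id)
    return dict(report)


def flag_enumerators(log_text, threshold=3):
    """Return client IPs that looked up at least `threshold` distinct author IDs."""
    return sorted(ip for ip, e in author_probe_report(log_text).items()
                  if len(e["requested"]) >= threshold)


if __name__ == "__main__":
    for ip in flag_enumerators(SAMPLE_LOG):
        print("possible author enumeration from", ip, author_probe_report(SAMPLE_LOG)[ip])
```

The threshold separates a single visitor following one author link from a client walking the ID space; tune it to the number of real authors on the site.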
“To your questions, there is no easy way to harvest usernames. Not publishing of course will reduce the risk a bit, but you can still pull them by author ID.”
I only discovered recently that author ID showed the username – what a surprise that was!
I’m using a 20 character password on all my sites and client sites, so that makes me feel a little easier.
Scary! This presentation should be mandatory for anyone with a site or blog, WordPress especially. And signing up with Sucuri Security.
I’m running a non-commercial site, with no ‘donate’ button, no ads, not even Google Adsense or Amazon affiliate links — no monetary gain whatsoever — and I’m really extra cautious about adding to my list of expenses for that site. Sucuri Security is the only exception, the ONLY service/API/plugin I’m happy to pay for.
It’s either that, or giving up on that site altogether. It was already destroyed by iFrame injections and if it wasn’t for the Sucuri team, I wouldn’t have it today.
Thanks guys!
Thanks for a great talk! Very useful! I found your slides on SlideShare and suggest you add them here, as it's not easy to read the slides on the video: https://www.slideshare.net/armeda/wordpress-security-wordcamp-phoenix-2013
Thanks again!
Hey, Lilian! Glad it was useful, and I took your recommendation, slides have been added to the post 🙂
Thanks for making this presentation available; I found it very helpful and I feel a lot safer now that I’m beginning to follow your advice.
It is a time-consuming problem to fix.
I have a question: is there a way to prohibit anyone from harvesting usernames on a WordPress installation?