Dre Armeda Presenting on WordPress Security at WordCamp Phoenix 2013

Here is the video for the WordPress Security presentation at WordCamp Phoenix 2013:

Here is the slide deck from the presentation:

Leave us your comments below.

  1. Great general introduction to WordPress related security issues. I suggest you upload it to your YouTube channel (speaking of which, you readers may like to know they can find the video of the “WPScan Password Attack” on your YouTube channel as well).

    Two things, if I may:

    1) Is there a way to prohibit anyone from harvesting usernames on a WordPress installation?

    2) At one point, you talked about 15-character passwords. It surely applies to the WP admin password, but I believe the HTML password protection (the second layer one can put in place using htaccess) is limited to 8 characters.

    Again, thanks for sharing this with us.

    1. “To your questions, there is no easy way to harvest usernames. Not publishing of course will reduce the risk a bit, but you can still pull them by author ID.”

      I only discovered recently that author ID showed the username – what a surprise that was!

      I’m using a 20 character password on all my sites and client sites, so that makes me feel a little easier.

  2. Scary! This presentation should be mandatory for anyone with a site or blog, WordPress especially. And signing up with Sucuri Security.

    I’m running a non-commercial site, with no ‘donate’ button, no ads, not even Google Adsense or Amazon affiliate links — no monetary gain whatsoever — and I’m really extra cautious about adding to my list of expenses for that site. Sucuri Security is the only exception, the ONLY service/API/plugin I’m happy to pay for.

    It’s either that, or giving up on that site altogether. It was already destroyed by iFrame injections and if it wasn’t for the Sucuri team, I wouldn’t have it today.

    Thanks guys!

  3. Thanks for making this presentation available; I found it very helpful and I feel a lot safer now that I’m beginning to follow your advice.

  4. I have a question: is there a way to prohibit anyone from harvesting usernames on a WordPress installation?
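The question above (and the reply in the first thread, which points out that usernames can be pulled through the author ID) concerns the `?author=N` lookup: WordPress answers it with a redirect to `/author/<username>/`, which discloses the login name. The following mu-plugin is an added example written for this page; it is not code from Sucuri or from the presentation. It assumes it is saved under `wp-content/mu-plugins/`, and the helper name `bae_is_author_id_probe` is made up here. It blocks the numeric lookup for anonymous visitors while leaving slug-based author archives working, and it also hides the REST user listing that core has exposed at `/wp-json/wp/v2/users` since WordPress 4.7.

```php
<?php
/**
 * Plugin Name: Block Author Enumeration (added example, not Sucuri code)
 * Description: Stops anonymous ?author=N lookups and hides the REST users list.
 * Install: copy to wp-content/mu-plugins/block-author-enumeration.php
 */

// Hypothetical helper: true when the raw "author" request parameter is a
// numeric ID. A slug (/author/<name>/) is left alone, because serving it
// requires the visitor to already know the username.
function bae_is_author_id_probe( $raw_author_param ) {
    return is_numeric( $raw_author_param );
}

// Priority 1 so this runs before redirect_canonical(), which is what turns
// ?author=1 into the username-revealing /author/<username>/ redirect.
add_action( 'template_redirect', function () {
    if ( is_user_logged_in() ) {
        return; // Logged-in users keep normal behaviour.
    }
    // Read the raw GET parameter rather than get_query_var('author'):
    // WP_Query also fills the "author" query var with the resolved ID for
    // legitimate /author/<name>/ pages, which we do not want to block.
    $raw = isset( $_GET['author'] ) ? wp_unslash( $_GET['author'] ) : '';
    if ( bae_is_author_id_probe( $raw ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// The REST API lists users at /wp-json/wp/v2/users (WordPress 4.7+), which
// exposes the same information without any redirect. Remove those routes
// for anonymous requests; authenticated users (editors, the block editor's
// author picker) still get them.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array( '/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)' ) as $route ) {
        unset( $endpoints[ $route ] );
    }
    return $endpoints;
} );
```

This only closes the two disclosure paths the comments mention; a login name still appears wherever the site itself prints it (for example, a comment-author link built from the user slug), so the stronger control remains a long, unique admin password and a login-attempt limiter, as the presentation advises.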
