
Dre Armeda Presenting on WordPress Security at WordCamp Phoenix 2013

Here is the video for the WordPress Security presentation at WordCamp Phoenix 2013:

Here is the slide deck from the presentation:

Leave us your comments below.

  • Paul

    Great general introduction to WordPress related security issues. I suggest you upload it to your YouTube channel (speaking of which, your readers may like to know they can find the video of the “WPScan Password Attack” on your YouTube channel as well).

    Two things, if I may:

    1) Is there a way to prohibit anyone from harvesting usernames on a WordPress installation?

    2) At one point, you talked about 15-character passwords. It surely applies to the WP admin password, but I believe the HTML password protection (the second layer one can put in place using htaccess) is limited to 8 characters.

    Again, thanks for sharing this with us.

    P.

    • Paul, thanks for the recommendation.

      To your questions, there is no easy way to harvest usernames. Not publishing of course will reduce the risk a bit, but you can still pull them by author ID.

      In terms of the password limitation with htaccess, it depends on how you encrypt. I believe the 8 character limitation only applies when using crypt() – http://httpd.apache.org/docs/current/programs/htpasswd.html

      Thanks again for the note!

      Dre

      • “To your questions, there is no easy way to harvest usernames. Not publishing of course will reduce the risk a bit, but you can still pull them by author ID.”

        I only discovered recently that author ID showed the username – what a surprise that was!

        I’m using a 20 character password on all my sites and client sites, so that makes me feel a little easier.
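The author-ID harvesting discussed in the exchange above (request `/?author=N`, read the `Location` header of the redirect to `/author/<username>/`), written out as an added example. This is not code from the original post, from the presentation, or from Sucuri; the host `example.test`, the `fake_wordpress` responder and the user list it contains are constructed so that the logic runs offline. The `live_fetcher` helper is an assumption about how one would point the same enumerator at a site one is authorised to test.

```python
"""Offline demonstration of WordPress username harvesting by author ID.

WordPress answers a request for /?author=N with a redirect to the
author's archive, /author/<user_nicename>/, and the nicename defaults to
the login name.  The enumerator below walks author IDs and reads the
Location header.  The HTTP layer is injectable so the logic can be
exercised against the constructed fake site below without any network.
"""
import re
from typing import Callable, Dict, Optional, Tuple
from urllib.parse import urlparse

# A response is (status_code, headers); only the Location header matters here.
Response = Tuple[int, Dict[str, str]]
Fetcher = Callable[[str], Response]

AUTHOR_PATH = re.compile(r"^/author/([^/]+)/?$")


def username_from_redirect(status: int, headers: Dict[str, str]) -> Optional[str]:
    """Return the user slug if the response redirects to an author archive."""
    if status not in (301, 302, 303, 307, 308):
        return None
    location = headers.get("Location") or headers.get("location")
    if not location:
        return None
    match = AUTHOR_PATH.match(urlparse(location).path)
    return match.group(1) if match else None


def enumerate_authors(base_url: str, fetch: Fetcher, max_id: int = 10,
                      stop_after_misses: int = 3) -> Dict[int, str]:
    """Probe /?author=1..max_id and collect {author_id: username}.

    Deleted users leave gaps in the ID sequence, so a single miss is not
    treated as the end of the user table; the walk stops only after
    `stop_after_misses` consecutive IDs yield no author redirect.
    """
    found: Dict[int, str] = {}
    misses = 0
    for author_id in range(1, max_id + 1):
        status, headers = fetch(f"{base_url.rstrip('/')}/?author={author_id}")
        name = username_from_redirect(status, headers)
        if name:
            found[author_id] = name
            misses = 0
        else:
            misses += 1
            if misses >= stop_after_misses:
                break
    return found


def fake_wordpress(url: str) -> Response:
    """Constructed stand-in for a WordPress site (not a real server).

    IDs 1 ("admin") and 3 ("dre") exist; ID 2 was deleted; all others 404.
    """
    users = {1: "admin", 3: "dre"}
    match = re.search(r"[?&]author=(\d+)", url)
    author_id = int(match.group(1)) if match else 0
    if author_id in users:
        return 301, {"Location": f"http://example.test/author/{users[author_id]}/"}
    return 404, {}


def live_fetcher(url: str) -> Response:
    """Assumed real HTTP fetcher that does NOT follow redirects (stdlib only).

    urllib normally follows a 301; returning None from redirect_request makes
    it surface the redirect as an HTTPError instead, so we can read Location.
    """
    import urllib.error
    import urllib.request

    class NoRedirect(urllib.request.HTTPRedirectHandler):
        def redirect_request(self, *args, **kwargs):
            return None

    opener = urllib.request.build_opener(NoRedirect)
    try:
        with opener.open(url, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as err:
        return err.code, dict(err.headers)


if __name__ == "__main__":
    # Against the constructed site this prints {1: 'admin', 3: 'dre'}.
    print(enumerate_authors("http://example.test", fake_wordpress))
```

To run the same walk against a site you own, pass `live_fetcher` instead of `fake_wordpress`. The usual countermeasure on the server side is to answer `author=` query strings with a redirect to the front page (or a 403) before WordPress sees them, and, separately, to set each user's display name and nicename so that the archive slug is not the login name; neither is part of this example.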

  • Lana

    Scary! This presentation should be mandatory for anyone with a site or blog, WordPress especially. And signing up with Sucuri Security.

    I’m running a non-commercial site, with no ‘donate’ button, no ads, not even Google Adsense or Amazon affiliate links — no monetary gain whatsoever — and I’m really extra cautious about adding to my list of expenses for that site. Sucuri Security is the only exception, the ONLY service/API/plugin I’m happy to pay for.

    It’s either that, or giving up on that site altogether. It was already destroyed by iFrame injections and if it wasn’t for the Sucuri team, I wouldn’t have it today.

    Thanks guys!

  • lilian

    Thanks for a great talk! Very useful! I found your slides on SlideShare and suggest you add them here, it’s not easy to read the slides on the video: http://www.slideshare.net/armeda/wordpress-security-wordcamp-phoenix-2013

    Thanks again!

    • Hey, Lilian! Glad it was useful, and I took your recommendation, slides have been added to the post 🙂

  • Brian

    Thanks for making this presentation available; I found it very helpful and I feel a lot safer now that I’m beginning to follow your advice.

  • It is a time-consuming problem to fix.

  • I have a question: is there a way to prohibit anyone from harvesting usernames on a WordPress installation?