Dre Armeda Presenting on WordPress Security at WordCamp Phoenix 2013

Here is the video for the WordPress Security presentation at WordCamp Phoenix 2013:

Here is the slide deck from the presentation:

Leave us your comments below.

About Tony Perez

Tony works at Sucuri. His passion lies in educating and bringing awareness about online threats to business owners. He spends his time giving presentations and writing content that everyday website owners can appreciate. His passions revolve around understanding the psychology of bad actors, the impacts and havoc hacks have on website owners, and thinking through the evolution of attacks. You can find his personal thoughts on security at Tony on Security and you can follow him on Twitter at @perezbox.

  • Paul

    Great general introduction to WordPress related security issues. I suggest you upload it to your YouTube channel (speaking of which, you readers may like to know they can find the video of the “WPScan Password Attack” on your YouTube channel as well).

    Two things, if I may:

    1) Is there a way to prohibit anyone from harvesting usernames on a WordPress installation?

    2) At one point, you talked about 15-character passwords. It surely applies to the WP admin password, but I believe the HTML password protection (the second layer one can put in place using htaccess) is limited to 8 characters.

    Again, thanks for sharing this with us.

    P.

    • http://armeda.com/ Andres Armeda

      Paul, thanks for the recommendation.

      To your questions, there is no easy way to harvest usernames. Not publishing them, of course, will reduce the risk a bit, but you can still pull them by author ID.

      In terms of the password limitation with htaccess, it depends on how you encrypt. I believe the 8 character limitation only applies when using crypt() – http://httpd.apache.org/docs/current/programs/htpasswd.html

      Thanks again for the note!

      Dre

      • http://www.wmwebdesign.co.uk/ Keith Davis

        “To your questions, there is no easy way to harvest usernames. Not publishing of course will reduce the risk a bit, but you can still pull them by author ID.”

        I only discovered recently that author ID showed the username – what a surprise that was!

        I’m using a 20 character password on all my sites and client sites, so that makes me feel a little easier.
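The author-ID harvesting that Dre and Keith describe works because WordPress answers `?author=N` with a redirect to `/author/<username>/`. The following must-use plugin is an added example (not code from the post, the presentation, or Sucuri) that refuses that redirect and logs the attempt; it also removes the public REST users listing, which is a later WordPress feature that exposes the same data. The plugin name and log wording are assumed.

```php
<?php
/**
 * Plugin Name: Author enumeration mitigation (added example, hypothetical)
 * Drop this file into wp-content/mu-plugins/ so it loads without activation.
 * Assumes a stock WordPress site; the plugin name and messages are placeholders.
 */

// 1. Block the numeric ?author=N query on the public site. WordPress would
//    otherwise 301-redirect it to /author/<user_nicename>/, leaking the login.
add_action('init', function () {
    if (is_admin()) {
        return; // wp-admin screens legitimately filter lists by author ID.
    }
    $author = isset($_GET['author']) ? (string) $_GET['author'] : '';
    if ($author !== '' && preg_match('/^\d+$/', $author)) {
        $ip = isset($_SERVER['REMOTE_ADDR']) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
        // Record the probe so it shows up in the PHP/web server error log.
        error_log(sprintf('author enumeration probe: author=%s ip=%s', $author, $ip));
        wp_die('Not allowed.', 'Forbidden', array('response' => 403));
    }
});

// 2. Remove the anonymous user listing from the REST API (WordPress 4.7+),
//    which lists authors with their slugs without any login required.
add_filter('rest_endpoints', function ($endpoints) {
    unset($endpoints['/wp/v2/users']);
    unset($endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    return $endpoints;
});
```

This only closes the two lookup channels shown; author archive links and comment markup can still expose a login, so treat usernames as public and rely on strong passwords and login rate limiting as the real control.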

  • Lana

    Scary! This presentation should be mandatory for anyone with a site or blog, WordPress especially. And signing up with Sucuri Security.

    I’m running a non-commercial site, with no ‘donate’ button, no ads, not even Google Adsense or Amazon affiliate links — no monetary gain whatsoever — and I’m really extra cautious about adding to my list of expenses for that site. Sucuri Security is the only exception, the ONLY service/API/plugin I’m happy to pay for.

    It’s either that, or giving up on that site altogether. It was already destroyed by iFrame injections and if it wasn’t for the Sucuri team, I wouldn’t have it today.

    Thanks guys!

  • lilian

    Thanks for a great talk! Very useful! I found your slides on SlideShare and suggest you add them here, since it’s not easy to read the slides on the video: http://www.slideshare.net/armeda/wordpress-security-wordcamp-phoenix-2013

    Thanks again!

    • http://armeda.com/ Andres Armeda

      Hey, Lilian! Glad it was useful, and I took your recommendation; the slides have been added to the post :)

  • Brian

    Thanks for making this presentation available; I found it very helpful and I feel a lot safer now that I’m beginning to follow your advice.

  • http://www.frivmini.com/ friv

    It is a time-consuming problem to fix.

  • http://www.yepi-yepi.com/ Yepi

    I have a question: is there a way to prohibit anyone from harvesting usernames on a WordPress installation?

  • http://www.yepididi.com/ Yepi Didi

    It is a time-consuming problem to fix.
