p4sSw0rd5:the weakest link in wordpress security

@brennenbyrne

this talk is about

security

@brennenbyrne

a lot of people think security is

hard

@brennenbyrne

a lot of people think security is

hard

confusing

@brennenbyrne

a lot of people think security is

hard

confusingcomplicated

@brennenbyrne

a lot of people think security is

hard

confusingcomplicated

technical

impossible

frustratingnot for you

painful

infuriating

@brennenbyrne

but we all know that it’s

important

@brennenbyrne

but we all know that it’s

important

and my job is to make it

easy

@brennenbyrne

hello, my name is brennen (@brennenbyrne)

@brennenbyrne

I’m a founder of Clef (getclef.com)

@brennenbyrne

for the next 30 mins

★botnets

★ two-factor authentication

★ ssl

★password rot

★what you can do

@brennenbyrne

getclef.com/wcmpls2014

getclef.com/wordpress-security-checklist

slides

@brennenbyrne

p4sSw0rd5:the weakest link in wordpress security

@brennenbyrne

I don’t mean to scare you —

but there is a zombie army coming for

your WordPress site.

@brennenbyrne

the old way to break a password

@brennenbyrne

guess common passwords

virus that watches you type

“advanced interrogation”

@brennenbyrne

in order to defend myself

@brennenbyrne

limit wrong guesses

don’t download viruses

don’t anger enemy nation-states

@brennenbyrne

but attackers have gotten smarter

@brennenbyrne

botnets

@brennenbyrne

botnets are what happens to you when other people download viruses

@brennenbyrne

their computers become

zombies

@brennenbyrne

sites infect visitors’ computers

botnets attack sites

visitors join botnet

bigger botnet attacks more sites

@brennenbyrne

botnets swarm and attack your site from millions of different computers

@brennenbyrne

ban IPs that are guessing wrong

don’t download viruses

don’t piss off enemy nation-states

@brennenbyrne

botnets are the attackers’ response to our better defenses

as wordpress becomes a better target the incentives for breaking it rise

@brennenbyrne

two-factor

@brennenbyrne

something you

@brennenbyrne

the factors

know

something you

something you

@brennenbyrne

the factors

know

have

something you

@brennenbyrne

the factors

know

something you have

something you are

@brennenbyrne

the only thing better than one factor of authentication is…

two factors

the old way of doing this meant: !

1. typing your password 2. getting a text with a bunch of numbers 3. typing in the bunch of numbers !

(google authenticator)

@brennenbyrne

@brennenbyrne

clef, the plugin i work on, skips the password to make two-factor much easier.

ssl

@brennenbyrne

if you want to learn more about this, go see jesse’s crypto-101 at 3

@brennenbyrne

@brennenbyrne

for most of us, ssl might as well stand

for secure symbol lock

it actually stands for “secure socket layer”

without ssl, everything is public

@brennenbyrne

only do stuff you wouldn’t mind standing on a table

and yelling about in a coffee shop

i.e. no passwords or credit cards

password rot

@brennenbyrne

@brennenbyrne

your password is strongest on the day you set it

@brennenbyrne

your password is strongest on the day you set it

it gets weaker every day after that

more computer power available

more time for attacker to crack

greater chance you’ve reused

@brennenbyrne

passwords pit our memories against

computer brute force — we are going to lose

@brennenbyrne

what to do

@brennenbyrne

@brennenbyrne

one weird trick to protect your site from all attacks

@brennenbyrne

delete it.

use two factor for admin

@brennenbyrne

otherwise

install bruteprotect and cloak

read wordpress security checklistgetclef.com/wordpress-security-checklist

getclef.com/wcmpls2014

getclef.com/wordpress-security-checklist

slides

@brennenbyrne