passwords: the weakest link in wordpress security
@brennenbyrne
this talk is about
security
a lot of people think security is
hard
confusing
complicated
technical
impossible
frustrating
not for you
painful
infuriating
but we all know that it’s
important
and my job is to make it
easy
hello, my name is brennen (@brennenbyrne)
I’m a founder of Clef (getclef.com)
for the next 30 mins
★ zombie army
★ two step (logins)
★ ssl
★ password rot
★ what you can do
getclef.com/cloudflare-webinar
getclef.com/wordpress-security-checklist
slides
passwords
“The weakest link in the security of anything you do online is your password.”
—vip.wordpress.com/security
it’s time to talk about the zombie army.
the old way to break a password
1. virus that watches you type
2. guess common passwords
3. “advanced interrogation”
in order to defend myself
1. don’t download viruses
2. limit wrong guesses
3. don’t anger enemy nation-states
but attackers have gotten smarter
zombie army
the zombie army is what happens to you when other people download viruses
their computers become zombies
sites infect visitors’ computers
zombies attack sites
visitors join zombie army
bigger army attacks more sites
zombies swarm and attack your site from millions of different computers
1. don’t download viruses
2. limit wrong guesses
3. don’t anger enemy nation-states
the zombie army is attackers’ response to our better defenses
as wordpress becomes a better target, the incentives for breaking it rise
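The talk's point that "limit wrong guesses" stops one infected machine but not a zombie army can be checked with a small replay of login attempts through two throttles. This is an added example, not code from the talk or from Clef; the limits, addresses and attempt streams are constructed.

```python
from collections import defaultdict

PER_IP_LIMIT = 5        # wrong guesses allowed from one source address
PER_ACCOUNT_LIMIT = 10  # wrong guesses allowed against one username, from any address


def replay(attempts, per_ip_limit=None, per_account_limit=None):
    """Replay a stream of (source_ip, username) failed-login attempts through
    the configured throttles and return how many guesses were actually
    checked against the stored password (every attempt here is a wrong guess)."""
    ip_fails = defaultdict(int)
    account_fails = defaultdict(int)
    checked = 0
    for ip, user in attempts:
        if per_ip_limit is not None and ip_fails[ip] >= per_ip_limit:
            continue  # this address used up its budget; never reaches the password check
        if per_account_limit is not None and account_fails[user] >= per_account_limit:
            continue  # this username is locked no matter where the guess comes from
        checked += 1
        ip_fails[ip] += 1
        account_fails[user] += 1
    return checked


def single_attacker(n):
    # constructed: one infected machine making n guesses at the "admin" account
    return [("198.51.100.7", "admin")] * n


def zombie_army(n):
    # constructed: n infected visitors' machines, each with its own address,
    # one guess each at "admin" (distinct for any n below 2**24)
    return [(f"10.{(i >> 16) & 255}.{(i >> 8) & 255}.{i & 255}", "admin") for i in range(n)]


def compare(n_zombies=1000):
    """Number of guesses that reach the password check under each policy."""
    return {
        "single attacker, per-ip limit": replay(single_attacker(20), per_ip_limit=PER_IP_LIMIT),
        "zombie army, per-ip limit": replay(zombie_army(n_zombies), per_ip_limit=PER_IP_LIMIT),
        "zombie army, per-ip + per-account limit": replay(
            zombie_army(n_zombies), per_ip_limit=PER_IP_LIMIT, per_account_limit=PER_ACCOUNT_LIMIT),
    }


if __name__ == "__main__":
    for policy, reached in compare().items():
        print(f"{policy}: {reached} guesses reached the password check")
```

A per-address limit stops the single machine at 5 guesses but lets every one of the 1000 zombies through, while a per-account limit holds at 10 regardless of source; the cost is that anyone can burn an account's budget and lock out the real admin, which is why the talk's real answer is two-step login rather than throttling alone.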
two step
the steps
something you know
something you have
something you are
the old way of doing this meant:
1. typing your password
2. getting a text with a bunch of numbers
3. typing in the bunch of numbers
(google authenticator)
clef, the plugin i work on, skips the password to make two-factor much easier.
ssl
ssl = safe safe lock*
*it actually stands for “secure socket layer”
without ssl, everything is public
only do stuff you wouldn’t mind standing on a table and yelling about in a coffee shop
i.e. no passwords or credit cards
password rot
your password is strongest on the day you set it
1. more time for attacker to crack
2. more computer power available
3. greater chance you’ve reused
passwords pit our memories against computer brute force — we are going to lose
what to do
one weird trick to protect your site from all attacks
delete it.
use two factor for admin
otherwise
install bruteprotect and cloak
read the wordpress security checklist: getclef.com/wordpress-security-checklist
slides
getclef.com/cloudflare-webinar
getclef.com/wordpress-security-checklist