July 17, 2017

I had an amazing time speaking and networking at the #WPCampus Event in Buffalo this past weekend.  I was fortunate to be able to share some insight on the realm of Security, and make it (hopefully) more than a fruitless, confusion quest.

First of all, here are my slides:

And now, the caveats/prologues:

  • I had someone reach out on Twitter and mention that the 56% was too low of a number to spend so much time on. We’ve since connected and expounded on that, but the biggest thing I want to mention is that this is a talk from the perspective of the WordPress user/administrator.  There are TONS of other ways that someone can hack into your website, and a lot of them have nothing to do with your code:
    • Social Engineering – people playing fast and loose with user information that protects their password identity
    • A 3rd party hack – Website A gets hacked, and since the passwords were stored incorrectly there that allows the hacker to gain access to Website B through the same password.
    • Bad Passwords – dictionary attacks on passwords that are just plain bad can be brute-forced and overcome in a few minutes (unless you disallow access based on failed password attempts!)
  • A lot of attendees explained that they don’t have a lot of control over the server-side of things. That’s fine – that’s why I positioned it like I did (as something that’s innate, but that you may not have a lot of sway over). That’s why the site-specific stuff is so important. It allows you to do something to prevent baddies from gettting in.
  • There are more items coming out nearly daily, which is why the external resources and information gathering is so important. Education on a problem means you know what to look for and how to fix it!

Thanks to everyone that came to the sessions – I hope I was able to teach something, and that you come away knowing even a tiny bit more about security than you did when you came in!

  • Thanks for a great talk Mitch! I’m using the wpscan.org open-source WordPress vulnerability scanning tool and it works great. And also the online version at WPScans.com