1. passwords
the weakest link in wordpress security
@brennenbyrne

2. this talk is about
security
@brennenbyrne

3. a lot of people think security is
hard
@brennenbyrne

4. a lot of people think security is
hard
confusing
@brennenbyrne

5. a lot of people think security is
hard
confusing complicated
@brennenbyrne

6. a lot of people think security is
hard
confusing complicated
technical
impossible
frustrating
not for you
painful
infuriating
@brennenbyrne

7. but we all know that it’s
important
@brennenbyrne

8. but we all know that it’s
important
and my job is to make it
easy
@brennenbyrne

9. hello, my name is brennen
(@brennenbyrne)
@brennenbyrne

10. I’m a founder of Clef
(getclef.com)
@brennenbyrne

11. for the next 30 mins
★ zombie army
★ two step (logins)
★ ssl
★ password rot
★ what you can do
@brennenbyrne

12. getclef.com/cloudflare-webinar
getclef.com/wordpress-security-checklist
slides
@brennenbyrne

13. passwords
“The weakest link in the security of anything
you do online is your password.”
@brennenbyrne
—vip.wordpress.com/security

14. it’s time to talk about
the zombie army.
@brennenbyrne

15. the old way to break a password
@brennenbyrne

16. 2. guess common passwords
1. virus that watches you type
3. “advanced interrogation”
@brennenbyrne

17. in order to defend myself
@brennenbyrne

18. 2. limit wrong guesses
1. don’t download viruses
3. don’t anger enemy nation-states
@brennenbyrne

19. but attackers have gotten smarter
@brennenbyrne

20. zombie
army
@brennenbyrne

21. the zombie army is what happens to you
when other people download viruses
@brennenbyrne

22. their computers become
zombies
@brennenbyrne

23. sites infect visitors’ computers
zombies attack sites
visitors join zombie army
bigger army attacks more sites
@brennenbyrne

24. zombies swarm and attack your site
from millions of different computers
@brennenbyrne

25. 2. limit wrong guesses
1. don’t download viruses
3. don’t anger enemy nation-states
@brennenbyrne

26. the zombie army is attackers’
response to our better defenses
as wordpress becomes a better target
the incentives for breaking it rise
@brennenbyrne

27. two step
@brennenbyrne

28. something you
something you
@brennenbyrne
the steps
know
have
something you are

29. the old way of doing this meant:
1. typing your password
2. getting a text with a bunch of numbers
3. typing in the bunch of numbers
(google authenticator)
@brennenbyrne

30. @brennenbyrne
clef, the plugin i work on, skips
the password to make
two-factor much easier.

31. ssl
@brennenbyrne

32. @brennenbyrne
ssl = safe safe lock
*it actually stands for “secure socket layer”

33. without ssl, everything is public
@brennenbyrne
only do stuff you wouldn’t
mind standing on a table and
yelling about in a coffee shop
i.e. no passwords or credit cards

34. password
rot
@brennenbyrne

35. @brennenbyrne
your password is strongest
on the day you set it

36. 2. more computer power available
1. more time for attacker to crack
3. greater chance you’ve reused
@brennenbyrne

37. passwords pit our
memories against
computer brute force —
we are going to lose
@brennenbyrne

38. what to do
@brennenbyrne

39. @brennenbyrne
one weird trick to protect
your site from all attacks

40. @brennenbyrne
delete it.

41. use two factor for admin
@brennenbyrne
otherwise
install bruteprotect and cloak
read wordpress security checklist
getclef.com/wordpress-security-checklist

42. getclef.com/wordpress-security-checklist
slides
@brennenbyrne
getclef.com/cloudflare-webinar