WordPress Security with Dre Armeda [LIVEBLOG]

Next up, @Dremeda’s talk on WordPress security.

Stay tuned below for live updates.

Jonathan Dingman March 23, 2013 9:07 am

WordCamp 2013…WOW we’re already here

Jonathan Dingman March 23, 2013 9:07 am

TITLE: “Real Security for WordPress”

Jonathan Dingman March 23, 2013 9:08 am

Shout to me, woot! @dingman

Jonathan Dingman March 23, 2013 9:08 am

Great to see you too Dre :)

Jonathan Dingman March 23, 2013 9:09 am

The Internet Rocks, a few stats:

* 2 billion Internet users today
* 480% growth in the last 11 years
* 100,000+ domains gained weekly
* 2 billion sites in 2015

Jonathan Dingman March 23, 2013 9:12 am

“It’s not all Peachy”

Malware, short for malicious software: software designed to disrupt operations, gather information, or gain unauthorized access.

* monitor your website browsing & internet usage

Malware attacks are opportunistic: attack as many people as possible to maximize profitability, through affiliate marketing and more.

[wow, Dre can talk REALLY fast, trying to stay up with him]

Jonathan Dingman March 23, 2013 9:13 am

“How bad is it?”

It’s pretty damn bad.

* 2 million+ new malware strings monthly
* Costs US consumers over $2B yearly
* Google issues 3MM+ warnings *DAILY*
* Google blacklists 10k websites DAILY on average

Jonathan Dingman March 23, 2013 9:14 am

“Do you remember seeing that big red banner? ‘SOMETHING IS WRONG’. Google is REALLY accurate with this, so trust it.”

Jonathan Dingman March 23, 2013 9:14 am

“Have you seen these popups? ‘your computer is infected’ .. they are targeting you to get an anti-virus that you don’t need, so you’re *paying* to infect yourself”

Jonathan Dingman March 23, 2013 9:15 am

Your SEO rankings say “buy amoxicillin”, but you don’t see it when you look at the site. That’s malware.

Jonathan Dingman March 23, 2013 9:15 am

“How does this happen?”

1) Outdated software
2) exploited FTP passwords
3) Hosting issue
4) Exploit (ZERO DAY)

Jonathan Dingman March 23, 2013 9:17 am

Outdated software is your responsibility, keep it up to date. Unless you’re using managed hosting, then it’s their responsibility.

Jonathan Dingman March 23, 2013 9:20 am

From the audience: “A support tech answering your ticket should never be asking for your root password, right?”

Dre: “I wouldn’t be comfortable with that. Your password is now in the clear.”

Jonathan Dingman March 23, 2013 9:20 am

“Cut out the noise”

* Keep software updated
* no soup kitchen servers
* reduce access
* password management
* backup schedule

Jonathan Dingman March 23, 2013 9:21 am

When you have all your websites on your production server, that’s when you are at the most risk, because one site could get infected and spread to the others.

Jonathan Dingman March 23, 2013 9:21 am

“password” is NOT A GOOD PASSWORD

Jonathan Dingman March 23, 2013 9:23 am

“Keep software updated”

* leading cause for infection along with passwords
* scared to upgrade because stuff breaks?
* major vs point release
* run upgrade tests
* do your homework

Jonathan Dingman March 23, 2013 9:25 am

“who’s scared to upgrade?”

We’ve all been there.

The challenge is that someone developed something poorly, without following best practices or using the WordPress API, so the site can’t take advantage of upgrades.

Jonathan Dingman March 23, 2013 9:25 am

You will see a lot of the feature sets in the major releases (3.5, 3.6, etc.); the minor releases (3.5.1) are bug fixes, patches, etc.

You need to stay up to date.

Jonathan Dingman March 23, 2013 9:26 am

If you have a developer that throws up their arms when you want to upgrade, find a new developer that will help you find a way to upgrade.

Jonathan Dingman March 23, 2013 9:26 am

Don’t cowboy code, don’t test in production, always test stuff before going into production.

Do your homework.

Jonathan Dingman March 23, 2013 9:27 am

The Codex has a huge write-up on WordPress security.

Reference: http://codex.wordpress.org/Hardening_WordPress

Jonathan Dingman March 23, 2013 9:28 am

“No soup kitchen servers”

* WordPressers act like they forgot about DEV
* Cross-contamination is a big deal
* segment by user and account
* Not active is not good enough (deactivated isn’t deleted).

SEGMENT where you can, different servers is better.

Jonathan Dingman March 23, 2013 9:29 am

Do you remember arbitrary PHP execution? Viva viagra.

If it’s not in use, get rid of it.

Jonathan Dingman March 23, 2013 9:29 am

“Reduce Access”

We talked about admin, everyone wants to be an admin.

Get rid of the admin user, that will help you.

It will only help a tiny bit; it’s easy to find an admin user for a WordPress site.

Jonathan Dingman March 23, 2013 9:30 am

Typically, one of the first users will remain as an admin, which means it’s fairly easy to figure out an admin account.

Jonathan Dingman March 23, 2013 9:31 am

Limit failed login attempts, this is a big deal.

This is not part of WordPress natively, a user can just pound your WordPress site and keep trying different passwords.

If a user tries 2 or 3 times, lock them out.

Jonathan Dingman March 23, 2013 9:33 am

[demoing a video right now]

Jonathan Dingman March 23, 2013 9:34 am

The video demo is run against his own site, dremeda.com, because if you try it on another site, it’s actually a felony.

Jonathan Dingman March 23, 2013 9:38 am

audience question, “the script you ran, is that actually getting the password from the DB or from the text file?”

Dre: “From the txt file, it’s not actually getting into the database”

Jonathan Dingman March 23, 2013 9:39 am

“Password management”

* “password” is still a top 5 most-used password
* use unique passphrases
* use different passwords across accounts
* Password management tools

Jonathan Dingman March 23, 2013 9:40 am

It’s 2013 and people are still using “password” as their password.

Users on LinkedIn are using “linkedin” in their password.

are you kidding me?

Jonathan Dingman March 23, 2013 9:42 am

If you’re using “01” or “password01” for bankofamerica and on wordpress.com and on aol.com, guess what: whoever gets that one password has access to all the accounts.

Jonathan Dingman March 23, 2013 9:42 am

In the demo, Dre is using LastPass. GREAT TOOL.

Jonathan Dingman March 23, 2013 9:43 am

If you don’t have a backup schedule in place, you’re doing it wrong.

Make sure you have an incremental backup routine in place in case your site explodes.

Jonathan Dingman March 23, 2013 9:44 am

Two main tools: VaultPress and BackupBuddy (by iThemes).

Jonathan Dingman March 23, 2013 9:46 am

That’s it folks! Next up will be Michael Bastos, stay tuned on the blog.


A lot of important points, and VaultPress and BackupBuddy are both excellent tools, but good security doesn’t have to be expensive… there are a lot of solid free alternatives. E.g. I use Wordfence for daily malware scanning & login lockdowns, BackWPup for automated backups (it’ll back up offsite – very important if someone wipes your site out completely).

One thing that Wordfence showed me was that my sites are all under constant attack. THOUSANDS of login attempts every week, even on sites that aren’t in active use. And guess what? Every single last one of them has been against the user ‘admin’. So, simply by making sure you don’t HAVE an admin user, you’re protecting yourself from a lot of potential danger. This is mostly a problem for sites created prior to WP 3.0 – I wrote about it in more detail a couple of weeks ago: http://topdownview.com/2013/03/im-telling-you-now-i-dont-have-an-admin-user/
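Two things in this post fit one small example: the failed-login lockout Dre recommends in the talk (lock an account after two or three misses, something WordPress does not do natively) and the pattern the commenter saw in Wordfence (a steady stream of failures, all against ‘admin’). The Python below is an added example, not code from the talk, the Codex, WordPress or Wordfence, and the auth-log line format and the log lines themselves are constructed for it; `LoginLimiter` and `replay_log` are names chosen here.

```python
"""Failed-login lockout of the kind the talk recommends, replayed over a
constructed auth log. Added example: not Dre Armeda's code and not how
WordPress or Wordfence implement it; the log format is made up here."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed line format: "<ISO timestamp> wp-login <FAILED|OK> user=<name> ip=<addr>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) wp-login (?P<result>FAILED|OK) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


class LoginLimiter:
    """Lock a (user, ip) pair once it accumulates `max_failures` failures
    inside `window`; the lock lasts for `lockout`, and a successful login
    clears the pair's failure history."""

    def __init__(self, max_failures=3, window=timedelta(minutes=15),
                 lockout=timedelta(minutes=30)):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # (user, ip) -> recent failure times
        self._locked_until = {}              # (user, ip) -> lock expiry

    def is_locked(self, user, ip, now):
        """True while the pair is locked; an expired lock is cleared here."""
        key = (user, ip)
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            del self._locked_until[key]
            self._failures.pop(key, None)
            return False
        return True

    def record_failure(self, user, ip, now):
        """Register one failed attempt; return True if the pair is now locked."""
        key = (user, ip)
        if self.is_locked(user, ip, now):
            return True
        recent = self._failures[key]
        recent.append(now)
        while recent and now - recent[0] > self.window:
            recent.popleft()  # forget failures older than the window
        if len(recent) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            return True
        return False

    def record_success(self, user, ip):
        self._failures.pop((user, ip), None)


def replay_log(lines, limiter=None):
    """Feed auth-log lines (in timestamp order) through a limiter.
    Returns (attempts per user, set of locked (user, ip) pairs,
    number of attempts refused because the pair was already locked)."""
    if limiter is None:
        limiter = LoginLimiter()
    attempts = defaultdict(int)
    locked = set()
    refused = 0
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines in some other format
        when = datetime.fromisoformat(m["ts"])
        user, ip = m["user"], m["ip"]
        attempts[user] += 1
        if limiter.is_locked(user, ip, when):
            refused += 1  # refused before the password is even checked
        elif m["result"] == "FAILED":
            if limiter.record_failure(user, ip, when):
                locked.add((user, ip))
        else:
            limiter.record_success(user, ip)
    return dict(attempts), locked, refused


# Constructed sample: a burst against "admin" from one address, one
# legitimate login, a single miss from another address, and one more
# attempt from the first address after its 30-minute lock has expired.
SAMPLE_LOG = """\
2013-03-23T09:30:01 wp-login FAILED user=admin ip=203.0.113.7
2013-03-23T09:30:02 wp-login FAILED user=admin ip=203.0.113.7
2013-03-23T09:30:04 wp-login FAILED user=admin ip=203.0.113.7
2013-03-23T09:30:05 wp-login FAILED user=admin ip=203.0.113.7
2013-03-23T09:30:06 wp-login FAILED user=admin ip=203.0.113.7
2013-03-23T09:31:00 wp-login OK user=jdingman ip=198.51.100.4
2013-03-23T09:31:30 wp-login FAILED user=admin ip=203.0.113.9
2013-03-23T10:01:00 wp-login FAILED user=admin ip=203.0.113.7
""".splitlines()

if __name__ == "__main__":
    per_user, locked_pairs, refused_count = replay_log(SAMPLE_LOG)
    print("attempts per user:", per_user)
    print("locked pairs:", locked_pairs)
    print("attempts refused while locked:", refused_count)
```

Running it on the sample locks `("admin", "203.0.113.7")` at the third miss, refuses the next two attempts without touching the password check, leaves the single miss from 203.0.113.9 unlocked, and lets the first address try again once its lock has expired. The lock is keyed on user plus source address rather than user alone, because a lock on the username by itself lets anyone keep the real administrator locked out of their own site just by failing on purpose. In a real plugin the same bookkeeping would hang off WordPress’s `wp_login_failed` action and be checked before authentication; the Codex page linked in the talk covers that side.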