May 13, 2016 — You always think it will never happen to you, but when it does, it’s all hands on deck. My personal site was almost hacked, and since then I have actively looked at what I could improve. During this talk I will talk about what I had before and show all the improvements I have made since then. It will be a mix of using the existing tools and my own creations for managing my sites.
May 12, 2016 — Unfortunately WordPress has a reputation for weak security, and the web is full of guides and plugins to enhance WordPress security. Unfortunately some of that advice is misleading or just a false sales pitch. Understanding what is truly essential for security and what is irrelevant can be difficult. In this talk Otto will explain, based on his experience of maintaining hundreds of WordPress sites, what he doesn’t consider relevant and what you don’t need to worry about, and what the actually important things are that you need to care for.
May 11, 2016 — I will talk about how my blog and Facebook Fanpage were hacked a year ago and how I got them back. What the whole thing was good for and everything I needed to change: changing passwords, pleading emails, a new design, code changes, different plugins, …
April 29, 2016 — This intermediate-to-advanced developer talk will focus on the vulnerabilities common in WordPress plugins and themes: what they are, how they work, and what a developer can do to prevent them. Topics will include XSS, CSRF and various other vulnerabilities often seen in WordPress.
April 26, 2016 — Although often an afterthought, security should be built into a website from the beginning of the development process. Drawing on Binod and Logan’s research, this talk is a comprehensive discussion of how to protect a website from its inception. Binod and Logan will take attendees through best practices of secure product development, including how to incorporate white-box testing to ensure code security, and real-life examples will be presented. Finally, Binod and Logan will share insight on post-deployment and how to monitor and patch websites, mitigating future attacks.
April 25, 2016 — Security can be complex, intimidating, and even frightening. Don’t let the enormity of it scare you into inaction. Learn what some of the security researchers and security professionals deal with, and then find out some simple steps you can take to secure your sites.
April 21, 2016 — What does it mean when someone has abused your WordPress environment? How would you even know? We’ll explore the real impact on you as a website owner when attackers abuse your site, your brand, your audience and ultimately: your wallet.
I’ll touch on the following key items:
The types of attacks that can abuse a WordPress site (defacement, re-directs, phishing, etc.)
How a compromise can abuse your visitors and Google’s involvement in this process.
How does this affect you financially? I’ll convey stories on clients who lost massive income from the smallest of hacks.
April 20, 2016 — Security is hard. Over the last few months there have been a number of high-profile plugin security vulnerabilities, but there is surprisingly little familiarity in the developer community when it comes to properly evaluating and remedying issues when they are discovered.
In this talk, we’ll explain in basic terms how several types of vulnerabilities work (including Cross-Site Scripting (XSS), SQL Injection (SQLi), Cross-Site Request Forgery (CSRF), and Clickjacking), see what can be done to defend against them, and cover what to do when a vulnerability is reported to you.
Please Note: This is a development-oriented talk, but will not get too deep into code.
February 7, 2016 — Defending against attacks on WordPress does not begin only once the installation is done and the site is online. Already while developing themes and plugins, developers can help make their products more secure. We take a look at possible attack vectors and at the facilities WordPress offers out of the box to secure against them.
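As an added example that is not code from any of the talks above, here is the same admin form handler from a hypothetical plugin written twice. The first version shows how the XSS, CSRF and SQL injection issues named in the April 29, April 20 and February 7 abstracts arise; the second uses the nonce, capability, sanitization, escaping and prepared-statement facilities WordPress ships. The plugin prefix `wcsec`, the `{$wpdb->prefix}wcsec_notes` table and the function names are assumptions made for the example.

```php
<?php
// Added example, not from any of the talks above. The plugin prefix "wcsec",
// the notes table and all function names are hypothetical.

// --- Vulnerable version: the patterns the developer talks warn about --------
function wcsec_render_form_vulnerable() {
    // XSS: a request parameter is echoed straight into an HTML attribute.
    $note = isset( $_GET['note'] ) ? $_GET['note'] : '';
    echo '<form method="post" action="' . admin_url( 'admin-post.php' ) . '">';
    echo '<input type="hidden" name="action" value="wcsec_save">';
    echo '<input name="note" value="' . $note . '">';   // no escaping
    echo '<button>Save</button></form>';
}

function wcsec_save_vulnerable() {
    global $wpdb;
    // CSRF: no nonce and no capability check, so a third-party page can make a
    // logged-in user's browser submit this request without their knowledge.
    // SQLi: request values are concatenated directly into the query.
    $wpdb->query(
        "UPDATE {$wpdb->prefix}wcsec_notes SET body = '" . $_POST['note'] .
        "' WHERE id = " . $_POST['id']
    );
    wp_safe_redirect( admin_url( 'admin.php?page=wcsec' ) );
    exit;
}

// --- Hardened version: using what WordPress provides out of the box ---------
function wcsec_render_form() {
    // Sanitize on input, escape on output for the attribute context.
    $note = isset( $_GET['note'] ) ? sanitize_text_field( wp_unslash( $_GET['note'] ) ) : '';
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="wcsec_save">';
    wp_nonce_field( 'wcsec_save_note', 'wcsec_nonce' );           // CSRF token
    echo '<input name="note" value="' . esc_attr( $note ) . '">';
    echo '<button>Save</button></form>';
}

function wcsec_save() {
    global $wpdb;
    // Authorization first: only users who may manage options get this far.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    // check_admin_referer() calls wp_die() if the nonce is missing or invalid.
    check_admin_referer( 'wcsec_save_note', 'wcsec_nonce' );

    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $note = isset( $_POST['note'] ) ? sanitize_text_field( wp_unslash( $_POST['note'] ) ) : '';

    // $wpdb->prepare() quotes %s and casts %d, so user data never reaches the
    // query as SQL syntax.
    $wpdb->query( $wpdb->prepare(
        "UPDATE {$wpdb->prefix}wcsec_notes SET body = %s WHERE id = %d",
        $note,
        $id
    ) );
    wp_safe_redirect( admin_url( 'admin.php?page=wcsec&saved=1' ) );
    exit;
}
add_action( 'admin_post_wcsec_save', 'wcsec_save' );
```

The two versions differ only in the lines that touch untrusted input, which is the point the talks make: the defences (nonce, capability check, `sanitize_text_field()`, `esc_attr()`, `$wpdb->prepare()`) are all core WordPress functions, so none of this requires an extra plugin.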
January 25, 2016 — Fighting the threats that stem from common mistakes is not easy, especially when those mistakes concern security measures we enable of our own accord.
What, in practice, are the bugs commonly called zero-days? We will find out using a concrete example. Ignoring the notice that an update to the latest WordPress version is required will no longer come easily once we learn the mechanism for injecting malicious code into the comment module by exploiting an XSS vulnerability. The attack simulation will be carried out with the Metasploit tool on Kali Linux.