Website Security is about Passwords?

Perhaps the thing that annoys me the most when I hear security being shared with end-users is when they get the information wrong or overemphasize things they don’t understand or can’t support. This is the problem in the way we communicate, especially in the WordPress community. It applies to all communities, though, regardless of platform.

To be clear, in case the title was misleading, this sentiment is wrong and we should do a better job at communicating security.

It All Lies Within the World of Passwords

Most of the nonsense I hear around this comes from folks with a very small perspective into the world of security, and as of late seems to stem from the access control guys (those that are fighting the password game). [Continue reading]

How we Think About Website Security

I recently attended WordCamp San Francisco (WCSF), where Matt Mullenweg, founder of the WordPress project and CEO of Automattic, gave his annual State of the Word. WordCamps are informal, community-organized events that are put together by WordPress … [Continue reading]

Accounting for Security in Website Projects

Many know very little about me or my past and what I used to do; most just know me for my time in security. There was a time, though, that I spent as a Project / Program Manager for a couple of different organizations. I even dabbled in a WordPress-centric design … [Continue reading]

What’s wrong with your pa$$w0rd? – Lorrie Faith Cranor

The discussion on access control seems to be commonplace these days with the latest revelations in the news. I found this video on some research Lorrie is doing on the subject very interesting and insightful. … [Continue reading]

Importance of Updates in Website Security – WordPress, Joomla, Drupal and CMSs

In my recent post on the dilemma that is WordPress security, there seemed to be some confusion as to my position on updates. Allow me a moment to provide clarity on the subject: yes, updates are very important. My previous statements are … [Continue reading]

The Dilemma that is WordPress Security

The past few weeks, WordPress security has come to the forefront of the discussion again, as it does every few months. As is often the case, it’s highly emotional and generates a lot of discussion. Chris Lema shared a post, Our discussions … [Continue reading]

Explaining XSS and CSRF By Google

I came across this video earlier today and found it very informative: it explains the difference between XSS and CSRF (XSRF). I find that most people rarely understand or differentiate between the two, so hopefully this video helps. It's laid out in a … [Continue reading]

Secure Your Traffic on Public WiFi’s

Often when I give talks on website security, one of the discussion points is, and rightfully so, your individual posture when interacting on the web. This often means being aware of things like transferring your data insecurely over the … [Continue reading]

Sucuri Is Hiring!!

Please pass this on to your contacts, my company, Sucuri, is actively hiring. If you think you'd make a good fit please let us know. … [Continue reading]

WordPress Security – Learning From Hacks

This evening I will be giving a presentation at WordSesh at midnight PST (0800 UTC). Here is the presentation I plan to give. When the video is published I will share it as well. The goal of this presentation is to learn from hacks as … [Continue reading]