Details

Join us for an evening about WordPress Security, Open Source, and the Cyber Resilience Directive (CRA).

🕡 18:30 live, SAE Vienna, Kaisersaal, 1st floor

  • Information about MeetUps and WordCamps

⏱️ 18:45 – Robert Abela, CEO of Melapress:
“The Attacker That Never Logged In”
Session Hijacking, Stolen Cookies, and the Blind Spot in WordPress Security

They didn't guess the password. They didn't break 2FA, bypass the firewall, or trigger a single alert. The activity log shows no failed attempts, no unusual login times, no new accounts created.

And yet, the attacker is inside your WordPress site, accessing your WordPress dashboard.

Session hijacking leaves no login trace, because the attacker never logged in. They took an authentication cookie and reused an existing session. To WordPress, every request looks legitimate; the real user's credentials, their 2FA, their login restrictions, none of it applies. The session was already authenticated.

Most WordPress security advice is built around hardening and protection. However, that leaves a critical blind spot: what happens after authentication succeeds?

In this talk, we'll walk through how WordPress creates and validates authentication cookies and session tokens, explore the real-world scenarios where sessions get stolen, and map out what an attacker can do with a hijacked session before the damage becomes visible.

Then we'll get practical. We will look at how session visibility, timeout policies, concurrent login controls, device recognition, and activity logging that captures post-login behaviour are the controls that catch what firewalls and 2FA miss.

Firewalls, 2FA, and passkeys are essential. This talk covers what comes after them.

⏱️ 20:00 – René Pfeiffer:
“Cyber Resilience Directive (CRA) and Free Software”
The EU Cyber Resilience Directive (CRA) is in force and will be implemented over the coming years. Its goal is to give digital products a minimum level of security. Manufacturers and distributors are therefore obliged to build security into their products. The talk looks at how this is meant to work and what it means for components that come from Free Software.

🕘 21:00 We move on to a restaurant:
„Stuwer – am Schottentor“, Rockhgasse 1, 1010 Wien: https://stuwer.com

See you in Vienna! 🍻

★ Speaker wanted! Please contact Dominik Liss
★ Hosts: Martin Mucha, Helmut Wandl & Dominik Liss

***************

Many thanks to our sponsors:

💛 Martin Mucha e.U. https://martinmucha.at

🩵 Helmut Wandl https://helmutwandl.com

💜 Dominik Liss https://dominikliss.com

💚 WP-Stars – WordPress agency for complex platforms, e-commerce, and websites. https://wp-stars.com

🧡 SAE – Austria's leading address for education and training in the media sector. https://sae.at

***************
