Keep them often, keep them secure. Check them regularly. Do not presume anyone is keeping backups, be certain.
Did you lock your car here? Who is at fault if it's broken into (that's right, the burglar!)? Choosing good passwords isn't about whether you can remember the password to log in, it's about policy. Do you feel it's necessary to have a unique password that will stop someone from getting into your site/FTP? (If not, just set it to abc123, password, or secret.) More on policy: you have to think about where you can log in to your site's admin pages (is this network secure/safe? Back to the car analogy regarding where you park it). Many of the remaining topics in this talk actually come down to this type of decision. For example, let's think of backups as “how important is it that you have a copy of your site's data if it's lost?” Your answer is what you base your backup policies on!
Following right on from passwords and policies. The longer you leave a site at the last security update, the longer you're exposing the domain to an attack. If there is a critical security fix in the patch, then you need to upgrade ASAP (unless your site is not on the internet). Why ASAP? I'll show some graphs, but in the infamous words of MC Frontalot, “it's already too late.”
It's really a stop-gap concept. “It's already too late.” The sooner the better for incident response. You need to know ASAP about these events to be able to take action.
Knowing what you're up against is important! Knowing is half the battle!
● Common threats
● Low hanging fruit
● Ties back in to best practices
● Review monitored logs of attacks
● Attacker motivation
● Commonly seen activity
It's well known attackers go for the easy target. No matter how much you think “I'm too small to be targeted”, it's not about that: every website is a possible target, if for nothing more than to act as a small part in a bigger attack (add another bot to the pile!).
It's all automated (well, mostly, but those are more unique cases). Bots hit sites every day. I know this because I monitor them, and unless there is a Ritalin-fueled obsessive compulsive freak of a person out there doing the same repetitive attacks on tens of thousands of sites a day, then these are bots.
You may ask yourself, why?
Money. This is just the majority of attacks we see, which are connected to cyber criminal gangs. There are alternatives such as Anonymous (who do it for awareness/causes) and, cough, governments (for espionage), but the vast majority is just gangs who want money.
● Arbitrary file uploads (upload backdoors)
● Code execution (backdoor access)
● Password compromise (they can do what you can do)
● LFI/RFI (backdoors)
● SQLi (get your DBs)
● Phishing (Identity theft)
● BlackHat SEO (Affiliate services fraud)
● Traffic Theft (Malware)
● Spam (All of the above)
● Backdoor installations (All of the above)
This is not to say the software listed is any less secure (each has patched the vulnerability). These are attempts, not successes. All attacks were blocked.
Let's call this “rimrum.php”. Not part of WordPress core.
OK, let's get into some important steps in a cleanup.
● Check for changes in files/DB/logins (back to best practices)
● Check for upgrades
● Password security
● It's easy, unless you weren't paying attention, then it's certainly far more difficult!
● Services (my god ...)
● DIY. … My god, it's only one line!
Why? Quarantine, so the attackers can do no further harm (to your visitors or your site).
Before you put things back online
Again before you put things back online
If someone had the key to your front door, would you not change it?
Show the find one-liner. Note WP's built-in file integrity rebuilder.
Directories and file permissions
● Good – companies that release fixes for free, work with hosting providers, never play the blame game.
● Bad – companies that have no contributions to the security community, high costs.
● Ugly – high costs, blame game posts in their blog!
● Charlatans (snake oil) – how will they interact with you as a customer if they openly berate people on their blog?
● Server side
● Site side
● WordPress specific tricks
● Review
Server side: permissions, firewalls (mod_sec, CloudFlare, htaccess), database server (hostname access).
Site side:
● Monitor with rsync/git/svn on your backup server
● Stop using FTP!
● HTTPS (who logged in today using the open wifi?)
● Permissions, always important.
WordPress specific:
● HTTPS logins, or two factor
● Admin: don't make your login name guessable
● Table prefixes help but don't prevent SQLi
● If you're uploading images, why would you execute them as PHP?
● How many plugins and themes do you have installed that are not in use?
There are a lot of options, just search for “security” in the plugins repository. Be warned, many end up unmaintained. Some claim to cover everything, but none cover all of your needs.
List/graph: CloudFlare, VaultPress, SiteMonitor, StopTheHacker, Sucuri. Anyone in the audience from these services? “Make checks payable to...”, or talk with them after.
Most of these will be techniques I will quickly cover that are all handled via SSH. Sorry, advanced topic. I can go over details in person.
Not supported with the WP panel. Use the “last” command via SSH; this will verify whether it was an SSH/FTP password compromise.
Timestamp correlation with file creations, logs, etc... Note the POST request … shady!
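The “find one-liner” and the timestamp correlation above, as an added example that is not from the talk: list PHP files changed in the last N days under a WordPress docroot, then pull the POST requests that reached each of them out of an Apache combined-format access log. The site tree, the log lines and the file name rimrum.php are constructed sample data (the talk's hypothetical name for a file that is not part of core).

```shell
#!/bin/sh
# Added example (not from the talk). Assumes a WordPress docroot on disk and an
# Apache combined-format access log; sample data below is constructed.

# List PHP files under $1 whose mtime is within the last $2 days.
recent_php_files() {
  find "$1" -type f -name '*.php' -mtime "-$2" | sort
}

# Print POST requests to URI path $2 from log $1 (anchored on the opening quote
# and trailing space so /x.php does not also match /x.php.bak).
posts_to_path() {
  grep -F "\"POST $2 " "$1"
}

# Timeline triage: for each recently changed file, show the POSTs that hit it.
triage() {
  docroot=$1; logfile=$2; days=$3
  recent_php_files "$docroot" "$days" | while read -r f; do
    echo "== changed: $f"
    posts_to_path "$logfile" "${f#"$docroot"}"
  done
}

# Constructed sample site: two "core" files back-dated to 1 Jan 2012 and one
# fresh PHP file in uploads, where PHP should never appear at all.
make_sample_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-admin" "$root/wp-includes" "$root/wp-content/uploads"
  printf '<?php // core\n' > "$root/wp-admin/admin.php"
  printf '<?php // core\n' > "$root/wp-includes/functions.php"
  printf '<?php // unexpected file\n' > "$root/wp-content/uploads/rimrum.php"
  touch -t 201201010000 "$root/wp-admin/admin.php" "$root/wp-includes/functions.php"
  echo "$root"
}

# Constructed access log: two POSTs to the new file from one address, one GET.
make_sample_log() {
  log=$(mktemp)
  cat > "$log" <<'EOF'
203.0.113.5 - - [16/Feb/2012:03:14:07 +0000] "POST /wp-content/uploads/rimrum.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.9 - - [16/Feb/2012:03:15:11 +0000] "GET /index.php HTTP/1.1" 200 4213 "-" "Mozilla/5.0"
203.0.113.5 - - [16/Feb/2012:03:16:20 +0000] "POST /wp-content/uploads/rimrum.php HTTP/1.1" 200 87 "-" "curl/7.21.0"
EOF
  echo "$log"
}
```

On a real host, run `triage /path/to/docroot /var/log/apache2/access.log 7` (paths are assumptions); a freshly modified file that only ever receives POSTs from one address is exactly the “shady” pattern to look at first.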
It doesn't hurt to ask, and it's entirely possible they are familiar with that specific type of attack.
Do not be ashamed to post about your site being compromised; if anything, it may help. Help not only you and your visitors, but the next webmaster that sees a similar attack against their site. Building a network of individual site owners who are all actively reporting these compromises is paying it forward.
No seriously, WordPress and Automattic take security seriously. Following the steps in this URL, which is well written, will show you specific details on what to do. I just didn't want to waste time talking about only what's on this URL.
● Software vulnerabilities
Arbitrary file uploads, Code execution, LFI/RFI, SQLi
● Password compromise
● Host based attacks
Are you on a shared host? (cloud?)
Show your work!
How does a compromised site equal profit?
● Phishing (Identity theft)
● BlackHat SEO (Affiliate services fraud)
● Traffic Theft (Malware)
● Spam (All of the above)
● Backdoor installations (All of the above)
● DreamHost attack logs
● Actual traffic from 8/20/2011 → 02/16/2012
Spot ALL THE “diff”erences!
● Use “diff” to compare directories.
● Works best with backups (or just download WP)
$ diff omgfire.com omgfire.com_lastbackup
Only in omgfire.com: this_could_be_a_backdoor.php
Common subdirectories: omgfire.com/wp-admin and
< <? /* this is a little bit of code changed! */ ?>
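The directory diff from the slide, as an added example that is not from the talk: `diff -rq` a live docroot against a clean reference copy (the last backup, or a fresh download of the same WordPress version), skip the paths that legitimately differ, and classify the rest as new, missing or modified. The two trees below are constructed in a temp dir; on a real host point it at the real directories.

```shell
#!/bin/sh
# Added example (not from the talk). Paths that are expected to differ between
# a live site and a clean copy; extend for your own setup.
IGNORE='wp-config\.php|wp-content(/|: )uploads|\.htaccess'

# Classify diff -rq output: files only in the live tree (new, unexpected),
# only in the reference (deleted), or present in both but changed.
compare_trees() {
  live=$1; ref=$2
  diff -rq "$live" "$ref" | grep -Ev "$IGNORE" | while read -r line; do
    case $line in
      "Only in $live"*) echo "NEW      ${line#Only in }" ;;
      "Only in $ref"*)  echo "MISSING  ${line#Only in }" ;;
      Files*)           f=${line#Files }; echo "MODIFIED ${f%% and *}" ;;
    esac
  done
}

# Constructed sample: identical "core" in both trees, then the live tree gets a
# tampered core file, an unexpected PHP file, a legitimate upload and a config.
make_sample_trees() {
  base=$(mktemp -d)
  for t in live ref; do
    mkdir -p "$base/$t/wp-admin" "$base/$t/wp-content/uploads"
    printf '<?php // core\n' > "$base/$t/wp-admin/admin.php"
  done
  printf '/* this is a little bit of code changed! */\n' >> "$base/live/wp-admin/admin.php"
  printf '<?php // not part of core\n' > "$base/live/wp-content/rimrum.php"
  printf 'jpegdata' > "$base/live/wp-content/uploads/photo.jpg"
  printf '<?php // site config\n' > "$base/live/wp-config.php"
  echo "$base"
}
```

Only the two findings that matter survive the filter: the modified core file and the file that exists nowhere in the reference; the upload and wp-config.php are expected differences and stay quiet.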
Pay for ALL THE fixes!!!
● The good, the bad and the ugly
Backups Prevention Cleanup Monitoring Authentication
Backups Prevention Cleanup Monitoring Price
X / X
Various others X