WordPress Security
Published in: Technology

  • Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would
  • Transcript

    • 1. WordPress Security, by Jigar Pandya
    • 2. Know the Environment (7/30/2013)
      - LAMP stack: Linux, Apache, MySQL, PHP. This is what it takes to run WordPress.
      - Each component carries its own laundry list of known vulnerabilities.
      - Bare-bones.
    • 3. Know the Application
      - WordPress Core, Themes, Plugins, End-User: today's problem.
    • 4. Realistic Environment
      - Linux operating system, Apache, WordPress, cPanel, Plesk, MySQL, myLittleAdmin, phpMyAdmin, PHP modules, etc.
    • 5. Your Host
      - Who is your host?
      - How do you connect to the server? FTP, SFTP, SSH?
      - What security does your host use? Do they use any web security?
      - What will your host do if you get hacked? Will they shut your site down? Will they kick you off their server? Will they fix it for you?
      - IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION.
    • 6. Connecting
      - If you don't need it, disable it.
      - SFTP / SSH is preferred. FTP works fine; disable it if you're not using it, and don't talk to me if you are.
      - FTP/SFTP != WP-ADMIN.
      - Least privilege: you don't have to log in to FTP / SFTP with full root access; not everyone needs to be an admin; you don't need to log in as admin. The focus is on the role, not the name of the user.
      - Accountability: kill generic accounts. Who is doing what?
    • 7. Attack Type: Opportunistic vs. Targeted
      - Opportunistic: trolling the web looking for known vulnerabilities; ability for mass exposure. Think "TimThumb".
      - Targeted: big enterprises with large followings (WordPress.com, WooThemes). Worth investing time and energy to compromise; bigger return.
    • 8. Automation is KEY
      - Automation: Scan, Detect, Exploit, PWN.
      - Targeted / opportunistic; vulnerability scans; brute force / dictionary attacks; DDoS / DoS; XSS / CSRF; SQLi.
    • 9. Blacklisting
      - Take a chill pill; not the end of the world.
      - Detect, Remove, Submit.
    • 10. The MISTAKE
      - But why me?!
      - Forget the why, look at the how!
    • 11. The How: Nothing Fancy Here, the Facts
      - "Own one, own them all."
    • 12. Today's Exploits
      - Application (you control): Injections, Remote File Inclusion, Remote File Execution, Brute Force / Dictionary, Privilege Escalation.
      - Environment: Brute Force / Dictionary, Remote File Include, Remote File Execution.
    • 13. Top 5 WordPress Infections
      - Backdoors: difficult to detect via HTTP.
      - Injections: easy to detect via HTTP.
      - Pharma Hack: the best person to detect it is the owner; difficult to detect via HTTP.
      - Malicious Redirects: easy to detect via HTTP.
      - Defacements: pretty obvious; you're now supporting the Syrian fight or preaching to your Turkish brothers.
    • 14. Backdoor
      - Complete access via shell... kiss all hardening goodbye.
      - Sad day... good time to cry.
    • 15. Link Injection
      - Drive-by-download attempt; think fake AV / Adobe.
      - Pharma links: erectile dysfunction (Viagra).
    • 16. PHARMA
      - Affiliate model; multi-million dollar industry; generates ~3.5k new clients daily.
    • 17. Defacement
      - Hacktivism at its finest; awareness to a cause.
    • 18. Common Vectors
      - Vulnerable software: often associated with out-of-date software; WordPress themes / plugins, more so than core.
      - Cross-site contamination: soup kitchen servers.
      - Compromised credentials: Password123, Password1, 111111a = not cool.
      - Remote File Inclusion: leads to remote execution. Think TimThumb, Uploadify, etc.
      - "38% of us Would Rather Clean a Toilet Than Think of New Password" - Mashable
    • 19. Make it STOP: Simple Is So Much Sweeter...
      - "The question isn't who is going to let me; it's who is going to stop me."
    • 20. The Key is Access
      - In almost all instances the key is access, whether via WP-ADMIN, SSH / SFTP (port 22), or FTP (port 21) => you are dead to me! :)
      - Remote File Inclusion: vulnerabilities in TimThumb / Uploadify. You can't avoid zero-day events, but you can stay proactive once they are identified.
      - Doesn't include environmental issues.
      - Myth: remove the "admin" user. Fact: cracking a 10-character password by brute force = 1,700 years. Today, dictionary attacks are the preferred method. Either way, it requires multiple scan attempts. The "administrator" role matters more than the "administrator" or "admin" user name.
    • 21. This is What Matters - KISS
      - From an access standpoint: server WAF, application WAF, two-factor authentication, strong / unique password, secure environment.
      - From a vulnerability standpoint: stay current, use trusted sources, avoid soup kitchen servers, separate staging from production, secure environment.
    • 22. My Advice
      - To the Average Joe:
        1. Kill PHP execution.
        2. Disable theme / plugin editing via admin.
        3. Connect securely: SFTP / SSH.
        4. Use authentication keys in wp-config.
        5. Use trusted sources.
        6. Use a local antivirus (yes, Macs need one).
        7. Verify your permissions: D 755 | F 644.
        8. Least privilege.
        9. Kill generic accounts (accountability).
        10. Back up your site, yes, the database too.
      - To the Paranoid / Lucky:
        1. Don't let WordPress write to itself.
        2. Filter by IP: SSH access, WP-ADMIN access, database access.
        3. Use a dedicated server / VPS.
        4. Employ a WAF / logging solution.
        5. Enable SSL.
    • 23. Kill PHP Execution
      - The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice. Recommendation: WP-INCLUDES, UPLOADS.

        # PROTECT [Directory Name]
        <Files *.php>
        Deny from all
        </Files>
    • 24. Disable Plugin/Theme Editor
      - Add to wp-config; if a user is compromised they won't be able to add anything to the core theme or plugin files.

        # Disable Plugin / Theme Editor
        define('DISALLOW_FILE_EDIT', true);
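The three file-level steps from slides 22 (permissions 755/644), 23 (kill PHP execution) and 24 (disable the editor) as one script, added here as an example and not part of the presentation. It assumes Apache reads .htaccess files, and the site root passed to harden is a constructed path; the .htaccess it writes carries both the Apache 2.2 form shown on the slide and the 2.4 form, since a bare "Deny from all" on 2.4 without mod_access_compat is a config error that takes the whole site down.

```shell
#!/bin/sh
# Added example, not from the slides: apply steps 1, 2 and 7 of the "Average Joe" list
# to a WordPress tree and report what is wrong. Assumes Apache honours .htaccess.

# Slide 23: stop PHP from running out of a writable directory (uploads).
# Both the Apache 2.2 (Deny from all) and 2.4 (Require all denied) forms are written
# so the rule holds regardless of the server version.
kill_php_exec() {
    mkdir -p "$1"
    cat > "$1/.htaccess" <<'EOF'
# PROTECT this directory: nothing here should ever be executed as PHP
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</Files>
EOF
}

# Slide 24: true only if wp-config.php disables the in-admin theme/plugin editor
# (single-quoted constant name, as on the slide; "define" matched case-insensitively).
has_file_edit_disabled() {
    grep -Eiq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" \
        "$1/wp-config.php"
}

# Slide 22, step 7: count entries whose mode is not D 755 / F 644.
# wp-config.php and .htaccess are skipped: they are commonly kept tighter (600/640).
perm_violations() {
    find "$1" \( -type d ! -perm 755 \) -o \
              \( -type f ! -name wp-config.php ! -name .htaccess ! -perm 644 \) \
        | wc -l | tr -d ' '
}

# Run all three against a site root, e.g.: harden /var/www/html  (constructed path)
harden() {
    kill_php_exec "$1/wp-content/uploads"
    has_file_edit_disabled "$1" \
        || echo "wp-config.php: add define('DISALLOW_FILE_EDIT', true);"
    echo "entries not 755/644 under $1: $(perm_violations "$1")"
}
```

Blanket-blocking *.php under wp-includes, as the slide also suggests, needs exceptions for the few include files WordPress serves directly, so this script only applies the rule to uploads.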
    • 25. Recommended Plugins
      - Clients: Sucuri Security Premium, Duo Two-Factor Authentication, Theme-Check, BackupBuddy, Akismet.
      - Non-Clients: Duo Two-Factor Authentication, Limit Login Attempts, Theme-Check, BackupBuddy, Akismet.
    • 26. Know Where to Go, If... It Happens
      - Support forums: Hacked - http://wordpress.org/tags/hacked ; Malware - http://wordpress.org/tags/malware ; BadwareBusters - https://badwarebusters.org
      - Online resources: Sucuri Blog - http://blog.sucuri.net ; SiteCheck Scanner - http://sitecheck.sucuri.net ; Unmask Parasites - http://unmaskparasites.com ; Perishable Press - http://perishablepress.com/category/web-design/security/ ; Secunia Security Advisories - http://secunia.com/community/advisories/search/?search=wordpress
    • 27. Blacklist Entities
      - Google (Chrome, Firefox, Search Engine Results Page / SERP): http://www.google.com/webmaster/tools ; http://www.google.com/safebrowsing/diagnostic?site=[your site]
      - Bing (Internet Explorer, Yahoo): http://www.bing.com/toolbox/webmaster/
      - Norton (SafeWeb Browsing, Facebook): http://safeweb.norton.com/
      - AVG (Opera): http://www.avgthreatlabs.com/sitereports/
    • 28. Jigar Pandya: http://www.zealousweb.com , http://youritcoach.wordpress.com