Speaker note: Pundits will argue that admin is half the battle and that most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would
Slide 1: WordPress Security
Jigar Pandya, 7/30/2013

Slide 2: Know the Environment
LAMP stack: Linux, Apache, MySQL, PHP
• This is what it takes to run WordPress
• Each component carries its own laundry list of known vulnerabilities
• Bare-bones

Slide 3: Know the Application
WordPress: Core, Themes, Plugins, End-User
• Today's Problem

Slide 4: Realistic Environment
• Linux operating system
• Apache
• WordPress, cPanel, Plesk
• MySQL
• myLittleAdmin, phpMyAdmin, etc.
• PHP modules

Slide 5: Your Host
• Who is your host?
• How do you connect to the server? FTP, SFTP, SSH
• What security does your host use? Do they use any web security?
• What will your host do if you get hacked?
  - Will they shut your site down?
  - Will they kick you off their server?
  - Will they fix it for you?
IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION.

Slide 6: Connecting
• If you don't need it, disable it
• SFTP / SSH is preferred
• FTP works fine – disable it if you're not using it; don't talk to me if you are
• FTP/SFTP != WP-ADMIN
• Least privilege
  - You don't have to log in to FTP / SFTP with full root access
  - Everyone doesn't need to be an admin
  - You don't need to log in as admin
  - The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?

Slide 7: Attack Type
Opportunistic:
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think "TimThumb"
Targeted:
• Big enterprises with large followings: WordPress.com, WooThemes
• Worth investing time and energy to compromise – bigger return

Slide 8: Automation is KEY
Automation: Scan → Detect → Exploit → PWN
• Targeted / Opportunistic
• Vulnerability scans
• Brute force / data dictionary attacks
• DDoS / DoS
• XSS / CSRF
• SQLi

Slide 9: Blacklisting
• Take a chill pill.. Not the end of the world
• Detect, Remove, Submit

Slide 10: The MISTAKE
• But why me?!?!?!
• Forget the why, look at the how!!

Slide 11: Nothing Fancy Here.. The Facts
The How: "Own one, Own them All"

Slide 12: Application / Environment
Application – Today's Exploits:
• Injections
• Remote File Inclusion
• Remote File Execution
• Brute Force / Data Dictionary
• Privilege Escalation
Environment – You Control:
• Brute Force / Data Dictionary
• Remote File Include
• Remote File Execution

Slide 13: Top 5 WordPress Infections
• Backdoors – difficult to detect via HTTP
• Injections – easy to detect via HTTP
• Pharma Hack – the best person to detect it is the owner; difficult to detect via HTTP
• Malicious Redirects – easy to detect via HTTP
• Defacements – pretty obvious: you're now supporting the Syrian fight or preaching to your Turkish brothers

Slide 14: Backdoor
• Complete access via shell… kiss all hardening goodbye
• Sad day.. Good time to cry…

Slide 15: Link Injection
• Drive-by-download attempt – think Fake AV / Adobe
• Pharma links – erectile dysfunction (Viagra)

Slide 16: PHARMA
• Affiliate model
• Multi-million dollar industry
• Generates ~3.5k new clients daily

Slide 17: Defacement
• Hacktivism at its finest
• Awareness to cause

Slide 18: Common Vectors
• Vulnerable software
  - Often associated with out-of-date software
  - WordPress themes / plugins, more so than Core
• Cross-site contamination
  - Soup kitchen servers
• Compromised credentials
  - Password123, Password1, 111111a = not cool
• Remote File Inclusion
  - Leads to remote execution
  - Think TimThumb, Uploadify, etc…
"38% of us Would Rather Clean a Toilet Than Think of New Password" – Mashable

Slide 19: Simple Is So Much Sweeter…
Make it STOP
"The question isn't who is going to let me; it's who is going to stop me."

Slide 20: The Key is Access
• In almost all instances the key is access, whether via:
  - WP-ADMIN
  - SSH / SFTP (port 22)
  - FTP (port 21) => You are dead to me!!! :)
  - Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – you can't avoid zero-day events, but you can stay proactive once they are identified
• Doesn't include environmental issues
• Myth: remove "admin". Fact: cracking a 10-character password = 1,700 years via brute force. Today, dictionary attacks are the preferred method. Either way, it requires multiple scan attempts. The "administrator" role matters more than the "administrator" or "admin" user name.
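The slide's point that brute force and dictionary attacks both "require multiple scan attempts" is exactly what makes them visible in the web server log. The following is an added example, not from the talk: a shell/awk filter over Apache combined-format access log lines that counts POSTs to wp-login.php per client IP and flags repeat offenders. The sample log lines are constructed (documentation IP ranges), and the threshold of 5 is an assumption. It separates failed attempts from successes using WordPress's own behaviour: a failed login re-renders the form with HTTP 200, while a successful one redirects with HTTP 302.

```shell
#!/bin/sh
# Added example (not from the talk): flag clients hammering wp-login.php in an
# Apache combined-format access log. Sample lines below are constructed, using
# documentation IP ranges; the threshold of 5 is an assumption.

# Print "count ip" for each client IP with at least $1 POSTs to wp-login.php,
# highest count first. With $2 = 1, only failed attempts are counted: WordPress
# answers a failed login by re-rendering the form (HTTP 200) and a successful
# one with a redirect (HTTP 302). Reads log lines from stdin.
login_bursts() {
  threshold=${1:-10}
  failed_only=${2:-0}
  awk -v t="$threshold" -v fo="$failed_only" '
    # Combined format fields: $1 client IP, $6 "METHOD, $7 path, $9 status code
    $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && (fo == 0 || $9 == 200) { n[$1]++ }
    END { for (ip in n) if (n[ip] >= t) print n[ip], ip }
  ' | sort -rn
}

# Constructed sample log: one client makes 12 failed POSTs in 12 seconds; a
# legitimate user loads the form, logs in once (302) and reaches wp-admin.
sample_log() {
  i=1
  while [ "$i" -le 12 ]; do
    printf '203.0.113.10 - - [30/Jul/2013:10:00:%02d -0400] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"\n' "$i"
    i=$((i + 1))
  done
  cat <<'EOF'
198.51.100.7 - - [30/Jul/2013:10:00:05 -0400] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jul/2013:10:00:09 -0400] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Jul/2013:10:00:10 -0400] "GET /wp-admin/ HTTP/1.1" 200 5600 "-" "Mozilla/5.0"
EOF
}

# Stand-alone run against the sample. On a real host pipe the access log in,
# e.g.  login_bursts 5 1 < /var/log/apache2/access.log  (path is an assumption).
sample_log | login_bursts 5 1
```

Run as written it prints a single line, "12 203.0.113.10", while the legitimate user's one successful login never trips the threshold. This is the same signal the Limit Login Attempts plugin (slide 25) acts on inside the application, and the kind of rule a WAF or logging solution (slide 22) automates at the edge; counting only 200 responses avoids flagging a busy but legitimate user who logs in repeatedly.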
Slide 21: This is What Matters – KISS
From an access standpoint:
• Server WAF
• Application WAF
• Two-factor authentication
• Strong / unique password
• Secure environment
From a vulnerability standpoint:
• Stay current
• Use trusted sources
• Avoid soup kitchen servers
• Separate staging from production
• Secure environment

Slide 22: My Advice
To the Average Joe:
1. Kill PHP execution
2. Disable theme / plugin editing via Admin
3. Connect securely – SFTP / SSH
4. Use authentication keys in wp-config
5. Use trusted sources
6. Use a local antivirus – yes, Macs need one
7. Verify your permissions – D 755 | F 644
8. Least privilege
9. Kill generic accounts – accountability
10. Back up your site – yes, the database too
To the Paranoid / Lucky:
1. Don't let WordPress write to itself
2. Filter by IP:
   - SSH access
   - WP-ADMIN access
   - Database access
3. Use a dedicated server / VPS
4. Employ a WAF / logging solution
5. Enable SSL

Slide 23: Kill PHP Execution
• The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice. Recommendation: WP-INCLUDES, UPLOADS

    #PROTECT [Directory Name]
    <Files *.php>
    Deny from all
    </Files>

Slide 24: Disable Plugin/Theme Editor
• Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files.

    # Disable Plugin / Theme Editor
    define('DISALLOW_FILE_EDIT', true);
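Items 1, 2 and 7 of the Average Joe list (slide 22) and the two snippets on slides 23 and 24 are all things you can verify from the shell before and after a change. The script below is an added example, not from the talk: a read-only audit of a WordPress document root that counts directories not at 755 and files not at 644, checks whether wp-includes and wp-content/uploads carry a <Files *.php> deny block, and checks that wp-config.php defines DISALLOW_FILE_EDIT as true. The demo tree it builds under a temporary directory is constructed, and the /var/www/html path in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example (not from the talk): read-only audit of a WordPress document
# root against three recommendations from the slides: D 755 / F 644 modes, a
# PHP-deny .htaccess in wp-includes and wp-content/uploads, and
# DISALLOW_FILE_EDIT in wp-config.php. It reports and changes nothing.

# Count directories not mode 755 and files not mode 644 under $1 (prints a number).
count_bad_perms() {
  find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) | wc -l | tr -d ' '
}

# List those offenders with their modes so the operator can chmod them.
list_bad_perms() {
  find "$1" \( \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) \) -exec ls -ld {} +
}

# Print yes if $1/.htaccess denies every *.php: the slide's Apache 2.2 form
# "Deny from all" or the Apache 2.4 form "Require all denied" in a <Files *.php>
# block. Otherwise print no.
php_denied() {
  f="$1/.htaccess"
  if [ -f "$f" ] \
     && grep -Eq '^[[:space:]]*<Files[[:space:]]+\*\.php>' "$f" \
     && grep -Eq '^[[:space:]]*(Deny from all|Require all denied)' "$f"; then
    echo yes
  else
    echo no
  fi
}

# Print yes if wp-config.php under $1 defines DISALLOW_FILE_EDIT as true, else no.
# Case-insensitive because PHP function names are (the slide wrote "Define").
file_edit_disabled() {
  f="$1/wp-config.php"
  if [ -f "$f" ] && grep -Eiq \
       "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$f"; then
    echo yes
  else
    echo no
  fi
}

# Full report for one document root.
audit_wp() {
  root=$1
  echo "== $root"
  echo "permission deviations (want D 755 / F 644): $(count_bad_perms "$root")"
  list_bad_perms "$root"
  echo "PHP denied in wp-includes:        $(php_denied "$root/wp-includes")"
  echo "PHP denied in wp-content/uploads: $(php_denied "$root/wp-content/uploads")"
  echo "DISALLOW_FILE_EDIT in wp-config:  $(file_edit_disabled "$root")"
}

# Constructed demo tree (not a real install): uploads is protected, wp-includes
# is not, the editor is disabled, and two permission mistakes are planted.
make_demo_tree() {
  t=$(mktemp -d)
  mkdir -p "$t/wp-includes" "$t/wp-content/uploads" "$t/wp-content/plugins"
  cat > "$t/wp-config.php" <<'EOF'
<?php
define('DB_NAME', 'demo');
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
EOF
  cat > "$t/wp-content/uploads/.htaccess" <<'EOF'
#PROTECT uploads
<Files *.php>
Deny from all
</Files>
EOF
  echo '<?php echo "plugin";' > "$t/wp-content/plugins/demo.php"
  chmod -R u=rwX,go=rX "$t"                   # baseline: 755 dirs, 644 files
  chmod 777 "$t/wp-content/uploads"           # planted: world-writable directory
  chmod 666 "$t/wp-content/plugins/demo.php"  # planted: world-writable file
  echo "$t"
}

# Stand-alone run: audit the demo tree, then remove it.
# For a real site:  audit_wp /var/www/html   (path is an assumption).
demo=$(make_demo_tree)
audit_wp "$demo"
rm -rf "$demo"
```

Two caveats worth knowing before trusting a "yes" from php_denied: an .htaccess file only takes effect if the server's AllowOverride setting permits it for that directory, and the slide's `Deny from all` is Apache 2.2 syntax, which on Apache 2.4 needs `Require all denied` (the checker accepts either). Test the site after blocking PHP in wp-includes, since multisite serves ms-files.php from there.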
Slide 25: Recommended Plugins
Clients:
• Sucuri Security Premium
• Duo Two-Factor Authentication
• Theme-Check
• BackupBuddy
• Akismet
Non-Clients:
• Duo Two-Factor Authentication
• Limit Login Attempts
• Theme-Check
• BackupBuddy
• Akismet

Slide 26: Know Where to Go, If… It Happens
Support Forums:
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org
Online Resources:
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Perishable Press: http://perishablepress.com/category/web-design/security/
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

Slide 27: Blacklist Entities
• Google – Chrome, Firefox; Search Engine Results Page (SERP)
  - http://www.google.com/webmaster/tools
  - http://www.google.com/safebrowsing/diagnostic?site=[your site]
• Bing – Internet Explorer, Yahoo
  - http://www.bing.com/toolbox/webmaster/
• Norton – SafeWeb Browsing, Facebook
  - http://safeweb.norton.com/
• AVG – Opera
  - http://www.avgthreatlabs.com/sitereports/

Slide 28
Jigar Pandya
http://www.zealousweb.com
http://youritcoach.wordpress.com