Word press security
Upcoming SlideShare
Loading in...5
×
 

Word press security

on

  • 271 views

 

Statistics

Views

Total Views
271
Slideshare-icon Views on SlideShare
271
Embed Views
0

Actions

Likes
0
Downloads
2
Comments
0

0 Embeds 0

No embeds

Accessibility

Categories

Upload Details

Uploaded via as Microsoft PowerPoint

Usage Rights

© All Rights Reserved

Report content

Flagged as inappropriate Flag as inappropriate
Flag as inappropriate

Select your reason for flagging this presentation as inappropriate.

Cancel
  • Full Name Full Name Comment goes here.
    Are you sure you want to
    Your message goes here
    Processing…
Post Comment
Edit your comment
  • Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would

Word press security Word press security Presentation Transcript

  • J I G A R P A N D Y A WordPress Security 1
  • Know the Environment 7/30/2013 2 LAMPSTACK LINUX Apache MySQL PHP • This is what it takes to run WordPress • Each contains its own laundry list of known vulnerabilities • Bare-bones
  • Know the application 7/30/2013 3 WordPress Core Themes Plugins End-User • Today‟s Problem
  • Realistic Environment 7/30/2013 4 Linux Operating System Apache WordPress CPANEL Plesk MySQL myLittleAdmin PHPMyAdmin Etc.. PHP Modules
  • Your Host 7/30/2013 5  Who is your host?  How do you connect to the server?  FTP, SFTP, SSH  What security does your host use? Do they use any web security?  What will your host do if you get hacked?  Will they shut your site down?  Will they kick you off their server?  Will they fix it for you? IF YOU DON”T KNOW WHAT YOU”RE DOING GO WITH A MANAGED SOLUTION
  • Connecting 7/30/2013 6  If you don‟t need it, disable it  SFTP / SSH is preferred  FTP works fine – disable if you‟re not using, don‟t talk to me if you are  FTP/SFTP != WP-ADMIN  Least Privileged  You don‟t have to log in FTP / SFTP with full root access  Everyone doesn‟t need to be an admin  You don‟t need to log in as admin  The focus is on the role, not the name of the user  Accountability – kill generic accounts – who is doing what?
  • Opportunistic Targeted 7/30/2013  Trolling the web looking for known vulnerabilities  Ability for mass exposure  Think “TimThumb”  Big enterprises with large followings:  WordPress.com  WooThemes  Worth Investing time and energy to compromise, bigger return 7 Attack Type
  • Automation is KEY 7/30/2013 8 Automation Scan Detect Exploit PWN • Targeted / Opportunistic • Vulnerability Scans • Brute Force / Data Dictionary Attacks • DDOS / DOS • XSS / CSRF • SQLi
  • Blacklisting 7/30/2013 9 • Take a chill pill.. Not the end of the world • Detect, Remove, Submit
  • The MISTAKE 7/30/2013 10  But why me?!?!?!  Forget the why, look at the how!!
  • N O T H I N G F A N C Y H E R E . . T H E F A C T S 7/30/2013 11 The How “Own one Own them All”
  • Application Environment 7/30/2013  Injections  Remote File Inclusion  Remote File Execution  Brute Force / Data Dictionary  Privilege Escalation  Brute Force / Data Dictionary  Remote File Include  Remote File Execution 12 Today‟s Exploits You Control
  • Top 5 WordPress Infections 7/30/2013 13  Backdoors  Difficult to Detect via HTTP  Injections  Easy to Detect via HTTP  Pharma Hack  Best person to detect is the owner, difficult to detect via HTTP  Malicious Redirects  Easy to Detect via HTTP  Defacements  Pretty obvious – you‟re now supporting the Syrian fight or preaching to your Turkish brothers
  • Backdoor 7/30/2013 14 • Complete access via shell… kiss all hardening good bye • Sad day.. .. Good time to cry…
  • Link Injection 7/30/2013 15 • Drive-by-Download attempt – think Fake AV / Adobe • Pharma Links – Erectile Dysfunction (Viagra)
  • PHARMA 7/30/2013 16 • Affiliate Model • Multi-million dollar industry • Generate ~3.5k new clients daily
  • Defacement 7/30/2013 17 • Hacktivism at its finest • Awareness to cause
  • Common Vectors 7/30/2013 18  Vulnerable Software  Often associated with Out-of-date software  WordPress Themes / Plugins, more so than Core  Cross Site Contamination  Soup Kitchen Servers  Compromised Credentials  Password123, Password1, 111111a = not cool  Remote File Inclusion  Leads to Remote Execution  Think TimThumb, Uploadify, etc… “38% of us Would Rather Clean a Toilet Than Think of New Password” - Mashable
  • S I M P L E I S S O M U C H S W E E T E R … 7/30/2013 19 Make it STOP “The question isn't who is going to let me; it's who is going to stop me.”
  • The Key is Access 7/30/2013 20  In almost all instances the key is access, whether via:  WP-ADMIN  SSH / SFTP (Port 22)  FTP (Port 21) = > You are dead to me!!! : )  Remote File Inclusion – Vulnerabilities in TimThumb / Uploadify – can‟t avoid Zero day events, but you can stay proactive when identified  Doesn‟t include environmental issues  Myth: Remove Admin  Fact: to crack a 10 character password = 1,700 years via brute-force. Today, dictionary attacks are the preferred method. Either way, requires multiple scan attempts.  The “administrator” role matters more than the “administrator” or “admin” user name.
  • This is What Matters - KISS 7/30/2013 21 Server WAF Application WAF Two Factor Authentication Strong / Unique Password Secure Environment From an access stand point: From a vulnerability stand point: Stay Current Use Trusted Sources Avoid Soup Kitchen Servers Separate Staging from Production Secure Environment
  • To the Average Joe: To the Paranoid / Lucky: 7/30/2013 1. Kill PHP Execution 2. Disable Theme / Plugin Editing via Admin 3. Connect Securely – SFTP / SSH 4. Use Authentication Keys in wp-config 5. Use Trusted Sources 6. Use a local Antivirus – Yes, MAC‟s need one 7. Verify your permissions - D 755 | F 644 8. Least Privileged 9. Kill generic accounts - Accountability 10. Backup your site – yes, Database too 1. Don‟t let WordPress write to itself 2. Filter by IP  SSH Access  WP-ADMIN Access  Database Access 3. Use a dedicated server / VPS 4. Employ a WAF / Logging Solution 5. Enable SSL 22 My Advise
  • Kill PHP Execution 7/30/2013 23  The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice. Recommendation:  WP-INCLUDES  UPLOADS #PROTECT [Directory Name] <Files *.php> Deny from all </Files>
  • Disable Plugin/Theme Editor 7/30/2013 24  Add to wp-config – if a user is compromised they won‟t be able to add anything to the core theme or plugin files. # Disable Plugin / Theme Editor Define(„DISALLOW_FILE_EDIT‟,true);
  • Clients Non-Clients 7/30/2013  Sucuri Security Premium  Duo Two-Factor Authentication  Theme-Check  BackupBuddy  Akismet  Duo Two-Factor Authentication  Limit Login Attempts  Theme-Check  BackupBuddy  Akismet 25 Recommended Plugins
  • Support Forums Online Resources 7/30/2013  Hacked – http://wordpress.org/tag s/hacked  Malware – http://wordpress.org/tag s/malware  BadwareBusters – https://badwarebusters. org  Sucuri Blog: http://blog.sucuri.net  SiteCheck Scanner: http://sitecheck.sucuri.net  Unmask Parasites: http://unmaskparasites.com  Perishable Press: http://perishablepress.com/category /web-design/security/  Secunia Security Advisories: http://secunia.com/community/advi sories/search/?search=wordpress 26 Know Where to Go, If… It happens
  • Blacklist entities 7/30/2013 27  Google  Chrome, FireFox  Search Engine Results Page (SERP)  http://www.google.com/webmaster/tools  http://www.google.com/safebrowsing/diagnostic?site=[your site]  Bing  Internet Explorer  Yahoo  http://www.bing.com/toolbox/webmaster/  Norton  SafeWeb Browsing  Facebook  http://safeweb.norton.com/  AVG  Opera  http://www.avgthreatlabs.com/sitereports/
  • 7/30/2013 28 Jigar Pandya http://www.zealousweb.com http://youritcoach.wordpress.com
  • 7/30/2013 29