Wordpress Security 101


1. Wordpress Security 101: Ensuring security through better understanding
   Developer Brown Bag Session, June 17, 2008
2. Agenda
   - Know Your Enemy
   - Know Your Platform
   - Know Your Hacks
   - Specific Wordpress Attacks
   - The Good News
   - Discussion
3. Know Your Enemy: Hacker
   Definition from Wikipedia: a hacker is someone involved in computer security/insecurity, specializing in the discovery of exploits in systems (for exploitation or prevention), or in obtaining or preventing unauthorized access to systems through skills, tactics and detailed knowledge. In the most common general form of this usage, "hacker" refers to a black-hat hacker (a malicious or criminal hacker).
4. Know Your Enemy: White Hats, Blue Hats, Grey Hats
   White Hats: altruistic hackers, hacking for good.
   Blue Hats: outside hackers whom companies hire to test their sites.
   Grey Hats: hackers whose ethics and reasons for hacking are suspect.
5. Know Your Enemy: Black Hats, Script Kiddies, Hacktivists
   Black Hats: criminal hackers (stealing credit card numbers, etc.).
   Script Kiddies: a script kiddie is a person, usually not an expert in computer security, who breaks into computer systems using pre-packaged automated tools written by others.
   Hacktivists: hackers with a political agenda. Think of a PETA supporter hacking "EatBeef.com".
6. Know Your Platform: Wordpress
   Latest version: 2.5.1, released April 25, 2008.
   Wordpress is the standard open source blogging platform, and is commonly used as a CMS for sites around the web.
   From TechCrunch last week: "Due to its popularity as a blogging platform, Wordpress has become a prime target for hackers looking to take over blogs for search-engine optimization (SEO) of other sites they control, traffic-redirection and other purposes."
7. Know Your Platform: Best Practices
   - Keep the software up to date (core and plugins).
   - Be very careful what plugins you use: a plugin is arbitrary PHP that runs with the full privileges of the blog and its database account.
   - Secure wp-admin, and use strong passwords.
   - Validate and sanitize anything you accept via POST (comments, any user-generated content) before it is stored, and escape it again when it is output. Protect form submissions with nonces (wp_nonce_field / check_admin_referer) so that another site cannot make a logged-in user's browser submit the form for them; the nonce proves where the request came from, not that the data in it is safe.
   - Avoid writing SQL directly where a Wordpress function already exists; where you must, use $wpdb->prepare() so that values never become part of the query text.
   - Be aware of how the current "exploits" work.
   - Test your site (safely).
   - Share information with the team.
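The sanitize, nonce and database items above, as an added example that is not code from the slides or from Wordpress itself: a plugin form handler in its vulnerable form beside the hardened one. The table name brownbag_notes, the action name and the function names are hypothetical; the Wordpress API calls (check_admin_referer, wp_nonce_field, current_user_can, sanitize_text_field, wp_kses_post, wp_unslash, $wpdb->prepare) are real, and the example assumes a current Wordpress release (sanitize_text_field and wp_unslash post-date 2.5.1; $wpdb->prepare does not).

```php
<?php
// Added example, not from the slides. Hypothetical table {$wpdb->prefix}brownbag_notes.

// --- Vulnerable: raw $_POST concatenated into SQL, no CSRF or capability check ---
function brownbag_save_note_vulnerable() {
    global $wpdb;
    $title = $_POST['title'];
    $body  = $_POST['body'];
    // A title of   x', (SELECT user_pass FROM wp_users LIMIT 1)) -- 
    // turns the VALUES clause into ('x', (SELECT user_pass ...)) and stores a
    // password hash where the attacker can read it back. And because nothing
    // ties the request to our form, any site the victim visits can POST here
    // with the victim's cookies.
    $wpdb->query( "INSERT INTO {$wpdb->prefix}brownbag_notes (title, body)
                   VALUES ('$title', '$body')" );
}

// --- Hardened: capability check, nonce check, validation, prepared statement ---
function brownbag_save_note_hardened() {
    global $wpdb;

    // 1. Authorization: only users who may edit posts get this far.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( 'Insufficient permissions' );
    }

    // 2. CSRF: the form must carry a nonce minted for this user and this action.
    //    check_admin_referer() dies with an "Are you sure?" page on failure.
    check_admin_referer( 'brownbag_save_note', 'brownbag_nonce' );

    // 3. Validate and sanitize. This is separate from the nonce: the nonce says
    //    the request came through our form, not that the fields are harmless.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    $body  = isset( $_POST['body'] )  ? wp_kses_post( wp_unslash( $_POST['body'] ) ) : '';
    if ( '' === $title || strlen( $title ) > 200 ) {
        wp_die( 'Title is required and must be under 200 characters' );
    }

    // 4. Parameterized query: the values are bound, never spliced into the SQL.
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}brownbag_notes (title, body) VALUES (%s, %s)",
        $title,
        $body
    ) );
}

// The form that feeds the hardened handler. wp_nonce_field() emits the hidden
// nonce input (plus a referer field) that check_admin_referer() verifies.
function brownbag_note_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="brownbag_save_note" />
        <?php wp_nonce_field( 'brownbag_save_note', 'brownbag_nonce' ); ?>
        <input type="text" name="title" value="" />
        <textarea name="body"></textarea>
        <input type="submit" value="Save" />
    </form>
    <?php
}

// Escape on output as well as sanitizing on input: stored data is still untrusted.
function brownbag_render_note( $note ) {
    echo '<h3>' . esc_html( $note->title ) . '</h3>';
    echo wp_kses_post( $note->body );
}

add_action( 'admin_post_brownbag_save_note', 'brownbag_save_note_hardened' );
```

The order matters: the capability check and nonce check run before any input is touched, so an unauthenticated or cross-site request never reaches the sanitization or the database at all.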
8. Know Your Hacks: The Basic Types of Attack
   - Trojans: generally these arrive through plugins, which are arbitrary PHP running with the blog's full privileges.
   - SQL Injection: poorly handled POST data is concatenated into SQL, letting an attacker run their own statements to gain access or manipulate the database.
   - Code Uploads: poorly handled forms allow code to be uploaded, sometimes disguised as an image (a PHP file with an image extension, or PHP code embedded inside a valid image).
   - Script Execution: holes in code that allow attacker-supplied script to run, either directly affecting the server or opening a shell session that gives the attacker control.
   - Attacks via third-party software: Gallery2, bbPress, etc.
   - Apache/PHP exploits: to be covered in a separate session.
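The "Code Uploads" item above, as an added example that is not from the slides: an upload validator that rejects a PHP file renamed to .gif, a double extension such as shell.php.gif, and a genuine image with "<?php" embedded in it, then stores the file under a server-chosen name. The function names and the size limit are hypothetical; it assumes PHP 7 or later with the fileinfo extension.

```php
<?php
// Added example, not from the slides. Hypothetical helpers for an upload form.

function brownbag_validate_image_upload( array $file ) {
    // $file is one entry of $_FILES (name, tmp_name, size, error, type).
    // $file['type'] is sent by the client and is never consulted here.
    if ( $file['error'] !== UPLOAD_ERR_OK ) {
        return 'upload failed';
    }
    if ( $file['size'] > 2 * 1024 * 1024 ) {   // hypothetical 2 MB cap
        return 'file too large';
    }

    // Whole-name check against an allowlist, not just the last extension:
    // this rejects shell.php.gif, which an Apache AddHandler for .php would
    // happily execute, and names with path separators or NULs.
    $name = basename( $file['name'] );
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.(gif|jpe?g|png)$/', $name ) ) {
        return 'bad file name';
    }

    // Server-side content sniffing: the bytes must identify as an image...
    $allowed = array( 'image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png' );
    $finfo   = new finfo( FILEINFO_MIME_TYPE );
    $mime    = $finfo->file( $file['tmp_name'] );
    if ( ! isset( $allowed[ $mime ] ) ) {
        return 'not an image';
    }
    // ...and actually decode as one (fails on a PHP script with a GIF89a header
    // followed by garbage, or a truncated file).
    if ( @getimagesize( $file['tmp_name'] ) === false ) {
        return 'not an image';
    }

    // A perfectly valid GIF can still carry "<?php ... ?>" in a comment block
    // and will run if it is ever served through a PHP handler. Refuse it.
    // This is defense in depth, not a substitute for disabling PHP in uploads/.
    $bytes = file_get_contents( $file['tmp_name'] );
    if ( stripos( $bytes, '<?php' ) !== false || strpos( $bytes, '<?=' ) !== false ) {
        return 'image contains PHP code';
    }
    return null;   // valid
}

// Store under a random server-chosen name whose extension comes from the
// sniffed MIME type, never from the client-supplied file name.
function brownbag_store_image( array $file, $upload_dir ) {
    $err = brownbag_validate_image_upload( $file );
    if ( $err !== null ) {
        return array( 'ok' => false, 'error' => $err );
    }
    $ext_for = array( 'image/gif' => 'gif', 'image/jpeg' => 'jpg', 'image/png' => 'png' );
    $finfo   = new finfo( FILEINFO_MIME_TYPE );
    $ext     = $ext_for[ $finfo->file( $file['tmp_name'] ) ];
    $dest    = rtrim( $upload_dir, '/' ) . '/' . bin2hex( random_bytes( 16 ) ) . '.' . $ext;

    // move_uploaded_file() refuses anything that was not uploaded via HTTP POST.
    if ( ! move_uploaded_file( $file['tmp_name'], $dest ) ) {
        return array( 'ok' => false, 'error' => 'could not move file' );
    }
    return array( 'ok' => true, 'path' => $dest );
}

// Usage from a form handler: $result = brownbag_store_image( $_FILES['image'], '/var/www/uploads' );
```

Validation on the way in is only half of it: the upload directory should also be configured so the web server never executes anything in it (for Apache with mod_php, `php_flag engine off` in a .htaccess inside wp-content/uploads, or a `<FilesMatch "\.php$">` block denying access), so that a validator bug does not become remote code execution.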
9. Specific Wordpress Attacks
   Most, if not all, affect versions earlier than 2.5.1:
   - WordPress 2.3.3 Invaded by Wily JavaScript
   - WP-Download SQL-Injection
   - Protecting Wordpress from Magic Include Shell
   - Wordpress 2.1.3 admin-ajax.php SQL Injection Blind Fishing Exploit
   - Wordpress 2.1.2 xmlrpc Security Issues
10. The Good News
   - We have a plan to update all our sites to Wordpress 2.5.1 shortly (everything but Geek by 7/15).
   - We're looking for ways to become more secure.
   - We're talking, and together we'll make it work.
11. Discussion