WordPress Security - The "No-BS" Version

22,367
views

A presentation I put together for WordCamp Chicago 2012.

Published in: Technology, Business

  • Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would
  • Transcript

    • 1. WORDPRESS SECURITY The “No-BS” Version
    • 2. SUCURI @ WORDCAMP # WHOIS PEREZBOX
      • Name: Tony Perez
      • Street name: The Hulk
      • Handle: Perezbox
      • Company: Sucuri
      • Occupation: Executive / Owner
      • Likes: Guns, InfoSec, Harley's, MMA
      • Personality: Rational / Objective = Turd
      • Location: Menifee, California
      Footer on every slide: @PEREZBOX @SUCURI_SECURITY @TONYONSECURITY #WCCHX 10/15/2012
    • 3. TODAY'S CHALLENGES
      • Administration
      • Extensibility
      • Credentials
      • End-users
      • Education
    • 4. KNOWLEDGE – Check yourself before you wreck yourself
      • "The user's going to pick dancing pigs over security every time." - Bruce Schneier
    • 5. KNOW THE ENVIRONMENT
      • LAMP STACK: Linux, Apache, MySQL, PHP
      • This is what it takes to run WordPress
      • Each contains its own laundry list of known vulnerabilities
      • Bare-bones
    • 6. KNOW THE APPLICATION
      • WordPress: Core, Themes, Plugins, End-User
      • Today's Problem
    • 7. REALISTIC ENVIRONMENT
      • Linux Operating System
      • Apache
      • MySQL
      • PHP
      • WordPress
      • cPanel / Plesk / myLittleAdmin / phpMyAdmin / Etc..
      • Modules
    • 8. YOUR HOST – IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
      • Who is your host?
      • How do you connect to the server?
        • FTP, SFTP, SSH
      • What security does your host use? Do they use any web security?
      • What will your host do if you get hacked?
        • Will they shut your site down?
        • Will they kick you off their server?
        • Will they fix it for you?
    • 9. CONNECTING
      • If you don't need it, disable it
        • SFTP / SSH is preferred
        • FTP works fine – disable it if you're not using it, don't talk to me if you are
        • FTP/SFTP != WP-ADMIN
      • Least Privileged
        • You don't have to log in to FTP / SFTP with full root access
        • Everyone doesn't need to be an admin
        • You don't need to log in as admin
        • The focus is on the role, not the name of the user
        • Accountability – kill generic accounts – who is doing what?
    • 10. ATTACK TYPE
      • Opportunistic
        • Trolling the web looking for known vulnerabilities
        • Ability for mass exposure
        • Think "TimThumb"
      • Targeted
        • Big enterprises with large followings: WordPress.com, WooThemes
        • Worth investing time and energy to compromise, bigger return
    • 11. AUTOMATION IS KEY
      • Targeted / Opportunistic
      • Diagram: Scan, Detect, Exploit, PWN – Automation
      • Vulnerability Scans
      • Brute Force / Data Dictionary Attacks
      • DDOS / DOS
      • XSS / CSRF
      • SQLi
    • 12. BLACKLISTING
      • Take a chill pill.. Not the end of the world
      • Detect, Remove, Submit
    • 13. THE MISTAKE
      • But why me?!?!?!
      • Forget the why, look at the how!!
    • 14. THE HOW – Nothing fancy here.. The facts
      • "Own one, Own them All"
    • 15. TODAY'S EXPLOITS
      • You / Application Control
        • Injections
        • Remote File Inclusion
        • Remote File Execution
        • Brute Force / Data Dictionary
      • Environment
        • Privilege Escalation
        • Brute Force / Data Dictionary
        • Remote File Include
        • Remote File Execution
    • 16. TOP 5 WORDPRESS INFECTIONS
      • Backdoors – Difficult to detect via HTTP
      • Injections – Easy to detect via HTTP
      • Pharma Hack – Best person to detect is the owner, difficult to detect via HTTP
      • Malicious Redirects – Easy to detect via HTTP
      • Defacements – Pretty obvious – you're now supporting the Syrian fight or preaching to your Turkish brothers
    • 17. BACKDOOR
      • Complete access via shell… kiss all hardening good bye
      • Sad day.. .. Good time to cry…
    • 18. LINK INJECTION
      • Drive-by-Download attempt – think Fake AV / Adobe
      • Pharma Links – Erectile Dysfunction (Viagra)
    • 19. PHARMA
      • Affiliate Model
      • Multi-million dollar industry
      • Generate ~3.5k new clients daily
    • 20. DEFACEMENT
      • Hacktivism at its finest
      • Awareness to cause
    • 21. COMMON VECTORS
      • "38% of us Would Rather Clean a Toilet Than Think of New Password" - Mashable
      • Vulnerable Software
        • Often associated with out-of-date software
        • WordPress Themes / Plugins, more so than Core
      • Cross Site Contamination
        • Soup Kitchen Servers
      • Compromised Credentials
        • Password123, Password1, 111111a = not cool
      • Remote File Inclusion
        • Leads to Remote Execution
        • Think TimThumb, Uploadify, etc…
    • 22. MAKE IT STOP – Simple is so much sweeter…
      • "The question isn't who is going to let me; it's who is going to stop me."
    • 23. THE KEY IS ACCESS
      • In almost all instances the key is access, whether via:
        • WP-ADMIN
        • SSH / SFTP (Port 22)
        • FTP (Port 21) => You are dead to me!!! : )
        • Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – can't avoid zero day events, but you can stay proactive when identified
        • Doesn't include environmental issues
      • Myth: Remove Admin
        • Fact: to crack a 10 character password = 1,700 years via brute-force. Today, dictionary attacks are the preferred method. Either way, requires multiple scan attempts.
        • The "administrator" role matters more than the "administrator" or "admin" user name.
    • 24. THIS IS WHAT MATTERS - KISS
      • From an access standpoint: Strong / Unique Password; Application WAF; Two Factor Authentication; Secure Server Environment; WAF
      • From a vulnerability standpoint: Avoid Soup Kitchen Servers; Separate Staging from Production; Use Trusted Sources; Secure Environment; Stay Current
    • 25. MY ADVICE
      • To the Average Joe:
        1. Kill PHP Execution
        2. Disable Theme / Plugin Editing via Admin
        3. Connect Securely – SFTP / SSH
        4. Use Authentication Keys in wp-config
        5. Use Trusted Sources
        6. Use a local Antivirus – Yes, Macs need one
        7. Verify your permissions - D 755 | F 644
        8. Least Privileged
        9. Kill generic accounts - Accountability
        10. Backup your site – yes, Database too
      • To the Paranoid / Lucky:
        1. Don't let WordPress write to itself
        2. Filter by IP
          • SSH Access
          • WP-ADMIN Access
          • Database Access
        3. Use a dedicated server / VPS
        4. Employ a WAF / Logging Solution
        5. Enable SSL
    • 26. KILL PHP EXECUTION
      • The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice.
      • Recommendation: WP-INCLUDES, UPLOADS
      • .htaccess contents:
          #PROTECT [Directory Name]
          <Files *.php>
          Deny from all
          </Files>
    • 27. DISABLE PLUGIN/THEME EDITOR
      • Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files.
          # Disable Plugin / Theme Editor
          define('DISALLOW_FILE_EDIT', true);
    • 28. RECOMMENDED PLUGINS
      • Clients: Sucuri Security Premium; Duo Two-Factor Authentication; Theme-Check; BackupBuddy; Akismet
      • Non-Clients: Duo Two-Factor Authentication; Limit Login Attempts; Theme-Check; BackupBuddy; Akismet
    • 29. KNOW WHERE TO GO, IF… IT HAPPENS
      • Support Forums
        • Hacked – http://wordpress.org/tags/hacked
        • Malware – http://wordpress.org/tags/malware
        • BadwareBusters – https://badwarebusters.org
      • Online Resources
        • Sucuri Blog: http://blog.sucuri.net
        • SiteCheck Scanner: http://sitecheck.sucuri.net
        • Unmask Parasites: http://unmaskparasites.com
        • Perishable Press: http://perishablepress.com/category/web-design/security/
        • Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
    • 30. BLACKLIST ENTITIES
      • Google – Chrome, FireFox; Search Engine Results Page (SERP)
        • http://www.google.com/webmaster/tools
        • http://www.google.com/safebrowsing/diagnostic?site=[your site]
      • Bing – Internet Explorer, Yahoo
        • http://www.bing.com/toolbox/webmaster/
      • Norton – SafeWeb Browsing, Facebook
        • http://safeweb.norton.com/
      • AVG – Opera
        • http://www.avgthreatlabs.com/sitereports/
    • 31. Sucuri / Tony Perez
      • http://sucuri.net
      • http://blog.sucuri.net
      • http://perezbox.com & http://tonyonsecurity.com
      • @perezbox and @tonyonsecurity
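The three file-level steps from slides 25 to 27 (deny PHP execution in wp-includes and the uploads directory, define DISALLOW_FILE_EDIT, directories 755 / files 644) as one POSIX shell script that applies them to a WordPress root and then verifies them. This is an added example, not code from the deck or from Sucuri; the function names, the constructed demo tree and the Apache 2.4 `Require all denied` form written next to the slide's `Deny from all` are assumptions of this example.

```shell
#!/bin/sh
# Added example: apply the deck's three file-level hardening steps to a
# WordPress root and verify them. Function names and the constructed demo
# tree are assumptions of this example, not the deck's own code.

# Step 1 (slide 26): refuse to serve PHP from a directory via .htaccess.
# The slide's "Deny from all" is Apache 2.2 syntax; on Apache 2.4 it needs
# mod_access_compat, so the 2.4 form is written alongside it.
# Caveat: a multisite install must keep wp-includes/ms-files.php reachable.
deny_php_in() {
    cat > "$1/.htaccess" <<'EOF'
#PROTECT: no PHP may be executed from this directory
<Files *.php>
    <IfModule !mod_authz_core.c>
        Deny from all
    </IfModule>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
</Files>
EOF
}

# Step 2 (slide 27): define DISALLOW_FILE_EDIT exactly once, before the
# "stop editing" marker so it is set before wp-settings.php is loaded.
disable_file_edit() {
    cfg="$1/wp-config.php"
    line="define( 'DISALLOW_FILE_EDIT', true );"
    grep -q 'DISALLOW_FILE_EDIT' "$cfg" && return 0   # already present: idempotent
    if grep -q 'stop editing' "$cfg"; then
        awk -v l="$line" '/stop editing/ && !d { print l; d=1 } { print }' "$cfg" > "$cfg.tmp"
    else
        # no marker in this config: place it right after the opening <?php tag
        awk -v l="$line" '{ print } /^<[?]php/ && !d { print l; d=1 }' "$cfg" > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# Step 3 (slide 25, item 7): directories 755, files 644.
set_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

wp_harden() {
    deny_php_in "$1/wp-includes"
    deny_php_in "$1/wp-content/uploads"
    disable_file_edit "$1"
    set_permissions "$1"   # last, so the new .htaccess files get 644 as well
}

# Returns 0 only when all three steps are in place (usable as a periodic check).
wp_harden_check() {
    for d in wp-includes wp-content/uploads; do
        grep -q 'Require all denied' "$1/$d/.htaccess" 2>/dev/null || return 1
    done
    grep -q 'DISALLOW_FILE_EDIT.*true' "$1/wp-config.php" || return 1
    bad=$(find "$1" \( -type d ! -perm 755 \) -o \( -type f ! -perm 644 \) | head -n 1)
    [ -z "$bad" ]
}

# Demo on a constructed throw-away tree (not a real install).
wp_harden_demo() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-includes" "$root/wp-content/uploads/2012"
    printf '%s\n' '<?php' "define( 'DB_NAME', 'wp' );" \
        "/* That's all, stop editing! Happy blogging. */" \
        "require_once ABSPATH . 'wp-settings.php';" > "$root/wp-config.php"
    : > "$root/wp-content/uploads/2012/dropped.php"   # a PHP file in the upload dir
    chmod 777 "$root/wp-content/uploads/2012"          # an overly open directory
    wp_harden "$root"
    wp_harden_check "$root" && echo "hardened: $root"
    rm -rf "$root"
}

if [ "${1:-}" = "--demo" ]; then wp_harden_demo; fi
```

Run it as `sh harden.sh --demo` to see it work on the constructed tree, or source it and call `wp_harden /path/to/wordpress` followed by `wp_harden_check /path/to/wordpress`. The deck's `F 644` is applied to every file, including wp-config.php; many hosts tighten that one file further, which the check above would then flag, so adjust the `-perm` test if you do.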