WordPress Security - The "No-BS" Version

A presentation I put together for WordCamp Chicago 2012.
Usage Rights: © All Rights Reserved

Comments

  • Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would

Presentation Transcript

  • SUCURI @ WORDCAMP: WHOIS PEREZBOX
    • Name: Tony Perez
    • Street name: The Hulk
    • Handle: Perezbox
    • Company: Sucuri
    • Occupation: Executive / Owner
    • Likes: Guns, InfoSec, Harley's, MMA
    • Personality: Rational / Objective = Turd
    • Location: Menifee, California
    @PEREZBOX @SUCURI_SECURITY @TONYONSECURITY #WCCHX 10/15/2012
  • TODAY'S CHALLENGES
    • Administration
    • Extensibility
    • Credentials
    • End-users
    • Education
  • KNOWLEDGE: Check yourself before you wreck yourself
    "The user's going to pick dancing pigs over security every time." - Bruce Schneier
  • KNOW THE ENVIRONMENT
    • Bare-bones, this is what it takes to run WordPress: the LAMP stack
      • Linux
      • Apache
      • MySQL
      • PHP
    • Each component carries its own laundry list of known vulnerabilities
  • KNOW THE APPLICATION
    • Layers: WordPress Core, Themes, Plugins, End-User
    • Today's problem sits in the layers around Core: themes, plugins and the end-user
  • REALISTIC ENVIRONMENT
    • Linux operating system, Apache, MySQL, PHP, WordPress
    • Plus whatever else is installed alongside: cPanel, Plesk, myLittleAdmin, phpMyAdmin, etc., and the server modules they pull in
  • YOUR HOST
    IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
    • Who is your host?
    • How do you connect to the server? FTP, SFTP, SSH
    • What security does your host use? Do they use any web security?
    • What will your host do if you get hacked?
      • Will they shut your site down?
      • Will they kick you off their server?
      • Will they fix it for you?
  • CONNECTING
    • If you don't need it, disable it
      • SFTP / SSH is preferred
      • FTP works, but it sends credentials in the clear; disable it if you're not using it, and don't talk to me if you are
      • FTP/SFTP != WP-ADMIN: separate credentials, separate attack surfaces
    • Least privilege
      • You don't have to log in to FTP / SFTP with full root access
      • Everyone doesn't need to be an admin
      • You don't need to log in as admin for day-to-day work
      • The focus is on the role, not the name of the user
      • Accountability: kill generic accounts; know who is doing what
  • ATTACK TYPE
    • Opportunistic
      • Trolling the web looking for known vulnerabilities
      • Ability for mass exposure
      • Think "TimThumb"
    • Targeted
      • Big enterprises with large followings: WordPress.com, WooThemes
      • Worth investing time and energy to compromise; bigger return
  • AUTOMATION IS KEY
    • Targeted or opportunistic, the cycle is the same and fully automated: Scan -> Detect -> Exploit -> PWN
    • Vulnerability scans
    • Brute force / dictionary attacks
    • DDoS / DoS
    • XSS / CSRF
    • SQLi
  • BLACKLISTING
    • Take a chill pill.. not the end of the world
    • Detect, Remove, Submit (request a review once the site is clean)
  • THE MISTAKE
    • But why me?!?!?!
    • Forget the why, look at the how!!
  • THE HOW: "Own one, own them all"
    Nothing fancy here.. the facts
  • TODAY'S EXPLOITS
    • Application (the part you control)
      • Injections
      • Remote File Inclusion
      • Remote File Execution
      • Brute Force / Dictionary
    • Environment
      • Privilege Escalation
      • Brute Force / Dictionary
      • Remote File Inclusion
      • Remote File Execution
  • TOP 5 WORDPRESS INFECTIONS
    • Backdoors: difficult to detect via HTTP
    • Injections: easy to detect via HTTP
    • Pharma Hack: the best person to detect it is the owner; difficult to detect via HTTP, because the injected content is usually shown only to search-engine crawlers
    • Malicious Redirects: easy to detect via HTTP
    • Defacements: pretty obvious; you're now supporting the Syrian fight or preaching to your Turkish brothers
  • BACKDOOR
    • Complete access via shell... kiss all hardening good bye
    • Sad day.. good time to cry...
  • LINK INJECTION
    • Drive-by-download attempt: think fake AV / fake Adobe updates
    • Pharma links: erectile dysfunction (Viagra)
  • PHARMA
    • Affiliate model
    • Multi-million dollar industry
    • Generates ~3.5k new clients daily
  • DEFACEMENT
    • Hacktivism at its finest
    • Awareness to a cause
  • COMMON VECTORS
    "38% of us Would Rather Clean a Toilet Than Think of a New Password" - Mashable
    • Vulnerable software
      • Often associated with out-of-date software
      • WordPress themes / plugins, more so than Core
    • Cross-site contamination
      • "Soup kitchen" servers: many sites under one account, so one compromised site infects its neighbours
    • Compromised credentials
      • Password123, Password1, 111111a = not cool
    • Remote File Inclusion
      • Leads to remote execution
      • Think TimThumb, Uploadify, etc...
  • MAKE IT STOP
    "The question isn't who is going to let me; it's who is going to stop me."
    Simple is so much sweeter...
  • THE KEY IS ACCESS
    • In almost all instances the key is access, whether via:
      • WP-ADMIN
      • SSH / SFTP (port 22)
      • FTP (port 21) => you are dead to me!!! : )
      • Remote File Inclusion: vulnerabilities in TimThumb / Uploadify. You can't avoid zero-day events, but you can stay proactive (patch) once they are identified
      • This list doesn't include environmental issues (the server, the control panel, neighbouring sites)
    • Myth: remove the "admin" user
      • Fact: the "1,700 years to brute-force a 10-character password" figure holds only for one assumed character set and guess rate; change either and the number moves. Today, dictionary attacks are the preferred method. Either way, the attacker needs many login attempts against your site, and those attempts are what you can detect and throttle.
      • The "administrator" role matters more than the "administrator" or "admin" user name.
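The myth slide above rests on one observable fact: brute force or dictionary, the attacker has to send many login attempts, and every one of them lands in the web server's access log. The script below is an added example, not part of the presentation or of Sucuri's tooling. It parses Apache combined-format log lines, counts credential-guessing POSTs to wp-login.php and xmlrpc.php per client IP over a sliding window, and flags the IPs that exceed a threshold. The log lines, IP addresses and the 10-attempts-in-5-minutes threshold are constructed for the demo.

```python
"""Flag IPs hammering wp-login.php / xmlrpc.php in Apache combined-format logs.

Added example, not the presentation's own code. SAMPLE_LOG is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache "combined" format; we only need client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

# Endpoints that accept credentials. xmlrpc.php is included because one
# system.multicall request can carry many login attempts.
LOGIN_PATHS = ("/wp-login.php", "/xmlrpc.php")

# Constructed sample: one legitimate login, twelve failed guesses from one
# address in 33 seconds, one XML-RPC POST from another address.
SAMPLE_LOG = [
    '198.51.100.4 - - [15/Oct/2012:10:00:01 -0500] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
    '198.51.100.4 - - [15/Oct/2012:10:00:02 -0500] "GET /wp-admin/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
] + [
    f'203.0.113.7 - - [15/Oct/2012:10:01:{s:02d} -0500] "POST /wp-login.php HTTP/1.1" 200 3341 "-" "python-requests/1.0"'
    for s in range(0, 36, 3)
] + [
    '203.0.113.9 - - [15/Oct/2012:10:02:00 -0500] "POST /xmlrpc.php HTTP/1.1" 200 420 "-" "-"',
]


def parse_line(line):
    """Return a dict for a combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],   # drop query string
        "status": int(m.group("status")),
    }


def login_failures(lines):
    """Yield (ip, timestamp) for each credential-guessing POST.

    A successful wp-login.php POST answers 302 (redirect into wp-admin) while a
    failed one re-renders the form with 200, so 302s are skipped there.
    xmlrpc.php answers 200 either way, so every POST to it is counted.
    """
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["method"] != "POST" or rec["path"] not in LOGIN_PATHS:
            continue
        if rec["path"] == "/wp-login.php" and rec["status"] == 302:
            continue
        yield rec["ip"], rec["ts"]


def find_bruteforcers(lines, threshold=10, window=timedelta(minutes=5)):
    """Return {ip: peak_attempts} for IPs with more than `threshold` attempts in any `window`."""
    by_ip = defaultdict(list)
    for ip, ts in login_failures(lines):
        by_ip[ip].append(ts)
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:      # slide the window forward
                start += 1
            in_window = end - start + 1
            if in_window > threshold:
                flagged[ip] = max(flagged.get(ip, 0), in_window)
    return flagged


if __name__ == "__main__":
    for ip, n in find_bruteforcers(SAMPLE_LOG).items():
        print(f"{ip}: {n} login attempts within 5 minutes")
```

On a real server, feed it `access.log` line by line and pair the output with whatever blocks at the edge (a WAF rule, fail2ban, or an IP filter on wp-admin as the "Paranoid" list suggests); the threshold is a tuning knob, not a fact about attackers.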
  • THIS IS WHAT MATTERS - KISS
    • From an access standpoint: Strong / Unique Password, Two-Factor Authentication, Application WAF, Server WAF, Secure Environment
    • From a vulnerability standpoint: Stay Current, Avoid Soup Kitchen Servers, Separate Staging from Production, Use Trusted Sources, Secure Environment
  • MY ADVICE
    To the Average Joe:
    1. Kill PHP execution in directories that should only hold data
    2. Disable theme / plugin editing via admin
    3. Connect securely: SFTP / SSH
    4. Set unique authentication keys and salts in wp-config
    5. Use trusted sources
    6. Use a local antivirus; yes, Macs need one
    7. Verify your permissions: D 755 | F 644
    8. Least privilege
    9. Kill generic accounts: accountability
    10. Back up your site; yes, the database too
    To the Paranoid / Lucky:
    1. Don't let WordPress write to itself
    2. Filter by IP:
       • SSH access
       • WP-ADMIN access
       • Database access
    3. Use a dedicated server / VPS
    4. Employ a WAF / logging solution
    5. Enable SSL
  • KILL PHP EXECUTION
    • The idea is not to let them execute any PHP files in directories that should only hold static content. You do so by adding the following to an .htaccess file in the directory of choice. Recommendation: WP-INCLUDES and UPLOADS.

      # PROTECT [Directory Name]
      <Files *.php>
      Deny from all
      </Files>

    • Caveats: .htaccess is only honoured by Apache with AllowOverride enabled (nginx ignores it); on Apache 2.4 without mod_access_compat the equivalent directive is Require all denied; and some WordPress versions load a PHP file under wp-includes directly from the browser (the TinyMCE loader, for example), so test the editor and admin after applying the rule there.
  • DISABLE PLUGIN/THEME EDITOR
    • Add to wp-config; if an admin user is compromised, the attacker can't use the dashboard editor to write PHP into theme or plugin files.

      # Disable Plugin / Theme Editor
      define('DISALLOW_FILE_EDIT', true);

    • Caveat: this removes the editor only. A compromised administrator can still upload a plugin or theme; DISALLOW_FILE_MODS blocks that as well (and with it dashboard updates, so plan for updating another way).
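The permissions, wp-config and PHP-execution items on the last three slides are easy to state and easy to let drift. The script below is an added example, not part of the presentation or of any Sucuri product. It walks a WordPress document root and reports anything more permissive than D 755 / F 644, a wp-config.php without DISALLOW_FILE_EDIT or still carrying the sample file's placeholder salts, PHP files sitting under wp-content/uploads, and an uploads/.htaccess that does not deny *.php. build_sample_site() creates a constructed tree with deliberate problems so the check runs offline; the tree, its paths and the 32-character salt minimum are assumptions for the demo.

```python
"""Audit a WordPress install against the hardening items on the slides.

Added example, not the presentation's own code. The tree made by
build_sample_site() is constructed for the demo.
"""
import os
import re
import stat
import tempfile

FILE_BASELINE, DIR_BASELINE = 0o644, 0o755      # the slide's "D 755 | F 644"
DEFAULT_SALT = "put your unique phrase here"     # placeholder in wp-config-sample.php
MIN_SALT_LEN = 32                                # assumption: shorter is suspect
SALT_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def audit_permissions(root):
    """[(relpath, mode)] for entries with bits beyond the baseline.

    Stricter passes (600 on wp-config.php is fine); group/world write or an
    execute bit on a file is flagged.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        entries = [(d, DIR_BASELINE) for d in dirnames] + [(f, FILE_BASELINE) for f in filenames]
        for name, baseline in entries:
            full = os.path.join(dirpath, name)
            mode = stat.S_IMODE(os.lstat(full).st_mode)
            if mode & ~baseline:
                findings.append((os.path.relpath(full, root), oct(mode)))
    return findings


def audit_wp_config(path):
    """Problems in wp-config.php: editor still enabled, missing/default/short salts."""
    problems = []
    with open(path, encoding="utf-8") as fh:
        src = fh.read()
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", src, re.I):
        problems.append("DISALLOW_FILE_EDIT not set to true")
    for key in SALT_KEYS:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"]([^'\"]*)['\"]" % key, src)
        if not m or m.group(1) == DEFAULT_SALT or len(m.group(1)) < MIN_SALT_LEN:
            problems.append(f"{key} missing, default, or shorter than {MIN_SALT_LEN} chars")
    return problems


def audit_uploads(root):
    """uploads/ should hold no PHP, and its .htaccess should refuse to serve *.php."""
    problems = []
    uploads = os.path.join(root, "wp-content", "uploads")
    for dirpath, _, filenames in os.walk(uploads):
        for f in filenames:
            if f.lower().endswith((".php", ".phtml", ".php5")):
                problems.append("PHP file in uploads: " + os.path.relpath(os.path.join(dirpath, f), root))
    htaccess = os.path.join(uploads, ".htaccess")
    if not os.path.exists(htaccess):
        problems.append("uploads/.htaccess missing (PHP execution not blocked)")
    else:
        with open(htaccess, encoding="utf-8") as fh:
            rules = fh.read()
        # accept the 2.2-style "Deny from all" or the 2.4-style "Require all denied"
        if not re.search(r"<Files\s+\*\.php\s*>.*?(Deny from all|Require all denied).*?</Files>",
                         rules, re.S | re.I):
            problems.append("uploads/.htaccess does not deny *.php")
    return problems


def run_audit(root):
    return {"permissions": audit_permissions(root),
            "wp-config": audit_wp_config(os.path.join(root, "wp-config.php")),
            "uploads": audit_uploads(root)}


def build_sample_site(root):
    """Constructed WordPress-like tree with deliberate problems (demo input only)."""
    shell = os.path.join(root, "wp-content", "uploads", "2012", "10", "shell.php")
    os.makedirs(os.path.dirname(shell))
    with open(os.path.join(root, "wp-config.php"), "w") as fh:
        fh.write("<?php\n")
        for key in SALT_KEYS:                        # placeholders never replaced
            fh.write(f"define('{key}', '{DEFAULT_SALT}');\n")
        fh.write("define('DISALLOW_FILE_EDIT', false);\n")
    with open(shell, "w") as fh:
        fh.write("<?php /* dropped through an upload flaw */\n")
    with open(os.path.join(root, "wp-content", "uploads", ".htaccess"), "w") as fh:
        fh.write("<Files *.php>\nDeny from all\n</Files>\n")
    for dirpath, dirnames, filenames in os.walk(root):   # normalise to baseline first
        for d in dirnames:
            os.chmod(os.path.join(dirpath, d), DIR_BASELINE)
        for f in filenames:
            os.chmod(os.path.join(dirpath, f), FILE_BASELINE)
    os.chmod(os.path.join(root, "wp-config.php"), 0o600)            # stricter: passes
    os.chmod(os.path.join(root, "wp-content", "uploads"), 0o777)    # world-writable: flagged
    return root


def demo():
    """Build the sample tree in a temp dir and audit it."""
    return run_audit(build_sample_site(tempfile.mkdtemp(prefix="wp-audit-")))


if __name__ == "__main__":
    for section, items in demo().items():
        print(section, items)
```

Point `run_audit()` at a real document root to use it for more than the demo. Note that the sample's uploads/.htaccess is exactly the slide's rule and is still reported as fine while the dropped shell.php is flagged: the .htaccess stops Apache from executing the file, it does not stop the file from being written, which is why permissions and the "don't let WordPress write to itself" item sit next to it on the advice slide.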
  • RECOMMENDED PLUGINS
    • Clients: Sucuri Security Premium, Duo Two-Factor Authentication, Theme-Check, BackupBuddy, Akismet
    • Non-Clients: Duo Two-Factor Authentication, Limit Login Attempts, Theme-Check, BackupBuddy, Akismet
  • KNOW WHERE TO GO, IF... IT HAPPENS
    • Support forums
      • Hacked: http://wordpress.org/tags/hacked
      • Malware: http://wordpress.org/tags/malware
      • BadwareBusters: https://badwarebusters.org
    • Online resources
      • Sucuri Blog: http://blog.sucuri.net
      • SiteCheck Scanner: http://sitecheck.sucuri.net
      • Unmask Parasites: http://unmaskparasites.com
      • Perishable Press: http://perishablepress.com/category/web-design/security/
      • Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
  • BLACKLIST ENTITIES (who maintains the list, who consumes it, where to check and request review)
    • Google: feeds Chrome, Firefox and the Search Engine Results Page (SERP)
      • http://www.google.com/webmaster/tools
      • http://www.google.com/safebrowsing/diagnostic?site=[your site]
    • Bing: feeds Internet Explorer and Yahoo
      • http://www.bing.com/toolbox/webmaster/
    • Norton: SafeWeb browsing, feeds Facebook
      • http://safeweb.norton.com/
    • AVG: feeds Opera
      • http://www.avgthreatlabs.com/sitereports/
  • Sucuri / Tony Perez
    http://sucuri.net and http://blog.sucuri.net
    http://perezbox.com & http://tonyonsecurity.com
    @perezbox and @tonyonsecurity