WordPress Security - The "No-BS" Version
A presentation I put together for WordCamp Chicago 2012.
Speaker note: Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would

Transcript of "WordPress Security - The "No-BS" Version"

    1. WORDPRESS SECURITY: The "No-BS" Version

    2. SUCURI @ WORDCAMP: WHOIS PEREZBOX
       • Name: Tony Perez
       • Street name: The Hulk
       • Handle: Perezbox
       • Company: Sucuri
       • Occupation: Executive / Owner
       • Likes: Guns, InfoSec, Harleys, MMA
       • Personality: Rational / Objective = Turd
       • Location: Menifee, California
       @PEREZBOX @SUCURI_SECURITY @TONYONSECURITY #WCCHX 10/15/2012

    3. TODAY'S CHALLENGES
       • Administration
       • Extensibility
       • Credentials
       • End-users
       • Education

    4. KNOWLEDGE
       "The user's going to pick dancing pigs over security every time." - Bruce Schneier
       Check yourself before you wreck yourself

    5. KNOW THE ENVIRONMENT
       LAMP stack: Linux, Apache, MySQL, PHP
       • This is what it takes to run WordPress
       • Each component carries its own laundry list of known vulnerabilities
       • And that is the bare-bones case

    6. KNOW THE APPLICATION
       WordPress layers: Core, Themes, Plugins, End-User
       • Today's problem sits in the layers around Core (themes, plugins and the people using them), not in Core itself

    7. REALISTIC ENVIRONMENT
       • Linux Operating System
       • Apache
       • MySQL
       • PHP
       • WordPress
       • Control panels and admin tools: cPanel, Plesk, myLittleAdmin, phpMyAdmin, etc.
       • Modules

    8. YOUR HOST
       IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
       • Who is your host?
       • How do you connect to the server?
         • FTP, SFTP, SSH
       • What security does your host use? Do they use any web security?
       • What will your host do if you get hacked?
         • Will they shut your site down?
         • Will they kick you off their server?
         • Will they fix it for you?

    9. CONNECTING
       • If you don't need it, disable it
         • SFTP / SSH is preferred
         • FTP works fine; disable it if you're not using it, and don't talk to me if you are
         • FTP/SFTP != WP-ADMIN
       • Least privilege
         • You don't have to log in to FTP / SFTP with full root access
         • Not everyone needs to be an admin
         • You don't need to log in as admin
         • The focus is on the role, not the name of the user
         • Accountability: kill generic accounts. Who is doing what?
    10. ATTACK TYPE
       Opportunistic:
       • Trolling the web looking for known vulnerabilities
       • Ability for mass exposure
       • Think "TimThumb"
       Targeted:
       • Big enterprises with large followings: WordPress.com, WooThemes
       • Worth investing time and energy to compromise; bigger return

    11. AUTOMATION IS KEY
       Attack loop: Scan → Detect → Exploit → PWN, driven by automation
       Targeted / Opportunistic:
       • Vulnerability Scans
       • Brute Force / Data Dictionary Attacks
       • DDOS / DOS
       • XSS / CSRF
       • SQLi
    12. BLACKLISTING
       • Take a chill pill. Not the end of the world
       • Detect, Remove, Submit

    13. THE MISTAKE
       • But why me?!?!?!
       • Forget the why, look at the how!!

    14. THE HOW
       "Own one, own them all"
       Nothing fancy here. The facts

    15. TODAY'S EXPLOITS
       Application (what you control):
       • Injections
       • Remote File Inclusion
       • Remote File Execution
       • Brute Force / Data Dictionary
       Environment:
       • Privilege Escalation
       • Brute Force / Data Dictionary
       • Remote File Include
       • Remote File Execution

    16. TOP 5 WORDPRESS INFECTIONS
       • Backdoors: difficult to detect via HTTP
       • Injections: easy to detect via HTTP
       • Pharma Hack: the best person to detect it is the owner; difficult to detect via HTTP
       • Malicious Redirects: easy to detect via HTTP
       • Defacements: pretty obvious; you're now supporting the Syrian fight or preaching to your Turkish brothers

    17. BACKDOOR
       • Complete access via shell. Kiss all hardening goodbye
       • Sad day. Good time to cry

    18. LINK INJECTION
       • Drive-by-Download attempt: think Fake AV / Adobe
       • Pharma Links: Erectile Dysfunction (Viagra)

    19. PHARMA
       • Affiliate Model
       • Multi-million dollar industry
       • Generates ~3.5k new clients daily

    20. DEFACEMENT
       • Hacktivism at its finest
       • Awareness to a cause

    21. COMMON VECTORS
       "38% of us Would Rather Clean a Toilet Than Think of a New Password" - Mashable
       • Vulnerable Software
         • Often associated with out-of-date software
         • WordPress Themes / Plugins, more so than Core
       • Cross-Site Contamination
         • Soup Kitchen Servers
       • Compromised Credentials
         • Password123, Password1, 111111a = not cool
       • Remote File Inclusion
         • Leads to Remote Execution
         • Think TimThumb, Uploadify, etc.

    22. MAKE IT STOP
       "The question isn't who is going to let me; it's who is going to stop me."
       Simple is so much sweeter
    23. THE KEY IS ACCESS
       • In almost all instances the key is access, whether via:
         • WP-ADMIN
         • SSH / SFTP (Port 22)
         • FTP (Port 21) => You are dead to me!!! :)
         • Remote File Inclusion: vulnerabilities in TimThumb / Uploadify. You can't avoid zero-day events, but you can stay proactive once they are identified
         • Doesn't include environmental issues
       • Myth: remove the "admin" user
         • Fact: the slide's figure is that cracking a 10-character password by brute force takes 1,700 years (that number assumes a large character set and a fixed guess rate; a letters-and-digits-only password, or an offline attack on a leaked hash, is far quicker). Today, dictionary attacks are the preferred method. Either way, it takes many login attempts, which is what you can detect and rate-limit.
         • The "administrator" role matters more than the "administrator" or "admin" user name.
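Worked check of the brute-force figure on this slide, added here and not part of the original deck: the time to exhaust a password keyspace depends on the character-set size $C$, the length $L$ and the attacker's guess rate $r$, none of which the slide states, so the same 10-character password gives very different numbers. With

$$
N = C^{L}, \qquad T_{\max} = \frac{N}{r}, \qquad T_{\text{expected}} = \frac{N}{2r}
$$

and an assumed rate of $r = 10^{9}$ guesses per second for $L = 10$:

$$
C = 95 \text{ (printable ASCII)}:\quad N = 95^{10} \approx 5.99 \times 10^{19}, \quad T_{\max} \approx 5.99 \times 10^{10}\ \text{s} \approx 1{,}900\ \text{years}
$$

$$
C = 62 \text{ (letters and digits)}:\quad N = 62^{10} \approx 8.39 \times 10^{17}, \quad T_{\max} \approx 8.39 \times 10^{8}\ \text{s} \approx 27\ \text{years}
$$

The slide's 1,700 years therefore corresponds to roughly the full printable keyspace at a rate near $10^{9}$ guesses per second. Raise $r$ to $10^{11}$ (a GPU rig against a leaked, fast-hashed copy of the password) and the two cases fall to about 19 years and about 97 days. Against the live login form the rate is orders of magnitude lower and every guess is a request you can see, which is the reasoning behind the slide's next point: the role and the password quality matter, the user name does not.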
    24. THIS IS WHAT MATTERS - KISS
       From an access standpoint:
       • Strong / Unique Password
       • Two-Factor Authentication
       • Application WAF
       • Secure Server Environment
       • WAF
       From a vulnerability standpoint:
       • Avoid Soup Kitchen Servers
       • Separate Staging from Production
       • Use Trusted Sources
       • Secure Environment
       • Stay Current

    25. MY ADVICE
       To the Average Joe:
       1. Kill PHP Execution
       2. Disable Theme / Plugin Editing via Admin
       3. Connect Securely: SFTP / SSH
       4. Use Authentication Keys in wp-config
       5. Use Trusted Sources
       6. Use a local Antivirus. Yes, Macs need one
       7. Verify your permissions: directories 755, files 644
       8. Least Privilege
       9. Kill generic accounts: Accountability
       10. Backup your site. Yes, the database too
       To the Paranoid / Lucky:
       1. Don't let WordPress write to itself
       2. Filter by IP
          • SSH Access
          • WP-ADMIN Access
          • Database Access
       3. Use a dedicated server / VPS
       4. Employ a WAF / Logging Solution
       5. Enable SSL
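Items 2, 4 and 7 of the "Average Joe" list are things you can check rather than take on faith. The script below is an added example, not code from the deck or from Sucuri: it walks an install for anything that is not D 755 / F 644, then reads wp-config.php for DISALLOW_FILE_EDIT and for the eight authentication keys and salts, flagging the "put your unique phrase here" placeholder that wp-config-sample.php ships with. The install path and the file name wp-audit.sh are assumed.

```shell
#!/bin/sh
# Added example, not from the slides: audit a WordPress install against
# the "D 755 | F 644" rule, the editor lock-down and the wp-config keys.
# The install path is an assumed argument.

# Print every directory that is not 755 and every file that is not 644.
# Exact-mode matching (-perm 755 with no leading - or /) is POSIX find.
wp_perm_audit() {
  root="$1"
  find "$root" -type d ! -perm 755 -print
  find "$root" -type f ! -perm 644 -print
}

# Check wp-config.php for DISALLOW_FILE_EDIT and for the eight keys/salts.
# Prints one finding per line; returns 0 when clean, 1 when anything is off.
wp_config_audit() {
  cfg="$1"
  rc=0
  if ! grep -Eq "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$cfg"; then
    echo "DISALLOW_FILE_EDIT is not set to true"
    rc=1
  fi
  for key in AUTH_KEY SECURE_AUTH_KEY LOGGED_IN_KEY NONCE_KEY \
             AUTH_SALT SECURE_AUTH_SALT LOGGED_IN_SALT NONCE_SALT; do
    if ! grep -q "'$key'" "$cfg"; then
      echo "$key is missing"
      rc=1
    elif grep -q "'$key'[[:space:]]*,[[:space:]]*'put your unique phrase here'" "$cfg"; then
      echo "$key still holds the sample placeholder"
      rc=1
    fi
  done
  return $rc
}

# Usage: sh wp-audit.sh /var/www/html   (path is an assumption)
if [ $# -gt 0 ]; then
  echo "== paths that are not D 755 / F 644 under $1 =="
  wp_perm_audit "$1"
  echo "== wp-config.php =="
  wp_config_audit "$1/wp-config.php" && echo "wp-config.php looks clean"
fi
```

A world-writable .php file under wp-content/uploads is exactly the kind of hit the first pass turns up; a key still set to the sample placeholder means every cookie and nonce on the site is forgeable by anyone who has read wp-config-sample.php.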
    26. KILL PHP EXECUTION
       • The idea is to not let them execute any PHP file from a directory that only needs to hold data. You do so by adding this in an .htaccess file in the directory of choice. Recommendation:
         • WP-INCLUDES
         • UPLOADS
       # PROTECT [Directory Name]
       <Files *.php>
       Deny from all
       </Files>
       • Deny from all is Apache 2.2 syntax. On Apache 2.4 the equivalent is Require all denied (the old form only keeps working there if mod_access_compat is loaded), and the host's AllowOverride setting has to permit access-control directives in .htaccess or the file is silently ignored.
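The fragment on this slide and the "Filter by IP: WP-ADMIN Access" item on the previous one are both .htaccess rules, so here is one added example that writes them, not code from the deck or from Sucuri. It assumes you know your Apache major version (2.2 or 2.4) and the addresses you administer from (the 203.0.113.0/24 and 198.51.100.0/24 ranges below are documentation addresses, not real ones). Two deliberate departures from the slide: the deny rule uses FilesMatch so a webshell renamed to .phtml or .php5 is caught as well as .php, and the wp-admin allow-list exempts admin-ajax.php, which themes and plugins call for anonymous visitors. Apply the uploads rule first; a blanket deny on wp-includes is what the WordPress hardening guide of the time did too, but it noted ms-files.php on multisite as an exception, so test the site after applying it there.

```shell
#!/bin/sh
# Added example, not from the slides: generate the PHP-deny and wp-admin
# IP allow-list .htaccess files. Apache version, install path and admin
# addresses are assumed arguments.

# PHP deny rule for a directory that should only ever serve static files.
# Matches the extensions a typical PHP handler maps, not just ".php".
php_deny_htaccess() {
  case "$1" in
    2.2) deny='Order deny,allow
Deny from all' ;;
    *)   deny='Require all denied' ;;
  esac
  printf '# PROTECT uploads: never execute PHP from here\n'
  printf '<FilesMatch "\\.(php[0-9]?|phtml|phar)$">\n%s\n</FilesMatch>\n' "$deny"
}

# IP allow-list for wp-admin. Arguments: apache version, then IPs/CIDRs.
# admin-ajax.php stays reachable because front-end code for anonymous
# visitors posts to it; everything else in wp-admin needs a listed address.
wp_admin_ip_htaccess() {
  ver="$1"; shift
  printf '# PROTECT wp-admin: only these addresses may reach the dashboard\n'
  if [ "$ver" = "2.2" ]; then
    printf 'Order deny,allow\nDeny from all\n'
    for ip in "$@"; do printf 'Allow from %s\n' "$ip"; done
    printf '<Files admin-ajax.php>\nOrder allow,deny\nAllow from all\n</Files>\n'
  else
    printf '<RequireAny>\n'
    for ip in "$@"; do printf '  Require ip %s\n' "$ip"; done
    printf '</RequireAny>\n'
    printf '<Files admin-ajax.php>\nRequire all granted\n</Files>\n'
  fi
}

# Write both files under a WordPress root. Arguments: root, version, IPs...
install_htaccess() {
  root="$1"; ver="$2"; shift 2
  php_deny_htaccess "$ver" > "$root/wp-content/uploads/.htaccess"
  wp_admin_ip_htaccess "$ver" "$@" > "$root/wp-admin/.htaccess"
}

# Usage: sh wp-htaccess.sh /var/www/html 2.4 203.0.113.5 198.51.100.0/24
if [ $# -ge 3 ]; then
  install_htaccess "$@"
  echo "wrote $1/wp-content/uploads/.htaccess and $1/wp-admin/.htaccess"
fi
```

The allow-list only helps if the addresses are stable and the host does not sit behind a proxy that rewrites the client IP; if it does, Require ip sees the proxy's address and either locks everyone out or lets everyone in, so check what the access log records before relying on it.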
    27. DISABLE PLUGIN/THEME EDITOR
       • Add to wp-config.php. If an admin account is compromised, the attacker can't use the dashboard editor to write PHP into theme or plugin files. (It does not stop plugin or theme uploads through the dashboard; DISALLOW_FILE_MODS covers those.)
       # Disable Plugin / Theme Editor
       define('DISALLOW_FILE_EDIT', true);
    28. RECOMMENDED PLUGINS
       Clients:
       • Sucuri Security Premium
       • Duo Two-Factor Authentication
       • Theme-Check
       • BackupBuddy
       • Akismet
       Non-Clients:
       • Duo Two-Factor Authentication
       • Limit Login Attempts
       • Theme-Check
       • BackupBuddy
       • Akismet

    29. KNOW WHERE TO GO, IF... IT HAPPENS
       Support Forums:
       • Hacked: http://wordpress.org/tags/hacked
       • Malware: http://wordpress.org/tags/malware
       • BadwareBusters: https://badwarebusters.org
       Online Resources:
       • Sucuri Blog: http://blog.sucuri.net
       • SiteCheck Scanner: http://sitecheck.sucuri.net
       • Unmask Parasites: http://unmaskparasites.com
       • Perishable Press: http://perishablepress.com/category/web-design/security/
       • Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

    30. BLACKLIST ENTITIES
       • Google
         • Chrome, Firefox
         • Search Engine Results Page (SERP)
         • http://www.google.com/webmaster/tools
         • http://www.google.com/safebrowsing/diagnostic?site=[your site]
       • Bing
         • Internet Explorer
         • Yahoo
         • http://www.bing.com/toolbox/webmaster/
       • Norton
         • SafeWeb Browsing
         • Facebook
         • http://safeweb.norton.com/
       • AVG
         • Opera
         • http://www.avgthreatlabs.com/sitereports/

    31. CONTACT
       Sucuri: http://sucuri.net and http://blog.sucuri.net
       Tony Perez: http://perezbox.com and http://tonyonsecurity.com
       @perezbox and @tonyonsecurity