Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would
“The user’s going to pick dancing pigs over security every time.” - Bruce Schneier
Check yourself before you wreck yourself
KNOWLEDGE
@PEREZBOX @SUCURI_SECURITY @TONYONSECURITY #WCCHX 10/15/2012 4
KNOW THE ENVIRONMENT
LAMP stack: Linux, Apache, MySQL, PHP
• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• Bare-bones
KNOW THE APPLICATION
WordPress: Core, Themes, Plugins, End-User
• Today's Problem
REALISTIC ENVIRONMENT
Linux Operating System, Apache, MySQL, PHP, WordPress
Modules: cPanel, Plesk, myLittleAdmin, phpMyAdmin, etc.
YOUR HOST
IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
• Who is your host?
• How do you connect to the server?
  • FTP, SFTP, SSH
• What security does your host use? Do they use any web security?
• What will your host do if you get hacked?
  • Will they shut your site down?
  • Will they kick you off their server?
  • Will they fix it for you?
CONNECTING
• If you don't need it, disable it
  • SFTP / SSH is preferred
  • FTP works fine – disable it if you're not using it; don't talk to me if you are
  • FTP/SFTP != WP-ADMIN
• Least Privilege
  • You don't have to log in to FTP / SFTP with full root access
  • Everyone doesn't need to be an admin
  • You don't need to log in as admin
  • The focus is on the role, not the name of the user
  • Accountability – kill generic accounts – who is doing what?
ATTACK TYPE
Opportunistic
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think “TimThumb”
Targeted
• Big enterprises with large followings: WordPress.com, WooThemes
• Worth investing time and energy to compromise, bigger return
AUTOMATION IS KEY
Automation loop: Scan → Detect → Exploit → PWN
• Targeted / Opportunistic
• Vulnerability Scans
• Brute Force / Data Dictionary Attacks
• DDoS / DoS
• XSS / CSRF
• SQLi
BLACKLISTING
• Take a chill pill.. Not the end of the world
• Detect, Remove, Submit
THE MISTAKE
• But why me?!?!?!
• Forget the why, look at the how!!
“Own one, Own them All”
Nothing fancy here.. The facts
THE HOW
TODAY'S EXPLOITS
(You / Control / Application / Environment)
Application:
• Injections
• Remote File Inclusion
• Remote File Execution
• Brute Force / Data Dictionary
Environment:
• Privilege Escalation
• Brute Force / Data Dictionary
• Remote File Include
• Remote File Execution
TOP 5 WORDPRESS INFECTIONS
• Backdoors – Difficult to detect via HTTP
• Injections – Easy to detect via HTTP
• Pharma Hack – Best person to detect it is the owner; difficult to detect via HTTP
• Malicious Redirects – Easy to detect via HTTP
• Defacements – Pretty obvious – you're now supporting the Syrian fight or preaching to your Turkish brothers
BACKDOOR
• Complete access via shell… kiss all hardening goodbye
• Sad day.. Good time to cry…
PHARMA
• Affiliate Model
• Multi-million dollar industry
• Generate ~3.5k new clients daily
DEFACEMENT
• Hacktivism at its finest
• Awareness to cause
COMMON VECTORS
“38% of us Would Rather Clean a Toilet Than Think of New Password” - Mashable
• Vulnerable Software
  • Often associated with out-of-date software
  • WordPress Themes / Plugins, more so than Core
• Cross Site Contamination
  • Soup Kitchen Servers
• Compromised Credentials
  • Password123, Password1, 111111a = not cool
• Remote File Inclusion
  • Leads to Remote Execution
  • Think TimThumb, Uploadify, etc…
“The question isn't who is going to let me; it's who is going to stop me.”
Simple is so much sweeter…
MAKE IT STOP
THE KEY IS ACCESS
• In almost all instances the key is access, whether via:
  • WP-ADMIN
  • SSH / SFTP (Port 22)
  • FTP (Port 21) => You are dead to me!!! : )
  • Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – you can't avoid zero-day events, but you can stay proactive once they are identified
  • Doesn't include environmental issues
• Myth: Remove Admin
  • Fact: to crack a 10 character password = 1,700 years via brute-force. Today, dictionary attacks are the preferred method. Either way, it requires multiple scan attempts.
  • The “administrator” role matters more than the “administrator” or “admin” user name.
THIS IS WHAT MATTERS - KISS
From an access standpoint:
• Strong / Unique Password
• Application WAF
• Two Factor Authentication
• Secure Server Environment
• WAF
From a vulnerability standpoint:
• Avoid Soup Kitchen Servers
• Separate Staging from Production
• Use Trusted Sources
• Secure Environment
• Stay Current
MY ADVICE
To the Average Joe:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – Yes, Macs need one
7. Verify your permissions - D 755 | F 644
8. Least Privilege
9. Kill generic accounts - Accountability
10. Backup your site – yes, Database too
To the Paranoid / Lucky:
1. Don't let WordPress write to itself
2. Filter by IP
  • SSH Access
  • WP-ADMIN Access
  • Database Access
3. Use a dedicated server / VPS
4. Employ a WAF / Logging Solution
5. Enable SSL
KILL PHP EXECUTION
• The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice.
• Recommendation:
  • WP-INCLUDES
  • UPLOADS

    # PROTECT [Directory Name]
    <Files *.php>
    Deny from all
    </Files>
DISABLE PLUGIN/THEME EDITOR
• Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files.

    # Disable Plugin / Theme Editor
    define('DISALLOW_FILE_EDIT', true);
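An added audit script (not from the slides or from Sucuri) that checks an install against three items of the "Average Joe" list above: the .htaccess PHP block in wp-includes and uploads, DISALLOW_FILE_EDIT in wp-config.php, and the D 755 / F 644 permissions. It assumes GNU find and accepts either the Apache 2.2 "Deny from all" shown on the slide or the Apache 2.4 equivalent "Require all denied"; the function names are mine.

```shell
#!/bin/sh
# Added example, not from the slides: audit a WordPress install against three
# items of the "Average Joe" list: PHP execution blocked in wp-includes and
# wp-content/uploads (.htaccess), DISALLOW_FILE_EDIT set in wp-config.php,
# and directories 755 / files 644. Assumes GNU find (-printf).
# Usage: audit_wp /path/to/wordpress   (prints one finding per line)

# Directories and files whose mode differs from D 755 / F 644.
# wp-config.php is skipped: it is usually locked down tighter than 644.
check_wp_perms() {
  find "$1" -type d ! -perm 755 -printf 'DIR  %m %p\n'
  find "$1" -type f ! -name wp-config.php ! -perm 644 -printf 'FILE %m %p\n'
}

# Directories that should carry an .htaccess denying *.php. Accepts the
# Apache 2.2 "Deny from all" from the slide or the 2.4 "Require all denied".
check_php_exec() {
  for d in wp-includes wp-content/uploads; do
    f="$1/$d/.htaccess"
    if [ ! -f "$f" ] || ! grep -Eqi 'deny from all|require all denied' "$f"; then
      echo "PHPEXEC $d has no .htaccess denying *.php"
    fi
  done
}

# wp-config.php must define DISALLOW_FILE_EDIT as true.
check_file_edit() {
  pat="define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
  if ! grep -Eqi "$pat" "$1/wp-config.php" 2>/dev/null; then
    echo "FILEEDIT DISALLOW_FILE_EDIT is not set to true in wp-config.php"
  fi
}

audit_wp() {
  check_wp_perms "$1"
  check_php_exec "$1"
  check_file_edit "$1"
}

# Normalise modes to the slide's recommendation (wp-config.php left alone).
fix_wp_perms() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
}
```

Run audit_wp before and after fix_wp_perms; an empty output means all three checks pass.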