WordPress Security - The "No-BS" Version


A presentation I put together for WordCamp Chicago 2012.

Published in Technology, Business
Speaker notes:
  • Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would


  • 1. WORDPRESS SECURITY The “No-BS” Version
  • 2. SUCURI@WORDCAMP# WHOIS PEREZBOX
      • Name: Tony Perez
      • Street name: The Hulk
      • Handle: Perezbox
      • Company: Sucuri
      • Occupation: Executive / Owner
      • Likes: Guns, InfoSec, Harley's, MMA
      • Personality: Rational / Objective = Turd
      • Location: Menifee, California
    @PEREZBOX @SUCURI_SECURITY @TONYONSECURITY #WCCHX 10/15/2012
  • 3. TODAY'S CHALLENGES
      • Administration
      • Extensibility
      • Credentials
      • End-users
      • Education
  • 4. KNOWLEDGE
      "The user's going to pick dancing pigs over security every time." - Bruce Schneier
      Check yourself before you wreck yourself
  • 5. KNOW THE ENVIRONMENT
      LAMP stack: Linux, Apache, MySQL, PHP
      • This is what it takes to run WordPress
      • Each contains its own laundry list of known vulnerabilities
      • Bare-bones
  • 6. KNOW THE APPLICATION
      WordPress: Core, Themes, Plugins, End-User
      • Today's Problem
  • 7. REALISTIC ENVIRONMENT
      Linux Operating System, Apache, MySQL, PHP, WordPress, cPanel, Plesk, myLittleAdmin, phpMyAdmin, etc., plus modules
  • 8. YOUR HOST
      IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
      • Who is your host?
      • How do you connect to the server?
          • FTP, SFTP, SSH
      • What security does your host use? Do they use any web security?
      • What will your host do if you get hacked?
          • Will they shut your site down?
          • Will they kick you off their server?
          • Will they fix it for you?
  • 9. CONNECTING
      • If you don't need it, disable it
          • SFTP / SSH is preferred
          • FTP works fine – disable it if you're not using it, and don't talk to me if you are
          • FTP/SFTP != WP-ADMIN
      • Least Privileged
          • You don't have to log in to FTP / SFTP with full root access
          • Everyone doesn't need to be an admin
          • You don't need to log in as admin
          • The focus is on the role, not the name of the user
          • Accountability – kill generic accounts – who is doing what?
  • 10. ATTACK TYPE
      • Opportunistic
          • Trolling the web looking for known vulnerabilities
          • Ability for mass exposure
          • Think "TimThumb"
      • Targeted
          • Big enterprises with large followings: WooThemes
          • Worth investing time and energy to compromise, bigger return
  • 11. AUTOMATION IS KEY
      Automation cycle: Scan → Detect → Exploit → PWN
      • Targeted / Opportunistic
      • Vulnerability Scans
      • Brute Force / Data Dictionary Attacks
      • DDOS / DOS
      • XSS / CSRF
      • SQLi
  • 12. BLACKLISTING
      • Take a chill pill.. Not the end of the world
      • Detect, Remove, Submit
  • 13. THE MISTAKE
      • But why me?!?!?!
      • Forget the why, look at the how!!
  • 14. THE HOW
      "Own one, Own them All"
      Nothing fancy here.. The facts
  • 15. TODAY'S EXPLOITS
      Diagram labels: You, Control
      • Application
          • Injections
          • Remote File Inclusion
          • Remote File Execution
          • Brute Force / Data Dictionary
      • Environment
          • Privilege Escalation
          • Brute Force / Data Dictionary
          • Remote File Include
          • Remote File Execution
  • 16. TOP 5 WORDPRESS INFECTIONS
      • Backdoors – Difficult to detect via HTTP
      • Injections – Easy to detect via HTTP
      • Pharma Hack – Best person to detect is the owner; difficult to detect via HTTP
      • Malicious Redirects – Easy to detect via HTTP
      • Defacements – Pretty obvious: you're now supporting the Syrian fight or preaching to your Turkish brothers
  • 17. BACKDOOR
      • Complete access via shell… kiss all hardening goodbye
      • Sad day.. Good time to cry…
  • 18. LINK INJECTION
      • Drive-by-download attempt – think Fake AV / Adobe
      • Pharma Links – Erectile Dysfunction (Viagra)
  • 19. PHARMA
      • Affiliate Model
      • Multi-million dollar industry
      • Generate ~3.5k new clients daily
  • 20. DEFACEMENT
      • Hacktivism at its finest
      • Awareness to cause
  • 21. COMMON VECTORS
      "38% of us Would Rather Clean a Toilet Than Think of New Password" - Mashable
      • Vulnerable Software
          • Often associated with out-of-date software
          • WordPress Themes / Plugins, more so than Core
      • Cross Site Contamination
          • Soup Kitchen Servers
      • Compromised Credentials
          • Password123, Password1, 111111a = not cool
      • Remote File Inclusion
          • Leads to Remote Execution
          • Think TimThumb, Uploadify, etc…
  • 22. MAKE IT STOP
      "The question isn't who is going to let me; it's who is going to stop me."
      Simple is so much sweeter…
  • 23. THE KEY IS ACCESS
      • In almost all instances the key is access, whether via:
          • WP-ADMIN
          • SSH / SFTP (Port 22)
          • FTP (Port 21) => You are dead to me!!! : )
          • Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – you can't avoid zero-day events, but you can stay proactive once they are identified
          • Doesn't include environmental issues
      • Myth: Remove Admin
          • Fact: to crack a 10 character password = 1,700 years via brute-force. Today, dictionary attacks are the preferred method. Either way, it requires multiple scan attempts.
          • The "administrator" role matters more than the "administrator" or "admin" user name.
  • 24. THIS IS WHAT MATTERS - KISS
      From an access standpoint: Strong / Unique Password, Application WAF, Two Factor Authentication, Secure Server Environment, WAF
      From a vulnerability standpoint: Avoid Soup Kitchen Servers, Separate Staging from Production, Use Trusted Sources, Secure Environment, Stay Current
  • 25. MY ADVICE
      To the Average Joe:
      1. Kill PHP Execution
      2. Disable Theme / Plugin Editing via Admin
      3. Connect Securely – SFTP / SSH
      4. Use Authentication Keys in wp-config
      5. Use Trusted Sources
      6. Use a local Antivirus – Yes, Macs need one
      7. Verify your permissions - D 755 | F 644
      8. Least Privileged
      9. Kill generic accounts - Accountability
      10. Backup your site – yes, Database too
      To the Paranoid / Lucky:
      1. Don't let WordPress write to itself
      2. Filter by IP
          • SSH Access
          • WP-ADMIN Access
          • Database Access
      3. Use a dedicated server / VPS
      4. Employ a WAF / Logging Solution
      5. Enable SSL
  • 26. KILL PHP EXECUTION
      • The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice. Recommendation:
          • WP-INCLUDES
          • UPLOADS

          #PROTECT [Directory Name]
          <Files *.php>
          Deny from all
          </Files>
  • 27. DISABLE PLUGIN/THEME EDITOR
      • Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files.

          # Disable Plugin / Theme Editor
          define('DISALLOW_FILE_EDIT', true);
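As an added example (not code from the slides or from Sucuri), a POSIX shell audit that checks a WordPress root for the "Average Joe" items on slides 25 to 27: directory/file permissions (755/644), DISALLOW_FILE_EDIT in wp-config.php, authentication keys left at the placeholder WordPress ships in wp-config-sample.php, and a PHP deny rule in the .htaccess of wp-includes and wp-content/uploads. The directory layout and the placeholder phrase are assumptions based on a stock WordPress install.

```shell
#!/bin/sh
# Added example, not from the slides: audit a WordPress root against
# slides 25-27. Assumes POSIX sh, find and grep, and a stock WordPress
# layout under the directory given as $1. Prints one line per finding
# and returns the number of findings (0 = everything checked is in place).
wp_audit() {
  root="$1"
  findings=0
  # Slide 25, item 7: directories 755, files 644
  bad_dirs=$(find "$root" -type d ! -perm 755 | wc -l | tr -d ' ')
  bad_files=$(find "$root" -type f ! -perm 644 | wc -l | tr -d ' ')
  [ "$bad_dirs" -eq 0 ] || { echo "directories not 755: $bad_dirs"; findings=$((findings + 1)); }
  [ "$bad_files" -eq 0 ] || { echo "files not 644: $bad_files"; findings=$((findings + 1)); }
  cfg="$root/wp-config.php"
  # Slide 27: theme/plugin editor disabled (PHP function names are case-insensitive, hence -i)
  grep -Eiq "define[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$cfg" 2>/dev/null \
    || { echo "DISALLOW_FILE_EDIT not set to true in wp-config.php"; findings=$((findings + 1)); }
  # Slide 25, item 4: authentication keys still at the placeholder from wp-config-sample.php
  if grep -q "put your unique phrase here" "$cfg" 2>/dev/null; then
    echo "wp-config.php still carries placeholder authentication keys"
    findings=$((findings + 1))
  fi
  # Slide 26: a deny directive present in the .htaccess of wp-includes and uploads
  # (accepts the Apache 2.2 "Deny from all" on the slide or the 2.4 "Require all denied")
  for d in wp-includes wp-content/uploads; do
    grep -Eiq "deny from all|require all denied" "$root/$d/.htaccess" 2>/dev/null \
      || { echo "no PHP deny rule in $d/.htaccess"; findings=$((findings + 1)); }
  done
  return "$findings"
}

# usage: sh audit.sh /path/to/wordpress ; the exit status is the number of findings
if [ "$#" -gt 0 ]; then
  wp_audit "$1"
fi
```

The `Deny from all` on slide 26 is Apache 2.2 syntax; on Apache 2.4 it only works while mod_access_compat is loaded, otherwise the equivalent is `Require all denied`, which is why the check accepts either form.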
  • 28. RECOMMENDED PLUGINS
      • Clients: Sucuri Security Premium, Duo Two-Factor Authentication, Theme-Check, BackupBuddy, Akismet
      • Non-Clients: Duo Two-Factor Authentication, Limit Login Attempts, Theme-Check, BackupBuddy, Akismet
  • 29. KNOW WHERE TO GO, IF… IT HAPPENS
      • Support Forums: Hacked, Malware, BadwareBusters
      • Online Resources: Sucuri Blog, SiteCheck Scanner, Unmask Parasites, Perishable Press (design/security/), Secunia Security Advisories (h/?search=wordpress)
  • 30. BLACKLIST ENTITIES
      • Google – Chrome, FireFox; Search Engine Results Page (SERP); [your site]
      • Bing – Internet Explorer; Yahoo
      • Norton – SafeWeb Browsing; Facebook
      • AVG – Opera
  • 31. Sucuri, Tony Perez, @perezbox and @tonyonsecurity