Security + with WordPress.org Self-installation


You’re proud of your self-installed WordPress.org site but you can be sure that the hackers are already at the door, testing for vulnerabilities. With millions of WordPress.org sites in operation, hackers have a gigantic, soft target for their redirects, downloads, backdoors and other sinister malware. And research shows that most WordPress site owners aren’t even aware they’ve been hacked — until the damage is done and evident. WordCamp Nashville 2013 speaker (and WordPress maven) Judy Wilson shows you how to protect your WordPress site with solid, best-practice safeguards.


Transcript

  • 1. Copyright 2013 Site Shack Web Design, all rights reserved.
  • 2. Nashville native. Web site designer, developer. Writer. Photographer. Traveler. Gardener. Internet aficionado.
    First computer: Apple III (1985). First Web site: 1994.
    First Webmaster job: 1997 - 2000, Catholic Charities of the Archdiocese of San Francisco.
    Second Webmaster job: 2000 - 2004, Owen Graduate School of Management - Vanderbilt University.
    Opened Site Shack: 2004, www.site-shack.com. Owner, Site Shack Web Design.
  • 3. Your WordPress site is living in a high crime neighborhood.*
    * Doesn’t matter if you’re on WordPress.com or using WordPress.org. Access is the key.
  • 4. Think it won’t happen to you?
  • 5. What makes WordPress so vulnerable to hacks?
    WordPress is used by 54.8% of all the websites whose content management system we know. This is 17.6% of all websites.
    -- http://w3techs.com/technologies/details/cm-wordpress/all/all
    How many times has WordPress.org been downloaded? http://wordpress.org/download/counter/
  • 6. How do they get in?
    Hacks are most often delivered through cheesy credentials, old and/or evil software, themes, plugins + vulnerable scripts (such as the “timthumb script”) and cheap, poor-security hosting environments.
    IMO: Most often the result of hackers exploiting (it’s a no-brainer) really bad credentials:
    WRONG: Username: admin / Password: mypassword
  • 7. Main Types of WordPress Hacks: Backdoors, Drive-by Downloads, Pharma Hacks, Malicious Redirects, Phishing, Defacements.
  • 8. Backdoors
    A backdoor in a computer system is a method of bypassing normal authentication to secure illegal remote access to a computer (or a WordPress site).
    Once they’re in, they will take over your site and the other sites around you (including via other sites on a shared server with poor security). Sometimes used to create “BotNets” or “MalNets.”
    The initial entry is typically made through compromised credentials or a vulnerable plugin etc. Detecting the hack and cleaning the site may not remove the backdoor.
  • 9. Backdoors (cont.)
    Backdoors can have a full-fledged UI that allows them to send emails as your server, execute SQL queries, and everything else they want to do. This is basically the same thing as having a Control Panel on the Web site.
    Why? It varies based on what the hacker does for a living. They might upload a couple of phishing pages to the site. Phishing pages have a very short shelf life and need to be regularly updated.
    If they’re spammers, they’re getting paid to add links, so they might come in and add some pharma links on the sites they have access to.
    Backdoor site access can provide opportunities for introducing any type of malware. You can also be blacklisted by Google and other search engines and servers.
  • 10. Drive-by Downloads
    Why? Once installed, malware delivered by a drive-by download can do a number of different things: log keystrokes, scan the system for files of a personal nature, herd the system into a botnet of similarly compromised machines, infect the Web browser with a banking Trojan that hijacks online-banking sessions, and install a "backdoor" that will let in even more malware.
    The point of a drive-by download is often to download a payload onto your user’s local machine. One of the most common payloads informs the user that their website has been infected and that they need to install an anti-virus product.
    The initial entry is typically made through compromised credentials and SQL injection, in which a SQL command can be inserted into the database.
  • 11. Pharma Hacks
    The pharma hack is an exploit that takes advantage of vulnerabilities in WordPress (or Joomla) Web sites to cause search engines (usually Google) to return ads for pharmaceutical products (or other types of products and merchandise) along with legitimate listings. Can be hard to detect because it may appear only at specific times and does not affect the displayed pages of the compromised Web site. This latter method is referred to as a “Google conditional hack.”
    Gain access via a backdoor or compromised credentials, comment or other form injection. For this reason, it can take many months to recover from a pharma hack (they can be generated from your database), so it is important that you find and remove the hack as quickly as possible.
    Pharma hacks are a multi-million dollar business. They’re not about spreading malware, viruses etc. Often used to increase ad impressions (not clicks) for Affiliate Marketing.
  • 12. Malicious Redirects
    A malicious redirect sends a user to a site promoting malware (“It looks like your site has been compromised etc.”, like a big old rootkit virus). Unlike an iframe injection (for example, that executes in your browser), your entire site gets redirected (not just a page or link) and at the same time, you may be unable to login.
    You may be redirected to a site in Russia (Russian sites are popular destinations for malicious redirects). These sites may be selling something, or may be part of a larger MalNet (or BotNet) that is spreading malware.
    One of the easier ones to clean. Often found in your .htaccess file. May be part of a backdoor, which points to a larger problem.
  • 13. Other Ugly Hacks: Defacements, Phishing.
  • 14. How Can I Tell if I’ve Been Hacked? The Proactive Approach
    Fire up Google and do a search for “site:yoursite.com”. Check to see if there are any weird titles, text or spam type results returned on your search. Obvious words: Viagra, Vicodin, Dr. Dre’s headphones etc.
    The Backup Buddy plugin has a scan-for-malware tool.
    Google Webmaster Tools has a scan-for-malware tool.
    Sucuri.net has a scan-for-malware tool that also tells you your blacklist status, i.e., if your site has been blacklisted.
    Oh, and by the way: Do not login to your WordPress site at your local coffee house over “http.”
  • 15. More: How Can I Tell if I’ve Been Hacked? Uh oh. I think it’s too late.
    - Displaying popups that you didn’t implement.
    - Displaying odd text in your footer or in the "View Source."
    - Links to other sites or auto-linking of keywords that you didn’t create links for.
    - Seeing obfuscated / encoded text in plugins.
    - Website redirecting (immediately or after a short length of time) to another URL.
    - A friend calls/texts/emails you that your site is directing users to Dr. Dre’s Headphones, or “performance enhancing” or pain medication drugs etc.
    - Style sheet formatting has disappeared.
    - You can’t login to your wp-admin.
    - New files appearing in themes folder or anywhere else (look for a recent or atypical date via FTP; when you open these pages, they may appear to contain binary code).
  • 16. More: How Can I Tell if I’ve Been Hacked?
  • 17. More: How Can I Tell if I’ve Been Hacked?
  • 18. Prevention and Protection
    1. Before You Install: Map out your strategy
    2. The Installation: Solid padlocks + lock your doors and windows
    3. Advanced Security: Multiple locks + burglar bars + alarm systems + guard dog
  • 19. Before You Install: Map out your Strategy
    - Do not use a “soup kitchen” host = high risk of cross-contamination.
    - Does your host disclose what software it’s running & what versions? How often do they patch/upgrade? What kind of security measures do they provide? Do they provide backups? How often? Where?
    - Consider using a “Managed” WordPress host with malware scanning in place. These include curated plugins.
    - Do not use any old free theme! Vet your premium theme (including version appropriate)! Run a virus/malware check on it after you buy it.
    - Stay informed!
  • 20. Before You Install: Map out Your Strategy (cont.)
    - Don’t use 1-click install unless you are prepared to go back and make some changes to the installation.
    - Consider a sandbox site and test your backup and restore procedure -- more than once. Then delete it before you forget about it.
    - BTW: Do you know where your backup is? Can you restore from it?
    - Optional but an excellent idea: Set up a monitor account: http://www.sucuri.net
    - Think in terms of “Layered Defenses.”
  • 21. The Installation: Solid padlocks and locked windows
    - Do NOT use “admin” for your user name.
    - Do NOT use a password that can be found in a dictionary or that you’ve ever used anywhere else at any time.
    - Do NOT use sequential numbers and/or letters.
    - Your wp-admin AND your FTP passwords should be at least 8-15 characters, e.g. MN&4^z%Kq94*BG6t. Get insanely complicated with your credentials.
    - Stop using FTP. Use SFTP -- call your host if you’re not sure about using SFTP.
  • 22. The Installation: Solid padlocks + locked windows (cont.)
    - The wp-config.php file: In your wp-config.php file, salt your hashes, aka the “secret words.” Do not use “wp” for your table prefix. Make up something non-sequential like “jnm.”
    - If you use a server with .htaccess, you can put this in that file (at the very top) to deny access to anyone surfing for wp-config.php:
      <files wp-config.php>
      order allow,deny
      deny from all
      </files>
  • 23. The Installation: Solid padlocks + locked windows (cont.)
    - Check and set your folder and file permissions (http://codex.wordpress.org/Changing_File_Permissions):
      Folder permissions: 755
      File permissions: 644
      index.php: 666
      wp-config.php: 600
    - Remove themes and plugins that are not being used.
    - Use your Administrator accounts for Administrator work (like setting up a new user). Use Editor, Author, Contributor and Subscriber for their appropriate tasks.
    - Turn off trackbacks and pingbacks.
    - Comments ONLY when appropriate, with Akismet.
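The "check and set" step above as an added shell example (not from the talk): audit_perms reports every path that deviates from the 755/644/600 values and fix_perms applies them. The make_fixture tree and its file names are constructed for the demo; index.php is treated as an ordinary 644 file rather than 666, since 666 would leave it world-writable.

```shell
#!/bin/sh
# Permission audit for a self-hosted WordPress tree, enforcing the values
# from the slide: folders 755, regular files 644, wp-config.php 600.
# Added example (not from the talk). make_fixture builds a constructed
# throwaway tree; point audit_perms/fix_perms at a real document root.
# index.php is handled as an ordinary 644 file: 666 would be world-writable,
# so this script does not special-case it.

# Print one line per path whose mode deviates from the policy.
audit_perms() {
  root="$1"
  find "$root" -mindepth 1 -type d ! -perm 755 -printf 'DIR  %m %p\n'
  find "$root" -mindepth 1 -type f ! -name wp-config.php ! -perm 644 \
       -printf 'FILE %m %p\n'
  if [ -f "$root/wp-config.php" ]; then
    find "$root/wp-config.php" ! -perm 600 -printf 'CONF %m %p\n'
  fi
  return 0
}

# Apply the policy (the "set" half of "check and set your permissions").
fix_perms() {
  root="$1"
  find "$root" -mindepth 1 -type d -exec chmod 755 {} +
  find "$root" -mindepth 1 -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then chmod 600 "$root/wp-config.php"; fi
}

# Build a constructed tree with three deliberate deviations.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/uploads" "$d/wp-content/themes"
  for f in index.php wp-config.php wp-content/themes/functions.php; do
    printf '<?php\n' > "$d/$f"
  done
  chmod 755 "$d/wp-content" "$d/wp-content/themes"
  chmod 777 "$d/wp-content/uploads"                  # world-writable folder
  chmod 644 "$d/index.php"                           # fine
  chmod 644 "$d/wp-config.php"                       # should be 600
  chmod 755 "$d/wp-content/themes/functions.php"     # executable PHP file
  echo "$d"
}

site=$(make_fixture)
echo "Deviations before fix:"
audit_perms "$site"
fix_perms "$site"
echo "Deviations after fix: $(audit_perms "$site" | wc -l)"
rm -rf "$site"
```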
  • 24. Advanced Security: Multiple locks + burglar bars + alarm system + guard dog
    - Use 2-factor authentication: already in place at WordPress.com, but you can use Google 2-step Authentication with WordPress.org.
    - The .htaccess file: There are many security modifications you can make to your .htaccess file.
      http://www.tipsandtricks-hq.com/cool-wordpress-htaccess-tips-to-boost-your-wordpress-sites-s6
      NOTE: .htaccess files (distributed configuration files) are processed first, before any other code on your website.
    - WP-app firewall:
      http://wordpress.org/extend/plugins/ose-firewall/
      http://wordpress.org/extend/plugins/bulletproof-security/
      http://wordpress.org/extend/plugins/wordfence/
  • 25. Advanced Security: Multiple locks + burglar bars + alarm system + guard dog (cont.)
    - Disable PHP execution in certain directories. Create a new .htaccess file and upload it to your uploads and wp-includes folders. You can have as many .htaccess levels as you want, but they’re processed in order of directory tree depth.
      <Files *.php>
      deny from all
      </Files>
    - Disable theme and plugin editing. In wp-config.php, add:
      define('DISALLOW_FILE_EDIT', true);
    - Administration over SSL (you’ll need an SSL certificate).
    - IP Whitelist (uses .htaccess): http://www.wpbeginner.com/wp-tutorials/how-to-limit-access-by-ip-to-your-wp-login-php-file-i
  • 26. Cleaning & Remediation
    WordPress (with some help) suggests:
    1. Stay calm. You could make it worse by anxiously jumping in and trying to fix the problem.
    2. Scan your local machine / hard drive.
    3. Scan your site. There are many good tools and WordPress plugins to help with this. This will help identify the infected files and folders etc.
    4. Check with your hosting provider. Call them. You can call them, yes?
    5. You’ve already updated, changed all passwords?
    6. Add new salts or “secret keys.”
    7. Check your files. Start with your .htaccess file to begin looking for malicious code.
  • 27. Cleaning & Remediation (cont.)
    1. Can you identify the type of hack? This may make the cleanup easier.
    2. Run a fresh backup and then . . .
    3. Restore from an older backup that you believe predates the hack.
    4. No backup? Hmm. Seriously consider taking down and trashing the site.
    5. Restored from backup? Change passwords again.
    6. Secure your site with recommended security measures.
    7. Do a post-mortem. How did this happen?
    Compare your WordPress files to those in a clean install.
    Open up files. Do you see something that refers to base64_decode? That’s at least one of the hacks.
    Can’t find the malware? Disable your plugins (rename the directory). If the infection is in a plugin, the scan will show as clean.
    Have SSH root access? http://wp.smashingmagazine.com/2012/10/09/four-malware-infections-wordpress/
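The file-level checks from the two cleaning slides (look for base64_decode, compare against a clean install) together with the "new files appearing" sign from slide 15 and the "no PHP under uploads" rule from slide 25, as an added shell example that is not from the talk. The clean/live trees built by make_fixture, the marker list and the file names are constructed assumptions.

```shell
#!/bin/sh
# Triage helpers for the cleanup steps on the slide (added example, not from
# the talk): look for base64_decode-style obfuscation, list PHP files under
# uploads, list recently changed files, diff core against a clean copy.
# make_fixture builds constructed sample trees; on a real site pass the
# document root and an unpacked download of the same WordPress version.

# A hit is a lead to read, not proof: some legitimate plugins use base64 too.
MARKERS='base64_decode|eval\(|gzinflate|str_rot13'

# PHP files under $1 containing any marker, one path per line.
suspicious_php() {
  find "$1" -type f -name '*.php' -exec grep -lE "$MARKERS" {} + 2>/dev/null
  return 0
}

# PHP files in the uploads folder: with PHP execution disabled there, there
# is no legitimate reason for any to exist.
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' 2>/dev/null
  return 0
}

# Files changed within the last N days (default 7): the "new files
# appearing in the themes folder or anywhere else" sign.
recently_changed() {
  find "$1" -type f -mtime "-${2:-7}" 2>/dev/null
  return 0
}

# Number of core files that differ from a clean install; wp-content and
# site-specific files are skipped because they differ on every site.
core_diff_count() {
  diff -rq -x wp-content -x wp-config.php -x .htaccess "$1" "$2" | wc -l | tr -d ' '
}

# Constructed fixture: a clean tree and a live tree with two infections.
make_fixture() {
  d=$(mktemp -d)
  mkdir -p "$d/clean/wp-includes" "$d/live/wp-includes" \
           "$d/live/wp-content/uploads" "$d/live/wp-content/themes/demo"
  printf '<?php\n// core file\n' > "$d/clean/wp-includes/load.php"
  cp "$d/clean/wp-includes/load.php" "$d/live/wp-includes/load.php"
  printf '<?php\n' > "$d/clean/index.php"
  printf '<?php eval(base64_decode("PLACEHOLDER"));\n' > "$d/live/index.php"  # injected loader
  printf '<?php echo "dropped";\n' > "$d/live/wp-content/uploads/img.php"     # dropped script
  printf '<?php\n// theme\n' > "$d/live/wp-content/themes/demo/functions.php"
  echo "$d"
}

fx=$(make_fixture)
echo "Suspicious:"; suspicious_php "$fx/live"
echo "PHP in uploads:"; php_in_uploads "$fx/live"
echo "Core files differing from clean copy: $(core_diff_count "$fx/clean" "$fx/live")"
rm -rf "$fx"
```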
  • 28. Cleaning & Remediation: If all else fails (and before you torch the site): Hire someone:
    http://www.stopthehacker.com
    http://www.sucuri.net
    http://www.sparktrust.com
  • 29. Appendix
    1. Main Types of WordPress Hacks
    2. How Can I Tell I’ve Been Hacked?
    3. Prevention and Protection
    4. Cleaning & Remediation
  • 30. Main Types of WordPress Hacks
    http://blog.page.ly/2012/12/wordpress-security-an-infographic-on-common-malwar
    http://blog.aw-snap.info/2011/02/pharmacy-hack.html
    http://blog.aw-snap.info/p/example-of-backdoor-script.html
    http://www.cmswire.com/cms/web-cms/how-they-hack-your-website-overview-of-common-techniq
  • 31. How Can I Tell I’ve Been Hacked?
    Do some scanning:
    - Use http://sitecheck.sucuri.net to run a scan to find malware and blacklist info.
    - http://aw-snap.info/file-viewer/ allows you to scan from different User Agents.
    WordPress Plugins:
    - http://wordpress.org/extend/plugins/sucuri-scanner/
    - http://wordpress.org/extend/plugins/gotmls/
    - http://wordpress.org/extend/plugins/wordfence/
    Wordfence Security is a free enterprise class security plugin that includes a firewall, anti-virus scanning, malicious URL scanning and live traffic including crawlers. Wordfence is the only WordPress security plugin that can verify and repair your core, theme and plugin files, even if you don’t have backups. Wordfence is now Multi-Site compatible.
  • 32. Prevention and Protection: Map out a Strategy
    Setup Google Webmaster Tools. Google Webmaster tools are an important resource for many reasons. But for site security, one of their best features is their email notifications of malware when it’s found on your site. As the verified site owner, you’ll be notified by email if malware is detected.
    https://www.google.com/webmasters/tools/home?hl=en
    http://codex.wordpress.org/Hardening_WordPress
    http://www.wpreads.com/2013/03/protecting-wp-config-and-htaccess-files-for-wordpress.html
  • 33. Prevention and Protection: Multiple locks + burglar bars + alarm system + guard dog
    Setting up 2-step authentication for WordPress.org: http://www.wpbeginner.com/plugins/improve-wordpress-security-with-google-authenticator/
    Modifying the wp-config file:
    http://codex.wordpress.org/Editing_wp-config.php
    http://codex.wordpress.org/Editing_wp-config.php#Disable_the_Plugin_and_Theme_Editor
    SSL setup info and tips from Yoast: http://yoast.com/wordpress-ssl-setup/
    Hire Sucuri to monitor your site: http://www.sucuri.net
  • 34. Cleaning & Remediation
    http://codex.wordpress.org/FAQ_My_site_was_hacked
    http://www.unmaskparasites.com/
    http://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
    http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html
    Know command line and have SSH access? https://raamdev.com/2013/cleaning-evalbase64_decode-from-a-hacked-wordpress-website-via-ssh/
    Cleaning up your site at Google: http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163634
  • 35. Cleaning & Remediation: Tools
    http://www.unmaskparasites.com/malware-warning-guide/#request
    http://www.stopbadware.org/request-review (StopBadware performs independent reviews of websites that are blacklisted for badware by our data providers.)
    http://blog.aw-snap.info/2012/07/malware-removal-vendors.html
    http://wordpress.org/extend/plugins/wordfence/ (Wordfence Security, described on slide 31.)
  • 36. Recommended Managed WP Hosts
    http://wpengine.com/
    http://websynthesis.com (Yoast hosts here.)
    http://page.ly
  • 37. Miscellaneous Help
    http://wp.smashingmagazine.com (Smashing Magazine WordPress site)
    http://tonyonsecurity.com/ (Tony Perez’s blog; COO/CFO, Sucuri)
    https://www.badwarebusters.org/ (Excellent forum on malware)
    http://aw-snap.info/ (Excellent hacked info and tools)
    https://www.udemy.com/how-to-secure-wordpress-blog-or-website-for-beginners/?
    http://labs.sucuri.net/?malware (See what Sucuri picks up in its malware scans.)
    http://support.wpengine.com/sftp/ (Using SFTP instead of FTP)
    http://www.techblogistech.com/2012/03/enabling-sshsftp-updates-in-wordpress-on-amazon-ec2-and-centos/
  • 38. Safe travels and happy trails with WordPress!
    Judy Wilson, www.Site-Shack.com, Nashville, TN