2. http://lynt.cz
Content
• Some facts
• Common attack types
• Recovery after infection
• Security chain
• Security plugins
27. 5. 2015 2
„WordPress = Plugins“
The most serious vulnerability
Question: „What is the most serious WP vulnerability?“
Answer: „Outdated Slider Revolution.“
http://blog.sucuri.net/2014/09/slider-revolution-plugin-critical-vulnerability-being-exploited.html
Versions 4.1.4 and lower are vulnerable
• Probably the most pirated plugin
• Included in many premium themes (sometimes there is no way to update it)
• No auto-update in older versions
• Easy to detect
5 + 2 security tips
Update
Backup
Use a security plugin
Be careful
Delete unnecessary stuff, don't provide sensitive information
Update!
UPDATE!!!
WordCamp HACK campaign
• I found more than 400 vulnerable Czech WP sites in an hour
• I was looking for common (and just patched) vulnerabilities in 3 popular plugins
• I informed the creators/owners by mail and invited them to the WordCamp
How?
• Vulnerable plugins and themes
• Vulnerabilities in WP core
• Brute force on the administration
• Comment spam (+ pingbacks)
• Password and cookie sniffing
• „Neighbour“ sites on shared hosting
• Indirect ways: phishing, malware (keylogger, saved FTP password)
Why and What?
• „Alien“ code
– Spammy links, adverts, redirection
– Malware downloading
– DDoS on other targets
• Info stealing
– E.g. personal information of your customers
• Out of service
– Web/server shutdown (DoS)
Facts
http://www.akamai.com/stateoftheinternet/
43% of attacks originate in China
Do I need Chinese traffic?
How about blocking the whole of China?
Block the USA?
Rather not (search engines, CDNs, …)
Block everything except the Czech Republic?
Definitely not: IP geolocation isn't 100% accurate.
Corporate users sometimes connect from a different country (proxy).
What about a vacation in a foreign country?
How to block China? – homework
List of IP addresses: http://www.ip2location.com/blockvisitorsbycountry.aspx
• iptables
– Don't use the generated configuration from the previous link: thousands of rules evaluated for every packet
– iptables -A INPUT -p tcp -m state --state NEW -j CHINA_WALL
– Advanced: optimization – separate chains for different first octets
• .htaccess/nginx
• mod_geoIP
• Plugins (e.g. premium Wordfence)
• HW box (WAF appliance, smarter firewall)
• Another possibility: redirect to a CAPTCHA instead of blocking

# mod_geoIP in Apache
GeoIPEnable On
GeoIPDBFile /path/to/GeoIP.dat
SetEnvIf GEOIP_COUNTRY_CODE CN BlockCountry
SetEnvIf GEOIP_COUNTRY_CODE RU BlockCountry
Deny from env=BlockCountry

# mod_geoIP in .htaccess
RewriteEngine On
RewriteCond %{ENV:GEOIP_COUNTRY_CODE} ^(CN|RU)$
RewriteRule ^(.*)$ - [F,L]
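The „separate chains for different octets“ optimisation from the iptables bullet, worked out as an added example (shell and awk; this is not code from the slides or from lynt.cz). It turns a country CIDR list into an iptables-restore fragment with one sub-chain per first octet, so a packet is matched against one /8 dispatch rule and then only against the ranges of its own octet instead of walking the whole list. The CIDR list below is constructed for illustration, not real allocation data; a real one comes from the ip2location or iwik.org links. The chain name CHINA_WALL follows the slide, everything else (file paths, function names) is my own choice.

```shell
#!/bin/sh
# Added example, not code from the slides.  Builds an iptables-restore fragment
# that blocks a CIDR list through one sub-chain per first octet ("CHINA_WALL_1",
# "CHINA_WALL_27", ...), the "more chains for different octets" optimisation.
# Chain names and the list below are assumptions; the list is constructed and
# is NOT real allocation data.

SAMPLE_LIST=$(mktemp)
cat > "$SAMPLE_LIST" <<'EOF'
# constructed sample list, one CIDR per line (real data: ip2location / iwik.org)
1.0.1.0/24
1.0.2.0/23
27.8.0.0/13
27.9.0.0/16
36.0.0.0/22
EOF

# gen_country_wall CHAIN LISTFILE -> iptables-restore fragment on stdout
gen_country_wall() {
    awk -v chain="$1" '
        /^[0-9]/ {
            split($1, o, ".")
            oct = o[1]
            if (!(oct in seen)) { seen[oct] = 1; order[++n] = oct }
            rules[oct] = rules[oct] "-A " chain "_" oct " -s " $1 " -j DROP\n"
        }
        END {
            print "*filter"
            print ":" chain " - [0:0]"
            for (i = 1; i <= n; i++) print ":" chain "_" order[i] " - [0:0]"
            # one dispatch rule per /8: a packet from 91.x.x.x tests a handful of
            # rules here and never walks the sub-chains of other octets
            for (i = 1; i <= n; i++)
                print "-A " chain " -s " order[i] ".0.0.0/8 -j " chain "_" order[i]
            for (i = 1; i <= n; i++) printf "%s", rules[order[i]]
            print "COMMIT"
        }' "$2"
}

# count_rules_for_octet CHAIN LISTFILE OCTET -> number of DROP rules in that sub-chain
count_rules_for_octet() {
    gen_country_wall "$1" "$2" | grep -c "^-A ${1}_$3 -s "
}

# Usage on the server (as root, after reading the generated text):
#   gen_country_wall CHINA_WALL china.txt | iptables-restore -n
#   iptables -A INPUT -p tcp -m state --state NEW -j CHINA_WALL
```

Load the fragment with `iptables-restore -n` (the `-n` keeps the rules you already have), then hook the chain into INPUT with the iptables line from the slide. A sub-chain that finds no match simply returns, so traffic from a listed octet that is not in a listed range passes through as before; `count_rules_for_octet` lets you confirm how the list was split.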
What happens if…
• The web is hacked?
– Loss of sensitive data, loss of trust, out of service, penalization
• The web is incredibly slow?
– Visitors are annoyed, search engines don't want to index your site
• There is no cool slider?
– Nothing.
Slider Revolution - LFI
• Version 4.1.4 and lower
• Allows any source file to be downloaded
• Cause: the Ajax action is registered for all users (privileged and non-privileged)
• /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-slider-revolution-4-1-4
FancyBox for WordPress - XSS
• Version 3.0.2 and lower
• Allows foreign JavaScript to be injected into all pages
• Cause: using the admin_init hook without an appropriate privilege check (it fires on every request to the administration, including admin-ajax.php and admin-post.php)
• /wp-admin/admin-ajax.php?page=fancybox-for-wordpress + variable mfbfw[padding]=</script><script>evil code</script>
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-fancybox-for-wordpress-3-0-2
MailPoet – Upload PHP
• Version 2.6.8 and lower
• Allows uploading and executing a PHP file
• Cause: misuse of admin_init again, plus use of $_REQUEST in the first patch
• /wp-admin/admin-post.php?page=wysija_campaigns&action=themeupload + variable my-theme = evil zip file
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-mail-poet-2-6-8
WordPress Video Gallery - SQLi
• Version 2.7
• SQL injection – allows reading any data from the database
• Cause: insufficient sanitization of user input
• /wp-admin/admin-ajax.php?action=rss&type=video&vid=-1 UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31,32,33,34,35,36,37,38,39 FROM wp_users ;--
• Details (CZ): http://lynt.cz/blog/zranitelnost-ve-wordpress-pluginu-wordpress-video-gallery-2-7
WordPress 3.9.2 - XSS
„WordPress version 3.9.2 is safe.“
Vladimír Smitka, 4th WP community conference, December 2014
„Secure today != secure tomorrow.“
Vladimír Smitka, 4th WP community conference, December 2014
• Allowed HTML tags bypass in comments
• [<blockquote cite="]">[" onmouseover="alert('evil!'); " style="background-color:red;position:absolute;top:0; left:0;height:100%;width:100%;"][<a href="]>hi there
What might reduce impacts?
• Turn off PHP processing in /wp-content/uploads
.htaccess in this folder:
php_flag engine off
A different option:
<FilesMatch "\.php$">
Order allow,deny
Deny from all
</FilesMatch>
• Updates
• Block requests containing „wp-config.php“
global .htaccess:
RewriteCond %{QUERY_STRING} wp-config.php [NC]
RewriteRule ^(.*)$ - [F,L]
How do I know that I also use a vulnerable plugin?
• Read all the news
• Plugin Vulnerabilities
• https://wordpress.org/plugins/plugin-vulnerabilities/
How does the attacker know that you use a vulnerable plugin?
• He performs reconnaissance
• WPScan – a very popular tool for it
Recovery after infection
• Restoring from a clean backup
– Delete everything and upload clean data from the backup
• Reinstall + disinfection by hand
– FAR
• If all PHP files were infected by the same evil code
– SQL dump examination
• Try to find <iframe, <script, x-shockwave-flash, eval, base64_decode, gzip_, preg_replace
• Try to identify the evil ones
• Malware removal isn't the final solution!
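The indicator search from the recovery slide as an added example (shell; not code from the slides or from lynt.cz). It greps a site tree and a SQL dump for the strings listed above and counts in how many PHP files each indicator occurs, which is how you spot the one snippet shared by every infected file. The site tree and the dump are constructed fixtures; the indicator list is the slide's own, so expect false positives (preg_replace and <script are legitimate in many plugins and themes) and treat hits as a triage list, not proof.

```shell
#!/bin/sh
# Added example, not code from the slides.  Searches a site tree and a SQL dump
# for the indicator strings from the recovery slide.  The fixture files below
# are constructed; on a real site pass the document root and the mysqldump
# output instead of FIXTURE_DIR.
INDICATORS='<iframe|<script|x-shockwave-flash|eval\(|base64_decode|gzip_|preg_replace'

FIXTURE_DIR=$(mktemp -d)
mkdir -p "$FIXTURE_DIR/wp-content/plugins/clean"
cat > "$FIXTURE_DIR/wp-content/plugins/clean/clean.php" <<'EOF'
<?php
// constructed clean plugin file
echo esc_html( get_option( 'blogname' ) );
EOF
cat > "$FIXTURE_DIR/index.php" <<'EOF'
<?php /* constructed infected sample: an obfuscated loader prepended to a core file */
eval(base64_decode('...'));
/** Front to the WordPress application. */
require __DIR__ . '/wp-blog-header.php';
EOF
cat > "$FIXTURE_DIR/dump.sql" <<'EOF'
INSERT INTO `wp_posts` VALUES (1,'Hello world! This is a clean post.');
INSERT INTO `wp_posts` VALUES (2,'Buy now <iframe src="http://example.invalid/"></iframe>');
EOF

# suspicious_php_files ROOT -> PHP files containing at least one indicator
suspicious_php_files() {
    find "$1" -name '*.php' -type f -exec grep -lE "$INDICATORS" {} + | sort
}

# suspicious_sql_lines DUMP -> line numbers of rows in the dump that match
suspicious_sql_lines() {
    grep -nE "$INDICATORS" "$1" | cut -d: -f1
}

# indicator_histogram ROOT -> "<files> <indicator>" for every indicator seen;
# when all infected files share one string, that string tops this list
indicator_histogram() {
    for ind in '<iframe' '<script' 'x-shockwave-flash' 'eval(' 'base64_decode' 'gzip_' 'preg_replace'; do
        n=$(grep -rlF --include='*.php' -- "$ind" "$1" | wc -l | tr -d ' ')
        [ "$n" -gt 0 ] && echo "$n $ind"
    done
    return 0
}

# Usage: suspicious_php_files /srv/htdocs/my_web; suspicious_sql_lines dump.sql
# Hits are a triage list, not proof: preg_replace and <script are legitimate in
# many plugins and themes, so diff each hit against a clean copy of the package.
```

Run `suspicious_php_files` on the document root and `suspicious_sql_lines` on the dump, then diff every hit against a freshly downloaded copy of the same plugin or core version before deleting anything; the histogram tells you which string to search for when the infection is uniform.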
Checklist
• Disinfection, eliminate the cause (update)
• Change the FTP password
• Change the DB password
• Change user passwords
• New salts: https://api.wordpress.org/secret-key/1.1/salt/
– WP before 3.1:
define('AUTH_SALT', 'put your unique phrase here');
• Check files with a security plugin (Wordfence, Sucuri Scanner)
Backup
„Backup is the alpha and omega of computing“
By hand
Sometimes I copy everything somewhere. Not ideal, but better than nothing.
By server
Unattended - the ideal situation (ask your web hoster).
By plugin
Also a good solution; it can provide some benefits.
Backup plugins
• BackWPup
– Backup only – no automatic recovery
– Backup to multiple destinations
– You can trigger a backup by an external request
• UpdraftPlus
– Backup & recovery
– Only one destination (but there is a Pro version available)
• BackupBuddy
– Not free
– Complete solution (migration, per-file recovery, …)
How to back up via plugin
• External storage is better
• If local storage:
– Check that backups aren't accessible from a web browser
– Check that the folder with backups is excluded from the backup (backup loop)
• Backup scheduling
– WP-Cron – used by almost all plugins; it is triggered only when there is some traffic (you can check the settings via the Crontrol plugin)
– External trigger – the preferred way (server's cron, minicron, a cron service, e.g. http://www.webcron.org/, https://www.setcronjob.com, https://www.easycron.com)
• Email notification after backup
How to improve security by performance?
• WP Super Cache
– Prevents (D)DoS attacks which consume all resources
– Dynamic pages to static
• Autoptimize
– Hides „revealing“ JS and CSS
– Reduces HTTP requests
• Side effects: faster site, happier visitors, tastier SEO
Cloud
[Diagram: Internet → HTTP server (Apache/Nginx) → PHP, with log]
Cloud security services (WAF) – the attack is blocked before it reaches the server
Block badly behaving IPs, common exploits, DDoS, …
Incapsula, Sucuri, CloudFlare
Webhoster
Security appliance/firewall – some provide another security level, some don't.
Reduces DDoS impact, blocks some kinds of network attacks, etc.
Server
Firewall, WAF, configuration – block some network attacks, IP addresses (whole ranges, countries)
WAF – block exploits (XSS, SQLi, …) – mod_security, naxsi
Restrict file permissions, detect file changes
Backups
Server – homework
• Detecting changes in PHP files during the last 24 hours:
find /srv/htdocs/my_web/ -name '*.php' -type f -mtime -1 > output ; mail -s "Today changes" "vladimir.smitka@lynt.cz" < output
Permissions by All In One WP Security:
root directory 755
wp-admin/ 755
wp-admin/index.php 644
wp-admin/js/ 755
wp-includes/ 755
wp-content/ 755
wp-content/themes/ 755
wp-content/plugins/ 755
.htaccess 644
wp-config.php 644
Another country IP list: http://www.iwik.org/ipcountry/
Basic mod_security settings for WP: http://blog.erben.sk/2015/02/11/protecting-wordpress-with-mod-security/
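An added example (shell; not code from the slides or from lynt.cz) that extends the find/mtime one-liner above: a sha256 manifest taken on a known-good day, a comparison that lists modified, missing and newly appeared PHP files regardless of their timestamps (an mtime can be reset, a hash mismatch cannot be hidden that way), and a check against the 755/644 table. The site tree is a constructed fixture; SITE and MANIFEST are placeholder paths, and the manifest should live outside the document root on a real server.

```shell
#!/bin/sh
# Added example, not code from the slides.  Hash-based change detection for PHP
# files plus a permission audit against the 755/644 table.  The site tree is a
# constructed fixture; SITE and MANIFEST are placeholder paths (keep the real
# manifest outside the document root).

SITE=$(mktemp -d)
MANIFEST=$(mktemp)
mkdir -p "$SITE/wp-admin" "$SITE/wp-content/uploads"
printf '<?php // constructed core file\n' > "$SITE/index.php"
printf '<?php // constructed core file\n' > "$SITE/wp-admin/index.php"
chmod 755 "$SITE" "$SITE/wp-admin" "$SITE/wp-content" "$SITE/wp-content/uploads"
chmod 644 "$SITE/index.php" "$SITE/wp-admin/index.php"

# take_baseline ROOT MANIFEST: record the sha256 of every PHP file (paths
# relative to ROOT, so the manifest stays valid after a move or restore)
take_baseline() {
    (cd "$1" && find . -name '*.php' -type f -exec sha256sum {} +) | sort -k 2 > "$2"
}

# changed_php_files ROOT MANIFEST -> files whose hash differs or that vanished
# (mtime can be reset by an attacker, a hash mismatch cannot be hidden that way)
changed_php_files() {
    (cd "$1" && sha256sum -c --quiet "$2" 2>/dev/null) | sed 's/: .*//'
}

# new_php_files ROOT MANIFEST -> PHP files present now but not in the baseline
# (a file dropped into uploads/ shows up here, whatever its timestamp)
new_php_files() {
    (cd "$1" && find . -name '*.php' -type f) | sort > "$2.now"
    awk '{ print $2 }' "$2" | sort > "$2.base"
    comm -23 "$2.now" "$2.base"
    rm -f "$2.now" "$2.base"
}

# bad_permissions ROOT -> entries deviating from directories 755 / files 644
bad_permissions() {
    (cd "$1" && { find . -type d ! -perm 755; find . -type f ! -perm 644; }) | sort
}

# Day 0: take the baseline.  Then simulate what a compromise looks like.
take_baseline "$SITE" "$MANIFEST"
printf 'eval(base64_decode("..."));\n' >> "$SITE/index.php"   # constructed: core file modified
printf '<?php // constructed dropped file\n' > "$SITE/wp-content/uploads/dropped.php"
chmod 666 "$SITE/wp-content/uploads/dropped.php"

# Day N, e.g. from cron (placeholder paths and address):
#   changed_php_files /srv/htdocs/my_web /root/my_web.sha256 | mail -s "Changed PHP files" admin@example.invalid
```

Retake the baseline right after every legitimate update, since an update changes hundreds of core and plugin files at once; between updates the three functions should print nothing, and any line they do print is worth reading the same day.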
HTTP Server & PHP
HTTP server & PHP configuration – site isolation on shared hosting, filtering suspicious URLs, restricting access, HTTPS enforcement, blocking countries (mod_geoip), logging
Log analytics
Real-time log analytics – if something strange happens you can perform actions. One log record isn't a clue.
Logstash, ElasticSearch, Kibana
Countermeasure
Actions – block after many logged 404s (scanning), many failed logins, …
Ban in the firewall, notify
Fail2Ban
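The two rules named above (many 404s, many failed logins) as an added example (shell and awk; not code from the slides or from lynt.cz) run over constructed Apache combined-format log lines. It prints the offending client IPs and the firewall ban lines that Fail2Ban would otherwise generate and expire for you. The failed-login heuristic is my assumption, not something the slide states: a POST to wp-login.php answered with 200 means the form was redisplayed with an error, while a successful login answers with a 302 redirect. IP addresses are from documentation ranges and the paths are made up.

```shell
#!/bin/sh
# Added example, not code from the slides.  Counts 404s and failed logins per
# client IP over Apache combined-format log lines and emits the firewall bans a
# fail2ban jail would apply.  The log lines are constructed (documentation IPs,
# made-up paths); the failed-login heuristic (POST to wp-login.php answered 200)
# is an assumption of this example.

ACCESS_LOG=$(mktemp)
cat > "$ACCESS_LOG" <<'EOF'
203.0.113.7 - - [27/May/2015:10:00:01 +0200] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2015:10:00:02 +0200] "GET /wp-content/plugins/plugin-b/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2015:10:00:02 +0200] "GET /wp-content/plugins/plugin-c/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2015:10:00:03 +0200] "GET /wp-content/plugins/plugin-d/readme.txt HTTP/1.1" 200 1532 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2015:10:00:03 +0200] "GET /wp-content/plugins/plugin-e/readme.txt HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2015:10:01:10 +0200] "GET / HTTP/1.1" 200 8812 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2015:10:01:11 +0200] "GET /favicon.ico HTTP/1.1" 404 210 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2015:10:01:15 +0200] "GET /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2015:10:01:20 +0200] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2015:10:01:25 +0200] "POST /wp-login.php HTTP/1.1" 200 3011 "-" "Mozilla/5.0"
198.51.100.4 - - [27/May/2015:10:01:30 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
EOF

# ips_over_404_threshold LOG MAX -> client IPs with more than MAX 404 responses
# (one 404 is a missing favicon; dozens in a few seconds is a plugin scan)
ips_over_404_threshold() {
    awk -v max="$2" '$9 == 404 { n[$1]++ }
        END { for (ip in n) if (n[ip] > max) print ip }' "$1" | sort
}

# ips_with_failed_logins LOG MAX -> client IPs with more than MAX failed logins;
# WordPress answers a successful POST to wp-login.php with a 302 redirect, a 200
# means the form came back with an error (heuristic, see the lead-in)
ips_with_failed_logins() {
    awk -v max="$2" '$6 == "\"POST" && $7 ~ /^\/wp-login\.php/ && $9 == 200 { n[$1]++ }
        END { for (ip in n) if (n[ip] > max) print ip }' "$1" | sort
}

# ban_commands LOG -> one iptables line per offender; in production fail2ban
# runs the equivalent action and lifts it again after its bantime
ban_commands() {
    { ips_over_404_threshold "$1" 3; ips_with_failed_logins "$1" 1; } | sort -u |
        sed 's/^/iptables -I INPUT -s /; s/$/ -j DROP/'
}
```

The thresholds (3 and 1 here) are the knobs that decide between catching a scanner and locking out an editor who mistyped a password twice; the slide's point that one log record is not a clue is exactly why they are counts over a window rather than single matches, and why a real deployment lets Fail2Ban expire the ban instead of leaving a permanent DROP rule.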
WordPress settings
Good WP settings – everything is updated, well-written plugins, use of a security plugin (blocks access to the administration, scanning attempts and dangerous URLs, monitors files for changes, searches for malware, hides some sensitive data)
iThemes Security, All in One WP Security & Firewall, Wordfence
iThemes Security - configuration
RED = important settings
• Global Settings
– Write to Files - Allow iThemes Security to write to wp-config.php and .htaccess – if disabled, I can copy the config from the dashboard to the relevant files by hand
– Lockout White List – set my IP to prevent a lockout
– Log Type - Database Only (small sites, available from the administration), File Only (large sites, it can be used with fail2ban)
– Path to Log Files – set a path outside the web root if possible
• 404 detection
– Enable 404 detection – blocks scanning for vulnerabilities
iThemes Security - configuration
• Away Mode – e.g. to disable the administration outside working hours
• Banned Users
– Default Blacklist - Enable HackRepair.com's blacklist feature – adds known badly behaving user-agents to .htaccess
– Enable ban Users - ban IPs and user-agents by hand (it is also connected to the Enable Blacklist Repeat Offender in Global Settings)
iThemes Security - configuration
• Brute Force Protection
– Get your iThemes Brute Force Protection API Key – access to the global IP blacklist by iThemes.com
– Enable iThemes Brute Force Network Protection – to use the global blacklist
– Enable local brute force protection – block attempts to guess passwords (table _itsec_lockouts in the DB)
– Automatically ban "admin" user - immediately ban a host that attempts to log in using the "admin" username – a good honeypot trick
iThemes Security - configuration
• Database Backups
– Backup Method - Email Only, Save local only – if it is possible to save backup files to a publicly inaccessible folder (Backup Location)
– Schedule Database Backups - Enable Scheduled Database Backups – automatic backup, or by hand on the Backups tab
– Notice: it really is only a DB backup
• File Change Detection
– File Change Detection - Enable File Change Detection
– Split File Scanning - Split file checking into chunks – consumes less RAM, generates more mails
– Files and Folders List – exclude the folder containing the cache when you use a caching plugin
• Hide Login Area
– Hide Backend - Enable the hide backend feature – redirects /wp-admin to a different URL
– Login Slug – the new address, e.g. admin5547
– Enable Theme Compatibility - Enable theme compatibility – turn on if the redirection causes problems with some plugins
iThemes Security - configuration
• Malware Scanning
– Enable Malware scanning - API key from VirusTotal.com – you can check your homepage against about 60 blacklists (Sucuri SiteCheck, Google Safe Browsing, ...)
• Secure Socket Layers (SSL)
– Enforce HTTPS for access to the administration – check that HTTPS really is available before enabling this option
• Strong Passwords
– Strong Passwords - Enable strong password enforcement – new passwords must be strong
– Select Role for Strong Passwords – set to „Editor“ at least (an editor can put JS in comments)
iThemes Security - configuration
• System Tweaks
– System Files - Protect System Files – disallow access to sensitive files (readme.html, .htaccess, readme.txt)
– Suspicious Query Strings - Filter Suspicious Query Strings in the URL – prevents simple SQL injections (be careful with nginx, see the next slides)
– Long URL Strings - Filter Long URL Strings – block very long URLs (over 255 chars) and URLs containing „eval“, „base64“ and „union select“ (like the Block Bad Queries (BBQ) plugin)
+ you should also add a rule to block URLs containing „wp-config.php“
– Non-English Characters - Filter Non-English Characters – not good for the Czech environment
– File Writing Permissions – set the right permissions for .htaccess and wp-config.php – it is better to do so by hand
– Uploads - Disable PHP in Uploads
iThemes Security - configuration
• System Tweaks
– Generator Meta Tag + Display Random Version – hide the WP version
– Windows Live Writer Header & EditURI Header – they are rarely used
– Comment Spam – checks the comment origin (your web or wordpress.com), blocks comments from clients without a user-agent
– File Editor – similar to define('DISALLOW_FILE_EDIT', true); in wp-config.php
– XML-RPC - "Completely Disable XMLRPC" disables all XML-RPC requests, e.g. trackbacks (if you want to use trackbacks securely, try https://wordpress.org/plugins/simple-trackback-validation-with-topsy-blocker/)
– Login Error Messages – hide the „wrong password“ notice
– Force Unique Nickname – prevents users from having the same login and „real“ name
– Disable Extra User Archives – hides the archives of users without posts (e.g. admins)
iThemes Security – advanced
• Advanced
– Admin user – a tool to change the admin login name
• A better way is to create a new admin user
• Log in as that user and delete the old admin user (there will be a form to move the content to the new user)
– Change content directory – renames wp-content; it may cause some trouble and brings only a little benefit (you can see the renamed folder in the HTML source)
– Change database prefix – a tool to change the default table prefix wp_ to something else (to prevent some kinds of automated attacks)
iThemes Security – homework
Suspicious Query Strings in Nginx (the commonly circulated snippet; the lines marked below used !~ in the original, which reset $susquery to 0 for almost every request and silently disabled the whole filter, and the quoting of one pattern was broken):
set $susquery 0;
if ($args ~* "wp-config\.php") { set $susquery 1; } # also blocks the query used to download wp-config.php
if ($args ~* "\.\./") { set $susquery 1; }
if ($args ~* "\.(bash|git|hg|log|svn|swp|cvs)") { set $susquery 1; }
if ($args ~* "etc/passwd") { set $susquery 1; }
if ($args ~* "boot\.ini") { set $susquery 1; }
if ($args ~* "ftp:") { set $susquery 1; }
if ($args ~* "http:") { set $susquery 1; }
if ($args ~* "https:") { set $susquery 1; }
if ($args ~* "(<|%3C).*script.*(>|%3E)") { set $susquery 1; }
if ($args ~* "mosConfig_[a-zA-Z_]{1,21}(=|%3D)") { set $susquery 1; }
if ($args ~* "base64_encode") { set $susquery 1; }
if ($args ~* "(%24&x)") { set $susquery 1; }
if ($args ~* "[\"'<>\\\\{|]|%24&x") { set $susquery 1; } # quoting fixed; the original pattern also contained empty alternatives (|||) that matched every query
if ($args ~* "(127\.0)") { set $susquery 1; }
if ($args ~* "(globals|encode|localhost|loopback)") { set $susquery 1; }
if ($args ~* "(request|insert|concat|union|declare)") { set $susquery 1; }
# whitelist: these must use ~* (the original used !~, i.e. "does not match", which cleared the flag for every other request)
if ($args ~* "^loggedout=true") { set $susquery 0; }
if ($args ~* "^action=jetpack-sso") { set $susquery 0; }
if ($args ~* "^action=rp") { set $susquery 0; }
if ($http_cookie ~* "^.*wordpress_logged_in_.*$") { set $susquery 0; }
if ($http_referer ~* "^http://maps\.googleapis\.com(.*)$") { set $susquery 0; }
if ($susquery = 1) { return 403; }
Block the query used to download wp-config.php in .htaccess:
RewriteCond %{QUERY_STRING} wp-config.php [NC]
RewriteRule ^(.*)$ - [F,L]
iThemes Security – homework
Better version hiding (functions.php, or a plugin in mu-plugins):
<?php
// the_generator builds the <meta name="generator"> tag; returning an empty
// string removes it (and the WP version it carries) from the page head
function remove_wp_version() {
    return '';
}
add_filter('the_generator', 'remove_wp_version');
Off topic: MU-plugins (Must Use Plugins)
There is a special folder: /wp-content/mu-plugins
Scripts/plugins in this folder are loaded on every request and you cannot disable them in the administration. It is useful for some security settings, e.g. automatic updates of plugins and themes:
<?php
// e.g. /wp-content/mu-plugins/auto-updates.php (every .php file in the folder is loaded)
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
Users
User and admin behaviour – strong passwords, connect from trusted networks only, backup, antivirus software, certificate checking, phishing-proof
Tips for WP admins
• Use HTTPS in the administration
– https://wordpress.org/plugins/wordpress-https/
– VPN is also a good choice
• Back up regularly – both files and database
• Don't test plugins in the production environment
• Remove unnecessary stuff (users, themes, plugins, content)
• Set up appropriate permissions for your users
• Use tools for bulk management if you administer multiple WP sites (InfiniteWP, ManageWP); for a smaller number of sites use the WP Updates Notifier plugin
• Maintain a list of all used plugins and themes
• If somebody tells you „don't update this“, ask „Why?“ – there is usually no serious reason! (if somebody made changes in the original files, ask them for a patch file)
Tips for everyone
• Use strong passwords (use a password manager, e.g. KeePass)
• Be careful of bad certificates
• Use good and updated antivirus software
• Don't use unknown Wi-Fi
• Delete all saved unprotected Wi-Fi networks from your cellphone/tablet/laptop
• Don't believe everything that comes by mail
Homework due tomorrow
□ Check for vulnerable plugins
□ Check the salts (secret keys) in wp-config.php
□ Make a backup
□ Remove unnecessary plugins
□ Remove unnecessary themes (keep one default theme and the parent theme if used)
□ Lower user rights if they don't need them
□ Update everything possible
And that's all, folks
Update, back up, use a security plugin, be careful
Also check my research about WP in the Czech Republic!