SlideShare a Scribd company logo

WPM: Wordpress IN Paranoid MODE

Download as PPTX, PDF
Telefónica
Telefónica

Project developed by Chema Alonso & Pablo Gonzalez from Eleven Paths about configure WordPress in Paranoid Mode using Latch at SQL queries operations in MySQL. The idea is to Latch INSERT, UPDATE and DELETE Operations in Worpress tables with MySQL triggers. More info at: https://github.com/ElevenPaths/WPM-Wordpress-in-Paranoid-Mode

Technology
1 of 19
MY WORDPRESS IN PARANOID MODE Chema Alonso (@chemaalonso) https://www.elevenpaths.com http://www.elladodelmal.com
(SOME) WORDPRESS RISKS  My plugin has a Code Injection Bug  Someone stole an identity  My WordPress is under Attack!!
HARDEN IT!  Harden OS  (GNU/Linux Hardening)  Harden DB  (MySQL Hardenig)  Harden WordPress  (Main & Plugins)  Harden Users  (Awarness & Tools) www.0xword.com
PUT A LATCH ON IT!
1) HARDEN WORDPRESS USERS http://www.slideshare.net/elevenpaths/instalacin-de-latch-en-word-press
2) HARDEN OS: GNU/LINUX SSH http://www.slideshare.net/elevenpaths/latch-unix-espaol
3) WORDPRESS IN PARANOID MODE (LATCHING MYSQL DB)  Create triggers in critical tables of Wordpress  This triggers allow or deny 3 actions:  Insert  Update  Delete  Trigger verify Latch to carry out an action:  Latch ON = Action  Latch OFF = Blocked
CREATE LATH APP (LATCH DEVELOPER AREA) https://latch.elevenpaths.com
INSTALL WPM (./INSTALL.SH <APPID> <SECRET>)
STEP 1: PAIRING MYSQL & LATCH (GIVE ME TOKEN => PAIRING)
STEP 2&3: CREATING OPERATIONS (RELAX AND ENJOY)
STEP 4: COMPILATION & INSTALL (LIB_MYSQL_UDF.SO)
STEP 5: UNLOAD MYSQL PROFILE (MYSQL APPARMOR PROFILE BLOCK CODE EXECUTION)
STEP 6: CREATING MYSQL TRIGGERS (READ-ONLY, ADMINISTRATION, EDITION)
YOU GOT LATCH IN WPM
LATCH WPM: READ-ONLY MODE  Read-Only Mode:  Nobody can login in WordPress.  No one can make changes in MySQL.  wp_usermeta Table:  insert, delete and update blocked if ‘read-only’ operation enabled  If ‘read-only’ mode is deactivated then you can login
LATCH: ADMINISTRATION MODE  Protects:  Delete on wp_users  Update on wp_users  Insert on wp_users  SQL Injection Bugs:  No Delete  No Update  No Insert
LATCH: ADMINISTRATION MODE  Trigger on wp_users:  Delete Action  Verify Latch  Abort SQL Operation
QUESTIONS?  WPM -WordPress in Paranoid Mode  https://github.com/elevenpaths  Https://community.elevenpahts.com  Chema Alonso  (@chemaalonso)  https://www.elevenpaths.com  http://www.elladodelmal.com

Recommended

Latch MyCar: Documentation
Latch MyCar: DocumentationLatch MyCar: Documentation
Latch MyCar: DocumentationTelefónica
 
Owning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnetsOwning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnetsChema Alonso
 
Protect your website
Protect your websiteProtect your website
Protect your websiteMuthu Natarajan
 
Hackers secrets
Hackers secretsHackers secrets
Hackers secretsTengku Maulana
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!Dougal Campbell
 
Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.Marcin Chwedziak
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 

Recommended

Latch MyCar: Documentation
Latch MyCar: DocumentationLatch MyCar: Documentation
Latch MyCar: DocumentationTelefónica
 
Owning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnetsOwning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnetsChema Alonso
 
Protect your website
Protect your websiteProtect your website
Protect your websiteMuthu Natarajan
 
Hackers secrets
Hackers secretsHackers secrets
Hackers secretsTengku Maulana
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!Dougal Campbell
 
Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.Marcin Chwedziak
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationAnant Shrivastava
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - BeginnersHimanshu Kumar Das
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressJeroen van Dijk
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
Digital Strategy Works - Moving Wordpress
Digital Strategy Works - Moving WordpressDigital Strategy Works - Moving Wordpress
Digital Strategy Works - Moving WordpressDigital Strategy Works LLC
 
Wampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharmaWampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharmaAjay Di Sharma
 
WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011Alfred Ayache
 
Setting Up Wordpress Offline
Setting Up Wordpress OfflineSetting Up Wordpress Offline
Setting Up Wordpress OfflineAmol Dhir
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.DrupalCampDN
 
Vagrant WordCamp Hamilton
Vagrant WordCamp HamiltonVagrant WordCamp Hamilton
Vagrant WordCamp HamiltonPaul Bearne
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressJeroen van Dijk
 
Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Jim Birch
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press BlogChetan Gole
 
Locking down word press
Locking down word pressLocking down word press
Locking down word pressZachary Russell
 
WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011Tareq Hasan
 
Разработка плагина для Wordpress
Разработка плагина для Wordpress Разработка плагина для Wordpress
Разработка плагина для Wordpress Amin Benarieb
 
"><h1>muthu</h1>
"><h1>muthu</h1>"><h1>muthu</h1>
"><h1>muthu</h1>muthu muthu
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWordÍndice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWordTelefónica
 
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...Telefónica
 

More Related Content

Similar to WPM: Wordpress IN Paranoid MODE

The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressJeroen van Dijk
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
Wampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharmaWampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharmaAjay Di Sharma
 
WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011Alfred Ayache
 
Setting Up Wordpress Offline
Setting Up Wordpress OfflineSetting Up Wordpress Offline
Setting Up Wordpress OfflineAmol Dhir
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.DrupalCampDN
 
Vagrant WordCamp Hamilton
Vagrant WordCamp HamiltonVagrant WordCamp Hamilton
Vagrant WordCamp HamiltonPaul Bearne
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Brian Layman
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressJeroen van Dijk
 
Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Jim Birch
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press BlogChetan Gole
 
WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011Tareq Hasan
 
Разработка плагина для Wordpress
Разработка плагина для Wordpress Разработка плагина для Wordpress
Разработка плагина для Wordpress Amin Benarieb
 
"><h1>muthu</h1>
"><h1>muthu</h1>"><h1>muthu</h1>
"><h1>muthu</h1>muthu muthu
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Vasile
 

Similar to WPM: Wordpress IN Paranoid MODE (20)

The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
Digital Strategy Works - Moving Wordpress
Digital Strategy Works - Moving WordpressDigital Strategy Works - Moving Wordpress
Digital Strategy Works - Moving Wordpress
 
Wampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharmaWampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharma
 
WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011
 
Setting Up Wordpress Offline
Setting Up Wordpress OfflineSetting Up Wordpress Offline
Setting Up Wordpress Offline
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.
 
Vagrant WordCamp Hamilton
Vagrant WordCamp HamiltonVagrant WordCamp Hamilton
Vagrant WordCamp Hamilton
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
 
Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
 
WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011
 
Разработка плагина для Wordpress
Разработка плагина для Wordpress Разработка плагина для Wordpress
Разработка плагина для Wordpress
 
"><h1>muthu</h1>
"><h1>muthu</h1>"><h1>muthu</h1>
"><h1>muthu</h1>
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
 

More from Telefónica

Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWordÍndice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWordTelefónica
 
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...Telefónica
 
Índice del libro "Hacking Web3: Challenge Acepted!" de 0xWord
Índice del libro "Hacking Web3: Challenge Acepted!" de 0xWordÍndice del libro "Hacking Web3: Challenge Acepted!" de 0xWord
Índice del libro "Hacking Web3: Challenge Acepted!" de 0xWordTelefónica
 
Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...
Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...
Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...Telefónica
 
Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...
Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...
Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...Telefónica
 
Índice del Libro "Storytelling para Emprendedores"
Índice del Libro "Storytelling para Emprendedores"Índice del Libro "Storytelling para Emprendedores"
Índice del Libro "Storytelling para Emprendedores"Telefónica
 
Digital Latches for Hacker & Developer
Digital Latches for Hacker & DeveloperDigital Latches for Hacker & Developer
Digital Latches for Hacker & DeveloperTelefónica
 
Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"
Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"
Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"Telefónica
 
WhatsApp INT: OSINT en WhatsApp
WhatsApp INT: OSINT en WhatsAppWhatsApp INT: OSINT en WhatsApp
WhatsApp INT: OSINT en WhatsAppTelefónica
 
Índice del libro "De la Caverna al Metaverso" de 0xWord.com
Índice del libro "De la Caverna al Metaverso" de 0xWord.comÍndice del libro "De la Caverna al Metaverso" de 0xWord.com
Índice del libro "De la Caverna al Metaverso" de 0xWord.comTelefónica
 
20º Máster Universitario de Ciberseguridad UNIR
20º Máster Universitario de Ciberseguridad UNIR20º Máster Universitario de Ciberseguridad UNIR
20º Máster Universitario de Ciberseguridad UNIRTelefónica
 
BootCamp Online en DevOps (and SecDevOps) de GeeksHubs Academy
BootCamp Online en DevOps (and SecDevOps) de GeeksHubs AcademyBootCamp Online en DevOps (and SecDevOps) de GeeksHubs Academy
BootCamp Online en DevOps (and SecDevOps) de GeeksHubs AcademyTelefónica
 
Índice del libro "Ciberseguridad de tú a tú" de 0xWord
Índice del libro "Ciberseguridad de tú a tú" de 0xWordÍndice del libro "Ciberseguridad de tú a tú" de 0xWord
Índice del libro "Ciberseguridad de tú a tú" de 0xWordTelefónica
 
Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...
Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...
Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...Telefónica
 
Índice del libro "Social Hunters" de 0xWord
Índice del libro "Social Hunters" de 0xWordÍndice del libro "Social Hunters" de 0xWord
Índice del libro "Social Hunters" de 0xWordTelefónica
 
Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...
Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...
Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...Telefónica
 
Los retos sociales y éticos del Metaverso
Los retos sociales y éticos del MetaversoLos retos sociales y éticos del Metaverso
Los retos sociales y éticos del MetaversoTelefónica
 
Índice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWord
Índice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWordÍndice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWord
Índice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWordTelefónica
 
Índice del libro "Docker: SecDevOps" 2ª Edición de 0xWord
Índice del libro "Docker: SecDevOps" 2ª Edición de 0xWordÍndice del libro "Docker: SecDevOps" 2ª Edición de 0xWord
Índice del libro "Docker: SecDevOps" 2ª Edición de 0xWordTelefónica
 
Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...
Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...
Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...Telefónica
 

More from Telefónica (20)

Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWordÍndice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
 
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
 
Índice del libro "Hacking Web3: Challenge Acepted!" de 0xWord
Índice del libro "Hacking Web3: Challenge Acepted!" de 0xWordÍndice del libro "Hacking Web3: Challenge Acepted!" de 0xWord
Índice del libro "Hacking Web3: Challenge Acepted!" de 0xWord
 
Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...
Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...
Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...
 
Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...
Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...
Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...
 
Índice del Libro "Storytelling para Emprendedores"
Índice del Libro "Storytelling para Emprendedores"Índice del Libro "Storytelling para Emprendedores"
Índice del Libro "Storytelling para Emprendedores"
 
Digital Latches for Hacker & Developer
Digital Latches for Hacker & DeveloperDigital Latches for Hacker & Developer
Digital Latches for Hacker & Developer
 
Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"
Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"
Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"
 
WhatsApp INT: OSINT en WhatsApp
WhatsApp INT: OSINT en WhatsAppWhatsApp INT: OSINT en WhatsApp
WhatsApp INT: OSINT en WhatsApp
 
Índice del libro "De la Caverna al Metaverso" de 0xWord.com
Índice del libro "De la Caverna al Metaverso" de 0xWord.comÍndice del libro "De la Caverna al Metaverso" de 0xWord.com
Índice del libro "De la Caverna al Metaverso" de 0xWord.com
 
20º Máster Universitario de Ciberseguridad UNIR
20º Máster Universitario de Ciberseguridad UNIR20º Máster Universitario de Ciberseguridad UNIR
20º Máster Universitario de Ciberseguridad UNIR
 
BootCamp Online en DevOps (and SecDevOps) de GeeksHubs Academy
BootCamp Online en DevOps (and SecDevOps) de GeeksHubs AcademyBootCamp Online en DevOps (and SecDevOps) de GeeksHubs Academy
BootCamp Online en DevOps (and SecDevOps) de GeeksHubs Academy
 
Índice del libro "Ciberseguridad de tú a tú" de 0xWord
Índice del libro "Ciberseguridad de tú a tú" de 0xWordÍndice del libro "Ciberseguridad de tú a tú" de 0xWord
Índice del libro "Ciberseguridad de tú a tú" de 0xWord
 
Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...
Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...
Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...
 
Índice del libro "Social Hunters" de 0xWord
Índice del libro "Social Hunters" de 0xWordÍndice del libro "Social Hunters" de 0xWord
Índice del libro "Social Hunters" de 0xWord
 
Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...
Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...
Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...
 
Los retos sociales y éticos del Metaverso
Los retos sociales y éticos del MetaversoLos retos sociales y éticos del Metaverso
Los retos sociales y éticos del Metaverso
 
Índice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWord
Índice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWordÍndice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWord
Índice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWord
 
Índice del libro "Docker: SecDevOps" 2ª Edición de 0xWord
Índice del libro "Docker: SecDevOps" 2ª Edición de 0xWordÍndice del libro "Docker: SecDevOps" 2ª Edición de 0xWord
Índice del libro "Docker: SecDevOps" 2ª Edición de 0xWord
 
Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...
Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...
Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...
 

Recently uploaded

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfAlex Barbosa Coqueiro
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):comworks
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfjimielynbastida
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr BaganFwdays
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr LapshynFwdays
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024The Digital Insurer
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubKalema Edgar
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Patryk Bandurski
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfngoud9212
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...shyamraj55
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationSafe Software
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Commit University
 

Recently uploaded (20)

Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Unraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdfUnraveling Multimodality with Large Language Models.pdf
Unraveling Multimodality with Large Language Models.pdf
 
CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):CloudStudio User manual (basic edition):
CloudStudio User manual (basic edition):
 
Science&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdfScience&tech:THE INFORMATION AGE STS.pdf
Science&tech:THE INFORMATION AGE STS.pdf
 
"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan"ML in Production",Oleksandr Bagan
"ML in Production",Oleksandr Bagan
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
"Federated learning: out of reach no matter how close",Oleksandr Lapshyn
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024My INSURER PTE LTD - Insurtech Innovation Award 2024
My INSURER PTE LTD - Insurtech Innovation Award 2024
 
Unleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding ClubUnleash Your Potential - Namagunga Girls Coding Club
Unleash Your Potential - Namagunga Girls Coding Club
 
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
Integration and Automation in Practice: CI/CD in Mule Integration and Automat...
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
Bluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdfBluetooth Controlled Car with Arduino.pdf
Bluetooth Controlled Car with Arduino.pdf
 
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
Automating Business Process via MuleSoft Composer | Bangalore MuleSoft Meetup...
 
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry InnovationBeyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
Beyond Boundaries: Leveraging No-Code Solutions for Industry Innovation
 
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort ServiceHot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
Hot Sexy call girls in Panjabi Bagh 🔝 9953056974 🔝 Delhi escort Service
 
Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!Nell’iperspazio con Rocket: il Framework Web di Rust!
Nell’iperspazio con Rocket: il Framework Web di Rust!
 

WPM: Wordpress IN Paranoid MODE

  • 1. MY WORDPRESS IN PARANOID MODE Chema Alonso (@chemaalonso) https://www.elevenpaths.com http://www.elladodelmal.com
  • 2. (SOME) WORDPRESS RISKS  My plugin has a Code Injection Bug  Someone stole an identity  My WordPress is under Attack!!
  • 3. HARDEN IT!  Harden OS  (GNU/Linux Hardening)  Harden DB  (MySQL Hardenig)  Harden WordPress  (Main & Plugins)  Harden Users  (Awarness & Tools) www.0xword.com
  • 4. PUT A LATCH ON IT!
  • 5. 1) HARDEN WORDPRESS USERS http://www.slideshare.net/elevenpaths/instalacin-de-latch-en-word-press
  • 6. 2) HARDEN OS: GNU/LINUX SSH http://www.slideshare.net/elevenpaths/latch-unix-espaol
  • 7. 3) WORDPRESS IN PARANOID MODE (LATCHING MYSQL DB)  Create triggers in critical tables of Wordpress  This triggers allow or deny 3 actions:  Insert  Update  Delete  Trigger verify Latch to carry out an action:  Latch ON = Action  Latch OFF = Blocked
  • 8. CREATE LATH APP (LATCH DEVELOPER AREA) https://latch.elevenpaths.com
  • 10. STEP 1: PAIRING MYSQL & LATCH (GIVE ME TOKEN => PAIRING)
  • 11. STEP 2&3: CREATING OPERATIONS (RELAX AND ENJOY)
  • 12. STEP 4: COMPILATION & INSTALL (LIB_MYSQL_UDF.SO)
  • 13. STEP 5: UNLOAD MYSQL PROFILE (MYSQL APPARMOR PROFILE BLOCK CODE EXECUTION)
  • 14. STEP 6: CREATING MYSQL TRIGGERS (READ-ONLY, ADMINISTRATION, EDITION)
  • 15. YOU GOT LATCH IN WPM
  • 16. LATCH WPM: READ-ONLY MODE  Read-Only Mode:  Nobody can login in WordPress.  No one can make changes in MySQL.  wp_usermeta Table:  insert, delete and update blocked if ‘read-only’ operation enabled  If ‘read-only’ mode is deactivated then you can login
  • 17. LATCH: ADMINISTRATION MODE  Protects:  Delete on wp_users  Update on wp_users  Insert on wp_users  SQL Injection Bugs:  No Delete  No Update  No Insert
  • 18. LATCH: ADMINISTRATION MODE  Trigger on wp_users:  Delete Action  Verify Latch  Abort SQL Operation
  • 19. QUESTIONS?  WPM -WordPress in Paranoid Mode  https://github.com/elevenpaths  Https://community.elevenpahts.com  Chema Alonso  (@chemaalonso)  https://www.elevenpaths.com  http://www.elladodelmal.com