Dan Catalin Vasile - Hacking the Wordpress Ecosystem
OWASP Romania InfoSec Conference, Bucharest, October 25, 2013
1. Hacking the Wordpress Ecosystem

2. About Me
   Dan Catalin VASILE
   • Information Security Consultant
   • Researcher / Writer / Presenter
   • OWASP Romania Board Member
   • Online presence: http://www.pentest.ro, dan@pentest.ro / @DanCVASILE

3. About the talk: Hacking the Wordpress Ecosystem. WHY?

4. About the talk: More numbers

5. About the talk: Finding Wordpress!

6. Scope

7. Scope: TO SCARE!!!!
   Attacks on:
   - the Wordpress platform
   - plugins
   - themes
   - infrastructure
   - humans

8. Scope: and TO REPAIR.
   Focus on:
   - infrastructure
   - installation process
   - protective server-side measures
   - protective client-side measures
   - reviewing source code
   - maintenance

9. Wordpress Ecosystem: Infrastructure, Users, Base platform, Themes, Plugins

10. Hacking the infrastructure: Physical security
11. Hacking the infrastructure: common web server vulnerabilities
   • Overflows
   • DoS
   • Remote command execution
   • XSS in internal tools
   • Security misconfiguration
   ... just to name a few: http://httpd.apache.org/security/vulnerabilities_22.html & more

12. Hacking the infrastructure: PHP vulnerabilities
   • DoS
   • Overflows
   • Remote command execution
   • SQL injection
   • XSS
   • Source code disclosure
   • RFI
   • CSRF
   & more
13. Hacking the Wordpress platform: one example from the CVE Database
14. Hacking the plugins
   How many plugins are there? 27,596 PLUGINS, 536,317,915 DOWNLOADS (as of October 2013)
   How many of them are vulnerable? Not as many as you would expect: CVE lists 'only' 164 vulnerabilities (not all of them related to plugins).
   Fear not! New plugins every day & new disclosures on old plugins.
15. Hacking the themes
   Themes can be vulnerable! They sometimes come bundled with other plugins needed for the functionality the theme offers.
   Think about the TimThumb vulnerability!

16. Hacking the themes: what is TimThumb?
   A small PHP script for cropping, zooming and resizing web images (jpg, png, gif). Perfect for use on blogs and other applications.
   The problem: TimThumb essentially caches even remote files locally, without doing any proper sanitisation.
   The problem for hackers: timthumb.php does check whether the target file is actually an image. The file is also quite often renamed to something else and is used in many themes.
17. TimThumb hack
   The easiest way to trick TimThumb into believing that a remotely stored image (which also contains malicious PHP code) is a real image: timthumbcraft.

18. TimThumb hack: uploading the file

19. TimThumb hack: additional problems
   - When the image is uploaded, the PHP script ends up in the cache directory under a 'random' name.

20. TimThumb hack: We're IN!
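The check bypass from slides 16 to 19, as an added example that is not TimThumb's own code and not the timthumbcraft tool: a real GIF with PHP appended passes an image-header check, survives a raw write into the cache, and is neutralised only when the image is decoded and re-encoded. The function names, the cache directory, the payload and the re-encode fix are assumptions made for this demo.

```php
<?php
// Added example, not TimThumb's own code and not the timthumbcraft tool.
// Shows why an "is this really an image?" check is not enough.
// Run with the PHP CLI: php polyglot_demo.php

// Attacker side: a genuine 1x1 GIF (the well-known transparent spacer) with
// PHP appended. Image decoders stop at the GIF trailer byte (0x3B); the PHP
// interpreter ignores everything before "<?php".
function craftPolyglot(string $payload): string
{
    $gif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
    return $gif . "\n<?php " . $payload . " ?>";
}

// Vulnerable check, the shape of the historic one: accept the bytes when
// getimagesize() recognises an image header. It reads only the first bytes
// of the file, so the trailing PHP code is never examined.
function naiveIsImage(string $bytes): bool
{
    $tmp = tempnam(sys_get_temp_dir(), 'img');
    file_put_contents($tmp, $bytes);
    $info = @getimagesize($tmp);
    unlink($tmp);
    return $info !== false;
}

// Vulnerable cache: the fetched bytes go to the cache directory unchanged,
// under a "random" name. If the web server executes PHP in that directory,
// the attacker only has to find the file name.
function cacheRaw(string $cacheDir, string $bytes): string
{
    $path = $cacheDir . '/' . bin2hex(random_bytes(8));
    file_put_contents($path, $bytes);
    return $path;
}

// Hardened handling (assumed fix, needs the GD extension): decode and
// re-encode, so only pixel data survives, and write it under a fixed image
// extension. Keeping PHP execution switched off for the cache directory is
// the second, independent layer. Returns null when the bytes do not decode.
function cacheSanitised(string $cacheDir, string $bytes): ?string
{
    if (!naiveIsImage($bytes)) {
        return null;
    }
    $im = @imagecreatefromstring($bytes);
    if ($im === false) {
        return null;
    }
    ob_start();
    imagegif($im);
    $clean = ob_get_clean();
    imagedestroy($im);
    $path = $cacheDir . '/' . bin2hex(random_bytes(8)) . '.gif';
    file_put_contents($path, $clean);
    return $path;
}

$cacheDir = sys_get_temp_dir() . '/timthumb_demo_cache';
@mkdir($cacheDir, 0700);

$evil = craftPolyglot('system($_GET["cmd"]);');   // constructed payload for the demo
printf("naive image check accepts the polyglot: %s\n", naiveIsImage($evil) ? 'yes' : 'no');

$raw = cacheRaw($cacheDir, $evil);
printf("raw cache copy still contains PHP:       %s\n",
    strpos(file_get_contents($raw), '<?php') !== false ? 'yes' : 'no');

if (function_exists('imagecreatefromstring')) {
    $safe = cacheSanitised($cacheDir, $evil);
    if ($safe === null) {
        echo "sanitiser rejected the file\n";
    } else {
        printf("re-encoded cache copy contains PHP:      %s\n",
            strpos(file_get_contents($safe), '<?php') !== false ? 'yes' : 'no');
    }
} else {
    echo "GD extension not loaded; skipping the re-encode step\n";
}
```

The first two checks print "yes"; the re-encoded copy prints "no". Re-encoding on its own is not a complete defence: the cache directory must also be served with PHP execution denied, and a thumbnail script has no business fetching from arbitrary remote hosts in the first place.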
21. Hacking the users
   Last but not least, hacking the human element:
   - Social engineering
   - Phishing
   - Exploiting bad habits

22. Let's fix it
   Let's start fixing the Wordpress Ecosystem. Short recap:
   - Infrastructure
   - Wordpress base platform
   - Wordpress plugins
   - Wordpress themes
   - Users
23. Fixing the Infrastructure
   - Choose a decent data-center
   - Use encryption for physical disks
   - Use secure communication channels with the server (SSH, SFTP); do you still use FTP? You should be banned from the world.
   - Keep the web server, PHP and database updated to the latest version
   - Secure configurations (disable directory listing, secure php.ini configuration, etc.)
   - Log and analyze
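The "secure php.ini configuration" item, as an added example that is not from the talk: each line gives a hardened value, with the weaker setting it replaces noted in the comment, and ties back to the vulnerability classes on slide 12. The paths are placeholders. Test disable_functions against the plugins you run, since some backup plugins shell out to mysqldump.

```ini
; Added example, not from the talk. Hardened php.ini values, each with the
; weaker setting it replaces. Paths are placeholders for this example.

expose_php = Off          ; default On: "X-Powered-By: PHP/x.y.z" on every response
display_errors = Off      ; development template sets On: paths, stack traces and SQL in error pages
log_errors = On           ; ... send them to the log instead (slide 23: log and analyze)
error_log = /var/log/php/error.log

; slide 12: RFI. With allow_url_include On, include($userInput) fetches and runs remote code.
allow_url_include = Off
; Off also blocks file_get_contents('http://...'); test plugins that fetch URLs that way.
allow_url_fopen = Off

; slide 12: remote command execution needs a way to spawn a process.
; Breaks plugins that call mysqldump or similar tools through exec().
disable_functions = exec,passthru,shell_exec,system,proc_open,popen

; slide 19: a script dropped into a cache directory can still only reach these paths.
open_basedir = /var/www/example.com/:/tmp/
```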
24. Fixing the Wordpress platform: installation
   - Always download the platform from a trusted source; use https://wordpress.org/download/
   - Change the default 'admin' username
   - Set a strong password
   - Change the default 'wp_' table prefix
   - Set an insane (long, random) database password
   - Move wp-config.php outside /public_html
25. Fixing the Wordpress platform: maintenance
   - BACKUP!!! (BackWPup plugin)
   - Update!
   - Use SSL for authentication
   - Use CAPTCHA for logging in (Captcha on Login plugin)
   - Limit access to /wp-admin (via .htaccess)
   - Source code audit
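The directory-listing, wp-config.php, /wp-admin and cache-directory items from slides 19 and 23 to 25, as an added example that is not from the talk, in Apache 2.4 syntax (2.2 uses Order/Allow/Deny instead of Require). The IP addresses are placeholders, and the rules are grouped by the file they belong in.

```apache
# Added example, not from the talk. Apache 2.4 syntax; addresses are placeholders.

# --- /public_html/.htaccess (the WordPress document root) ---
# Slide 23: no directory listings
Options -Indexes

# Slide 24: never serve wp-config.php, even if the PHP handler is misconfigured.
# The slide's stronger fix is to move it outside /public_html; WordPress also
# looks one directory above its root for it.
<Files "wp-config.php">
    Require all denied
</Files>

# Slide 25: wp-login.php only from trusted addresses
<Files "wp-login.php">
    Require ip 203.0.113.10 192.0.2.0/24
</Files>

# --- /public_html/wp-admin/.htaccess ---
# Slide 25: same restriction for the whole dashboard ...
Require ip 203.0.113.10 192.0.2.0/24
# ... except admin-ajax.php, which front-end code of many themes and plugins
# calls on behalf of anonymous visitors
<Files "admin-ajax.php">
    Require all granted
</Files>

# --- /public_html/wp-content/uploads/.htaccess (and any theme cache/ directory) ---
# Slide 19: a file that reaches an upload or cache directory must not run as
# PHP, whatever its name
<FilesMatch "\.(php|phtml|phar)$">
    Require all denied
</FilesMatch>
```

These rules only take effect when the virtual host's AllowOverride permits them. If PHP is handed to php-fpm with ProxyPassMatch, per-directory .htaccess files are bypassed for .php requests; in that setup put the same FilesMatch deny into the virtual host configuration instead.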
26. Fixing the themes
   - Update
   - Review the code

27. Fixing the plugins
   - Delete unused plugins
   - Update
   - Review ratings and user comments
   - Source code audit

28. Fixing the users
   - Awareness
   - Set user roles and give only the privileges they need
   - Log & audit user actions (ARYO Activity Log plugin)
   - Personal computer security
   - Enforce the use of strong passwords (Minimum Password Strength plugin)
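Three of the user-side controls on slide 28 done in code rather than with the plugins the slide names, as an added example that is not from the talk and not those plugins: a password policy enforced on the profile and password-reset forms, unfiltered_html taken away from editors, and a login audit trail in the PHP error log. It is written as a must-use plugin; the 14-character minimum, the function prefix and the option name are assumptions.

```php
<?php
/*
Plugin Name: Least privilege and password policy (added example, not from the talk)
*/
// Save as wp-content/mu-plugins/example-user-hardening.php. Must-use plugins
// load before ordinary plugins and cannot be deactivated from the dashboard.

const EXAMPLE_MIN_PASSWORD_LENGTH = 14;   // policy value assumed for this example

// Password policy. WordPress puts the candidate password in $_POST['pass1']
// on the profile form and on the reset form, and both hooks receive the
// WP_Error collector: adding an error aborts the save.
function example_check_password_strength(WP_Error $errors): void
{
    if (!isset($_POST['pass1']) || $_POST['pass1'] === '') {
        return;                                   // form saved without a password change
    }
    $pw = (string) $_POST['pass1'];
    $classes = (int) preg_match('/[a-z]/', $pw)
             + (int) preg_match('/[A-Z]/', $pw)
             + (int) preg_match('/[0-9]/', $pw)
             + (int) preg_match('/[^a-zA-Z0-9]/', $pw);
    if (strlen($pw) < EXAMPLE_MIN_PASSWORD_LENGTH || $classes < 3) {
        $errors->add('weak_password', sprintf(
            'Passwords need at least %d characters and three of: lower case, upper case, digits, symbols.',
            EXAMPLE_MIN_PASSWORD_LENGTH
        ));
    }
}
add_action('user_profile_update_errors', 'example_check_password_strength', 10, 1);
add_action('validate_password_reset', 'example_check_password_strength', 10, 1);

// Least privilege. Editors do not need to publish raw HTML or script, so
// remove unfiltered_html: a compromised editor account can then no longer
// store XSS, because KSES filters what it posts. Capability changes persist
// in the wp_user_roles option, so apply them once rather than on every request.
function example_tighten_roles(): void
{
    if (get_option('example_roles_tightened')) {
        return;
    }
    $role = get_role('editor');
    if ($role && $role->has_cap('unfiltered_html')) {
        $role->remove_cap('unfiltered_html');
    }
    update_option('example_roles_tightened', 1);
}
add_action('init', 'example_tighten_roles');

// Audit trail. REMOTE_ADDR is the proxy's address when a reverse proxy or CDN
// is in front of the site; map the forwarded header there, not here.
add_action('wp_login', function (string $login, WP_User $user): void {
    error_log(sprintf('wp-audit login ok user=%s ip=%s', $login, $_SERVER['REMOTE_ADDR'] ?? '-'));
}, 10, 2);
add_action('wp_login_failed', function (string $login): void {
    error_log(sprintf('wp-audit login FAILED user=%s ip=%s', $login, $_SERVER['REMOTE_ADDR'] ?? '-'));
}, 10, 1);
```

Combined with the php.ini error_log setting, the failed-login lines give an external log analyser something concrete to alert on, which is the "log and analyze" item from slide 23 applied to users.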
29. Further actions: install one or more security plugins
   • Login Security Solution
   • AntiVirus
   • WP Security Scan
   • WordPress File Monitor Plus
   • OSE Firewall Security
   • Block Bad Queries
   • Wordfence

30. Further actions: monitor the website from an external party
   • WebsiteDefender
   • Pingdom
   • Change Detection

31. Further actions: source code audit
32. What to do
   If you know what you're doing, do the whole ecosystem yourself. Otherwise go with a managed solution:
   • WordPress.com (the hosted service; wordpress.org is the self-hosted download)
   • Wpengine.com
   • Godaddy.com
   etc.

33. Goal: Wordpress Security Checklist project on OWASP
   https://www.owasp.org/index.php/OWASP_Wordpress_Security_Checklist_Project
   My part:
   - Establish the structure
   - Contribute with content
   I need help for:
   - Content
   - Plugin suggestions and reviews
   - Source code audits

34. Questions? Thank you!
