Wordpress Security 101
Published in: Technology
Tons of details from basics of security to how to handle a compromised website yourself.
WordPress Security 101++
Introduction
Break down
● Security basics
● Attacker motives
● Clean up
● Prevention
● Auditing!
whoami
● Robert Rowley
● Security guy
● Websites, servers, social engineering, mobile
● DreamHost security “one size fits all” person
DreamHost
● 1 million+ websites
● Huge WordPress install base.
YOU!
● Security core concepts
● It is easy
Security core concepts
● Backups
● Passwords
● Updates
● Monitoring
Backups
● Take them regularly
● Keep them secure and off site
Passwords
● Easy!
● “Passphrase”: alphanumeric and other characters
● Better!
● Two factor.
Updates
● Automate if possible.
● On the first day it's already too late.
Monitoring
● Prevent the attack from going unnoticed.
The bad guys
Fruit?
Low hanging fruit
Bots!
Attacker motivation: Why? Why? WHY?
Attacker motivation: $$
How?
● Software vulnerabilities
Arbitrary file uploads, code execution, LFI/RFI, SQLi
● Password compromise
Spyware/brute force
● Host based attacks
Are you on a shared host? (cloud?)
Show your work!
How does a compromised site equal profit?
● Phishing (identity theft)
● BlackHat SEO (affiliate services, e-fraud)
● Traffic theft (malware)
● Spam (all of the above)
● Backdoor installations (all of the above)
Graphs
● DreamHost attack logs
● Actual traffic from 8/20/2011 → 02/16/2012
Graph: zenCart
You're not helping!!!
Clean up ALL THE THINGS!!!!
Not that hard
● All
● The
● Things
If you plan to audit, do that first!
● Take the site offline
● Backup ALL THE THINGS:
  ● Files
  ● Databases
  ● Logs
Update ALL THE software!!!
● Core software
● Plugins
● Themes?
● Other?
Check ALL THE files!!!
● Does this belong here?
● Backups help
Change ALL THE passwords!!!
● Set the policy
● Need more? Use two-factor.
Re-install ALL THE THINGS!!!
● Backups.
● Re-install.
● No backups? Can't re-install?
● Just one line …. what? What? WHAT?
● Magical “find”
find ALL THE insecure permissions!!
Permissions issues:
find /path/ -type d -perm 777 -print
better:
find /path/ -type d -exec chmod 755 {} \; -print
alternative:
find /path/ -type d -perm 777 -exec chmod 755 {} \; -print
find /path/ -type f -exec chmod 644 {} \; -print
(-perm 777 only matches directories that are exactly 777; -perm -o+w matches anything with the other-write bit set, which is the actual problem.)
find ALL THE backdoors!!!
find /path/ -name "*.php" -exec grep "fingerprint" {} \; -print
find /path/ -name "*.php" -exec grep "fingerprint" {} \; -exec rm {} \; -print
(or use chmod 0 {} instead of rm {}, which stops the file from running but keeps it for the audit)
find /path/ -name "*.php" -exec grep -E "all|the|things" {} \; -print
(Alternation needs grep -E; without it the | is a literal character and nothing matches.)
Destroy ALL THE backdoors!!!
find /path/ -name "*.php" \( \
    \( -exec grep -qE 'FilesMan|eval\(base64_decode\(|eval\(gzinflate\(' {} \; -exec chmod 0 {} \; \) \
    -or \
    \( -exec grep -qE '(base64_decode){10,}' {} \; -exec sed -i.backup -E '/(base64_decode){10,}/d' {} \; \) \
  \) -print
The parentheses in the first pattern must be escaped in an ERE, and the two branches need explicit \( \) grouping, otherwise -or binds looser than -name and the second branch runs on every file, not just *.php. The slide's second alternative, (){30,}, is an empty group that matches every line, so only the base64_decode run is kept. sed -i.backup leaves a copy, but deleting a line from a PHP file usually leaves the file broken: prefer chmod 0 and restore from a clean copy.
Spot ALL THE “diff”erences!
● Use “diff” to compare directories.
● Works best with backups (or just download WP)
$ diff omgfire.com omgfire.com_lastbackup
Only in omgfire.com: this_could_be_a_backdoor.php
Common subdirectories: omgfire.com/wp-admin and omgfire.com_lastbackup/wp-admin
$ diff omgfire.com/wp-config.php omgfire.com_lastbackup/wp-config.php
1d0
< <? /* this is a little bit of code changed! */ ?>
(Add -r to descend into the subdirectories instead of only listing them as common; -q prints just the names of files that differ.)
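The find, grep and diff one-liners from the last four slides, folded into one dry-run script as an added example (this is not code from the slides). Function names, the constructed sample tree and the marker list are my own; paths are arguments, nothing is deleted, and suspect files are quarantined with mode 0 so the audit still has them:

```shell
#!/bin/sh
# Added example, not part of the original slides: the cleanup one-liners as
# reusable functions. Assumes POSIX sh with find, grep, diff and sed.
# Usage: . ./wp_triage.sh, or run with --demo to build and triage a sample tree.

# World-writable directories and files. -perm -o+w matches any mode with the
# other-write bit set, so it also catches 767 or 666, which -perm 777 misses.
find_world_writable() {
  find "$1" \( -type d -o -type f \) -perm -o+w -print | sort
}

# PHP has no business under wp-content/uploads; any .php there is a finding.
find_php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null | sort
}

# Webshell markers as one ERE: parentheses escaped, -l so each file prints
# once, {} + so grep runs per batch of files instead of once per file.
find_backdoor_markers() {
  find "$1" -type f -name '*.php' -exec grep -lE \
    'FilesMan|eval\(base64_decode\(|eval\(gzinflate\(|(base64_decode){10,}' {} + | sort
}

# Quarantine: mode 0 makes the file unreadable and unexecutable for the web
# server user, which stops the shell without destroying the evidence.
quarantine_backdoors() {
  find_backdoor_markers "$1" | while IFS= read -r f; do
    chmod 0 "$f" && printf 'quarantined %s\n' "$f"
  done
}

# Files that exist in the live tree but not in the last known-good backup
# (the "Only in" lines of diff -rq). Usage: new_since_backup LIVE BACKUP
new_since_backup() {
  diff -rq "$2" "$1" | sed -n "s|^Only in $1\(.*\): \(.*\)$|$1\1/\2|p" | sort
}

# Constructed sample for a dry run (not real malware): a clean backup and a
# live copy with a marker-only "shell" in uploads, a world-writable uploads
# directory and an extra line in wp-config.php.
make_sample_tree() {
  for d in backup live; do
    mkdir -p "$1/$d/wp-content/uploads" "$1/$d/wp-content/plugins/hello"
    printf '<?php echo "clean"; ?>\n' > "$1/$d/wp-content/plugins/hello/hello.php"
    printf '<?php define("DB_NAME", "wp"); ?>\n' > "$1/$d/wp-config.php"
  done
  printf '<?php eval(base64_decode($_POST["c"])); ?>\n' > "$1/live/wp-content/uploads/shell.php"
  printf '<? /* this is a little bit of code changed! */ ?>\n' >> "$1/live/wp-config.php"
  chmod -R u=rwX,go=rX "$1"
  chmod 777 "$1/live/wp-content/uploads"
}

if [ "${1:-}" = "--demo" ]; then
  T=$(mktemp -d)
  make_sample_tree "$T"
  echo "world-writable:";   find_world_writable "$T/live"
  echo "php in uploads:";   find_php_in_uploads "$T/live"
  echo "marker hits:";      find_backdoor_markers "$T/live"
  echo "new since backup:"; new_since_backup "$T/live" "$T/backup"
  quarantine_backdoors "$T/live"
  rm -rf "$T"
fi
```

Run the functions against the live docroot and the most recent backup; review what find_backdoor_markers and new_since_backup list before quarantining, since the marker list will also flag legitimate plugins that obfuscate their own code.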
Pay for ALL THE fixes!!!
● The good, the bad and the ugly
Preventative
Server options
● Firewall
mod_security, Cloudflare
● Database
Restrict by hostname
Site configuration
● File monitoring
● Stop using FTP
● HTTPS
● Lock down directory/file permissions
WordPress tricks
● Enable auto-update
● Don't log in as “admin”
● Database table prefix
● Disable PHP/CGI in upload/include directories
● Plugins!
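Three of the site-configuration and WordPress-tricks items above as checks you can run against a docroot, as an added example (not from the slides). The function names, the constructed sample docroot and the .htaccess text are mine; the .htaccess only takes effect on Apache with AllowOverride enabled for the directory, and on nginx the equivalent is a location block returning 403 for .php under uploads:

```shell
#!/bin/sh
# Added example, not part of the original slides. Assumes POSIX sh with
# find, awk and chmod; the docroot is the single argument to each function.

# Locks permissions to the slide's 755/644, with wp-config.php tighter (640)
# because it holds the database password.
lock_permissions() {
  find "$1" -type d -exec chmod 755 {} +
  find "$1" -type f -exec chmod 644 {} +
  if [ -f "$1/wp-config.php" ]; then chmod 640 "$1/wp-config.php"; fi
}

# Stops PHP (and variants such as .phtml, .php5) from executing under
# wp-content/uploads. Both the 2.4 (Require) and 2.2 (Order/Deny) forms are
# written so the same file works on either Apache version.
deny_php_in_uploads() {
  mkdir -p "$1/wp-content/uploads"
  cat > "$1/wp-content/uploads/.htaccess" <<'EOF'
# No script execution in the upload tree
<FilesMatch "\.(php|php[0-9]|phtml|phar)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
EOF
}

# Prints the configured table prefix and returns 1 when it is still the
# default "wp_" that every bot-driven SQL injection assumes.
check_table_prefix() {
  prefix=$(awk -F"['\"]" '/^\$table_prefix/ { print $2; exit }' "$1/wp-config.php")
  printf '%s\n' "$prefix"
  [ "$prefix" != "wp_" ]
}

# Constructed sample docroot with the weak default prefix.
make_sample_docroot() {
  mkdir -p "$1/wp-content/uploads" "$1/wp-admin"
  printf '%s\n' '<?php' "\$table_prefix = 'wp_';" "define('DB_NAME', 'wp');" > "$1/wp-config.php"
  : > "$1/index.php"
}

if [ "${1:-}" = "--demo" ]; then
  T=$(mktemp -d)
  make_sample_docroot "$T"
  lock_permissions "$T"
  deny_php_in_uploads "$T"
  check_table_prefix "$T" || echo "table prefix is the default"
  rm -rf "$T"
fi
```

Changing the prefix on a live site is more than editing wp-config.php: the tables and the option/usermeta rows that embed the prefix must be renamed too, so do it at install time or with a plugin that handles both.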
Security Plugins
(X = provided, / = partial; column positions inferred from the flattened slide)
Plugin                        Backups  Prevention  Cleanup  Monitoring  Authentication
File Monitor plus                                           X
VaultPress                    X                             X
Google Auth., Yubikey, etc.                                             X
Exploit Scanner                                    /        X
Backup Buddy                  X
Security Services
(X = provided, / = partial; column positions inferred from the flattened slide)
Service                       Backups  Prevention  Cleanup  Monitoring  Price
Cloudflare                             X                    /           Free-20 (+5)/month
VaultPress                    X                    /        X           15-350/month
StoptheHacker                                               X           Free-100+/month
URLvoid.com, various others                                 X           Free
Sucuri                                             X        X           90-290/month
Auditing
Who logged in?
● Via SSH: “last”
● Via WordPress: “simple login log” plugin
Digging in with timestamps.
$ ls -la omgfire.com/backdoor.php
-rw-rw-r-- 1 user grp 0 Feb 13 21:52 omgfire.com/backdoor.php
$ grep 21:52: logs/omgfire.com/access.log.2012-02-13
123.125.71.31 - - [13/Feb/2012:21:52:53 -0800] "POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-" "Mozilla"
(ls prints the mtime in the local time zone and the log carries its own offset, -0800 here; check that they agree before matching minutes, and remember that a file's mtime can be reset by whoever wrote it.)
Digging in with HTTP logs
$ awk '{print $7}' access.log | sort | uniq -c | sort -n
      1 /phpMyAdmin-2.2.3/index.php
      1 /phpMyAdmin-2.5.5-pl1/index.php
      1 /phpMyAdmin-2.5.5/index.php
      1 /phpMyAdmin-2.5.6-rc2/index.php
      1 /phpMyAdmin/index.php
      1 /phpmyadmin1/index.php
      1 /pma/index.php
      1 /web/phpMyAdmin/index.php
      1 /websql/index.php
      2 /phpmyadmin/index.php
      4 /robots.txt
    242 /
($7 is the request path in the common/combined log format; the run of one-hit phpMyAdmin paths is a scanner sweep.)
Ask your host!
● You may not be alone.
Follow-up
● Take ownership and post your experience
● Help the next website owner.
Further reading
http://codex.wordpress.org/Hardening_WordPress
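The awk and grep log triage from the auditing slides as functions over a combined-format access log, plus the two follow-up queries a responder usually runs next, as an added example (not from the slides). The function names and the sample log are mine; the log lines are constructed with documentation address ranges and the shell path is invented:

```shell
#!/bin/sh
# Added example, not part of the original slides. Assumes POSIX sh, awk and
# grep, and the "combined" log format where field 7 is the request path.

# Slide's pipeline: request paths ranked by hit count, least hit first.
# Scanner probes show up as a run of one-hit paths; the real site is at the bottom.
top_paths() {
  awk '{print $7}' "$1" | sort | uniq -c | sort -n
}

# Every request in the minute a suspect file was modified (the granularity
# ls -la shows). Usage: requests_at access.log 21:52
requests_at() {
  grep ":$2:" "$1"
}

# POSTs to .php files that are not WordPress's own entry points. A dropped
# shell is driven exactly this way; output is "ip path status".
suspicious_posts() {
  awk '$6 == "\"POST" && $7 ~ /\.php/ &&
       $7 !~ /^\/(wp-login\.php|wp-admin\/|xmlrpc\.php|wp-cron\.php|wp-comments-post\.php)/ {
         print $1, $7, $9 }' "$1"
}

# Hosts probing for admin panels (the phpMyAdmin/pma/websql paths in the
# slide output), ranked by number of probes.
scanner_ips() {
  awk 'tolower($7) ~ /phpmyadmin|\/pma\/|websql/ {print $1}' "$1" | sort | uniq -c | sort -rn
}

# Constructed sample log: normal browsing, one scanner sweep, a legitimate
# login, and a shell being used in the 21:52 minute.
write_sample_log() {
  cat > "$1" <<'EOF'
203.0.113.5 - - [13/Feb/2012:20:01:10 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Feb/2012:20:02:31 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.9 - - [13/Feb/2012:20:02:32 -0800] "GET /robots.txt HTTP/1.1" 200 67 "-" "Mozilla/5.0"
198.51.100.23 - - [13/Feb/2012:21:10:01 -0800] "GET /phpMyAdmin/index.php HTTP/1.1" 404 231 "-" "-"
198.51.100.23 - - [13/Feb/2012:21:10:01 -0800] "GET /pma/index.php HTTP/1.1" 404 231 "-" "-"
198.51.100.23 - - [13/Feb/2012:21:10:02 -0800] "GET /phpmyadmin/index.php HTTP/1.1" 404 231 "-" "-"
198.51.100.23 - - [13/Feb/2012:21:10:02 -0800] "GET /websql/index.php HTTP/1.1" 404 231 "-" "-"
203.0.113.5 - - [13/Feb/2012:21:30:44 -0800] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.5 - - [13/Feb/2012:21:30:45 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.77 - - [13/Feb/2012:21:52:10 -0800] "GET /wp-content/uploads/shell.php?cmd=id HTTP/1.1" 200 44 "-" "Mozilla"
203.0.113.77 - - [13/Feb/2012:21:52:53 -0800] "POST /wp-content/uploads/shell.php HTTP/1.1" 200 158 "-" "Mozilla"
203.0.113.12 - - [13/Feb/2012:22:15:03 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.12 - - [13/Feb/2012:22:15:09 -0800] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
EOF
}

if [ "${1:-}" = "--demo" ]; then
  L=$(mktemp)
  write_sample_log "$L"
  echo "== top paths";        top_paths "$L"
  echo "== 21:52";            requests_at "$L" 21:52
  echo "== suspicious POSTs"; suspicious_posts "$L"
  echo "== scanners";         scanner_ips "$L"
  rm -f "$L"
fi
```

Point the functions at the real access log (or the rotated file for the day of the mtime). The suspicious_posts filter is the one that usually finds the entry point: a 200 on a POST to a .php file under uploads or inside a plugin directory is a shell being driven, and the source address of that request is what to search for across the rest of the logs.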