Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
Identifying a Compromised WordPress Site @chrisburgess #wpmelb
Prevention is the holy grail, however it’s not the topic of this talk.
You can’t always prevent, so you must detect.
Even if we’re doing everything possible to harden and maintain our installations, we should still care about security to m...
Is Penetration Testing Worth it? There are two reasons why you might want to conduct a penetration test. One, you want to ...
The following examples are often the first signs of a successful attack.
Ahrefs and Google Search Console
Real example of anchor text from Ahrefs
Real example of a malicious plugin.
Real example of a malicious plugin.
This shouldn’t be the first sign of a compromised site. There are usually plenty of early warning signs.
But first…
Links to the Quora Article •  https://www.quora.com/I-am-powering-a- banks-website-using-WordPress-What- security-measures...
h"ps://www.quora.com/I-am-powering-a-banks-website-using-WordPress-What-security- measures-should-I-take/answer/Karol-Krol...
Let’s ask another question. Is Linux secure? Is Django secure? Is iOS secure? Is MySQL secure? Is Drupal secure? Is Node.J...
So.. banks aside, what would constitute as a high value target?
High traffic sites, anything with Personally Identifiable Information (PII), software vendors, service providers?
Credit card numbers aren’t the only form of sensitive information.
It’s really easy to say “something isn’t secure”.
It’s much harder to actually build something that is secure (knowing that there’s no such thing as absolute security).
The best answer is that if security is important, you need “people” working on it.
The Internet is a hostile environment. We need to have a healthy respect for this fact.
The current dilemma…
Hosting Providers
Plugins
Systems and Services
Users
Good Developers
Good Support, Ops and SysAdmins
A high value business needs good people, from all of these disciplines, working together.
h"p://www.sentrillion.com/images/img_defense-in-depth.jpg
Real example of a malicious file
You can’t rely only on tools, they won’t always detect a compromise.
Most WordPress security tools work by using signatures. For context, Kaspersky AV for Windows currently has around 500,000...
Scanning your site with online tools work only if your site has active malware, is defaced or blacklisted.
If a site has been compromised, it cannot be trusted.
example.com/index.php
example.com/otherapp/
example.com/*
example.com/*
Isolation Look out for a shared web root, addon domains in cPanel, or other web apps in subfolders.
We’re going to assume a fresh WordPress install, or restoration from a clean backup is needed
Places/things to check… •  Content/files (htaccess, index.php, sitemap.xml, anything custom) •  Running processes •  Runnin...
Checking Content •  grep •  Screaming Frog (useful for finding JS) •  Sucuri SiteCheck •  UnmaskParasites.com •  Safe Brows...
Once the server has been compromised, it cannot be trusted.
Tools for Detection •  System Monitoring •  Integrity Monitoring •  Firewalls •  IDS/IPS •  Malware Scanners •  Logging
System Monitoring •  Resources (Bandwidth/CPU/RAM/IO) •  Logins •  Processes
Integrity Monitoring •  git •  wp-cli •  Any diff tools •  Plugins •  Tripwire (and similar)
wp-cli’s Verify Checksums $ wp core verify-checksums Success: WordPress install verifies against checksums. Thanks to @dave...
Firewalls •  Network Firewalls •  Web Application Firewalls •  Security Services
IDS/IPS •  Typically at the host level •  OSSEC
Malware Detection •  Security Plugins •  Commercial AV •  Public Site Scanning •  Google Search Console •  ConfigServer eXp...
Logging •  /var/log (access, error, php) •  Centralised Logging or Log Shipping (Papertrail, Loggly, Splunk, Logstash etc....
WPScan WordPress Scanner
WPSecurityBloggers.com
Use a security plugin (or manually harden) https://www.wordfence.com/ https://sucuri.net/ https://ithemes.com/security/
Final Words… Security issues typically occur because of certain patterns. Cleaning, restoring or rebuilding doesn’t addres...
Prevention and Response Hardening/Prevention: •  https://codex.wordpress.org/ Hardening_WordPress Post-hack/Response: •  h...
•  WordPress.org – wordpress.org/about/security – wordpress.org/news/category/security •  Verizon DBIR http://www.verizone...
wpmelb.org/slack
Thanks and stay safe! @chrisburgess #wpmelb
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Identifying a Compromised WordPress Site
Upcoming SlideShare
Loading in …5
×

Identifying a Compromised WordPress Site

4,591 views

Published on

This talk was originally delivered at the Melbourne WordPress Developer Meetup in July 2016. Rather than the common talks on hardening and prevention, this presentation covered how you can identify a WordPress website is compromised, and some of the early warning signs.

Published in: Software
no profile picture user

  • Be the first to comment

Identifying a Compromised WordPress Site

  1. 1. Identifying a Compromised WordPress Site @chrisburgess #wpmelb
  2. 2. Prevention is the holy grail, however it’s not the topic of this talk.
  3. 3. You can’t always prevent, so you must detect.
  4. 4. Even if we’re doing everything possible to harden and maintain our installations, we should still care about security to monitor our high value sites.
  5. 5. Is Penetration Testing Worth it? There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You're vulnerable. Now, go do something useful about it. -- Bruce Schneier http://www.schneier.com/blog/archives/2007/05/is_penetration.html
  6. 6. The following examples are often the first signs of a successful attack.
  7. 7. Ahrefs and Google Search Console
  8. 8. Real example of anchor text from Ahrefs
  9. 9. Real example of a malicious plugin.
  10. 10. Real example of a malicious plugin.
  11. 11. This shouldn’t be the first sign of a compromised site. There are usually plenty of early warning signs.
  12. 12. But first…
  13. 13. Links to the Quora Article •  https://www.quora.com/I-am-powering-a- banks-website-using-WordPress-What- security-measures-should-I-take •  https://ma.tt/2015/04/a-bank-website-on- wordpress/ •  https://wptavern.com/banking-on-wordpress- matt-mullenweg-weighs-in-on-security- concerns
  14. 14. h"ps://www.quora.com/I-am-powering-a-banks-website-using-WordPress-What-security- measures-should-I-take/answer/Karol-Krol?srid=uD68
  15. 15. Let’s ask another question. Is Linux secure? Is Django secure? Is iOS secure? Is MySQL secure? Is Drupal secure? Is Node.JS secure? Is <insert browser> secure? Is Android secure? Is Rails secure? Is Windows Server secure? Is Shopify secure? You get the idea… This can get subjective, since some have a much better track record than others, and some are designed with security as a priority.
  16. 16. So.. banks aside, what would constitute as a high value target?
  17. 17. High traffic sites, anything with Personally Identifiable Information (PII), software vendors, service providers?
  18. 18. Credit card numbers aren’t the only form of sensitive information.
  19. 19. It’s really easy to say “something isn’t secure”.
  20. 20. It’s much harder to actually build something that is secure (knowing that there’s no such thing as absolute security).
  21. 21. The best answer is that if security is important, you need “people” working on it.
  22. 22. The Internet is a hostile environment. We need to have a healthy respect for this fact.
  23. 23. The current dilemma…
  24. 24. Hosting Providers
  25. 25. Plugins
  26. 26. Systems and Services
  27. 27. Users
  28. 28. Good Developers
  29. 29. Good Support, Ops and SysAdmins
  30. 30. A high value business needs good people, from all of these disciplines, working together.
  31. 31. h"p://www.sentrillion.com/images/img_defense-in-depth.jpg
  32. 32. Real example of a malicious file
  33. 33. You can’t rely only on tools, they won’t always detect a compromise.
  34. 34. Most WordPress security tools work by using signatures. For context, Kaspersky AV for Windows currently has around 500,000 signatures.
  35. 35. Scanning your site with online tools work only if your site has active malware, is defaced or blacklisted.
  36. 36. If a site has been compromised, it cannot be trusted.
  37. 37. example.com/index.php
  38. 38. example.com/otherapp/
  39. 39. example.com/*
  40. 40. example.com/*
  41. 41. Isolation Look out for a shared web root, addon domains in cPanel, or other web apps in subfolders.
  42. 42. We’re going to assume a fresh WordPress install, or restoration from a clean backup is needed
  43. 43. Places/things to check… •  Content/files (htaccess, index.php, sitemap.xml, anything custom) •  Running processes •  Running scripts, open files (look at full paths in processes) •  Memory •  Cron jobs •  Database •  Date and timestamps •  Suspicious plugins •  Suspicious directories/files •  Sitemaps/SERPs •  WordPress Admin Users •  Other users in GSC/WMT •  Code audit
  44. 44. Checking Content •  grep •  Screaming Frog (useful for finding JS) •  Sucuri SiteCheck •  UnmaskParasites.com •  Safe Browsing Site Status (Google)
  45. 45. Once the server has been compromised, it cannot be trusted.
  46. 46. Tools for Detection •  System Monitoring •  Integrity Monitoring •  Firewalls •  IDS/IPS •  Malware Scanners •  Logging
  47. 47. System Monitoring •  Resources (Bandwidth/CPU/RAM/IO) •  Logins •  Processes
  48. 48. Integrity Monitoring •  git •  wp-cli •  Any diff tools •  Plugins •  Tripwire (and similar)
  49. 49. wp-cli’s Verify Checksums $ wp core verify-checksums Success: WordPress install verifies against checksums. Thanks to @davemac for this Kp!
  50. 50. Firewalls •  Network Firewalls •  Web Application Firewalls •  Security Services
  51. 51. IDS/IPS •  Typically at the host level •  OSSEC
  52. 52. Malware Detection •  Security Plugins •  Commercial AV •  Public Site Scanning •  Google Search Console •  ConfigServer eXpliot Scanner (for WHM/ cPanel) •  Maldet/ClamAV
  53. 53. Logging •  /var/log (access, error, php) •  Centralised Logging or Log Shipping (Papertrail, Loggly, Splunk, Logstash etc.) •  Audit trails (Stream/WP Audit Trail etc.)
  54. 54. WPScan WordPress Scanner
  55. 55. WPSecurityBloggers.com
  56. 56. Use a security plugin (or manually harden) https://www.wordfence.com/ https://sucuri.net/ https://ithemes.com/security/
  57. 57. Final Words… Security issues typically occur because of certain patterns. Cleaning, restoring or rebuilding doesn’t address that. Compromised sites are much more likely to become compromised again. Get everyone on board to take security seriously.
  58. 58. Prevention and Response Hardening/Prevention: •  https://codex.wordpress.org/ Hardening_WordPress Post-hack/Response: •  https://sucuri.net/website-security/what- to-do-after-a-website-hack/
  59. 59. •  WordPress.org – wordpress.org/about/security – wordpress.org/news/category/security •  Verizon DBIR http://www.verizonenterprise.com/ •  verizon-insights-lab/dbir/ •  Sucuri https://sucuri.net/ •  WP White Security https://www.wpwhitesecurity.com/ •  OWASP http://owasp.org/
  60. 60. wpmelb.org/slack
  61. 61. Thanks and stay safe! @chrisburgess #wpmelb

×