ACCESS DENIED: KEEPING YOURSELF OFF AN ATTACKER’S RADAR
Paul Gilzow

gilzow@missouri.edu

Twitter: @gilzow

Facebook: https://fb.com/gilzow

https://www.linkedin.com/in/gilzow
TL;DSWTGMC SUMMARY (Too Long; Didn’t Stay, Went to Get More Coffee)
▸ Implicitly deny
▸ Defense-in-depth
WHY DO ATTACKERS TARGET YOU
▸Your site resources
▸Your domain
▸Your SEO reputation
▸Your visitors
WHY WORDPRESS IS AN ATTRACTIVE TARGET
▸ Market share
▸ Open Source
▸ Extremely easy to set up and get running, not so easy to secure
▸ Anyone can create and submit a theme/plugin
“WHAT MAKES WORDPRESS SO INSECURE IS THAT IT'S HIGHLY EXTENSIBLE AND EASY TO USE; WORDPRESS SECURITY ISSUES REVOLVE ALMOST ENTIRELY AROUND THIS EXTENSIBILITY AND EASINESS OF USE.”
Tony Perez, @perezbox
CURRENT STATE OF WORDPRESS SECURITY
▸ Most compromises occur through:
  ▸ Vulnerable plugins and themes
  ▸ Weak passwords
  ▸ WordPress out of date
AS AN OWNER/MAINTAINER OF A WORDPRESS SITE, IT IS YOUR RESPONSIBILITY TO BE PARANOID
SO WHAT DO WE DO?
DEFENSE-IN-DEPTH
WPSCAN: PASSIVE (NON-INTRUSIVE) SCAN
▸ robots.txt
▸ Interesting headers
▸ Multisite
▸ Must-use plugins
▸ XML-RPC
▸ WordPress version
▸ Plugins/themes
WPSCAN: ACTIVE SCAN
▸ Scans for signs of vulnerable plugins
▸ Scans for signs of vulnerable themes
▸ Scans for signs of TimThumb
▸ Attempts to enumerate user account names
COUNTER MEASURES
▸ Prevent PHP execution in /wp-content/uploads/
▸ Protect wp-content completely
  ▸ Not only prevent PHP execution, but
  ▸ Implicit deny (only allow what is necessary and expected)
▸ Protect wp-includes
▸ Protect wp-admin
  ▸ Restrict by network, e.g. 64.85.59.68 → 64.85.0.0/16
▸ Protect the root
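The five steps above as one set of per-directory Apache rules. This is an added example written for this page, not the talk's own files (those are in the repository linked on the contact slide); it assumes Apache 2.4 with AllowOverride All for the document root, and it reuses the slide's 64.85.0.0/16 as the administrators' network. The allow lists of static file types are mine: extend them to whatever your theme or plugins actually serve.

```apache
# ---- wp-content/uploads/.htaccess -------------------------------------------
# Step 1: nothing in uploads may run as PHP, whatever the upload filter let through.
# No trailing "$": hosts that map PHP with AddHandler execute shell.php.jpg as well.
<FilesMatch "\.(php[0-9]?|phtml|phar|inc)(\.|$)">
    Require all denied
</FilesMatch>

# ---- wp-content/.htaccess ---------------------------------------------------
# Step 2: implicit deny for the whole tree. Refuse everything first, then grant only
# the static asset types a theme or plugin legitimately serves to a browser. Apache
# merges <FilesMatch> sections in the order written, so the later grant wins for the
# listed types and everything else (PHP, readme.txt, backups, .git) stays denied.
<FilesMatch ".*">
    Require all denied
</FilesMatch>
<FilesMatch "\.(css|js|map|jpe?g|png|gif|svg|webp|ico|woff2?|ttf|otf|eot|mp3|mp4|webm|pdf)$">
    Require all granted
</FilesMatch>

# ---- wp-includes/.htaccess --------------------------------------------------
# Step 3: same pattern. A browser never needs a PHP file here, with one 4.x-era
# exception: the compressed editor bundle js/tinymce/wp-tinymce.php (later releases
# replaced it with a plain .js file; drop the <Files> block once it is gone).
<FilesMatch ".*">
    Require all denied
</FilesMatch>
<FilesMatch "\.(css|js|map|jpe?g|png|gif|svg|webp|ico|woff2?|ttf|otf|eot)$">
    Require all granted
</FilesMatch>
<Files "wp-tinymce.php">
    Require all granted
</Files>

# ---- wp-admin/.htaccess -----------------------------------------------------
# Step 4: only the administrators' network reaches the dashboard scripts. The slide's
# example takes one admin workstation, 64.85.59.68, and allows its /16 instead.
<FilesMatch "\.php$">
    Require ip 64.85.0.0/16 127.0.0.1 ::1
</FilesMatch>
# Two admin scripts are legitimately called by anonymous visitors (front-end AJAX
# and form handlers), so they stay world-reachable.
<FilesMatch "^admin-(ajax|post)\.php$">
    Require all granted
</FilesMatch>

# ---- /.htaccess (keep the "# BEGIN WordPress" rewrite block beside this) -----
# Step 5: the root holds wp-config.php, readme.html, license.txt, xmlrpc.php and
# whatever backups or dumps got left behind. Deny scripts and text files, then
# re-grant the few entry points WordPress needs. Pretty permalinks rewrite to
# index.php, which stays granted. <FilesMatch> here matches by file name in every
# subdirectory too, which is why the per-directory files above re-grant their own.
<FilesMatch "\.(php|html?|txt|md|log|sql|bak|old|orig|save|swp|ini)$">
    Require all denied
</FilesMatch>
<FilesMatch "^(index|wp-comments-post|wp-cron)\.php$">
    Require all granted
</FilesMatch>
# The login form lives in the root, not in wp-admin: same network as the dashboard.
<Files "wp-login.php">
    Require ip 64.85.0.0/16 127.0.0.1 ::1
</Files>
# Deliberately not re-granted: xmlrpc.php, wp-trackback.php, wp-links-opml.php,
# wp-mail.php. Re-grant one only for a client you actually use (the mobile apps and
# Jetpack talk to xmlrpc.php). Multisite also needs wp-activate.php and wp-signup.php.
```

Two caveats before relying on this. `Require ip` sees the address of whatever connects to Apache, so behind a CDN or reverse proxy it sees the proxy; configure mod_remoteip with the proxy's addresses first or the allow list lets everyone in. And nginx ignores .htaccess entirely; the same implicit-deny logic has to be expressed as `location` blocks there. Verify from outside the allowed network with `curl -I`: a plugin's readme.txt (which is how WPScan reads plugin versions), xmlrpc.php and anything under wp-admin should answer 403, while theme CSS and admin-ajax.php still answer 200. If a plugin turns out to need a PHP file requested directly, re-grant that one file by name rather than weakening the pattern.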
COUNTER MEASURES: ACCOUNT ENUMERATION
▸ Prevent ?author= redirection
▸ Disable account name as author permalink
▸ Remove author account from classes
▸ Remove user “slug” property from users endpoint in REST API
▸ Remove users endpoint from REST API
▸ Remove default login failure error messages
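The account-enumeration countermeasures above as one must-use plugin. This is an added example written for this page, not the talk's own code; the `ad_*` function names, the `author-<hash>` slug scheme and the generic login message are my choices, and the file assumes pretty permalinks (with plain permalinks `?author=N` is the author archive URL itself, so step 1 would have to 404 author archives entirely).

```php
<?php
/**
 * Plugin Name: Access Denied: account-enumeration countermeasures (added example)
 * Description: Drop into wp-content/mu-plugins/ so it loads before every plugin.
 *
 * Example code for this page, not the talk's own files. Assumes pretty permalinks.
 */

defined('ABSPATH') || exit;

// 1. Prevent the ?author=N redirection. WordPress's canonical redirect turns
//    /?author=1 into /author/<user_nicename>/, handing the scanner the account name.
//    redirect_canonical() runs on template_redirect at priority 10, so answer 404 first.
add_action('template_redirect', function () {
    if (!isset($_GET['author'])) {
        return;
    }
    global $wp_query;
    $wp_query->set_404();
    status_header(404);
    nocache_headers();
}, 0);

// 2. Disable the account name as author permalink. The nicename defaults to the
//    sanitized login; swap in an opaque slug whenever an account is created or saved.
//    Existing accounts need a one-off update (see the note below the listing).
function ad_opaque_nicename($user_id)
{
    $user = get_userdata($user_id);
    // Nothing to do once the slug no longer equals the login. This also ends the
    // recursion, because wp_update_user() fires profile_update again.
    if (!$user || $user->user_nicename !== sanitize_title($user->user_login)) {
        return;
    }
    wp_update_user([
        'ID'            => $user_id,
        'user_nicename' => 'author-' . substr(wp_hash('nicename:' . $user_id), 0, 8),
    ]);
}
add_action('user_register', 'ad_opaque_nicename');
add_action('profile_update', 'ad_opaque_nicename');

// 3. Remove the author account from CSS classes. Author archives get body classes
//    author-<nicename> and author-<ID>; comments get comment-author-<nicename>.
function ad_strip_author_classes(array $classes)
{
    return array_values(array_filter($classes, function ($class) {
        return !preg_match('/^(comment-)?author-/', $class);
    }));
}
add_filter('body_class', 'ad_strip_author_classes');
add_filter('comment_class', 'ad_strip_author_classes');

// 4. REST API. /wp-json/wp/v2/users lists every account, slug (= nicename) included,
//    to anyone. Remove the listing and single-user routes for anonymous requests;
//    logged-in users keep them (the editor needs /users and /users/me). A cookie
//    session without a REST nonce counts as anonymous here, by WordPress's own rule.
add_filter('rest_endpoints', function (array $endpoints) {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
// Belt and braces: wherever a user record is still returned (e.g. ?_embed on posts),
// drop the slug property.
add_filter('rest_prepare_user', function (WP_REST_Response $response) {
    $data = $response->get_data();
    unset($data['slug']);
    $response->set_data($data);
    return $response;
});

// 5. Remove the default login failure messages: the stock texts differ for an unknown
//    username and a wrong password, which is itself an oracle for valid accounts.
//    (This filter also covers the empty-field messages; they get the same text.)
add_filter('login_errors', function () {
    return 'Login failed.';
});
```

Step 2 only fires on save, so accounts that already exist keep their login-derived slug until updated once, e.g. with WP-CLI: `wp user update <id> --user_nicename=author-<something opaque>`. Afterwards, `curl -sI https://example.org/?author=1` should return 404 rather than a 301 to `/author/<name>/`, an anonymous `curl -s https://example.org/wp-json/wp/v2/users` should return the `rest_no_route` error, and `wpscan --url https://example.org --enumerate u` should come back empty. None of this hides a name the author chose to publish as a display name or in a byline; it removes the places where the login name leaks by default.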
SUMMARY
▸ Be paranoid; be skeptical
▸ Uninstall plugins/themes that aren’t in use
▸ Disable PHP from executing where it shouldn’t
▸ Limit access to everything where you can
SUMMARY CONT.
▸Implicitly deny
▸Defense-in-depth
In other words…
“[SECURITY IS A] CONTINUOUSLY MOVING
TARGET… THAT REQUIRES CONSTANT
VIGILANCE TO UNDERSTAND AND
APPRECIATE.”
Tony Perez, @perezbox
WHAT QUESTIONS DO YOU HAVE FOR ME?
CONTACT
▸ gilzow@missouri.edu
▸ @gilzow on Twitter
▸ gilzow on wordpress.org
▸ Files: https://github.com/gilzow/access-denied/ (wckc2017 branch)