
Access Denied

Keeping yourself off an attacker's radar. After performing the basic WordPress hardening steps, what next? In this talk we look at black-box scanning tools to discover what data our sites are leaking, and at steps to stop those leaks.

Published in: Technology

  1. ACCESS DENIED: KEEPING YOURSELF OFF AN ATTACKER’S RADAR
     Paul Gilzow
     gilzow@missouri.edu
     Twitter: @gilzow
     Facebook: https://fb.com/gilzow
     https://www.linkedin.com/in/gilzow
  2. TL;DSWTGMC SUMMARY (Too Long; Didn’t Stay, Went to Get More Coffee) ▸ Implicitly deny ▸ Defense-in-depth
  3. WHY DO ATTACKERS TARGET YOU? ▸ Your site resources ▸ Your domain ▸ Your SEO reputation ▸ Your visitors
  4. WHY WORDPRESS IS AN ATTRACTIVE TARGET ▸ Market share ▸ Open source ▸ Extremely easy to set up and get running, not so easy to secure ▸ Anyone can create and submit a theme/plugin
  5. “WHAT MAKES WORDPRESS SO INSECURE IS THAT IT'S HIGHLY EXTENSIBLE AND EASY TO USE; WORDPRESS SECURITY ISSUES REVOLVE ALMOST ENTIRELY AROUND THIS EXTENSIBILITY AND EASINESS OF USE.” Tony Perez, @perezbox
  6. CURRENT STATE OF WORDPRESS SECURITY ▸ Most compromises occur through: ▸ vulnerable plugins and themes ▸ weak passwords ▸ out-of-date WordPress core
  7. AS AN OWNER/MAINTAINER OF A WORDPRESS SITE, IT IS YOUR RESPONSIBILITY TO BE PARANOID
  8. SO WHAT DO WE DO?
  9. DEFENSE-IN-DEPTH
  10. WPSCAN: PASSIVE (NON-INTRUSIVE) SCAN ▸ robots.txt ▸ Interesting headers ▸ Multisite ▸ Must-use plugins ▸ XML-RPC ▸ WordPress version ▸ Plugins/themes
  11. WPSCAN: ACTIVE SCAN ▸ Scans for signs of vulnerable plugins ▸ Scans for signs of vulnerable themes ▸ Scans for signs of TimThumb ▸ Attempts to enumerate user account names
  12. COUNTER MEASURES ▸ Prevent PHP execution in /wp-content/uploads/
  13. COUNTER MEASURES ▸ Prevent PHP execution in /wp-content/uploads/ ▸ Protect wp-content completely: not only prevent PHP execution, but ▸ implicitly deny (only allow what is necessary and expected)
  14. COUNTER MEASURES ▸ Protect wp-content ▸ Prevent PHP execution ▸ Implicit deny (only allow what is necessary and expected) ▸ Protect wp-includes
  15. COUNTER MEASURES ▸ Protect wp-content ▸ Prevent PHP execution ▸ Implicit deny (only allow what is necessary and expected) ▸ Protect wp-includes ▸ Protect wp-admin
  16. 64.85.59.68 —> 64.85.0.0/16 (a single client address, and the /16 network that contains it, as the scope of a wp-admin allowlist)
  17. COUNTER MEASURES ▸ Protect wp-content ▸ Prevent PHP execution ▸ Implicit deny (only allow what is necessary and expected) ▸ Protect wp-includes ▸ Protect wp-admin ▸ Protect the root
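The access-control side of slides 12 to 17 (no PHP in uploads, implicit deny in wp-content, the include-only files, an IP allowlist on wp-admin, and the root), written out as an added example. This is not code from the talk or from the speaker's GitHub repository. It assumes Apache 2.4 (mod_authz_core `Require` syntax, with `AllowOverride` permitting AuthConfig and FileInfo in `.htaccess`) and a single-site install; the list of allowed static extensions and the set of blocked root files are assumptions, the include-only rewrite rules are the ones published on the WordPress Codex "Hardening WordPress" page, and 64.85.0.0/16 is the network shown on slide 16.

```apache
# ---- wp-content/uploads/.htaccess : nothing under the upload tree may execute ----
# "(\.|$)" matches the extension anywhere in the name, so "shell.php.jpg" is refused
# too; a plain "\.php$" would let it through on servers with multi-extension handlers.
<FilesMatch "\.(php[0-9]?|phtml|phar|phps|pl|py|cgi|sh)(\.|$)">
    Require all denied
</FilesMatch>

# ---- wp-content/.htaccess : implicit deny, then grant only expected static assets ----
# (extension list is an assumption; extend it from 403s seen in the access log on staging)
Require all denied
<FilesMatch "\.(css|js|json|map|jpe?g|png|gif|svg|webp|ico|woff2?|ttf|otf|eot|mp3|mp4|pdf|txt)$">
    Require all granted
</FilesMatch>

# ---- wp-admin/.htaccess : only the 64.85.0.0/16 network from slide 16, plus localhost ----
Require ip 64.85.0.0/16 127.0.0.1 ::1
# admin-ajax.php is called from the public front end by many plugins and themes,
# so it must stay reachable from everywhere.
<Files "admin-ajax.php">
    Require all granted
</Files>

# ---- root .htaccess, placed ABOVE the "# BEGIN WordPress" block ----
# Include-only files: rule set from the WordPress Codex "Hardening WordPress" page.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteRule ^wp-admin/includes/ - [F,L]
    RewriteRule !^wp-includes/ - [S=3]
    RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
    RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
    RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>

# Root files a visitor never needs (assumed set): config, version leak, XML-RPC.
<FilesMatch "^(wp-config\.php|wp-config-sample\.php|xmlrpc\.php|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

# wp-login.php lives in the root, not in wp-admin, so the wp-admin allowlist
# does not cover it; give it the same allowlist (assumption: logins only from campus).
<Files "wp-login.php">
    Require ip 64.85.0.0/16 127.0.0.1 ::1
</Files>
```

Checks before going live: deploy on staging first and grep the access log for 403s, since a plugin that serves its own PHP from wp-content will break under the implicit deny (fix the plugin or add a narrow `<Files>` grant, not a blanket one). On multisite the Codex notes that the `^wp-includes/[^/]+\.php$` rule must be removed because ms-files.php is served from there. Denying xmlrpc.php also disables Jetpack and the mobile apps; if those are in use, allowlist their addresses instead of denying outright. On Apache 2.2 the `Require` lines become `Order Deny,Allow` / `Deny from all` / `Allow from 64.85.0.0/16`.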
  18. COUNTER MEASURES: ACCOUNT ENUMERATION ▸ Prevent ?author= redirection
  19. COUNTER MEASURES: ACCOUNT ENUMERATION ▸ Prevent ?author= redirection ▸ Disable account name as author permalink
  20. COUNTER MEASURES: ACCOUNT ENUMERATION ▸ Prevent ?author= redirection ▸ Disable account name as author permalink ▸ Remove author account from classes
  21. COUNTER MEASURES: ACCOUNT ENUMERATION ▸ Prevent ?author= redirection ▸ Disable account name as author permalink ▸ Remove author account from classes ▸ Remove user “slug” property from users endpoint in REST API
  22. COUNTER MEASURES: ACCOUNT ENUMERATION ▸ Prevent ?author= redirection ▸ Disable account name as author permalink ▸ Remove author account from classes ▸ Remove users endpoint from REST API ▸ Remove default login failure error messages
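The account-enumeration countermeasures of slides 18 to 22, collected into one must-use plugin as an added example; this is not the talk's code and not the contents of the speaker's repository. It assumes the file is dropped into `wp-content/mu-plugins/`, that WordPress' own `redirect_canonical` still runs on `template_redirect` at priority 10 (so the block is registered at priority 0), and that `/wp/v2/users`, `/wp/v2/users/(?P<id>[\d]+)` and `/wp/v2/users/me` are the routes the users controller registers. The generic error text, the `author-` prefix for random slugs, and the choice to keep the numeric `author-{ID}` class are assumptions. The enumeration-specific logic is kept in plain functions so it can be read and exercised without WordPress; only the `if (defined('ABSPATH'))` section touches WordPress.

```php
<?php
/**
 * Plugin Name: Access Denied - account enumeration countermeasures (added example)
 * Description: Illustrative mu-plugin, not the talk's own code.
 *              Save as wp-content/mu-plugins/access-denied-enumeration.php
 */

declare(strict_types=1);

namespace AccessDeniedExample;

/* ---- Pure helpers: no WordPress dependency, so the logic can be checked on its own ---- */

/**
 * Remove `author-{nicename}` (added by body_class on author archives) and
 * `comment-author-{nicename}` (added by comment_class). The numeric
 * `author-{ID}` variant is kept (assumption): it reveals no login name.
 */
function strip_author_classes(array $classes): array
{
    return array_values(array_filter($classes, static function ($class): bool {
        return preg_match('/^(comment-)?author-(?!\d+$)/', (string) $class) !== 1;
    }));
}

/** REST user objects: drop the `slug` field (the user_nicename used in author URLs). */
function strip_user_slug(array $data): array
{
    unset($data['slug']);
    return $data;
}

/** REST route map: remove the users routes, but only for unauthenticated callers. */
function remove_user_routes(array $endpoints, bool $authenticated): array
{
    if ($authenticated) {
        return $endpoints;   // the block editor's author selector needs /wp/v2/users
    }
    foreach (['/wp/v2/users', '/wp/v2/users/(?P<id>[\d]+)', '/wp/v2/users/me'] as $route) {
        unset($endpoints[$route]);
    }
    return $endpoints;
}

/** One message for every login failure: never confirm that a username exists. */
function generic_login_error(): string
{
    return 'Login failed. Check your username and password and try again.';
}

/* ---- WordPress wiring: only executed when WordPress loads this file ---- */
if (defined('ABSPATH')) {
    // /?author=N on the front end: redirect_canonical (template_redirect, priority 10)
    // would answer "301 -> /author/{nicename}/". Run first and refuse the request.
    add_action('template_redirect', static function (): void {
        if (!is_admin() && isset($_GET['author'])) {
            status_header(403);
            nocache_headers();
            exit;
        }
    }, 0);

    // New accounts: make the author permalink slug (user_nicename) differ from the
    // login name. WordPress derives the default slug with sanitize_title($user_login).
    add_action('user_register', static function ($user_id): void {
        $user = get_userdata((int) $user_id);
        if ($user && $user->user_nicename === sanitize_title($user->user_login)) {
            wp_update_user([
                'ID'            => (int) $user_id,
                'user_nicename' => 'author-' . wp_generate_password(8, false), // random, not a login
            ]);
        }
    });

    add_filter('body_class', __NAMESPACE__ . '\strip_author_classes');
    add_filter('comment_class', __NAMESPACE__ . '\strip_author_classes');

    add_filter('rest_prepare_user', static function ($response) {
        $response->set_data(strip_user_slug((array) $response->get_data()));
        return $response;
    });

    add_filter('rest_endpoints', static function (array $endpoints): array {
        return remove_user_routes($endpoints, is_user_logged_in());
    });

    add_filter('login_errors', __NAMESPACE__ . '\generic_login_error');
}
```

Existing accounts keep whatever nicename they already have; the `user_register` hook only covers new ones, so run the same comparison once over `get_users()` when installing this. After enabling it, confirm with wpscan's user enumeration (the active scan on slide 11) that `/?author=1`, `/wp-json/wp/v2/users` and the login form no longer return a username, and check that the block editor still lists authors for a logged-in editor.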
  23. SUMMARY ▸ Be paranoid; be skeptical ▸ Uninstall plugins/themes that aren’t in use ▸ Disable PHP from executing where it shouldn’t ▸ Limit access to everything where you can
  24. SUMMARY, CONT. In other words… ▸ Implicitly deny ▸ Defense-in-depth
  25. “[SECURITY IS A] CONTINUOUSLY MOVING TARGET… THAT REQUIRES CONSTANT VIGILANCE TO UNDERSTAND AND APPRECIATE.” Tony Perez, @perezbox
  26. WHAT QUESTIONS DO YOU HAVE FOR ME?
  27. CONTACT ▸ gilzow@missouri.edu ▸ @gilzow on Twitter ▸ gilzow on wordpress.org ▸ Files: https://github.com/gilzow/access-denied/, wckc2017 branch
