WordPress Security

Published in: Technology
  • Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would

    1. WordPress Security – Jigar Pandya
    2. Know the Environment (7/30/2013)
       LAMP stack: Linux, Apache, MySQL, PHP
       • This is what it takes to run WordPress
       • Each contains its own laundry list of known vulnerabilities
       • Bare-bones
    3. Know the Application
       WordPress Core, Themes, Plugins, End-User
       • Today's problem
    4. Realistic Environment
       Linux operating system, Apache, WordPress, cPanel, Plesk, MySQL, myLittleAdmin, phpMyAdmin, etc., PHP modules
    5. Your Host
       • Who is your host?
       • How do you connect to the server? FTP, SFTP, SSH
       • What security does your host use? Do they use any web security?
       • What will your host do if you get hacked? Will they shut your site down? Will they kick you off their server? Will they fix it for you?
       IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
    6. Connecting
       • If you don't need it, disable it
       • SFTP / SSH is preferred
       • FTP works fine – disable it if you're not using it; don't talk to me if you are
       • FTP/SFTP != WP-ADMIN
       • Least privilege
         • You don't have to log in to FTP / SFTP with full root access
         • Not everyone needs to be an admin
         • You don't need to log in as admin
         • The focus is on the role, not the name of the user
       • Accountability – kill generic accounts – who is doing what?
    7. Attack Type
       Opportunistic:
       • Trolling the web looking for known vulnerabilities
       • Ability for mass exposure
       • Think "TimThumb"
       Targeted:
       • Big enterprises with large followings: WordPress.com, WooThemes
       • Worth investing time and energy to compromise, bigger return
    8. Automation is KEY
       Automation: Scan → Detect → Exploit → PWN
       • Targeted / opportunistic
       • Vulnerability scans
       • Brute force / data dictionary attacks
       • DDoS / DoS
       • XSS / CSRF
       • SQLi
    9. Blacklisting
       • Take a chill pill.. not the end of the world
       • Detect, Remove, Submit
    10. The MISTAKE
       • But why me?!?!?!
       • Forget the why, look at the how!!
    11. The How – "Own one, own them all" (Nothing fancy here.. the facts)
    12. Today's Exploits (You Control)
       Application:
       • Injections
       • Remote File Inclusion
       • Remote File Execution
       • Brute force / data dictionary
       • Privilege escalation
       Environment:
       • Brute force / data dictionary
       • Remote File Include
       • Remote File Execution
    13. Top 5 WordPress Infections
       • Backdoors – difficult to detect via HTTP
       • Injections – easy to detect via HTTP
       • Pharma hack – the best person to detect it is the owner; difficult to detect via HTTP
       • Malicious redirects – easy to detect via HTTP
       • Defacements – pretty obvious – you're now supporting the Syrian fight or preaching to your Turkish brothers
    14. Backdoor
       • Complete access via shell… kiss all hardening goodbye
       • Sad day.. good time to cry…
    15. Link Injection
       • Drive-by download attempt – think Fake AV / Adobe
       • Pharma links – erectile dysfunction (Viagra)
    16. PHARMA
       • Affiliate model
       • Multi-million dollar industry
       • Generates ~3.5k new clients daily
    17. Defacement
       • Hacktivism at its finest
       • Awareness to cause
    18. Common Vectors
       • Vulnerable software – often associated with out-of-date software; WordPress themes / plugins, more so than core
       • Cross-site contamination – soup kitchen servers
       • Compromised credentials – Password123, Password1, 111111a = not cool
       • Remote File Inclusion – leads to remote execution; think TimThumb, Uploadify, etc…
       "38% of us Would Rather Clean a Toilet Than Think of New Password" – Mashable
    19. Make it STOP (Simple is so much sweeter…)
       "The question isn't who is going to let me; it's who is going to stop me."
    20. The Key is Access
       • In almost all instances the key is access, whether via:
         • WP-ADMIN
         • SSH / SFTP (port 22)
         • FTP (port 21) => You are dead to me!!! :)
         • Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – you can't avoid zero-day events, but you can stay proactive once they are identified
       • Doesn't include environmental issues
       • Myth: remove Admin
       • Fact: cracking a 10-character password by brute force = 1,700 years. Today, dictionary attacks are the preferred method. Either way, it requires multiple scan attempts.
       • The "administrator" role matters more than the "administrator" or "admin" user name.
    21. This is What Matters – KISS
       From an access standpoint:
       • Server WAF
       • Application WAF
       • Two-factor authentication
       • Strong / unique password
       • Secure environment
       From a vulnerability standpoint:
       • Stay current
       • Use trusted sources
       • Avoid soup kitchen servers
       • Separate staging from production
       • Secure environment
    22. My Advice
       To the Average Joe:
       1. Kill PHP execution
       2. Disable theme / plugin editing via admin
       3. Connect securely – SFTP / SSH
       4. Use authentication keys in wp-config
       5. Use trusted sources
       6. Use a local antivirus – yes, Macs need one
       7. Verify your permissions – D 755 | F 644
       8. Least privilege
       9. Kill generic accounts – accountability
       10. Back up your site – yes, the database too
       To the Paranoid / Lucky:
       1. Don't let WordPress write to itself
       2. Filter by IP: SSH access, WP-ADMIN access, database access
       3. Use a dedicated server / VPS
       4. Employ a WAF / logging solution
       5. Enable SSL
    23. Kill PHP Execution
       • The idea is not to let them execute any PHP files. You do so by adding this to an .htaccess file in the directory of choice. Recommendation: wp-includes, uploads

           # PROTECT [Directory Name]
           <Files *.php>
           Deny from all
           </Files>

    24. Disable Plugin/Theme Editor
       • Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files.

           # Disable plugin / theme editor
           define('DISALLOW_FILE_EDIT', true);
    25. Recommended Plugins
       Clients:
       • Sucuri Security Premium
       • Duo Two-Factor Authentication
       • Theme-Check
       • BackupBuddy
       • Akismet
       Non-Clients:
       • Duo Two-Factor Authentication
       • Limit Login Attempts
       • Theme-Check
       • BackupBuddy
       • Akismet
    26. Know Where to Go, If… It Happens
       Support forums:
       • Hacked – http://wordpress.org/tags/hacked
       • Malware – http://wordpress.org/tags/malware
       • BadwareBusters – https://badwarebusters.org
       Online resources:
       • Sucuri Blog: http://blog.sucuri.net
       • SiteCheck Scanner: http://sitecheck.sucuri.net
       • Unmask Parasites: http://unmaskparasites.com
       • Perishable Press: http://perishablepress.com/category/web-design/security/
       • Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
    27. Blacklist Entities
       • Google – Chrome, Firefox; Search Engine Results Page (SERP)
         • http://www.google.com/webmaster/tools
         • http://www.google.com/safebrowsing/diagnostic?site=[your site]
       • Bing – Internet Explorer, Yahoo
         • http://www.bing.com/toolbox/webmaster/
       • Norton – SafeWeb browsing, Facebook
         • http://safeweb.norton.com/
       • AVG – Opera
         • http://www.avgthreatlabs.com/sitereports/
    28. Jigar Pandya – http://www.zealousweb.com – http://youritcoach.wordpress.com
