The moment my site got hacked - WordCamp Sofia


You always think it will never happen to you, but when it does, it's all hands on deck. My personal site was almost hacked, and since then I have actively looked at what I could improve. During this talk I will talk about what I had before and show all the improvements I made since then. It will be a mix of using the existing tools and my own creations for managing my sites.

  1. CodeKitchen at WordCamp Sofia 2015: Marko Heijnen presents "The moment my site got hacked"
  2. 0. The Story
  3. I have set things up
  4. Hardening WordPress
     - Difficult password
     - VPN access is required for admins to log in
     - Files can't be changed by PHP: define('DISALLOW_FILE_MODS', true);
     - Renamed wp-content folder
  5. Other positive effects
     - PHP-FPM with OPcache requires a restart
     - WordPress Network install
     - A lot of functionality is custom written
  6. And then it's all about having things up-to-date
  7. Normally I keep everything up-to-date
  8. But one plugin slipped my attention
  9. It all started with an internal e-mail at my job
  10. I started checking to see if I could reproduce it
  11. 😱😱😱
  12. 1. Shock & Denial
  13. Checking the log files showed how they managed it
  14. Checking the log files showed the failed
  15. Access log excerpt:
      - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
      - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
      - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
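The three log lines on the slide show the shape of the attack: a POST to an upload endpoint that answers 200, then the same client immediately asking for a .php file under wp-content. The block below is an added example, not the speaker's tool or any code from the talk: it parses lines in the layout seen on the slide and runs two checks over them, a direct rule for .php requests under wp-content that are not plugin or theme code, and a correlation rule for "successful POST, then stray PHP fetched by the same client within a window". The first three lines of SAMPLE_LOG are copied from the slide; the fourth is a constructed benign request. CONTENT_PREFIX is an assumption: the speaker renamed wp-content, so on his site it would need to be changed, which is also why the third slide line (the 404 on /content/file.php) is not flagged here.

```python
"""Added example, not part of the talk: two checks over access-log lines that
would have caught the sequence on the slide (and answer the later slides
"How to detect if it happens" and "Read the log files more often").

The first three lines of SAMPLE_LOG are the slide's; the fourth is constructed
here as a benign control. Assumed layout: client token, a second token,
[timestamp], "METHOD path PROTO", status, as on the slide."""
from datetime import datetime, timedelta
import re

SAMPLE_LOG = """\
- - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
- - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
- - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
198.51.100.7 - [20/Feb/2015:14:40:00 +0200] "GET /wp-content/themes/twentyfifteen/style.css HTTP/1.1" 200 4211 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+) \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" (?P<status>\d{3})'
)

# Assumed default layout; adjust if wp-content was renamed (the speaker's was).
CONTENT_PREFIX = "/wp-content/"
CODE_DIRS = tuple(CONTENT_PREFIX + d + "/" for d in ("plugins", "themes", "mu-plugins"))


def is_stray_php(path):
    """True for a .php under wp-content that is not plugin/theme/mu-plugin code;
    uploads/ is the classic place a dropped shell lands."""
    p = path.split("?", 1)[0].lower()
    return p.startswith(CONTENT_PREFIX) and p.endswith(".php") and not p.startswith(CODE_DIRS)


def parse(log_text):
    """Turn matching lines into dicts; lines in another layout are skipped."""
    entries = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            entries.append({
                "client": m["client"],
                "time": datetime.strptime(m["time"], "%d/%b/%Y:%H:%M:%S %z"),
                "method": m["method"],
                "path": m["path"],
                "status": int(m["status"]),
            })
    return entries


def analyze(log_text, window=timedelta(seconds=60)):
    """Return (rule, client, ...) tuples. Status is deliberately ignored in rule 1:
    a 301 or 404 on a stray .php still means someone expected it to be there."""
    entries = parse(log_text)
    findings = []
    for e in entries:
        if is_stray_php(e["path"]):
            findings.append(("stray_php_request", e["client"], e["path"], e["status"]))
    # Rule 2: a 200 on a POST, then the same client asks for stray PHP within the
    # window: the upload-then-execute shape of the attack on the slide.
    for p in entries:
        if p["method"] != "POST" or p["status"] != 200:
            continue
        for e in entries:
            if (e is not p and e["client"] == p["client"] and is_stray_php(e["path"])
                    and p["time"] <= e["time"] <= p["time"] + window):
                findings.append(("upload_then_fetch", p["client"], p["path"], e["path"]))
                break
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG):
        print(*finding)
```

Run against the slide's lines this reports the 301 on /wp-content/file.php as a stray PHP request and pairs it with the POST to //?var=upload one second earlier; the theme stylesheet request is not flagged. The client column on the slide is redacted to "-", which is why the correlation key is that token; on a real log it is the remote address.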
  16. 2. Anger
  17. Having that stupid rewrite
  18. Why didn't I update my plugins?
  19. Why didn't I have any protection for this in place?
  20. 3. Understanding
  21. Understanding
     - Where do I need to fix it?
     - Is it something a host could have prevented?
     - Why was someone trying to hack my site?
     - Where do you protect?
  22. Protection flow
     - Server (DDoS / rate limits / login attempts)
     - App / Site (app-specific security / support)
     - Network (DDoS protection)
  23. 4. Working Through
  24. Start fixing things
  25. Start fixing things
     - Check the upload directory for more PHP files
     - Never allow PHP to be executed inside uploads
     - Update all plugins
     - See if everything is still untouched
  26. I was lucky: I have git. But what about you?
  27. Checksum checker
     - Not for WordPress core but for your plugins and themes
     - Checks the hashes of your files against the hashes of the originals
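The checker on the slide compares the hashes of installed plugin and theme files with the hashes of the originals. The block below is an added example of that idea, not the speaker's tool: it hashes a known-clean copy of a plugin (assumed to be the same version unpacked from a fresh download) and the live directory, and reports files that differ, files the live copy lost, and files that appeared. A site under git gets the same answer from `git status`; this is for the sites on the slide that are not. The two trees are constructed for the demo.

```python
"""Added example, not the speaker's tool: compare a live plugin or theme
directory against a known-clean copy of the same version, file by file.

Assumed: both trees are on local disk; paths are reported relative to each root."""
import hashlib
import os
import tempfile


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large uploads do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def manifest(root):
    """Map relative path (with /) -> sha256 for every regular file under root."""
    out = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            out[rel] = sha256_file(path)
    return out


def compare(reference_root, live_root):
    """Three sorted lists: modified (hash differs), missing (only in the
    reference) and added (only in the live copy, the usual sign of a dropped file)."""
    ref, live = manifest(reference_root), manifest(live_root)
    return {
        "modified": sorted(p for p in ref if p in live and ref[p] != live[p]),
        "missing": sorted(p for p in ref if p not in live),
        "added": sorted(p for p in live if p not in ref),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as fh:
        fh.write(data)


def build_sample_trees():
    """Constructed fixture: a three-file 'plugin' and a live copy in which one
    file was appended to, one was deleted and one was dropped in."""
    base = tempfile.mkdtemp(prefix="checksum-demo-")
    ref = os.path.join(base, "reference", "example-plugin")
    live = os.path.join(base, "live", "example-plugin")
    clean = {
        "example-plugin.php": b"<?php\n/* Plugin Name: Example */\n",
        "inc/helper.php": b"<?php\nfunction example_helper() {}\n",
        "readme.txt": b"=== Example ===\n",
    }
    for root in (ref, live):
        for rel, data in clean.items():
            _write(root, rel, data)
    # Tamper with the live copy the way a compromise would.
    _write(live, "example-plugin.php", clean["example-plugin.php"] + b"/* injected */\n")
    os.remove(os.path.join(live, "readme.txt"))
    _write(live, "cache.php", b"<?php /* not part of the plugin */\n")
    return ref, live


if __name__ == "__main__":
    ref, live = build_sample_trees()
    for kind, paths in compare(ref, live).items():
        print(kind, paths)
```

An "added" .php file under a plugin or theme directory deserves the same attention as one under uploads; "modified" hits in files you never edited are the injected backdoors, and a clean run is what the slide's "see if everything is still untouched" step wants to see.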
  28. How to prevent things like this happening again?
  29. Application firewall
     - Something that actively protects you against vulnerabilities such as cross-site scripting (XSS) and SQL injection
     - Sucuri or CloudFlare as a service
     - NinjaFirewall as a plugin
     - Currently I'm using ModSecurity
     - Now looking at the rule sets of
  30. How to detect if it happens
  31. Built a custom tool
  32. List of all sites
  33. General overview of a site
  34-36. Security checks for the site
  37. List of all servers
  38. 5. Acceptance & Hope
  39. Things I learned from this
  40. It can happen to anyone
  41. Things I learned
     - Read the log files more often
     - Don't expect plugin developers to announce publicly that they have or had security issues
     - Work proactively on securing my site
     - Check out the latest and greatest tools for securing and checking your sites
  42. Last but not least: some questions for you
  43. Some questions for you
     - What do you do yourself?
     - How well is your wp-login.php protected?
     - What does your host do to protect you?
     - Did you harden your site?
     - How secure are your backups?
  44. Do you know what people are trying to do to your site?
  45. Marko Heijnen
     - Founder of CodeKitchen
     - Ex-lead developer of GlotPress
     - Core contributor for WordPress
     - Organizer for WordCamp Belgrade
  46. Marko Heijnen, @markoheijnen
  47. Thank you for listening. Questions?