CodeKitchen
Protecting your site by detection
Marko Heijnen
Marko Heijnen
• Founder of CodeKitchen
• Lead developer of GlotPress
• Core contributor for WordPress
• Plugin developer
• Organizer for WordCamp Belgrade
• Using lots of (new) technologies
Recently lots of security issues got reported
Stats first 5 months of 2015
• 3 core security updates
• Cross-site scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions
• Cross-site scripting (XSS) vulnerability inside the popular Jetpack plugin and the default Twenty Fifteen theme because of Genericons
I almost got hacked
Not only your site but also your server
My server setup
Loadbalancer
Webserver 1
Webserver 2
Memcached
Elasticsearch
MariaDB
My server setup
Public Private
Loadbalancer
Webserver 1
Webserver 2
Memcached
Elasticsearch
MariaDB
Do you know if you are currently hacked???
Protecting is silver
Detecting is gold
What can you detect
Detection of your install
• Updates of WordPress, Plugins and themes
• Failed login attempts
• Security issues in plugins and themes
• Security enhancements reported by core
• List of plugins/themes you don’t use
Detection of the server
• Updates of server software
• Failed login attempts
Detection what is going on
• Requests to plugins you don’t have (404s)
• Permissions of your folders/files
• Check if files got changed (Core, plugins, themes)
• Check if files got added (Core, plugins, themes)
• What is in your uploads folder (PHP files)
How I do it
Software for security I use
• modsecurity / UFW on every server (default blocks all)
• fail2ban
• apticron (only 1 per matching type)
• apt-dater-host (in combination with apt-dater)
• Own code
Apticron
• Cronjob checking if there are updates
• Mail you when there are updates
• Can mail the total list or only new updates
Apt-dater and Apt-dater-host
• Terminal-based remote package update manager
• A tool to manage a lot of servers
• Grouped same servers
• Install and update packages
My server setup (diagram: which tool runs on which server)
Tools shown: fail2ban, modsecurity, ufw, apticron (web1), apt-dater-host
Servers shown: Loadbalancer, Webserver 1, Webserver 2, Memcached, Elasticsearch, MariaDB
Use WordPress to manage WordPress
Features
• List all Linux packages
• List all PECL updates
• Shows if WP-CLI needs updating
• Restart services
Features
• List all WordPress updates
• Ability to perform updates when allowed
• Checksum scans
• Upload directory scans
• Doing backups
• Send WP CLI command
List of all servers
List of all sites
General overview of a site
Security checks for the site
WP Central
WP Central API
• http://wpcentral.io/api/
• First started with contributors
• After that stats
• Now creating checksums for plugins and themes
• Soon: similar functionality to wpvulndb.com
Node.js server
• WordPress calls a microserver (nginx)
• nginx calls the node.js server
• Returns the data when it exists
• Returns an error when it does not, and generates the checksums in the background
WP Central API
• http://wpcentral.io/api/checksums/theme/twentyfifteen/1.2
• [{"code":"wpcentral_server_error","message":"Generating checksums"}]
• [{"file":"header.php","checksum":"c0919b5f4b6e4f3a58b858b2305e9146"},{},{},{},{},{},{},{},{},{},{},{},{},{}]
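An added example (not code from the talk or from WP Central) that puts the "Detection what is going on" checks and the checksum API format together: it compares an installed theme against a manifest in the same JSON shape as the API response, reports changed, added and missing files, and scans the uploads directory for PHP files. The theme name, file names, checksums and uploads tree below are constructed in a temp directory; the real API's values are not assumed.

```python
import hashlib
import json
import tempfile
from pathlib import Path

def md5_of(path):
    """MD5 hex digest, the same 32-hex-char form the checksum API returns."""
    return hashlib.md5(Path(path).read_bytes()).hexdigest()

def local_checksums(root):
    """Map of relative path -> md5 for every file below root (the installed theme/plugin)."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): md5_of(p) for p in root.rglob("*") if p.is_file()}

def compare_with_manifest(root, manifest):
    """manifest is the parsed API list: [{"file": "header.php", "checksum": "..."}, ...]."""
    expected = {entry["file"]: entry["checksum"] for entry in manifest}
    actual = local_checksums(root)
    return {
        "changed": sorted(f for f in expected if f in actual and actual[f] != expected[f]),
        "added": sorted(f for f in actual if f not in expected),
        "missing": sorted(f for f in expected if f not in actual),
    }

def php_in_uploads(uploads_root):
    """Uploads should hold media only; any PHP-like file there is worth an alert."""
    root = Path(uploads_root)
    return sorted(p.relative_to(root).as_posix() for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in {".php", ".phtml", ".php5", ".phar"})

def demo():
    """Constructed theme and uploads trees: build a clean manifest, then tamper and scan."""
    tmp = Path(tempfile.mkdtemp())
    theme = tmp / "twentyfifteen"
    (theme / "inc").mkdir(parents=True)
    for name, body in [("header.php", "<?php // constructed header\n"),
                       ("footer.php", "<?php // constructed footer\n"),
                       ("inc/template-tags.php", "<?php // constructed\n")]:
        (theme / name).write_text(body)
    # JSON in the same shape as the checksum API response, taken while the files are clean.
    manifest_json = json.dumps([{"file": f, "checksum": c} for f, c in local_checksums(theme).items()])
    (theme / "header.php").write_text("<?php // modified after install\n")        # changed
    (theme / "inc" / "extra.php").write_text("<?php // file that should not exist\n")  # added
    (theme / "footer.php").unlink()                                                # missing
    uploads = tmp / "uploads" / "2015" / "05"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "not-an-image.php").write_text("<?php // constructed planted file\n")
    return compare_with_manifest(theme, json.loads(manifest_json)), php_in_uploads(tmp / "uploads")
```

In production the manifest would come from the API call shown above (and be cached locally), and the report would go to whatever alerting the rest of the setup already uses.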
WP-CLI
Ideas are more than welcome
Other solutions
• VaultPress
• ManageWP / WP Remote / InfiniteWP
• Sucuri
There are WordPress plugins you could use
But you should not trust that they do it all
The next steps
Log aggregation
• Logstash
• Fluentd
• OSSEC
OSSEC
• An Open Source Host-based Intrusion Detection System
• Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response
• Works with a manager and agents
• https://hackertarget.com/defending-wordpress-ossec/
Thank you for listening
Questions?
@markoheijnen
markoheijnen.com
codekitchen.eu