WORDPRESS SECURITY
    The “No-BS” Version
SUCURI@WORDCAMP# WHOIS PEREZBOX
•   Name: Tony Perez
•   Street name: The Hulk
•   Handle: Perezbox
•   Company: Sucuri
•   Occupation: Executive / Owner
•   Likes: Guns, InfoSec, Harley's, MMA
•   Personality: Rational / Objective = Turd
•   Location: Menifee, California




@PEREZBOX @SUCURI_SECURITY @TONYONSECURITY
#WCCHX
                                               10/15/2012   2
TODAY'S CHALLENGES
• Administration
• Extensibility
• Credentials
• End-users
• Education




“The user’s going to pick dancing pigs over security every time.”
                                              - Bruce Schneier




Check yourself before you wreck yourself

KNOWLEDGE

KNOW THE ENVIRONMENT
LAMP stack: Linux, Apache, MySQL, PHP
• This is what it takes to run WordPress
• Each layer carries its own laundry list of known vulnerabilities
• Bare-bones

KNOW THE APPLICATION
WordPress = Core + Themes + Plugins + End-User
• Today's Problem: themes, plugins and the end-user, far more than core (see Common Vectors)

REALISTIC ENVIRONMENT
Linux Operating System, and stacked on top of it:
• Apache: WordPress, cPanel, Plesk
• MySQL: myLittleAdmin, phpMyAdmin, etc.
• PHP: Modules




YOUR HOST
IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
•   Who is your host?
•   How do you connect to the server?
      • FTP, SFTP, SSH
•   What security does your host use? Do they use any web security?
•   What will your host do if you get hacked?
      • Will they shut your site down?
      • Will they kick you off their server?
      • Will they fix it for you?



CONNECTING
•   If you don't need it, disable it
      • SFTP / SSH is preferred
      • FTP works fine – disable it if you're not using it, don't talk to me if you are
      • FTP/SFTP != WP-ADMIN (server access and application access are separate credentials; harden both)
•   Least Privilege
      • You don't have to log in to FTP / SFTP with full root access
      • Everyone doesn't need to be an admin
      • You don't need to log in as admin
      • The focus is on the role, not the name of the user
      • Accountability – kill generic accounts – who is doing what?



ATTACK TYPE
Opportunistic
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think "TimThumb"
Targeted
• Big enterprises with large followings: WordPress.com, WooThemes
• Worth investing time and energy to compromise, bigger return




AUTOMATION IS KEY
The loop is automated: Scan → Exploit → Detect → PWN, and round again
• Targeted / Opportunistic
• Vulnerability Scans
• Brute Force / Data Dictionary Attacks
• DDOS / DOS
• XSS / CSRF
• SQLi


BLACKLISTING
• Take a chill pill.. Not the end of the world
• Detect, Remove, Submit




THE MISTAKE
• But why me?!?!?!


• Forget the why, look at the how!!




“Own one Own them All”




Nothing fancy here.. The facts

THE HOW

TODAY'S EXPLOITS
Application (you control)
• Injections
• Remote File Inclusion
• Remote File Execution
• Brute Force / Data Dictionary
Environment
• Privilege Escalation
• Brute Force / Data Dictionary
• Remote File Include
• Remote File Execution




TOP 5 WORDPRESS INFECTIONS
•   Backdoors
      • Difficult to detect via HTTP (nothing malicious is served until the attacker calls it)
•   Injections
      • Easy to detect via HTTP
•   Pharma Hack
      • Best person to detect is the owner, difficult to detect via HTTP
•   Malicious Redirects
      • Easy to detect via HTTP
•   Defacements
      • Pretty obvious – you're now supporting the Syrian fight or preaching to your Turkish brothers




BACKDOOR
• Complete access via shell… kiss all hardening goodbye
• Sad day… Good time to cry…
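Because a backdoor serves nothing until the attacker calls it, the place to look is the filesystem, not the HTTP response. The following is an added example written for this edit (it is not Sucuri's tooling and not code from the slides): a POSIX shell scanner that reports any PHP under wp-content/uploads, where only media belongs, and greps every PHP file for the obfuscated-eval and request-to-exec strings typical web shells carry. The signature list, the directory layout and the sample files in the usage are assumptions; tune them for your install.

```shell
#!/bin/sh
# Added example, not from the slides: first-pass backdoor hunt on a WordPress
# document root. Run it on the server, the side a remote HTTP scanner cannot see.
# Signature list and layout are assumptions; extend both as you learn.

# is_suspicious FILE: true if FILE contains a string that legitimate theme or
# plugin code almost never has but PHP web shells almost always do.
# Fixed-string matching (-F) keeps it portable and cheap.
is_suspicious() {
    grep -qiF \
        -e 'eval(base64_decode' \
        -e 'eval(gzinflate' \
        -e 'eval(gzuncompress' \
        -e 'eval(str_rot13' \
        -e 'eval($_' \
        -e 'assert($_' \
        -e 'system($_' \
        -e 'passthru($_' \
        -e 'shell_exec($_' \
        -e 'FilesMan' \
        -- "$1"
}

# scan_backdoors DOCROOT: prints one "path:reason" line per finding.
#   php-in-uploads  : any .php under wp-content/uploads (media only, never code)
#   shell-signature : any .php anywhere that matches is_suspicious
# A shell dropped into uploads is reported under both reasons.
scan_backdoors() {
    docroot=$1
    find "$docroot/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null |
    while IFS= read -r f; do
        printf '%s:php-in-uploads\n' "$f"
    done
    find "$docroot" -type f -name '*.php' -print |
    while IFS= read -r f; do
        if is_suspicious "$f"; then
            printf '%s:shell-signature\n' "$f"
        fi
    done
}

# count_findings DOCROOT: number of findings, handy for a cron job that
# alerts whenever the count is non-zero.
count_findings() {
    scan_backdoors "$1" | wc -l | tr -d ' '
}

# Usage: sh scan.sh /var/www/html   (stand-alone: prints the findings)
if [ "$#" -gt 0 ]; then
    scan_backdoors "$1"
fi
```

Treat a hit as a lead, not a verdict: a few legitimate plugins do call eval on encoded blobs, so diff the flagged file against a clean copy from the plugin repository before deleting anything, and remember that a clean scan only means none of these particular strings are present.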




LINK INJECTION
• Drive-by-Download attempt – think Fake AV / Adobe
• Pharma Links – Erectile Dysfunction (Viagra)




PHARMA
• Affiliate Model
• Multi-million dollar industry
• Generate ~3.5k new clients daily




DEFACEMENT
• Hacktivism at its finest
• Awareness to cause




COMMON VECTORS
"38% of us Would Rather Clean a Toilet Than Think of a New Password" - Mashable
•   Vulnerable Software
      • Often associated with out-of-date software
      • WordPress Themes / Plugins, more so than Core
•   Cross Site Contamination
      • Soup Kitchen Servers: many unrelated sites under one account, so one compromised site infects its neighbours
•   Compromised Credentials
      • Password123, Password1, 111111a = not cool
•   Remote File Inclusion
      • Leads to Remote Execution
      • Think TimThumb, Uploadify, etc…




“The question isn't who is going to let me; it's
                               who is going to stop me.”




Simple is so much sweeter…

MAKE IT STOP

THE KEY IS ACCESS
•   In almost all instances the key is access, whether via:
     •   WP-ADMIN
     •   SSH / SFTP (Port 22)
     •   FTP (Port 21) => You are dead to me!!! : )
     •   Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – you can't avoid zero-day events,
         but you can stay proactive once they are identified
     •   Doesn't include environmental issues


•   Myth: "remove the admin user and you're safe"
     •   Fact: brute-forcing a 10-character password is quoted at ~1,700 years (the figure depends on the
         character set and the attacker's guess rate). Today, dictionary attacks are the preferred method.
         Either way, the attacker needs many login attempts, which is exactly what rate limiting and
         two-factor authentication take away.


     •   The "administrator" role matters more than the "administrator" or "admin" user name.
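The practical consequence of "it takes many attempts" is that a dictionary run leaves an obvious trace in the access log: thousands of POSTs to wp-login.php from a handful of addresses. As an added example (written for this edit, not part of the deck and not Sucuri's tooling), the function below counts those POSTs per client IP from an Apache "combined" format log, which is an assumption about your host's logging; the log lines in the usage note are constructed with RFC 5737 test addresses.

```shell
#!/bin/sh
# Added example, not from the slides: spot brute-force / dictionary attacks on
# wp-login.php in an Apache access log by counting POSTs per client address.
# Assumes the Apache "combined" format: client IP is field 1, the request line
# starts at field 6 ("POST) with the path in field 7.

# login_posts_by_ip LOGFILE [THRESHOLD]: print "count ip" for every client that
# POSTed to wp-login.php at least THRESHOLD times (default 20), busiest first.
# GETs of the login page are ignored: they are humans loading the form.
login_posts_by_ip() {
    awk -v min="${2:-20}" '
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { n[$1]++ }
        END { for (ip in n) if (n[ip] >= min) print n[ip], ip }
    ' "$1" | sort -rn
}

# deny_rules LOGFILE [THRESHOLD]: turn the offenders into Apache 2.2 .htaccess
# lines for the wp-admin directory ("Filter by IP" from the advice slide).
deny_rules() {
    login_posts_by_ip "$1" "$2" | awk '{ print "Deny from", $2 }'
}

# Usage: sh login-watch.sh /var/log/apache2/access.log 50
if [ "$#" -gt 0 ]; then
    login_posts_by_ip "$1" "$2"
fi
```

Run it from cron against the rotated log and alert on any output; the threshold is site-specific (a busy multi-author blog legitimately sees a few dozen POSTs per editor per day, a brochure site should see almost none). Attackers also hammer xmlrpc.php for the same purpose, so a second pass with that path is worth adding.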




THIS IS WHAT MATTERS - KISS
From an access standpoint:
• Server WAF
• Application WAF
• Two-Factor Authentication
• Strong / Unique Password
• Secure Environment

From a vulnerability standpoint:
• Stay Current
• Use Trusted Sources
• Avoid Soup Kitchen Servers
• Separate Staging from Production
• Secure Environment




MY ADVICE

To the Average Joe:
1.    Kill PHP Execution (in wp-includes and uploads)
2.    Disable Theme / Plugin Editing via Admin
3.    Connect Securely – SFTP / SSH
4.    Use the Authentication Unique Keys and Salts in wp-config (generate them, don't leave the sample values)
5.    Use Trusted Sources
6.    Use a local Antivirus – yes, Macs need one
7.    Verify your permissions – directories 755 | files 644
8.    Least Privilege
9.    Kill generic accounts – Accountability
10.   Backup your site – yes, Database too

To the Paranoid / Lucky:
1.    Don't let WordPress write to itself
2.    Filter by IP
         •   SSH Access
         •   WP-ADMIN Access
         •   Database Access
3.    Use a dedicated server / VPS
4.    Employ a WAF / Logging Solution
5.    Enable SSL (HTTPS)




KILL PHP EXECUTION
•   The idea is not to let them execute any PHP files from directories that should only ever hold
    data. You do so by adding this in an .htaccess file in the directory of choice. Recommendation:
      • WP-INCLUDES
      • UPLOADS

    #PROTECT [Directory Name]
    <Files *.php>
    Deny from all
    </Files>

•   Caveats a practitioner will hit:
      • "Deny from all" is Apache 2.2 syntax. Apache 2.4 only honours it through mod_access_compat;
        the native 2.4 form is "Require all denied".
      • A <Files> block in .htaccess applies to every subdirectory below it. A blanket deny on
        wp-includes also blocks wp-includes/js/tinymce/wp-tinymce.php, which the visual editor loads,
        so allow that file explicitly (and ms-files.php on Multisite). Uploads needs no exception:
        nothing there should ever execute.
      • Verify it: drop a harmless test.php into the directory, request it in a browser, expect a 403.



DISABLE PLUGIN/THEME EDITOR
•   Add to wp-config.php – if an admin account is compromised, the attacker can't use the built-in
    editor to write PHP into theme or plugin files. It does not block the plugin / theme installer
    or uploader; DISALLOW_FILE_MODS covers those as well, at the cost of in-dashboard updates.

    # Disable Plugin / Theme Editor
    define('DISALLOW_FILE_EDIT', true);
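The three "Average Joe" items the slides spell out (kill PHP execution, disable the editor, verify 755 / 644) are mechanical enough to script. What follows is an added example written for this edit, not Sucuri's code and not the WordPress project's. It assumes a stock layout with wp-config.php in the document root and wp-content/uploads beneath it, targets the uploads directory only (the one place a blanket PHP deny is always safe), writes both the Apache 2.2 and 2.4 forms of the deny, and makes the wp-config.php edit idempotent. The directory tree in the usage note is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: apply three of the "Average Joe" items
# to a WordPress document root and verify the result. Assumes a stock layout
# (wp-config.php in DOCROOT, uploads under DOCROOT/wp-content/uploads).

# write_php_deny DIR: .htaccess that refuses direct requests for *.php in DIR
# and below. Apache 2.4 uses "Require all denied"; the 2.2 form is kept for
# servers without mod_authz_core. Uploads should only ever hold media, so a
# blanket deny here breaks nothing.
write_php_deny() {
    cat > "$1/.htaccess" <<'EOF'
# PROTECT uploads: no PHP executes from here
<Files *.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</Files>
EOF
}

# disable_file_edit WPCONFIG: define DISALLOW_FILE_EDIT once, above the
# "stop editing" marker WordPress ships, or right after the opening tag if the
# marker is missing, so it is set before wp-settings.php loads anything.
disable_file_edit() {
    cfg=$1
    def="define('DISALLOW_FILE_EDIT', true);"
    if grep -q 'DISALLOW_FILE_EDIT' "$cfg"; then
        return 0                                   # already there: idempotent
    fi
    if grep -q 'stop editing' "$cfg"; then
        awk -v line="$def" '/stop editing/ { print line } { print }' "$cfg" > "$cfg.tmp"
    else
        awk -v line="$def" '{ print } NR == 1 && /^<[?]php/ { print line }' "$cfg" > "$cfg.tmp"
    fi
    mv "$cfg.tmp" "$cfg"
}

# fix_permissions DOCROOT: the "D 755 | F 644" rule from the advice slide.
fix_permissions() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f -exec chmod 644 {} +
}

# check_permissions DOCROOT: the "verify" half. Prints every path that breaks
# the rule; empty output means clean, so it doubles as a cron check.
check_permissions() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# harden_site DOCROOT: run the three steps and fail if anything is still off.
harden_site() {
    write_php_deny "$1/wp-content/uploads"
    disable_file_edit "$1/wp-config.php"
    fix_permissions "$1"
    [ -z "$(check_permissions "$1")" ]
}

# Usage: sh harden.sh /var/www/html   (stand-alone; exit status 0 = clean)
if [ "$#" -gt 0 ]; then
    harden_site "$1"
fi
```

Run it as the file owner, not root, and re-run check_permissions after every plugin update: installers and some hosts' deploy tools are the usual source of stray 777 directories. The awk insertion above the marker matters because wp-config.php ends by requiring wp-settings.php; a constant appended after that line is defined too late for anything that reads it during load.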




RECOMMENDED PLUGINS

Clients
•   Sucuri Security Premium
•   Duo Two-Factor Authentication
•   Theme-Check
•   BackupBuddy
•   Akismet

Non-Clients
•   Duo Two-Factor Authentication
•   Limit Login Attempts
•   Theme-Check
•   BackupBuddy
•   Akismet




KNOW WHERE TO GO, IF… IT HAPPENS

Support Forums
•   Hacked – http://wordpress.org/tags/hacked
•   Malware – http://wordpress.org/tags/malware
•   BadwareBusters – https://badwarebusters.org

Online Resources
•   Sucuri Blog: http://blog.sucuri.net
•   SiteCheck Scanner: http://sitecheck.sucuri.net
•   Unmask Parasites: http://unmaskparasites.com
•   Perishable Press: http://perishablepress.com/category/web-design/security/
•   Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress




BLACKLIST ENTITIES
•   Google – feeds Chrome, Firefox and the Search Engine Results Page (SERP)
      •      http://www.google.com/webmaster/tools
      •      http://www.google.com/safebrowsing/diagnostic?site=[your site]
•   Bing – feeds Internet Explorer and Yahoo
      •      http://www.bing.com/toolbox/webmaster/
•   Norton – SafeWeb Browsing, feeds Facebook
      •      http://safeweb.norton.com/
•   AVG – feeds Opera
      •      http://www.avgthreatlabs.com/sitereports/




Sucuri
                 Tony Perez
                     http://sucuri.net
                   http://blog.sucuri.net
    http://perezbox.com & http://tonyonsecurity.com
            @perezbox and @tonyonsecurity






Editor's Notes

  • #24 Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would