WordPress Security: Defend yourself against digital invaders

My speech at WordCamp Prague 2016 about WordPress security.

Slide 1: WordPress Security: Defend yourself against digital invaders
http://lynt.cz
Vláďa Smitka, vladimir.smitka@lynt.cz, @smitka
Lynt services s.r.o.
Update! Backup! Be careful!

Slide 2: WP leaks like a sieve (10. 7. 2016)
Have you ever heard that? Let's tell the truth.

Slide 3: Updated / Obsolete
Web developers should push their customers to pay for support and provide it responsibly. Customers should be willing to accept it; the website is in fact one of their employees.

Slide 4: What is the current status?
• Complex research of 65 000 Czech sites, 04/2015: http://lynt.cz/blog/wordpress-in-the-czech-complex-research (chart: WP versions)

Slide 5: Status 2 days ago (02/2016)
• 16 639 sites (chart: WP versions – 02/2016, including an "unknown" bucket)

Slide 6: Status 2 days ago (02/2016) – still updated versions
  Version   Sites
  3.7.13      247
  3.8.13     1779
  3.9.10     2229
  4.0.10     2570
  4.1.10     2946
  4.2.7      4305
  4.3.3      4695
  4.4.2     15225

Slide 7: Status 2 days ago (02/2016)
• 25 % of WP sites run 3.6 or lower – security updates are no longer provided
• 18 % of WP sites on 3.7 or higher haven't installed the latest security updates yet
• => At least 40 % of Czech WP sites contain security issues
• WP versions recency: current version 27 %; supported versions with updates 30 %; supported versions without updates 18 %; unsupported versions 28 %

Slide 8: What does it mean?
• I ran the annual WordCamp HACK campaign!
• Almost 1000 reports about critical vulnerabilities or hacked sites were sent
• More than 300 vulnerable Slider Revolution plugins discovered!
• A WordCamp invitation was included
• Responses from owners and developers of the affected sites were less than warm…

Slide 9: How to manage updates?
• WP Updates Notifier plugin sends an e-mail when an update is available
• Tools allowing bulk management:
  – InfiniteWP
  – ManageWP
  – WP Remote
• How to turn on the auto-update feature (mu-plugins):
  add_filter( 'auto_update_plugin', '__return_true' );
  add_filter( 'auto_update_theme', '__return_true' );

Slide 10: Infinite WP
• Self-hosted
• Base version for free (fully functional, no limits)
• Just install the InfiniteWP Client plugin + copy & paste the credentials

Slide 11: UPDATE 05/2016
• MainWP – new self-hosted bulk management system – looks very promising

Slide 12: Automated testing
• If you are afraid that something important breaks after an update, it is possible to write automated tests
• Casper.js
• Selenium
• GhostPy
• Online services: http://www.testomato.com/, …

Slide 13: Hackers?

Slide 14: What the hell do they want?
• How do I know? => I analyzed many compromised systems + I run honeypots
• http://pot.lynt.cz – it emulates an older WP with some vulnerabilities and there is also a fake SSH access

Slide 15: Honeypot
• How long did it take from the launch of a new machine to the first attacks? 12 minutes
• The Internet is dangerous – accept this fact and be prepared

Slide 16: Ok, what do they want?
• Inject malicious code to infect visitors and to show their ads
• Send SPAM
• Attack other servers
• Gain sensitive data
• Shut down your site/the whole server

Slide 17: What does the uploaded evil code do?
• Scripts to enable more attacks: password cracking, SPAM sending, Simple UDP flood script
• The first mention of Simple UDP flood is from 2004: https://forums.cpanel.net/threads/script-in-tmp-made-by-hacker.33184/
• The most simple backdoor: eval($_POST[sam]);
• Remote shell – e.g. b374k

Slide 18: What methods do they use?
• Login
• Comments
• Particular bugs in plugins, themes or WP core
• Tapping
• Phishing
• Cross-site infection through other sites on a shared hosting
• Prepared backdoors – a forum post: "Hi, does anyone have an experience with ### site? They offer plugins just for few bucks" – they sell stolen plugins without the license, you can download them for free somewhere on the Internet

Slide 19: Cross infection
• Common problem on multihosting
• Diagram: one folder with all sites → Web1, Web2, Web3

Slide 20: How to login into WP?
• /wp-admin + user name & password
• XML-RPC (/xmlrpc.php)
• Cookie
• REST-API (/wp-json) – coming soon

Slide 21: Harvesting user logins
• /?author=1 => /author/admin/
• Password admin, admin0, admin1, … Brute force
• Rules for .htaccess:
  RewriteCond %{QUERY_STRING} author=
  RewriteRule ^(.*)$ http://uckf.you? [L,R=301]

Slide 22: A hacker can tap your credentials

Slide 23: …or ask you directly
  Subject: A security problem on wordcamp.cz
  Date: Sat, 20 FEB 2016 09:51:48 +0200
  From: HOSTING <your@amazing.hosting>
  To: <you>

  Dear customer,
  Your website wordcamp.cz running on WordPress contains a serious security problem in the "Some Amazing Plugin" which enables to gain full control over your website and attack other sites consequently. There is no official patch available yet but our team can fix the issue manually. For this purpose we need your credentials to your WP administration. Send them ASAP to stop the attacks. Otherwise we will be forced to turn off your site.
  Regards,
  Your Amazing Hosting, Inc.

Slide 24: XML RPC
• /xmlrpc.php
• This protocol allows remote control of your site from various applications – e.g. post publishing
• The protocol is used rarely
• But some plugins use it – JetPack
• system.multicall function which allowed an attacker to test hundreds of passwords with one call (disclosed and fixed in September 2015)
• If you want to use XML RPC, allow it only from particular IP addresses
• Block via .htaccess:
  <Files "xmlrpc.php">
  Order Allow,Deny
  deny from all
  </Files>

Slide 25: Cookie

Slide 26: Cookie
  wordpress_9338f7bf999516f89fdc070299cf0b82=admin%7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna0IdLmz4g7JQBwtYn%7Cb73f661495e9323a6df2dffe80015360b41ed8970a5cf05dd4053aecc4109a40
• Cookie name suffix: md5(URL), here URL = http://pot.lynt.cz
• User name
• Validity = 28.2.2016 15:25:24 (+14 days)
• Hash – AUTH_KEY + AUTH_SALT + 4 chars from the password's hash
• Token (since 4.0) – hash of 43 random chars

Slide 27: Crypto keys in wp-config.php
  define('AUTH_KEY', 'put your unique phrase here');
  define('SECURE_AUTH_KEY', 'put your unique phrase here');
  define('LOGGED_IN_KEY', 'put your unique phrase here');
  define('NONCE_KEY', 'put your unique phrase here');
  define('AUTH_SALT', 'put your unique phrase here');
  define('SECURE_AUTH_SALT', 'put your unique phrase here');
  define('LOGGED_IN_SALT', 'put your unique phrase here');
  define('NONCE_SALT', 'put your unique phrase here');
• You can obtain new ones from: https://api.wordpress.org/secret-key/1.1/salt/
• The HACK campaign discovered that 16 % of sites with a vulnerability in Slider Revolution also used default crypto keys.
• If you install WP by renaming wp-config-sample.php, don't forget to change the crypto keys!
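The following is an added example (not code from the slides or from WordPress itself) that ties slides 26 and 27 together: it parses the cookie shown on slide 26 into its four fields, models how WordPress 4.x signs that cookie (HMAC-MD5 keyed with AUTH_KEY . AUTH_SALT, then HMAC-SHA256 over username|expiration|token, with four characters of the stored password hash mixed into the key), and audits a wp-config.php fragment for keys still set to the sample placeholder. The secrets, the phpass-style password hash and the wp-config.php fragment are constructed for the example; the model follows wp_generate_auth_cookie() as I know it in 4.x but omits the server-side session-token check that "log off all users" relies on.

```python
import hashlib
import hmac
import re
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed stand-ins for the wp-config.php secrets; not real keys.
AUTH_KEY = "h7Q!constructed-auth-key-for-this-example"
AUTH_SALT = "z3#constructed-auth-salt-for-this-example"
# Constructed phpass-style hash as stored in wp_users.user_pass (not a real hash).
USER_PASS = "$P$BsaltCONSconstructedhashvalue000000"

# The cookie value from the slide, '|' separators still URL-encoded as %7C.
SLIDE_COOKIE = (
    "admin%7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna0IdLmz4g7JQBwtYn"
    "%7Cb73f661495e9323a6df2dffe80015360b41ed8970a5cf05dd4053aecc4109a40"
)

PLACEHOLDER = "put your unique phrase here"
KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def cookie_name(siteurl: str) -> str:
    """The auth cookie is named 'wordpress_' + md5(siteurl)."""
    return "wordpress_" + hashlib.md5(siteurl.encode()).hexdigest()


def parse_auth_cookie(value: str) -> dict:
    """Split the 4.0+ layout: username|expiration|token|hmac."""
    username, expiration, token, digest = unquote(value).split("|")
    return {"username": username,
            "expires": datetime.fromtimestamp(int(expiration), tz=timezone.utc),
            "token": token, "hmac": digest}


def wp_hash(data: str, auth_key: str, auth_salt: str) -> str:
    """Model of wp_hash(): HMAC-MD5 keyed with AUTH_KEY . AUTH_SALT."""
    return hmac.new((auth_key + auth_salt).encode(), data.encode(), "md5").hexdigest()


def generate_auth_cookie(username, user_pass, expiration, token, auth_key, auth_salt):
    """Model of wp_generate_auth_cookie() (auth scheme, WordPress 4.x).

    pass_frag is user_pass[8:12], the "4 chars from the password's hash" on
    the slide, so changing the password also revokes every existing cookie."""
    pass_frag = user_pass[8:12]
    key = wp_hash(f"{username}|{pass_frag}|{expiration}|{token}", auth_key, auth_salt)
    signed = f"{username}|{expiration}|{token}"
    digest = hmac.new(key.encode(), signed.encode(), "sha256").hexdigest()
    return f"{signed}|{digest}"


def validate_auth_cookie(cookie, user_pass, now, auth_key, auth_salt) -> bool:
    """True only if unexpired and the HMAC matches under the current secrets.
    (WordPress additionally checks the token against the user's session list,
    which 'log off all users' clears; that part is not modelled here.)"""
    username, expiration, token, digest = cookie.split("|")
    if int(expiration) < now:
        return False
    expected = generate_auth_cookie(username, user_pass, expiration, token,
                                    auth_key, auth_salt).rsplit("|", 1)[1]
    return hmac.compare_digest(expected, digest)


def default_crypto_keys(wp_config_text: str) -> list:
    """Names of the eight constants still set to the sample placeholder.
    Assumes single-quoted values, as in wp-config-sample.php."""
    found = dict(re.findall(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)", wp_config_text))
    return [name for name in KEY_NAMES if found.get(name) == PLACEHOLDER]


# Constructed wp-config.php fragment: two of the eight keys left at the placeholder.
SAMPLE_WP_CONFIG = "\n".join(
    f"define('{name}', "
    f"'{PLACEHOLDER if name in ('AUTH_KEY', 'NONCE_SALT') else 'constructed-' + name.lower()}');"
    for name in KEY_NAMES)

if __name__ == "__main__":
    parsed = parse_auth_cookie(SLIDE_COOKIE)
    print(cookie_name("http://pot.lynt.cz"), parsed["username"], parsed["expires"], len(parsed["token"]))
    c = generate_auth_cookie("admin", USER_PASS, "1456673124", parsed["token"], AUTH_KEY, AUTH_SALT)
    print(validate_auth_cookie(c, USER_PASS, 1456000000, AUTH_KEY, AUTH_SALT))   # True
    print(validate_auth_cookie(c, USER_PASS, 1456000000, "rotated", AUTH_SALT))  # False: keys rotated
    print(default_crypto_keys(SAMPLE_WP_CONFIG))                                 # ['AUTH_KEY', 'NONCE_SALT']
```

The expiration field in the slide's cookie decodes to 28 Feb 2016 15:25:24 UTC, the 14-day "remember me" validity the slide notes. The last two checks are the practical point of slide 27 and of the recovery checklist later in the deck: rotating AUTH_KEY/AUTH_SALT or changing the password invalidates every cookie signed under the old values, whereas leaving the placeholder in place means anyone who knows it can forge the HMAC for any username whose password-hash fragment they hold.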
Slide 28: WordPress 4.0+
• You can invalidate the "remember me" token and log off all users (User profile)
• 36 % of WP websites use an older version

Slide 29: Cookie tapping
• Unlike the username and password, the cookie is sent with every request.

Slide 30: Higher rights – higher risks
• Subscriber – Can read posts, edit their profile. The main benefit is easier commenting.
• Contributor – Can write new posts but can't publish them (an Editor or Administrator has to publish them). Doesn't have access to the Media Gallery (can embed images from external sources) – useful for guest blogging.
• Author – Can manage their posts, manage comments on these posts. Has access to the Media Gallery. Can't manage pages.
• Editor – Can manage all content – posts, pages, comments, categories. Can use javascript in comments.
• Administrator – All rights – content, plugins, themes, widgets, menus. A good practice is not to create content with the admin account.
• SuperAdministrator (only in WP multisite) – manages the network

Slide 31: Privileges customization
• Rights are editable – e.g. if a person needs to change the menu, they don't need the admin rights:
• Use the plugin User Role Editor
• Or use similar code (https://codex.wordpress.org/Roles_and_Capabilities):
  $role_object = get_role( 'editor' );
  $role_object->add_cap( 'edit_theme_options' );

Slide 32: HTTPS
• SSL certificates are cheap (finally):
  – < 8 $/year – e.g. ssls.cz
  – Free – Let's Encrypt (needs support on the server)
• 2 options:
  – Whole web on HTTPS (better)
  – Only administration on HTTPS
• Let's Encrypt:
  git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
  ./letsencrypt-auto --apache -d <my-web> -d www.<my-web>
• Renewal script: http://do.co/le-renew (le-renew <my-web>)

Slide 33: Deploy HTTPS – whole web
• Ask your host/admin to set up the certificate
• Try if it works
• Settings – General
• You can set it up also in wp-config.php – it saves DB queries:
  define('WP_HOME', 'https://<my-web>');
  define('WP_SITEURL', 'https://<my-web>');
• There is a problem with mixed content – WP makes absolute links – you need to fix it:
  – SSL Insecure Content Fixer
  – Fix in admin – one by one
  – Fix in DB:
    UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://<my-web>', 'https://<my-web>')
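An added example for the "Fix in DB" step on slide 33; it is not part of the slides and uses an in-memory SQLite stand-in for the MySQL tables, with constructed hostnames in place of <my-web>. It goes one step beyond the slide: the REPLACE() statement is fine for post_content, which is plain HTML, but WordPress also stores PHP-serialized arrays (widgets, theme mods, plugin settings) whose `s:N:"..."` tokens carry byte lengths, and a plain text replace that changes "http://" to "https://" leaves those lengths wrong so the value no longer unserializes. The helper below rewrites the lengths as it replaces (wp-cli's search-replace command does the same job on a real site).

```python
import re
import sqlite3

# Constructed hostnames standing in for <my-web> on the slide.
OLD_URL = "http://example.test"
NEW_URL = "https://example.test"

STRING_TOKEN = re.compile(rb's:(\d+):"')


def replace_in_serialized(data: bytes, old: bytes, new: bytes) -> bytes:
    """old -> new inside a PHP-serialized value, rewriting each s:N byte
    length so the result still unserializes. Non-string tokens are copied
    untouched; each string body is skipped as a whole, so a fake 's:N:"'
    inside a body is never mistaken for a token."""
    out = bytearray()
    pos = 0
    while True:
        m = STRING_TOKEN.search(data, pos)
        if m is None:
            out += data[pos:]
            return bytes(out)
        start, end = m.end(), m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':          # not a well-formed string token
            out += data[pos:m.end()]
            pos = m.end()
            continue
        body = data[start:end].replace(old, new)
        out += data[pos:m.start()] + b's:%d:"' % len(body) + body + b'";'
        pos = end + 2


def safe_replace(value: str, old: str, new: str) -> str:
    """Plain strings get str.replace; serialized arrays/objects/strings go
    through the length-fixing path. PHP counts bytes, hence UTF-8 encoding."""
    raw = value.encode()
    if re.match(rb"[aOs]:\d+:", raw):
        return replace_in_serialized(raw, old.encode(), new.encode()).decode()
    return value.replace(old, new)


def build_demo_db() -> sqlite3.Connection:
    """In-memory stand-in for the two tables touched by an HTTPS migration."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_content TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY,
                                 option_name TEXT, option_value TEXT);
    """)
    db.execute("INSERT INTO wp_posts VALUES (1, ?)",
               ('<img src="http://example.test/a.png">',))
    db.execute("INSERT INTO wp_options VALUES (1, 'siteurl', ?)", (OLD_URL,))
    db.execute("INSERT INTO wp_options VALUES (2, 'widget_x', ?)",
               ('a:2:{s:4:"home";s:19:"http://example.test";'
                's:3:"url";s:25:"http://example.test/a.png";}',))
    return db


def migrate(db: sqlite3.Connection, old: str, new: str) -> dict:
    """post_content is plain HTML, so the slide's REPLACE() is used there;
    wp_options may hold serialized data, so those rows are fixed in code."""
    db.execute("UPDATE wp_posts SET post_content = REPLACE(post_content, ?, ?)", (old, new))
    rows = db.execute("SELECT option_id, option_value FROM wp_options "
                      "WHERE option_value LIKE ?", (f"%{old}%",)).fetchall()
    for option_id, value in rows:
        db.execute("UPDATE wp_options SET option_value = ? WHERE option_id = ?",
                   (safe_replace(value, old, new), option_id))
    db.commit()
    return {
        "posts": [r[0] for r in db.execute("SELECT post_content FROM wp_posts ORDER BY ID")],
        "options": dict(db.execute("SELECT option_name, option_value FROM wp_options")),
    }


def run_demo() -> dict:
    return migrate(build_demo_db(), OLD_URL, NEW_URL)


if __name__ == "__main__":
    for table, rows in run_demo().items():
        print(table, rows)
```

Take a database backup before running anything like this against a live site; the slide's own recovery checklist starts from a clean backup for good reason.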
Slide 34: Deploy HTTPS – administration only
• Place this code into wp-config.php:
  define( 'FORCE_SSL_ADMIN', true );
• There is a problem with mixed content in the Media Gallery: SSL Insecure Content Fixer + the "Simple" setting

Slide 35: SSL Insecure Content Fixer – settings
• Screenshot of the plugin settings, annotated: one level fixes CSS, JS and images in the Media Gallery; a further level also fixes incorrect URLs in the content

Slide 36: Redirect from HTTP to HTTPS
• In .htaccess (may differ on some hostings):
  <IfModule mod_rewrite.c>
  RewriteEngine On
  RewriteCond %{SERVER_PORT} !^443$
  RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
  RewriteBase /
  RewriteRule ^index.php$ - [L]
  RewriteCond %{REQUEST_FILENAME} !-f
  RewriteCond %{REQUEST_FILENAME} !-d
  RewriteRule . /index.php [L]
  </IfModule>

Slide 37: Other encrypted protocols
• SFTP/SCP instead of FTP
• SSH instead of Telnet
• IMAPs (POP3s) instead of IMAP (POP3)
• SMTP TLS/SMTP STARTTLS instead of SMTP
• VPN

Slide 38: How does the attack proceed?
• Check publicly known information (domain owners, e-mail addresses, IPs, employees' names… recon-ng)
• Active scan, identification – WP-scan
• Aggressive scan – e.g. DirBuster (tries whether particular folders exist – /phpmyadmin/, …)
• Vulnerability tests – generate suspicious queries
• Can be detected – causes many 404s

Slide 39: XSS (screenshot)

Slide 40: XSS – worse (screenshot)

Slide 41: XSS – really dangerous (screenshot)
• An overlay reacts on mouse movement (onMouseMove) and leads the admin to Edit Themes

Slide 42: XSS – at its maximum (screenshot)

Slide 43: Ask admin for help
  Subject: A security problem on wordcamp.cz
  Date: Sat, 20 FEB 2016 09:59:02 +0200
  From: HOSTING <your@amazing.hosting>
  To: <you>

  Dear customer,
  Your website wordcamp.cz running on WordPress contains a serious security problem in the "Some Amazing Plugin" which enables to gain full control over your website and attack other sites consequently. You need to disable the function "Uglyness" until a patch is available – you can do so simply via the following link:
  http://<your-web>/wp-content/plugins/amazing-plugin/abc.php?xy=dG9obGUgamUgemx5IGtvZCA6LSk
  Please disable the function or delete the plugin, otherwise we will be forced to turn off your site.
  Regards,
  Your Amazing Hosting, Inc.

Slide 44: Cross-site request forgery
• When the system doesn't check the origin of the request
• Diagram: "Hi Admin, check this cool site!" → the "Cool site" page (Lorem ipsum) silently sends a request that creates a new user for the attacker
• The prevention is "signed" forms (a unique token is added by the server and checked after submission)
• WP uses "nonces" (not all plugins use them…)
• Example: /wp-admin/post.php?post=1&action=trash&_wpnonce=b192fc4204
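An added example (not from the slides or from WordPress) modelling the "signed form" defence of slide 44: it follows wp_create_nonce() / wp_verify_nonce() as I know them (10 hex characters cut from an HMAC-MD5 of tick|action|uid|session-token, keyed with NONCE_KEY . NONCE_SALT, with the tick advancing every 12 hours and the previous tick still accepted), then guards the post.php trash action from the slide the way check_admin_referer('trash-post_<id>') does. The keys, user id and session token are constructed values.

```python
import hmac
import math
from urllib.parse import parse_qs, urlparse

# Constructed stand-ins for NONCE_KEY / NONCE_SALT from wp-config.php.
NONCE_KEY = "Lm9!constructed-nonce-key"
NONCE_SALT = "Rt4#constructed-nonce-salt"
NONCE_LIFE = 24 * 60 * 60   # DAY_IN_SECONDS, the WordPress default


def wp_hash(data: str) -> str:
    """Model of wp_hash() for the 'nonce' scheme: HMAC-MD5 keyed with NONCE_KEY . NONCE_SALT."""
    return hmac.new((NONCE_KEY + NONCE_SALT).encode(), data.encode(), "md5").hexdigest()


def nonce_tick(now: float) -> int:
    """wp_nonce_tick(): a counter that advances every half-life (12 h)."""
    return math.ceil(now / (NONCE_LIFE / 2))


def create_nonce(action: str, uid: int, session_token: str, now: float) -> str:
    """wp_create_nonce(): 10 hex chars from the hash of tick|action|uid|token,
    so a nonce is bound to one action, one user and one login session."""
    return wp_hash(f"{nonce_tick(now)}|{action}|{uid}|{session_token}")[-12:-2]


def verify_nonce(nonce: str, action: str, uid: int, session_token: str, now: float) -> int:
    """wp_verify_nonce(): 1 for the current tick, 2 for the previous one, 0 if invalid."""
    tick = nonce_tick(now)
    for age, t in ((1, tick), (2, tick - 1)):
        expected = wp_hash(f"{t}|{action}|{uid}|{session_token}")[-12:-2]
        if hmac.compare_digest(expected, nonce):
            return age
    return 0


def handle_trash_request(url: str, uid: int, session_token: str, now: float) -> str:
    """The /wp-admin/post.php?post=N&action=trash handler from the slide with a
    check_admin_referer()-style guard: the nonce must have been issued for
    'trash-post_<N>' (the action WordPress uses) to this user and session."""
    q = parse_qs(urlparse(url).query)
    post_id = q.get("post", [""])[0]
    nonce = q.get("_wpnonce", [""])[0]
    if q.get("action") != ["trash"] or not post_id:
        return "bad request"
    if not verify_nonce(nonce, f"trash-post_{post_id}", uid, session_token, now):
        return "rejected: nonce missing, wrong or expired"
    return f"trashed post {post_id}"


if __name__ == "__main__":
    uid, token, now = 1, "constructed-session-token", 1_456_000_000
    good = create_nonce("trash-post_1", uid, token, now)
    base = "/wp-admin/post.php?post=1&action=trash"
    print(handle_trash_request(f"{base}&_wpnonce={good}", uid, token, now))
    # A link planted by an attacker cannot carry a valid nonce for the victim's session:
    print(handle_trash_request(base, uid, token, now))
    # The victim's own nonce stops working 12-24 hours later:
    print(handle_trash_request(f"{base}&_wpnonce={good}", uid, token, now + NONCE_LIFE))
```

Because the nonce depends on the session token, it cannot be precomputed by someone who only knows the admin's user id and the action name; that is what turns the "Hi Admin, check this cool site!" link in the diagram from a working attack into a rejected request. Plugins that wire their own admin actions without a nonce (the slide's "not all plugins use them") reopen exactly that gap.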
Slide 45: SQL Injection
• Unsanitized inputs (again)
• It is possible to modify DB queries and consequently obtain the complete data from the DB
• Interesting stuff in the DB:
  – E-mails
  – User names, hashed passwords
  – Auth token for the autologin cookie
  – Credentials to external services

Slide 46: Security plugins
• My favourite combo: WordFence + BBQ: Block Bad Queries
• Blocks invalid login attempts
• Limits scans
• File changes detection
• Denies user login harvesting
• Denies PHP execution in uploads
• Limits SPAM
• Accesses the global attackers list
• Filters out the suspicious queries

Slide 47: (screenshot)

Slide 48: WordFence – after installation
• Level 2: more notifications, limiting invalid logins
• Level 3: starts with the traffic limiting
• Level 4: blocks invalid login names immediately

Slide 49: WordFence – Live Traffic (screenshot)

Slide 50: WordFence – file changes detection (screenshot)

Slide 51: WordFence – traffic limiting (screenshot)

Slide 52: WordFence – login security (screenshot)

Slide 53: WordFence – other options (screenshot)

Slide 54: WordFence – other options
• Great plugin but unfortunately it lacks blocking of suspicious queries

Slide 55: BBQ: Block Bad Queries
• Simple plugin, no configuration – blocks suspicious queries
• E.g.: eval(, base64_, UNION * SELECT, wp-config.php, < …

Slide 56: UPDATE 05/2016
• There is a new "Firewall" feature in WordFence since 6.1.1
• It blocks suspicious queries

Slide 57: Recovery after infection
• Stop the web (e.g. deny all in .htaccess)
• Remove everything, restore from a clean backup / manual disinfection if no clean backup is available (FAR)
• Eliminate the cause (usually an update)
• Change the FTP password
• Change the DB password
• Change users' passwords, check for unknown users
• New crypto keys into wp-config.php: https://api.wordpress.org/secret-key/1.1/salt/
• Check files for changes and evil code (Wordfence, Sucuri Scanner)

Slide 58: Inspiration – how do we protect our sites?
• wp-login.php only from the Czech Republic (GeoIP module)
• Blocked xmlrpc.php and some other files + disabled PHP in uploads
• Comment spam blocking (NoSpamNX) + Ping/Trackback filter (Topsy Blocker)
• Bulk updates management
• Sites isolation
• HTTP headers:
  – X-Frame-Options SAMEORIGIN;
  – X-XSS-Protection "1; mode=block"
  – X-Content-Type-Options nosniff
• Deletion of unused themes and plugins

Slide 59: Inspiration – how do we protect our sites?
• Fail2Ban (invalid login attempts, too many 404s, https://wordpress.org/plugins/wp-fail2ban/)
• Suspicious queries filtering (server side)
• Realtime log (Logstash) and error (Sentry) analysis
• Server monitoring (Zabbix)
• File changes detection + malware analysis – Maldet + Yara
• Daily server-side backups (plugins can be used as well: BackWPup, UpdraftPlus, BackupBuddy)
• Watch current resources about new threats
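An added example (not from the slides, not from WordFence, BBQ or Fail2Ban) that puts the detection ideas of slides 38, 55 and 59 into one pass over web-server logs: the 404 bursts a directory scanner leaves behind, repeated wp-login.php failures, and request targets matching the BBQ-style patterns listed on slide 55. The log lines are constructed Apache combined-format entries with TEST-NET addresses; the thresholds are deliberately low so the sample triggers them, and the login heuristic assumes stock WordPress behaviour, where a failed login re-renders the form (200) and a successful one redirects (302).

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import unquote

# Constructed Apache combined-log lines (TEST-NET addresses); not real traffic.
SAMPLE_LOG = """\
192.0.2.3 - - [10/Jul/2016:10:00:00 +0200] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Jul/2016:10:00:01 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0"
203.0.113.7 - - [10/Jul/2016:10:00:02 +0200] "GET /pma/ HTTP/1.1" 404 210 "-" "DirBuster-1.0"
203.0.113.7 - - [10/Jul/2016:10:00:03 +0200] "GET /backup/ HTTP/1.1" 404 210 "-" "DirBuster-1.0"
203.0.113.7 - - [10/Jul/2016:10:00:04 +0200] "GET /admin/ HTTP/1.1" 404 210 "-" "DirBuster-1.0"
203.0.113.7 - - [10/Jul/2016:10:00:05 +0200] "GET /old/ HTTP/1.1" 404 210 "-" "DirBuster-1.0"
203.0.113.7 - - [10/Jul/2016:10:00:09 +0200] "GET /?s=1%20UNION%20SELECT%201 HTTP/1.1" 200 4100 "-" "curl/7.47"
203.0.113.7 - - [10/Jul/2016:10:00:10 +0200] "GET /?s=%3Cscript%3E HTTP/1.1" 200 4100 "-" "curl/7.47"
198.51.100.9 - - [10/Jul/2016:10:05:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.9"
198.51.100.9 - - [10/Jul/2016:10:05:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.9"
198.51.100.9 - - [10/Jul/2016:10:05:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.9"
198.51.100.9 - - [10/Jul/2016:10:05:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3900 "-" "python-requests/2.9"
192.0.2.3 - - [10/Jul/2016:10:06:00 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.3 - - [10/Jul/2016:10:06:01 +0200] "GET /wp-admin/ HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
192.0.2.3 - - [10/Jul/2016:11:00:00 +0200] "GET /missing-page/ HTTP/1.1" 404 210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# Patterns in the spirit of the BBQ list on slide 55, matched against the
# URL-decoded request target.
SUSPICIOUS = [
    ("eval(", re.compile(r"eval\(", re.I)),
    ("base64_", re.compile(r"base64_", re.I)),
    ("UNION SELECT", re.compile(r"union\s+(?:all\s+)?select", re.I)),
    ("wp-config.php", re.compile(r"wp-config\.php", re.I)),
    ("<", re.compile(r"<")),
]


def parse_line(line: str):
    """One combined-log line -> dict with epoch timestamp and int status, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    d = m.groupdict()
    d["ts"] = datetime.strptime(d["ts"], "%d/%b/%Y:%H:%M:%S %z").timestamp()
    d["status"] = int(d["status"])
    return d


def burst(times, threshold: int, window: float) -> bool:
    """True if at least `threshold` events fall inside any `window`-second span."""
    times = sorted(times)
    j = 0
    for i, t in enumerate(times):
        while t - times[j] > window:
            j += 1
        if i - j + 1 >= threshold:
            return True
    return False


def detect(log_text: str, burst_threshold=5, burst_window=60, login_threshold=3) -> dict:
    """Per-IP findings: 404 bursts (scanner), wp-login.php failures (brute force),
    suspicious request patterns. Returns {ip: sorted list of finding strings}."""
    not_found = defaultdict(list)
    login_fail = defaultdict(int)
    findings = defaultdict(set)
    for line in log_text.splitlines():
        r = parse_line(line)
        if not r:
            continue
        ip = r["ip"]
        if r["status"] == 404:
            not_found[ip].append(r["ts"])
        # Failed login: form re-rendered with 200; success would be a 302 redirect.
        if r["method"] == "POST" and r["target"].startswith("/wp-login.php") and r["status"] == 200:
            login_fail[ip] += 1
        decoded = unquote(r["target"])
        for name, pat in SUSPICIOUS:
            if pat.search(decoded):
                findings[ip].add(f"suspicious query: {name}")
    for ip, times in not_found.items():
        if burst(times, burst_threshold, burst_window):
            findings[ip].add(f"404 burst: {len(times)} not-found responses")
    for ip, n in login_fail.items():
        if n >= login_threshold:
            findings[ip].add(f"login failures: {n}")
    return {ip: sorted(f) for ip, f in findings.items()}


if __name__ == "__main__":
    for ip, found in detect(SAMPLE_LOG).items():
        print(ip, found)
```

The ordinary visitor (192.0.2.3) produces one 404 and one successful login and is not reported, while the scanner and the password-guessing client each get a finding list that a Fail2Ban jail or a firewall rule can act on. The window-based counting matters: a single 404 per hour from a real user should never trip the same rule as five in four seconds.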
Slide 60: Resources
• Information about vulnerabilities:
  – https://www.owasp.org/
  – https://wpvulndb.com/
  – https://blog.sucuri.net/
  – https://www.wordfence.com/blog/
  – https://packetstormsecurity.com/
  – https://www.reddit.com/r/xss
• My presentation from last year: http://www.slideshare.net/vsmitka/wordpress-security-for-everone

Slide 61: Homework for tomorrow
□ Check unique crypto keys in wp-config.php
□ Create a backup
□ Remove unused plugins
□ Remove all unused themes (you can keep one of the default themes and the parent theme)
□ Lower user rights
□ Update everything

Slide 62: Thank you for your attention
• Update, backup, use a security plugin, be careful