Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

WordPress Security: Defend yourself against digital invaders

1,747 views

Published on

My speech at WordCamp Prague 2016 about WordPress security.

Published in: Technology
  • Be the first to comment

WordPress Security: Defend yourself against digital invaders

  1. 1. http://lynt.cz WordPress Security: Defend yourself against digital invaders Vláďa Smitka vladimir.smitka@lynt.cz @smitka Lynt services s.r.o. Update! Backup! Be careful!
  2. 2. http://lynt.cz WP leaks like a sieve 10. 7. 2016 2 Have you ever heard that? Let's tell the truth.
  3. 3. http://lynt.cz10. 7. 2016 3 Updated / Obsolete Web developers should push their customers to pay for support and provide responsibly. Customers should be willing to accept it – the website is one of their empoyee in fact.
  4. 4. http://lynt.cz What is the current status? • Complex research of 65 000 czech sites 04/2015 10. 7. 2016 4 http://lynt.cz/blog/wordpress-in-the-czech-complex-research WP versions
  5. 5. http://lynt.cz Status 2 days ago (02/2016) 10. 7. 2016 5 16 639 WP versions – 02/2016 unknown
  6. 6. http://lynt.cz Status 2 days ago 10. 7. 2016 6 3.7.13 247 3.8.13 1779 3.9.10 2229 4.0.10 2570 4.1.10 2946 4.2.7 4305 4.3.3 4695 4.4.2 15225 Still updated versions
  7. 7. http://lynt.cz Status 2 days ago (02/2016) 10. 7. 2016 7 25 % WP sites run on 3.6 or lower – security updates are no longer provided 18 % WP sites on 3.7 or higher haven‘t installed the latest security updates yet =At least 40 % of Czech WP sites contains security issues Current version 27 % Supported versions with updates 30 % Suported versions, without updates 18% Unsupported versions 28% WP versions recency
  8. 8. http://lynt.cz What does it mean? • I ran the annual WordCamp HACK campaign! • Almost 1000 reports about critical vulnerabilities or hacked sites were sent • More than 300 vulnerable Slider Revolution plugins discovered! • A WordCamp invitation was included • Responses from owners and developers of the affected sites were less than warm… 10. 7. 2016 8
  9. 9. http://lynt.cz How to manage updates? • WP Updates Notifier plugin sends an e-mail when an update is available • Tools allowing bulk management: – InfiniteWP – ManageWP – WP Remote • How to turn on the auto-update feature (mu- plugins): add_filter( 'auto_update_plugin', '__return_true' ); add_filter( 'auto_update_theme', '__return_true' ); 10. 7. 2016 9
  10. 10. http://lynt.cz Infinite WP • Self-hosted • Base version for free (fully funcional, no limits) • Just install InfiniteWP Client plugin + copy&paste credentials 10. 7. 2016 10
  11. 11. http://lynt.cz UPDATE 05/2016 • MainWP – new self-hosted bulk management system – looks very promising 10. 7. 2016 11
  12. 12. http://lynt.cz Automated testing • If you are afraid that something important breaks after an update, it is possible to write automated tests • Casper.js • Selenuium • GhostPy • Online services: http://www.testomato.com/,... 10. 7. 2016 12
  13. 13. http://lynt.cz Hackers? 10. 7. 2016 13
  14. 14. http://lynt.cz What the hell do they want? • How do I know? => I analyzed many compromised systems + I run Honey Pots • http://pot.lynt.cz – it emulates an older WP with some vulnerabilites and there is also a fake SSH access 10. 7. 2016 14
  15. 15. http://lynt.cz Honey Pot • How long did it take from the launch of a new machine to the first attacks? 10. 7. 2016 15 12 minutes • The Internet is dangerous – accept this fact and be prepared
  16. 16. http://lynt.cz Ok, what do they want? • Inject malicious code to infect visitors and to show their ads • Send a SPAM • Attack other servers • Gain sensitive data • Shut down your site/the whole server 10. 7. 2016 16
  17. 17. http://lynt.cz What does the uploaded evil code do? 10. 7. 2016 17 The first mention about Simple UDP flood is from 2004: https://forums.cpanel.net/threads/scr ipt-in-tmp-made-by-hacker.33184/ The most simple backdoor: eval($_POST[sam]); Remote shell – e.g. b374k Scripts to enable more attacks: • Password cracking • SPAM sending • Script Simple UDP flood
  18. 18. http://lynt.cz What methods do they use? • Login • Comments • Particular bugs in plugins, themes or WP core • Tapping • Phishing • Cross site infection through other sites on a shared hosting 10. 7. 2016 18 Prepared backdoors: Hi, does anyone have an experience with ### site? They offer plugins just for few bucks They sell stolen plugins without the license, you can download them for free somewhere on the Internet
  19. 19. http://lynt.cz Cross infection • Common problem on multihosting 10. 7. 2016 19 Folderwithallsites Web1 Web2 Web3
  20. 20. http://lynt.cz How to login into WP? • /wp-admin + user name & password • XML-RPC (/xmlrpc.php) • Cookie • REST-API (/wp-json) – coming soon 10. 7. 2016 20
  21. 21. http://lynt.cz Harvesting user logins • /?author=1 => /author/admin/ • Password admin, admin0, admin1,… Brute force Rules into .htaccess: RewriteCond %{QUERY_STRING} author= RewriteRule ^(.*)$ http://uckf.you? [L,R=301] 10. 7. 2016 21
  22. 22. http://lynt.cz A hacker can tap your credentials 10. 7. 2016 22
  23. 23. http://lynt.cz …or ask you directly Subject: A security problem on wordcamp.cz Date: Sat, 20 FEB 2016 09:51:48 +0200 From: HOSTING <your@amazing.hosting> To: <you> Dear customer, Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some Amazing Plugin“ which enables to gain full control over your website and attack other sites consequently. There is no official patch available yet but our team can fix the issue manually. For this purpose we need your credentials to your WP administration. Send them ASAP to stop the attacks. Otherwise we will be forced to turn off your site. Regards, Your Amazing Hosting, Inc. 10. 7. 2016 23
  24. 24. http://lynt.cz XML RPC • /xmlrpc.php • This protocol allows remote control of your site from various applications – e.g. post publishing • The protocol is used rarely • But some plugins use it – JetPack • system.multicall function which allowed an attacker to test hundreds of passwords with one call (disclosured and fixed in September 2015) • If you want to use XML RPC, allow it only form particular IP addresses 10. 7. 2016 24 Block via .htaccess <Files "xmlrpc.php"> Order Allow,Deny deny from all </Files>
  25. 25. http://lynt.cz Cookie 10. 7. 2016 25
  26. 26. http://lynt.cz Cookie wordpress_9338f7bf999516f89fdc070299cf0b82=admin %7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna 0IdLmz4g7JQBwtYn%7Cb73f661495e9323a6df2dffe8001 5360b41ed8970a5cf05dd4053aecc4109a40 10. 7. 2016 26 • md5(URL) = http://pot.lynt.cz • User name • Validity = 28.2.2016 15:25:24 (+14 days) • Hash – AUTH_KEY + AUTH_SALT + 4 chars from password‘s hash • Token (od 4.0) hash 43 random chars
  27. 27. http://lynt.cz Crypto keys in wp-config.php define('AUTH_KEY', 'put your unique phrase here'); define('SECURE_AUTH_KEY', 'put your unique phrase here'); define('LOGGED_IN_KEY', 'put your unique phrase here'); define('NONCE_KEY', 'put your unique phrase here'); define('AUTH_SALT', 'put your unique phrase here'); define('SECURE_AUTH_SALT', 'put your unique phrase here'); define('LOGGED_IN_SALT', 'put your unique phrase here'); define('NONCE_SALT', 'put your unique phrase here'); You can obtain new ones from: https://api.wordpress.org/secret-key/1.1/salt/ The HACK campaing discovered that 16 % of sites with a vulnerability in Slider Revolution also used default crypt keys. If you install WP via wp-config-sample.php renaming, don‘t forget to change the crypto keys! 10. 7. 2016 27
  28. 28. http://lynt.cz WordPress 4.0+ 10. 7. 2016 28 You can invalidate the „remember me“ token and log off all users 36 % WP websites uses older version User profile:
  29. 29. http://lynt.cz Cookie tapping 10. 7. 2016 29 Na rozdíl od jména a hesla, se cookie posílají stále.
  30. 30. http://lynt.cz Higher rights – higher risks 10. 7. 2016 30 • Subscriber – Can read posts, edit their profile. The main benefit is easier commenting. • Contributor – Can write new posts but can‘t publish them (Editor or Administrator have to publish them). Doesn‘t have access to the Media Gallery (can embed images form external sources) – useful for guest blogging. • Author – Can manage their posts, manage comments on these posts. Had access to the Media Gallery. Can‘t manage pages. • Editor – Can manage all content – posts, pages, comments, categories. Can use javascript in comments. • Administrator – All rights – content, plugins, themes, widgets, menus. A good practice is not to create content with the admin account. • SuperAdministrator (only in WP multisite) – manages the network
  31. 31. http://lynt.cz Privileges customization • Rights are editable – e.g. If a person needs to change the menu, they don‘t need the admin rights: • Use plugin User Role Editor • Or use a similar code: 10. 7. 2016 31 https://codex.wordpress.org/Roles_and_Capabilities $role_object = get_role( 'editor' ); $role_object->add_cap( 'edit_theme_options' );
  32. 32. http://lynt.cz HTTPS • SSL cerificates are cheap (finally): • < 8 $/year – e.g. ssls.cz • Free – Let‘s Encrypt (needs support on server) • 2 options – Whole web on HTTPS (better) – Only administration on HTTPS 10. 7. 2016 32 git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt ./letsencrypt-auto --apache -d <my-web> -d www. <my-web> Obnovovací skript: http://do.co/le-renew (le-renew <my-web>)
  33. 33. http://lynt.cz Deploy HTTPS – whole web • Ask your host/admin to set up the certificate • Try if it works • Settings - General 10. 7. 2016 33 You can set up it also in the wp-config.php, - it saves DB queries: define('WP_HOME', 'https://<my-web>'); define('WP_SITEURL', 'http://<my-web>'); • There is a problem with the mixed content – WP makes absolute links – you need to fix it • SSL Insecure Content Fixer • Fix in admin – one by one • Fix in DB: UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://<my-web>', 'https://<my-web>')
  34. 34. http://lynt.cz Deploy HTTPS – administration only Place this code into wp-config.php: define( 'FORCE_SSL_ADMIN', true ); There is a problem with the mixed content in the Media Gallery: SSL Insecure Content Fixer + the „Simple“ settings 10. 7. 2016 34
  35. 35. http://lynt.cz10. 7. 2016 35 Fixes CSS, JS and Images in the Media Gallery Fixes incorrect URLs in the content SSL Insecure Content - settings
  36. 36. http://lynt.cz Redirect from HTTP to HTTPS In .htaccess: <IfModule mod_rewrite.c> RewriteEngine On RewriteCond %{SERVER_PORT} !^443$ RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L] RewriteBase / RewriteRule ^index.php$ - [L] RewriteCond %{REQUEST_FILENAME} !-f RewriteCond %{REQUEST_FILENAME} !-d RewriteRule . /index.php [L] </IfModule> 10. 7. 2016 36 * May differ on some hostings
  37. 37. http://lynt.cz Other encrypted protocols • SFTP/SCP instead FTP • SSH instead Telnet • IMAPs (POP3s) instead IMAP (POP3) • SMTP TLS/SMTP STARTTLS instead SMTP • VPN 10. 7. 2016 37
  38. 38. http://lynt.cz How does the attack proceed? • Check publicly known information (domain owners, e-mail addresses, IPs, employees‘ names… recon-ng) • Active scan, identification - WP-scan • Agressive scan – e.g. DirBuster (tries if particular folders exist - /phpmyadmin/,…) • Vulnerabilities tests – generate suspicious queries • Can be detected - causes many 404 10. 7. 2016 38
  39. 39. http://lynt.cz XSS 10. 7. 2016 39
  40. 40. http://lynt.cz XSS – worse 10. 7. 2016 40
  41. 41. http://lynt.cz XSS – really dangerous 10. 7. 2016 41 Overlay reacts on mouse movement: onMouseMove Edit Themes
  42. 42. http://lynt.cz XSS – at its maximum 10. 7. 2016 42
  43. 43. http://lynt.cz Ask admin for help Subject: A security problem on wordcamp.cz Date: Sat, 20 FEB 2016 09:59:02 +0200 From: HOSTING <your@amazing.hosting> To: <you> Dear customer, Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some Amazing Plugin“ which enables to gain full control over your website and attack other sites consequently. You need to disable the funcion „Uglyness “ until a patch is available – you can do so simply via following link: http://<your-web>/wp-content/plugins/amazing-plugin/abc.php?xy=dG9obGUgamUgemx5IGtvZCA6LSk Please disable the function or delete the plugin, otherwise we will be forced to turn off your site. Regards, Your Amazing Hosting, Inc. 10. 7. 2016 43
  44. 44. http://lynt.cz Cross-site request forgery • When the system doesn‘t check the origin of the request 10. 7. 2016 44 Hi Admin, check this cool site! Cool site Lorem ipsum /create new user for the attacker • The prevention are the „signed“ forms (there is a unique token added by server and checked after the submision) • WP uses „nonces“ (no all plugins use them…) /wp-admin/post.php?post=1&action=trash&_wpnonce=b192fc4204
  45. 45. http://lynt.cz SQL Injection • Unsanitized inputs (again) • It is possible to modify DB queries and consequently obtain the complete data from DB • Interesting stuff in the DB: – E-mails – User names, hashed passwords – Auth Token for autologin Cookie – Credentials to external services 10. 7. 2016 45
  46. 46. http://lynt.cz Security plugins • My favourite combo: • WordFence + BBQ: Bad Block Queries • Blocks invalid login attempts • Limits scans • File changes detection • Denies user logins harvesting • Denies PHP execution in uploads • Limits SPAM • Accesses to the global attackers list • Filters out the suspicious queries 10. 7. 2016 46
  47. 47. http://lynt.cz10. 7. 2016 47
  48. 48. http://lynt.cz WordFence – after installation 10. 7. 2016 48 Level 2: more notifications, limiting invalid logins Level 3: starts with the traffic limiting Level 4: blocks invalid login names immediately
  49. 49. http://lynt.cz WordFence – Live Traffic 10. 7. 2016 49
  50. 50. http://lynt.cz WordFence – file changes detection 10. 7. 2016 50
  51. 51. http://lynt.cz WordFence – traffic limiting 10. 7. 2016 51
  52. 52. http://lynt.cz WordFence – login security 10. 7. 2016 52
  53. 53. http://lynt.cz WordFence – other options 10. 7. 2016 53
  54. 54. http://lynt.cz WordFence – other options 10. 7. 2016 54 Great plugin but unfortunatelly it lacks blocking of suspicious queries
  55. 55. http://lynt.cz10. 7. 2016 55 Simple plugin, no configuration – blocks suspicious queries E.g.: eval(, base64_, UNION * SELECT, wp-config.php, < …
  56. 56. http://lynt.cz UPDATE 05/2016 • There is a new „Firewall“ feature in WordFence since 6.1.1 • It blocks suspicious queries  10. 7. 2016 56
  57. 57. http://lynt.cz Recovery after infection • Stop the web (e.g. deny all in .htaccess) • Remove everything, restore from clean backup/ manual disinfection if no clean backup available (FAR) • Imitate the cause (usually update) • Change FTP password • Change DB password • Change users‘ passwords, check unknown users • New crypto keys into wp-config.php: https://api.wordpress.org/secret-key/1.1/salt/ • Check files for changes and evil code (Wordfence, Sucuri Scanner) 10. 7. 2016 57
  58. 58. http://lynt.cz Inspiration – how do we protect our sites? • wp-login.php only from the Czech Republic (GeoIP module) • Blocked xmlrpc.php and some other files + disabled PHP in uploads • Comments spam blocking (NoSpamNX) + Ping/Track Back filter (Topsy Blocker) • Bulk updates management • Sites isolation • HTTP headers: – X-Frame-Options SAMEORIGIN; – X-XSS-Protection "1; mode=block" – X-Content-Type-Options nosniff • Deletion unused themes and plugins 10. 7. 2016 58
  59. 59. http://lynt.cz Inspiration – how do we protect our sites? • Fail2Ban (invalid login attempts, too many 404, https://wordpress.org/plugins/wp-fail2ban/ ) • Suspicious queries filtering (serverside) • Realtime log (Log Stash) and error (Sentry) analysis • Server monitoring (Zabbix) • File changes detection + malware analysis – Maldet + Yara • Daily serverside backups (plugins can be used as well: BackWPup, UpdraftPlus, BackupBuddy) • Watch current resources about new threats 10. 7. 2016 59
  60. 60. http://lynt.cz Resources • Information about vulnerabilities • https://www.owasp.org/ • https://wpvulndb.com/ • https://blog.sucuri.net/ • https://www.wordfence.com/blog/ • https://packetstormsecurity.com/ • https://www.reddit.com/r/xss • My presentation from last year: • http://www.slideshare.net/vsmitka/wordpress-security-for- everone 10. 7. 2016 60
  61. 61. http://lynt.cz Homework for tomorrow □ Check unique crypto keys in the wp-config.php □ Create backup □ Remove unused plugins □ Remove all unused themes (you can keep one of the default themes and the parent theme) □ Lower user rights □ Update everything 10. 7. 2016 61
  62. 62. http://lynt.cz Thank you for your attention 10. 7. 2016 62 Update, backup, use a security plugin, be careful

×