Identifying a Compromised WordPress Site

@chrisburgess #wpmelb

Prevention is the holy grail, however it’s not the topic of this

talk.

You can’t always prevent, so you must detect.

Even if we’re doing everything possible to harden and maintain our

installations, we should still care about security to monitor our high

value sites.

Is Penetration Testing Worth it? There are two reasons why you might want to conduct a penetration test. One, you want to know whether a certain vulnerability is present because you're going to fix it if it is. And two, you need a big, scary report to persuade your boss to spend more money. If neither is true, I'm going to save you a lot of money by giving you this free penetration test: You're vulnerable. Now, go do something useful about it. -- Bruce Schneier

http://www.schneier.com/blog/archives/2007/05/is_penetration.html

The following examples are often the first signs of a

successful attack.

Ahrefs and Google Search Console

Real example of anchor text from Ahrefs

Real example of a malicious plugin.

Real example of a malicious plugin.

This shouldn’t be the first sign of a compromised site. There

are usually plenty of early warning signs.

But first…

Links to the Quora Article

•  https://www.quora.com/I-am-powering-a-banks-website-using-WordPress-What-security-measures-should-I-take

•  https://ma.tt/2015/04/a-bank-website-on-wordpress/

•  https://wptavern.com/banking-on-wordpress-matt-mullenweg-weighs-in-on-security-concerns

h"ps://www.quora.com/I-am-powering-a-banks-website-using-WordPress-What-security-measures-should-I-take/answer/Karol-Krol?srid=uD68

Let’s ask another question. Is Linux secure? Is Django secure? Is iOS

secure? Is MySQL secure? Is Drupal secure? Is Node.JS secure? Is <insert browser> secure? Is

Android secure? Is Rails secure? Is Windows Server secure? Is Shopify

secure? You get the idea…

This can get subjective, since some have a much better track record than others, and

some are designed with security as a priority.

So.. banks aside, what would constitute as a high value

target?

High traffic sites, anything with Personally Identifiable

Information (PII), software vendors, service providers?

Credit card numbers aren’t the only form of sensitive

information.

It’s really easy to say “something isn’t secure”.

It’s much harder to actually build something that is secure (knowing that there’s no such

thing as absolute security).

The best answer is that if security is important, you need

“people” working on it.

The Internet is a hostile environment. We need to have a healthy respect for this fact.

The current dilemma…

Hosting Providers

Plugins

Systems and Services

Users

Good Developers

Good Support, Ops and SysAdmins

A high value business needs good people, from all of these disciplines, working together.

h"p://www.sentrillion.com/images/img_defense-in-depth.jpg

Real example of a malicious file

You can’t rely only on tools, they won’t always detect a

compromise.

Most WordPress security tools work by using signatures.

For context, Kaspersky AV for Windows currently has around

500,000 signatures.

Scanning your site with online tools work only if your site has active malware, is defaced or

blacklisted.

If a site has been compromised, it cannot be trusted.

example.com/index.php

example.com/otherapp/

example.com/*

example.com/*

Isolation

Look out for a shared web root, addon domains in cPanel, or other web apps in

subfolders.

We’re going to assume a fresh WordPress install, or restoration from a clean backup is needed

Places/things to check… •  Content/files (htaccess, index.php, sitemap.xml, anything

custom) •  Running processes •  Running scripts, open files (look at full paths in processes) •  Memory •  Cron jobs •  Database •  Date and timestamps •  Suspicious plugins •  Suspicious directories/files •  Sitemaps/SERPs •  WordPress Admin Users •  Other users in GSC/WMT •  Code audit

Checking Content

•  grep •  Screaming Frog (useful for finding JS) •  Sucuri SiteCheck •  UnmaskParasites.com •  Safe Browsing Site Status (Google)

Once the server has been compromised, it cannot be

trusted.

Tools for Detection

•  System Monitoring •  Integrity Monitoring •  Firewalls •  IDS/IPS •  Malware Scanners •  Logging

System Monitoring

•  Resources (Bandwidth/CPU/RAM/IO) •  Logins •  Processes

Integrity Monitoring

•  git •  wp-cli •  Any diff tools •  Plugins •  Tripwire (and similar)

wp-cli’s Verify Checksums

$ wp core verify-checksums Success: WordPress install verifies against checksums.

Thanksto@davemacforthisKp!

Firewalls

•  Network Firewalls •  Web Application Firewalls •  Security Services

IDS/IPS

•  Typically at the host level •  OSSEC

Malware Detection

•  Security Plugins •  Commercial AV •  Public Site Scanning •  Google Search Console •  ConfigServer eXpliot Scanner (for WHM/

cPanel) •  Maldet/ClamAV

Logging

•  /var/log (access, error, php) •  Centralised Logging or Log Shipping

(Papertrail, Loggly, Splunk, Logstash etc.) •  Audit trails (Stream/WP Audit Trail etc.)

WPScan WordPress Scanner

WPSecurityBloggers.com

Use a security plugin (or manually harden)

https://www.wordfence.com/

https://sucuri.net/

https://ithemes.com/security/

Final Words… Security issues typically occur because of certain patterns. Cleaning, restoring or rebuilding doesn’t address that. Compromised sites are much more likely to become compromised again. Get everyone on board to take security seriously.

Prevention and Response

Hardening/Prevention: •  https://codex.wordpress.org/

Hardening_WordPress Post-hack/Response: •  https://sucuri.net/website-security/what-

to-do-after-a-website-hack/

•  WordPress.org – wordpress.org/about/security – wordpress.org/news/category/security

•  Verizon DBIR http://www.verizonenterprise.com/

•  verizon-insights-lab/dbir/ •  Sucuri https://sucuri.net/ •  WP White Security

https://www.wpwhitesecurity.com/ •  OWASP http://owasp.org/

wpmelb.org/slack

Thanks and stay safe!

@chrisburgess #wpmelb