WordPress Security
TRANSCRIPT
JIGAR PANDYA
WordPress Security
04/11/2023
Know the Environment
LAMP STACK
LINUX
Apache
MySQL
PHP
• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• Bare-bones
Know the Application
WordPress Core
Themes
Plugins
End-User
• Today's Problem
Realistic Environment
Linux Operating System
Apache
WordPress, cPanel, Plesk
MySQL
myLittleAdmin, phpMyAdmin, etc.
PHP
Modules
Your Host
Who is your host?
How do you connect to the server? FTP, SFTP, SSH
What security does your host use? Do they use any web security?
What will your host do if you get hacked? Will they shut your site down? Will they kick you off their server? Will they fix it for you?
IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
Connecting
If you don't need it, disable it
• SFTP / SSH is preferred
• FTP works fine – disable it if you're not using it; don't talk to me if you are
• FTP/SFTP != WP-ADMIN
Least Privileged
• You don't have to log in to FTP / SFTP with full root access
• Everyone doesn't need to be an admin
• You don't need to log in as admin
• The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?
Attack Type
Opportunistic
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think "TimThumb"
Targeted
• Big enterprises with large followings: WordPress.com, WooThemes
• Worth investing time and energy to compromise, bigger return
Automation is KEY
Automation: Scan, Detect, Exploit, PWN
• Targeted / Opportunistic
• Vulnerability Scans
• Brute Force / Data Dictionary Attacks
• DDOS / DOS
• XSS / CSRF
• SQLi
Blacklisting
• Take a chill pill.. Not the end of the world
• Detect, Remove, Submit
The MISTAKE
But why me?!?!?!
Forget the why, look at the how!!
The How
NOTHING FANCY HERE.. THE FACTS
"Own one, Own them All"
Today's Exploits
Application
• Injections
• Remote File Inclusion
• Remote File Execution
• Brute Force / Data Dictionary
• Privilege Escalation
Environment
• Brute Force / Data Dictionary
• Remote File Include
• Remote File Execution
You Control
Top 5 WordPress Infections
Backdoors – Difficult to detect via HTTP
Injections – Easy to detect via HTTP
Pharma Hack – Best person to detect is the owner; difficult to detect via HTTP
Malicious Redirects – Easy to detect via HTTP
Defacements – Pretty obvious – you're now supporting the Syrian fight or preaching to your Turkish brothers
Backdoor
• Complete access via shell… kiss all hardening goodbye
• Sad day… Good time to cry…
Link Injection
• Drive-by-Download attempt – think Fake AV / Adobe
• Pharma Links – Erectile Dysfunction (Viagra)
PHARMA
• Affiliate Model
• Multi-million dollar industry
• Generate ~3.5k new clients daily
Defacement
• Hacktivism at its finest
• Awareness to cause
Common Vectors
Vulnerable Software – Often associated with out-of-date software; WordPress Themes / Plugins, more so than Core
Cross Site Contamination – Soup Kitchen Servers
Compromised Credentials – Password123, Password1, 111111a = not cool
Remote File Inclusion – Leads to remote execution; think TimThumb, Uploadify, etc…
"38% of us Would Rather Clean a Toilet Than Think of New Password" – Mashable
Make it STOP
SIMPLE IS SO MUCH SWEETER…
"The question isn't who is going to let me; it's who is going to stop me."
The Key is Access
In almost all instances the key is access, whether via:
• WP-ADMIN
• SSH / SFTP (Port 22)
• FTP (Port 21) => You are dead to me!!! : )
• Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – can't avoid zero-day events, but you can stay proactive when identified
Doesn't include environmental issues
Myth: Remove Admin
Fact: to crack a 10 character password = 1,700 years via brute-force. Today, dictionary attacks are the preferred method. Either way, requires multiple scan attempts.
The "administrator" role matters more than the "administrator" or "admin" user name.
This is What Matters - KISS
From an access standpoint:
• Server WAF
• Application WAF
• Two Factor Authentication
• Strong / Unique Password
• Secure Environment
From a vulnerability standpoint:
• Stay Current
• Use Trusted Sources
• Avoid Soup Kitchen Servers
• Separate Staging from Production
• Secure Environment
My Advice
To the Average Joe:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – Yes, Macs need one
7. Verify your permissions - D 755 | F 644
8. Least Privileged
9. Kill generic accounts - Accountability
10. Backup your site – yes, Database too
To the Paranoid / Lucky:
1. Don't let WordPress write to itself
2. Filter by IP: SSH Access, WP-ADMIN Access, Database Access
3. Use a dedicated server / VPS
4. Employ a WAF / Logging Solution
5. Enable SSL
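Items 4 and 7 of the "Average Joe" list are the ones a script can verify on a real tree. The following is an added example written for this transcript, not code from the talk or from WordPress: it applies the D 755 / F 644 rule, reports anything that deviates from it, and checks whether wp-config.php still carries the sample-file placeholder instead of generated authentication keys. Assumptions not stated on the slides: the site root is passed as the first argument, and wp-config.php is tightened to 600 so other accounts on a shared host cannot read the database password and salts.

```shell
#!/bin/sh
# Added example, not from the deck: check and fix a WordPress tree against
# the "D 755 | F 644" rule (item 7) and test whether the authentication keys
# from item 4 were ever set. Assumptions not stated on the slides: the site
# root is passed as the first argument, and wp-config.php is tightened to
# 600 so other local accounts on a shared host cannot read the DB password.

# Set every directory to 755 and every file to 644 below the site root.
fix_wp_permissions() {
    root="$1"
    [ -d "$root" ] || return 1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    # wp-config.php holds DB credentials and the salts: owner-only.
    if [ -f "$root/wp-config.php" ]; then
        chmod 600 "$root/wp-config.php"
    fi
    return 0
}

# Print every path that deviates from the rule (wp-config.php is exempt
# because it is expected to be 600). Returns 0 when the tree is clean.
check_wp_permissions() {
    root="$1"
    bad=$( { find "$root" -type d ! -perm 755
             find "$root" -type f ! -perm 644 ! -name wp-config.php; } )
    if [ -n "$bad" ]; then
        printf '%s\n' "$bad"
        return 1
    fi
    return 0
}

# wp-config-sample.php ships with 'put your unique phrase here' in every
# AUTH_KEY / *_SALT define; a live config still containing that string
# has never had its keys generated. Returns 0 when real keys are present.
check_wp_salts() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    if grep -q 'put your unique phrase here' "$cfg"; then
        echo "$cfg: authentication keys are still the sample placeholders"
        return 1
    fi
    return 0
}

# --- Constructed demo: a scratch tree standing in for a site root ---
demo=$(mktemp -d)
mkdir -p "$demo/wp-content/uploads"
printf "<?php\ndefine('AUTH_KEY', 'put your unique phrase here');\n" > "$demo/wp-config.php"
printf '<?php echo 1;\n' > "$demo/wp-content/uploads/stray.php"
chmod 777 "$demo/wp-content/uploads"          # the classic "just make it writable" shortcut
chmod 666 "$demo/wp-content/uploads/stray.php"
echo "before:"; check_wp_permissions "$demo" || true
fix_wp_permissions "$demo"
echo "after:";  check_wp_permissions "$demo" && echo "  every directory is 755, every file is 644"
check_wp_salts "$demo" || echo "  generate keys at https://api.wordpress.org/secret-key/1.1/salt/ and paste them in"
rm -rf "$demo"
```

Mode bits are only half of "Don't let WordPress write to itself": 755/644 stops other accounts from writing, but the web-server user still writes to anything it owns. The usual split is to have a deploy account own the tree and leave only wp-content/uploads writable by the web-server user, so that a compromised plugin cannot rewrite core or theme files even though uploads keep working.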
Kill PHP Execution
The idea is not to let them execute any PHP files. You do so by adding this to an .htaccess file in the directory of choice. Recommendation: WP-INCLUDES, UPLOADS
    #PROTECT [Directory Name]
    <Files *.php>
    Deny from all
    </Files>
Disable Plugin/Theme Editor
Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files.
    # Disable Plugin / Theme Editor
    define('DISALLOW_FILE_EDIT', true);
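The two snippets above, plus the "Filter by IP" item for WP-ADMIN, are applied here as one added shell example written for this transcript; it is not code from the talk, from WordPress or from Sucuri. Two caveats a practitioner would want: "Deny from all" is Apache 2.2 syntax and, on a 2.4 server without mod_access_compat, the equivalent is "Require all denied", so the .htaccess below emits both forms behind <IfModule>; and DISALLOW_FILE_EDIT only takes effect when the define sits above the require of wp-settings.php in wp-config.php. Assumptions not on the slides: paths and addresses are passed as arguments, and the demo addresses are documentation ranges.

```shell
#!/bin/sh
# Added example, not from the deck: idempotent shell helpers for the two
# controls on the "Kill PHP Execution" and "Disable Plugin/Theme Editor"
# slides, plus the "Filter by IP" item for WP-ADMIN. Assumptions not on
# the slides: paths and addresses come in as arguments; the .htaccess
# carries both the Apache 2.4 "Require" form and the 2.2 "Deny from all"
# form the slide shows, selected by <IfModule>, so it works on either.

# Refuse to serve any .php file from a directory (uploads, wp-includes).
# Returns 1 if the directory does not exist.
block_php_execution() {
    dir="$1"
    [ -d "$dir" ] || return 1
    cat > "$dir/.htaccess" <<'EOF'
# PROTECT: nothing in this directory may run as PHP
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# Allow the dashboard only from the given IPs / CIDR ranges.
# admin-ajax.php is exempted because front-end plugins call it anonymously.
# Usage: restrict_wp_admin <site-root> <ip-or-cidr> [<ip-or-cidr> ...]
restrict_wp_admin() {
    root="$1"; shift
    [ -d "$root/wp-admin" ] && [ "$#" -gt 0 ] || return 1
    {
        echo "# Dashboard reachable only from these networks"
        echo "<IfModule mod_authz_core.c>"
        echo "  <RequireAny>"
        for net in "$@"; do echo "    Require ip $net"; done
        echo "  </RequireAny>"
        echo "  <Files admin-ajax.php>"
        echo "    Require all granted"
        echo "  </Files>"
        echo "</IfModule>"
    } > "$root/wp-admin/.htaccess"
}

# True when wp-config.php already turns the editor off.
file_edit_disabled() {
    grep -Eiq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1/wp-config.php"
}

# Add the constant exactly once, above the line that loads wp-settings.php:
# WordPress reads wp-config.php top to bottom, and a define placed after
# that require is too late to take effect.
disable_file_edit() {
    cfg="$1/wp-config.php"
    [ -f "$cfg" ] || return 1
    file_edit_disabled "$1" && return 0
    line="define('DISALLOW_FILE_EDIT', true); // no theme/plugin editor in wp-admin"
    tmp=$(mktemp)
    awk -v line="$line" '
        /wp-settings\.php/ && !done { print line; done = 1 }
        { print }
        END { if (!done) print line }' "$cfg" > "$tmp"
    cat "$tmp" > "$cfg"     # cat, not mv, keeps the file's owner and mode
    rm -f "$tmp"
}

# --- Constructed demo: a scratch tree standing in for a real site root ---
demo=$(mktemp -d)
mkdir -p "$demo/wp-admin" "$demo/wp-content/uploads"
printf "<?php\ndefine('DB_NAME', 'wp');\nrequire_once ABSPATH . 'wp-settings.php';\n" > "$demo/wp-config.php"
disable_file_edit "$demo"
disable_file_edit "$demo"    # second run must not add a second line
echo "DISALLOW_FILE_EDIT lines: $(grep -c DISALLOW_FILE_EDIT "$demo/wp-config.php")"
block_php_execution "$demo/wp-content/uploads" && cat "$demo/wp-content/uploads/.htaccess"
restrict_wp_admin "$demo" 203.0.113.0/24 198.51.100.7 && cat "$demo/wp-admin/.htaccess"   # documentation ranges
rm -rf "$demo"
```

Blocking PHP under uploads is safe on every install; under wp-includes a few files are meant to be served (multisite's ms-files.php, historically the TinyMCE language files), so apply it there and then click through the site and the editor before calling it done. The IP filter only helps if the listed addresses are stable; on a roaming laptop, pair it with the two-factor plugin the deck recommends rather than widening the range.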
Recommended Plugins
Clients:
• Sucuri Security Premium
• Duo Two-Factor Authentication
• Theme-Check
• BackupBuddy
• Akismet
Non-Clients:
• Duo Two-Factor Authentication
• Limit Login Attempts
• Theme-Check
• BackupBuddy
• Akismet
Know Where to Go, If… It happens
Support Forums
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org
Online Resources
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Perishable Press: http://perishablepress.com/category/web-design/security/
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
Blacklist entities
Google – Chrome, Firefox, Search Engine Results Page (SERP) – http://www.google.com/webmaster/tools and http://www.google.com/safebrowsing/diagnostic?site=[your site]
Bing – Internet Explorer, Yahoo – http://www.bing.com/toolbox/webmaster/
Norton SafeWeb – Browsing, Facebook – http://safeweb.norton.com/
AVG – Opera – http://www.avgthreatlabs.com/sitereports/
Jigar Pandya
http://www.zealousweb.com
http://youritcoach.wordpress.com