wordpress security 101
TRANSCRIPT
WordPress Security 101++
Introduction
WelcomeI want so show security is easy, I'm giving out the keys to the castle and want everyone to be able to do this.
Break down
Security basics
Attacker motives
Clean up
Prevention
Auditing!
Security Concepts
Know your attacker
Cleanup
Prevention
Auditing
whoami
Robert Rowley
Security guyWebsites, Server, Social Engineering, Mobile
DreamHost security one size fits all person
Robert R Silly acronyms like CISSP10ish years experience in multiple arenas of security (mobile, websites, administration, networking)Customer facing security concerns at Dreamhost.
DreamHost
1million+ websites
Huge WordPress install base.
Goes beyond wordpress, but we see it all and monitor it, which makes for a great conversation piece!
YOU!
Security core concepts
It is easy
It's all about how easy security is. Everything goes back to the core concepts so lets get into that!
Security core concepts
Backups
Passwords
Updates
Monitoring
Backups, password (policy) mgmnt, updating software, monitor
Backups
Keep them regularly
Keep them secure and off site
Keep them often, keep them secure. Check them regularly.Do not presume anyone is keeping backups, be certain.
Passwords
Easy!Passphrase alphanumeric and other characters
Better!Two factor.
Did you lock your car here? Who is at fault if it's broken into (that's right , the burglar!) Choosing good passwords isn't about if you can remember the password to login, it's about policy. Do you feel it's necessary to have a unique password that will stop someone from getting into your site/FTP (if not? Just set it to abc123, password, or secret)More on policy, you have to think about where you can log in to your site's admin pages (is this network secure/safe? Back to car analogy regarding where you park it)Many of the remainder of the topics in this talk actually come down to this type of decision. For example lets think of backups as how important is it that you have a copy of your site's data if it's lost? Your answer is what you base your backup policies on!
Updates
Automate if possible.
On the first day it's already too late.
Following right on in from passwords and policies. The longer you leave a site at the last security update, the longer you're exposing the domain to an attack. If there is a critical security update in the patch, then you need to upgarde ASAP (unless your site is not on the internet)Why ASAP? I'll show some graphs, but in the infamous words of MC Frontalot, it's already too late.
Monitoring
Prevent the attack from going unnoticed.
It's really a stop-gap concept.It's already too late.Sooner the better for incident response.You need to know ASAP about these events to be able to take action.
The bad guys
Knowing what you're up against is important! Knowing is half the battle!
Common threats
Low hanging fruit
Ties back in to best practices
Review monitored logs of attacks
Attacker motivation
Commonly seen activity
Fruit?
Low hanging fruit
It's well known attackers go for the easy target.No matter how much you think i'm too small to be targetted it's not about that, every website is a possible target if not for anything more than to act as a small part in a bigger attack (add another bot to the pile!).
Bots!
It's all automated (well mostly, but those are more unique cases)Bots hit sites every day, I know this because I monitor them, and unless there is an ritlain fueled obsessive compulsive freak of a person out there doing the same repetative attacks on tens of thousands of sites a date then these are bots.
Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why?
Attacker motivation
Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why?Why? Why? Why? Why? Why? Why? Why?Why? Why? Why?
WHY?
You may ask yourself, why?
$ $ $ $ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $ $ $ $ $$ $ $ $ $ $ $ $ $ $$ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $
Attacker motivation
$
MoneyThis is just the majority of attacks we see, which are connected to cyber criminal gangs. There are alternatives such as anonymous (who do it for awareness/causes) and cough governments (for espionage) but the vast majority is just gangs who want money.
How?
Software vulnerabilities Arbitrary file uploads, Code execution, LFI/RFI SQLi
Password compromiseSpyware/Brute force
Host based attacksAre you on a shared host? (cloud?)
Arbitrary file uploads (upload backdoors)Code execution (backdoor access)Password compromise (they can do what you can do)LFI/RFI (backdoors)SQLi (get your Dbs)
Show your work!
How does a compromised site equal profit?
Phishing (Identity theft)
BlackHat SEO (Affiliate services efraud)
Traffic Theft (Malware)
Spam (All of the above)
Backdoor installations (All of the above)
Phishing (Identity theft)BlackHat SEO (Affiliate services efrauding)Traffic Theft (Malware)Spam (All of the above)Backdoor installations (All of the above)
Graphs
DreamHost attack logs
Actual traffic from 8/20/2011 02/16/2012
This is not to say the software listed is any less secure (each has patched the vulnerability)These are attempts, not successesAll attacks were blocked
Graph: zenCart
zencart
e107
Lets call this rimrum.phpNot part of wordpress core
You're not helping!!!
OK lets get into some important steps in a cleanup.
Clean up ALL THE THINGS!!!!
Check for changes in files/db/logins (back to best practices)
Check for upgrades
Passowrd security
It's easy , unless you weren't paying attention, then it's certainly far moer difficult!
Services (my god ...)
DIY. My god it's only one line!
Not that hard
All
The
Things
If you plan to audit, do that first!
Take the site offline
Backup ALL THE THINGS:Files
Databases
Logs
Why? Quarantine so the attackers can do no further harm. (to your visitors or your site)
Update ALL THE software!!!
Core software
Plugins
Themes?
Other?
Before you put things back online
Check ALL THE files!!!
Does this belong here?
Backups help
Again before you put things back online
Change ALL THE passwords!!!
Set the policy
Need more? Use two-factor.
If someone had the key to your front door, would you not change it?
Re-install ALL THE THINGS!!!
Backups.
Re-install.
No backups? Can't re-install?Just one line . what? What? WHAT?
Magical find
Shwo the find one-linerNote WP's built in file integrity rebuilder
find ALL THE insecure permissions!!
Permissions issues:find /path/ -type d -perm 777 -printbetter:find /path/ -type d -exec chmod 755 {} \; -printalternative:find /path/ -type d -perm 777 -exec chmod 755 {} \; -print
find /path/ -type f -exec chmod 644 {} \; -print
Directories and file permissions
find ALL THE backdoors!!!
find /path/ -name *php -exec grep fingerprint {} \; -print
find /path/ -name *php -exec grep fingerprint {} \; -exec rm {} \; -print (or use chmod 0 {} instead of rm {} )
find /path/ -name *php -exec grep all\|the\|things {} \; -print
Backdoors! Bah!
Destroy ALL THE backdoors!!!
find /path/ -name *php -exec \grep FilesMan\|eval(base64_decode(\|eval(gzinflate( {} \; \
-exec chmod 0 {} \; -or -exec \
grep \(base64_decode\)\{10,\}\|\(\\\)\{30,\} {} \; \
-exec sed -i.backup /\(base64_decode\)\{10,\}\|\(\\\)\{30,\}/d {} \; -print
Shwo the find one-linerNote WP's built in file integrity rebuilder
Spot ALL THE differences!
Use diff to compare directories.
Works best with backups (or just download WP)
$ diff omgfire.com omgfire.com_lastbackupOnly in omgfire.com: this_could_be_a_backdoor.phpCommon subdirectories: omgfire.com/wp-admin and omgfire.com_lastbackup/wp-admindiff omgfire.com/wp-config.php omgfire.com_lastbackup/wp-config.php1d0<
Pay for ALL THE fixes!!!
The good, the bad and the ugly
Good companies that release fixes for free, work with hosting providres, never play the blame game.Bad companies that have no contributions to security community, high costs.Ugly high costs, blame game posts in their blog! Charlatans (snakeoil) how will they interact with you as a customer if they openly berate people on their blog?
Preventative
Server side
Site side
Wordpress specific tricks
Review
Server options
Firewall mod_security, cloudflare
Database Restrict by hostname
permissions, firewalls (mod_sec, cloudflare, htaccess)Database server (hostname access)
Site configuration
File Monitoring
Stop using FTP
HTTPS
Lock down directory/file permission
Monitor with rsync/git/svn on your backup serverStop using FTP!Https (who logged in today using the open wifi?)Permissions, always important.
Wordpress tricks
Enable auto-update
Don't login as admin
Database table prefix
Disable PHP/CGI in upload/include directories
Plugins!
Https logins, or two factorAdmin, don't make your login name guessableTable prefixes help but don't prevent SQLiIf you're uploading images, why would you execute them as PHP?How many plugins and themes do you have installed that are not in use?
Security Plugins
BackupsPreventionCleanupMonitoring Authentication
File Monitor plusXVaultPressXXGoogle Auth.YubikeyEtc...X
Exploit Scanner
/XBackup BuddyX
There are a lot of options, just search for security in the plugins reposatory. Be warned, many end up unmaintained.Some claim to cover everything, but none cover all of your needs.
Security Services
BackupsPreventionCleanupMonitoringPrice
CloudflareX/Free-20+5/month
VaultPressX/X15-350/month
StoptheHackerXFree-100+/month
URLvoid.comVarious othersXFree
SucuriXX90-290/month
List/graphCloudflare, vaultpress, sitemonitor, stopthehacker, sucuri
Anyone in the audience from these services? make checks payable to... or talk with them after.
Auditing
Most of these will be techniques I will quickly cover that are all handled via SSHSoryr, advanced topic. I can go over details in person.
Who logged in?
Via SSH: last
Via WordPress: simple login log plugin
Not supported with WP panelUse last command via SSH, this will verify if it was a SSH/FTP password compromise.
Digging in with timestamps.
$ ls -la omgfire.com/backdoor.php -rw-rw-r-- 1 user grp 0 Feb 13 21:52 omgfire.com/backdoor.php$ grep 21:52: logs/omgfire.com/access.log.2012-02-13123.125.71.31 - - [13/Feb/2012:21:52:53 -0800] "POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-" "Mozilla"
Tiemstamp coorealation with file creations, logs, etc...Note the POST request shady!
Digging in with HTTP logs
$ awk '{print $7}' access.log | sort | uniq -c | sort -n
Awk/grep/sort madness!
Digging in with HTTP logs
$ awk '{print $7}' access.log | sort | uniq -c | sort -n 1 /phpMyAdmin-2.2.3/index.php 1 /phpMyAdmin-2.5.5-pl1/index.php 1 /phpMyAdmin-2.5.5/index.php 1 /phpMyAdmin-2.5.6-rc2/index.php 1 /phpMyAdmin/index.php 1 /phpmyadmin1/index.php 1 /pma/index.php 1 /web/phpMyAdmin/index.php 1 /websql/index.php 2 /phpmyadmin/index.php 4 /robots.txt 242 /
Awk/grep/sort madness!
Ask your host!
You may not be alone.
It doesn't hurt to ask, and it's entirely possible they are familiar with that specific type of attack.
followup
Take ownership and post your experience
Help the next website owner.
Do not be ashamed to post about your site being compromised, if anything it may help. Help not only you, your visitors, but the next webmaster that sees a similar attack against their site. Build a network of individual site owners who are all actively reporting these compormises, will be paying it forward.
Further reading
http://codex.wordpress.org/Hardening_WordPress
No seriously, wordpress and automattic take security seriouesly. Following the steps in this URL which is well written will show you specific details on what to do. I just didn't want to waste time talking about only what's on this URL.