wordpress security - the "no-bs" version
DESCRIPTION
A presentation I put together for WordCamp Chicago 2012.
TRANSCRIPT
![Page 1: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/1.jpg)
The “No-BS” Version
WORDPRESS SECURITY
![Page 2: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/2.jpg)
04/11/2023 @PEREZBOX @SUCURI_SECURITY @TONYONSECURITY #WCCHX
SUCURI@WORDCAMP
#WHOIS PEREZBOX
• Name: Tony Perez
• Street name: The Hulk
• Handle: Perezbox
• Company: Sucuri
• Occupation: Executive / Owner
• Likes: Guns, InfoSec, Harleys, MMA
• Personality: Rational / Objective = Turd
• Location: Menifee, California
![Page 3: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/3.jpg)
TODAY’S CHALLENGES
• Administration
• Extensibility
• Credentials
• End-users
• Education
![Page 4: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/4.jpg)
KNOWLEDGE
Check yourself before you wreck yourself
“The user’s going to pick dancing pigs over security every time.” - Bruce Schneier
![Page 5: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/5.jpg)
KNOW THE ENVIRONMENT
LAMP STACK
Linux
Apache
MySQL
PHP
• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• Bare-bones
![Page 6: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/6.jpg)
KNOW THE APPLICATION
WordPress
Core
Themes
Plugins
End-User
• Today’s Problem
![Page 7: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/7.jpg)
REALISTIC ENVIRONMENT
Linux Operating System
Apache
WordPress | cPanel | Plesk
MySQL
myLittleAdmin | phpMyAdmin | etc.
PHP
Modules
![Page 8: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/8.jpg)
YOUR HOST
• Who is your host?
• How do you connect to the server?
• FTP, SFTP, SSH
• What security does your host use? Do they use any web security?
• What will your host do if you get hacked?
• Will they shut your site down?
• Will they kick you off their server?
• Will they fix it for you?
IF YOU DON’T KNOW WHAT YOU’RE DOING, GO WITH A MANAGED SOLUTION
![Page 9: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/9.jpg)
CONNECTING
• If you don’t need it, disable it
• SFTP / SSH is preferred
• FTP works fine – disable it if you’re not using it; don’t talk to me if you are
• FTP/SFTP != WP-ADMIN
• Least Privilege
• You don’t have to log in to FTP / SFTP with full root access
• Everyone doesn’t need to be an admin
• You don’t need to log in as admin
• The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?
![Page 10: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/10.jpg)
ATTACK TYPE
Targeted:
• Big enterprises with large followings:
• WordPress.com
• WooThemes
• Worth investing time and energy to compromise, bigger return
Opportunistic:
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think “TimThumb”
![Page 11: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/11.jpg)
AUTOMATION IS KEY
Automation → Scan → Detect → Exploit → PWN
• Targeted / Opportunistic
• Vulnerability Scans
• Brute Force / Data Dictionary Attacks
• DDoS / DoS
• XSS / CSRF
• SQLi
![Page 12: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/12.jpg)
BLACKLISTING
• Take a chill pill.. Not the end of the world
• Detect, Remove, Submit
![Page 13: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/13.jpg)
THE MISTAKE
• But why me?!?!?!
• Forget the why, look at the how!!
![Page 14: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/14.jpg)
THE HOW
Nothing fancy here.. The facts
“Own one, Own them All”
![Page 15: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/15.jpg)
TODAY’S EXPLOITS
Application:
• Privilege Escalation
• Brute Force / Data Dictionary
• Remote File Include
• Remote File Execution
• Injections
Environment:
• Remote File Inclusion
• Remote File Execution
• Brute Force / Data Dictionary
You Control
![Page 16: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/16.jpg)
TOP 5 WORDPRESS INFECTIONS
• Backdoors
• Difficult to Detect via HTTP
• Injections
• Easy to Detect via HTTP
• Pharma Hack
• Best person to detect is the owner, difficult to detect via HTTP
• Malicious Redirects
• Easy to Detect via HTTP
• Defacements
• Pretty obvious – you’re now supporting the Syrian fight or preaching to your Turkish brothers
![Page 17: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/17.jpg)
BACKDOOR
• Complete access via shell… kiss all hardening goodbye
• Sad day.. Good time to cry…
![Page 18: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/18.jpg)
LINK INJECTION
• Drive-by-Download attempt – think Fake AV / Adobe
• Pharma Links – Erectile Dysfunction (Viagra)
![Page 19: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/19.jpg)
PHARMA
• Affiliate Model
• Multi-million dollar industry
• Generates ~3.5k new clients daily
![Page 20: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/20.jpg)
DEFACEMENT
• Hacktivism at its finest
• Awareness to cause
![Page 21: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/21.jpg)
COMMON VECTORS
• Vulnerable Software
• Often associated with out-of-date software
• WordPress Themes / Plugins, more so than Core
• Cross Site Contamination
• Soup Kitchen Servers
• Compromised Credentials
• Password123, Password1, 111111a = not cool
• Remote File Inclusion
• Leads to Remote Execution
• Think TimThumb, Uploadify, etc…
“38% of us Would Rather Clean a Toilet Than Think of New Password” - Mashable
![Page 22: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/22.jpg)
MAKE IT STOP
Simple is so much sweeter…
“The question isn't who is going to let me; it's who is going to stop me.”
![Page 23: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/23.jpg)
THE KEY IS ACCESS
• In almost all instances the key is access, whether via:
• WP-ADMIN
• SSH / SFTP (Port 22)
• FTP (Port 21) => You are dead to me!!! : )
• Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – you can’t avoid zero-day events, but you can stay proactive once they are identified
• Doesn’t include environmental issues
• Myth: Remove Admin
• Fact: brute-forcing a 10-character password takes on the order of 1,700 years (the figure depends on the character set and the attacker’s guess rate). Today, dictionary attacks are the preferred method. Either way, it requires many login attempts.
• The “administrator” role matters more than the “administrator” or “admin” user name.
![Page 24: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/24.jpg)
THIS IS WHAT MATTERS - KISS
From an access standpoint:
• Server WAF
• Application WAF
• Two Factor Authentication
• Strong / Unique Password
• Secure Environment
From a vulnerability standpoint:
• Stay Current
• Use Trusted Sources
• Avoid Soup Kitchen Servers
• Separate Staging from Production
• Secure Environment
![Page 25: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/25.jpg)
MY ADVICE
To the Average Joe:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – Yes, Macs need one
7. Verify your permissions - D 755 | F 644
8. Least Privilege
9. Kill generic accounts - Accountability
10. Backup your site – yes, Database too
To the Paranoid / Lucky:
1. Don’t let WordPress write to itself
2. Filter by IP
• SSH Access
• WP-ADMIN Access
• Database Access
3. Use a dedicated server / VPS
4. Employ a WAF / Logging Solution
5. Enable SSL
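Item 7 of the Average Joe list, "D 755 | F 644", is the one most people check by eye once and never again. The script below is an added example, not part of the original slides or of Sucuri's tooling: it audits a WordPress tree for directories that are not 755, files that are not 644, and a wp-config.php that other users on the box can read, then applies the baseline. It assumes the web root is passed as the first argument and that the files are owned by a user other than the web server's; the 600 mode for wp-config.php is my addition, since that file holds the database password and the authentication keys.

```shell
#!/bin/sh
# Added example (not from the original slides): audit a WordPress tree against
# the "D 755 | F 644" baseline and report what deviates.
# Assumptions (not stated on the slide): the web root is passed as $1 and the
# files are owned by a user other than the web server's, so the group/world
# write bits are what matter. wp-config.php is held to 600 because it carries
# the database password and the authentication keys.

# Print every directory that is not 755, every file that is not 644, and a
# wp-config.php that anyone else on the box can read. One finding per line.
wp_perm_audit() {
  root="$1"
  find "$root" -type d ! -perm 755 -print | sed 's/^/DIR  /'
  find "$root" -type f ! -name wp-config.php ! -perm 644 -print | sed 's/^/FILE /'
  # -perm -040 / -perm -004: group-readable or world-readable bit is set
  find "$root" -maxdepth 1 -type f -name wp-config.php \
       \( -perm -040 -o -perm -004 \) -print | sed 's/^/CONF /'
}

# Number of findings; 0 means the tree meets the baseline. Suitable for cron.
wp_perm_findings() {
  wp_perm_audit "$1" | wc -l | tr -d ' '
}

# Apply the baseline. Run as the file owner, never as root across a shared
# ("soup kitchen") server where other tenants' files live under the same root.
wp_perm_fix() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  if [ -f "$root/wp-config.php" ]; then
    chmod 600 "$root/wp-config.php"
  fi
}

# Constructed demo tree so the functions can be exercised offline. Prints
# "<findings before> <findings after>".
wp_perm_demo() {
  demo=$(mktemp -d)                       # mktemp creates 700, itself a finding
  mkdir -p "$demo/wp-content/uploads"
  printf '<?php // demo\n' > "$demo/index.php"
  printf "define('DB_PASSWORD', 'demo');\n" > "$demo/wp-config.php"
  chmod 777 "$demo/wp-content/uploads"    # the classic "just make uploads work"
  chmod 666 "$demo/index.php"
  chmod 644 "$demo/wp-config.php"         # readable by every other tenant
  before=$(wp_perm_findings "$demo")
  wp_perm_fix "$demo"
  after=$(wp_perm_findings "$demo")
  rm -rf "$demo"
  echo "$before $after"
}

wp_perm_demo
```

Run `wp_perm_audit /path/to/wordpress` from cron and alert on any output; a world-writable uploads directory that reappears after you fixed it is a sign that someone, or some plugin, is loosening permissions behind your back.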
![Page 26: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/26.jpg)
KILL PHP EXECUTION
• The idea is not to let them execute any PHP files. You do so by adding this to an .htaccess file in the directory of choice. Recommendation:
• wp-includes
• wp-content/uploads

```apache
# PROTECT [Directory Name]
# Apache 2.2 syntax; on Apache 2.4 (mod_authz_core) the equivalent is "Require all denied"
<Files *.php>
Deny from all
</Files>
```
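The fragment above has to be written into two directories and, more importantly, has to still be there next month: an attacker who gets write access to uploads/ routinely deletes the .htaccess before dropping a shell. This added example (mine, not from the slides or from Sucuri) installs the rule idempotently and gives you a check to run from cron. It assumes Apache with .htaccess overrides enabled and a standard WordPress layout under the path passed as the first argument; the `Require all denied` branch is my addition so the same file works on Apache 2.4, where `Deny from all` needs mod_access_compat.

```shell
#!/bin/sh
# Added example (not from the original slides): install the "kill PHP
# execution" .htaccess into the directories the talk recommends and verify it.
# Assumptions: Apache with AllowOverride permitting Limit/AuthConfig directives,
# web root passed as $1. The 2.2 "Deny from all" from the slide is kept; the
# 2.4 "Require all denied" is added behind an IfModule so one file fits both.

# The fragment written to each directory. The marker comment makes the write
# idempotent so a re-run does not stack duplicate blocks.
wp_php_deny_rule() {
  cat <<'EOF'
# PROTECT: no PHP may execute from this directory (sucuri-kill-php)
<FilesMatch "\.php$">
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
</FilesMatch>
EOF
}

# Append the rule to <dir>/.htaccess unless it is already there.
wp_php_deny_install() {
  dir="$1"
  if [ ! -d "$dir" ]; then
    echo "skip: $dir does not exist" >&2
    return 1
  fi
  if grep -qs 'sucuri-kill-php' "$dir/.htaccess"; then
    return 0
  fi
  wp_php_deny_rule >> "$dir/.htaccess"
}

# Exit 0 if the directory still carries the rule, 1 otherwise. Run it from
# cron: a deleted .htaccess under uploads/ is an early sign of a compromise.
wp_php_deny_check() {
  grep -qs 'sucuri-kill-php' "$1/.htaccess"
}

# Apply to the two directories the slide names. Test wp-includes carefully:
# Multisite installs that still serve files through wp-includes/ms-files.php
# break when every .php in that directory is denied.
wp_php_deny_harden() {
  root="$1"
  wp_php_deny_install "$root/wp-content/uploads"
  wp_php_deny_install "$root/wp-includes"
}

# Constructed demo tree, runs offline. Prints "installed=<n> checks=<n>".
wp_php_deny_demo() {
  demo=$(mktemp -d)
  mkdir -p "$demo/wp-content/uploads" "$demo/wp-includes"
  wp_php_deny_harden "$demo"
  wp_php_deny_harden "$demo"     # second run must not duplicate the block
  n=$(grep -c 'sucuri-kill-php' "$demo/wp-content/uploads/.htaccess")
  ok=0
  wp_php_deny_check "$demo/wp-content/uploads" && ok=$((ok+1))
  wp_php_deny_check "$demo/wp-includes" && ok=$((ok+1))
  rm -rf "$demo"
  echo "installed=$n checks=$ok"
}

wp_php_deny_demo
```

After installing, confirm the rule actually bites: drop a harmless `test.php` containing `<?php echo 1;` into uploads/, request it over HTTP and expect a 403. If you get the number 1 back, overrides are disabled for that directory (AllowOverride None) and the .htaccess is decoration.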
![Page 27: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/27.jpg)
DISABLE PLUGIN/THEME EDITOR
• Add to wp-config.php, above the “That’s all, stop editing!” line – if an admin account is compromised, the attacker can’t use the built-in editor to modify theme or plugin files.

```php
// Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
```
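Items 2 and 4 of the Average Joe list both live in wp-config.php, and both are easy to get wrong by hand: the define lands below the `require_once` for wp-settings.php and does nothing, or the AUTH_KEY / SALT lines are left as the placeholders shipped in wp-config-sample.php. This added example (mine, not from the slides) inserts the define above the “stop editing” sentinel exactly once and counts the salts still set to the stock phrase. It assumes the wp-config.php path is passed as the first argument and that the file keeps the standard sentinel comment.

```shell
#!/bin/sh
# Added example (not from the original slides): apply DISALLOW_FILE_EDIT to
# wp-config.php safely and check that the authentication keys are real.
# Assumptions: wp-config.php path as $1, standard layout with the
# "/* That's all, stop editing! ... */" sentinel present.

# Insert define('DISALLOW_FILE_EDIT', true); above the sentinel, once.
# Constants must be defined before wp-settings.php is required, which is
# exactly what the sentinel comment marks.
wp_config_disable_editor() {
  cfg="$1"
  if grep -q "DISALLOW_FILE_EDIT" "$cfg"; then
    return 0     # already set; a second define would raise a PHP notice
  fi
  tmp="$cfg.tmp.$$"
  awk -v q="'" '
    /That.s all, stop editing/ && !done {
      print "// Disable the in-admin theme/plugin editor"
      print "define(" q "DISALLOW_FILE_EDIT" q ", true);"
      print ""
      done = 1
    }
    { print }
  ' "$cfg" > "$tmp" && mv "$tmp" "$cfg"
}

# Exit 0 if the editor is disabled in this config, 1 otherwise.
wp_config_editor_disabled() {
  grep -Eq "define\\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\\)" "$1"
}

# Number of key/salt lines still carrying the wp-config-sample.php placeholder.
# Anything above 0 means the login cookies are signed with a public value.
wp_config_default_salts() {
  grep -c "put your unique phrase here" "$1" || true
}

# Constructed wp-config.php shaped like the sample file. Prints
# "<disabled before> <disabled after> <define count> <default salts>".
wp_config_demo() {
  demo=$(mktemp -d)
  cfg="$demo/wp-config.php"
  cat > "$cfg" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
if ( !defined('ABSPATH') )
    define('ABSPATH', dirname(__FILE__) . '/');
require_once(ABSPATH . 'wp-settings.php');
EOF
  before=$(wp_config_editor_disabled "$cfg" && echo yes || echo no)
  wp_config_disable_editor "$cfg"
  wp_config_disable_editor "$cfg"           # idempotent: still one define
  after=$(wp_config_editor_disabled "$cfg" && echo yes || echo no)
  defines=$(grep -c DISALLOW_FILE_EDIT "$cfg")
  salts=$(wp_config_default_salts "$cfg")
  rm -rf "$demo"
  echo "$before $after $defines $salts"
}

wp_config_demo
```

Generate replacement salts from the api.wordpress.org secret-key service or any CSPRNG and paste them in; rotating them also invalidates every existing login cookie, which is exactly what you want right after a cleanup.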
![Page 28: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/28.jpg)
RECOMMENDED PLUGINS
Clients:
• Duo Two-Factor Authentication
• Limit Login Attempts
• Theme-Check
• BackupBuddy
• Akismet
• Sucuri Security Premium
Non-Clients:
• Duo Two-Factor Authentication
• Theme-Check
• BackupBuddy
• Akismet
![Page 29: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/29.jpg)
KNOW WHERE TO GO, IF… IT HAPPENS
Support Forums:
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org
Online Resources:
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Perishable Press: http://perishablepress.com/category/web-design/security/
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
![Page 30: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/30.jpg)
BLACKLIST ENTITIES
• Google
• Chrome, Firefox
• Search Engine Results Page (SERP)
• http://www.google.com/webmaster/tools
• http://www.google.com/safebrowsing/diagnostic?site=[your site]
• Bing
• Internet Explorer
• Yahoo
• http://www.bing.com/toolbox/webmaster/
• Norton
• SafeWeb Browsing
• http://safeweb.norton.com/
• AVG
• Opera
• http://www.avgthreatlabs.com/sitereports/
![Page 31: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/31.jpg)
Sucuri
Tony Perez
http://sucuri.net
http://blog.sucuri.net
http://perezbox.com & http://tonyonsecurity.com
@perezbox and @tonyonsecurity
![Page 32: WordPress Security - The "No-BS" Version](https://reader033.vdocuments.us/reader033/viewer/2022052822/554bcbffb4c9058f6c8b474a/html5/thumbnails/32.jpg)