WordPress Security 101 - PowerPoint PPT Presentation

1 / 50
About This Presentation
Title:

WordPress Security 101

Description:

WordPress Security 101++ Awk/grep/sort madness! ... How many plugins and themes do you have installed that are not in use? There are a lot of options, ... – PowerPoint PPT presentation

Number of Views:259
Avg rating:3.0/5.0
Slides: 51
Provided by: lei160
Category:

less

Transcript and Presenter's Notes

Title: WordPress Security 101


1
WordPress Security 101
2
Introduction
3
Break down
  • Security basics
  • Attacker motives
  • Clean up
  • Prevention
  • Auditing!

4
whoami
  • Robert Rowley
  • Security guy
  • Websites, Server, Social Engineering, Mobile
  • DreamHost security one size fits all person

5
DreamHost
  • 1million websites
  • Huge WordPress install base.

6
YOU!
  • Security core concepts
  • It is easy

7
Security core concepts
  • Backups
  • Passwords
  • Updates
  • Monitoring

8
Backups
  • Keep them regularly
  • Keep them secure and off site

9
Passwords
  • Easy!
  • Passphrase alphanumeric and other characters
  • Better!
  • Two factor.

10
Updates
  • Automate if possible.
  • On the first day it's already too late.

11
Monitoring
  • Prevent the attack from going unnoticed.

12
The bad guys
13
Fruit?
14
Low hanging fruit
15
Bots!
16
Attacker motivation
  • Why? Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why? Why?
    Why? Why?
    Why? Why? Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why?
    Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why? Why?
    Why? Why? Why? Why? Why?
    Why?

Why? Why? Why? Why?
Why? Why? Why?
Why? Why? Why? Why?Why? Why?
Why? Why?
Why? Why?
Why?Why? Why? Why?

WHY?
17
Attacker motivation










18
How?
  • Software vulnerabilities
  • Arbitrary file uploads, Code execution, LFI/RFI
    SQLi
  • Password compromise
  • Spyware/Brute force
  • Host based attacks
  • Are you on a shared host? (cloud?)

19
Show your work!
  • How does a compromised site equal profit?
  • Phishing (Identity theft)
  • BlackHat SEO (Affiliate services efraud)
  • Traffic Theft (Malware)
  • Spam (All of the above)
  • Backdoor installations (All of the above)

20
Graphs
  • DreamHost attack logs
  • Actual traffic from 8/20/2011 ? 02/16/2012

21
Graph zenCart
22
(No Transcript)
23
(No Transcript)
24
You're not helping!!!
25
Clean up ALL THE THINGS!!!!
26
Not that hard
  • All
  • The
  • Things

27
If you plan to audit, do that first!
  • Take the site offline
  • Backup ALL THE THINGS
  • Files
  • Databases
  • Logs

28
Update ALL THE software!!!
  • Core software
  • Plugins
  • Themes?
  • Other?

29
Check ALL THE files!!!
  • Does this belong here?
  • Backups help

30
Change ALL THE passwords!!!
  • Set the policy
  • Need more? Use two-factor.

31
Re-install ALL THE THINGS!!!
  • Backups.
  • Re-install.
  • No backups? Can't re-install?
  • Just one line . what? What? WHAT?
  • Magical find

32
find ALL THE insecure permissions!!
  • Permissions issues
  • find /path/ -type d -perm 777 -print
  • better
  • find /path/ -type d -exec chmod 755 \ -print
  • alternative
  • find /path/ -type d -perm 777 -exec chmod 755
    \ -print
  • find /path/ -type f -exec chmod 644 \ -print

33
find ALL THE backdoors!!!
  • find /path/ -name php -exec grep fingerprint
    \ -print
  • find /path/ -name php -exec grep fingerprint
    \ -exec rm \ -print

  • (or use chmod 0 instead of rm
    )
  • find /path/ -name php -exec grep
    all\the\things \ -print

34
Destroy ALL THE backdoors!!!
  • find /path/ -name php -exec \
  • grep FilesMan\eval(base64_decode(\eval(gzinfla
    te( \ \
  • -exec chmod 0 \ -or -exec \
  • grep \(base64_decode\)\10,\\\(\\\)\30,\
    \ \
  • -exec sed -i.backup /\(base64_decode\)\10,\\\(
    \\\)\30,\/d \ -print

35
Spot ALL THE differences!
  • Use diff to compare directories.
  • Works best with backups (or just download WP)
  • diff omgfire.com omgfire.com_lastbackup
  • Only in omgfire.com this_could_be_a_backdoor.php
  • Common subdirectories omgfire.com/wp-admin and
    omgfire.com_lastbackup/wp-admin
  • diff omgfire.com/wp-config.php omgfire.com_lastbac
    kup/wp-config.php
  • 1d0
  • lt lt? / this is a little bit of code changed! /
    ?gt

36
Pay for ALL THE fixes!!!
  • The good, the bad and the ugly

37
Preventative

38
Server options
  • Firewall
  • mod_security, cloudflare
  • Database
  • Restrict by hostname

39
Site configuration
  • File Monitoring
  • Stop using FTP
  • HTTPS
  • Lock down directory/file permission

40
Wordpress tricks
  • Enable auto-update
  • Don't login as admin
  • Database table prefix
  • Disable PHP/CGI in upload/include directories
  • Plugins!

41
Security Plugins
Backups Prevention Cleanup Monitoring Authentication
File Monitor plus X
VaultPress X X
Google Auth. Yubikey Etc... X
Exploit Scanner / X
Backup Buddy X
42
Security Services
Backups Prevention Cleanup Monitoring Price
Cloudflare X / Free-205/month
VaultPress X / X 15-350/month
StoptheHacker X Free-100/month
URLvoid.com Various others X Free
Sucuri X X 90-290/month
43
Auditing
44
Who logged in?
  • Via SSH last
  • Via WordPress simple login log plugin

45
Digging in with timestamps.
  • ls -la omgfire.com/backdoor.php
  • -rw-rw-r-- 1 user grp 0 Feb 13 2152
    omgfire.com/backdoor.php
  • grep 2152 logs/omgfire.com/access.log.2012-02-
    13
  • 123.125.71.31 - - 13/Feb/2012215253 -0800
  • "POST /wp-content/plugins/hello.php HTTP/1.1" 200
    158 "-" "Mozilla"

46
Digging in with HTTP logs
  • awk 'print 7' access.log sort uniq -c
    sort -n

47
Digging in with HTTP logs
  • awk 'print 7' access.log sort uniq -c
    sort -n
  • 1 /phpMyAdmin-2.2.3/index.php
  • 1 /phpMyAdmin-2.5.5-pl1/index.php
  • 1 /phpMyAdmin-2.5.5/index.php
  • 1 /phpMyAdmin-2.5.6-rc2/index.php
  • 1 /phpMyAdmin/index.php
  • 1 /phpmyadmin1/index.php
  • 1 /pma/index.php
  • 1 /web/phpMyAdmin/index.php
  • 1 /websql/index.php
  • 2 /phpmyadmin/index.php
  • 4 /robots.txt
  • 242 /

48
Ask your host!
  • You may not be alone.

49
followup
  • Take ownership and post your experience
  • Help the next website owner.

50
Further reading
  • http//codex.wordpress.org/Hardening_WordPress
Write a Comment
User Comments (0)
About PowerShow.com