WordPress Security

Post on 08-May-2015

Category: Technology

TRANSCRIPT

JIGAR PANDYA

WordPress Security

04/11/2023

Know the Environment

LAMP STACK

Linux
Apache
MySQL
PHP

• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• Bare-bones

Know the Application

WordPress Core
Themes
Plugins
End-User

• Today's Problem

Realistic Environment

Linux Operating System
Apache
WordPress, cPanel, Plesk
MySQL
myLittleAdmin, phpMyAdmin, etc.
PHP
Modules

Compared with the bare-bones stack, a real hosted server also carries control panels and database admin tools on top of the LAMP layers, and each of those has its own vulnerabilities to keep track of.

Your Host

Who is your host?

How do you connect to the server? FTP, SFTP, SSH

What security does your host use? Do they use any web security?

What will your host do if you get hacked? Will they shut your site down? Will they kick you off their server? Will they fix it for you?

IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION

Connecting

If you don't need it, disable it
• SFTP / SSH is preferred
• FTP works fine, but it sends your password in the clear; disable it if you're not using it (and don't talk to me if you are)
• FTP/SFTP != WP-ADMIN: file-transfer access and dashboard access are separate doors with separate credentials, and each needs to be locked down

Least Privilege
• You don't have to log in to FTP / SFTP with full root access
• Not everyone needs to be an admin
• You don't need to log in as admin
• The focus is on the role, not the name of the user
• Accountability: kill generic accounts. Who is doing what?

Attack Type

Opportunistic
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think "TimThumb"

Targeted
• Big enterprises with large followings: WordPress.com, WooThemes
• Worth investing time and energy to compromise; bigger return

Automation is KEY

Scan -> Detect -> Exploit -> PWN

• Targeted / Opportunistic
• Vulnerability Scans
• Brute Force / Dictionary Attacks
• DDoS / DoS
• XSS / CSRF
• SQLi
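The brute-force / dictionary step of that automated chain leaves an obvious trace in the web server log: one client, many POSTs to the login endpoints. The following is an added example (not from the slides) that flags those clients in an Apache combined-format access log; the log lines, the IP addresses (documentation ranges) and the threshold are all constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: spot dictionary attacks on a WordPress
# login from an Apache combined-format access log.  The log lines are
# constructed for illustration (203.0.113.0/24 and 198.51.100.0/24 are
# documentation address ranges); the threshold is an assumed tuning knob.

# detect_bruteforce LOGFILE THRESHOLD
# Prints "IP COUNT" for every client with more than THRESHOLD POST requests
# to wp-login.php or xmlrpc.php.  Those are the two endpoints password
# guessers use; xmlrpc.php matters because system.multicall lets a single
# request carry many guesses, so even a low count there deserves a look.
detect_bruteforce() {
    awk -v limit="$2" '
        # Combined log format: $1 client IP, $6 "\"METHOD", $7 request path
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] > limit)
                    print ip, hits[ip]
        }' "$1" | sort
}

# Constructed sample: one real admin logging in twice, one password sprayer
# on wp-login.php, and one client leaning on xmlrpc.php.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
198.51.100.4 - - [08/May/2015:10:00:01 +0000] "GET /wp-login.php HTTP/1.1" 200 2711 "-" "Mozilla/5.0"
198.51.100.4 - - [08/May/2015:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3045 "-" "Mozilla/5.0"
198.51.100.4 - - [08/May/2015:10:00:21 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [08/May/2015:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3045 "-" "python-requests/2.6"
203.0.113.7 - - [08/May/2015:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3045 "-" "python-requests/2.6"
203.0.113.7 - - [08/May/2015:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3045 "-" "python-requests/2.6"
203.0.113.7 - - [08/May/2015:10:01:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3045 "-" "python-requests/2.6"
203.0.113.7 - - [08/May/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3045 "-" "python-requests/2.6"
203.0.113.7 - - [08/May/2015:10:01:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3045 "-" "python-requests/2.6"
203.0.113.7 - - [08/May/2015:10:01:03 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 200 3045 "-" "python-requests/2.6"
203.0.113.7 - - [08/May/2015:10:01:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3045 "-" "python-requests/2.6"
203.0.113.9 - - [08/May/2015:10:02:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/4.0"
203.0.113.9 - - [08/May/2015:10:02:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/4.0"
203.0.113.9 - - [08/May/2015:10:02:02 +0000] "POST /xmlrpc.php HTTP/1.1" 200 418 "-" "Mozilla/4.0"
EOF

detect_bruteforce "$SAMPLE_LOG" 5
```

Run against a real log, the threshold should be set from what normal admin traffic looks like on that site; a legitimate editor mistyping a password a few times is the false positive to avoid, and a fail2ban-style block on the IPs this prints is the usual next step.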

Blacklisting

• Take a chill pill... Not the end of the world
• Detect, Remove, Submit (a review request to the entity that blacklisted you)

The MISTAKE

But why me?!?!?!

Forget the why, look at the how!!


The How

NOTHING FANCY HERE... THE FACTS

"Own one, Own them All"

Today's Exploits

Application (the part you control)
• Injections
• Remote File Inclusion
• Remote File Execution
• Brute Force / Dictionary
• Privilege Escalation

Environment
• Brute Force / Dictionary
• Remote File Inclusion
• Remote File Execution

Top 5 WordPress Infections

• Backdoors: difficult to detect via HTTP
• Injections: easy to detect via HTTP
• Pharma Hack: the owner is the best person to detect it; difficult to detect via HTTP
• Malicious Redirects: easy to detect via HTTP
• Defacements: pretty obvious – you're now supporting the Syrian fight or preaching to your Turkish brothers

"Via HTTP" means what a remote scanner sees in the served pages. A backdoor that never changes a page is invisible to it, which is why file-level scanning on the server itself matters.

Backdoor
• Complete access via shell... kiss all hardening goodbye
• Sad day... Good time to cry...

Link Injection
• Drive-by-download attempt – think Fake AV / fake Adobe updates
• Pharma links – Erectile Dysfunction (Viagra)

Pharma
• Affiliate model
• Multi-million dollar industry
• Generates ~3.5k new clients daily

Defacement
• Hacktivism at its finest
• Awareness to cause

Common Vectors

• Vulnerable Software: often associated with out-of-date software; WordPress themes / plugins, more so than core
• Cross-Site Contamination: "soup kitchen" servers, where many unrelated sites share one account and one compromised site infects the rest
• Compromised Credentials: Password123, Password1, 111111a = not cool
• Remote File Inclusion: leads to remote execution; think TimThumb, Uploadify, etc.

"38% of us Would Rather Clean a Toilet Than Think of a New Password" – Mashable

Make it STOP

SIMPLE IS SO MUCH SWEETER...

"The question isn't who is going to let me; it's who is going to stop me."

The Key is Access

In almost all instances the key is access, whether via:
• WP-ADMIN
• SSH / SFTP (port 22)
• FTP (port 21) => You are dead to me!!! :)
• Remote File Inclusion – vulnerabilities in TimThumb / Uploadify. You can't avoid zero-day events, but you can stay proactive once they are identified.
(This doesn't include environmental issues.)

Myth: removing or renaming the "admin" user is what saves you.
Fact: by the slide's estimate, brute-forcing a 10-character password takes 1,700 years. Today, dictionary attacks are the preferred method. Either way the attacker needs many login attempts against your site, and those attempts are what you should detect and limit. The "administrator" role matters more than the "administrator" or "admin" user name.

This is What Matters - KISS

From an access standpoint:
• Server WAF
• Application WAF
• Two-Factor Authentication
• Strong / Unique Password
• Secure Environment

From a vulnerability standpoint:
• Stay Current
• Use Trusted Sources
• Avoid Soup Kitchen Servers
• Separate Staging from Production
• Secure Environment

My Advice

To the Average Joe:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config (the AUTH_KEY, SECURE_AUTH_KEY, LOGGED_IN_KEY and NONCE_KEY constants and their *_SALT counterparts; generate fresh values from https://api.wordpress.org/secret-key/1.1/salt/)
5. Use Trusted Sources
6. Use a local Antivirus – Yes, Macs need one
7. Verify your permissions – D 755 | F 644
8. Least Privilege
9. Kill generic accounts – Accountability
10. Backup your site – yes, the Database too

To the Paranoid / Lucky:
1. Don't let WordPress write to itself (files owned by a deploy user, with the web server user able to write only where it must, such as wp-content/uploads)
2. Filter by IP: SSH Access, WP-ADMIN Access, Database Access
3. Use a dedicated server / VPS
4. Employ a WAF / Logging Solution
5. Enable SSL
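Item 7 of the first list ("D 755 | F 644") and item 1 of the second ("don't let WordPress write to itself") are both checkable with a few find invocations. The following is an added example, not from the slides, that audits a WordPress tree against those rules; it relies on GNU find's -printf, and the tree it scans is constructed under mktemp purely for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: check a WordPress tree against the
# "directories 755, files 644" rule and report everything looser, including
# the world-writable files that let a neighbour on a shared host write into
# your site.  Uses GNU find's -printf; the tree is constructed under mktemp
# for illustration, so point WP_ROOT at a real install to use it.

# audit_perms WP_ROOT
# One line per finding: "DIR <mode> <path>" for a directory that is not 755,
# "FILE <mode> <path>" for a file that is not 644, and "WORLD-WRITABLE ..."
# for anything others can write.  wp-config.php holds the database password,
# so 600 or 640 is accepted for it (and preferable where the host allows it).
audit_perms() {
    root="$1"
    {
        find "$root" -type d ! -perm 755 -printf 'DIR %m %p\n'
        find "$root" -type f ! -name wp-config.php ! -perm 644 -printf 'FILE %m %p\n'
        find "$root" -type f -name wp-config.php \
            ! -perm 644 ! -perm 640 ! -perm 600 -printf 'FILE %m %p\n'
        find "$root" -perm -o+w -printf 'WORLD-WRITABLE %m %p\n'
    } | sort
}

# Constructed sample tree: a mostly correct install where someone "fixed" a
# plugin directory with chmod 777 and left a world-writable PHP file in it.
WP_ROOT=$(mktemp -d)
mkdir -p "$WP_ROOT/wp-content/uploads" "$WP_ROOT/wp-content/plugins/loose"
: > "$WP_ROOT/index.php"
: > "$WP_ROOT/wp-config.php"
: > "$WP_ROOT/wp-content/plugins/loose/shell.php"
chmod 755 "$WP_ROOT" "$WP_ROOT/wp-content" "$WP_ROOT/wp-content/uploads" \
    "$WP_ROOT/wp-content/plugins"
chmod 644 "$WP_ROOT/index.php"
chmod 640 "$WP_ROOT/wp-config.php"
chmod 777 "$WP_ROOT/wp-content/plugins/loose"
chmod 666 "$WP_ROOT/wp-content/plugins/loose/shell.php"

audit_perms "$WP_ROOT"
```

Mode bits are only half of "don't let WordPress write to itself": the other half is ownership, which this audit does not check because it varies by host (suPHP-style hosts run PHP as your own user, so the web server user and the owner are the same account). On a VPS where you control that, the core, theme and plugin files should belong to a deploy user, not to the account Apache runs as.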

Kill PHP Execution

The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice. Recommendation: wp-includes and wp-content/uploads. It only works where Apache is configured to honour .htaccess (AllowOverride), and "Deny from all" is the Apache 2.2 form; on Apache 2.4 the native directive is "Require all denied" and the old form needs mod_access_compat.

# PROTECT [Directory Name]
<Files *.php>
Deny from all
</Files>
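The rule above stops Apache serving a *.php request from the uploads directory, which is the TimThumb/Uploadify case of a script smuggled in through an upload form. It does nothing about a file that is already there under an image name and gets included by another vulnerable script. The following added example (not from the slides) writes the .htaccess in both the 2.2 and 2.4 forms and then scans the same directory for PHP by extension and by content; the sample uploads directory is constructed under mktemp for illustration.

```shell
#!/bin/sh
# Added example, not from the slides: apply the "kill PHP execution" rule to
# wp-content/uploads and then hunt for PHP that is already sitting there.
# The .htaccess only helps where Apache honours it (AllowOverride) and only
# for requests that name a *.php file directly; a webshell saved as photo.jpg
# and pulled in by another vulnerable script never hits that rule, which is
# why the content scan looks at every file.  The tree is constructed under
# mktemp for illustration.

# write_no_php_htaccess DIR
# Drops an .htaccess that refuses every *.php request under DIR, with the
# Apache 2.2 directive from the slide and the 2.4 equivalent side by side.
write_no_php_htaccess() {
    cat > "$1/.htaccess" <<'EOF'
# PROTECT uploads: never serve PHP from here
<Files "*.php">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# find_php_in_uploads DIR
# Lists files under DIR that carry a PHP extension or contain a PHP open
# tag whatever their extension; both are backdoor indicators in uploads.
find_php_in_uploads() {
    {
        find "$1" -type f \( -iname '*.php' -o -iname '*.phtml' -o -iname '*.php[3-7]' \)
        grep -rl -e '<?php' -e '<?=' "$1"
    } | sort -u
}

# Constructed sample: a benign image, a plainly named PHP file, and a GIF/PHP
# polyglot that a check on *.php names alone would never see.
UPLOADS=$(mktemp -d)
printf 'GIF89a' > "$UPLOADS/banner.gif"
printf '<?php echo "hello"; ?>' > "$UPLOADS/cache.php"
printf 'GIF89a<?php phpinfo(); ?>' > "$UPLOADS/photo.jpg"

write_no_php_htaccess "$UPLOADS"
find_php_in_uploads "$UPLOADS"
```

Anything the scan prints from a real uploads directory is worth a look before the .htaccess goes in, because the block stops the file being served but does not remove it; and on nginx, or wherever AllowOverride is off, the same rule has to live in the server configuration instead.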

Disable Plugin/Theme Editor

Add this to wp-config.php (above the "That's all, stop editing!" line). If a user account is compromised, the attacker can't use the dashboard editor to write into theme or plugin files. Note that this only removes the editor; pair it with DISALLOW_FILE_MODS if you also want to block plugin and theme installs and updates from the dashboard.

# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);

Recommended Plugins

Clients
• Sucuri Security Premium
• Duo Two-Factor Authentication
• Theme-Check
• BackupBuddy
• Akismet

Non-Clients
• Duo Two-Factor Authentication
• Limit Login Attempts
• Theme-Check
• BackupBuddy
• Akismet

Know Where to Go, If... It Happens

Support Forums
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org

Online Resources
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Perishable Press: http://perishablepress.com/category/web-design/security/
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

Blacklist Entities

• Google (Chrome, Firefox, Search Engine Results Page (SERP)): http://www.google.com/webmaster/tools and http://www.google.com/safebrowsing/diagnostic?site=[your site]
• Bing (Internet Explorer, Yahoo): http://www.bing.com/toolbox/webmaster/
• Norton SafeWeb (browsing, Facebook): http://safeweb.norton.com/
• AVG (Opera): http://www.avgthreatlabs.com/sitereports/

Jigar Pandya

http://www.zealousweb.com
http://youritcoach.wordpress.com