wordpress security - the "no-bs" version
DESCRIPTION
A presentation I put together for WordCamp Chicago 2012.
TRANSCRIPT
The “No-BS” Version
WORDPRESS SECURITY
04/11/2023@PEREZBOX @SUCURI_SECURITY @TONYONSECURITY #WCCHX
SUCURI@WORDCAMP
# WHOIS PEREZBOX
• Name: Tony Perez
• Street name: The Hulk
• Handle: Perezbox
• Company: Sucuri
• Occupation: Executive / Owner
• Likes: Guns, InfoSec, Harleys, MMA
• Personality: Rational / Objective = Turd
• Location: Menifee, California
TODAY’S CHALLENGES
• Administration
• Extensibility
• Credentials
• End-users
• Education
KNOWLEDGE
Check yourself before you wreck yourself
“The user’s going to pick dancing pigs over security every time.” - Bruce Schneier
KNOW THE ENVIRONMENT
LAMP STACK: Linux, Apache, MySQL, PHP
• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• Bare-bones
KNOW THE APPLICATION
WordPress: Core, Themes, Plugins, End-User
• Today’s Problem
REALISTIC ENVIRONMENT
Linux Operating System
Apache
WordPress, cPanel, Plesk
MySQL
myLittleAdmin, phpMyAdmin, etc.
PHP
Modules
YOUR HOST
• Who is your host?
• How do you connect to the server?
  • FTP, SFTP, SSH
• What security does your host use? Do they use any web security?
• What will your host do if you get hacked?
  • Will they shut your site down?
  • Will they kick you off their server?
  • Will they fix it for you?
IF YOU DON’T KNOW WHAT YOU’RE DOING, GO WITH A MANAGED SOLUTION
CONNECTING
• If you don’t need it, disable it
  • SFTP / SSH is preferred
  • FTP works fine – disable it if you’re not using it; don’t talk to me if you are
  • FTP/SFTP != WP-ADMIN
• Least Privilege
  • You don’t have to log in to FTP / SFTP with full root access
  • Not everyone needs to be an admin
  • You don’t need to log in as admin
  • The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?
ATTACK TYPE
Targeted:
• Big enterprises with large followings:
  • WordPress.com
  • WooThemes
• Worth investing time and energy to compromise, bigger return
Opportunistic:
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think “TimThumb”
AUTOMATION IS KEY
Automation: Scan → Detect → Exploit → PWN
• Targeted / Opportunistic
• Vulnerability Scans
• Brute Force / Data Dictionary Attacks
• DDoS / DoS
• XSS / CSRF
• SQLi
BLACKLISTING
• Take a chill pill… not the end of the world
• Detect, Remove, Submit
THE MISTAKE
• But why me?!?!?!
• Forget the why, look at the how!!
THE HOW
Nothing fancy here… the facts
“Own one, own them all”
TODAY’S EXPLOITS
Application / Environment / You Control
• Privilege Escalation
• Brute Force / Data Dictionary
• Remote File Include
• Remote File Execution
• Injections

• Remote File Inclusion
• Remote File Execution
• Brute Force / Data Dictionary
TOP 5 WORDPRESS INFECTIONS
• Backdoors
  • Difficult to detect via HTTP
• Injections
  • Easy to detect via HTTP
• Pharma Hack
  • Best person to detect is the owner; difficult to detect via HTTP
• Malicious Redirects
  • Easy to detect via HTTP
• Defacements
  • Pretty obvious – you’re now supporting the Syrian fight or preaching to your Turkish brothers
BACKDOOR
• Complete access via shell… kiss all hardening goodbye
• Sad day… good time to cry…
LINK INJECTION
• Drive-by-download attempt – think Fake AV / Adobe
• Pharma links – erectile dysfunction (Viagra)
PHARMA
• Affiliate model
• Multi-million dollar industry
• Generates ~3.5k new clients daily
DEFACEMENT
• Hacktivism at its finest
• Awareness to cause
COMMON VECTORS
• Vulnerable Software
  • Often associated with out-of-date software
  • WordPress themes / plugins, more so than core
• Cross-Site Contamination
  • Soup Kitchen Servers
• Compromised Credentials
  • Password123, Password1, 111111a = not cool
• Remote File Inclusion
  • Leads to remote execution
  • Think TimThumb, Uploadify, etc.
“38% of us Would Rather Clean a Toilet Than Think of New Password” - Mashable
MAKE IT STOP
Simple is so much sweeter…
“The question isn't who is going to let me; it's who is going to stop me.”
THE KEY IS ACCESS
• In almost all instances the key is access, whether via:
  • WP-ADMIN
  • SSH / SFTP (Port 22)
  • FTP (Port 21) => You are dead to me!!! :)
  • Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – you can’t avoid zero-day events, but you can stay proactive once they are identified
  • Doesn’t include environmental issues
• Myth: Remove Admin
  • Fact: cracking a 10-character password takes 1,700 years via brute force. Today, dictionary attacks are the preferred method. Either way, it requires multiple scan attempts.
  • The “administrator” role matters more than the “administrator” or “admin” user name.
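The slide makes the point that brute-force and dictionary attacks on wp-admin need many attempts, which is exactly what makes them visible in the web server log. The script below is an added example, not part of the presentation: it reads an Apache combined-format access log and lists clients that POSTed to wp-login.php more than a threshold number of times. The log lines in sample_log are constructed for the demo using RFC 5737 documentation addresses; the file path in the usage line is an assumption.

```shell
#!/bin/sh
# Added example (not from the slides): flag clients hammering wp-login.php,
# the signature of the brute-force / dictionary attempts the slide describes,
# from an Apache combined-format access log. The log lines in sample_log are
# constructed for the demo (RFC 5737 documentation addresses).

# Print "count ip" for every client with more than $2 POSTs to wp-login.php
# (default 10), busiest first. $1 is the log file, or "-" for stdin.
login_bursts() {
    awk -v max="${2:-10}" '
        # combined format: ip - - [time zone] "METHOD path proto" status bytes ...
        # so $6 is the opening quote plus the method and $7 is the request path.
        $6 == "\"POST" && $7 ~ /^\/wp-login\.php/ { hits[$1]++ }
        END { for (ip in hits) if (hits[ip] > max) print hits[ip], ip }
    ' "$1" | sort -rn
}

# Constructed sample: twelve rapid POSTs from one address, one legitimate
# login (POST then a 302 into wp-admin) from another, and a plain GET of
# the login page from a third.
sample_log() {
    i=1
    while [ "$i" -le 12 ]; do
        printf '203.0.113.5 - - [10/Jun/2012:10:00:%02d +0000] "POST /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"\n' "$i"
        i=$((i + 1))
    done
    printf '198.51.100.7 - - [10/Jun/2012:10:01:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"\n'
    printf '198.51.100.7 - - [10/Jun/2012:10:01:03 +0000] "GET /wp-admin/ HTTP/1.1" 200 8817 "-" "Mozilla/5.0"\n'
    printf '192.0.2.9 - - [10/Jun/2012:10:02:00 +0000] "GET /wp-login.php HTTP/1.1" 200 1523 "-" "Mozilla/5.0"\n'
}

# Usage: sh login_bursts.sh /var/log/apache2/access.log [threshold]   or   --demo
case "${1:-}" in
    --demo) sample_log | login_bursts - 10 ;;
    "")     ;;                            # no argument: only define the functions
    *)      login_bursts "$1" "${2:-10}" ;;
esac
```

Run with --demo and only 203.0.113.5 is reported; the legitimate user and the GET-only visitor stay below the threshold. Pick the threshold from your own traffic, since a single real user rarely fails a login more than a handful of times in a row, and feed the output to whatever blocks at the WAF or firewall rather than relying on the application alone.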
THIS IS WHAT MATTERS - KISS
From an access standpoint:
• Server WAF
• Application WAF
• Two-Factor Authentication
• Strong / Unique Password
• Secure Environment
From a vulnerability standpoint:
• Stay Current
• Use Trusted Sources
• Avoid Soup Kitchen Servers
• Separate Staging from Production
• Secure Environment
MY ADVICE
To the Average Joe:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – yes, Macs need one
7. Verify your permissions - D 755 | F 644
8. Least Privilege
9. Kill generic accounts - Accountability
10. Backup your site – yes, the database too
To the Paranoid / Lucky:
1. Don’t let WordPress write to itself
2. Filter by IP
  • SSH Access
  • WP-ADMIN Access
  • Database Access
3. Use a dedicated server / VPS
4. Employ a WAF / Logging Solution
5. Enable SSL
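Three items of the Average Joe list can be checked mechanically: PHP files sitting where PHP should never execute (item 1), the theme/plugin editor still enabled (item 2), and permissions other than D 755 / F 644 (item 7). The audit script below is an added example and not from the presentation; the docroot layout it assumes is the standard wp-content/uploads, wp-includes and wp-config.php, and the sample tree built by make_fixture is constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the slides): audit a WordPress docroot against three
# items of the "Average Joe" list: PHP files under uploads (item 1), the
# theme/plugin editor left enabled (item 2), and permissions other than
# D 755 / F 644 (item 7). The tree built by make_fixture is constructed.

# Item 7: directories that are not 755, files that are not 644.
bad_perms() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -perm 644 -print
}

# Item 1 (and the backdoor slide): PHP files under wp-content/uploads.
# Nothing in uploads should be PHP; anything found there deserves a look.
php_in_uploads() {
    find "$1/wp-content/uploads" -type f -name '*.php' -print 2>/dev/null
}

# Item 2: is DISALLOW_FILE_EDIT defined as true in wp-config.php?
file_edit_disabled() {
    grep -Eiq "define[(][[:space:]]*.DISALLOW_FILE_EDIT.[[:space:]]*,[[:space:]]*true[[:space:]]*[)]" \
        "$1/wp-config.php" 2>/dev/null
}

# One line per finding; empty output means all three checks pass.
wp_audit() {
    bad_perms "$1"      | sed 's/^/PERM            /'
    php_in_uploads "$1" | sed 's/^/PHP-IN-UPLOADS  /'
    file_edit_disabled "$1" || echo "CONFIG          DISALLOW_FILE_EDIT is not true in wp-config.php"
}

# Number of findings, for scripting (0 = clean).
finding_count() {
    wp_audit "$1" | wc -l | tr -d ' '
}

# Constructed sample docroot with one deliberate problem per check.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads/2012/06" "$d/wp-includes"
    printf '<?php\n' > "$d/wp-includes/version.php"
    printf '<?php /* constructed sample: a PHP file that does not belong here */\n' \
        > "$d/wp-content/uploads/2012/06/image.php"
    printf '<?php\ndefine( "DB_NAME", "wp" );\n' > "$d/wp-config.php"   # editor not disabled
    find "$d" -type d -exec chmod 755 {} +
    find "$d" -type f -exec chmod 644 {} +
    chmod 777 "$d/wp-content/uploads/2012/06"      # world-writable directory
    chmod 664 "$d/wp-includes/version.php"         # group-writable core file
    echo "$d"
}

# Usage: sh wp_audit.sh /path/to/wordpress   or   sh wp_audit.sh --demo
case "${1:-}" in
    --demo) root=$(make_fixture); wp_audit "$root"; rm -rf "$root" ;;
    "")     ;;                            # no argument: only define the functions
    *)      wp_audit "$1" ;;
esac
```

The demo tree produces four findings (two permission deviations, one PHP file in uploads, one config gap); fixing each brings the count to zero. A non-zero exit from a cron job wrapping finding_count is a cheap way to notice drift, including the uploads case that the slides say is hard to spot over HTTP.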
KILL PHP EXECUTION
• The idea is not to let them execute any PHP files. You do so by adding this to an .htaccess file in the directory of choice. Recommendation:
  • WP-INCLUDES
  • UPLOADS

# PROTECT [Directory Name]
<Files *.php>
    Deny from all
</Files>
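"Deny from all" is Apache 2.2 syntax; on Apache 2.4 it only works when mod_access_compat is loaded, and the native form is "Require all denied". The script below is an added example, not from the presentation: it writes a rule carrying both forms (each inside an IfModule test) into the two directories the slide recommends, skipping any .htaccess that already has it, and reports which directories are covered. The marker comment, the FilesMatch pattern and the directory list are my choices, not WordPress or Sucuri conventions.

```shell
#!/bin/sh
# Added example (not from the slides): install the "kill PHP execution" rule
# into wp-includes and wp-content/uploads. The .htaccess content carries the
# slide's Apache 2.2 "Deny from all" and the Apache 2.4 "Require all denied"
# form, each inside an <IfModule> so the file is valid on either version.

php_deny_rule() {
    cat <<'EOF'
# PROTECT: no PHP may be served from this directory
<FilesMatch "\.(php|phtml|php[0-9])$">
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order deny,allow
        Deny from all
    </IfModule>
</FilesMatch>
EOF
}

MARKER='^# PROTECT: no PHP'
PROTECTED_DIRS='wp-includes wp-content/uploads'

# Append the rule to .htaccess in each protected directory under docroot $1.
# Idempotent: a directory whose .htaccess already carries the marker is skipped.
install_php_deny() {
    for sub in $PROTECTED_DIRS; do
        dir="$1/$sub"
        if [ ! -d "$dir" ]; then
            echo "skip: $dir does not exist"
        elif grep -q "$MARKER" "$dir/.htaccess" 2>/dev/null; then
            echo "ok:   $dir already protected"
        else
            php_deny_rule >> "$dir/.htaccess"
            echo "done: $dir"
        fi
    done
}

# Report each protected directory; exit status 0 only when all carry the rule.
php_deny_status() {
    missing=0
    for sub in $PROTECTED_DIRS; do
        if grep -q "$MARKER" "$1/$sub/.htaccess" 2>/dev/null; then
            echo "protected:   $sub"
        else
            echo "unprotected: $sub"
            missing=$((missing + 1))
        fi
    done
    [ "$missing" -eq 0 ]
}

# Usage: sh php_deny.sh /path/to/wordpress   or   sh php_deny.sh --demo
case "${1:-}" in
    --demo)
        root=$(mktemp -d)                         # constructed throwaway docroot
        mkdir -p "$root/wp-includes" "$root/wp-content/uploads"
        install_php_deny "$root"; php_deny_status "$root"
        cat "$root/wp-content/uploads/.htaccess"; rm -rf "$root" ;;
    "") ;;                                        # no argument: only define the functions
    *)  install_php_deny "$1"; php_deny_status "$1" ;;
esac
```

The rule only takes effect if the server's AllowOverride for the docroot permits these directives in .htaccess, so confirm with a request for a PHP file in uploads (expect 403) after installing. Older WordPress releases served a script from inside wp-includes for the visual editor, so check that the editor still works after protecting that directory, and keep the site's own .htaccess in version control so the change is reviewable.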
DISABLE PLUGIN/THEME EDITOR
• Add to wp-config – if a user is compromised they won’t be able to add anything to the core theme or plugin files.

# Disable Plugin / Theme Editor
define( 'DISALLOW_FILE_EDIT', true );
RECOMMENDED PLUGINS
Clients:
• Duo Two-Factor Authentication
• Theme-Check
• BackupBuddy
• Akismet
Non-Clients:
• Duo Two-Factor Authentication
• Limit Login Attempts
• Theme-Check
• BackupBuddy
• Akismet
• Sucuri Security Premium
KNOW WHERE TO GO, IF… IT HAPPENS
Support Forums:
• Hacked – http://wordpress.org/tags/hacked
• Malware – http://wordpress.org/tags/malware
• BadwareBusters – https://badwarebusters.org
Online Resources:
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Perishable Press: http://perishablepress.com/category/web-design/security/
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
BLACKLIST ENTITIES
• Google
  • Chrome, Firefox
  • Search Engine Results Page (SERP)
  • http://www.google.com/webmaster/tools
  • http://www.google.com/safebrowsing/diagnostic?site=[your site]
• Bing
  • Internet Explorer
  • Yahoo
  • http://www.bing.com/toolbox/webmaster/
• Norton
  • SafeWeb Browsing
  • http://safeweb.norton.com/
• AVG
  • Opera
  • http://www.avgthreatlabs.com/sitereports/
Sucuri
Tony Perez
http://sucuri.net
http://blog.sucuri.net
http://perezbox.com & http://tonyonsecurity.com
@perezbox and @tonyonsecurity