4. KNOWLEDGE
Check yourself before you wreck yourself
3/15/2014@PEREZBOX @SUCURI_SECURITY #WCCHX 4
“The user’s going to pick dancing pigs over security every time.”
- Bruce Schneier
5. IT’S ABOUT RISK REDUCTION!!!
• Forget the “Why”
  • Why is this happening to me?
• Focus on the “How”
  • How do I protect myself?
Your risk will never be 0%
6. DEFENSE IN DEPTH
• Layered Defenses
“…a concept in which multiple layers of security controls
(defenses) are placed throughout an information technology
(IT) system. Its intent is to provide redundancy in the event a
security control fails or a vulnerability is exploited…”
7. KNOW THE ENVIRONMENT: LAMP STACK
Linux
Apache
MySQL
PHP
• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• .org implementations, not .com
9. ASK QUESTIONS…
• Host:
  • What happens if I get hacked and you detect it before I do?
  • What backup solution do you offer me?
  • What security protocols do you have in place to protect me?
• Designer / Developer:
  • Are you following all the appropriate coding best practice guidelines found in the Codex?
  • Has your code ever been independently reviewed?
  • How will my website be maintained after the project completion?
  • Who will be responsible for updating my theme / plugin / core when the project is complete?
  • Are my files being backed up in the event of a catastrophe?
10. TODAY’S RELEVANT ATTACK VECTORS
• Access Control
  • Brute Force
• Software Vulnerabilities
  • Vulnerability Scanners
• Denial of Service (DoS)
  • Distributed / Non-Distributed
11. ACCESS CONTROL
Challenges
• Access is King for attackers, and website owners make it too easy
• Facilitated through Poor Passwords
• Little Attention to Access Controls
• Applies to all entry points – email, cpanel, FTP / SFTP, etc…
Solutions
• Two factor / Multi-Factor Authentication
• IP White Listing
• Throttling Access Attempts
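The “Throttling Access Attempts” and “IP White Listing” solutions above, as an added example (not code from the talk, from Sucuri or from WordPress): a per-IP failed-login throttle that locks a source out after too many failures inside a window and never throttles allow-listed addresses. The class name `LoginThrottle`, its parameters and the addresses used in `simulate()` are assumptions; the scenario is constructed.

```python
"""Per-IP throttle for authentication attempts with lockout and allow list.
Added example; not a WordPress or Sucuri API. Times are plain seconds so the
scenario can be replayed deterministically."""
import time
from collections import deque


class LoginThrottle:
    def __init__(self, max_attempts=5, window=300, lockout=900, allow_list=()):
        self.max_attempts = max_attempts   # failures tolerated inside `window`
        self.window = window               # seconds over which failures are counted
        self.lockout = lockout             # seconds an IP stays blocked once it trips
        self.allow_list = set(allow_list)  # the slide's "IP White Listing"
        self._failures = {}                # ip -> deque of failure timestamps
        self._locked_until = {}            # ip -> timestamp when the lockout ends

    def _recent_failures(self, ip, now):
        """Drop failures older than the window and return what is left."""
        q = self._failures.setdefault(ip, deque())
        while q and now - q[0] > self.window:
            q.popleft()
        return q

    def allowed(self, ip, now=None):
        """True if this IP may attempt to log in right now."""
        now = time.time() if now is None else now
        if ip in self.allow_list:
            return True
        return self._locked_until.get(ip, 0) <= now

    def record_failure(self, ip, now=None):
        """Count a failed attempt; trip the lockout once the limit is reached."""
        now = time.time() if now is None else now
        if ip in self.allow_list:
            return
        q = self._recent_failures(ip, now)
        q.append(now)
        if len(q) >= self.max_attempts:
            self._locked_until[ip] = now + self.lockout
            q.clear()  # the lockout itself is the penalty; start counting afresh after it

    def record_success(self, ip):
        """A successful login clears the IP's history."""
        self._failures.pop(ip, None)
        self._locked_until.pop(ip, None)


def simulate():
    """Constructed scenario (RFC 5737 addresses): a guessing host and an allow-listed admin host."""
    t = LoginThrottle(max_attempts=3, window=60, lockout=120, allow_list={"192.0.2.9"})
    result = {}
    for second in range(3):                      # three failures in three seconds
        t.record_failure("203.0.113.5", now=second)
    result["attacker_locked"] = not t.allowed("203.0.113.5", now=10)
    result["attacker_released"] = t.allowed("203.0.113.5", now=130)   # lockout ended at 2 + 120
    for second in range(10):                     # the admin's fat-fingered attempts
        t.record_failure("192.0.2.9", now=second)
    result["admin_still_allowed"] = t.allowed("192.0.2.9", now=10)
    return result


if __name__ == "__main__":
    print(simulate())
```

Keying on the source IP alone is deliberate: a per-username counter would let an attacker lock real users out, which turns a brute-force control into a denial-of-service lever.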
12. SOFTWARE VULNERABILITIES
Challenges
• Very difficult for non-technical people
• Users refuse to update, some cannot
• Soup Kitchen Servers
• Too many attackers with too much time
• Zero Days
Solutions
• Website Firewall – SaaS based
• Stay current with the latest vulnerability releases
• Apply updates to the entire stack when available
• Keep only what you need on the server (production)
13. DENIAL OF SERVICE VS BRUTE FORCE
• Educational Post: http://blog.sucuri.net/2014/03/understanding-denial-of-service-and-brute-force-attacks-wordpress-joomla-drupal-vbulletin.html
• Differentiating Factor = Intent
  • Disruption of Services vs Gaining Access
• Both important in their own Right
Headlines cited on the slide:
“Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute”
“More than 162,000 WordPress Sites Used for Distributed Denial of Service Attack (DDOS)”
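The intent distinction the slide draws, turned into detection logic as an added example (not code from the talk or from Sucuri): a small Python classifier reads Apache-style access log lines and labels each client IP as brute force (repeated POSTs to wp-login.php, i.e. trying to gain access) or flood (a high request rate to anything, i.e. trying to disrupt). The thresholds, the function names and the log lines produced by `build_sample_log()` are constructed assumptions to be tuned per site, not real traffic.

```python
"""Label per-IP activity in Apache-style access logs as brute force or flood.
Added example: the slide's 'intent' distinction turned into detection logic.
Log lines are constructed; thresholds are assumptions to tune per site."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "METHOD path proto" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return a dict for a well-formed line, None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m["ip"], "ts": datetime.strptime(m["ts"], TS_FMT),
            "method": m["method"], "path": m["path"], "status": int(m["status"])}


def max_in_window(times, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def classify(lines, window=timedelta(minutes=1), login_threshold=5, flood_threshold=20):
    """Map each client IP to 'brute-force', 'flood' or 'normal'.
    Brute force is checked first: a password-guessing host also produces volume,
    but its intent (gaining access) is what decides the response."""
    per_ip = defaultdict(list)
    for event in filter(None, map(parse_line, lines)):
        per_ip[event["ip"]].append(event)
    verdicts = {}
    for ip, events in per_ip.items():
        login_posts = [e["ts"] for e in events
                       if e["method"] == "POST" and e["path"].startswith("/wp-login.php")]
        all_requests = [e["ts"] for e in events]
        if max_in_window(login_posts, window) >= login_threshold:
            verdicts[ip] = "brute-force"
        elif max_in_window(all_requests, window) >= flood_threshold:
            verdicts[ip] = "flood"
        else:
            verdicts[ip] = "normal"
    return verdicts


def build_sample_log():
    """Constructed traffic (RFC 5737 documentation addresses), not a real capture."""
    base = datetime(2014, 3, 15, 10, 0, 0, tzinfo=timezone.utc)

    def line(ip, offset_s, method, path, status=200):
        ts = (base + timedelta(seconds=offset_s)).strftime(TS_FMT)
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512'

    lines = []
    # password guessing: 8 login POSTs in about 30 seconds, each answered with a redirect
    lines += [line("203.0.113.5", 4 * i, "POST", "/wp-login.php", 302) for i in range(8)]
    # flood: 25 GETs to the search page in 25 seconds
    lines += [line("198.51.100.7", i, "GET", "/?s=a") for i in range(25)]
    # ordinary visitor: 3 page views spread over 3 minutes
    lines += [line("192.0.2.9", 90 * i, "GET", "/about/") for i in range(3)]
    lines.append("garbage line that does not parse")  # parser must skip this
    return lines


if __name__ == "__main__":
    for ip, verdict in sorted(classify(build_sample_log()).items()):
        print(f"{ip:15} {verdict}")
```

The sliding window is what keeps the two cases apart: the guessing host never reaches the flood threshold, and the flooding host never touches wp-login.php, so each gets the response that matches its intent (lockout versus rate limiting or upstream filtering).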
14. CONNECTING
• If you don’t need it, disable it
  • SFTP / SSH is preferred
  • FTP works fine – disable it if you’re not using it, don’t talk to me if you are
  • FTP/SFTP != WP-ADMIN
• Least Privileged
  • You don’t have to log in to FTP / SFTP with full root access
  • Everyone doesn’t need to be an admin
  • You don’t need to log in as admin
  • The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?
16. ATTACK TYPE
Opportunistic
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think “TimThumb”
Targeted
• Big enterprises with large followings
• Big Name
• Worth investing time and energy to compromise, bigger return
18. THE HOW
Nothing fancy here... The facts
“Own one Own them All”
19. TOP SECURITY ISSUES TODAY
• Backdoors
• Injections
• Pharma Hack
• SEO SPAM
• Malicious Redirects
• Defacements
• Form Abuse
• SPAM Emails
• Compromised web servers
20. THINGS YOU CAN DO TO REDUCE RISK
The Bare Minimum:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – Yes, Macs need one
7. Verify your permissions – D 755 | F 644
8. Least Privileged
9. Kill generic accounts – Accountability
10. Backup your site – yes, Database too
Ideal implementations:
1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers
21. KILL PHP EXECUTION
• The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice. Recommendation:
  • WP-INCLUDES
  • UPLOADS
#PROTECT [Directory Name]
# Apache 2.2 syntax; on Apache 2.4 without mod_access_compat use "Require all denied" instead
<Files *.php>
Deny from all
</Files>
22. DISABLE PLUGIN/THEME EDITOR
• Add to wp-config – if a user is compromised they won’t be able to add anything to the core theme or plugin files.
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
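Slides 20 to 22 together describe three things a site owner can verify on disk: the D 755 | F 644 permissions, the .htaccess rule that blocks PHP execution in wp-includes and uploads, and DISALLOW_FILE_EDIT in wp-config. As an added example (not code from the talk, from Sucuri or from WordPress), the Python audit below runs those three checks over a site tree and reports what is missing. The function names and the temporary tree built by `build_sample_site()` are assumptions; the check accepts both the Apache 2.2 “Deny from all” form shown on the slide and the 2.4 “Require all denied” form.

```python
"""Audit a WordPress tree for three hardening items from the slides:
permissions (D 755 | F 644), PHP execution blocked in wp-includes and uploads,
and DISALLOW_FILE_EDIT in wp-config.php. Added example, not WordPress or Sucuri code."""
import os
import re
import stat
import tempfile
from pathlib import Path

# Directories the slide recommends protecting with the <Files *.php> rule
PROTECTED_DIRS = ("wp-includes", "wp-content/uploads")
# Apache 2.2 form shown on the slide and the Apache 2.4 equivalent
DENY_PATTERNS = (r"Deny\s+from\s+all", r"Require\s+all\s+denied")


def check_permissions(root):
    """Return (relative path, octal mode) for every entry that is not D 755 / F 644."""
    root = Path(root)
    findings = []
    for p in root.rglob("*"):
        mode = stat.S_IMODE(p.stat().st_mode)
        expected = 0o755 if p.is_dir() else 0o644
        if mode != expected:
            findings.append((str(p.relative_to(root)), oct(mode)))
    return sorted(findings)


def php_execution_blocked(htaccess_text):
    """True if a <Files *.php> block denies all access in either Apache syntax."""
    block = re.search(r"<Files\s+\*\.php>(.*?)</Files>", htaccess_text, re.I | re.S)
    if not block:
        return False
    return any(re.search(pat, block.group(1), re.I) for pat in DENY_PATTERNS)


def check_php_execution(root):
    """Return the protected directories whose .htaccess does not block *.php."""
    unprotected = []
    for d in PROTECTED_DIRS:
        ht = Path(root) / d / ".htaccess"
        text = ht.read_text() if ht.is_file() else ""
        if not php_execution_blocked(text):
            unprotected.append(d)
    return unprotected


def file_edit_disabled(root):
    """True if wp-config.php defines DISALLOW_FILE_EDIT as true."""
    cfg = Path(root) / "wp-config.php"
    if not cfg.is_file():
        return False
    pattern = r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)"
    return re.search(pattern, cfg.read_text(), re.I) is not None


def audit(root):
    """Collect all three checks in one report."""
    return {
        "bad_permissions": check_permissions(root),
        "php_exec_allowed_in": check_php_execution(root),
        "file_edit_disabled": file_edit_disabled(root),
    }


def build_sample_site(hardened):
    """Constructed WordPress-like tree in a temp dir (hypothetical layout, not a real install)."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    for d in ("wp-includes", "wp-content/uploads", "wp-content/plugins"):
        (root / d).mkdir(parents=True)
    config = "<?php\n"
    if hardened:
        config += "# Disable Plugin / Theme Editor\ndefine('DISALLOW_FILE_EDIT', true);\n"
        for d in PROTECTED_DIRS:
            (root / d / ".htaccess").write_text(
                f"#PROTECT {d}\n<Files *.php>\nDeny from all\n</Files>\n")
    config += "define('DB_NAME', 'example');\n"
    (root / "wp-config.php").write_text(config)
    # a PHP file sitting in uploads, which the .htaccess rule should keep from running
    (root / "wp-content/uploads/stray.php").write_text("<?php echo 'uploaded';\n")
    # normalise every entry to the slide's D 755 | F 644 ...
    for p in root.rglob("*"):
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
    if not hardened:  # ... except one world-writable file in the weak tree
        os.chmod(root / "wp-content/uploads/stray.php", 0o777)
    return root


if __name__ == "__main__":
    for label in ("hardened", "weak"):
        print(label, audit(build_sample_site(label == "hardened")))
```

Run `audit()` against the real document root (as the web server's user, so the stat calls see what Apache sees); an empty `bad_permissions` list and an empty `php_exec_allowed_in` list with `file_edit_disabled` true means the three slide items are in place.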
23. SECURITY CONFIGURATIONS
My Setup
• Detection – Monitoring / Remediation
• Protection – Website Firewall
• Auditing – Sucuri Premium Plugin
• BackupBuddy
Read about how I set things up here: http://wpengine.com/2013/04/24/how-tony-perez-of-sucuri-sets-up-his-own-security/
Alternatives
• Limit Login Attempts
• BackupBuddy
• Akismet
• Better WP Security
• WP Security Audit Log
• Google Authenticator
• WordFence
As humans we like to focus too much on the “Why me? Why would they do this? Why my site?”, but the reality is that we rarely do what we have to from the get-go. How many of those same people asking the “Why” spent the time asking the “How” before they got a website? I know I didn’t… By “How” I mean: how do I protect myself? This of course is not your fault as website owners; it just hasn’t been instilled in our brains yet. When you buy a car, before you get off the lot the salesperson is telling you about insurance and things like GAP. When you buy a computer, it comes with built-in antivirus, offering 6 months free and making it difficult for you to get rid of later. The reality is that these are very annoying, pesky examples, but they put it in our minds: we need insurance, we need an antivirus. Can we say the same for when we are building a website, or when we’re requesting one? Can we say that we’re asking our developers and maintainers the right questions?