4. “The user’s going to pick dancing pigs over security every time.”
- Bruce Schneier
Check yourself before you wreck yourself
KNOWLEDGE
@PEREZBOX @SUCURI_SECURITY @TONYONSECURITY
#WCCHX
10/15/2012 4
5. KNOW THE ENVIRONMENT
LAMP stack: Linux, Apache, MySQL, PHP
• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• Bare-bones
6. KNOW THE APPLICATION
WordPress layers: Core, Themes, Plugins, End-User
• Today's Problem
7. REALISTIC ENVIRONMENT
Linux Operating System
Apache, MySQL, PHP
WordPress, cPanel, Plesk, myLittleAdmin, phpMyAdmin, etc.
Modules
8. YOUR HOST
IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
• Who is your host?
• How do you connect to the server?
• FTP, SFTP, SSH
• What security does your host use? Do they use any web security?
• What will your host do if you get hacked?
• Will they shut your site down?
• Will they kick you off their server?
• Will they fix it for you?
9. CONNECTING
• If you don't need it, disable it
• SFTP / SSH is preferred
• FTP works fine – disable if you're not using it, don't talk to me if you are
• FTP/SFTP != WP-ADMIN
• Least Privileged
• You don't have to log in to FTP / SFTP with full root access
• Everyone doesn't need to be an admin
• You don't need to log in as admin
• The focus is on the role, not the name of the user
• Accountability – kill generic accounts – who is doing what?
10. ATTACK TYPE
Opportunistic:
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think "TimThumb"
Targeted:
• Big enterprises with large followings: WordPress.com, WooThemes
• Worth investing time and energy to compromise, bigger return
11. AUTOMATION IS KEY
Cycle: Scan -> Detect -> Exploit -> PWN -> Automation
• Targeted / Opportunistic
• Vulnerability Scans
• Brute Force / Data Dictionary Attacks
• DDOS / DOS
• XSS / CSRF
• SQLi
12. BLACKLISTING
• Take a chill pill.. Not the end of the world
• Detect, Remove, Submit
13. THE MISTAKE
• But why me?!?!?!
• Forget the why, look at the how!!
14. “Own one Own them All”
Nothing fancy here.. The facts
THE HOW
15. TODAY'S EXPLOITS
Application | You Control | Environment
Application:
• Injections
• Remote File Inclusion
• Remote File Execution
• Brute Force / Data Dictionary
Environment:
• Privilege Escalation
• Brute Force / Data Dictionary
• Remote File Include
• Remote File Execution
16. TOP 5 WORDPRESS INFECTIONS
• Backdoors
• Difficult to Detect via HTTP
• Injections
• Easy to Detect via HTTP
• Pharma Hack
• Best person to detect is the owner, difficult to detect via HTTP
• Malicious Redirects
• Easy to Detect via HTTP
• Defacements
• Pretty obvious – you're now supporting the Syrian fight or preaching to your Turkish brothers
17. BACKDOOR
• Complete access via shell... kiss all hardening goodbye
• Sad day... Good time to cry...
19. PHARMA
• Affiliate Model
• Multi-million dollar industry
• Generate ~3.5k new clients daily
20. DEFACEMENT
• Hacktivism at its finest
• Awareness to cause
21. COMMON VECTORS
"38% of us Would Rather Clean a Toilet Than Think of a New Password" - Mashable
• Vulnerable Software
• Often associated with out-of-date software
• WordPress Themes / Plugins, more so than Core
• Cross Site Contamination
• Soup Kitchen Servers
• Compromised Credentials
• Password123, Password1, 111111a = not cool
• Remote File Inclusion
• Leads to Remote Execution
• Think TimThumb, Uploadify, etc.
22. “The question isn't who is going to let me; it's
who is going to stop me.”
Simple is so much sweeter…
MAKE IT STOP
23. THE KEY IS ACCESS
• In almost all instances the key is access, whether via:
• WP-ADMIN
• SSH / SFTP (Port 22)
• FTP (Port 21) => You are dead to me!!! :)
• Remote File Inclusion – Vulnerabilities in TimThumb / Uploadify – can't avoid zero-day events, but you can stay proactive when identified
• Doesn't include environmental issues
• Myth: Remove Admin
• Fact: to crack a 10 character password = 1,700 years via brute-force. Today, dictionary attacks are the preferred method. Either way, requires multiple scan attempts.
• The "administrator" role matters more than the "administrator" or "admin" user name.
24. THIS IS WHAT MATTERS - KISS
From an access standpoint:
• Application WAF
• Server WAF
• Two Factor Authentication
• Strong / Unique Password
• Secure Environment
From a vulnerability standpoint:
• Stay Current
• Use Trusted Sources
• Avoid Soup Kitchen Servers
• Separate Staging from Production
• Secure Environment
25. MY ADVICE
To the Average Joe:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – Yes, Macs need one
7. Verify your permissions - D 755 | F 644
8. Least Privileged
9. Kill generic accounts - Accountability
10. Backup your site – yes, Database too
To the Paranoid / Lucky:
1. Don't let WordPress write to itself
2. Filter by IP
• SSH Access
• WP-ADMIN Access
• Database Access
3. Use a dedicated server / VPS
4. Employ a WAF / Logging Solution
5. Enable SSL
26. KILL PHP EXECUTION
• The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice. Recommendation:
• WP-INCLUDES
• UPLOADS
# PROTECT [Directory Name]
# Apache 2.2 syntax; Apache 2.4 uses "Require all denied" in place of "Deny from all"
# In wp-includes, WordPress itself still needs wp-tinymce.php (and ms-files.php on multisite); allow those with their own <Files> block
<Files *.php>
Deny from all
</Files>
27. DISABLE PLUGIN/THEME EDITOR
• Add to wp-config – if a user is compromised they won't be able to add anything to the core theme or plugin files.
# Disable Plugin / Theme Editor (must come before the "That's all, stop editing!" line)
define('DISALLOW_FILE_EDIT', true);
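A small audit script for the three file-level controls from slides 25 through 27 (the .htaccess PHP block, DISALLOW_FILE_EDIT, and D 755 / F 644 permissions). This is an added example, not code from the deck or from Sucuri; it assumes a POSIX shell with find and grep, the standard WordPress directory layout, and builds its own constructed sample site to audit.

```shell
# Added audit helper (not from the deck): checks a WordPress root for the controls the slides
# recommend: .htaccess denying *.php in wp-includes/ and wp-content/uploads/, DISALLOW_FILE_EDIT
# in wp-config.php, and D 755 / F 644. Assumes POSIX sh, find, grep, standard WP layout; the sample site is constructed.

# Returns 0 when every directory in $2.. under root $1 has an .htaccess blocking PHP
wp_check_php_block() {
    root="$1"; shift; rc=0
    for d in "$@"; do
        f="$root/$d/.htaccess"
        # Accept Apache 2.2 ("Deny from all") or 2.4 ("Require all denied") syntax
        if [ -f "$f" ] && grep -q '<Files \*\.php>' "$f" \
           && grep -Eqi 'Deny from all|Require all denied' "$f"; then
            echo "OK   $d: PHP execution blocked"
        else
            echo "FAIL $d: no .htaccess denying *.php"; rc=1
        fi
    done
    return $rc
}

# Returns 0 when wp-config.php defines DISALLOW_FILE_EDIT as true
wp_check_file_edit() {
    grep -Eq "define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true" "$1/wp-config.php"
}

# Lists paths whose mode deviates from D 755 / F 644; returns 1 when any are found
wp_check_perms() {
    bad=$(find "$1" -type d ! -perm 755 -o -type f ! -perm 644)
    [ -z "$bad" ] || { printf 'BAD PERMS:\n%s\n' "$bad"; return 1; }
}

# Builds a constructed sample site at $1; $2 is "hardened" or "weak"
wp_make_sample_site() {
    mkdir -p "$1/wp-includes" "$1/wp-content/uploads"
    echo "<?php define('DB_NAME', 'example');" > "$1/wp-config.php"
    if [ "$2" = hardened ]; then
        for d in wp-includes wp-content/uploads; do
            printf '<Files *.php>\nDeny from all\n</Files>\n' > "$1/$d/.htaccess"
        done
        echo "define('DISALLOW_FILE_EDIT', true);" >> "$1/wp-config.php"
    fi
    find "$1" -type d -exec chmod 755 {} + ; find "$1" -type f -exec chmod 644 {} +
    [ "$2" = hardened ] || chmod 777 "$1/wp-content/uploads"   # weak: world-writable uploads
}

site=$(mktemp -d); wp_make_sample_site "$site" weak        # audit the weak sample
wp_check_php_block "$site" wp-includes wp-content/uploads || :
wp_check_file_edit "$site" || echo "FAIL DISALLOW_FILE_EDIT not set in wp-config.php"
wp_check_perms "$site" || :; rm -rf "$site"
```

Point the three check functions at a real document root to get the same OK/FAIL report; wp-config.php is often kept tighter than 644 on purpose, so treat that line of the permissions report as a judgment call.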
Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would