You always think it will never happen to you but when it does, it’s all hands on deck. My personal site was almost hacked and since then I actively looked at what I could improve. During this talk I will talk what I had before and show all the improvements I made since then. It will be a mixed of using using the existing tools and my own creation in managing my sites.

1. Marko Heijnen CODEKITCHEN
The moment my site
got hacked
WordCamp Switerland, Zurich 2015

3. 0. The Story

4. I have set things up

5. Hardening WordPress
• Difficult password
• VPN access to home is required to login as
super admin
• Files can’t be changed by PHP
• define('DISALLOW_FILE_MODS', true);
• Renamed wp-content folder

6. Other positive effects
• A lot of functionality is custom written
• PHP FPM with Opcache requires restart for
changes to be effected
• WordPress Network install

7. And then it’s all for
having things up-to-date

8. Normally I keep
everything up-to-date

9. But one plugin slipped
my attention

10. It all started with an
internal e-mail at my job

11. I start checking to see
if I can reproduce it

12. 😱😱😱

13. 1. Shock & Denial

16. Checking the log files
showed how they managed it

17. Checking the log files
showed the failed

18. • 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200]
"POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0
(X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like
Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
• 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /
wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0
(X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like
Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
• 202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /
content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0
(X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like
Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"

19. 2. Anger

20. Having that stupid rewrite

21. Why didn’t I updated my
plugins?

22. Why didn’t I had any
protecting for this in place

23. 3. Working Through

24. Start fixing things

25. Start fixing things
• Update all plugins
• Check the upload directory for more PHP files and
delete them all
• Don’t allow PHP to be ever executed inside
uploads
• See if everything still is untouched

26. I was lucky I have git
but what about you?

27. Checksum checker
• Checks the hash of your files with hashes of the
original
• Not for WordPress core but for your plugins and
themes
• wpcentral.io/api/checksums/plugin/tabify-edit-
screen/0.8.3

28. How to prevent things like
this happening again?

29. Application firewall
• Something that actively protects you against
vulnerabilities such as cross-site scripting (XSS)
and SQL injection
• Sucuri or CloudFlare as a service
• NinjaFirewall as a plugin
• Currently I’m using modSecurity
• Now looking at the rule sets of owasp.org

30. How to detect if it happens

31. Builded a custom tool

32. List of all sites

33. General overview of a site

34. Security checks for the site

35. Security checks for the site

36. Security checks for the site

37. List of all servers

38. 4. Acceptance & Hope

39. Things I learned
from this

40. Things I learned
• Don’t expect plugin developer to announce
publicly that they have or had security issues
• Read the log files more often
• Work pro active on securing my site
• Check out the latest and greatest tools for securing
and checking your sites

41. Last but not least:
Some questions for you

42. Some questions for you
• What does your host do to protect you?
• What do you do yourself?
• How good is your wp-login.php protected?
• Did you hardening your site?
• How secure are your backups?
• Do you know what people trying to do to your site?

43. Marko Heijnen
• Founder of CodeKitchen
• Lead developer of GlotPress
• Core contributor for
WordPress
• Organizer for WordCamp
Belgrade

44. Marko Heijnen
info@markoheijnen.com
@markoheijnen

45. Thank you for
listening
@markoheijnen
markoheijnen.com
codekitchen.eu