SlideShare ist ein Scribd-Unternehmen logo

Secure Your Wordpress

n|u - The Open Security Community
n|u - The Open Security Community

This document discusses securing a WordPress site. It begins with an agenda that includes understanding how WordPress works and its file structure, setting up WordPress, and configuring security settings. It then covers how WordPress functions through index.php and includes other files. It also discusses correlating files and folders. The document outlines setting up WordPress via FTP/SSH or SVN and hardening the server. It details common attack vectors like vulnerabilities in core, plugins, and themes as well as account brute forcing. It recommends customizing .htaccess rules and using child themes to modify functionality securely.

BildungTechnologieBusiness
1 von 22
Downloaden Sie, um offline zu lesen
Secure Wordpress Bachaav Session A Null Community Initiative 30 – Nov - 2013
Agenda • Understand • How to Setup • Security Configuration
Agenda • Understand – How Wordpress Works – File and Folder Co-relations • How to Setup • Security Configuration
Demo Setup • VirtualBox VM – NAT interface for Internet Access – Hostonly connection for normal testing – sudo ifconfig => get the IP Address • Various URL – http://IP/wordpress – http://IP/phpmyadmin • Credentials – Username:wordpress – Password:wordpress
How Wordpress Works ● Index.php – Define WP_USE_THEMES – include(wp-blog-header.php) ● Wp-blog-header – include(wp-config.php) -> db and other constants – include(wp-settings.php) ● lots and lots of includes ● Plugins from PLUGIN_DIR ● Pluggable_functions loaded (can be overridden by plugins) – Path Declaration – Query Parsing and assignment – HTTP Headers – Request Parsing – Template Redirections – Theme ● Header ● Loop ● Widget / Sidebar ● Footer Reference : http://codex.wordpress.org/User:DavidHouse/Wordpress_Code_Flow
File and Folders Co-relations ● wp-config.php ● wp-settings.php ● index.php ● .htaccess ● /wp-admin/ ● /wp-content – /plugins – /themes ● /wp-includes
Agenda • Understand • How to Setup – Setup over FTP / SSH – Setup via SVN • Security Configuration
Setup • Shared hosting – Use Hosting Control Panel – Upload Via FTP and run install.php • VPS / Dedicated / Cloud Server – Upload via ssh / ftp – Sync via SVN
Wordpress Setup
Agenda • Understand • How to Setup • Security Configuration – Basic Server hardening – Understanding attack vectors – Implement Protections
Base Server Hardening • This session is wordpress focused so we will not cover about server hardening in details
Core Level Attacks ● Present Unpatched Issues – Full Path Disclosures – Enumeration Issues ● Username ● Attachment ● Plugins ● Themes – Account Bruteforce – Version disclosure and Multiple places ● Previously exploited issues – XMLRPC based SSRF attack – D-DoS and more
Other Attacks ● Plugin / Theme using old Files ● Vulnerable Code in Core ● Vulnerable Code in Plugin / Themes ● Permission and Access Issues
How to Defend ● Core Modifications is not recommended as every upgrade modifies core files. ● Implement Custom HTACCESS based restrictions ● Implement Hook / function override via custom theme templates ● Even theme modification is a absolute no – no as new update will override it.
HTACCESS ● Redirections – RewriteCond %{REQUEST_URI} robots.txt – RewriteRule ^abracadabra/ http://google.com [R=301,L] ● Custom Directives – DirectoryIndex index.html – ServerSignature Off – Header unset Etag
Theme modification the right way ● Child Theme folder : all files picked first from this and then from parent ● style.css /* – Theme Name: Anantshri – Theme URI: http://www.anantshri.info/ – Description: Child theme for the twenty twelve – Author: Anant Shrivastava – Author URI: http://anantshri.info/about/ – Template: twentytwelve – Version: 0.1.0 – */ – @import url("../twentytwelve/style.css"); ● functions.php : Can be used to provide all function overrides – remove_action( 'widgets_init', 'xyz_widgets_init' ); – add_action( 'widgets_init', 'abc_widgets_init' );
User / Attachment Enumeration ● Index.php?author=1 – Redirects to /author/<username> ● Index.php?attachment=1 – Redirects to Individual Attachment URL
Plugin / Theme Enumeration ● How it is identified – Predictable URL : wp-content/plugin , themes – Predictable file : readme.txt and plugin specific assets(js or css)
Account Bruteforce / Enumeration ● Possible to Enumerate Accounts due to different Error Messages
More Issues ● Full Path Disclosures display_error : Off (php.ini) ● ClickJacking protection ● swf and timthumb related attacks ● Issues related to wp-includes folder ● Comment Spam ● Dangerous Methods (PUT and more) ● XMLRPC issues ● Automated scanners ● Wordpress header code
Plus a lot more ● This should help us in getting started and since you are now aware of various functions and ways to control them its an open playground now.

Empfohlen

Random numbers
Random numbersRandom numbers
Random numbersPositive Hack Days
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karman|u - The Open Security Community
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 

Empfohlen

Random numbers
Random numbersRandom numbers
Random numbersPositive Hack Days
 
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)Hack Into Drupal Sites (or, How to Secure Your Drupal Site)
Hack Into Drupal Sites (or, How to Secure Your Drupal Site)nyccamp
 
Web-servers & Application Hacking
Web-servers & Application HackingWeb-servers & Application Hacking
Web-servers & Application HackingRaghav Bisht
 
Drupal Security Hardening
Drupal Security HardeningDrupal Security Hardening
Drupal Security HardeningGerald Villorente
 
Nessus and Reporting Karma
Nessus and Reporting KarmaNessus and Reporting Karma
Nessus and Reporting Karman|u - The Open Security Community
 
Hacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesHacking Adobe Experience Manager sites
Hacking Adobe Experience Manager sitesMikhail Egorov
 
Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Securing Drupal 7: Do not get Hacked or Spammed to death!
Securing Drupal 7: Do not get Hacked or Spammed to death!Adelle Frank
 
When you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesWhen you don't have 0days: client-side exploitation for the masses
When you don't have 0days: client-side exploitation for the massesMichele Orru
 
Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Hacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtHacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtRaghav Bisht
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
Root via XSS
Root via XSSRoot via XSS
Root via XSSPositive Hack Days
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
Nikto
NiktoNikto
NiktoSorina Chirilă
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowAcquia
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Cracking into embedded devices and beyond
Cracking into embedded devices and beyondCracking into embedded devices and beyond
Cracking into embedded devices and beyondamiable_indian
 
Web Server Hardening
Web Server HardeningWeb Server Hardening
Web Server Hardeningn|u - The Open Security Community
 
WordPress MU 101
WordPress MU 101WordPress MU 101
WordPress MU 101Pete Mall
 
Taking your site from Drupal 6 to Drupal 7
Taking your site from Drupal 6 to Drupal 7Taking your site from Drupal 6 to Drupal 7
Taking your site from Drupal 6 to Drupal 7Phase2
 

Weitere ähnliche Inhalte

Was ist angesagt?

Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016bugcrowd
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoPichaya Morimoto
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassRob Fuller
 
Hacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtHacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtRaghav Bisht
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsMikhail Egorov
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new blackRob Fuller
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?Mikhail Egorov
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal SiteNaveen Valecha
 
End to end web security
End to end web securityEnd to end web security
End to end web securityGeorge Boobyer
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesSpin Lai
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkChris Gates
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsKrzysztof Kotowicz
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictionsMukesh k.r
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowAcquia
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking DrupalGreg Foss
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim HegazyHackIT Ukraine
 
Cracking into embedded devices and beyond
Cracking into embedded devices and beyondCracking into embedded devices and beyond
Cracking into embedded devices and beyondamiable_indian
 

Was ist angesagt? (20)

Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016Bug Bounty Hunter Methodology - Nullcon 2016
Bug Bounty Hunter Methodology - Nullcon 2016
 
Art of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya MorimotoArt of Web Backdoor - Pichaya Morimoto
Art of Web Backdoor - Pichaya Morimoto
 
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting ClassThe Dirty Little Secrets They Didn’t Teach You In Pentesting Class
The Dirty Little Secrets They Didn’t Teach You In Pentesting Class
 
Hacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav BishtHacking in shadows By - Raghav Bisht
Hacking in shadows By - Raghav Bisht
 
Hunting for security bugs in AEM webapps
Hunting for security bugs in AEM webappsHunting for security bugs in AEM webapps
Hunting for security bugs in AEM webapps
 
Windows Attacks AT is the new black
Windows Attacks AT is the new blackWindows Attacks AT is the new black
Windows Attacks AT is the new black
 
Root via XSS
Root via XSSRoot via XSS
Root via XSS
 
What should a hacker know about WebDav?
What should a hacker know about WebDav?What should a hacker know about WebDav?
What should a hacker know about WebDav?
 
Hack Proof Your Drupal Site
Hack Proof Your Drupal SiteHack Proof Your Drupal Site
Hack Proof Your Drupal Site
 
End to end web security
End to end web securityEnd to end web security
End to end web security
 
Two scoops of Django - Security Best Practices
Two scoops of Django - Security Best PracticesTwo scoops of Django - Security Best Practices
Two scoops of Django - Security Best Practices
 
Attacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit FrameworkAttacking Oracle with the Metasploit Framework
Attacking Oracle with the Metasploit Framework
 
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome ExtensionsI'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
I'm in ur browser, pwning your stuff - Attacking (with) Google Chrome Extensions
 
Nikto
NiktoNikto
Nikto
 
Bypass file upload restrictions
Bypass file upload restrictionsBypass file upload restrictions
Bypass file upload restrictions
 
Drupal and Security: What You Need to Know
Drupal and Security: What You Need to KnowDrupal and Security: What You Need to Know
Drupal and Security: What You Need to Know
 
Attacking Drupal
Attacking DrupalAttacking Drupal
Attacking Drupal
 
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
"15 Technique to Exploit File Upload Pages", Ebrahim Hegazy
 
Cracking into embedded devices and beyond
Cracking into embedded devices and beyondCracking into embedded devices and beyond
Cracking into embedded devices and beyond
 
Web Server Hardening
Web Server HardeningWeb Server Hardening
Web Server Hardening
 

Ähnlich wie Secure Your Wordpress

WordPress MU 101
WordPress MU 101WordPress MU 101
WordPress MU 101Pete Mall
 
Taking your site from Drupal 6 to Drupal 7
Taking your site from Drupal 6 to Drupal 7Taking your site from Drupal 6 to Drupal 7
Taking your site from Drupal 6 to Drupal 7Phase2
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress InstallationLester Chan
 
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016Vlad Lasky
 
NGINX 101 - now with more Docker
NGINX 101 - now with more DockerNGINX 101 - now with more Docker
NGINX 101 - now with more Dockersarahnovotny
 
NGINX 101 - now with more Docker
NGINX 101 - now with more DockerNGINX 101 - now with more Docker
NGINX 101 - now with more DockerSarah Novotny
 
A WordPress workshop at Cefalo
A WordPress workshop at Cefalo A WordPress workshop at Cefalo
A WordPress workshop at Cefalo Beroza Paul
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Think Media Inc.
 
Drupal 7x Installation - Introduction to Drupal Concepts
Drupal 7x Installation - Introduction to Drupal ConceptsDrupal 7x Installation - Introduction to Drupal Concepts
Drupal 7x Installation - Introduction to Drupal ConceptsMicky Metts
 
Selenium grid workshop london 2016
Selenium grid workshop london 2016Selenium grid workshop london 2016
Selenium grid workshop london 2016Marcus Merrell
 
Moodle Development Best Pracitces
Moodle Development Best PracitcesMoodle Development Best Pracitces
Moodle Development Best PracitcesJustin Filip
 
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress TrivandrumWordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress TrivandrumWordPress Trivandrum
 
Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Drupalcon Paris
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentBrad Williams
 
Managing a WordPress Site as a Composer Project by Rahul Bansal @ WordCamp Na...
Managing a WordPress Site as a Composer Project by Rahul Bansal @ WordCamp Na...Managing a WordPress Site as a Composer Project by Rahul Bansal @ WordCamp Na...
Managing a WordPress Site as a Composer Project by Rahul Bansal @ WordCamp Na...rtCamp
 
Atomicant Drupal 6 Theming
Atomicant Drupal 6 ThemingAtomicant Drupal 6 Theming
Atomicant Drupal 6 ThemingMarek Sotak
 
WordPress At Scale. WordCamp Dhaka 2019
WordPress At Scale. WordCamp Dhaka 2019WordPress At Scale. WordCamp Dhaka 2019
WordPress At Scale. WordCamp Dhaka 2019Anam Ahmed
 

Ähnlich wie Secure Your Wordpress (20)

WordPress MU 101
WordPress MU 101WordPress MU 101
WordPress MU 101
 
Taking your site from Drupal 6 to Drupal 7
Taking your site from Drupal 6 to Drupal 7Taking your site from Drupal 6 to Drupal 7
Taking your site from Drupal 6 to Drupal 7
 
It4k12 wordpress
It4k12 wordpressIt4k12 wordpress
It4k12 wordpress
 
Securing Your WordPress Installation
Securing Your WordPress InstallationSecuring Your WordPress Installation
Securing Your WordPress Installation
 
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016
Tips for Fixing a Hacked WordPress Site - WordCamp Sydney 2016
 
WordPress Security
WordPress SecurityWordPress Security
WordPress Security
 
NGINX 101 - now with more Docker
NGINX 101 - now with more DockerNGINX 101 - now with more Docker
NGINX 101 - now with more Docker
 
NGINX 101 - now with more Docker
NGINX 101 - now with more DockerNGINX 101 - now with more Docker
NGINX 101 - now with more Docker
 
A WordPress workshop at Cefalo
A WordPress workshop at Cefalo A WordPress workshop at Cefalo
A WordPress workshop at Cefalo
 
Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013Presentation to SAIT Students - Dec 2013
Presentation to SAIT Students - Dec 2013
 
19servlets
19servlets19servlets
19servlets
 
Drupal 7x Installation - Introduction to Drupal Concepts
Drupal 7x Installation - Introduction to Drupal ConceptsDrupal 7x Installation - Introduction to Drupal Concepts
Drupal 7x Installation - Introduction to Drupal Concepts
 
Selenium grid workshop london 2016
Selenium grid workshop london 2016Selenium grid workshop london 2016
Selenium grid workshop london 2016
 
Moodle Development Best Pracitces
Moodle Development Best PracitcesMoodle Development Best Pracitces
Moodle Development Best Pracitces
 
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress TrivandrumWordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
WordPress Hosting Best Practices - Do's and Don't s | WordPress Trivandrum
 
Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3Staging Drupal 8 31 09 1 3
Staging Drupal 8 31 09 1 3
 
Intro to WordPress Plugin Development
Intro to WordPress Plugin DevelopmentIntro to WordPress Plugin Development
Intro to WordPress Plugin Development
 
Managing a WordPress Site as a Composer Project by Rahul Bansal @ WordCamp Na...
Managing a WordPress Site as a Composer Project by Rahul Bansal @ WordCamp Na...Managing a WordPress Site as a Composer Project by Rahul Bansal @ WordCamp Na...
Managing a WordPress Site as a Composer Project by Rahul Bansal @ WordCamp Na...
 
Atomicant Drupal 6 Theming
Atomicant Drupal 6 ThemingAtomicant Drupal 6 Theming
Atomicant Drupal 6 Theming
 
WordPress At Scale. WordCamp Dhaka 2019
WordPress At Scale. WordCamp Dhaka 2019WordPress At Scale. WordCamp Dhaka 2019
WordPress At Scale. WordCamp Dhaka 2019
 

Mehr von n|u - The Open Security Community

Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...n|u - The Open Security Community
 

Mehr von n|u - The Open Security Community (20)

Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)Hardware security testing 101 (Null - Delhi Chapter)
Hardware security testing 101 (Null - Delhi Chapter)
 
Osint primer
Osint primerOsint primer
Osint primer
 
SSRF exploit the trust relationship
SSRF exploit the trust relationshipSSRF exploit the trust relationship
SSRF exploit the trust relationship
 
Nmap basics
Nmap basicsNmap basics
Nmap basics
 
Metasploit primary
Metasploit primaryMetasploit primary
Metasploit primary
 
Api security-testing
Api security-testingApi security-testing
Api security-testing
 
Introduction to TLS 1.3
Introduction to TLS 1.3Introduction to TLS 1.3
Introduction to TLS 1.3
 
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
Gibson 101 -quick_introduction_to_hacking_mainframes_in_2020_null_infosec_gir...
 
Talking About SSRF,CRLF
Talking About SSRF,CRLFTalking About SSRF,CRLF
Talking About SSRF,CRLF
 
Building active directory lab for red teaming
Building active directory lab for red teamingBuilding active directory lab for red teaming
Building active directory lab for red teaming
 
Owning a company through their logs
Owning a company through their logsOwning a company through their logs
Owning a company through their logs
 
Introduction to shodan
Introduction to shodanIntroduction to shodan
Introduction to shodan
 
Cloud security
Cloud security Cloud security
Cloud security
 
Detecting persistence in windows
Detecting persistence in windowsDetecting persistence in windows
Detecting persistence in windows
 
Frida - Objection Tool Usage
Frida - Objection Tool UsageFrida - Objection Tool Usage
Frida - Objection Tool Usage
 
OSQuery - Monitoring System Process
OSQuery - Monitoring System ProcessOSQuery - Monitoring System Process
OSQuery - Monitoring System Process
 
DevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -SecurityDevSecOps Jenkins Pipeline -Security
DevSecOps Jenkins Pipeline -Security
 
Extensible markup language attacks
Extensible markup language attacksExtensible markup language attacks
Extensible markup language attacks
 
Linux for hackers
Linux for hackersLinux for hackers
Linux for hackers
 
Android Pentesting
Android PentestingAndroid Pentesting
Android Pentesting
 

Kürzlich hochgeladen

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)eniolaolutunde
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3JemimahLaneBuaron
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxNirmalaLoungPoorunde1
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformChameera Dedduwage
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingTechSoup
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13Steve Thomason
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphThiyagu K
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionSafetyChain Software
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpinRaunakKeshri1
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxGaneshChakor2
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationnomboosow
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991RKavithamani
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxiammrhaywood
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxmanuelaromero2013
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Educationpboyjonauth
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxVS Mahajan Coaching Centre
 

Kürzlich hochgeladen (20)

Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)Software Engineering Methodologies (overview)
Software Engineering Methodologies (overview)
 
Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3Q4-W6-Restating Informational Text Grade 3
Q4-W6-Restating Informational Text Grade 3
 
Employee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptxEmployee wellbeing at the workplace.pptx
Employee wellbeing at the workplace.pptx
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdf
 
A Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy ReformA Critique of the Proposed National Education Policy Reform
A Critique of the Proposed National Education Policy Reform
 
Grant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy ConsultingGrant Readiness 101 TechSoup and Remy Consulting
Grant Readiness 101 TechSoup and Remy Consulting
 
The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13The Most Excellent Way | 1 Corinthians 13
The Most Excellent Way | 1 Corinthians 13
 
Z Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot GraphZ Score,T Score, Percential Rank and Box Plot Graph
Z Score,T Score, Percential Rank and Box Plot Graph
 
Mastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory InspectionMastering the Unannounced Regulatory Inspection
Mastering the Unannounced Regulatory Inspection
 
Student login on Anyboli platform.helpin
Student login on Anyboli platform.helpinStudent login on Anyboli platform.helpin
Student login on Anyboli platform.helpin
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introduction
 
CARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptxCARE OF CHILD IN INCUBATOR..........pptx
CARE OF CHILD IN INCUBATOR..........pptx
 
Interactive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communicationInteractive Powerpoint_How to Master effective communication
Interactive Powerpoint_How to Master effective communication
 
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
Industrial Policy - 1948, 1956, 1973, 1977, 1980, 1991
 
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptxSOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
SOCIAL AND HISTORICAL CONTEXT - LFTVD.pptx
 
Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1Código Creativo y Arte de Software | Unidad 1
Código Creativo y Arte de Software | Unidad 1
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdf
 
How to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptxHow to Make a Pirate ship Primary Education.pptx
How to Make a Pirate ship Primary Education.pptx
 
Introduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher EducationIntroduction to ArtificiaI Intelligence in Higher Education
Introduction to ArtificiaI Intelligence in Higher Education
 
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptxOrganic Name Reactions for the students and aspirants of Chemistry12th.pptx
Organic Name Reactions for the students and aspirants of Chemistry12th.pptx
 

Secure Your Wordpress

  • 1. Secure Wordpress Bachaav Session A Null Community Initiative 30 – Nov - 2013
  • 2. Agenda • Understand • How to Setup • Security Configuration
  • 3. Agenda • Understand – How Wordpress Works – File and Folder Co-relations • How to Setup • Security Configuration
  • 4. Demo Setup • VirtualBox VM – NAT interface for Internet Access – Hostonly connection for normal testing – sudo ifconfig => get the IP Address • Various URL – http://IP/wordpress – http://IP/phpmyadmin • Credentials – Username:wordpress – Password:wordpress
  • 5. How Wordpress Works ● Index.php – Define WP_USE_THEMES – include(wp-blog-header.php) ● Wp-blog-header – include(wp-config.php) -> db and other constants – include(wp-settings.php) ● lots and lots of includes ● Plugins from PLUGIN_DIR ● Pluggable_functions loaded (can be overridden by plugins) – Path Declaration – Query Parsing and assignment – HTTP Headers – Request Parsing – Template Redirections – Theme ● Header ● Loop ● Widget / Sidebar ● Footer Reference : http://codex.wordpress.org/User:DavidHouse/Wordpress_Code_Flow
  • 6.
  • 7. File and Folders Co-relations ● wp-config.php ● wp-settings.php ● index.php ● .htaccess ● /wp-admin/ ● /wp-content – /plugins – /themes ● /wp-includes
  • 8. Agenda • Understand • How to Setup – Setup over FTP / SSH – Setup via SVN • Security Configuration
  • 9. Setup • Shared hosting – Use Hosting Control Panel – Upload Via FTP and run install.php • VPS / Dedicated / Cloud Server – Upload via ssh / ftp – Sync via SVN
  • 11. Agenda • Understand • How to Setup • Security Configuration – Basic Server hardening – Understanding attack vectors – Implement Protections
  • 12. Base Server Hardening • This session is wordpress focused so we will not cover about server hardening in details
  • 13. Core Level Attacks ● Present Unpatched Issues – Full Path Disclosures – Enumeration Issues ● Username ● Attachment ● Plugins ● Themes – Account Bruteforce – Version disclosure and Multiple places ● Previously exploited issues – XMLRPC based SSRF attack – D-DoS and more
  • 14. Other Attacks ● Plugin / Theme using old Files ● Vulnerable Code in Core ● Vulnerable Code in Plugin / Themes ● Permission and Access Issues
  • 15. How to Defend ● Core Modifications is not recommended as every upgrade modifies core files. ● Implement Custom HTACCESS based restrictions ● Implement Hook / function override via custom theme templates ● Even theme modification is a absolute no – no as new update will override it.
  • 16. HTACCESS ● Redirections – RewriteCond %{REQUEST_URI} robots.txt – RewriteRule ^abracadabra/ http://google.com [R=301,L] ● Custom Directives – DirectoryIndex index.html – ServerSignature Off – Header unset Etag
  • 17. Theme modification the right way ● Child Theme folder : all files picked first from this and then from parent ● style.css /* – Theme Name: Anantshri – Theme URI: http://www.anantshri.info/ – Description: Child theme for the twenty twelve – Author: Anant Shrivastava – Author URI: http://anantshri.info/about/ – Template: twentytwelve – Version: 0.1.0 – */ – @import url("../twentytwelve/style.css"); ● functions.php : Can be used to provide all function overrides – remove_action( 'widgets_init', 'xyz_widgets_init' ); – add_action( 'widgets_init', 'abc_widgets_init' );
  • 18. User / Attachment Enumeration ● Index.php?author=1 – Redirects to /author/<username> ● Index.php?attachment=1 – Redirects to Individual Attachment URL
  • 19. Plugin / Theme Enumeration ● How it is identified – Predictable URL : wp-content/plugin , themes – Predictable file : readme.txt and plugin specific assets(js or css)
  • 20. Account Bruteforce / Enumeration ● Possible to Enumerate Accounts due to different Error Messages
  • 21. More Issues ● Full Path Disclosures display_error : Off (php.ini) ● ClickJacking protection ● swf and timthumb related attacks ● Issues related to wp-includes folder ● Comment Spam ● Dangerous Methods (PUT and more) ● XMLRPC issues ● Automated scanners ● Wordpress header code
  • 22. Plus a lot more ● This should help us in getting started and since you are now aware of various functions and ways to control them its an open playground now.