Tons of details from basics of security to how to handle a compromised website yourself.

1. WordPress Security 101++

2. Introduction

3. Break down
● Security basics
● Attacker motives
● Clean up
● Prevention
● Auditing!

4. whoami
● Robert Rowley
● Security guy
● Websites, Server, Social Engineering, Mobile
● DreamHost security “one size fits all” person

5. DreamHost
● 1million+ websites
● Huge WordPress install base.

6. YOU!
● Security core concepts
● It is easy

7. Security core concepts
● Backups
● Passwords
● Updates
● Monitoring

8. Backups
● Keep them regularly
● Keep them secure and off site

9. Passwords
● Easy!
● “Passphrase” alphanumeric and other characters
● Better!
● Two factor.

10. Updates
● Automate if possible.
● On the first day it's already too late.

11. Monitoring
● Prevent the attack from going unnoticed.

12. The bad guys

13. Fruit?

14. Low hanging fruit

15. Bots!

16. Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why?
Why? Why? Why? Why? Why? Why?
Attacker motivation
Why? Why? Why? Why?
Why? Why? Why?
Why? Why? Why?
Why?Why? Why?
Why? Why?
Why? Why?
Why?Why? Why?
Why?
WHY?WHY?

17. $ $ $ $ $ $ $ $
$$ $ $ $
$ $$ $ $ $ $ $$ $ $
$ $ $$ $ $ $ $ $$ $
$ $ $ $$ $ $ $ $ $$
$ $ $ $ $$ $ $ $ $
$ $ $ $ $$ $ $
$ $ $ $ $ $ $$
$ $ $ $ $ $ $
$ $ $ $ $ $ $ $
Attacker motivation
$$

18. How?
● Software vulnerabilities
Arbitrary file uploads, Code execution, LFI/RFI SQLi
● Password compromise
Spyware/Brute force
● Host based attacks
Are you on a shared host? (cloud?)

19. Show your work!
How does a compromised site equal profit?
● Phishing (Identity theft)
● BlackHat SEO (Affiliate services efraud)
● Traffic Theft (Malware)
● Spam (All of the above)
● Backdoor installations (All of the above)

20. Graphs
● DreamHost attack logs
● Actual traffic from 8/20/2011 → 02/16/2012

21. Graph: zenCart

24. You're not helping!!!

25. Clean up ALL THE THINGS!!!!

26. Not that hard
●All
●The
●Things

27. If you plan to audit, do that first!
● Take the site offline
● Backup ALL THE THINGS:
● Files
● Databases
● Logs

28. Update ALL THE software!!!
● Core software
● Plugins
● Themes?
● Other?

29. Check ALL THE files!!!
● Does this belong here?
● Backups help

30. Change ALL THE passwords!!!
● Set the policy
● Need more? Use two-factor.

31. Re-install ALL THE THINGS!!!
● Backups.
● Re-install.
● No backups? Can't re-install?
● Just one line …. what? What? WHAT?
● Magical “find”

32. find ALL THE insecure permissions!!
Permissions issues:
find /path/ -type d -perm 777 -print
better:
find /path/ -type d -exec chmod 755 {} ; -print
alternative:
find /path/ -type d -perm 777 -exec chmod 755 {} ; -print
find /path/ -type f -exec chmod 644 {} ; -print

33. find ALL THE backdoors!!!
find /path/ -name “*php” -exec grep “fingerprint” {} ; -print
find /path/ -name “*php” -exec grep “fingerprint” {} ; -exec rm {} ; -print
(or use chmod 0 {} instead of rm {} )
find /path/ -name “*php” -exec grep “all|the|things” {} ; -print

34. Destroy ALL THE backdoors!!!
find /path/ -name “*php” -exec
● grep “FilesMan|eval(base64_decode(|eval(gzinflate(“ {} ;
● -exec chmod 0 {} ; -or -exec
● grep “(base64_decode){10,}|(){30,}” {} ;
● -exec sed -i.backup “/(base64_decode){10,}|(){30,}/d” {} ; -print
●
●

35. Spot ALL THE “diff”erences!
● Use “diff” to compare directories.
● Works best with backups (or just download WP)
$ diff omgfire.com omgfire.com_lastbackup
Only in omgfire.com: this_could_be_a_backdoor.php
Common subdirectories: omgfire.com/wp-admin and
omgfire.com_lastbackup/wp-admin
diff omgfire.com/wp-config.php
omgfire.com_lastbackup/wp-config.php
1d0
< <? /* this is a little bit of code changed! */ ?>

36. Pay for ALL THE fixes!!!
● The good, the bad and the ugly

37. Preventative

38. Server options
● Firewall
mod_security, cloudflare
● Database
Restrict by hostname

39. Site configuration
● File Monitoring
● Stop using FTP
● HTTPS
● Lock down directory/file permission

40. Wordpress tricks
● Enable auto-update
● Don't login as “admin”
● Database table prefix
● Disable PHP/CGI in upload/include directories
● Plugins!

41. Security Plugins
Backups Prevention Cleanup Monitoring Authentication
File Monitor
plus X
VaultPress
X X
Google Auth.
Yubikey
Etc...
X
Exploit Scanner
/ X
Backup Buddy
X

42. Security Services
Backups Prevention Cleanup Monitoring Price
Cloudflare
X /
Free-20+5/month
VaultPress
X / X
15-350/month
StoptheHacker
X
Free-100+/month
URLvoid.com
Various others X
Free
Sucuri
X X
90-290/month

43. Auditing

44. Who logged in?
● Via SSH: “last”
● Via WordPress: “simple login log” plugin

45. Digging in with timestamps.
$ ls -la omgfire.com/backdoor.php
-rw-rw-r-- 1 user grp 0 Feb 13 21:52 omgfire.com/backdoor.php
$ grep 21:52: logs/omgfire.com/access.log.2012-02-13
123.125.71.31 - - [13/Feb/2012:21:52:53 -0800]
"POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-"
"Mozilla"

46. Digging in with HTTP logs
$ awk '{print $7}' access.log | sort | uniq -c | sort -n

47. Digging in with HTTP logs
$ awk '{print $7}' access.log | sort | uniq -c | sort -n
1 /phpMyAdmin-2.2.3/index.php
1 /phpMyAdmin-2.5.5-pl1/index.php
1 /phpMyAdmin-2.5.5/index.php
1 /phpMyAdmin-2.5.6-rc2/index.php
1 /phpMyAdmin/index.php
1 /phpmyadmin1/index.php
1 /pma/index.php
1 /web/phpMyAdmin/index.php
1 /websql/index.php
2 /phpmyadmin/index.php
4 /robots.txt
242 /

48. Ask your host!
● You may not be alone.

49. followup
● Take ownership and post your experience
● Help the next website owner.

50. Further reading
http://codex.wordpress.org/Hardening_WordPress