WordPress Security
Jigar Pandya
7/30/2013

Slide 2: Know the Environment
LAMP stack: Linux, Apache, MySQL, PHP
• This is what it takes to run WordPress
• Each contains its own laundry list of known vulnerabilities
• Bare-bones
Slide 3: Know the Application
WordPress: Core, Themes, Plugins, End-User
• Today's problem
Slide 4: Realistic Environment
Linux operating system
Apache: WordPress, cPanel, Plesk
MySQL: myLittleAdmin, phpMyAdmin, etc.
PHP: modules
Slide 5: Your Host
• Who is your host?
• How do you connect to the server?
  • FTP, SFTP, SSH
• What security does your host use? Do they use any web security?
• What will your host do if you get hacked?
  • Will they shut your site down?
  • Will they kick you off their server?
  • Will they fix it for you?
IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
Slide 6: Connecting
• If you don't need it, disable it
  • SFTP / SSH is preferred
  • FTP works fine; disable it if you're not using it, and don't talk to me if you are
  • FTP/SFTP != WP-ADMIN
• Least privilege
  • You don't have to log in to FTP / SFTP with full root access
  • Not everyone needs to be an admin
  • You don't need to log in as admin
  • The focus is on the role, not the name of the user
• Accountability: kill generic accounts. Who is doing what?
Slide 7: Attack Type
Opportunistic:
• Trolling the web looking for known vulnerabilities
• Ability for mass exposure
• Think "TimThumb"
Targeted:
• Big enterprises with large followings:
  • WordPress.com
  • WooThemes
• Worth investing time and energy to compromise; bigger return
Slide 8: Automation is KEY
Automation: Scan > Detect > Exploit > PWN
• Targeted / Opportunistic
• Vulnerability scans
• Brute force / dictionary attacks
• DDoS / DoS
• XSS / CSRF
• SQLi
Slide 9: Blacklisting
• Take a chill pill. It's not the end of the world.
• Detect, Remove, Submit
Slide 10: The MISTAKE
• But why me?!
• Forget the why, look at the how!
Slide 11: NOTHING FANCY HERE.. THE FACTS
The How: "Own one, own them all"
Slide 12: Today's Exploits
Application:
• Injections
• Remote File Inclusion
• Remote File Execution
• Brute force / dictionary
• Privilege escalation
Environment:
• Brute force / dictionary
• Remote File Include
• Remote File Execution
You Control
Slide 13: Top 5 WordPress Infections
• Backdoors
  • Difficult to detect via HTTP
• Injections
  • Easy to detect via HTTP
• Pharma hack
  • The best person to detect it is the owner; difficult to detect via HTTP
• Malicious redirects
  • Easy to detect via HTTP
• Defacements
  • Pretty obvious: you're now supporting the Syrian fight or preaching to your Turkish brothers
Slide 14: Backdoor
• Complete access via shell... kiss all hardening goodbye
• Sad day... Good time to cry...
Slide 15: Link Injection
• Drive-by download attempt: think fake AV / Adobe
• Pharma links: erectile dysfunction (Viagra)
Slide 16: Pharma
• Affiliate model
• Multi-million dollar industry
• Generates ~3.5k new clients daily
Slide 17: Defacement
• Hacktivism at its finest
• Awareness to a cause
Slide 18: Common Vectors
• Vulnerable software
  • Often associated with out-of-date software
  • WordPress themes / plugins, more so than core
• Cross-site contamination
  • Soup kitchen servers
• Compromised credentials
  • Password123, Password1, 111111a = not cool
• Remote File Inclusion
  • Leads to remote execution
  • Think TimThumb, Uploadify, etc.
"38% of us would rather clean a toilet than think of a new password" - Mashable
Slide 19: SIMPLE IS SO MUCH SWEETER...
Make it STOP
"The question isn't who is going to let me; it's who is going to stop me."
Slide 20: The Key is Access
• In almost all instances the key is access, whether via:
  • WP-ADMIN
  • SSH / SFTP (port 22)
  • FTP (port 21) => you are dead to me!!! :)
  • Remote File Inclusion: vulnerabilities in TimThumb / Uploadify. You can't avoid zero-day events, but you can stay proactive once they are identified
  • Doesn't include environmental issues
• Myth: remove the admin user
• Fact: cracking a 10-character password via brute force = 1,700 years. Today, dictionary attacks are the preferred method. Either way, it requires multiple scan attempts.
• The "administrator" role matters more than the "administrator" or "admin" user name.
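The brute-force and dictionary attempts this slide describes leave a trail in the web server's access log, and that trail is what a logging solution or a plugin such as Limit Login Attempts keys on. As an added example that is not part of the deck, this Python script flags IPs that fail a login POST repeatedly inside a sliding window and notes whether such a burst was followed by a successful login. It assumes Apache's combined log format and WordPress's usual responses (200 for a failed login, because the form is re-rendered; 302 to wp-admin for a successful one); the log lines are constructed and use documentation IP ranges.

```python
"""Spot dictionary / brute-force attempts against wp-login.php in Apache logs.

Added example, not from the slides. Assumes Apache combined log format and
WordPress's usual behaviour: a failed login POST gets a 200 (form re-rendered),
a successful one gets a 302 to wp-admin.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
LOGIN_PATH = "/wp-login.php"

# Constructed sample: 203.0.113.7 hammers the login six times in six seconds and
# then gets a 302 (it got in); 198.51.100.3 fails once and then logs in normally.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jul/2013:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jul/2013:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jul/2013:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jul/2013:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jul/2013:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jul/2013:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
203.0.113.7 - - [30/Jul/2013:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.3 - - [30/Jul/2013:10:01:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.3 - - [30/Jul/2013:10:01:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3456 "-" "Mozilla/5.0"
198.51.100.3 - - [30/Jul/2013:10:01:25 +0000] "POST /wp-login.php?redirect_to=%2Fwp-admin%2F HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def parse_line(line: str) -> dict | None:
    """Parse one combined-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], TS_FMT),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop ?redirect_to=... and friends
        "status": int(m["status"]),
    }


def analyse(lines, threshold: int = 5, window: timedelta = timedelta(minutes=5)) -> dict:
    """Return {ip: {...}} for every IP with >= threshold failed login POSTs inside
    some sliding window of the given length, plus whether a 302 (successful
    login) from that IP came after its last failure, i.e. the guessing worked."""
    failed: dict[str, list[datetime]] = defaultdict(list)
    success: dict[str, list[datetime]] = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["method"] != "POST" or rec["path"] != LOGIN_PATH:
            continue
        bucket = success if rec["status"] == 302 else failed
        bucket[rec["ip"]].append(rec["ts"])

    report = {}
    for ip, times in failed.items():
        times.sort()
        best = start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:  # shrink the window from the left
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            last_failure = times[-1]
            got_in = any(t >= last_failure for t in success.get(ip, []))
            report[ip] = {"max_failures_in_window": best, "success_after_burst": got_in}
    return report


if __name__ == "__main__":
    for ip, info in analyse(SAMPLE_LOG.splitlines()).items():
        print(ip, info)
```

Run it as-is to score the constructed sample; on a real site, feed it the lines of access.log and tune the threshold and window to the site's normal traffic. An IP whose burst is followed by a 302 is the one to look at first: that account's password gets reset and its subsequent activity reviewed.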
Slide 21: This is What Matters - KISS
From an access standpoint:
• Server WAF
• Application WAF
• Two-factor authentication
• Strong / unique password
• Secure environment
From a vulnerability standpoint:
• Stay current
• Use trusted sources
• Avoid soup kitchen servers
• Separate staging from production
• Secure environment
Slide 22: My Advice
To the Average Joe:
1. Kill PHP execution
2. Disable theme / plugin editing via admin
3. Connect securely: SFTP / SSH
4. Use authentication keys in wp-config
5. Use trusted sources
6. Use a local antivirus. Yes, Macs need one
7. Verify your permissions: directories 755, files 644
8. Least privilege
9. Kill generic accounts: accountability
10. Back up your site. Yes, the database too
To the Paranoid / Lucky:
1. Don't let WordPress write to itself
2. Filter by IP
  • SSH access
  • WP-ADMIN access
  • Database access
3. Use a dedicated server / VPS
4. Employ a WAF / logging solution
5. Enable SSL
Slide 23: Kill PHP Execution
• The idea is not to let them execute any PHP files. You do so by adding this to an .htaccess file in the directory of choice. Recommendation:
  • wp-includes
  • uploads

#PROTECT [Directory Name]
<Files *.php>
Deny from all
</Files>
Slide 24: Disable Plugin/Theme Editor
• Add to wp-config: if a user is compromised, they won't be able to add anything to the core theme or plugin files.

# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
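Steps 1, 2, 4 and 7 of the advice slide, together with the two snippets on the last two slides, can all be checked mechanically. As an added example that is not part of the deck, this Python script audits a WordPress tree for them: a <Files *.php> deny block in the .htaccess of wp-includes and wp-content/uploads, DISALLOW_FILE_EDIT and non-default authentication keys in wp-config.php, and nothing more permissive than 755 for directories and 644 for files. It assumes the upload directory lives at wp-content/uploads and accepts either the deck's Apache 2.2 "Deny from all" or the Apache 2.4 equivalent "Require all denied"; it builds a constructed mini install in a temp directory rather than touching a real site.

```python
"""Audit a WordPress tree against the hardening checklist in slides 22 to 24.

Added example, not from the slides. Checks: .htaccess denies *.php in
wp-includes and wp-content/uploads (slide 23), DISALLOW_FILE_EDIT and
non-default authentication keys in wp-config.php (slides 22 and 24), and
directories 755 / files 644 or stricter (slide 22). Runs against a
constructed sample tree in a temp directory, so it needs no real install.
"""
from __future__ import annotations

import re
import stat
import tempfile
from pathlib import Path

PROTECTED_DIRS = ("wp-includes", "wp-content/uploads")  # assumed upload location
# The deck's snippet uses Apache 2.2 syntax; Apache 2.4 spells it "Require all denied".
DENY_MARKERS = ("Deny from all", "Require all denied")
DEFAULT_KEY_PHRASE = "put your unique phrase here"  # placeholder in wp-config-sample.php
AUTH_KEYS = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")


def htaccess_blocks_php(directory: Path) -> bool:
    """True if directory/.htaccess has a <Files *.php> block that denies access."""
    ht = directory / ".htaccess"
    if not ht.is_file():
        return False
    m = re.search(r"<Files\s+\*\.php>(.*?)</Files>", ht.read_text(), re.S | re.I)
    return bool(m) and any(marker in m.group(1) for marker in DENY_MARKERS)


def wp_config_findings(config: Path) -> list[str]:
    """Missing DISALLOW_FILE_EDIT, or keys/salts left at the default phrase or too short."""
    text = config.read_text()
    findings = []
    if not re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", text, re.I):
        findings.append("DISALLOW_FILE_EDIT is not set to true")
    for key in AUTH_KEYS:
        m = re.search(r"define\(\s*['\"]%s['\"]\s*,\s*['\"]([^'\"]*)['\"]\s*\)" % key, text)
        if m is None or m.group(1) == DEFAULT_KEY_PHRASE or len(m.group(1)) < 32:
            findings.append(f"{key} is missing, still the default phrase, or too short")
    return findings


def permission_findings(root: Path) -> list[str]:
    """Flag anything more permissive than 755 (dirs) / 644 (files); stricter is fine."""
    findings = []
    for path in sorted(root.rglob("*")):
        mode = stat.S_IMODE(path.stat().st_mode)
        expected = 0o755 if path.is_dir() else 0o644
        if mode & ~expected & 0o777:
            findings.append(f"{path.relative_to(root)} is {oct(mode)}, expected at most {oct(expected)}")
    return findings


def audit(root: Path) -> dict[str, list[str]]:
    return {
        "php_execution": [f"{d}/.htaccess does not deny *.php"
                          for d in PROTECTED_DIRS if not htaccess_blocks_php(root / d)],
        "wp_config": wp_config_findings(root / "wp-config.php"),
        "permissions": permission_findings(root),
    }


def build_sample_site(hardened: bool) -> Path:
    """Constructed mini install: hardened per the deck, or left at insecure defaults."""
    root = Path(tempfile.mkdtemp(prefix="wp-audit-"))
    for d in PROTECTED_DIRS:
        (root / d).mkdir(parents=True)
        if hardened:
            (root / d / ".htaccess").write_text(
                f"#PROTECT {d}\n<Files *.php>\nDeny from all\n</Files>\n")
    phrase = "x" * 64 if hardened else DEFAULT_KEY_PHRASE
    lines = ["<?php"] + [f"define('{k}', '{phrase}');" for k in AUTH_KEYS]
    if hardened:
        lines.append("define('DISALLOW_FILE_EDIT', true);")
    (root / "wp-config.php").write_text("\n".join(lines) + "\n")
    for path in root.rglob("*"):  # set modes explicitly so the result is umask-independent
        path.chmod(0o755 if path.is_dir() else 0o644)
    if not hardened:
        (root / "wp-config.php").chmod(0o666)  # world-writable config, a classic finding
    return root


if __name__ == "__main__":
    for label in ("hardened", "default"):
        print(label, audit(build_sample_site(label == "hardened")))
```

Pointed at a real install (audit(Path("/var/www/html")) or wherever the site lives), every non-empty list is an item from the slide that is still open. The permission check treats stricter modes such as 600 on wp-config.php as fine, since the deck's 755/644 are an upper bound, not a target.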
Slide 25: Recommended Plugins
Clients:
• Sucuri Security Premium
• Duo Two-Factor Authentication
• Theme-Check
• BackupBuddy
• Akismet
Non-Clients:
• Duo Two-Factor Authentication
• Limit Login Attempts
• Theme-Check
• BackupBuddy
• Akismet
Slide 26: Know Where to Go, If... It Happens
Support Forums:
• Hacked: http://wordpress.org/tags/hacked
• Malware: http://wordpress.org/tags/malware
• BadwareBusters: https://badwarebusters.org
Online Resources:
• Sucuri Blog: http://blog.sucuri.net
• SiteCheck Scanner: http://sitecheck.sucuri.net
• Unmask Parasites: http://unmaskparasites.com
• Perishable Press: http://perishablepress.com/category/web-design/security/
• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress
Slide 27: Blacklist Entities
• Google
  • Used by: Chrome, Firefox, Search Engine Results Page (SERP)
  • http://www.google.com/webmaster/tools
  • http://www.google.com/safebrowsing/diagnostic?site=[your site]
• Bing
  • Used by: Internet Explorer, Yahoo
  • http://www.bing.com/toolbox/webmaster/
• Norton
  • Used by: SafeWeb Browsing, Facebook
  • http://safeweb.norton.com/
• AVG
  • Used by: Opera
  • http://www.avgthreatlabs.com/sitereports/
Slide 28: Jigar Pandya
http://www.zealousweb.com
http://youritcoach.wordpress.com

Notes from the editor

1. Pundits will argue that admin is half the battle and that most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would