This document discusses ways to detect security issues on a WordPress site and server. It recommends using tools like ModSecurity, fail2ban, Apticron, and Apt-dater to monitor for updates, failed login attempts, and other security events. It also proposes building a WordPress plugin called WP Central that would aggregate security data from all sites and servers and provide a central dashboard. The plugin would monitor files, permissions, login attempts, and perform checksum scans to detect any changes or additions.
2. Marko Heijnen
• Founder of CodeKitchen
• Lead developer of GlotPress
• Core contributor for WordPress
• Plugin developer
• Organizer for WordCamp Belgrade
• Using lots of (new) technologies
4. Stats for the first 5 months of 2015
• 3 core security updates
• Cross-site scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions
• Cross-site scripting (XSS) vulnerability inside the popular JetPack plugin and the default Twenty Fifteen theme because of Genericons
13. Detection of your install
• Updates of WordPress, Plugins and themes
• Failed login attempts
• Security issues in plugins and themes
• Security enhancements reported by core
• List of plugins/themes you don’t use
14. Detection of the server
• Updates of server software
• Failed login attempts
15. Detection of what is going on
• Requests to plugins you don’t have (404s)
• Permissions of your folders/files
• Check if files got changed (Core, plugins, themes)
• Check if files got added (Core, plugins, themes)
• What is in your uploads folder (PHP files)
17. Security software I use
• ModSecurity / UFW on every server (default: block everything)
• fail2ban
• apticron (only 1 per matching type)
• apt-dater-host (in combination with apt-dater)
• Own code
18. Apticron
• Cron job that checks whether updates are available
• Mails you when there are updates
• Can mail the full list or only the new updates
19. Apt-dater and Apt-dater-host
• Terminal-based remote package update manager
• A tool for managing many servers
• Groups similar servers
• Installs and updates packages
29. WP Central API
• http://wpcentral.io/api/
• Started with contributor data
• Then stats
• Now creating checksums for plugins and themes
• Soon: functionality similar to wpvulndb.com
30. Node.js server
• WordPress calls a microserver (nginx)
• nginx calls the node.js server
• Returns the data when it exists
• Returns an error when it does not, and generates the checksums in the background
31. WP Central API
• http://wpcentral.io/api/checksums/theme/twentyfifteen/1.2
• [{"code":"wpcentral_server_error","message":"Generating checksums"}]
• [{"file":"header.php","checksum":"c0919b5f4b6e4f3a58b858b2305e9146"},{},{},{},{},{},{},{},{},{},{},{},{},{}]
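The checks from slide 15 (changed files, added files, PHP in the uploads folder) driven by a checksum list in the shape slide 31 shows, as an added example that is not WP Central's own code: it assumes the 32-hex-character checksums are MD5 (inferred from their length, not stated on the page) and builds a constructed theme tree in a temporary directory instead of calling the API.

```python
import hashlib
import tempfile
from pathlib import Path

def file_checksum(path: Path) -> str:
    # MD5 is an assumption: the API's 32-hex-char checksums have MD5's length.
    h = hashlib.md5()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def compare(reference: list, root: Path) -> dict:
    # reference: the [{"file": ..., "checksum": ...}, ...] list the API returns.
    expected = {e["file"]: e["checksum"] for e in reference}
    actual = {p.relative_to(root).as_posix(): file_checksum(p)
              for p in root.rglob("*") if p.is_file()}
    return {
        "changed": sorted(f for f in expected if f in actual and actual[f] != expected[f]),
        "added": sorted(f for f in actual if f not in expected),
        "missing": sorted(f for f in expected if f not in actual),
    }

def php_in_uploads(uploads: Path) -> list:
    # PHP files under wp-content/uploads, where only media should live.
    return sorted(p.relative_to(uploads).as_posix() for p in uploads.rglob("*")
                  if p.is_file() and p.suffix.lower() in {".php", ".phtml"})

def demo() -> dict:
    # Constructed sample: a fake theme with one edited, one dropped-in and one deleted file.
    base = Path(tempfile.mkdtemp())
    theme = base / "twentyfifteen"
    (theme / "inc").mkdir(parents=True)
    (theme / "header.php").write_bytes(b"<?php // original header\n")
    (theme / "inc" / "template-tags.php").write_bytes(b"<?php // tags\n")
    reference = [{"file": f, "checksum": file_checksum(theme / f)}
                 for f in ("header.php", "inc/template-tags.php")]
    reference.append({"file": "footer.php", "checksum": "0" * 32})  # upstream only
    (theme / "header.php").write_bytes(b"<?php // original header\n/* edited */\n")
    (theme / "inc" / "extra.php").write_bytes(b"<?php // not in the release\n")
    uploads = base / "uploads" / "2015" / "05"
    uploads.mkdir(parents=True)
    (uploads / "photo.jpg").write_bytes(b"\xff\xd8\xff")
    (uploads / "not-an-image.php").write_bytes(b"<?php // should not be here\n")
    result = compare(reference, theme)
    result["php_uploads"] = php_in_uploads(base / "uploads")
    return result
```

A "missing" entry is as interesting as a "changed" one: a file the release ships but the install lacks is either a deliberate removal or evidence of tampering, and both deserve a look.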
40. OSSEC
• An open source host-based intrusion detection system
• Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response
• Works with a manager and agents
• https://hackertarget.com/defending-wordpress-ossec/