It’s About The Basics
Website Security (WordPress)
04/07/2023
@PEREZBOX
• Sucuri, Inc.
  – @sucuri_security
  – @perezbox
• Specialization:
  – Website Security
  – Incident Handling
• Special Interests:
  – Brazilian JiuJitsu
Tony Perez | @perezbox | @sucuri_security 2
• Website Security Company
• Global Operations
• Platform Agnostic (i.e., WordPress, Joomla, etc.)
• Scan 2M Unique Domains a Month
• Block 4M web attacks a Month
• Remediate 400 – 500 websites a day
• Signature / Heuristic Based
• 24/7 operations
Statistics
2013 – Year of the Mega Breach
[Chart: Data Breaches (Millions), 2011 vs. 2013; ~230%]
Anatomy of Malicious Websites
[Chart: Malicious Websites vs. Legitimate Websites; 85%]
Legitimate Websites
[Chart: Not-Exploitable vs. Exploitable; 77%]
1 in 8 - Critical Vulnerability
Ransomware Explosion
[Chart: Ransomware, 2012 vs. 2013; ~500%]
Malware Distribution
[Pie chart categories:]
• Remote iFrame Includes
• Remote JavaScript Includes
• SPAM Injections
• Obfuscated / Encoded JavaScript
• Conditional Redirects
• Defacements
• Other
[Chart values: 26%, 19%, 16%, 14%, 11%, 4%, 10%]
Understanding Hackers
Anatomy of Website Attacks
Recon → Identify → Attack → Decisions → Sustain
Use for malware? Part of a zombie network? Data breach?
What kind of website do you have?
Five Stages of an Attack
Automated Attacks
WP-ADMIN
Themes / Plugins Payload
Exploiting Access Control
Distribution Mechanism
Malicious Links
Social Media
Email Links Website
Text Messages
There’s a Tool for that
• Malware as a Service (MaaS) – Yes, pay someone to hack for you
• Different tools to break in and generate payloads
  – Brute force and vulnerability exploits
  – Malware Payloads
Why?
Impacts To You
Beyond The Application Layer
• Going deeper than the application layer, targeting the server.
• Server Polymorphism – a.k.a. highly adaptive / sophisticated
• Darkleech / Cdork (Apache)
• Ebury (SSH)
• Email Server (SPAM)
• Heartbleed (OpenSSL)
Phishing Lures
93% Increase in 2013
Exploiting Forms
• Stick With Reputable Sources
• Generating SPAM emails, resource hogs
• IP blacklisting
Search Engine Poisoning (SEP)
• Pharmacy
• Payday Loans
Blacklisting
Drive By Downloads
Brute Force Attacks
Denial of Service (DOS)
Brute Force vs Denial of Service
Trust Erosion
Free is not always Free
• http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html
- SEOPressor
  - Payload located: wp-content/plugins/seo-pressor(gratuit)
  - File: central.class.php
- Flat Skins Pack Extension
  - Payload located: wp-content/restrict-content-pro/includes/
  - File: sidebar.php
- Restrict Content Pro
  - Payload located: wp-content/ubermenu-skins-flat
Don’t Worry, Everyone is a “Target”
Defenses
Biggest Weakness / Vulnerability
It’s About Good Posture
Security Posture
Principles
Access
Vulnerabilities
Starts With Expectations
“It’s about risk reduction… risk will never be zero…”
Posture
Risk
Defense in Depth
“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”
Layered Defenses
Protection Detection
Auditing Sustainment
Access – P@ssw0rd
• Passwords
  – Complex
  – Long
  – Unique
Enforce Strong Credentials
Push the Access Boundaries
• https://getclef.com/ | @getclef
Principle of Least Privilege
“requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”
Understand Your Roles
Hardening – Kill PHP
PHP Execution, disable it:
• /wp-includes
• /wp-content
  ▪ /themes
  ▪ /plugins
  ▪ /uploads
# .htaccess in each directory above (Apache 2.2 syntax; Apache 2.4 uses "Require all denied")
<Files *.php>
Deny from all
</Files>
Disable Plugin / Theme Editor
• WP-CONFIG File Modification
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
Brute Force Attacks
Please Backup
Software Vulnerabilities
• Stay current with the latest vulnerabilities:
  – Secure - http://wordpress.org/plugins/secure/
Brute Force Protection
• Local Protection
  – https://bruteprotect.com/ | @BruteProtect
Stay Current (Update)
Website Firewalls
• Stay ahead of Software Vulnerabilities
Ensure Integrity of Connection
• https://www.getcloak.com/ | @getcloak
Simple Steps to Reduce Risk
Ideal implementations:
1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers

The Bare Minimum:
1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – MAC too
5. Permissions - D 755 | F 644
6. Least Privileged Principles
7. Accountability
8. Backups – Include Database
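
The file-level hardening items from the slides (PHP execution disabled under /wp-includes and /wp-content, DISALLOW_FILE_EDIT in wp-config, and the D 755 | F 644 permission baseline) can be checked with a short audit script. This is an added example, not part of the original deck: the function names and the demo tree are constructed for illustration, and the .htaccess check also accepts the Apache 2.4 form "Require all denied".

```shell
#!/usr/bin/env bash
# Added example: audit a WordPress tree for three hardening items from the slides.
# Prints one "FAIL:" line per finding; audit_wp returns 0 only when there are none.
# PHP execution should be denied by .htaccess in each of these directories.
check_php_exec() {
  local d ht
  for d in wp-includes wp-content/themes wp-content/plugins wp-content/uploads; do
    [ -d "$1/$d" ] || continue
    ht="$1/$d/.htaccess"
    # Text match for Apache 2.2 ("Deny from all") or 2.4 ("Require all denied").
    if ! grep -Eqi '<Files[[:space:]]+"?\*\.php"?>' "$ht" 2>/dev/null ||
       ! grep -Eqi 'deny from all|require all denied' "$ht" 2>/dev/null; then
      echo "FAIL: PHP execution not disabled in $d"
    fi
  done
}

# wp-config.php should define DISALLOW_FILE_EDIT as true on a non-commented line.
check_file_edit() {
  local pat="define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
  if ! grep -Ev '^[[:space:]]*(//|#)' "$1/wp-config.php" 2>/dev/null | grep -Eqi "$pat"; then
    echo "FAIL: DISALLOW_FILE_EDIT is not true in wp-config.php"
  fi
}

# Baseline is D 755 | F 644: report anything group- or world-writable.
check_perms() {
  find "$1" \( -type d -o -type f \) \( -perm -020 -o -perm -002 \) \
    -exec printf 'FAIL: group/world-writable: %s\n' {} \;
}

audit_wp() {
  local out
  out=$(check_php_exec "$1"; check_file_edit "$1"; check_perms "$1")
  [ -z "$out" ] || { printf '%s\n' "$out"; return 1; }
}

# Constructed demo tree (not a real site): hardened except for one 777 upload dir.
make_demo_tree() {
  local r; r=$(mktemp -d)
  mkdir -p "$r/wp-includes" "$r/wp-content/uploads"
  printf '<Files *.php>\nDeny from all\n</Files>\n' > "$r/wp-includes/.htaccess"
  cp "$r/wp-includes/.htaccess" "$r/wp-content/uploads/.htaccess"
  printf "<?php\ndefine('DISALLOW_FILE_EDIT', true);\n" > "$r/wp-config.php"
  chmod -R u=rwX,go=rX "$r"; chmod 777 "$r/wp-content/uploads"
  echo "$r"
}
# With no argument, audit the constructed demo tree; otherwise audit the given path.
if [ $# -gt 0 ]; then audit_wp "$1"; else d=$(make_demo_tree); audit_wp "$d" || true; rm -rf "$d"; fi
```
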
Notable Resources
Name | Tool
Sucuri Blog | http://blog.sucuri.net
Sucuri TV | http://sucuri.tv
Malware Scanner | http://sitecheck.sucuri.net
Malware Scanner | http://unmaskparasites.com
Badware Busters | https://badwarebusters.org
Google Forums | http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
Google Webmaster Tools | http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories | http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB | http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
WordPress Hacked FAQ | http://codex.wordpress.org/FAQ_My_site_was_hacked
WordPress Hardening | http://codex.wordpress.org/Hardening_WordPress
Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net
@perezbox | @sucuri_security
http://www.slideshare.net/perezbox/website-security-wordpress-its-about-the-basics