WordPress Security - The "No-BS" Version

Date post: 08-May-2015
Upload: tony-perez
Description: A presentation I put together for WordCamp Chicago 2012.
Transcript
Page 1: WordPress Security - The "No-BS" Version

The “No-BS” Version

WORDPRESS SECURITY

Page 2: SUCURI@WORDCAMP# WHOIS PEREZBOX

04/11/2023@PEREZBOX @SUCURI_SECURITY @TONYONSECURITY #WCCHX

• Name: Tony Perez

• Street name: The Hulk

• Handle: Perezbox

• Company: Sucuri

• Occupation: Executive / Owner

• Likes: Guns, InfoSec, Harley’s, MMA

• Personality: Rational / Objective = Turd

• Location: Menifee, California

Page 3: TODAY’S CHALLENGES

• Administration

• Extensibility

• Credentials

• End-users

• Education

Page 4: KNOWLEDGE

Check yourself before you wreck yourself

“The user’s going to pick dancing pigs over security every time.” - Bruce Schneier

Page 5: KNOW THE ENVIRONMENT

LAMP STACK: Linux, Apache, MySQL, PHP

• This is what it takes to run WordPress

• Each contains its own laundry list of known vulnerabilities

• Bare-bones – this is the minimum; a real host layers more on top of it

Page 6: KNOW THE APPLICATION

WordPress: Core, Themes, Plugins, End-User

• Today’s Problem

Page 7: REALISTIC ENVIRONMENT

• Linux Operating System

• Apache – serving WordPress, cPanel, Plesk

• MySQL – with myLittleAdmin, phpMyAdmin, etc. in front of it

• PHP – plus its Modules

Every extra component (control panel, database admin tool, PHP module) is one more piece of software with its own vulnerabilities and its own login, on top of the bare LAMP stack.

Page 8: YOUR HOST

• Who is your host?

• How do you connect to the server?

• FTP, SFTP, SSH

• What security does your host use? Do they use any web security?

• What will your host do if you get hacked?

• Will they shut your site down?

• Will they kick you off their server?

• Will they fix it for you?

IF YOU DON’T KNOW WHAT YOU’RE DOING, GO WITH A MANAGED SOLUTION

Page 9: CONNECTING

• If you don’t need it, disable it

• SFTP / SSH is preferred – encrypted; plain FTP sends your password across the wire in the clear

• FTP works fine – disable it if you’re not using it, don’t talk to me if you are

• FTP/SFTP != WP-ADMIN – separate credentials and separate ways in, each one needs locking down

• Least Privileged

• You don’t have to log in to FTP / SFTP with full root access

• Everyone doesn’t need to be an admin

• You don’t need to log in as admin for day-to-day work

• The focus is on the role, not the name of the user

• Accountability – kill generic accounts – who is doing what?

Page 10: ATTACK TYPE

Targeted

• Big enterprises with large followings:

  • WordPress.com

  • WooThemes

• Worth investing time and energy to compromise, bigger return

Opportunistic

• Trolling the web looking for known vulnerabilities

• Ability for mass exposure

• Think “TimThumb”

Page 11: AUTOMATION IS KEY

Automation: Scan → Detect → Exploit → PWN

• Targeted / Opportunistic

• Vulnerability Scans

• Brute Force / Data Dictionary Attacks

• DDOS / DOS

• XSS / CSRF

• SQLi

Page 12: BLACKLISTING

• Take a chill pill.. Not the end of the world

• Detect, Remove, Submit – once the site is clean, submit a review request to each entity that listed you

Page 13: THE MISTAKE

• But why me?!?!?!

• Forget the why, look at the how!!

Page 14: THE HOW

Nothing fancy here.. The facts

“Own one, Own them All” – on a shared server, one compromised site is a foothold into every other site on it

Page 15: TODAY’S EXPLOITS

Application (the part you control):

• Privilege Escalation

• Brute Force / Data Dictionary

• Remote File Inclusion

• Remote File Execution

• Injections

Environment:

• Remote File Inclusion

• Remote File Execution

• Brute Force / Data Dictionary

Page 16: TOP 5 WORDPRESS INFECTIONS

• Backdoors

• Difficult to Detect via HTTP

• Injections

• Easy to Detect via HTTP

• Pharma Hack

• Best person to detect is the owner, difficult to detect via HTTP

• Malicious Redirects

• Easy to Detect via HTTP

• Defacements

• Pretty obvious – you’re now supporting the Syrian fight or preaching to your Turkish brothers

Page 17: BACKDOOR

• Complete access via shell… kiss all hardening goodbye

• Sad day.. Good time to cry…
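Because a backdoor is hard to see over HTTP, the place to look is the file system. What follows is an added example, not code from the deck, from Tony Perez or from Sucuri: a Python scan of a WordPress tree for the three indicators that matter most, a PHP file under wp-content/uploads (WordPress writes media there, never code), PHP code hiding behind another extension (favicon.ico, .jpg), and the eval/base64_decode, preg_replace /e and system($_GET[...]) constructs that web shells are built from. The sample tree it creates in a temporary directory, the planted file names and the signature list are assumptions for illustration; a hit is a lead for a human to inspect, not proof, and a real sweep adds a hash comparison of core files against a clean copy of the same WordPress version.

```python
import os
import re
import tempfile

# Constructs that appear in PHP web shells far more often than in legitimate
# theme or plugin code. A hit is a lead for a human to inspect, not proof.
CONTENT_RULES = [
    ("eval of decoded payload",
     re.compile(r"eval\s*\(\s*(?:base64_decode|gzinflate|gzuncompress|str_rot13)\s*\(", re.I)),
    ("eval of request input",
     re.compile(r"eval\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("preg_replace with the /e modifier",
     re.compile(r"preg_replace\s*\(\s*(['\"])/.*?/[a-z]*e[a-z]*\1", re.I)),
    ("command execution of request input",
     re.compile(r"(?:system|passthru|shell_exec|exec|popen|proc_open)\s*\(\s*\$_(?:GET|POST|REQUEST|COOKIE)\b", re.I)),
    ("function name taken from request input",
     re.compile(r"\$_(?:GET|POST|REQUEST|COOKIE)\[[^\]]+\]\s*\(", re.I)),
]
PHP_EXTENSIONS = (".php", ".phtml", ".php5", ".php7")
PHP_OPEN_TAG = re.compile(rb"<\?php|<\?=", re.I)


def scan_tree(root):
    """Walk an install and return sorted (relative path, reason) pairs."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            with open(path, "rb") as fh:
                raw = fh.read()
            is_php = name.lower().endswith(PHP_EXTENSIONS)
            has_tag = PHP_OPEN_TAG.search(raw) is not None
            # 1. WordPress writes media into uploads, never code: any PHP file there is planted.
            if is_php and rel.startswith("wp-content/uploads/"):
                findings.append((rel, "PHP file inside wp-content/uploads"))
            # 2. PHP hiding behind an innocent extension (favicon.ico, .jpg, .txt ...).
            if has_tag and not is_php:
                findings.append((rel, "PHP code in a non-PHP file"))
            # 3. Shell-style constructs in anything that carries PHP.
            if is_php or has_tag:
                text = raw.decode("utf-8", errors="replace")
                for reason, rule in CONTENT_RULES:
                    if rule.search(text):
                        findings.append((rel, reason))
    return sorted(findings)


def build_sample_site():
    """Constructed sample tree (not a real site): clean files plus three planted backdoors."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    files = {
        "wp-content/themes/twentyeleven/functions.php":
            "<?php\nadd_action('init', 'twentyeleven_setup');\n",
        "wp-content/plugins/akismet/akismet.php":
            "<?php\n/* Plugin Name: Akismet */\nfunction akismet_init() { return true; }\n",
        "wp-content/uploads/2012/06/photo.jpg": "JFIF not really a jpeg",
        # planted: obfuscated shell dropped through an upload bug
        "wp-content/uploads/2012/06/thumb.php":
            "<?php eval(base64_decode('ZWNobyAnaGknOw==')); ?>",
        # planted: shell hiding behind an image name
        "wp-includes/images/favicon.ico": "<?php system($_GET['c']); ?>",
        # planted: code execution through preg_replace /e inside a theme file
        "wp-content/themes/twentyeleven/header.php":
            "<?php preg_replace('/.*/e', $_POST['p'], ''); ?>",
    }
    for rel, body in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    for rel, reason in scan_tree(build_sample_site()):
        print(f"{rel}: {reason}")
```

Run it against a real install by calling scan_tree("/path/to/wordpress"). Expect false positives from a few legitimate plugins that ship obfuscated code; the uploads and non-PHP-extension rules are the ones with almost no benign explanation.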

Page 18: LINK INJECTION

• Drive-by-download attempt – think Fake AV / Adobe

• Pharma Links – Erectile Dysfunction (Viagra)

Page 19: PHARMA

• Affiliate Model

• Multi-million dollar industry

• Generate ~3.5k new clients daily

Page 20: DEFACEMENT

• Hacktivism at its finest

• Awareness to cause

Page 21: COMMON VECTORS

• Vulnerable Software

• Often associated with Out-of-date software

• WordPress Themes / Plugins, more so than Core

• Cross Site Contamination

• Soup Kitchen Servers – one account or one box hosting many unrelated sites; one infected site reaches the rest

• Compromised Credentials

• Password123, Password1, 111111a = not cool

• Remote File Inclusion

• Leads to Remote Execution

• Think TimThumb, Uploadify, etc…

“38% of us Would Rather Clean a Toilet Than Think of New Password” - Mashable

Page 22: MAKE IT STOP

Simple is so much sweeter…

“The question isn't who is going to let me; it's who is going to stop me.”

Page 23: THE KEY IS ACCESS

• In almost all instances the key is access, whether via:

• WP-ADMIN

• SSH / SFTP (Port 22)

• FTP (Port 21) => You are dead to me!!! : )

• Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – you can’t avoid zero-day events, but you can stay proactive once they are identified

• Doesn’t include environmental issues

• Myth: Remove Admin

• Fact: brute-forcing a 10 character password ≈ 1,700 years (at the guess rate this slide assumed; the real figure depends on the character set and on how many guesses per second the login form lets through). Today, dictionary attacks are the preferred method. Either way it takes many attempts, and many attempts from one source is exactly what shows up in your logs.

• The “administrator” role matters more than the “administrator” or “admin” user name.
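The “many attempts” in the Fact bullet is the detectable signal. As an added example (not from the deck), here is a Python pass over Apache access-log lines that flags IPs hammering wp-login.php or xmlrpc.php. It relies on one property of WordPress: a failed wp-login.php POST is answered with 200 (the form comes back with an error), a successful one redirects with 302, so a burst of 200s followed by a 302 from the same IP means a guess landed. The log lines are constructed for the example, the IPs are documentation addresses, and the threshold and window are assumptions to tune against your own traffic.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Apache "combined" log line: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
LOGIN_ENDPOINTS = ("/wp-login.php", "/xmlrpc.php")


def parse_line(line):
    """Return (ip, timestamp, method, path without query, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"].split("?", 1)[0], int(m["status"])


def detect_bruteforce(lines, threshold=10, window=timedelta(minutes=10)):
    """Flag IPs that POST to the login endpoints >= threshold times inside `window`.

    A failed wp-login.php POST is answered 200 (form re-rendered with an error);
    a successful one is answered 302 to wp-admin. xmlrpc.php answers 200 either
    way, so for it only the volume is the signal.
    """
    failures = defaultdict(list)   # ip -> timestamps of POST ... 200
    guessed = set()                # ips that got a 302 after earlier failures
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, status = rec
        if method != "POST" or path not in LOGIN_ENDPOINTS:
            continue
        if status == 200:
            failures[ip].append(ts)
        elif status == 302 and path == "/wp-login.php" and failures.get(ip):
            guessed.add(ip)
    flagged = {}
    for ip, times in failures.items():
        times.sort()
        # sliding window: the largest number of failures inside any single window
        best, start = 0, 0
        for end, t in enumerate(times):
            while t - times[start] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {"failures": best, "succeeded": ip in guessed}
    return flagged


def deny_lines(flagged):
    """Apache 2.2 style rules for the flagged IPs (to feed a WAF, firewall or .htaccess)."""
    return [f"Deny from {ip}" for ip in sorted(flagged)]


# --- constructed sample log (not a real server's log) ---
def _line(ip, ts, method, path, status):
    stamp = ts.strftime("%d/%b/%Y:%H:%M:%S %z")
    return f'{ip} - - [{stamp}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


T0 = datetime(2012, 6, 22, 10, 15, 0, tzinfo=timezone(timedelta(hours=-5)))
SAMPLE_LOG = (
    # a real user who mistypes twice and then gets in
    [_line("203.0.113.5", T0, "GET", "/wp-login.php", 200)]
    + [_line("203.0.113.5", T0 + timedelta(seconds=s), "POST", "/wp-login.php", 200) for s in (5, 20)]
    + [_line("203.0.113.5", T0 + timedelta(seconds=40), "POST", "/wp-login.php", 302)]
    # a dictionary attack: twelve guesses in twelve seconds, and the last one lands
    + [_line("198.51.100.23", T0 + timedelta(seconds=s), "POST", "/wp-login.php", 200) for s in range(12)]
    + [_line("198.51.100.23", T0 + timedelta(seconds=12), "POST", "/wp-login.php", 302)]
    # slow and spread out: 15 failures over three hours, never 10 inside one window
    + [_line("192.0.2.9", T0 + timedelta(minutes=12 * k), "POST", "/wp-login.php", 200) for k in range(15)]
)

if __name__ == "__main__":
    hits = detect_bruteforce(SAMPLE_LOG)
    for ip, info in hits.items():
        print(ip, info)
    print("\n".join(deny_lines(hits)))
```

The slow attacker (192.0.2.9) is the caveat: a threshold-per-window catches bursts, not patience, so keep the per-IP totals too and pair this with the Limit Login Attempts plugin or a WAF that counts on its side. A flagged IP whose "succeeded" is true is an incident, not a log entry: reset that user’s password and look for what was changed after the 302.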

Page 24: THIS IS WHAT MATTERS - KISS

From an access standpoint:

• Two Factor Authentication

• Strong / Unique Password

• Server WAF / Application WAF

• Secure Environment

From a vulnerability standpoint:

• Stay Current

• Use Trusted Sources

• Avoid Soup Kitchen Servers

• Separate Staging from Production

• Secure Environment

Page 25: MY ADVICE

To the Average Joe:

1. Kill PHP Execution

2. Disable Theme / Plugin Editing via Admin

3. Connect Securely – SFTP / SSH

4. Use Authentication Keys in wp-config

5. Use Trusted Sources

6. Use a local Antivirus – Yes, Macs need one

7. Verify your permissions - D 755 | F 644

8. Least Privileged

9. Kill generic accounts - Accountability

10. Backup your site – yes, Database too

To the Paranoid / Lucky:

1. Don’t let WordPress write to itself

2. Filter by IP

  • SSH Access

  • WP-ADMIN Access

  • Database Access

3. Use a dedicated server / VPS

4. Employ a WAF / Logging Solution

5. Enable SSL
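Item 7 (D 755 | F 644) and the paranoid item 1 (don’t let WordPress write to itself) are both checkable from a script. Added example, not part of the deck: a Python audit that walks an install, reports every directory or file whose mode deviates from the slide’s rule, and optionally fixes it. It goes one step beyond the slide for wp-config.php and expects 640 there, an assumption that the file (DB password, auth keys) only needs to be readable by the owner and by the web server’s group; adjust if your server runs under a different group. The sample tree is built in a temporary directory for the example. The caveat the slide leaves implicit: wp-content/uploads is the one place WordPress must write, and it should get that through ownership by the web server user, not through 777.

```python
import os
import stat
import tempfile

DIR_MODE = 0o755     # owner rwx, everyone else read + traverse
FILE_MODE = 0o644    # owner rw, everyone else read
# wp-config.php carries the DB password and the auth keys: the web server needs to
# read it, the world does not (0o640 assumes the server runs in the owner's group).
SPECIAL_FILES = {"wp-config.php": 0o640}


def audit_permissions(root, fix=False):
    """Return sorted (relative path, actual mode, expected mode) for every deviation.

    With fix=True the expected mode is applied while auditing. 777 on anything is
    the case the deck warns about: the web server process, and on a shared box
    every other account, can then write PHP into your site.
    """
    problems = []
    for dirpath, dirs, files in os.walk(root):
        for name in dirs + files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            expected = DIR_MODE if name in dirs else SPECIAL_FILES.get(rel, FILE_MODE)
            actual = stat.S_IMODE(os.lstat(path).st_mode)
            if actual != expected:
                problems.append((rel, actual, expected))
                if fix:
                    os.chmod(path, expected)
    return sorted(problems)


def build_sample_tree():
    """Constructed install (not a real one) with two sloppy modes and a leaky wp-config.php."""
    root = tempfile.mkdtemp(prefix="wp-perms-")
    dirs = {
        "wp-admin": 0o755,
        "wp-content": 0o777,            # chmod -R 777 "to make the plugin work"
        "wp-content/plugins": 0o755,
        "wp-content/uploads": 0o755,
        "wp-includes": 0o755,
    }
    files = {
        "index.php": 0o644,
        "wp-config.php": 0o644,                 # world-readable DB credentials
        "wp-content/plugins/hello.php": 0o644,
        "wp-includes/functions.php": 0o666,     # writable by the web server user
    }
    for rel, mode in dirs.items():
        path = os.path.join(root, *rel.split("/"))
        os.mkdir(path)
        os.chmod(path, mode)
    for rel, mode in files.items():
        path = os.path.join(root, *rel.split("/"))
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<?php // placeholder\n")
        os.chmod(path, mode)
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for rel, actual, expected in audit_permissions(root):
        print(f"{rel}: {oct(actual)} should be {oct(expected)}")
    audit_permissions(root, fix=True)
    print("after fix:", audit_permissions(root))
```

Run audit_permissions("/path/to/wordpress") first without fix=True and read the list; a directory that legitimately needs the web server to write (uploads, a cache dir) should be fixed by chown to the server user, not by widening the mode.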

Page 26: KILL PHP EXECUTION

• The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice. Recommendation:

• WP-INCLUDES

• UPLOADS

# PROTECT [Directory Name]
<FilesMatch "\.(php|phtml|php[0-9])$">
    Order deny,allow
    Deny from all
</FilesMatch>

• On Apache 2.4 replace the two Order/Deny lines with: Require all denied (the 2.2 syntax above only keeps working there while mod_access_compat is loaded).

• This only bites if Apache reads .htaccess for that directory (AllowOverride), and nginx ignores .htaccess entirely. Test it: drop a harmless .php file into uploads, request it, and expect a 403.

• A few files under wp-includes are requested directly (wp-tinymce.php in older releases, ms-files.php on Multisite), so check the editor and media uploads after applying it there.

Page 27: DISABLE PLUGIN/THEME EDITOR

• Add to wp-config – if a user is compromised they won’t be able to add anything to the core theme or plugin files through the admin editor.

# Disable Plugin / Theme Editor
define( 'DISALLOW_FILE_EDIT', true );

• Put it above the “That's all, stop editing!” line so it is set before wp-settings.php loads. It removes the editor screens only; a compromised admin can still upload a plugin or theme zip unless you also set DISALLOW_FILE_MODS, which disables install and update from the admin as well (you then update by other means).
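For item 4 on the advice slide (authentication keys in wp-config) together with the DISALLOW_FILE_EDIT line above, an added example that is not from the deck: Python that reads a wp-config.php, reports placeholder, short or reused keys and salts, a missing DISALLOW_FILE_EDIT, and a DB password from the “not cool” list on the Common Vectors slide, and can rewrite the file with fresh salts generated locally (an offline stand-in for the https://api.wordpress.org/secret-key/1.1/salt/ generator WordPress points you at). The sample config, the 32-character minimum and the 12-character password floor are constructed for the example; the DB password is the one thing it cannot fix for you, since it has to change in MySQL too.

```python
import re
import secrets
import string

KEY_NAMES = ("AUTH_KEY", "SECURE_AUTH_KEY", "LOGGED_IN_KEY", "NONCE_KEY",
             "AUTH_SALT", "SECURE_AUTH_SALT", "LOGGED_IN_SALT", "NONCE_SALT")
PLACEHOLDER = "put your unique phrase here"       # what wp-config-sample.php ships with
WEAK_DB_PASSWORDS = {"password123", "password1", "111111a"}   # from the Common Vectors slide

# define( 'NAME', 'quoted value' ) or define( 'NAME', true )
DEFINE_RE = re.compile(
    r"""define\s*\(\s*(['"])(?P<name>[A-Za-z_]+)\1\s*,\s*"""
    r"""(?P<value>(?P<q>['"])(?:\\.|(?!(?P=q)).)*(?P=q)|[^)\s]+)\s*\)"""
)


def parse_defines(config_text):
    """Map constant name -> raw value text, skipping comment lines."""
    defines = {}
    for line in config_text.splitlines():
        if line.strip().startswith(("//", "#", "/*", "*")):
            continue
        m = DEFINE_RE.search(line)
        if m:
            defines[m["name"].upper()] = m["value"]
    return defines


def _unquote(value):
    value = value.strip()
    if len(value) >= 2 and value[0] == value[-1] and value[0] in "'\"":
        return value[1:-1]
    return value


def audit_wp_config(config_text):
    """Findings for the deck's wp-config items: editor disabled, real keys/salts, sane DB password."""
    findings = []
    defines = parse_defines(config_text)
    if _unquote(defines.get("DISALLOW_FILE_EDIT", "")).lower() != "true":
        findings.append("DISALLOW_FILE_EDIT is not true: the admin theme/plugin editor is enabled")
    seen = {}
    for name in KEY_NAMES:
        if name not in defines:
            findings.append(f"{name} is missing")
            continue
        value = _unquote(defines[name])
        if value == PLACEHOLDER or len(value) < 32:
            findings.append(f"{name} is the sample placeholder or too short")
        elif value in seen:
            findings.append(f"{name} reuses the value of {seen[value]}")
        else:
            seen[value] = name
    db_pw = _unquote(defines.get("DB_PASSWORD", ""))
    if db_pw.lower() in WEAK_DB_PASSWORDS or len(db_pw) < 12:
        findings.append("DB_PASSWORD is weak: change it in MySQL and here")
    return findings


def generate_salts(length=64):
    """Offline stand-in for the api.wordpress.org salt generator: eight random defines."""
    # no quotes or backslashes, so each value drops into a single-quoted PHP string as-is
    alphabet = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}<>?~,.;:|/"
    lines = []
    for name in KEY_NAMES:
        value = "".join(secrets.choice(alphabet) for _ in range(length))
        lines.append("define( '%s', '%s' );" % (name, value))
    return lines


def harden(config_text):
    """Drop the existing key/salt defines, then insert fresh ones plus DISALLOW_FILE_EDIT
    above the 'stop editing' marker so they are set before wp-settings.php loads."""
    managed = KEY_NAMES + ("DISALLOW_FILE_EDIT",)
    drop = re.compile(r"define\s*\(\s*['\"](%s)['\"]" % "|".join(managed))
    kept = [ln for ln in config_text.splitlines() if not drop.search(ln)]
    additions = generate_salts() + ["define( 'DISALLOW_FILE_EDIT', true );"]
    marker = next((i for i, ln in enumerate(kept) if "stop editing" in ln), len(kept))
    return "\n".join(kept[:marker] + additions + kept[marker:]) + "\n"


# Constructed sample (not a real site's file): fresh-from-the-sample-file defaults.
WEAK_CONFIG = """<?php
/** Constructed sample wp-config.php for the example. */
define('DB_NAME', 'wordpress');
define('DB_USER', 'wp');
define('DB_PASSWORD', 'Password123');
define('DB_HOST', 'localhost');
define('AUTH_KEY',         'put your unique phrase here');
define('SECURE_AUTH_KEY',  'put your unique phrase here');
define('LOGGED_IN_KEY',    'put your unique phrase here');
define('NONCE_KEY',        'put your unique phrase here');
define('AUTH_SALT',        'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT',   'put your unique phrase here');
define('NONCE_SALT',       'put your unique phrase here');
$table_prefix = 'wp_';
/* That's all, stop editing! Happy blogging. */
require_once(ABSPATH . 'wp-settings.php');
"""

if __name__ == "__main__":
    print("before:", *audit_wp_config(WEAK_CONFIG), sep="\n  ")
    print("after: ", *audit_wp_config(harden(WEAK_CONFIG)), sep="\n  ")
```

Rotating the keys and salts logs every user out (their cookies stop validating), which is exactly what you want right after a compromise; run harden() on a copy, diff it, then swap it in.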

Page 28: RECOMMENDED PLUGINS

Clients:

• Sucuri Security Premium

• Duo Two-Factor Authentication

• Theme-Check

• BackupBuddy

• Akismet

Non-Clients:

• Duo Two-Factor Authentication

• Limit Login Attempts

• Theme-Check

• BackupBuddy

• Akismet

Page 29: KNOW WHERE TO GO, IF… IT HAPPENS

Online Resources:

• Sucuri Blog: http://blog.sucuri.net

• SiteCheck Scanner: http://sitecheck.sucuri.net

• Unmask Parasites: http://unmaskparasites.com

• Perishable Press: http://perishablepress.com/category/web-design/security/

• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

Support Forums:

• Hacked – http://wordpress.org/tags/hacked

• Malware – http://wordpress.org/tags/malware

• BadwareBusters – https://badwarebusters.org

Page 30: BLACKLIST ENTITIES

• Google

  • Chrome, FireFox

  • Search Engine Results Page (SERP)

  • http://www.google.com/webmaster/tools

  • http://www.google.com/safebrowsing/diagnostic?site=[your site]

• Bing

  • Internet Explorer

  • Yahoo

  • http://www.bing.com/toolbox/webmaster/

• Norton

  • SafeWeb Browsing

  • Facebook

  • http://safeweb.norton.com/

• AVG

  • Opera

  • http://www.avgthreatlabs.com/sitereports/

Page 31: Sucuri

Tony Perez

http://sucuri.net

http://blog.sucuri.net

http://perezbox.com & http://tonyonsecurity.com

@perezbox and @tonyonsecurity
