WordPress Security 101 - PowerPoint PPT Presentation

About This Presentation
Title:

WordPress Security 101

Description:

WordPress Security 101++ Awk/grep/sort madness! ... How many plugins and themes do you have installed that are not in use? There are a lot of options, ... – PowerPoint PPT presentation

Slides: 51
Provided by: lei160

Transcript and Presenter's Notes

1
WordPress Security 101
2
Introduction
3
Break down
  • Security basics
  • Attacker motives
  • Clean up
  • Prevention
  • Auditing!

4
whoami
  • Robert Rowley
  • Security guy
  • Websites, Server, Social Engineering, Mobile
  • DreamHost security one size fits all person

5
DreamHost
  • 1 million websites
  • Huge WordPress install base.

6
YOU!
  • Security core concepts
  • It is easy

7
Security core concepts
  • Backups
  • Passwords
  • Updates
  • Monitoring

8
Backups
  • Keep them regularly
  • Keep them secure and off site

9
Passwords
  • Easy!
  • Passphrase alphanumeric and other characters
  • Better!
  • Two factor.

10
Updates
  • Automate if possible.
  • On the first day it's already too late.

11
Monitoring
  • Prevent the attack from going unnoticed.

12
The bad guys
13
Fruit?
14
Low hanging fruit
15
Bots!
16
Attacker motivation
  • (word cloud: the slide is filled with the word "Why?", ending in one large "WHY?")
17
Attacker motivation
(No Transcript)
18
How?
  • Software vulnerabilities
  • Arbitrary file uploads, code execution, LFI/RFI, SQLi
  • Password compromise
  • Spyware/Brute force
  • Host based attacks
  • Are you on a shared host? (cloud?)

19
Show your work!
  • How does a compromised site equal profit?
  • Phishing (Identity theft)
  • BlackHat SEO (affiliate services e-fraud)
  • Traffic Theft (Malware)
  • Spam (All of the above)
  • Backdoor installations (All of the above)

20
Graphs
  • DreamHost attack logs
  • Actual traffic from 8/20/2011 to 02/16/2012

21
Graph zenCart
22
(No Transcript)
23
(No Transcript)
24
You're not helping!!!
25
Clean up ALL THE THINGS!!!!
26
Not that hard
  • All
  • The
  • Things

27
If you plan to audit, do that first!
  • Take the site offline
  • Backup ALL THE THINGS
  • Files
  • Databases
  • Logs

28
Update ALL THE software!!!
  • Core software
  • Plugins
  • Themes?
  • Other?

29
Check ALL THE files!!!
  • Does this belong here?
  • Backups help

30
Change ALL THE passwords!!!
  • Set the policy
  • Need more? Use two-factor.

31
Re-install ALL THE THINGS!!!
  • Backups.
  • Re-install.
  • No backups? Can't re-install?
  • Just one line... what? What? WHAT?
  • Magical find

32
find ALL THE insecure permissions!!
  • Permissions issues
  • find /path/ -type d -perm 777 -print
  • better
  • find /path/ -type d -exec chmod 755 {} \; -print
  • alternative
  • find /path/ -type d -perm 777 -exec chmod 755 {} \; -print
  • find /path/ -type f -exec chmod 644 {} \; -print
  • (-perm 777 matches only a mode of exactly 777; a 757 or 767 directory is just as world-writable and slips through, so test for the "others" write bit rather than the exact mode.)
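The find one-liners above as a small script, added here as an example and not taken from the slides or from DreamHost: it tests the "others" write bit instead of the exact mode 777, changes only entries whose mode is actually wrong, and builds a scratch tree containing the usual mistakes to run against. The paths and the demo tree are assumptions for illustration, not a real site.

```shell
#!/bin/sh
# Added example, not from the slides: audit and fix permissions under a web root.
# -perm -o+w tests the "others" write bit, so 757, 767 or 2777 are caught as well
# as a plain 777. Paths and the demo tree below are assumptions for illustration.
set -u

# World-writable directories and files below $1, one path per line.
list_world_writable() {
    find "$1" -type d -perm -o+w -print
    find "$1" -type f -perm -o+w -print
}

# Number of world-writable entries; 0 means the tree is clean.
count_world_writable() {
    list_world_writable "$1" | wc -l | tr -d ' '
}

# Directories to 755, files to 644, but only where the mode differs: chmod
# rewrites the inode change time (ctime), and for files that were already
# correct you want that ctime to still point at the intrusion, not at cleanup.
fix_permissions() {
    find "$1" -type d ! -perm 755 -exec chmod 755 {} \; -print
    find "$1" -type f ! -perm 644 -exec chmod 644 {} \; -print
}

# perm_audit ROOT [fix]: report, optionally repair, then report the remainder.
perm_audit() {
    mode=${2:-report}
    echo "== world-writable entries under $1"
    list_world_writable "$1"
    if [ "$mode" = fix ]; then
        echo "== fixing"
        fix_permissions "$1"
    fi
    echo "== remaining: $(count_world_writable "$1")"
}

# Constructed scratch tree (assumption: a temp dir, never a live site) showing
# the mistakes the slides talk about. Prints its path.
demo_tree() {
    d=$(mktemp -d)
    mkdir -p "$d/wp-content/uploads" "$d/wp-content/cache"
    : > "$d/wp-config.php"
    : > "$d/wp-content/uploads/shell.php"
    chmod 755 "$d" "$d/wp-content"
    chmod 777 "$d/wp-content/uploads"   # the classic "make uploads work" fix
    chmod 757 "$d/wp-content/cache"     # not 777, still world-writable
    chmod 666 "$d/wp-config.php"        # DB credentials writable by anyone
    chmod 644 "$d/wp-content/uploads/shell.php"
    printf '%s\n' "$d"
}
```

Run `perm_audit /path/to/site` to report and `perm_audit /path/to/site fix` to repair. Resetting every directory to 755 assumes the files are owned by the same account PHP runs as; on hosts where the web server is a separate user, wp-content/uploads has to stay writable by that user (group write, not world write) or media uploads will start failing.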

33
find ALL THE backdoors!!!
  • find /path/ -name '*.php' -exec grep -q fingerprint {} \; -print
  • find /path/ -name '*.php' -exec grep -q fingerprint {} \; -exec rm {} \; -print
  • (or use chmod 0 instead of rm: the file is kept as evidence but can no longer be served or executed)
  • find /path/ -name '*.php' -exec grep -q 'all\|the\|things' {} \; -print

34
Destroy ALL THE backdoors!!!
  • find /path/ -name '*.php' -exec \
      grep -q 'FilesMan\|eval(base64_decode(\|eval(gzinflate(' {} \; \
      -exec chmod 0 {} \; -or -exec \
      grep -q '\(base64_decode\)\{10,\}\|\(\\\)\{30,\}' {} \; \
      -exec sed -i.backup '/\(base64_decode\)\{10,\}\|\(\\\)\{30,\}/d' {} \; -print
  • (Files matching the first pattern are quarantined with mode 0; files matching only the second have the offending lines deleted and are printed. sed -i.backup leaves a copy beside the original as name.php.backup, which the web server will serve as plain text: move those out of the document root when you are done.)

35
Spot ALL THE differences!
  • Use diff to compare directories (add -r to descend into them instead of just listing common subdirectories).
  • Works best with backups (or just download a fresh copy of the same WordPress version)
  • diff omgfire.com omgfire.com_lastbackup
  • Only in omgfire.com: this_could_be_a_backdoor.php
  • Common subdirectories: omgfire.com/wp-admin and omgfire.com_lastbackup/wp-admin
  • diff omgfire.com/wp-config.php omgfire.com_lastbackup/wp-config.php
  • 1d0
  • < <?php /* this is a little bit of code changed! */ ?>

36
Pay for ALL THE fixes!!!
  • The good, the bad and the ugly

37
Preventative

38
Server options
  • Firewall
  • mod_security, cloudflare
  • Database
  • Restrict by hostname

39
Site configuration
  • File Monitoring
  • Stop using FTP
  • HTTPS
  • Lock down directory/file permission

40
Wordpress tricks
  • Enable auto-update
  • Don't login as admin
  • Database table prefix
  • Disable PHP/CGI in upload/include directories
  • Plugins!
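"Disable PHP in upload directories" made concrete, as an added example that is not part of the slides: a shell function that writes an .htaccess into wp-content/uploads refusing requests for PHP-like files, plus a check that finds uploads directories still lacking one. It assumes Apache with AllowOverride permitting FilesMatch in that directory; on nginx the equivalent is a location block for the same path, not shown here.

```shell
#!/bin/sh
# Added example, not from the slides: stop PHP from being served or executed out
# of an uploads tree. Assumes Apache with AllowOverride in effect for the
# directory; paths are assumptions for illustration.
set -u

# deny_php_in_uploads DIR: write the rule file. Covers the 2.2 (Order/Deny) and
# 2.4 (Require) syntaxes so the same file works on either generation.
deny_php_in_uploads() {
    dir=$1
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    cat > "$dir/.htaccess" <<'EOF'
# Refuse every PHP-like file in this upload tree: an uploaded "image" that is
# really PHP gets a 403 instead of running.
<FilesMatch "\.(php|php[3-7]|phtml|phar|inc)$">
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</FilesMatch>
# Belt and braces when PHP runs as an Apache module; no effect under php-fpm,
# where the FilesMatch block above does the work.
<IfModule mod_php5.c>
  php_flag engine off
</IfModule>
<IfModule mod_php7.c>
  php_flag engine off
</IfModule>
EOF
    chmod 644 "$dir/.htaccess"
}

# uploads_without_rule ROOT: every directory named "uploads" below ROOT that
# has no .htaccess yet, one path per line (empty output means all covered).
uploads_without_rule() {
    find "$1" -type d -name uploads \
        ! -exec sh -c 'test -f "$1/.htaccess"' _ {} \; -print
}
```

Verify it the way an attacker would: drop a harmless test.php into uploads and request it; the answer must be 403, not the script's output. If the server ignores the file, AllowOverride is off for that path and the same FilesMatch block belongs in the vhost configuration instead.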

41
Security Plugins
Plugin                        Backups  Prevention  Cleanup  Monitoring  Authentication
File Monitor Plus                                           X
VaultPress                    X                             X
Google Auth., Yubikey, etc.                                             X
Exploit Scanner                                    /        X
Backup Buddy                  X
42
Security Services
Service                       Backups  Prevention  Cleanup  Monitoring  Price
Cloudflare                             X                    /           Free-205/month
VaultPress                    X                    /        X           15-350/month
StoptheHacker                                               X           Free-100/month
URLvoid.com, various others                                 X           Free
Sucuri                                             X        X           90-290/month
43
Auditing
44
Who logged in?
  • Via SSH: last
  • Via WordPress: Simple Login Log plugin

45
Digging in with timestamps.
  • ls -la omgfire.com/backdoor.php
  • -rw-rw-r-- 1 user grp 0 Feb 13 21:52 omgfire.com/backdoor.php
  • grep 21:52 logs/omgfire.com/access.log.2012-02-13
  • 123.125.71.31 - - [13/Feb/2012:21:52:53 -0800] "POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-" "Mozilla"
  • (ls shows the modification time by default, and an attacker can backdate that with touch. ls -lc shows the inode change time, which ordinary tools cannot set, so check both before trusting the minute you grep for.)

46
Digging in with HTTP logs
  • awk '{print $7}' access.log | sort | uniq -c | sort -n

47
Digging in with HTTP logs
  • awk '{print $7}' access.log | sort | uniq -c | sort -n
  • 1 /phpMyAdmin-2.2.3/index.php
  • 1 /phpMyAdmin-2.5.5-pl1/index.php
  • 1 /phpMyAdmin-2.5.5/index.php
  • 1 /phpMyAdmin-2.5.6-rc2/index.php
  • 1 /phpMyAdmin/index.php
  • 1 /phpmyadmin1/index.php
  • 1 /pma/index.php
  • 1 /web/phpMyAdmin/index.php
  • 1 /websql/index.php
  • 2 /phpmyadmin/index.php
  • 4 /robots.txt
  • 242 /
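The awk/grep pipelines from slides 45 to 47 as reusable functions, run against a constructed Combined Log Format sample. This is an added example, not from the slides: the log lines are synthetic (RFC 5737 test addresses) and the extra POST filter is an assumption added here. top_paths is the slide's frequency count, requests_at pulls the minute a suspicious file's timestamp points to, and posts_to_wp_content_php lists POSTs made straight to PHP files under wp-content, the pattern behind the slide's hello.php hit.

```shell
#!/bin/sh
# Added example, not from the slides: the slide 45-47 log one-liners as functions,
# run over a constructed access.log in Combined Log Format, where $1 is the client
# IP, $4 the "[dd/Mon/yyyy:HH:MM:SS" timestamp, $6 the quoted method and $7 the path.
set -u

# Constructed sample log (assumption: synthetic lines, documentation IP ranges).
sample_log() {
cat <<'EOF'
203.0.113.5 - - [13/Feb/2012:21:51:10 -0800] "GET / HTTP/1.1" 200 4512 "-" "Mozilla"
203.0.113.5 - - [13/Feb/2012:21:51:11 -0800] "GET /wp-login.php HTTP/1.1" 200 1230 "-" "Mozilla"
198.51.100.9 - - [13/Feb/2012:21:52:03 -0800] "GET /phpMyAdmin/index.php HTTP/1.1" 404 158 "-" "-"
198.51.100.9 - - [13/Feb/2012:21:52:04 -0800] "GET /pma/index.php HTTP/1.1" 404 158 "-" "-"
192.0.2.77 - - [13/Feb/2012:21:52:53 -0800] "POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-" "Mozilla"
192.0.2.77 - - [13/Feb/2012:21:52:58 -0800] "POST /wp-content/uploads/img.php HTTP/1.1" 200 91 "-" "Mozilla"
203.0.113.5 - - [13/Feb/2012:21:55:00 -0800] "GET / HTTP/1.1" 200 4512 "-" "Mozilla"
EOF
}

# Slides 46/47: request paths by frequency, rarest first (scanner probes such as
# the phpMyAdmin guesses bubble to the top, the real site to the bottom).
top_paths() {
    awk '{print $7}' "$1" | sort | uniq -c | sort -n
}

# Slide 45: every request in the HH:MM minute a file's timestamp points at.
# requests_at LOG 21:52
requests_at() {
    awk -v t="$2" 'index($4, ":" t ":") > 0' "$1"
}

# Added filter: POSTs aimed directly at PHP files under wp-content. Uploads and
# plugin directories almost never take POSTs from browsers, so read these first.
posts_to_wp_content_php() {
    awk '$6 == "\"POST" && $7 ~ /^\/wp-content\/.*\.php/ {print $1, $4, $7}' "$1"
}

# Clients by request count, busiest last; pair with requests_at to see what
# else the IP that dropped the backdoor did.
top_clients() {
    awk '{print $1}' "$1" | sort | uniq -c | sort -n
}
```

Typical flow, in the order the slides use it: ls -la on the suspect file gives the minute, requests_at narrows the log to it, the POST line that appears there names the client IP, and top_clients or a plain grep for that IP shows the rest of its session, including the first request that got it in.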

48
Ask your host!
  • You may not be alone.

49
followup
  • Take ownership and post your experience
  • Help the next website owner.

50
Further reading
  • http://codex.wordpress.org/Hardening_WordPress