The moment my site got hacked - WordCamp Sofia


Transcript of The moment my site got hacked - WordCamp Sofia

CODEKITCHEN AT: WORDCAMP SOFIA 2015

Marko Heijnen presents

The moment my site got hacked

0. The Story

I have set things up

Hardening WordPress

Difficult password

VPN access is required for admins to login

Files can’t be changed by PHP

define('DISALLOW_FILE_MODS', true);

Renamed wp-content folder

Other positive effects

PHP FPM with Opcache requires restart

WordPress Network install

A lot of functionality is custom written

And then it’s all for having things up-to-date

Normally I keep everything up-to-date

But one plugin slipped my attention

It all started with an internal e-mail at my job

I start checking to see if I can reproduce it

😱😱😱

1. Shock & Denial

Checking the log files showed how they managed it

Checking the log files showed the failed

202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"

202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"

202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
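Added detection example, not part of the talk: it parses access-log lines in the format shown above and flags an IP that sends a POST with an upload-style query string and then fetches a .php file shortly afterwards (the combined log layout, the trailing field and the 60-second window are assumptions; the sample lines are constructed from the three requests on the slide).

```python
import re
from collections import defaultdict
from datetime import datetime

# Assumed layout: combined log format plus one trailing quoted field (as on the slide).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \d+ "[^"]*" "(?P<ua>[^"]*)"'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: the three requests from the talk, user agent shortened.
SAMPLE = """\
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0" "-"
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0" "-"
202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0" "-"
"""

def parse(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec

def find_upload_then_php(lines, window_s=60):
    """Return (ip, post_path, php_path, status) for every .php GET that follows
    an upload-style POST from the same IP within window_s seconds."""
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse(line)
        if rec:
            by_ip[rec["ip"]].append(rec)
    hits = []
    for ip, recs in by_ip.items():
        posts = [r for r in recs if r["method"] == "POST" and "upload" in r["path"].lower()]
        for p in posts:
            for r in recs:
                if r["method"] == "GET" and r["path"].split("?")[0].endswith(".php"):
                    delta = (r["ts"] - p["ts"]).total_seconds()
                    if 0 <= delta <= window_s:
                        hits.append((ip, p["path"], r["path"], r["status"]))
    return hits

if __name__ == "__main__":
    for hit in find_upload_then_php(SAMPLE.splitlines()):
        print(hit)
```

The second hit shows the 301 from the renamed wp-content folder turning into a 404, which is the trace a reader of the log should look for.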

2. Anger

Having that stupid rewrite

Why didn’t I update my plugins?

Why didn’t I have any protection for this in place?

3. Understanding

Where do I need to fix it

Is it something a host could have prevented

Why was someone trying to hack my site

Where do you protect

Protection flow

Server (DDOS / rate limits / login attempts)

App / Site (App specific security / support)

Network (DDOS protection)

4. Working Through

Start fixing things

Check the upload directory for more PHP files

Don’t allow PHP to be ever executed inside uploads

Update all plugins

See if everything still is untouched

I was lucky I have git but what about you?

Checksum checker

Not for WordPress core but for your plugins and themes

wpcentral.io/api/checksums/plugin/tabify-edit-screen/0.8.3

Checks the hash of your files with hashes of the original

How to prevent things like this happening again?

Application firewall

Something that actively protects you against vulnerabilities such as cross-site scripting (XSS) and SQL injection

Sucuri or CloudFlare as a service

NinjaFirewall as a plugin

Currently I’m using modSecurity

Now looking at the rule sets of owasp.org

How to detect if it happens

Built a custom tool

List of all sites

General overview of a site

Security checks for the site

List of all servers

5. Acceptance & Hope

Things I learned from this

It can happen to anyone

Things I learned

Read the log files more often

Don’t expect plugin developers to announce publicly that they have or had security issues

Work proactively on securing my site

Check out the latest and greatest tools for securing and checking your sites

Last but not least: Some questions for you

Some questions for you

What do you do yourself?

How well is your wp-login.php protected?

What does your host do to protect you?

Did you harden your site?

How secure are your backups?

Do you know what people are trying to do to your site?

Marko Heijnen

Founder of CodeKitchen

Ex-lead developer of GlotPress

Core contributor for WordPress

Organizer for WordCamp Belgrade

Thank you for listening

Questions?