WordPress Security 101++

Introduction

WelcomeI want so show security is easy, I'm giving out the keys to the castle and want everyone to be able to do this.

Break down

Security basics

Attacker motives

Clean up

Prevention

Auditing!

Security Concepts

Know your attacker

Cleanup

Prevention

Auditing

whoami

Robert Rowley

Security guyWebsites, Server, Social Engineering, Mobile

DreamHost security one size fits all person

Robert R Silly acronyms like CISSP10ish years experience in multiple arenas of security (mobile, websites, administration, networking)Customer facing security concerns at Dreamhost.

DreamHost

1million+ websites

Huge WordPress install base.

Goes beyond wordpress, but we see it all and monitor it, which makes for a great conversation piece!

YOU!

Security core concepts

It is easy

It's all about how easy security is. Everything goes back to the core concepts so lets get into that!

Security core concepts

Backups

Passwords

Updates

Monitoring

Backups, password (policy) mgmnt, updating software, monitor

Backups

Keep them regularly

Keep them secure and off site

Keep them often, keep them secure. Check them regularly.Do not presume anyone is keeping backups, be certain.

Passwords

Easy!Passphrase alphanumeric and other characters

Better!Two factor.

Did you lock your car here? Who is at fault if it's broken into (that's right , the burglar!) Choosing good passwords isn't about if you can remember the password to login, it's about policy. Do you feel it's necessary to have a unique password that will stop someone from getting into your site/FTP (if not? Just set it to abc123, password, or secret)More on policy, you have to think about where you can log in to your site's admin pages (is this network secure/safe? Back to car analogy regarding where you park it)Many of the remainder of the topics in this talk actually come down to this type of decision. For example lets think of backups as how important is it that you have a copy of your site's data if it's lost? Your answer is what you base your backup policies on!

Updates

Automate if possible.

On the first day it's already too late.

Following right on in from passwords and policies. The longer you leave a site at the last security update, the longer you're exposing the domain to an attack. If there is a critical security update in the patch, then you need to upgarde ASAP (unless your site is not on the internet)Why ASAP? I'll show some graphs, but in the infamous words of MC Frontalot, it's already too late.

Monitoring

Prevent the attack from going unnoticed.

It's really a stop-gap concept.It's already too late.Sooner the better for incident response.You need to know ASAP about these events to be able to take action.

The bad guys

Knowing what you're up against is important! Knowing is half the battle!

Common threats

Low hanging fruit

Ties back in to best practices

Review monitored logs of attacks

Attacker motivation

Commonly seen activity

Fruit?

Low hanging fruit

It's well known attackers go for the easy target.No matter how much you think i'm too small to be targetted it's not about that, every website is a possible target if not for anything more than to act as a small part in a bigger attack (add another bot to the pile!).

Bots!

It's all automated (well mostly, but those are more unique cases)Bots hit sites every day, I know this because I monitor them, and unless there is an ritlain fueled obsessive compulsive freak of a person out there doing the same repetative attacks on tens of thousands of sites a date then these are bots.

Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why?

Attacker motivation

Why? Why? Why? Why? Why? Why? Why? Why? Why? Why? Why?Why? Why? Why? Why? Why? Why? Why?Why? Why? Why?

WHY?

You may ask yourself, why?

$ $ $ $ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $$ $ $ $ $ $ $ $ $ $$ $ $ $ $ $ $ $ $ $$ $ $ $ $ $ $ $ $ $ $ $ $ $ $ $

Attacker motivation

$

MoneyThis is just the majority of attacks we see, which are connected to cyber criminal gangs. There are alternatives such as anonymous (who do it for awareness/causes) and cough governments (for espionage) but the vast majority is just gangs who want money.

How?

Software vulnerabilities Arbitrary file uploads, Code execution, LFI/RFI SQLi

Password compromiseSpyware/Brute force

Host based attacksAre you on a shared host? (cloud?)

Arbitrary file uploads (upload backdoors)Code execution (backdoor access)Password compromise (they can do what you can do)LFI/RFI (backdoors)SQLi (get your Dbs)

Show your work!

How does a compromised site equal profit?

Phishing (Identity theft)

BlackHat SEO (Affiliate services efraud)

Traffic Theft (Malware)

Spam (All of the above)

Backdoor installations (All of the above)

Phishing (Identity theft)BlackHat SEO (Affiliate services efrauding)Traffic Theft (Malware)Spam (All of the above)Backdoor installations (All of the above)

Graphs

DreamHost attack logs

Actual traffic from 8/20/2011 02/16/2012

This is not to say the software listed is any less secure (each has patched the vulnerability)These are attempts, not successesAll attacks were blocked

Graph: zenCart

zencart

e107

Lets call this rimrum.phpNot part of wordpress core

You're not helping!!!

OK lets get into some important steps in a cleanup.

Clean up ALL THE THINGS!!!!

Check for changes in files/db/logins (back to best practices)

Check for upgrades

Passowrd security

It's easy , unless you weren't paying attention, then it's certainly far moer difficult!

Services (my god ...)

DIY. My god it's only one line!

Not that hard

All

The

Things

If you plan to audit, do that first!

Take the site offline

Backup ALL THE THINGS:Files

Databases

Logs

Why? Quarantine so the attackers can do no further harm. (to your visitors or your site)

Update ALL THE software!!!

Core software

Plugins

Themes?

Other?

Before you put things back online

Check ALL THE files!!!

Does this belong here?

Backups help

Again before you put things back online

Change ALL THE passwords!!!

Set the policy

Need more? Use two-factor.

If someone had the key to your front door, would you not change it?

Re-install ALL THE THINGS!!!

Backups.

Re-install.

No backups? Can't re-install?Just one line . what? What? WHAT?

Magical find

Shwo the find one-linerNote WP's built in file integrity rebuilder

find ALL THE insecure permissions!!

Permissions issues:find /path/ -type d -perm 777 -printbetter:find /path/ -type d -exec chmod 755 {} \; -printalternative:find /path/ -type d -perm 777 -exec chmod 755 {} \; -print

find /path/ -type f -exec chmod 644 {} \; -print

Directories and file permissions

find ALL THE backdoors!!!

find /path/ -name *php -exec grep fingerprint {} \; -print

find /path/ -name *php -exec grep fingerprint {} \; -exec rm {} \; -print (or use chmod 0 {} instead of rm {} )

find /path/ -name *php -exec grep all\|the\|things {} \; -print

Backdoors! Bah!

Destroy ALL THE backdoors!!!

find /path/ -name *php -exec \grep FilesMan\|eval(base64_decode(\|eval(gzinflate( {} \; \

-exec chmod 0 {} \; -or -exec \

grep \(base64_decode\)\{10,\}\|\(\\\)\{30,\} {} \; \

-exec sed -i.backup /\(base64_decode\)\{10,\}\|\(\\\)\{30,\}/d {} \; -print

Shwo the find one-linerNote WP's built in file integrity rebuilder

Spot ALL THE differences!

Use diff to compare directories.

Works best with backups (or just download WP)

$ diff omgfire.com omgfire.com_lastbackupOnly in omgfire.com: this_could_be_a_backdoor.phpCommon subdirectories: omgfire.com/wp-admin and omgfire.com_lastbackup/wp-admindiff omgfire.com/wp-config.php omgfire.com_lastbackup/wp-config.php1d0<

Pay for ALL THE fixes!!!

The good, the bad and the ugly

Good companies that release fixes for free, work with hosting providres, never play the blame game.Bad companies that have no contributions to security community, high costs.Ugly high costs, blame game posts in their blog! Charlatans (snakeoil) how will they interact with you as a customer if they openly berate people on their blog?

Preventative

Server side

Site side

Wordpress specific tricks

Review

Server options

Firewall mod_security, cloudflare

Database Restrict by hostname

permissions, firewalls (mod_sec, cloudflare, htaccess)Database server (hostname access)

Site configuration

File Monitoring

Stop using FTP

HTTPS

Lock down directory/file permission

Monitor with rsync/git/svn on your backup serverStop using FTP!Https (who logged in today using the open wifi?)Permissions, always important.

Wordpress tricks

Enable auto-update

Don't login as admin

Database table prefix

Disable PHP/CGI in upload/include directories

Plugins!

Https logins, or two factorAdmin, don't make your login name guessableTable prefixes help but don't prevent SQLiIf you're uploading images, why would you execute them as PHP?How many plugins and themes do you have installed that are not in use?

Security Plugins

BackupsPreventionCleanupMonitoring Authentication

File Monitor plusXVaultPressXXGoogle Auth.YubikeyEtc...X

Exploit Scanner

/XBackup BuddyX

There are a lot of options, just search for security in the plugins reposatory. Be warned, many end up unmaintained.Some claim to cover everything, but none cover all of your needs.

Security Services

BackupsPreventionCleanupMonitoringPrice

CloudflareX/Free-20+5/month

VaultPressX/X15-350/month

StoptheHackerXFree-100+/month

URLvoid.comVarious othersXFree

SucuriXX90-290/month

List/graphCloudflare, vaultpress, sitemonitor, stopthehacker, sucuri

Anyone in the audience from these services? make checks payable to... or talk with them after.

Auditing

Most of these will be techniques I will quickly cover that are all handled via SSHSoryr, advanced topic. I can go over details in person.

Who logged in?

Via SSH: last

Via WordPress: simple login log plugin

Not supported with WP panelUse last command via SSH, this will verify if it was a SSH/FTP password compromise.

Digging in with timestamps.

$ ls -la omgfire.com/backdoor.php -rw-rw-r-- 1 user grp 0 Feb 13 21:52 omgfire.com/backdoor.php$ grep 21:52: logs/omgfire.com/access.log.2012-02-13123.125.71.31 - - [13/Feb/2012:21:52:53 -0800] "POST /wp-content/plugins/hello.php HTTP/1.1" 200 158 "-" "Mozilla"

Tiemstamp coorealation with file creations, logs, etc...Note the POST request shady!

Digging in with HTTP logs

$ awk '{print $7}' access.log | sort | uniq -c | sort -n

Awk/grep/sort madness!

Digging in with HTTP logs

$ awk '{print $7}' access.log | sort | uniq -c | sort -n 1 /phpMyAdmin-2.2.3/index.php 1 /phpMyAdmin-2.5.5-pl1/index.php 1 /phpMyAdmin-2.5.5/index.php 1 /phpMyAdmin-2.5.6-rc2/index.php 1 /phpMyAdmin/index.php 1 /phpmyadmin1/index.php 1 /pma/index.php 1 /web/phpMyAdmin/index.php 1 /websql/index.php 2 /phpmyadmin/index.php 4 /robots.txt 242 /

Awk/grep/sort madness!

Ask your host!

You may not be alone.

It doesn't hurt to ask, and it's entirely possible they are familiar with that specific type of attack.

followup

Take ownership and post your experience

Help the next website owner.

Do not be ashamed to post about your site being compromised, if anything it may help. Help not only you, your visitors, but the next webmaster that sees a similar attack against their site. Build a network of individual site owners who are all actively reporting these compormises, will be paying it forward.

Further reading

http://codex.wordpress.org/Hardening_WordPress

No seriously, wordpress and automattic take security seriouesly. Following the steps in this URL which is well written will show you specific details on what to do. I just didn't want to waste time talking about only what's on this URL.