WordPress Security 2014 - The Basics of Security


Transcript of WordPress Security 2014 - The Basics of Security

Page 1: WordPress Security 2014 - The Basics of Security

It’s all about the Basics!!

WORDPRESS SECURITY

Page 2: WordPress Security 2014 - The Basics of Security

SUCURI # WHOIS PEREZBOX

• Name: Tony Perez

• Twitter: @perezbox

• Company: Sucuri, Inc.

• Insight: Information Technology

• Passion: Brazilian Jiu Jitsu

@PEREZBOX @SUCURI_SECURITY #WCATL

Page 3: WordPress Security 2014 - The Basics of Security


TODAY’S 5 CHALLENGES

• Knowledge / Awareness

• Administration

• Extensibility

• Credentials

• End-users

@PEREZBOX @SUCURI_SECURITY #WCCHX

Page 4: WordPress Security 2014 - The Basics of Security

KNOWLEDGE

Check yourself before you wreck yourself

“The user’s going to pick dancing pigs over security every time.”

- Bruce Schneier

Page 5: WordPress Security 2014 - The Basics of Security

IT’S ABOUT RISK REDUCTION!!!

• Forget the “Why”

  • Why is this happening to me?

• Focus on the “How”

  • How do I protect myself?

Your risk will never be 0%

Page 6: WordPress Security 2014 - The Basics of Security

DEFENSE IN DEPTH

• Layered Defenses

“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”

Page 7: WordPress Security 2014 - The Basics of Security

KNOW THE ENVIRONMENT

LAMP STACK

• Linux

• Apache

• MySQL

• PHP

• This is what it takes to run WordPress

• Each contains its own laundry list of known vulnerabilities

• .org implementations, not .com

Page 8: WordPress Security 2014 - The Basics of Security

REALISTIC ENVIRONMENT

• Linux Operating System

• Apache – WordPress, cPanel, Plesk

• MySQL – myLittleAdmin, phpMyAdmin, etc.

• PHP – Modules

Page 9: WordPress Security 2014 - The Basics of Security

ASK QUESTIONS…

• Host:

  • What happens if I get hacked and you detect it before I do?

  • What backup solution do you offer me?

  • What security protocols do you have in place to protect me?

• Designer / Developer:

  • Are you following all the appropriate coding best practice guidelines found in the codex?

  • Has your code ever been independently reviewed?

  • How will my website be maintained after the project completion?

  • Who will be responsible for updating my theme / plugin / core when the project is complete?

  • Are my files being backed up in the event of a catastrophe?

Page 10: WordPress Security 2014 - The Basics of Security

TODAY’S RELEVANT ATTACK VECTORS

• Access Control

  • Brute Force

• Software Vulnerabilities

  • Vulnerability Scanners

• Denial of Service (DoS)

  • Distributed / Non-Distributed

Page 11: WordPress Security 2014 - The Basics of Security

ACCESS CONTROL

Challenges:

• Access is King for attackers, and website owners make it too easy

• Facilitated through Poor Passwords

• Little Attention to Access Controls

• Applies to all entry points – email, cPanel, FTP / SFTP, etc.

Solutions:

• Two-factor / Multi-Factor Authentication

• IP Whitelisting

• Throttling Access Attempts

Page 12: WordPress Security 2014 - The Basics of Security

SOFTWARE VULNERABILITIES

Challenges:

• Very difficult for non-technical people

• Users refuse to update, some cannot

• Soup Kitchen Servers

• Too many attackers with too much time

• Zero Days

Solutions:

• Website Firewall – SaaS based

• Stay current with the latest vulnerability releases

• Apply updates to the entire stack when available

• Keep only what you need on the server (production)

Page 13: WordPress Security 2014 - The Basics of Security

DENIAL OF SERVICE VS BRUTE FORCE

• Educational Post: http://blog.sucuri.net/2014/03/understanding-denial-of-service-and-brute-force-attacks-wordpress-joomla-drupal-vbulletin.html

• Differentiating Factor = Intent

• Disruption of Services vs Gaining Access

• Both important in their own Right

Headlines pictured on the slide:

“Large Distributed Brute Force WordPress Attack Underway – 40,000 Attacks Per Minute”

“More than 162,000 WordPress Sites Used for Distributed Denial of Service Attack (DDOS)”
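The difference the slide draws is intent, and the same access log shows both: a stream of POSTs to wp-login.php from one client is a brute-force signal whether or not the volume is also a service problem. The following added example (mine, not from the slides or from Sucuri) counts login POSTs per client IP over a few constructed Apache combined-format log lines and reports clients that reach a threshold. The IPs and timestamps are constructed, the threshold of 3 is arbitrary, and counting xmlrpc.php alongside wp-login.php is my assumption.

```shell
#!/bin/sh
# Added example, not from the slides: count POST requests to the login
# endpoints per client IP in an Apache combined-format access log and
# report the clients that reach a threshold. A first brute-force signal
# before deciding on throttling or IP restrictions.

# Constructed sample log lines (documentation-range IPs, invented timestamps).
SAMPLE_LOG='203.0.113.5 - - [11/Apr/2014:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2014:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2014:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3421 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2014:10:00:05 +0000] "GET /wp-login.php HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
198.51.100.7 - - [11/Apr/2014:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [11/Apr/2014:10:00:10 +0000] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
203.0.113.5 - - [11/Apr/2014:10:00:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 400 "-" "Mozilla/5.0"'

# login_attempts LOGFILE THRESHOLD
# Prints "ip count", sorted, for every client whose POSTs to wp-login.php
# or xmlrpc.php (assumed here to be the two password-accepting endpoints)
# total at least THRESHOLD. GET requests only render the login form and
# are not counted.
login_attempts() {
    awk -v thr="$2" '
        # $1 client IP, $6 method with its leading quote, $7 request path
        $6 == "\"POST" && ($7 ~ /^\/wp-login\.php/ || $7 ~ /^\/xmlrpc\.php/) {
            hits[$1]++
        }
        END {
            for (ip in hits)
                if (hits[ip] >= thr) print ip, hits[ip]
        }' "$1" | sort
}

# Stand-alone demo on the constructed lines.
LOGFILE=$(mktemp)
printf '%s\n' "$SAMPLE_LOG" > "$LOGFILE"
echo "Clients with at least 3 login POSTs:"
login_attempts "$LOGFILE" 3
rm -f "$LOGFILE"
```

Run it against a real log with `login_attempts /var/log/apache2/access.log 20` and compare the result with what a plugin such as Limit Login Attempts is blocking; a client that shows up here but never appears in the plugin's block list is usually hitting xmlrpc.php, which most login throttles ignore unless configured for it.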

Page 14: WordPress Security 2014 - The Basics of Security

CONNECTING

• If you don’t need it, disable it

  • SFTP / SSH is preferred

  • FTP works fine – disable it if you’re not using it, don’t talk to me if you are

  • FTP/SFTP != WP-ADMIN

• Least Privilege

  • You don’t have to log in to FTP / SFTP with full root access

  • Everyone doesn’t need to be an admin

  • You don’t need to log in as admin

  • The focus is on the role, not the name of the user

• Accountability – kill generic accounts – who is doing what?

Page 15: WordPress Security 2014 - The Basics of Security

THE PASSWORD GAME

Page 16: WordPress Security 2014 - The Basics of Security

ATTACK TYPE

Targeted:

• Big enterprises with large followings

• Big Name

• Worth investing time and energy to compromise, bigger return

Opportunistic:

• Trolling the web looking for known vulnerabilities

• Ability for mass exposure

• Think “TimThumb”

Page 17: WordPress Security 2014 - The Basics of Security

BRAND REPUTATION

• Blacklisting

• Dirty Search Engine Result Pages (SERP)

Page 18: WordPress Security 2014 - The Basics of Security

THE HOW

Nothing fancy here.. The facts

“Own one Own them All”

Page 19: WordPress Security 2014 - The Basics of Security

TOP SECURITY ISSUES TODAY

• Backdoors

• Injections

• Pharma Hack

• SEO SPAM

• Malicious Redirects

• Defacements

• Form Abuse

• SPAM Emails

• Compromised web servers


Page 20: WordPress Security 2014 - The Basics of Security

THINGS YOU CAN DO TO REDUCE RISK

The Bare Minimum:

1. Kill PHP Execution

2. Disable Theme / Plugin Editing via Admin

3. Connect Securely – SFTP / SSH

4. Use Authentication Keys in wp-config

5. Use Trusted Sources

6. Use a local Antivirus – Yes, Macs need one

7. Verify your permissions - D 755 | F 644

8. Least Privilege

9. Kill generic accounts - Accountability

10. Backup your site – yes, Database too

Ideal implementations:

1. Employ Website Firewall

2. Don’t let WordPress write to itself

3. Filter Access by IP

4. Use a dedicated server / VPS

5. Monitor all Activity (Logging)

6. Enable SSL for transactions

7. Keep environment current (patched)

8. No Soup Kitchen Servers
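The permissions item (D 755 | F 644) is the one on this list you can check mechanically, and "don't let WordPress write to itself" is the same idea from the other side. The added example below (mine, not from the slides) audits a document root against that baseline, lists anything world-writable, and resets the baseline. The sample tree is constructed inside a temporary directory; the allowance for wp-config.php to be 640 or 600 is my assumption, not the slide's.

```shell
#!/bin/sh
# Added example, not from the slides: audit a WordPress document root
# against the slide's baseline (directories 755, files 644), list anything
# world-writable, and reset the baseline. The sample tree is constructed
# below inside a temporary directory; point the functions at a real root.

# perm_violations ROOT
# Prints every directory not exactly 755 and every regular file not
# exactly 644. wp-config.php is allowed to be 640 or 600 (assumption:
# tighter than the baseline is not a finding for the one file holding
# database credentials).
perm_violations() {
    find "$1" -type d ! -perm 755 -print
    find "$1" -type f ! -name wp-config.php ! -perm 644 -print
    find "$1" -type f -name wp-config.php ! -perm 644 ! -perm 640 ! -perm 600 -print
}

# world_writable ROOT
# The worst case on a shared host: anything any local user can modify.
world_writable() {
    find "$1" -perm -002 -print
}

# fix_perms ROOT
# Apply the baseline. wp-config.php is left alone so a deliberately
# tighter mode is not loosened.
fix_perms() {
    find "$1" -type d -exec chmod 755 {} +
    find "$1" -type f ! -name wp-config.php -exec chmod 644 {} +
}

# Stand-alone demo: build a constructed tree, break it, audit it, fix it.
demo=$(mktemp -d)
site="$demo/site"
mkdir -p "$site/wp-content/uploads" "$site/wp-includes"
: > "$site/index.php"
: > "$site/wp-config.php"
: > "$site/wp-content/uploads/img.jpg"
chmod 755 "$site" "$site/wp-content" "$site/wp-content/uploads" "$site/wp-includes"
chmod 644 "$site/index.php" "$site/wp-content/uploads/img.jpg"
chmod 600 "$site/wp-config.php"
chmod 777 "$site/wp-content/uploads"   # constructed problem: world-writable upload dir
chmod 666 "$site/index.php"            # constructed problem: world-writable PHP file
echo "Violations before fix:"
perm_violations "$site"
fix_perms "$site"
echo "Violations after fix: $(perm_violations "$site" | wc -l | tr -d ' ')"
rm -rf "$demo"
```

Run `perm_violations` from cron and mail yourself the output: a file that drifts from 644 between runs is either an admin's shortcut or a sign that something other than you is writing into the tree, which is exactly the "WordPress writing to itself" the ideal list warns about.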

Page 21: WordPress Security 2014 - The Basics of Security

KILL PHP EXECUTION

• The idea is not to let them execute any PHP files. You do so by adding this in an .htaccess file in the directory of choice. Recommendation:

  • WP-INCLUDES

  • UPLOADS

    #PROTECT [Directory Name]
    <Files *.php>
    Deny from all
    </Files>
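The snippet above is Apache 2.2 syntax. The added example below (mine, not the slide's own rule and not Sucuri code) writes the rule into a directory's .htaccess once and checks for it, keeping the slide's "Deny from all" for 2.2 and adding the Apache 2.4 "Require all denied" form beside it inside IfModule blocks, because on 2.4 without mod_access_compat a bare "Deny from all" in .htaccess is an unknown directive and the directory answers 500 instead of 403. The directory paths are whatever you pass in; the demo directory is constructed.

```shell
#!/bin/sh
# Added example, not from the slides: drop the slide's "no PHP here" rule
# into a directory's .htaccess and verify it. Directory paths come from
# the caller; the slide recommends wp-includes and wp-content/uploads.

# write_php_deny DIR
# Appends the rule once. The slide's Apache 2.2 "Deny from all" is kept,
# wrapped so it only applies where mod_authz_core (Apache 2.4) is absent,
# and the 2.4 equivalent "Require all denied" sits beside it.
write_php_deny() {
    dir="$1"
    ht="$dir/.htaccess"
    [ -d "$dir" ] || { echo "no such directory: $dir" >&2; return 1; }
    if [ -f "$ht" ] && grep -q '^#PROTECT' "$ht"; then
        echo "already protected: $dir"
        return 0
    fi
    cat >> "$ht" <<'EOF'
#PROTECT this directory: never serve PHP from here
<Files *.php>
    <IfModule mod_authz_core.c>
        Require all denied
    </IfModule>
    <IfModule !mod_authz_core.c>
        Order allow,deny
        Deny from all
    </IfModule>
</Files>
EOF
    echo "protected: $dir"
}

# php_deny_present DIR
# Prints yes when both forms of the rule are in DIR/.htaccess, else no.
php_deny_present() {
    if [ -f "$1/.htaccess" ] && grep -q 'Require all denied' "$1/.htaccess" \
        && grep -q 'Deny from all' "$1/.htaccess"; then
        echo yes
    else
        echo no
    fi
}

# Stand-alone demo on a constructed directory.
demo=$(mktemp -d)
mkdir -p "$demo/uploads"
write_php_deny "$demo/uploads"
write_php_deny "$demo/uploads"    # second call is a no-op
echo "uploads protected: $(php_deny_present "$demo/uploads")"
rm -rf "$demo"
```

Two checks after applying it: request a known PHP file in the protected directory over HTTP and confirm a 403 rather than a 500 (a 500 means the server is on 2.4 and saw the 2.2 directive unwrapped), and open the post editor after protecting wp-includes, since older WordPress releases load TinyMCE through a PHP file under wp-includes/js/tinymce directly from the browser.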

Page 22: WordPress Security 2014 - The Basics of Security

DISABLE PLUGIN/THEME EDITOR

• Add to wp-config – if a user is compromised they won’t be able to add anything to the core theme or plugin files.

    // Disable Plugin / Theme Editor
    define('DISALLOW_FILE_EDIT', true);
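The setting has to be in wp-config.php before wp-settings.php is required, which is what the "stop editing" comment in the stock file marks. The added example below (mine, not from the slides) inserts the define above that marker from the shell, once, and reports whether it is set; the wp-config.php it operates on in the demo is a constructed stub containing only the marker and a require line.

```shell
#!/bin/sh
# Added example, not from the slides: set DISALLOW_FILE_EDIT in
# wp-config.php from the shell, once, and report whether it is set.
# The wp-config.php used in the demo is a constructed stub.

# has_file_edit_disabled CONFIG
# Prints yes when an active define('DISALLOW_FILE_EDIT', true) line is
# present. The leading anchor skips lines commented out with //;
# a /* */ block comment around the line would still fool it.
has_file_edit_disabled() {
    if grep -Eiq "^[[:space:]]*define\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)" "$1"; then
        echo yes
    else
        echo no
    fi
}

# disable_file_edit CONFIG
# Inserts the define directly above the "stop editing" marker so it is
# defined before wp-settings.php is required. Refuses if the marker is
# missing rather than guessing where the file's logic starts.
disable_file_edit() {
    cfg="$1"
    [ -f "$cfg" ] || { echo "missing: $cfg" >&2; return 1; }
    if [ "$(has_file_edit_disabled "$cfg")" = yes ]; then
        echo "already set in $cfg"
        return 0
    fi
    grep -q 'stop editing' "$cfg" || { echo "no stop-editing marker in $cfg" >&2; return 1; }
    line="define('DISALLOW_FILE_EDIT', true); // Disable plugin / theme editor"
    awk -v l="$line" '/stop editing/ && !done { print l; done = 1 } { print }' "$cfg" > "$cfg.tmp" \
        && mv "$cfg.tmp" "$cfg"
    echo "set in $cfg"
}

# Stand-alone demo on a constructed wp-config.php stub.
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
<?php
define('DB_NAME', 'wordpress');
/* That's all, stop editing! Happy blogging. */
require_once ABSPATH . 'wp-settings.php';
EOF
echo "before: $(has_file_edit_disabled "$cfg")"
disable_file_edit "$cfg"
disable_file_edit "$cfg"    # second call is a no-op
echo "after: $(has_file_edit_disabled "$cfg")"
cat "$cfg"
rm -f "$cfg"
```

Verify from the dashboard afterwards: Appearance > Editor and Plugins > Editor should be gone. If a plugin or theme still shows up as editable, the define is either below the require line or inside a comment, and `has_file_edit_disabled` will tell you which.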

Page 23: WordPress Security 2014 - The Basics of Security

SECURITY CONFIGURATIONS

My Setup:

• Detection – Monitoring / Remediation

• Protection – Website Firewall

• Auditing – Sucuri Premium Plugin

• BackupBuddy

Alternatives:

• Limit Login Attempts

• BackupBuddy

• Akismet

• Better WP Security

• WP Security Audit Log

• Google Authenticator

• WordFence

Read about how I set things up here:

http://wpengine.com/2013/04/24/how-tony-perez-of-sucuri-sets-up-his-own-security/

Page 24: WordPress Security 2014 - The Basics of Security

IMPORTANT SERVICES (PAID)

• Managed Hosting

  • WPEngine - http://wpengine.com/

  • Page.ly - http://page.ly/

  • WebSynthesis - http://websynthesis.com/

• Maintenance Services

  • Maintainn - http://maintainn.com/

• Security

  • Sucuri – http://sucuri.net

Page 25: WordPress Security 2014 - The Basics of Security

KNOW WHERE TO GO

Support Forums:

• Hacked – http://wordpress.org/tags/hacked

• Malware – http://wordpress.org/tags/malware

• BadwareBusters – https://badwarebusters.org

Online Resources:

• Sucuri Blog: http://blog.sucuri.net

• SiteCheck Scanner: http://sitecheck.sucuri.net

• Unmask Parasites: http://unmaskparasites.com

• Secunia Security Advisories: http://secunia.com/community/advisories/search/?search=wordpress

• WordPress Hardening – http://codex.wordpress.org/Hardening_WordPress

Page 26: WordPress Security 2014 - The Basics of Security

BLACKLIST SOURCES

• Google

  • Search Engine Results Page (SERP)

  • http://www.google.com/webmaster/tools

  • http://www.google.com/safebrowsing/diagnostic?site=[your site]

• Bing

  • Internet Explorer | Yahoo

  • http://www.bing.com/toolbox/webmaster/

• Norton

  • SafeWeb Browsing | Facebook

  • http://safeweb.norton.com/

• AVG

  • Opera

  • http://www.avgthreatlabs.com/sitereports/

Page 27: WordPress Security 2014 - The Basics of Security

Sucuri, Inc.

Tony Perez

http://sucuri.net

http://blog.sucuri.net

http://perezbox.com | @perezbox