Website Security - It Begins With Good Posture

It Starts With Good Posture Website Security (WordPress)

Upload: tony-perez

Post on 08-May-2015


TRANSCRIPT

Page 1: Website Security - It Begins With Good Posture

It Starts With Good Posture

Website Security (WordPress)

Page 2: Website Security - It Begins With Good Posture

04/11/2023

@PEREZBOX

• Sucuri, Inc.
  – @sucuri_security
  – @sucurisupport
  – @sucurilabs
  – @perezbox

• Specialization:
  – Website Security
  – Incident Handling

• Special Interests:
  – Brazilian Jiu-Jitsu

Tony Perez | @perezbox | @sucuri_security 2

Page 3: Website Security - It Begins With Good Posture


• Website Security Company

• Global Operations

• Platform Agnostic (e.g., WordPress, Joomla, etc.)

• Scan 2M Unique Domains a Month

• Block 4M web attacks a Month

• Remediate 400 – 500 websites a day

• Signature / Heuristic Based

• 24/7 operations

Page 4: Website Security - It Begins With Good Posture

Statistics

Page 5: Website Security - It Begins With Good Posture

Anatomy of Malicious Websites

[Chart: Malicious Websites / Legitimate Websites, 85%]

Page 6: Website Security - It Begins With Good Posture

Legitimate Websites

[Chart: Not-Exploitable / Exploitable, 77%]

1 in 8 - Critical Vulnerability

Page 7: Website Security - It Begins With Good Posture

Hacks Affecting Users

Page 8: Website Security - It Begins With Good Posture

Top 4 Symptoms

• Malicious Redirects (i.e., abuse your traffic)
• Backdoors (i.e., Bypass Access Controls)
• Phishing (e.g., Spear Phishing Campaigns)
• Search Engine Poisoning (e.g., Pharma, etc.)

… Obviously many more, but these are the most prevalent …

Page 9: Website Security - It Begins With Good Posture

@perezbox | @sucuri_security

Malicious Redirect

Page 10: Website Security - It Begins With Good Posture

Malicious Redirects

• Easy / Medium to Detect
  – Be mindful of conditionals

• Looking for Integrity Issues
  – Has something been modified?

• Common location[s]:
  – .htaccess
  – index.php
  – footer.php
  – header.php

• Biggest Issue
  – Redirectors are becoming highly complex
  – Employing heavy conditional elements

Page 11: Website Security - It Begins With Good Posture


Phishing

Page 12: Website Security - It Begins With Good Posture

Phishing, cont’d

• Difficult to Detect Remotely

• Looking for Integrity Issues
  – Is something somewhere it doesn’t belong?

• Common location[s]:
  – wp-includes
  – Theme Directories

• Biggest Issue
  – It can be anywhere
  – Fully contained

Page 13: Website Security - It Begins With Good Posture


Backdoors

Page 14: Website Security - It Begins With Good Posture

Backdoors, cont’d

• Can’t detect remotely, only locally

• Looking for Integrity Issues
  – Is something somewhere it doesn’t belong?

• Common location[s]:
  – wp-includes
  – Root Directory

• Biggest Issue
  – Allows attacker to bypass your access controls
  – Provides full control of the environment

• Common terms:
  – is_bot
  – eval
  – base64_decode
  – fopen
  – fclose
  – readfile
  – edoced_46esab
  – exec
  – system
  – shell_exec
  – gzuncompress
  – popen
  – FilesMan

grep -RPl --include='*.php' "(system|exec|passthru|shell_exec|base64_decode|eval) *\(" /var/www
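Added example, not part of the original slides: the same kind of search extended to rank files by hit count across the term list above, including the reversed `edoced_46esab` marker. The function name `rank_suspicious_php` is hypothetical, and GNU grep is assumed.

```shell
#!/bin/sh
# Added example: rank PHP files by how many lines contain the slide's
# "common terms". Hits are leads for manual review, not verdicts: WordPress
# core and plugins legitimately call several of these functions.

# Function names: counted only when used as a call, i.e. followed by "(".
CALL_TERMS='eval|base64_decode|gzuncompress|exec|system|shell_exec|passthru|popen|fopen|readfile'
# Marker strings: counted anywhere on a line (edoced_46esab is base64_decode
# reversed, which hides the name from a plain search).
MARKERS='edoced_46esab|FilesMan|is_bot'

# rank_suspicious_php DIR  ->  "COUNT<TAB>PATH" lines, highest count first
rank_suspicious_php() {
    dir=${1:-.}
    tab=$(printf '\t')
    # -r recurse, -i ignore case (PHP function names are case-insensitive),
    # -E extended regex, -c print "path:count" for every file searched.
    # The leading group keeps curl_exec( from counting as exec(.
    grep -riEc --include='*.php' --include='*.phtml' \
        "(^|[^A-Za-z0-9_])(${CALL_TERMS})[[:space:]]*\(|${MARKERS}" "$dir" |
    awk -F: '$NF > 0 { n = $NF; sub(/:[0-9]+$/, ""); print n "\t" $0 }' |
    sort -t "$tab" -k1,1nr -k2,2
}

# Usage: rank_suspicious_php /var/www
```
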

Page 15: Website Security - It Begins With Good Posture


Example of Complexity

Page 16: Website Security - It Begins With Good Posture


Search Engine Poisoning

Page 17: Website Security - It Begins With Good Posture

Search Engine Poisoning, cont’d

• Targets Search Engines (e.g., Google, Bing, Yahoo)

• Looking for Integrity Issues
  – Have your posts / pages been modified?

• Common location[s]:
  – index.php (root, theme, plugins, etc.)
  – header.php
  – footer.php
  – Embedded in Database (Posts / Pages)

• Biggest Issue
  – Continues to evolve
  – Highly conditional
  – Not within visible range – often offscreen

Page 18: Website Security - It Begins With Good Posture

Indicators of a Hack

Search Engines have gotten pretty good at detecting issues – Google blacklists over 10 thousand websites a day.

Page 19: Website Security - It Begins With Good Posture


Anatomy of Attacks

Page 20: Website Security - It Begins With Good Posture

Phase of an Attack

Recon Identify Attack Decisions Sustain

Use for malware? Part of a zombie network? Data breach?

What kind of website do you have?

Page 21: Website Security - It Begins With Good Posture


Automated Attacks

WP-ADMIN

Themes / Plugins Payload


Exploiting Access Control

Page 22: Website Security - It Begins With Good Posture


Distribution Mechanism

Malicious Links

Social Media

Email Links Website

Text Messages

Page 23: Website Security - It Begins With Good Posture

There’s a Tool for that

• Malware as a Service (MaaS)
  – Yes, pay someone to hack for you

• Different tools to break in and generate payloads
  – Brute force and vulnerability exploits
  – Malware Payloads

Page 24: Website Security - It Begins With Good Posture

Why?

Page 25: Website Security - It Begins With Good Posture

Happening To Everyone

Page 26: Website Security - It Begins With Good Posture

It’s About Posture

Page 27: Website Security - It Begins With Good Posture

Begins with Posture


Posture

Risk

“Risk will never be zero, but it can be reduced”

Page 28: Website Security - It Begins With Good Posture


It’s About Good Posture


Security Posture

Principles

Access

Vulnerabilities

Page 29: Website Security - It Begins With Good Posture


Layered Defenses


Protection Auditing

Detection Sustainment

Page 30: Website Security - It Begins With Good Posture


Defense in Depth

“…a concept in which multiple layers of security controls (defenses) are placed throughout an information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”

Page 31: Website Security - It Begins With Good Posture

Access – P@ssw0rd

• Passwords

Complex – Long – Unique

Page 32: Website Security - It Begins With Good Posture

Enforce Strong Credentials

Page 33: Website Security - It Begins With Good Posture

Auditing (Monitor Activity)

Page 34: Website Security - It Begins With Good Posture

Auditing Questions

Tony Perez | @perezbox | @sucuri_security | #JoomlaDayAtlanta 34

• Understand what is going on at all times
  – Who is logging in?
  – Who is trying to log in?
  – What files are changing?
  – Has a post been created?
  – Has a page been created?
  – Are there any integrity issues?
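Added example, not part of the original slides: one way to answer "What files are changing?" and the integrity questions raised on the earlier symptom slides, using a hash baseline. The function names `make_baseline` and `check_integrity` are hypothetical, and GNU coreutils `sha256sum` is assumed.

```shell
#!/bin/sh
# Added example: answer "What files are changing?" with a SHA-256 baseline.
# Assumes GNU coreutils sha256sum. Keep the manifest outside the web root
# (ideally off the server) so whoever can write to the site cannot also
# rewrite the baseline.

# make_baseline SITE_DIR MANIFEST : one "hash  ./path" line per file
make_baseline() {
    ( cd "$1" && find . -type f -exec sha256sum {} + | LC_ALL=C sort -k2 ) > "$2"
}

# check_integrity SITE_DIR MANIFEST : prints ADDED / MODIFIED / REMOVED lines.
# Returns 0 if the tree matches the baseline, 1 if it differs, 2 on error.
check_integrity() {
    now=$(mktemp) || return 2
    make_baseline "$1" "$now" || { rm -f "$now"; return 2; }
    report=$(awk '
        # Split "hash  path" by hand so paths containing spaces survive.
        { h = $1; p = $0; sub(/^[^ ]+  /, "", p) }
        FILENAME == ARGV[1] { old[p] = h; next }
        { seen[p] = 1 }
        !(p in old)         { print "ADDED    " p; next }
        old[p] != h         { print "MODIFIED " p }
        END { for (q in old) if (!(q in seen)) print "REMOVED  " q }
    ' "$2" "$now" | LC_ALL=C sort)
    rm -f "$now"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}
```

Run `make_baseline` right after a known-good deploy or update, then schedule `check_integrity` and alert on a non-zero exit.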

Page 35: Website Security - It Begins With Good Posture


Principle of Least Privilege

“requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.”

Page 36: Website Security - It Begins With Good Posture

Understand Your Roles

Page 37: Website Security - It Begins With Good Posture

Hardening – Kill PHP

PHP Execution, disable it:

/wp-includes
/wp-content
  ▪ /themes
  ▪ /plugins
  ▪ /uploads

<Files *.php>
Deny from all
</Files>
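Added example, not part of the original slides: a shell helper that writes the deny block above into each listed directory's `.htaccess` once, in a form that also works on Apache 2.4, where `Deny from all` needs mod_access_compat and `Require all denied` is the native directive. The function names and marker comments are hypothetical; Apache with `AllowOverride` permitting these directives is assumed.

```shell
#!/bin/sh
# Added example: drop the slide's <Files *.php> deny block into a directory's
# .htaccess, idempotently, in a form that works on Apache 2.2 and 2.4.
# The marker comments are this example's own convention (an assumption).
BEGIN_MARK='# BEGIN deny-php (added example)'
END_MARK='# END deny-php (added example)'

# deny_php DIR... : append the block to DIR/.htaccess unless already present
deny_php() {
    for d in "$@"; do
        [ -d "$d" ] || { echo "skip: $d is not a directory" >&2; continue; }
        f=$d/.htaccess
        if [ -f "$f" ] && grep -qxF "$BEGIN_MARK" "$f"; then
            continue                      # already hardened, leave file alone
        fi
        # Existing rules in the file are kept; the block is appended.
        cat >> "$f" <<EOF
$BEGIN_MARK
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Deny from all
  </IfModule>
</Files>
$END_MARK
EOF
    done
}

# php_denied DIR : succeeds only if DIR/.htaccess carries the block
php_denied() {
    [ -f "$1/.htaccess" ] && grep -qxF "$BEGIN_MARK" "$1/.htaccess"
}
```

After deploying, request a harmless test `.php` file in the directory and confirm the server answers 403; servers that ignore `.htaccess` (nginx, or Apache with `AllowOverride None`) need the equivalent rule in the main configuration.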

Page 38: Website Security - It Begins With Good Posture


Disable Plugin / Theme Editor

• WP-CONFIG File Modification

# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);

Page 39: Website Security - It Begins With Good Posture

Brute Force Attacks

Page 40: Website Security - It Begins With Good Posture

Backups – It’s Your Safety Net

Page 41: Website Security - It Begins With Good Posture

Software Vulnerabilities

• Stay current with the latest vulnerabilities:
  – Secure - http://wordpress.org/plugins/secure/

Page 42: Website Security - It Begins With Good Posture

Stay Current (Update)

Page 43: Website Security - It Begins With Good Posture

Website Firewalls


• Stay ahead of Software Vulnerabilities

Page 44: Website Security - It Begins With Good Posture


Ensure Integrity of Connection


• https://www.getcloak.com/ | @getcloak

Page 45: Website Security - It Begins With Good Posture


Google Webmaster

Page 46: Website Security - It Begins With Good Posture

Simple Steps to Reduce Risk

Ideal implementations:

1. Employ Website Firewall
2. Don’t let WordPress write to itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current (patched)
8. No Soup Kitchen Servers

The Bare Minimum:

1. Connect Securely – SFTP / SSH
2. Authentication Keys / wp-config
3. Use Trusted Sources
4. Use a local Antivirus – Mac too
5. Permissions - D 755 | F 644
6. Least Privilege Principles
7. Accountability
8. Backups – Include Database

Page 47: Website Security - It Begins With Good Posture

Notable Resources

Name | Tool

Sucuri Blog http://blog.sucuri.net

Sucuri TV http://sucuri.tv

Malware Scanner http://sitecheck.sucuri.net

Malware Scanner http://unmaskparasites.com

Badware Busters https://badwarebusters.org

Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites

Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633

Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress

Exploit-DB http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31

WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked

WordPress Hardening http://codex.wordpress.org/Hardening_WordPress

Page 48: Website Security - It Begins With Good Posture

Dealing with a Hack


Dealing with Malware http://blog.sucuri.net/2012/10/dealing-with-todays-wordpress-malware.html

Leveraging Google Webmaster Tools http://www.unmaskparasites.com/malware-warning-guide/

Google Webmaster Tools (Hacked) http://www.google.com/webmasters/hacked/

Understanding Google’s Blacklists http://blog.sucuri.net/2013/11/understanding-googles-blacklist-cleaning-your-hacked-website-and-removing-from-blacklist.html

Clearing Your Website with Free Scanner http://blog.sucuri.net/2013/10/cleaning-up-your-wordpress-site-with-the-free-sucuri-plugin.html

WordPress Tips & Tricks http://blog.sucuri.net/2012/07/website-malware-removal-wordpress-tips-tricks.html

Page 49: Website Security - It Begins With Good Posture


Sucuri, Inc.

Tony Perez

http://sucuri.net

http://blog.sucuri.net

@perezbox | @sucuri_security

@sucurilabs | @sucurisupport
