WordCamp Orange County 2012: End User Security
WordPress Security
Knowledge is Power
04/10/2023@sucuri_security @perezbox #wcoc
Who Am I
Hi, my name is Tony Perez | @perezbox
Marine Corps – War Vet
Sucuri Security
Objectivity and rationalism
Gun carrying, Harley riding, Martial Artist.
Web-malware is my life
What are we going to talk about?
Web Security
Look at some statistics…
Provide an understanding of web malware
Understand the threat scape a bit…
Look at some of the recent trends…
Give some hardening tips
Get into the recommendations…
Thinking about Web Security
Web Security: Access, Containment, Knowledge
The Stats
Web Numbers
> 700 Million – Number of websites as of May 2012 – Netcraft
300 Million – Number of websites in 2011 – Pingdom
10.82 Billion – Number of indexed pages – WorldWebSize
2.1 Billion – Number of internet users worldwide – Pingdom
Projected: 1 Billion – 2013; 2 Billion – 2015
WordPress Numbers
73 Million + – Number of WP powered sites
16% – Of all websites run WordPress
22 – Out of every 100 new domains in the U.S.
54% – CMS market share
62% – Market share of top 1,000,000 sites
53% – Market share of top 100,000 sites
55% – Market share of top 10,000 sites
Projection: 300 – 500 Million – 2015
Web Malware Numbers
403 Million – Unique variants of malware in 2011
140% Growth – 2010 – 2011 in unique variants
55,294 – Malicious web domains in 2011
130% Growth – 2010 – 2011 in malicious domains
81% – Increase in malicious web-based attacks between 2010 / 2011
42 Billion – Global SPAM per day in 2011
(Source: Symantec Internet Security Threat Report, Vol 17)
Gah… NO MORE NUMBERS
The web is growing at an unprecedented pace.
WordPress growth – astronomical and gaining
Web-based malware is not far behind
To have a virtual presence you must consider the security of your website
Web Security
Thinking about Web Security
Access – Control, Authentication
Containment – Reduce Threat, Minimize Impact
Knowledge – Have a Plan, Be Prepared
Web-based Malware
Malware – Short for malicious software. This software is designed to disrupt the operation of an information system (i.e., local machine, server, mobile device, etc.)
"In 2011, malnets (malware networks) emerged as the next evolution in the threat landscape. These infrastructures last beyond any one attack." – BlueCoat 2012 Web Security Report
Types of Malware
Obfuscated JavaScript
Hidden & Malicious iFrames
Embedded Trojans
Phishing Attempts
Malicious Redirects
Backdoors (e.g., C99, R57, Webshells)
Stupid, Pointless, Annoying Messages (SPAM)
Defacement
Anomalies
IP Cloaking
Drive by Downloads
Attack Vectors
User Issues
Out-of-Date Software
Social Engineering
Compromised Credentials
Software Issues
SQL Injection
Cross-Site Scripting (XSS)
Cross-Site Request Forgery (XSRF)
Remote Execution
Most Common Distributions
Social Engineering – Trick you into installing malware
Compromising credentials – Websites, Email, Twitter
Drive-by-Downloads – Install malware after exploiting a vulnerability – big issue for us in the WP community
iFrame (52.6%) and JS injections (26.5%)
Malicious redirects – Redirect the user to another site, often one distributing malware
Threat Landscape
Network
Web Server
Application
End User
Local Environment
Administration
Environmental
The Attacker
Types
White-Hat
Ethical / Grey Hat
Script Kiddie
Hacktivist
Cracker / Black Hat
Culture
Has code of ethics, heroes and villains and competing gangs
Knowledge is power
Most believe information and computer access should be freely shared
Major motivation among hackers is status
Financial gain is a strong motivation with crackers – Robin Hood mindset – ok to steal
But I only write about lazy lizards!!!!
• Opportunistic Attacks
• Road of least resistance
• Political Agenda / Further Cause
• Mass Exposure
• In short – it doesn’t matter what you write about, you have a virtual presence
Is WordPress insecure?
Out of the box, core is well built and secure
It’s no longer the days of 1.5
Security team is in place to quickly address and patch issues
Extensibility – both its strength and weakness
With popularity comes a target… think Windows for local environments
Easy target because of its exposure, attackers focusing on the platform
Road of least resistance
Recent Vulnerabilities and Infections
Vulnerabilities
PHP-CGI Vulnerability - Patched
WooThemes Vulnerability – Patched
TimThumb Vulnerability – Patched
Campaigns
Recovery-hdd.eu Malware Campaign
Nikjju Mass Injection Campaign
GetMama Conditional Malware Campaign
.RR.NU Malware Campaign
Sweepstake Malware Campaign
Top reasons why we see these infections
Poor credential Management
Poor System Administration
Soup Kitchen Servers
Out of Date Software
Lack of Web knowledge
Use of self-proclaimed “experts”
Cutting Corners
So what can you do? Glad you asked
Reduce Threat Risk
Update
Credentials
Communicate Securely
Themes / Plugins
Harden Your Install
Don’t forget your local environment
Knowledge - Resources
Update, Update, Update
Leading cause of infections
If your theme is so coupled with core it can’t be updated, consider purchasing a new one
PHP, Core, Themes, Plugins, JavaScript…
Credentials (user / password)
Basics
Avoid using ‘Admin’ & ‘Administrator’
Use Strong Passwords
Online Generator: http://www.onlinepasswordgenerator.com/password.php
Use a Password Manager
LastPass – Free – Online / Mobile Access
https://lastpass.com/
1Password
https://agilebits.com/onepassword
Take-Aways
Complex, unique password
Upper / Lower
Symbols
Numbers
Longer than 18 characters
Passphrases
Use one time – Password manager
In short:
No Dates
No Names
No Pets
No Places
A = @, E = 3, S = $, O = 0 – They know this
Data Dictionary / Defacement
Communicate Securely
Communication mechanisms
File Transfer Protocol (FTP)
SSH File Transfer Protocol (SFTP)
Secure Shell (SSH)
Tools
Filezilla
Coda
NCFTP
SFTP / SSH - Best Approach
Google: How to create SFTP account on [Host Name]
Google: How to enable SSH on [Host Name]
Safe Themes / Plugins
WordPress Repository is a good place to start
19.6k+ – Available Plugins
1.5k+ – Available Themes
Look for good descriptions of the theme or plugin
Look to see versions and updates
Active change log is always good
Theme-check & Plugin-check are good tools to check potential issues
Free Theme? http://wpmu.org/why-you-should-never-search-for-free-wordpress-themes-in-google-or-anywhere-else/
Plugins To Avoid
WPStats.org SPAM – Fake Advanced Search Plugin – SEO poisoning – Bad
http://blog.sucuri.net/2012/05/wpstats-org-spam-and-a-fake-advanced-search-plugin.html
Dean FCKEditor with PWWANGS Code for WordPress (version 1.0.0) – Upload / Server control – Very Bad
http://blog.sucuri.net/2012/03/wordpress-third-party-vulnerability-deans-fckeditor-with-pwwangs-code-for-wordpress-version-1-0-0.html
Absolute Privacy Plugin – Known vulnerability
http://blog.sucuri.net/2012/02/vulnerability-in-the-absolute-privacy-plugin.html
ToolsPack Plugin – Dangerous backdoor – full access – Very Bad
http://blog.sucuri.net/2012/02/new-wordpress-toolspack-plugin.html
What websites are dangerous?
Hardening
Getting 'er done!
HTACCESS is your Friend
Configuration file for web servers using Apache
Features:
Error Documents
Redirects
Password Protection
Deny visitors by IP
Hot link prevention
Access prevention
More?
Apply these changes at your own peril – run risk of blowing up site
Protect HTACCESS
Permissions <= 640
# PROTECT HTACCESS
<Files .htaccess>
Order Allow,Deny
Deny from all
</Files>
Protect WP-Config
.htaccess
Permissions <= 640
# PROTECT WP-CONFIG
<Files wp-config.php>
Order Allow,Deny
Deny from all
</Files>
Authentication Keys (wp-config.php)
Encrypts information stored in user’s cookies
https://api.wordpress.org/secret-key/1.1/salt/
Resource: http://codex.wordpress.org/Editing_wp-config.php
Database Prefix
Default is “wp_”
wp-config.php
Admin User
Created by "default" in versions <= 3.0
In higher versions you can define your own administrator
Create new user, apply “administrator” role
Be mindful of any posts created by “admin” user
Delete “admin” user
Disable Directory Listing
Nobody should know the color of your skivvies
Default on most hosts, but not always
# PREVENT DIRECTORY LISTINGS
Options -Indexes
Disable Plugin / Theme Editor
wp-config.php file
Removes the ability to modify your files via your wp-admin panel – forces you to use SFTP / SSH and your local IDE
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
Permissions
Directories: 755
Files: 644
Important Files
.htaccess = 644
wp-config.php = 600
php.ini = 600
php.cgi = 711
php5.cgi = 100
Reading: http://codex.wordpress.org/Changing_File_Permissions
Directories: find [path to install] -type d -exec chmod 755 {} \;
Files: find [path to install] -type f -exec chmod 644 {} \;
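The permission table above turned into a script, as an added example that is not from the talk: `apply_perms` runs the two find commands and then the per-file exceptions, and `audit_perms` lists anything that still deviates, so the scheme can be re-checked after a plugin install or a clean-up. The script name and function names are hypothetical; it assumes a Unix host where you own the install and have find, chmod and stat.

```shell
#!/bin/sh
# wp_perms.sh -- added example, not from the talk: encodes the slide's permission
# table (755 dirs, 644 files, 600 wp-config.php/php.ini, 711 php.cgi, 100 php5.cgi)
# as an apply step plus an audit that reports anything still deviating from it.

# expected_mode PATH : the mode the slide prescribes for this path
expected_mode() {
    case $(basename "$1") in
        wp-config.php|php.ini) echo 600 ;;
        php.cgi)               echo 711 ;;
        php5.cgi)              echo 100 ;;
        *) if [ -d "$1" ]; then echo 755; else echo 644; fi ;;
    esac
}

# actual_mode PATH : octal mode; GNU stat first, BSD/macOS stat as fallback
actual_mode() {
    stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1"
}

# apply_perms ROOT : the two find commands from the slide, then the special files
apply_perms() {
    find "$1" -type d -exec chmod 755 {} \;
    find "$1" -type f -exec chmod 644 {} \;
    for f in "$1/wp-config.php" "$1/php.ini" "$1/php.cgi" "$1/php5.cgi"; do
        if [ -e "$f" ]; then chmod "$(expected_mode "$f")" "$f"; fi
    done
}

# audit_perms ROOT : print "have want path" for every entry off the scheme;
# prints nothing when the install is clean
audit_perms() {
    find "$1" \( -type d -o -type f \) | while IFS= read -r p; do
        want=$(expected_mode "$p")
        have=$(actual_mode "$p")
        if [ "$have" != "$want" ]; then
            printf '%s %s %s\n' "$have" "$want" "$p"
        fi
    done
}

# Usage: wp_perms.sh /path/to/install  (apply, then show what is still off)
if [ $# -gt 0 ]; then
    apply_perms "$1"
    audit_perms "$1"
fi
```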
Protect WP-Admin
If you have a dynamic IP this might be problematic
Consider HTTPS (Heavy / Complicated) or Basic Authentication (Effective / Simple)
# SECURE Access to WP-ADMIN (goes in wp-admin/.htaccess)
# Note: this also blocks wp-admin/admin-ajax.php, which some themes and plugins call for anonymous visitors
<FilesMatch ".*">
Order Deny,Allow
Deny from all
Allow from [IP Address]
</FilesMatch>
Harden WP-Includes
Create .htaccess in wp-includes directory
# PROTECT WP-INCLUDES
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
Harden WP-Content
Create .htaccess in wp-content directory
Most vulnerable, contains Uploads directory, often the attack vector
It can be moved, but if you’re an end-user don’t touch – hire a pro – lots of dependencies
# PROTECT WP-CONTENT
<FilesMatch "\.php$">
Order Allow,Deny
Deny from all
</FilesMatch>
Limit Upload
Most shells are < 1 MB
Good idea anyway
# limit request body (file uploads) to 10 MB
LimitRequestBody 10240000
Protect Against Bots
Malnets are a growing problem, proactively protect against them using a Web Application Firewall
Perishable Press – 5G Blacklist 2012
http://perishablepress.com/5g-blacklist-2012/
5G WordPress Add-On
Don't want to add all that other stuff? No problem, try this condensed version for WordPress
Doesn't require the 5G Blacklist and helps protect against bad URL requests – i.e., helps take the load off your server from these very annoying requests
Source: http://perishablepress.com/wordpress-5g-blacklist/
Careful – wp-signup required for MultiSite
Secure Login Page
There are a number of plugins you can use for this, or, you can turn to your .htaccess again
Might be an issue if your IP is not static.
<Files wp-login.php>
Order Deny,Allow
Deny from all
Allow from [Your IP]
</Files>
Protect against XSS
Deny bad query Strings – in short, don’t become a victim to cross-site scripting
# QUERY STRING EXPLOITS
# Note: these are broad patterns (e.g. "tag=" also matches WordPress's own ?tag= archive URLs,
# "select" matches any query string containing that word), so test for false positives before deploying
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
SPAM Comments
SPAM in your comments can get you blacklisted just as fast as injections on your pages
Disable comments on pages if you don’t want them
Setting to close comments after a certain amount of time.
Settings > Discussion > Other Comment Settings
Automatically close comments on articles older than XX days
Use AKISMET
Cross-Site Contamination
Most of the things provided so far help protect you from external attacks.
Internal attacks are just as prevalent
Growing problem – "Soup Kitchen" servers
Development, Staging, Testing, Production – all in 1 environment
http://blog.sucuri.net/2012/03/a-little-tale-about-website-cross-contamination.html
http://blog.sucuri.net/2012/03/website-cross-contamination-blackhat-seo-spam-malware.html
Security Plugins
Sucuri Clients – Sucuri Security – Free to Clients
Web Application Firewall
Integrity Monitoring
Auditing
Hardening
More: http://sucuri.net/services/preventive
Not a client? No problem, other good options include:
Login Lock
http://wordpress.org/extend/plugins/login-lock/
WordPress File Monitor
http://wordpress.org/extend/plugins/wordpress-file-monitor/
WordPress Firewall 2
http://wordpress.org/extend/plugins/wordpress-firewall-2/
BulletProof Security
http://wordpress.org/extend/plugins/bulletproof-security/
Still have a malware problem?
Two Approaches
Do it Yourself
Forums are your friend
Requires time and patience
Leverage free tools
Know when you’re in over your head
Can take time – hours, days, weeks, months
Hire a Professional
Will cost money
Alleviates the stress
Gets you up and running in hours, if not days
Support Forums
WordPress.org
Hacked: http://wordpress.org/tags/hacked
Malware: http://wordpress.org/tags/malware
BadwareBusters.org
https://badwarebusters.org/
Things to Know when Engaging Professionals
Know who your host is and how to contact them in the event of an emergency
Know how to access your server – FTP, SFTP, SSH, FTPS
Have a backup accessible
Tips: http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
Tips & Tricks
After all this you might still become infected, and if you do here are a few tips to keep you going:
1. Immediately change all credentials – wp-admin, database, cpanel
2. Log into your database and check all the users
3. Replace WP manually – avoid the default updater
4. Defacements – look at your index files (watch out for “.html” and “index2.php”)
5. Use live scanner: http://sitecheck.sucuri.net
6. Use terminal to GREP and FIND issues reported
7. Restore site from clean backup
8. Purge your cache
9. Disable plugins, validate each plugin
10. Engage a professional
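Tips 4 and 6 above (look at your index files; use the terminal to grep and find what the scanner reported) as an added shell example, not from the talk: a read-only pass that lists PHP files sitting in the uploads directory, PHP files carrying the eval-over-decoded-blob pattern typical of the C99/R57-style backdoors named earlier, stray index files in the web root, and everything changed in the last few days. The script name, function names and the indicator pattern are constructed for this example; it assumes SSH access to a Unix host with find and grep.

```shell
#!/bin/sh
# wp_triage.sh -- added example, not from the talk. Read-only: it reports, it does not delete.
# Indicator pattern is constructed for this example; extend it from findings on your own sites.
SUSPECT_RE='eval *\( *base64_decode|gzinflate *\(|gzuncompress *\(|str_rot13 *\(|eval *\( *\$_(POST|GET|REQUEST)'

# php_in_uploads ROOT : PHP files under wp-content/uploads (there should be none)
php_in_uploads() {
    find "$1/wp-content/uploads" -type f \( -name '*.php' -o -name '*.phtml' -o -name '*.php5' \) 2>/dev/null | sort
}

# obfuscated_php ROOT : PHP files anywhere in the install matching SUSPECT_RE
obfuscated_php() {
    find "$1" -type f -name '*.php' -exec grep -lE "$SUSPECT_RE" {} + 2>/dev/null | sort
}

# stray_index ROOT : index files in the web root that WordPress does not ship (tip 4)
stray_index() {
    find "$1" -maxdepth 1 -type f \( -name 'index2.php' -o -name 'index.html' -o -name 'index.htm' \) | sort
}

# recently_changed ROOT DAYS : files modified in the last DAYS days; compare against your own work
recently_changed() {
    find "$1" -type f -mtime "-$2" | sort
}

# triage_report ROOT [DAYS] : print findings; returns 1 if any of the three indicator checks fired
triage_report() {
    root=$1; days=${2:-7}; flagged=0
    for check in php_in_uploads obfuscated_php stray_index; do
        out=$("$check" "$root")
        if [ -n "$out" ]; then
            flagged=1
            printf '== %s ==\n%s\n' "$check" "$out"
        fi
    done
    printf '== changed in last %s day(s) ==\n' "$days"
    recently_changed "$root" "$days"
    return "$flagged"
}

# Usage: wp_triage.sh /path/to/install [days]
if [ $# -gt 0 ]; then
    triage_report "$1" "${2:-7}"
fi
```

A hit from `obfuscated_php` is a lead to inspect, not proof of infection: some legitimate plugins decode base64 too, so compare the file against a clean copy before replacing it.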
Online Resources
FREE Real Time Virus Scanners
Sucuri SiteCheck: http://sitecheck.sucuri.net
Unmask Parasites: http://unmaskparasites.com/
Blacklisting Authorities
Google – Chrome, FireFox, Search Engine Results Page (SERP)
http://www.google.com/webmaster/tools
http://www.google.com/safebrowsing/diagnostic?site=[your site]
Bing – Internet Explorer
http://www.bing.com/toolbox/webmaster/
Norton – Facebook
http://safeweb.norton.com/
AVG – Opera
http://www.avgthreatlabs.com/sitereports/
Useful Plugins
Know what you're using:
Theme-Check – Authors: Pross, Otto42
http://wordpress.org/extend/plugins/theme-check/
Plugin-Check – Author: Pross
http://wordpress.org/extend/plugins/plugin-check/
Protect against comment SPAM:
Akismet – Authors: Matt, Ryan, Andy, mdawaffe
http://wordpress.org/extend/plugins/akismet/
Still offers free service
Backups are your friend:
BackupBuddy – Author: iThemes
http://pluginbuddy.com/purchase/backupbuddy/
Online Reading
http://blog.sucuri.net/2012/04/lockdown-wordpress-a-security-webinar-with-dre-armeda.html
http://blog.sucuri.net/2012/04/ask-sucuri-how-to-stop-the-hacker-and-ensure-your-site-is-locked.html
http://blog.sucuri.net/2012/04/ask-sucuri-what-should-i-know-when-engaging-a-web-malware-company.html
http://codex.wordpress.org/Hardening_WordPress
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://wpsecure.net/
Online Tools
http://www.botsvsbrowsers.com/SimulateUserAgent.asp
http://www.tareeinternet.com/scripts/base.html
http://www.tareeinternet.com/scripts/decrypt.php
Tony Perez
Company: Sucuri Security
Company site: http://sucuri.net
Company blog: http://blog.sucuri.net
Personal blog: http://perezbox.com
Twitter: http://twitter.com/perezbox
Linkedin: http://linkedin.com/in/perezbox
Email: [email protected]