Applying the Art of War precepts will help you by giving perspective of the problem about security in WordPress environments, and also the understanding of how to act effectively when something bad happens to your website or e-commerce. Presenting the way a WordPress is usually hacked, the layer-based model of security and some examples I gathered during my years at Sucuri and GoDaddy Security, I'll try to make you aware of this problem, I'll give some examples of what could happen and how, and provide you with some countermeasures to avoid this to happen whenever it is possible.

1. HackingWordPress
… and countermeasures
Nestor Angulo (@pharar) - WordCamp Vienna 2020

2. #WCVIE Nestor Angulo (@pharar) - 2020 2

3. Who I am
–A curious guy
… sometimes even more than a cat
–Computer Science degree &Techonology Advisor
–2015
Ø Security Analyst @ Sucuri
–2017
Ø ATS & Managed SSL specialist @ GoDaddy
(Security Group)
–2019
Ø Interim Head of IT @ GoDaddy Spain
#WCVIE Nestor Angulo (@pharar) - 2020 3

4. About
– Sucuri: Anaconda !( Securi | Security )
– Website security
– Fully remote (people from > 25 countries)
– 2008: Founded
– 2017: GoDaddy family proud member
– Free scanners:
– Sitecheck
sitecheck.sucuri.net
– Performance
performance.sucuri.net
#WCVIE Nestor Angulo (@pharar) - 2020 4

5. DISCLAIMER
#WCVIE Nestor Angulo (@pharar) - 2020 5
Any sensitive information has been protected or
encoded to preserve privacy. Any similarity with the
reality is just a coincidence.
I’m responsible of what I say, not what you interpret.
This talk is intended to be DIDACTIC. I don’t promote
any hacking attempt with illegal intentions.
Always ask to an expert if you have questions.

6. #WCVIE Nestor Angulo (@pharar) - 2020 6
Es gibt zwei Arten von
Unternehmen:
diejenigen, die gehackt wurden,
und diejenigen, die noch nicht
wissen, dass sie gehackt
wurden.

7. #WCVIE Nestor Angulo (@pharar) - 2020 7

8. TheArt ofWar
#WCVIE Nestor Angulo (@pharar) - 2020 8

9. TheArt ofWar
– Chinese treatise about military
strategies and tactics, by SunTzu
(5th century)
– “If you know yourself and you
also know your enemy, you
won’t be defeated in any battle”
– “All warfare is based on
deception”
#WCVIE Nestor Angulo (@pharar) - 2020 9

10. About the
atackers
… AKA hated angels.
… AKA loved demons.
#WCVIE Nestor Angulo (@pharar) - 2020 10

11. Hacker VS
Cyberterrorist
#WCVIE Nestor Angulo (@pharar) - 2020 11
Hacker:
Curious person who loves
to go beyond limits or
conventions.
Cyberterrorist / Cracker:
Computer Hacker, aligned to enrich
himself in a zero-sum game situation.
The bad guy

12. #WCVIE Nestor Angulo (@pharar) - 2020 12
Hacker HatColours
ØBlack Hat
Cyberterrorist, thief
ØGrey Hat
White Hat one using
illegal procedures
ØWhite Hat
Security Analyst,
ethical hacker

13. How
Security
works
… I mean, in the DigitalWorld
#WCVIE Nestor Angulo (@pharar) - 2020 13

14. #WCVIE Nestor Angulo (@pharar) - 2020 14
Layer-basedSecurity simplified Model
Layer Protection
You, the weakest point Knowledge
Your device Antivirus
Your connection SSL
Your web site WAF
Your credentials Strong passwords, 2FA
Your site security monitor, plugins, updates
Your server security monitor, sysadmin, updates
Your database monitor, sysadmin
Maintenance tasks

15. Protect
yourCastle!
…Wait, do I actually own a
Castle?
#WCVIE Nestor Angulo (@pharar) - 2020 15

16. #WCVIE Nestor Angulo (@pharar) - 2020 16

17. YourCastle
#WCVIE Nestor Angulo (@pharar) - 2020
USERS DATABASE CONTENT
INFRASTRUCTURE BOT NET REPUTATION
17

18. Build a
greatWall!
…Well, what is ”great” for
you?
#WCVIE Nestor Angulo (@pharar) - 2020 18

19. YourWall
#WCVIE Nestor Angulo (@pharar) - 2020 19
Antivirus
SSL certificate
WAF
Passwords
Monitors & Scanners
Updates
Plugins &Themes

20. Every wall
has holes…
… AKA weak points
#WCVIE Nestor Angulo (@pharar) - 2020 20

21. The
Weaknesses
…some examples.
– You are your weakest point
– You can be scammed
– Passwords.
– Vulnerable to brute force attacks
– Leftovers
– Ex: Admin users, FTP users, db dumps, etc.
– Outdated/vulnerable software
– Enabled/Disabled not-in-use plugins/themes
– Non-secure connection (avoid public wifi)
– Vulnerable to Man-In-the-Middle attacks
#WCVIE Nestor Angulo (@pharar) - 2020 21

22. The tools
… AKA weapons
#WCVIE Nestor Angulo (@pharar) - 2020 22

23. Malware
Some types
Backdoors,
zero-day
Exploits
Troyans,
Fremium
plugins
Ransom-
ware,
Spyware
Adware,
Scareware
…
Software intentionally designed to
cause damage to a computer, client,
or computer network.
#WCVIE Nestor Angulo (@pharar) - 2020 23

24. Definitions
–Vulnerability
–Bug in the code or posibility of misuse
that can be used to perform
unauthorized actions within a
computer system.
–Exploit
–Software that leverages a vulnerability
–Backdoor
–Malware which allows remote
execution of code
#WCVIE Nestor Angulo (@pharar) - 2020 24

25. Some facts
… let’s blow your mind!
#WCVIE Nestor Angulo (@pharar) - 2020 25

26. Site hacking
almost never is
client-oriented
(98% of cases)
Almost always
happens due to a
deficient monitoring
/ maintenance
A SSL certificate
is not
an antihacking shield
Patches & security
updates appear
almost always after
hacking exploits
Errare Humanum Est
(Human being fails)
Security never is
(nor will be)
100% effective
#WCVIE Nestor Angulo (@pharar) - 2020 26

27. Then…
is WordPress secure?
#WCVIE Nestor Angulo (@pharar) - 2020 27

28. #WCVIE Nestor Angulo (@pharar) - 2020 28

29. Yes
At least, the most it can be.
#WCVIE Nestor Angulo (@pharar) - 2020 29

30. The problem is that…
… is extremely easy to create
an insecure site with WordPress
#WCVIE Nestor Angulo (@pharar) - 2020 30

31. The Hacking
How it happens.

32. #WCVIE Nestor Angulo (@pharar) - 2020 32

33. The Process
#WCVIE Nestor Angulo (@pharar) - 2020 33
Vulnerability Exploit Injection
Final Code Backdoor
Spam /
defacement
BotNode Code

34. #WCVIE Nestor Angulo (@pharar) - 2020 34

35. Searching the
vulnerability
#WCVIE Nestor Angulo (@pharar) - 2020 35

36. GoogleHacking
Database
exploit-db.com/
google-hacking-
database
#WCVIE Nestor Angulo (@pharar) - 2020 36

37. WPScan
Vulnerability
Database
wpvulndb.com
#WCVIE Nestor Angulo (@pharar) - 2020 37

38. Ex1:Using
Google
Hacking DB
38#WCVIE Nestor Angulo (@pharar) - 2020

39. Ex1:Using
Google
Hacking DB
39#WCVIE Nestor Angulo (@pharar) - 2020

40. Ex2:Using
WPVULNDB
40#WCVIE Nestor Angulo (@pharar) - 2020

41. Ex2:Using
WPVULNDB
41#WCVIE Nestor Angulo (@pharar) - 2020

42. Ex3:Using
WPVULNDB
42#WCVIE Nestor Angulo (@pharar) - 2020

43. Ex3:UsingWPVULNDB
ØThe WordPress REST API got
activated by default in 4.7.0 and
4.7.1 version.
ØBug: any visitor can modify any post
without permissions.
ØHundreds of thousands sites got
exploited using this vulnerability
because they didn’t updated.
43#WCVIE Nestor Angulo (@pharar) - 2020

44. Ex3:Using
WPVULNDB
44#WCVIE Nestor Angulo (@pharar) - 2020

45. What
happens
if…
#WCVIE Nestor Angulo (@pharar) - 2020 45

46. Defacements
#WCVIE Nestor Angulo (@pharar) - 2020 46

47. Defacements
#WCVIE Nestor Angulo (@pharar) - 2020 47

48. Example:
PhotographerGallery
#WCVIE Nestor Angulo (@pharar) - 2020 48

49. #WCVIE Nestor Angulo (@pharar) - 2020 49

50. #WCVIE Nestor Angulo (@pharar) - 2020 50

51. #WCVIE Nestor Angulo (@pharar) - 2020 51

52. #WCVIE Nestor Angulo (@pharar) - 2020 52

53. Black HatSEO
#WCVIE Nestor Angulo (@pharar) - 2020 53

54. #WCVIE Nestor Angulo (@pharar) - 2020 54

55. #WCVIE Nestor Angulo (@pharar) - 2020 55

56. #WCVIE Nestor Angulo (@pharar) - 2020 56

57. #WCVIE Nestor Angulo (@pharar) - 2020 57

58. DDoSAttacks /
BotNets
#WCVIE Nestor Angulo (@pharar) - 2020 58

59. Normal, tending to calm
#WCVIE Nestor Angulo (@pharar) - 2020 59

60. #WCVIE Nestor Angulo (@pharar) - 2020 60

61. #WCVIE Nestor Angulo (@pharar) - 2020 61

62. Countermeasures
Reactive vs Proactive

63. Characters in theStory
(if something happens)
#WCVIE Nestor Angulo (@pharar) - 2020 63
You
• Owner /
Admins
• Developer &
Designer
• Users/clients
Hosting
Provider
• Agent / C3
• Support &
Backups
Security
Expert
• Security
department
• External
services

64. Measures:
Reactive vs
Proactive
#WCVIE Nestor Angulo (@pharar) - 2020 64
Reactive:
When bad things have
already happened
Pain mitigation
Proactive:
Before anything bad
happens
Risk mitigation

65. Reactive
measures
#WCVIE Nestor Angulo (@pharar) - 2020 65
Scan your site:
Status:
sitecheck.sucuri.net
Blacklist: virustotal.com
CRC: Check, Remove and Change
Update
Restore a backup

66. 66
#WCVIENestorAngulo(@pharar)-2020

67. Proactive
measures
#WCVIE Nestor Angulo (@pharar) - 2020 67
Reduce admins, plugins and themes
Backups
Updates
Invest in Hosting & Security
WAF

68. BACKUPS
#WCVIE Nestor Angulo (@pharar) - 2020 68
Have a backups strategy
NEVER store the backups in your
production server
A clean and FUNCTIONAL backup will be
your best friend a bad day

69. Updates
– PLUGINS
– THEMES
– CORE
– PHP
– APACHE / NGINX
– SERVER
– CPANEL / PLESK
– …
#WCVIE Nestor Angulo (@pharar) - 2020 69

70. Updates
#WCVIE Nestor Angulo (@pharar) - 2020 70
Source:
Web Professional
Security Survey 2019
sucuri.net

71. Remember to
invest in…
#WCVIE Nestor Angulo (@pharar) - 2020 71
SECURITY HOSTING

72. Hosting
#WCVIE Nestor Angulo (@pharar) - 2020 72
FIRST LAYER OF
YOUR SITE’S DEFENSE
BALANCE BETWEEN
PRICE AND FEATURES
THEY ARE IN CHARGE OF
THE SERVER’S SERVICES,
DATABASE AND
MAINTENANCE

73. Shared hosting vs dedicated
#WCVIENestorAngulo(@pharar)-2020
73

74. Source:
2019Sucuri
survey to
ecommerce
owners.
#WCVIE Nestor Angulo (@pharar) - 2020 74

75. WAF
Your guard dog
FILTERS ALLYOUR
WEBTRAFFIC
PROTECTS AGAINST
XSS, DDOS, …
PATCHSVIRTUALLY WIDELY
KNOWN SOFTWARE
VULNERABILITIES
IF IT INCLUDES CDN,
IMPROVESYOUR SITE’S
SPEED & PERFORMANCE
FORENSIC ANALISYS
TOOL
ALLOWS MANUAL
BLOCKING
#WCVIE Nestor Angulo (@pharar) - 2020 75

76. WAF
Your guard dog
FILTERS ALLYOUR
WEBTRAFFIC
PROTECTS AGAINST
XSS, DDOS, …
PATCHSVIRTUALLY WIDELY
KNOWN SOFTWARE
VULNERABILITIES
IF IT INCLUDES CDN,
IMPROVESYOUR SITE’S
SPEED & PERFORMANCE
FORENSIC ANALISYS
TOOL
ALLOWS MANUAL
BLOCKING
#WCVIE Nestor Angulo (@pharar) - 2020 76

77. #WCVIE Nestor Angulo (@pharar) - 2020 77

78. #WCVIE Nestor Angulo (@pharar) - 2020 78

79. Danke schön!
Fragen?
79
@pharar
Nestor Angulo de Ugarte