http://lynt.cz
WordPress Security:
Defend yourself against digital invaders
Vláďa Smitka
vladimir.smitka@lynt.cz
@smitka
Lynt services s.r.o.
Update!
Backup!
Be careful!
WP leaks like a sieve
10. 7. 2016 2
Have you ever heard that?
Let's tell the truth.
Updated / Obsolete
Web developers should push their customers to pay for support and should provide it responsibly.
Customers should be willing to accept it – the website is in fact one of their employees.
What is the current status?
• Comprehensive research of 65 000 Czech sites (04/2015)
http://lynt.cz/blog/wordpress-in-the-czech-complex-research
[Chart: WP versions – 02/2016 (status 2 days ago); values shown: 16 639, unknown]
Status 2 days ago (02/2016) – still updated versions:
3.7.13: 247
3.8.13: 1779
3.9.10: 2229
4.0.10: 2570
4.1.10: 2946
4.2.7: 4305
4.3.3: 4695
4.4.2: 15225
Status 2 days ago (02/2016)
25 % of WP sites run on 3.6 or lower – security updates are no longer provided
18 % of WP sites on 3.7 or higher haven't installed the latest security updates yet
= At least 40 % of Czech WP sites contain security issues
WP versions recency (02/2016):
Current version: 27 %
Supported versions with updates: 30 %
Supported versions without updates: 18 %
Unsupported versions: 28 %
What does it mean?
• I ran the annual WordCamp HACK campaign!
• Almost 1000 reports about critical
vulnerabilities or hacked sites were sent
• More than 300 vulnerable Slider Revolution
plugins discovered!
• A WordCamp invitation was included
• Responses from owners and developers of the
affected sites were less than warm…
How to manage updates?
• WP Updates Notifier plugin sends an e-mail when
an update is available
• Tools allowing bulk management:
– InfiniteWP
– ManageWP
– WP Remote
• How to turn on the auto-update feature (place the following in an mu-plugin):
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
Infinite WP
• Self-hosted
• Base version for free (fully functional, no limits)
• Just install InfiniteWP Client plugin + copy&paste credentials
UPDATE 05/2016
• MainWP – new self-hosted bulk management
system – looks very promising
Automated testing
• If you are afraid that something important breaks after an update, it is possible to write automated tests
• Casper.js
• Selenium
• Ghost.py
• Online services: http://www.testomato.com/, ...
Hackers?
What the hell do they want?
• How do I know?
=> I analyzed many compromised systems and I run honeypots
• http://pot.lynt.cz – it emulates an older WP with some vulnerabilities and there is also a fake SSH access
Honey Pot
• How long did it take from the launch of a new
machine to the first attacks?
12 minutes
• The Internet is dangerous – accept this
fact and be prepared
Ok, what do they want?
• Inject malicious code to infect visitors and to
show their ads
• Send spam
• Attack other servers
• Gain sensitive data
• Shut down your site/the whole server
What does the uploaded evil code do?
The first mention of the Simple UDP flood script is from 2004:
https://forums.cpanel.net/threads/script-in-tmp-made-by-hacker.33184/
The simplest backdoor:
eval($_POST[sam]);
Remote shell – e.g. b374k
Scripts to enable more attacks:
• Password cracking
• Spam sending
• Simple UDP flood script
What methods do they use?
• Login
• Comments
• Particular bugs in
plugins, themes or WP
core
• Tapping
• Phishing
• Cross site infection
through other sites on a
shared hosting
Prepared backdoors:
Hi, does anyone have an
experience with ### site?
They offer plugins just for
few bucks
They sell stolen plugins
without the license, you can
download them for free
somewhere on the Internet
Cross infection
• Common problem on shared (multi-site) hosting
[Diagram: one folder containing all sites – Web1, Web2, Web3]
How to login into WP?
• /wp-admin + user name & password
• XML-RPC (/xmlrpc.php)
• Cookie
• REST-API (/wp-json) – coming soon
Harvesting user logins
• /?author=1 => redirects to /author/admin/ (reveals the login name)
• Passwords admin, admin0, admin1, … brute force
Rules for .htaccess:
RewriteCond %{QUERY_STRING} author=
RewriteRule ^(.*)$ http://uckf.you? [L,R=301]
A hacker can tap your credentials
…or ask you directly
Subject: A security problem on wordcamp.cz
Date: Sat, 20 FEB 2016 09:51:48 +0200
From: HOSTING <your@amazing.hosting>
To: <you>
Dear customer,
Your website wordcamp.cz running on WordPress contains a serious security problem in the "Some Amazing Plugin" which makes it possible to gain full control over your website and consequently attack other sites.
There is no official patch available yet but our team can fix the issue manually. For this purpose we need your credentials to your WP administration.
Send them ASAP to stop the attacks. Otherwise we will be forced to turn off your site.
Regards,
Your Amazing Hosting, Inc.
XML RPC
• /xmlrpc.php
• This protocol allows remote control of your site from various applications – e.g. post publishing
• The protocol is used rarely
• But some plugins use it – JetPack
• The system.multicall function allowed an attacker to test hundreds of passwords with one call (disclosed and fixed in September 2015)
• If you want to use XML-RPC, allow it only from particular IP addresses
Block via .htaccess
<Files "xmlrpc.php">
Order Allow,Deny
deny from all
</Files>
Cookie
Cookie
wordpress_9338f7bf999516f89fdc070299cf0b82=admin%7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna0IdLmz4g7JQBwtYn%7Cb73f661495e9323a6df2dffe80015360b41ed8970a5cf05dd4053aecc4109a40
• The cookie name suffix is md5(site URL) – here md5('http://pot.lynt.cz'); %7C is a URL-encoded "|"
• User name
• Validity = 28.2.2016 15:25:24 (+14 days)
• Hash – computed from AUTH_KEY + AUTH_SALT + 4 chars from the password's hash
• Token (since 4.0) – 43 random chars
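A worked parse of the cookie above, added here as an example and not part of the original slides: it splits the four fields, renders the expiration, and re-implements the server-side check modelled on WordPress core's wp_generate_auth_cookie()/wp_validate_auth_cookie() (the key derivation is my reading of core; the keys, password hash and session-token set are constructed). It shows why rotating AUTH_KEY/AUTH_SALT, changing the password, or clearing the session tokens invalidates every existing cookie.

```python
import hashlib
import hmac
from datetime import datetime, timezone
from urllib.parse import unquote

# Cookie value copied from the slide (honeypot at http://pot.lynt.cz); %7C is a URL-encoded "|".
SLIDE_COOKIE = (
    "admin%7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna0IdLmz4g7JQBwtYn"
    "%7Cb73f661495e9323a6df2dffe80015360b41ed8970a5cf05dd4053aecc4109a40"
)


def cookie_name(site_url):
    """WordPress names the auth cookie 'wordpress_' + md5(siteurl) (the COOKIEHASH constant)."""
    return "wordpress_" + hashlib.md5(site_url.encode()).hexdigest()


def parse_auth_cookie(value):
    """Split a WordPress 4.0+ auth cookie into username|expiration|token|hmac."""
    parts = unquote(value).split("|")
    if len(parts) != 4:
        raise ValueError("expected username|expiration|token|hmac")
    username, expiration, token, mac = parts
    return {"username": username, "expiration": int(expiration), "token": token, "hmac": mac}


def expiration_utc(cookie):
    """Render the expiration timestamp as UTC; the slide's cookie gives 2016-02-28 15:25:24."""
    return datetime.fromtimestamp(cookie["expiration"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S")


def wp_hash(data, auth_key, auth_salt):
    """wp_hash() for the 'auth' scheme: HMAC-MD5 keyed with AUTH_KEY . AUTH_SALT from wp-config.php."""
    return hmac.new((auth_key + auth_salt).encode(), data.encode(), hashlib.md5).hexdigest()


def generate_auth_cookie(username, user_pass_hash, expiration, token, auth_key, auth_salt):
    """Build the cookie the way wp_generate_auth_cookie() does (WP 4.0+: sha256 HMAC plus session token)."""
    # 4 chars of the stored password hash go into the key, so a password change invalidates old cookies.
    pass_frag = user_pass_hash[8:12]
    key = wp_hash(f"{username}|{pass_frag}|{expiration}|{token}", auth_key, auth_salt)
    mac = hmac.new(key.encode(), f"{username}|{expiration}|{token}".encode(), hashlib.sha256).hexdigest()
    return f"{username}|{expiration}|{token}|{mac}"


def validate_auth_cookie(value, user_pass_hash, auth_key, auth_salt, now, active_tokens):
    """Server-side check modelled on wp_validate_auth_cookie(). active_tokens stands in for the
    per-user session list that the 'Log Out Everywhere Else' button (WP 4.0+) clears."""
    try:
        c = parse_auth_cookie(value)
    except ValueError:
        return False
    if c["expiration"] < now:          # cookie past its 14-day validity
        return False
    expected = generate_auth_cookie(c["username"], user_pass_hash, c["expiration"],
                                    c["token"], auth_key, auth_salt)
    if not hmac.compare_digest(expected.rsplit("|", 1)[1], c["hmac"]):
        return False                   # wrong keys/salt or password changed since the cookie was issued
    return c["token"] in active_tokens  # session revoked => cookie dead even with a valid HMAC


if __name__ == "__main__":
    c = parse_auth_cookie(SLIDE_COOKIE)
    print(cookie_name("http://pot.lynt.cz"), c, expiration_utc(c))
    # Constructed keys and password hash: rotating AUTH_KEY alone kills the cookie.
    pw = "$P$BconstructedHash0000000000000000"
    ck = generate_auth_cookie("admin", pw, 1456673124, "constructedtoken", "KEY-A", "SALT-A")
    print(validate_auth_cookie(ck, pw, "KEY-A", "SALT-A", 1456000000, {"constructedtoken"}))
    print(validate_auth_cookie(ck, pw, "KEY-B", "SALT-A", 1456000000, {"constructedtoken"}))
```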
Crypto keys in wp-config.php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
You can obtain new ones from:
https://api.wordpress.org/secret-key/1.1/salt/
The HACK campaign discovered that 16 % of sites with a vulnerability in Slider Revolution also used the default crypto keys.
If you install WP via wp-config-sample.php renaming, don‘t forget to change the crypto keys!
WordPress 4.0+
You can invalidate the "remember me" token and log off all users
36 % of WP websites use an older version
User profile: [screenshot]
Cookie tapping
Unlike the user name and password, cookies are sent with every request.
Higher rights – higher risks
• Subscriber
– Can read posts and edit their own profile. The main benefit is easier commenting.
• Contributor
– Can write new posts but can't publish them (an Editor or Administrator has to publish them). Doesn't have access to the Media Gallery (can embed images from external sources) – useful for guest blogging.
• Author
– Can manage their own posts and the comments on those posts. Has access to the Media Gallery. Can't manage pages.
• Editor
– Can manage all content – posts, pages, comments, categories. Can use JavaScript in comments.
• Administrator
– All rights – content, plugins, themes, widgets, menus. A good practice is not to create content with the admin account.
• SuperAdministrator (only in WP multisite) – manages the network
Privileges customization
• Rights are editable – e.g. if a person needs to change the menu, they don't need admin rights:
• Use the plugin User Role Editor
• Or use similar code:
https://codex.wordpress.org/Roles_and_Capabilities
$role_object = get_role( 'editor' );
$role_object->add_cap( 'edit_theme_options' );
HTTPS
• SSL certificates are cheap (finally):
• < 8 $/year – e.g. ssls.cz
• Free – Let's Encrypt (needs support on the server)
• 2 options
– Whole web on HTTPS (better)
– Only administration on HTTPS
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
./letsencrypt-auto --apache -d <my-web> -d www.<my-web>
Renewal script: http://do.co/le-renew (le-renew <my-web>)
Deploy HTTPS – whole web
• Ask your host/admin to set up the certificate
• Try if it works
• Settings - General
You can also set it in wp-config.php (it saves DB queries):
define('WP_HOME', 'https://<my-web>');
define('WP_SITEURL', 'https://<my-web>');
• There is a problem with the mixed content – WP makes absolute links – you
need to fix it
• SSL Insecure Content Fixer
• Fix in admin – one by one
• Fix in DB:
UPDATE wp_posts SET post_content = REPLACE(post_content,
'http://<my-web>', 'https://<my-web>')
Deploy HTTPS – administration only
Place this code into wp-config.php:
define( 'FORCE_SSL_ADMIN', true );
There is a problem with the mixed content in the Media Gallery:
SSL Insecure Content Fixer + the „Simple“ settings
SSL Insecure Content Fixer – settings [screenshot]: one option fixes CSS, JS and images in the Media Gallery; another fixes incorrect URLs in the content
Redirect from HTTP to HTTPS
In .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
RewriteBase /
RewriteRule ^index.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
* May differ on some hostings
Other encrypted protocols
• SFTP/SCP instead of FTP
• SSH instead of Telnet
• IMAPS (POP3S) instead of IMAP (POP3)
• SMTP over TLS / SMTP STARTTLS instead of plain SMTP
• VPN
How does the attack proceed?
• Check publicly known information (domain owners, e-mail addresses, IPs, employees' names… recon-ng)
• Active scan, identification – WPScan
• Aggressive scan – e.g. DirBuster (tries whether particular folders exist – /phpmyadmin/, …)
• Vulnerability tests – generate suspicious queries
• Can be detected – it causes many 404 responses
XSS
XSS – worse
XSS – really dangerous
Overlay reacts to mouse movement (onMouseMove) – screenshot of the Edit Themes screen
XSS – at its maximum
Ask admin for help
Subject: A security problem on wordcamp.cz
Date: Sat, 20 FEB 2016 09:59:02 +0200
From: HOSTING <your@amazing.hosting>
To: <you>
Dear customer,
Your website wordcamp.cz running on WordPress contains a serious security problem in the "Some Amazing Plugin" which makes it possible to gain full control over your website and consequently attack other sites.
You need to disable the function "Uglyness" until a patch is available – you can do so simply via the following link:
http://<your-web>/wp-content/plugins/amazing-plugin/abc.php?xy=dG9obGUgamUgemx5IGtvZCA6LSk
Please disable the function or delete the plugin, otherwise we will be forced to turn off your site.
Regards,
Your Amazing Hosting, Inc.
Cross-site request forgery
• When the system doesn't check the origin of the request
[Diagram: "Hi Admin, check this cool site!" – the "cool site" (Lorem ipsum) silently sends a request that creates a new user for the attacker]
• The prevention is "signed" forms (a unique token is added by the server and checked after submission)
• WP uses "nonces" (not all plugins use them…)
/wp-admin/post.php?post=1&action=trash&_wpnonce=b192fc4204
SQL Injection
• Unsanitized inputs (again)
• It is possible to modify DB queries and
consequently obtain the complete data from DB
• Interesting stuff in the DB:
– E-mails
– User names, hashed passwords
– Auth Token for autologin Cookie
– Credentials to external services
Security plugins
• My favourite combo:
• WordFence + BBQ: Block Bad Queries
• Blocks invalid login attempts
• Limits scans
• File changes detection
• Denies user logins harvesting
• Denies PHP execution in uploads
• Limits SPAM
• Accesses to the global attackers list
• Filters out the suspicious queries
WordFence – after installation
Level 2: more notifications, limiting invalid logins
Level 3: starts with the traffic limiting
Level 4: blocks invalid login names immediately
WordFence – Live Traffic
WordFence – file changes detection
WordFence – traffic limiting
WordFence – login security
WordFence – other options
WordFence – other options
Great plugin, but unfortunately it lacks blocking of suspicious queries
Simple plugin, no configuration – blocks suspicious queries
E.g.: eval(, base64_, UNION * SELECT, wp-config.php, < …
UPDATE 05/2016
• There is a new „Firewall“ feature in
WordFence since 6.1.1
• It blocks suspicious queries

Recovery after infection
• Stop the web (e.g. deny all in .htaccess)
• Remove everything and restore from a clean backup / manual disinfection if no clean backup is available (FAR)
• Eliminate the cause (usually by updating)
• Change FTP password
• Change DB password
• Change users‘ passwords, check unknown users
• New crypto keys into wp-config.php:
https://api.wordpress.org/secret-key/1.1/salt/
• Check files for changes and evil code (Wordfence,
Sucuri Scanner)
Inspiration – how do we protect our sites?
• wp-login.php only from the Czech Republic (GeoIP module)
• Blocked xmlrpc.php and some other files + disabled PHP in uploads
• Comments spam blocking (NoSpamNX) + Ping/Track Back filter (Topsy
Blocker)
• Bulk updates management
• Sites isolation
• HTTP headers:
– X-Frame-Options SAMEORIGIN;
– X-XSS-Protection "1; mode=block"
– X-Content-Type-Options nosniff
• Deletion of unused themes and plugins
Inspiration – how do we protect our sites?
• Fail2Ban (invalid login attempts, too many 404,
https://wordpress.org/plugins/wp-fail2ban/ )
• Suspicious queries filtering (serverside)
• Realtime log (Log Stash) and error (Sentry) analysis
• Server monitoring (Zabbix)
• File changes detection + malware analysis – Maldet + Yara
• Daily serverside backups (plugins can be used as well: BackWPup,
UpdraftPlus, BackupBuddy)
• Watch current resources about new threats
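Detection logic for the warning signs named in the attack sequence earlier (many 404s from aggressive scanning, the ?author= harvest, repeated failed logins) and in this checklist (Fail2Ban on invalid logins and 404s, blocked xmlrpc.php), added here as an example rather than the talk's own tooling. The log lines are constructed Apache combined-format entries using documentation IP ranges, and the thresholds are assumptions to tune per site.

```python
import re
from collections import Counter, defaultdict

# Apache "combined" format; enough of it to pull client IP, method, path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Constructed sample traffic (documentation IP ranges, not real visitors).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Jul/2016:10:00:01 +0200] "GET /phpmyadmin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:10:00:02 +0200] "GET /pma/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:10:00:02 +0200] "GET /wp-content/plugins/revslider/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:10:00:03 +0200] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:10:00:03 +0200] "GET /backup.zip HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [10/Jul/2016:10:00:04 +0200] "GET /wp-config.php.bak HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Jul/2016:10:05:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.47.0"
198.51.100.7 - - [10/Jul/2016:10:05:00 +0200] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.47.0"
198.51.100.7 - - [10/Jul/2016:10:05:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.47.0"
198.51.100.7 - - [10/Jul/2016:10:05:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.47.0"
198.51.100.7 - - [10/Jul/2016:10:05:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.47.0"
198.51.100.7 - - [10/Jul/2016:10:05:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3400 "-" "curl/7.47.0"
198.51.100.7 - - [10/Jul/2016:10:05:03 +0200] "POST /xmlrpc.php HTTP/1.1" 200 500 "-" "curl/7.47.0"
192.0.2.20 - - [10/Jul/2016:10:10:00 +0200] "GET / HTTP/1.1" 200 12000 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jul/2016:10:10:01 +0200] "GET /old-page/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Jul/2016:10:10:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""


def scan_indicators(log_text, max_404=5, max_failed_logins=5):
    """Return {ip: [reasons]} for clients matching the talk's warning signs.
    A failed wp-login.php POST re-renders the form with HTTP 200; a successful
    login answers with a 302 redirect, so only the 200s count as failures."""
    not_found, author_probe, failed_login, xmlrpc_post = Counter(), Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status = m["ip"], m["method"], m["path"], m["status"]
        if status == "404":
            not_found[ip] += 1
        if "author=" in path:                     # user-name harvesting via /?author=N
            author_probe[ip] += 1
        if path.startswith("/wp-login.php") and method == "POST" and status == "200":
            failed_login[ip] += 1
        if path.startswith("/xmlrpc.php") and method == "POST":
            xmlrpc_post[ip] += 1
    findings = defaultdict(list)
    for ip, n in not_found.items():
        if n >= max_404:
            findings[ip].append(f"{n} x HTTP 404 (directory or vulnerability scan)")
    for ip in author_probe:
        findings[ip].append("user enumeration probe (?author=)")
    for ip, n in failed_login.items():
        if n >= max_failed_logins:
            findings[ip].append(f"{n} failed logins on wp-login.php (brute force)")
    for ip, n in xmlrpc_post.items():
        findings[ip].append(f"{n} POST to xmlrpc.php (endpoint should be blocked)")
    return dict(findings)


if __name__ == "__main__":
    for ip, reasons in scan_indicators(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(reasons))
```

The output is what a Fail2Ban filter or a WordFence rate limit would act on; the ordinary visitor with one 404 and a successful login is not flagged.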
Resources
• Information about vulnerabilities
• https://www.owasp.org/
• https://wpvulndb.com/
• https://blog.sucuri.net/
• https://www.wordfence.com/blog/
• https://packetstormsecurity.com/
• https://www.reddit.com/r/xss
• My presentation from last year:
• http://www.slideshare.net/vsmitka/wordpress-security-for-everone
Homework for tomorrow
□ Check unique crypto keys in the wp-config.php
□ Create backup
□ Remove unused plugins
□ Remove all unused themes (you can keep one
of the default themes and the parent theme)
□ Lower user rights
□ Update everything
Thank you for your attention
Update, backup, use a security plugin, be careful

EN - BlackHat US 2009 favorite XSS Filters-IDS and how to attack them.pdf
 
Rails security: above and beyond the defaults
Rails security: above and beyond the defaultsRails security: above and beyond the defaults
Rails security: above and beyond the defaults
 
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
Identifying Web Servers: A First-look Into the Future of Web Server Fingerpri...
 
Cloud Device Insecurity
Cloud Device InsecurityCloud Device Insecurity
Cloud Device Insecurity
 
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan KuskosCONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
CONFidence 2015: The Top 10 Web Hacks of 2014 - Matt Johansen, Johnathan Kuskos
 
PHP on Windows
PHP on WindowsPHP on Windows
PHP on Windows
 
PHP on Windows
PHP on WindowsPHP on Windows
PHP on Windows
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Top 10 Web Hacks 2012
Top 10 Web Hacks 2012Top 10 Web Hacks 2012
Top 10 Web Hacks 2012
 
Romulus OWASP
Romulus OWASPRomulus OWASP
Romulus OWASP
 
526_topic08.ppt
526_topic08.ppt526_topic08.ppt
526_topic08.ppt
 
gofortution
gofortutiongofortution
gofortution
 

More from Vladimír Smitka

Google Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPressGoogle Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPressVladimír Smitka
 
WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!Vladimír Smitka
 
Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?Vladimír Smitka
 
Hesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WPHesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WPVladimír Smitka
 
Drobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vazDrobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vazVladimír Smitka
 
Sysops tipy pro lepší WP
Sysops tipy pro lepší WPSysops tipy pro lepší WP
Sysops tipy pro lepší WPVladimír Smitka
 
Najčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovNajčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovVladimír Smitka
 
WordCamp Brno 2017 - rychlý a bezpečný web
WordCamp Brno 2017  - rychlý a bezpečný webWordCamp Brno 2017  - rychlý a bezpečný web
WordCamp Brno 2017 - rychlý a bezpečný webVladimír Smitka
 
WordPress - základy bezpečnosti
WordPress - základy bezpečnostiWordPress - základy bezpečnosti
WordPress - základy bezpečnostiVladimír Smitka
 
Bezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyBezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyVladimír Smitka
 
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015Vladimír Smitka
 
Wordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentaceWordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentaceVladimír Smitka
 
Bezpečnost Wordpressu - 4. WP konference
Bezpečnost Wordpressu - 4. WP konferenceBezpečnost Wordpressu - 4. WP konference
Bezpečnost Wordpressu - 4. WP konferenceVladimír Smitka
 
Sítě pro malé a střední podniky 2014
Sítě pro malé a střední podniky 2014Sítě pro malé a střední podniky 2014
Sítě pro malé a střední podniky 2014Vladimír Smitka
 
Jak si (ne)nechat hacknout Wordpress stránky
Jak si (ne)nechat hacknout Wordpress stránkyJak si (ne)nechat hacknout Wordpress stránky
Jak si (ne)nechat hacknout Wordpress stránkyVladimír Smitka
 

More from Vladimír Smitka (20)

Google Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPressGoogle Tag Manager a analytika ve WordPress
Google Tag Manager a analytika ve WordPress
 
WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!WordCamp Bratislava 2019 - Cache!
WordCamp Bratislava 2019 - Cache!
 
Webmeetup #3
Webmeetup #3Webmeetup #3
Webmeetup #3
 
Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?Co ukázal globální scan přístupných .git repozitářů?
Co ukázal globální scan přístupných .git repozitářů?
 
Hesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WPHesla a vícefaktorová autentizace ve WP
Hesla a vícefaktorová autentizace ve WP
 
WP Weekend 2018
WP Weekend 2018WP Weekend 2018
WP Weekend 2018
 
Drobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vazDrobné chyby, které vám mohou zlomit vaz
Drobné chyby, které vám mohou zlomit vaz
 
Sysops tipy pro lepší WP
Sysops tipy pro lepší WPSysops tipy pro lepší WP
Sysops tipy pro lepší WP
 
Najčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webovNajčastejšie problémy WordPress webov
Najčastejšie problémy WordPress webov
 
Http/2 vs Image Sprites
Http/2 vs Image SpritesHttp/2 vs Image Sprites
Http/2 vs Image Sprites
 
Ansible
AnsibleAnsible
Ansible
 
WordCamp Brno 2017 - rychlý a bezpečný web
WordCamp Brno 2017  - rychlý a bezpečný webWordCamp Brno 2017  - rychlý a bezpečný web
WordCamp Brno 2017 - rychlý a bezpečný web
 
WordPress - základy bezpečnosti
WordPress - základy bezpečnostiWordPress - základy bezpečnosti
WordPress - základy bezpečnosti
 
Bezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníkyBezpečnost WordPress pro začátečníky
Bezpečnost WordPress pro začátečníky
 
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
Bezpečnost WP, tipy pro každého - wordCamp Praha 2015
 
Wordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentaceWordcamp Praha 2015 - další útržky z prezentace
Wordcamp Praha 2015 - další útržky z prezentace
 
Dijskrův algoritmus
Dijskrův algoritmusDijskrův algoritmus
Dijskrův algoritmus
 
Bezpečnost Wordpressu - 4. WP konference
Bezpečnost Wordpressu - 4. WP konferenceBezpečnost Wordpressu - 4. WP konference
Bezpečnost Wordpressu - 4. WP konference
 
Sítě pro malé a střední podniky 2014
Sítě pro malé a střední podniky 2014Sítě pro malé a střední podniky 2014
Sítě pro malé a střední podniky 2014
 
Jak si (ne)nechat hacknout Wordpress stránky
Jak si (ne)nechat hacknout Wordpress stránkyJak si (ne)nechat hacknout Wordpress stránky
Jak si (ne)nechat hacknout Wordpress stránky
 

Recently uploaded

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 3652toLead Limited
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningLars Bell
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfLoriGlavin3
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxLoriGlavin3
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsPixlogix Infotech
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxLoriGlavin3
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024BookNet Canada
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyAlfredo García Lavilla
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupFlorian Wilhelm
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxLoriGlavin3
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfPrecisely
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxNavinnSomaal
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteDianaGray10
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxLoriGlavin3
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenHervé Boutemy
 

Recently uploaded (20)

Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365Ensuring Technical Readiness For Copilot in Microsoft 365
Ensuring Technical Readiness For Copilot in Microsoft 365
 
DSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine TuningDSPy a system for AI to Write Prompts and Do Fine Tuning
DSPy a system for AI to Write Prompts and Do Fine Tuning
 
Moving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdfMoving Beyond Passwords: FIDO Paris Seminar.pdf
Moving Beyond Passwords: FIDO Paris Seminar.pdf
 
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptxDigital Identity is Under Attack: FIDO Paris Seminar.pptx
Digital Identity is Under Attack: FIDO Paris Seminar.pptx
 
The Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and ConsThe Ultimate Guide to Choosing WordPress Pros and Cons
The Ultimate Guide to Choosing WordPress Pros and Cons
 
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptxThe Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
The Role of FIDO in a Cyber Secure Netherlands: FIDO Paris Seminar.pptx
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
Transcript: New from BookNet Canada for 2024: Loan Stars - Tech Forum 2024
 
Commit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easyCommit 2024 - Secret Management made easy
Commit 2024 - Secret Management made easy
 
Streamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project SetupStreamlining Python Development: A Guide to a Modern Project Setup
Streamlining Python Development: A Guide to a Modern Project Setup
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptxThe Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
The Fit for Passkeys for Employee and Consumer Sign-ins: FIDO Paris Seminar.pptx
 
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdfHyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
Hyperautomation and AI/ML: A Strategy for Digital Transformation Success.pdf
 
SAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptxSAP Build Work Zone - Overview L2-L3.pptx
SAP Build Work Zone - Overview L2-L3.pptx
 
Take control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test SuiteTake control of your SAP testing with UiPath Test Suite
Take control of your SAP testing with UiPath Test Suite
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptxA Deep Dive on Passkeys: FIDO Paris Seminar.pptx
A Deep Dive on Passkeys: FIDO Paris Seminar.pptx
 
DevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache MavenDevoxxFR 2024 Reproducible Builds with Apache Maven
DevoxxFR 2024 Reproducible Builds with Apache Maven
 

WordPress Security: Defend yourself against digital invaders

  • 1. http://lynt.cz WordPress Security: Defend yourself against digital invaders Vláďa Smitka vladimir.smitka@lynt.cz @smitka Lynt services s.r.o. Update! Backup! Be careful!
  • 2. WP leaks like a sieve (10. 7. 2016) – Have you ever heard that? Let's tell the truth.
  • 3. Updated / Obsolete
    Web developers should push their customers to pay for support and provide it responsibly. Customers should be willing to accept it – the website is in fact one of their employees.
  • 4. What is the current status?
    • Complex research of 65 000 Czech sites, 04/2015: http://lynt.cz/blog/wordpress-in-the-czech-complex-research
    (chart: WP versions)
  • 5. Status 2 days ago (02/2016)
    (chart: WP versions – 02/2016; labels visible in the chart: 16 639, unknown)
  • 6. Status 2 days ago – still updated versions
    3.7.13: 247
    3.8.13: 1779
    3.9.10: 2229
    4.0.10: 2570
    4.1.10: 2946
    4.2.7: 4305
    4.3.3: 4695
    4.4.2: 15225
  • 7. Status 2 days ago (02/2016)
    • 25 % of WP sites run on 3.6 or lower – security updates are no longer provided
    • 18 % of WP sites on 3.7 or higher haven't installed the latest security updates yet
    • = At least 40 % of Czech WP sites contain security issues
    (chart: WP versions recency – current version 27 %; supported versions with updates 30 %; supported versions without updates 18 %; unsupported versions 28 %)
  • 8. What does it mean?
    • I ran the annual WordCamp HACK campaign!
    • Almost 1000 reports about critical vulnerabilities or hacked sites were sent
    • More than 300 vulnerable Slider Revolution plugins discovered!
    • A WordCamp invitation was included
    • Responses from owners and developers of the affected sites were less than warm…
  • 9. How to manage updates?
    • WP Updates Notifier plugin sends an e-mail when an update is available
    • Tools allowing bulk management:
      – InfiniteWP
      – ManageWP
      – WP Remote
    • How to turn on the auto-update feature (mu-plugins):
      add_filter( 'auto_update_plugin', '__return_true' );
      add_filter( 'auto_update_theme', '__return_true' );
  • 10. Infinite WP
    • Self-hosted
    • Base version for free (fully functional, no limits)
    • Just install the InfiniteWP Client plugin + copy&paste credentials
  • 11. UPDATE 05/2016
    • MainWP – new self-hosted bulk management system – looks very promising
  • 12. Automated testing
    • If you are afraid that something important breaks after an update, it is possible to write automated tests
    • Casper.js
    • Selenium
    • GhostPy
    • Online services: http://www.testomato.com/, …
  • 14. What the hell do they want?
    • How do I know? => I analyzed many compromised systems + I run honey pots
    • http://pot.lynt.cz – it emulates an older WP with some vulnerabilities and there is also a fake SSH access
  • 15. Honey Pot
    • How long did it take from the launch of a new machine to the first attacks? 12 minutes
    • The Internet is dangerous – accept this fact and be prepared
  • 16. Ok, what do they want?
    • Inject malicious code to infect visitors and to show their ads
    • Send SPAM
    • Attack other servers
    • Gain sensitive data
    • Shut down your site/the whole server
  • 17. What does the uploaded evil code do?
    • The most simple backdoor: eval($_POST[sam]);
    • Remote shell – e.g. b374k
    • Scripts to enable more attacks:
      – Password cracking
      – SPAM sending
      – Simple UDP flood script
    The first mention of Simple UDP flood is from 2004: https://forums.cpanel.net/threads/script-in-tmp-made-by-hacker.33184/
  • 18. What methods do they use?
    • Login
    • Comments
    • Particular bugs in plugins, themes or WP core
    • Tapping
    • Phishing
    • Cross site infection through other sites on a shared hosting
    • Prepared backdoors – e.g. the question „Hi, does anyone have an experience with ### site? They offer plugins just for few bucks.“ They sell stolen plugins without the license; you can download them for free somewhere on the Internet.
  • 19. Cross infection
    • Common problem on multihosting
    (diagram: one folder with all sites – Web1, Web2, Web3)
  • 20. How to login into WP?
    • /wp-admin + user name & password
    • XML-RPC (/xmlrpc.php)
    • Cookie
    • REST-API (/wp-json) – coming soon
  • 21. Harvesting user logins
    • /?author=1 => /author/admin/
    • Password admin, admin0, admin1,… (brute force)
    • Rules in .htaccess:
      RewriteCond %{QUERY_STRING} author=
      RewriteRule ^(.*)$ http://uckf.you? [L,R=301]
  • 22. A hacker can tap your credentials
  • 23. …or ask you directly
    Subject: A security problem on wordcamp.cz
    Date: Sat, 20 FEB 2016 09:51:48 +0200
    From: HOSTING <your@amazing.hosting>
    To: <you>
    Dear customer,
    Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some Amazing Plugin“ which enables to gain full control over your website and attack other sites consequently. There is no official patch available yet but our team can fix the issue manually. For this purpose we need your credentials to your WP administration. Send them ASAP to stop the attacks. Otherwise we will be forced to turn off your site.
    Regards,
    Your Amazing Hosting, Inc.
  • 24. XML RPC
    • /xmlrpc.php
    • This protocol allows remote control of your site from various applications – e.g. post publishing
    • The protocol is used rarely
    • But some plugins use it – JetPack
    • system.multicall function which allowed an attacker to test hundreds of passwords with one call (disclosed and fixed in September 2015)
    • If you want to use XML RPC, allow it only from particular IP addresses
    • Block via .htaccess:
      <Files "xmlrpc.php">
      Order Allow,Deny
      deny from all
      </Files>
  • 26. Cookie
    wordpress_9338f7bf999516f89fdc070299cf0b82=admin%7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna0IdLmz4g7JQBwtYn%7Cb73f661495e9323a6df2dffe80015360b41ed8970a5cf05dd4053aecc4109a40
    • md5(URL) = http://pot.lynt.cz
    • User name
    • Validity = 28.2.2016 15:25:24 (+14 days)
    • Hash – AUTH_KEY + AUTH_SALT + 4 chars from password's hash
    • Token (since 4.0) – hash, 43 random chars
  • 27. Crypto keys in wp-config.php
    define('AUTH_KEY', 'put your unique phrase here');
    define('SECURE_AUTH_KEY', 'put your unique phrase here');
    define('LOGGED_IN_KEY', 'put your unique phrase here');
    define('NONCE_KEY', 'put your unique phrase here');
    define('AUTH_SALT', 'put your unique phrase here');
    define('SECURE_AUTH_SALT', 'put your unique phrase here');
    define('LOGGED_IN_SALT', 'put your unique phrase here');
    define('NONCE_SALT', 'put your unique phrase here');
    You can obtain new ones from: https://api.wordpress.org/secret-key/1.1/salt/
    The HACK campaign discovered that 16 % of sites with a vulnerability in Slider Revolution also used default crypto keys. If you install WP via wp-config-sample.php renaming, don't forget to change the crypto keys!
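To make slides 26 and 27 concrete, here is an added Python model (not code from the deck or from WordPress itself) of how the wordpress_<md5(siteurl)> cookie is built and checked, written from my reading of wp_generate_auth_cookie() / wp_validate_auth_cookie() in WordPress 4.0+: the MAC is an HMAC-SHA256 whose key is derived (HMAC-MD5, i.e. wp_hash()) from AUTH_KEY + AUTH_SALT, the user name, 4 characters of the stored password hash, the expiry and the token. The AUTH_KEY, AUTH_SALT and user_pass values below are constructed stand-ins; the cookie value in SLIDE_COOKIE is the one from slide 26. The point for a defender: every check depends on the secret keys and on the password hash, so rotating the keys (slide 57) or changing the password invalidates every existing cookie, and leaving the default "put your unique phrase here" keys in place means the secret is not a secret.

```python
import hashlib
import hmac
import time
from datetime import datetime, timezone
from urllib.parse import unquote

# Constructed stand-ins for the wp-config.php constants. A real site must use
# unique values (https://api.wordpress.org/secret-key/1.1/salt/).
AUTH_KEY = "example-AUTH_KEY-not-for-production"
AUTH_SALT = "example-AUTH_SALT-not-for-production"

# Constructed stand-in for the stored password hash (wp_users.user_pass).
# Only characters 8..11 of it (the "pass fragment") enter the computation.
USER_PASS_HASH = "$P$B9XkQ2mZ7vLp4sT1rW8nE3yC6uH0aJd."


def parse_auth_cookie(value: str) -> dict:
    """Split a (URL-encoded) auth cookie value into its four fields."""
    parts = unquote(value).split("|")
    if len(parts) != 4:
        raise ValueError("auth cookie must have 4 '|'-separated fields")
    username, expiration, token, mac = parts
    return {"username": username, "expiration": int(expiration),
            "token": token, "hmac": mac}


def expiration_utc(value: str) -> datetime:
    """End of validity of a cookie as a UTC datetime."""
    return datetime.fromtimestamp(parse_auth_cookie(value)["expiration"], timezone.utc)


def wp_hash(data: str, key: str, salt: str) -> str:
    """Model of wp_hash(): HMAC-MD5 keyed with AUTH_KEY . AUTH_SALT."""
    return hmac.new((key + salt).encode(), data.encode(), hashlib.md5).hexdigest()


def auth_cookie_mac(username: str, expiration: int, token: str,
                    user_pass_hash: str, key: str, salt: str) -> str:
    """Model of the MAC from wp_generate_auth_cookie() (WordPress 4.0+)."""
    pass_frag = user_pass_hash[8:12]
    inner = wp_hash(f"{username}|{pass_frag}|{expiration}|{token}", key, salt)
    msg = f"{username}|{expiration}|{token}".encode()
    return hmac.new(inner.encode(), msg, hashlib.sha256).hexdigest()


def generate_auth_cookie(username: str, expiration: int, token: str,
                         user_pass_hash: str = USER_PASS_HASH,
                         key: str = AUTH_KEY, salt: str = AUTH_SALT) -> str:
    mac = auth_cookie_mac(username, expiration, token, user_pass_hash, key, salt)
    return f"{username}|{expiration}|{token}|{mac}"


def validate_auth_cookie(cookie: str, user_pass_hash: str = USER_PASS_HASH,
                         key: str = AUTH_KEY, salt: str = AUTH_SALT,
                         now=None) -> bool:
    """Server-side check: fields parse, not expired, MAC matches (constant time).
    Real WordPress additionally requires the token to be in the user's session
    list, which is what "log off all users" (slide 28) clears."""
    try:
        f = parse_auth_cookie(cookie)
    except ValueError:
        return False
    if f["expiration"] < (int(time.time()) if now is None else now):
        return False
    expected = auth_cookie_mac(f["username"], f["expiration"], f["token"],
                               user_pass_hash, key, salt)
    return hmac.compare_digest(expected, f["hmac"])


# The cookie value shown on slide 26 (user name, expiry, token, MAC).
SLIDE_COOKIE = ("admin%7C1456673124%7COB8LpfMl7ZqlMm1zuN23LMBGOna0IdLmz4g7JQBwtYn"
                "%7Cb73f661495e9323a6df2dffe80015360b41ed8970a5cf05dd4053aecc4109a40")

if __name__ == "__main__":
    f = parse_auth_cookie(SLIDE_COOKIE)
    print(f["username"], expiration_utc(SLIDE_COOKIE).isoformat(),
          len(f["token"]), len(f["hmac"]))          # admin 2016-02-28T15:25:24+00:00 43 64
    c = generate_auth_cookie("editor", 2_000_000_000, "x" * 43)
    print(validate_auth_cookie(c, now=1_900_000_000))                     # True
    print(validate_auth_cookie(c, key="rotated-key", now=1_900_000_000))  # False: keys rotated
```

Parsing the slide's cookie gives user admin, a 43-character token and a 64-hex-character (SHA-256) MAC, and the expiry 1456673124 decodes to 28.2.2016 15:25:24 UTC, matching the slide. The validation model returns False as soon as the user name is tampered with, the keys are rotated, the password hash changes or the expiry has passed.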
  • 28. WordPress 4.0+
    • You can invalidate the „remember me“ token and log off all users (User profile)
    • 36 % of WP websites use an older version
  • 29. Cookie tapping
    • Unlike the user name and password, cookies are sent all the time.
  • 30. Higher rights – higher risks
    • Subscriber – Can read posts, edit their profile. The main benefit is easier commenting.
    • Contributor – Can write new posts but can't publish them (Editor or Administrator have to publish them). Doesn't have access to the Media Gallery (can embed images from external sources) – useful for guest blogging.
    • Author – Can manage their posts, manage comments on these posts. Has access to the Media Gallery. Can't manage pages.
    • Editor – Can manage all content – posts, pages, comments, categories. Can use javascript in comments.
    • Administrator – All rights – content, plugins, themes, widgets, menus. A good practice is not to create content with the admin account.
    • SuperAdministrator (only in WP multisite) – manages the network
  • 31. Privileges customization
    • Rights are editable – e.g. if a person needs to change the menu, they don't need the admin rights:
    • Use the plugin User Role Editor
    • Or use a similar code (https://codex.wordpress.org/Roles_and_Capabilities):
      $role_object = get_role( 'editor' );
      $role_object->add_cap( 'edit_theme_options' );
  • 32. HTTPS
    • SSL certificates are cheap (finally):
    • < 8 $/year – e.g. ssls.cz
    • Free – Let's Encrypt (needs support on server)
    • 2 options – whole web on HTTPS (better) / only administration on HTTPS
      git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
      ./letsencrypt-auto --apache -d <my-web> -d www.<my-web>
    Renewal script: http://do.co/le-renew (le-renew <my-web>)
  • 33. Deploy HTTPS – whole web
    • Ask your host/admin to set up the certificate
    • Try if it works
    • Settings - General
    • You can set it up also in the wp-config.php – it saves DB queries:
      define('WP_HOME', 'https://<my-web>');
      define('WP_SITEURL', 'https://<my-web>');
    • There is a problem with the mixed content – WP makes absolute links – you need to fix it
    • SSL Insecure Content Fixer
    • Fix in admin – one by one
    • Fix in DB:
      UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://<my-web>', 'https://<my-web>')
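A caveat on the "Fix in DB" step that the slide does not spell out: a plain SQL REPLACE is fine for post_content, but many values in wp_options and wp_postmeta (widgets, theme settings, plugin options) are PHP-serialized, and there every string carries its byte length (s:18:"http://example.com";). Replacing http:// with https:// changes the length by one, so the value no longer unserializes and WordPress silently falls back to defaults. The added Python below (my example, not code from the deck or from WordPress) parses the serialized format, performs the replacement inside the strings and re-serializes with corrected lengths, while leaving non-serialized fields to a plain replace; the sample values are constructed.

```python
class PhpArray:
    """Ordered (key, value) pairs of a PHP array; keys are int or bytes."""
    def __init__(self, items):
        self.items = items


class PhpObject:
    """A serialized PHP object: class name plus its (property, value) pairs."""
    def __init__(self, cls, items):
        self.cls = cls
        self.items = items


def _parse(data: bytes, pos: int):
    """Parse one serialized value starting at pos; return (value, next_pos)."""
    tag = data[pos:pos + 1]
    if tag == b"N":                                   # N;
        return None, pos + 2
    if tag in (b"b", b"i", b"d"):                     # b:1;  i:42;  d:1.5;
        end = data.index(b";", pos)
        raw = data[pos + 2:end]
        conv = {b"b": lambda r: r == b"1", b"i": int, b"d": float}[tag]
        return conv(raw), end + 1
    if tag == b"s":                                   # s:<byte length>:"...";
        colon = data.index(b":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                             # skip ':"'
        value = data[start:start + length]
        if data[start + length:start + length + 2] != b'";':
            raise ValueError("string length does not match at %d" % pos)
        return value, start + length + 2
    if tag in (b"a", b"O"):                           # a:<n>:{...}  O:<len>:"Cls":<n>:{...}
        colon = data.index(b":", pos + 2)
        cls = None
        if tag == b"O":
            name_len = int(data[pos + 2:colon])
            cls = data[colon + 2:colon + 2 + name_len]
            colon = colon + 2 + name_len + 1          # ':' before the member count
            count_end = data.index(b":", colon + 1)
            count = int(data[colon + 1:count_end])
            p = count_end + 2                         # skip ':{'
        else:
            count = int(data[pos + 2:colon])
            p = colon + 2
        items = []
        for _ in range(count):
            key, p = _parse(data, p)
            val, p = _parse(data, p)
            items.append((key, val))
        if data[p:p + 1] != b"}":
            raise ValueError("missing '}' at %d" % p)
        return (PhpObject(cls, items) if tag == b"O" else PhpArray(items)), p + 1
    raise ValueError("unknown tag %r at %d" % (tag, pos))


def _dump(value) -> bytes:
    """Serialize back; string lengths are recomputed here."""
    if value is None:
        return b"N;"
    if isinstance(value, bool):
        return b"b:%d;" % int(value)
    if isinstance(value, int):
        return b"i:%d;" % value
    if isinstance(value, float):
        return b"d:%s;" % repr(value).encode()
    if isinstance(value, bytes):
        return b's:%d:"%s";' % (len(value), value)
    body = b"".join(_dump(k) + _dump(v) for k, v in value.items)
    if isinstance(value, PhpObject):
        return b'O:%d:"%s":%d:{%s}' % (len(value.cls), value.cls, len(value.items), body)
    return b"a:%d:{%s}" % (len(value.items), body)


def _replace(value, old: bytes, new: bytes):
    """Apply the replacement inside every string value (keys are left alone)."""
    if isinstance(value, bytes):
        return value.replace(old, new)
    if isinstance(value, (PhpArray, PhpObject)):
        value.items = [(k, _replace(v, old, new)) for k, v in value.items]
    return value


def is_valid_serialized(field: bytes) -> bool:
    """True if the whole field is one well-formed serialized value."""
    try:
        _, end = _parse(field, 0)
        return end == len(field)
    except (ValueError, IndexError):
        return False


def safe_replace(field: bytes, old: bytes, new: bytes) -> bytes:
    """Serialization-aware equivalent of SQL REPLACE() for one DB field."""
    if not is_valid_serialized(field):
        return field.replace(old, new)               # plain text, e.g. post_content
    value, _ = _parse(field, 0)
    return _dump(_replace(value, old, new))


# Constructed sample: a widget option as wp_options.option_value might hold it.
SAMPLE_OPTION = b'a:2:{s:3:"url";s:18:"http://example.com";s:5:"count";i:3;}'

if __name__ == "__main__":
    naive = SAMPLE_OPTION.replace(b"http://", b"https://")
    print(naive, is_valid_serialized(naive))                                   # ... False
    fixed = safe_replace(SAMPLE_OPTION, b"http://", b"https://")
    print(fixed, is_valid_serialized(fixed))                                   # ... True
```

The same care applies when moving a site to a new domain. WP-CLI's `wp search-replace` performs this serialization-aware replacement for you; the plain SQL on the slide should stay limited to columns that hold plain text.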
  • 34. Deploy HTTPS – administration only
    Place this code into wp-config.php:
      define( 'FORCE_SSL_ADMIN', true );
    There is a problem with the mixed content in the Media Gallery: SSL Insecure Content Fixer + the „Simple“ settings
  • 35. SSL Insecure Content – settings
    (screenshot: fixes CSS, JS and images in the Media Gallery; fixes incorrect URLs in the content)
  • 36. Redirect from HTTP to HTTPS
    In .htaccess:
      <IfModule mod_rewrite.c>
      RewriteEngine On
      RewriteCond %{SERVER_PORT} !^443$
      RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
      RewriteBase /
      RewriteRule ^index.php$ - [L]
      RewriteCond %{REQUEST_FILENAME} !-f
      RewriteCond %{REQUEST_FILENAME} !-d
      RewriteRule . /index.php [L]
      </IfModule>
    * May differ on some hostings
  • 37. Other encrypted protocols
    • SFTP/SCP instead of FTP
    • SSH instead of Telnet
    • IMAPs (POP3s) instead of IMAP (POP3)
    • SMTP TLS/SMTP STARTTLS instead of SMTP
    • VPN
  • 38. How does the attack proceed?
    • Check publicly known information (domain owners, e-mail addresses, IPs, employees' names… recon-ng)
    • Active scan, identification – WP-scan
    • Aggressive scan – e.g. DirBuster (tries if particular folders exist – /phpmyadmin/, …)
    • Vulnerability tests – generate suspicious queries
    • Can be detected – causes many 404s
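The last bullet is the defender's hook: a directory brute-forcer produces a burst of 404s from one address, and the user-name harvesting from slide 21 shows up as ?author= requests. The added Python below (my example, not code from the deck, and not a substitute for the Fail2Ban setup on slide 59) parses Apache combined-format access log lines, keeps a sliding window of 404 responses per client and flags an address once it exceeds a threshold, plus any address that probes ?author=. The log lines, addresses, threshold (5 in 60 s) and window are constructed assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Apache/nginx "combined" log format: ip ident user [time] "method path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line: str):
    """Return a dict with ip, time, method, path, status; None for unparsable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "time": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],            # includes the query string, if any
        "status": int(m["status"]),
    }


def find_scanners(lines, max_404: int = 5, window_seconds: int = 60) -> dict:
    """Map flagged client IP -> reason.
    Rule 1: at least max_404 responses with status 404 within window_seconds.
    Rule 2: any request carrying author= (user-name harvesting, slide 21)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent 404s
    flagged = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["ip"] in flagged:
            continue
        ip = rec["ip"]
        if "author=" in rec["path"]:
            flagged[ip] = "author enumeration"
            continue
        if rec["status"] == 404:
            q = recent[ip]
            q.append(rec["time"])
            while (rec["time"] - q[0]).total_seconds() > window_seconds:
                q.popleft()      # drop 404s that fell out of the window
            if len(q) >= max_404:
                flagged[ip] = f"{len(q)} x 404 within {window_seconds}s"
    return flagged


# Constructed log excerpt: one scanner, one normal visitor, one enumeration probe.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2016:09:51:01 +0100] "GET / HTTP/1.1" 200 5123
203.0.113.7 - - [20/Feb/2016:09:51:02 +0100] "GET /phpmyadmin/ HTTP/1.1" 404 213
203.0.113.7 - - [20/Feb/2016:09:51:02 +0100] "GET /admin/ HTTP/1.1" 404 213
203.0.113.7 - - [20/Feb/2016:09:51:03 +0100] "GET /backup.zip HTTP/1.1" 404 213
203.0.113.7 - - [20/Feb/2016:09:51:03 +0100] "GET /old/ HTTP/1.1" 404 213
203.0.113.7 - - [20/Feb/2016:09:51:04 +0100] "GET /test/ HTTP/1.1" 404 213
198.51.100.22 - - [20/Feb/2016:09:52:10 +0100] "GET /about/ HTTP/1.1" 200 8120
198.51.100.22 - - [20/Feb/2016:09:52:12 +0100] "GET /favicon.ico HTTP/1.1" 404 213
192.0.2.55 - - [20/Feb/2016:10:03:40 +0100] "GET /?author=1 HTTP/1.1" 301 0
"""

if __name__ == "__main__":
    for ip, reason in find_scanners(SAMPLE_LOG.splitlines()).items():
        print(f"{ip:15} {reason}")
```

On the sample, the scanner trips the 404 rule on its fifth miss and the ?author= probe is flagged on its first request, while the visitor with a single missing favicon is left alone. In production the same two rules map directly onto Fail2Ban filters (slide 59), which act on the live log rather than on a batch.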
  • 41. XSS – really dangerous
    (screenshot: an overlay over the Edit Themes screen that reacts to mouse movement – onMouseMove)
  • 42. XSS – at its maximum
  • 43. Ask admin for help
    Subject: A security problem on wordcamp.cz
    Date: Sat, 20 FEB 2016 09:59:02 +0200
    From: HOSTING <your@amazing.hosting>
    To: <you>
    Dear customer,
    Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some Amazing Plugin“ which enables to gain full control over your website and attack other sites consequently. You need to disable the function „Uglyness“ until a patch is available – you can do so simply via the following link:
    http://<your-web>/wp-content/plugins/amazing-plugin/abc.php?xy=dG9obGUgamUgemx5IGtvZCA6LSk
    Please disable the function or delete the plugin, otherwise we will be forced to turn off your site.
    Regards,
    Your Amazing Hosting, Inc.
  • 44. Cross-site request forgery
    • When the system doesn't check the origin of the request
    (diagram: „Hi Admin, check this cool site!“ – the „cool site“ with lorem ipsum silently sends a request that creates a new user for the attacker)
    • The prevention is „signed“ forms (there is a unique token added by the server and checked after the submission)
    • WP uses „nonces“ (not all plugins use them…)
      /wp-admin/post.php?post=1&action=trash&_wpnonce=b192fc4204
  • 45. SQL Injection
    • Unsanitized inputs (again)
    • It is possible to modify DB queries and consequently obtain the complete data from DB
    • Interesting stuff in the DB:
      – E-mails
      – User names, hashed passwords
      – Auth Token for autologin Cookie
      – Credentials to external services
  • 46. Security plugins
    • My favourite combo: WordFence + BBQ: Block Bad Queries
    • Blocks invalid login attempts
    • Limits scans
    • File changes detection
    • Denies user logins harvesting
    • Denies PHP execution in uploads
    • Limits SPAM
    • Accesses the global attackers list
    • Filters out the suspicious queries
  • 48. WordFence – after installation
    • Level 2: more notifications, limiting invalid logins
    • Level 3: starts with the traffic limiting
    • Level 4: blocks invalid login names immediately
  • 49. http://lynt.cz WordFence – Live Traffic 10. 7. 2016 49
  • 50. http://lynt.cz WordFence – file changes detection 10. 7. 2016 50
  • 51. http://lynt.cz WordFence – traffic limiting 10. 7. 2016 51
  • 52. http://lynt.cz WordFence – login security 10. 7. 2016 52
  • 53. http://lynt.cz WordFence – other options 10. 7. 2016 53
  • 54. http://lynt.cz WordFence – other options 10. 7. 2016 54 Great plugin but unfortunatelly it lacks blocking of suspicious queries
  • 55. BBQ – simple plugin, no configuration – blocks suspicious queries
  E.g.: eval(, base64_, UNION * SELECT, wp-config.php, < …
  • 56. UPDATE 05/2016
  • There is a new „Firewall“ feature in WordFence since 6.1.1
  • It blocks suspicious queries
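What a request filter like the ones on slides 55 and 56 does, as an added mu-plugin example (my code, not BBQ's and not WordFence's firewall): it decodes and normalises the request URI and answers 403 when one of the patterns listed on slide 55 appears. The demo_ names, the file path, the log line format and the sample URIs in the self-test are constructed for this example; the WordPress functions used (add_action, status_header, nocache_headers) are core API.

```php
<?php
// Added example, not BBQ's or WordFence's code. Save as
// wp-content/mu-plugins/demo-bad-queries.php (path assumed).

// Patterns from slide 55, as regexes applied to the lower-cased, decoded,
// whitespace-normalised request. The key is what gets logged on a hit.
function demo_bad_request_patterns() {
    return array(
        'eval'          => '/eval\s*\(/',                 // PHP code execution attempts
        'base64'        => '/base64_/',                   // base64_decode() wrapped payloads
        'union select'  => '/union\s+(all\s+)?select/',   // SQL injection probes ("UNION * SELECT")
        'wp-config.php' => '/wp-config\.php/',            // attempts to read the configuration file
        'tag'           => '/</',                         // raw tags in the query string (XSS probes)
    );
}

// Returns the name of the first matching pattern, or null if the request
// looks clean.
function demo_match_bad_request( $request_uri ) {
    // Decode twice so a double-encoded "%253C" is seen as "<", then lower-case.
    $haystack = strtolower( urldecode( urldecode( $request_uri ) ) );
    // Fold SQL comments and runs of whitespace into one space so that
    // "UNION/**/SELECT" and "UNION   SELECT" both match the plain pattern.
    $haystack = preg_replace( '#(/\*.*?\*/|\s)+#', ' ', $haystack );
    foreach ( demo_bad_request_patterns() as $name => $regex ) {
        if ( preg_match( $regex, $haystack ) ) {
            return $name;
        }
    }
    return null;
}

// Inside WordPress: mu-plugins load before regular plugins and
// 'muplugins_loaded' fires right after them, so a hit is rejected before any
// plugin handles the request. The log line is for server-side tooling
// (Fail2Ban, Logstash) to pick up.
if ( function_exists( 'add_action' ) ) {
    add_action( 'muplugins_loaded', function () {
        $uri = isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '';
        $hit = demo_match_bad_request( $uri );
        if ( $hit !== null ) {
            $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-';
            error_log( sprintf( 'bad query blocked [%s] from %s: %s', $hit, $ip, $uri ) );
            status_header( 403 );
            nocache_headers();
            exit( 'Forbidden' );
        }
    } );
}

// Self-test with constructed sample URIs (run: php demo-bad-queries.php).
if ( PHP_SAPI === 'cli' && ! function_exists( 'add_action' ) ) {
    $samples = array(
        '/?s=wordcamp&paged=2'                               => null,
        '/?p=1%20UNION%2F%2A%2A%2FSELECT%201'                => 'union select',
        '/wp-admin/admin-ajax.php?f=..%2F..%2Fwp-config.php' => 'wp-config.php',
        '/?q=%253Cscript%253E'                               => 'tag',
    );
    foreach ( $samples as $uri => $expected ) {
        $result = demo_match_bad_request( $uri );
        printf( "%-55s %s\n", $uri, $result === $expected ? 'OK' : 'FAIL' );
    }
}
```

The "<" rule is the one most likely to hit legitimate traffic, so watch the log for false positives after deploying; a pattern list like this is a coarse net, not a replacement for fixing the unsanitised input in the code itself.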
  • 57. Recovery after infection
  • Stop the web (e.g. deny all in .htaccess)
  • Remove everything and restore from a clean backup / manual disinfection if no clean backup is available (FAR)
  • Eliminate the cause (usually by updating)
  • Change the FTP password
  • Change the DB password
  • Change users' passwords, check for unknown users
  • New crypto keys in wp-config.php: https://api.wordpress.org/secret-key/1.1/salt/
  • Check files for changes and evil code (Wordfence, Sucuri Scanner)
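The key-rotation step from this list, as an added CLI script (my code, not from the talk): it fetches fresh define() lines from the salt URL on the slide and swaps them into wp-config.php, refusing to touch the file unless all eight constants can be replaced. The demo_ function names and the default config path are assumptions.

```php
<?php
// Added example, not from the talk: rotate the keys and salts in wp-config.php
// using the API on the slide. Function names and the default path are assumed.
// Changing these constants invalidates every auth cookie, including any the
// attacker still holds, and every outstanding nonce.

// The eight constants WordPress reads; the salt API emits one define() each.
function demo_salt_constants() {
    return array(
        'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
        'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT',
    );
}

// Fetch new define() lines; null on any failure so we never write empty keys.
function demo_fetch_salts() {
    $body = @file_get_contents( 'https://api.wordpress.org/secret-key/1.1/salt/' );
    return ( $body !== false && substr_count( $body, 'define(' ) >= 8 ) ? $body : null;
}

// Replace each define('NAME', ...) line in $config with the line from $salts.
// Returns the rewritten text, or null if any of the eight could not be swapped,
// so a half-rotated file is never produced.
function demo_rotate_salts( $config, $salts ) {
    foreach ( demo_salt_constants() as $name ) {
        if ( ! preg_match( '/^define\(\s*\'' . $name . '\'\s*,.*$/m', $salts, $m ) ) {
            return null;
        }
        $new_line = $m[0];
        $count    = 0;
        // A callback avoids "$" and "\" in the random value being interpreted
        // as back-references in a preg_replace() replacement string.
        $config = preg_replace_callback(
            '/^define\(\s*[\'"]' . $name . '[\'"]\s*,.*$/m',
            function () use ( $new_line ) { return $new_line; },
            $config, 1, $count
        );
        if ( $count !== 1 ) {
            return null;
        }
    }
    return $config;
}

if ( PHP_SAPI === 'cli' ) {
    // Assumed default path; pass the real one as the first argument.
    $path   = isset( $argv[1] ) ? $argv[1] : '/var/www/example/wp-config.php';
    $config = file_get_contents( $path );
    $salts  = demo_fetch_salts();
    $new    = ( $config !== false && $salts !== null ) ? demo_rotate_salts( $config, $salts ) : null;
    if ( $new === null ) {
        fwrite( STDERR, "Could not rotate keys; $path left untouched.\n" );
        exit( 1 );
    }
    // Keep the old file readable only by the owner, then swap in the new one
    // atomically so a request never sees a partially written config.
    $backup = $path . '.bak-' . date( 'Ymd-His' );
    copy( $path, $backup );
    chmod( $backup, 0600 );
    file_put_contents( $path . '.tmp', $new );
    chmod( $path . '.tmp', fileperms( $path ) & 0777 );
    rename( $path . '.tmp', $path );
    echo "Keys and salts rotated; all sessions have been logged out.\n";
}
```

Run it as the user that owns wp-config.php, after the clean restore and the password changes, so the attacker's old cookies stop working at the same moment as the old credentials. The fetch needs allow_url_fopen and the openssl extension; without them, paste the lines from the URL into a file and read $salts from there instead. Move the .bak file out of the web root once you have confirmed the site still works.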
  • 58. Inspiration – how do we protect our sites?
  • wp-login.php accessible only from the Czech Republic (GeoIP module)
  • Blocked xmlrpc.php and some other files + disabled PHP in uploads
  • Comment spam blocking (NoSpamNX) + Ping/Trackback filter (Topsy Blocker)
  • Bulk updates management
  • Site isolation
  • HTTP headers:
  – X-Frame-Options SAMEORIGIN
  – X-XSS-Protection "1; mode=block"
  – X-Content-Type-Options nosniff
  • Deletion of unused themes and plugins
  • 59. Inspiration – how do we protect our sites?
  • Fail2Ban (invalid login attempts, too many 404s; https://wordpress.org/plugins/wp-fail2ban/)
  • Suspicious queries filtering (server-side)
  • Real-time log (Logstash) and error (Sentry) analysis
  • Server monitoring (Zabbix)
  • File changes detection + malware analysis – Maldet + YARA
  • Daily server-side backups (plugins can be used as well: BackWPup, UpdraftPlus, BackupBuddy)
  • Watch current resources about new threats
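Three of the measures on slides 58 and 59 done from inside WordPress, as an added mu-plugin example (my code, not the speakers' own setup and not the wp-fail2ban plugin): the three response headers, switching off authenticated XML-RPC, and syslog lines for failed logins and 404s that a Fail2Ban filter can match. The demo_ names, the file path and the log line format are assumptions; the hooks (send_headers, xmlrpc_enabled, wp_headers, wp_login_failed, template_redirect) are core API.

```php
<?php
// Added example, not the talk's own setup nor the wp-fail2ban plugin. Save as
// wp-content/mu-plugins/demo-hardening.php (path assumed).

// 1. Response headers from slide 58, sent for every front-end request.
add_action( 'send_headers', function () {
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( 'X-XSS-Protection: 1; mode=block' );
    header( 'X-Content-Type-Options: nosniff' );
} );

// 2. XML-RPC. The 'xmlrpc_enabled' filter switches off the methods that need
// a login (the brute-force path via system.multicall); pingback.ping stays
// reachable, so blocking xmlrpc.php at the web server as on the slide still
// makes sense. Dropping X-Pingback stops advertising the endpoint.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 3. Log lines for Fail2Ban. They go to the auth facility of syslog so the
// jail can watch the system auth log (or the journal) rather than access logs.
function demo_client_ip() {
    // REMOTE_ADDR only: trusting X-Forwarded-For from arbitrary clients would
    // let a visitor choose which address gets banned. If a reverse proxy sits
    // in front, configure the web server to set REMOTE_ADDR from the proxy.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

function demo_syslog( $message ) {
    openlog( 'wordpress', LOG_NDELAY | LOG_PID, LOG_AUTH );
    syslog( LOG_NOTICE, $message );
    closelog();
}

// Fires once per failed login; the username is reduced to a single token so
// an attacker cannot inject spaces or newlines that confuse the regex.
add_action( 'wp_login_failed', function ( $username ) {
    $user = preg_replace( '/[^\w.@-]/', '_', (string) $username );
    demo_syslog( sprintf( 'Authentication failure for %s from %s', $user, demo_client_ip() ) );
} );

// Too many 404s from one address is the second trigger on slide 59.
add_action( 'template_redirect', function () {
    if ( is_404() ) {
        demo_syslog( sprintf( 'Not found from %s', demo_client_ip() ) );
    }
} );
```

A Fail2Ban filter for the first line can use a failregex such as `Authentication failure for .* from <HOST>`, with a second filter and a higher maxretry for the `Not found from <HOST>` lines; keep the 404 threshold generous, since crawlers and broken links produce those too.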
  • 60. Resources
  • Information about vulnerabilities:
  • https://www.owasp.org/
  • https://wpvulndb.com/
  • https://blog.sucuri.net/
  • https://www.wordfence.com/blog/
  • https://packetstormsecurity.com/
  • https://www.reddit.com/r/xss
  • My presentation from last year: http://www.slideshare.net/vsmitka/wordpress-security-for-everone
  • 61. Homework for tomorrow
  □ Check for unique crypto keys in wp-config.php
  □ Create a backup
  □ Remove unused plugins
  □ Remove all unused themes (you can keep one of the default themes and the parent theme)
  □ Lower user rights
  □ Update everything
  • 62. Thank you for your attention
  Update, backup, use a security plugin, be careful