5. Your Host
7/30/2013
Who is your host?
How do you connect to the server?
FTP, SFTP, SSH
What security does your host use? Do they use any web security?
What will your host do if you get hacked?
Will they shut your site down?
Will they kick you off their server?
Will they fix it for you?
IF YOU DON'T KNOW WHAT YOU'RE DOING, GO WITH A MANAGED SOLUTION
6. Connecting
If you don't need it, disable it
SFTP / SSH is preferred
FTP works fine – disable it if you're not using it; don't talk to me if you are (FTP sends the password in the clear)
FTP/SFTP != WP-ADMIN – the file-transfer login and the WordPress admin login are separate credentials; secure both
Least Privilege
You don't have to log in to FTP / SFTP with full root access
Everyone doesn't need to be an admin
You don't need to log in as admin
The focus is on the role, not the name of the user
Accountability – kill generic accounts – who is doing what?
7. Attack Type: Opportunistic vs. Targeted
Opportunistic
Trolling the web looking for known vulnerabilities
Ability for mass exposure
Think "TimThumb"
Targeted
Big enterprises with large followings: WordPress.com, WooThemes
Worth investing time and energy to compromise; bigger return
11. NOTHING FANCY HERE.. THE FACTS
The How
“Own one Own them All”
12. Application Environment
Today's Exploits:
Injections
Remote File Inclusion
Remote File Execution
Brute Force / Dictionary
Privilege Escalation
You Control:
Brute Force / Dictionary
Remote File Inclusion
Remote File Execution
13. Top 5 WordPress Infections
Backdoors
Difficult to Detect via HTTP
Injections
Easy to Detect via HTTP
Pharma Hack
Best person to detect is the owner; difficult to detect via HTTP (the spam is usually cloaked and served only to search-engine crawlers, so a normal visitor never sees it)
Malicious Redirects
Easy to Detect via HTTP
Defacements
Pretty obvious – you're now supporting the Syrian fight or preaching to your Turkish brothers
18. Common Vectors
Vulnerable Software
Often associated with Out-of-date software
WordPress Themes / Plugins, more so than Core
Cross-Site Contamination – soup kitchen servers: many unrelated sites under one account, so one compromised site infects the rest
Compromised Credentials
Password123, Password1, 111111a = not cool
Remote File Inclusion – leads to remote execution; think TimThumb, Uploadify, etc.
"38% of us Would Rather Clean a Toilet Than Think of New Password" – Mashable
19. SIMPLE IS SO MUCH SWEETER…
Make it STOP
"The question isn't who is going to let me; it's who is going to stop me."
20. The Key is Access
In almost all instances the key is access, whether via:
WP-ADMIN
SSH / SFTP (Port 22)
FTP (Port 21) => You are dead to me!!! :)
Remote File Inclusion – vulnerabilities in TimThumb / Uploadify – you can't avoid zero-day events, but you can stay proactive once they are identified
Doesn't include environmental issues
Myth: removing the "admin" user secures the site
Fact: brute-forcing a 10-character password is put at about 1,700 years (the figure depends on the character set and the attacker's guess rate). Today, dictionary attacks are the preferred method. Either way, the attacker needs many login attempts.
The "administrator" role matters more than the "administrator" or "admin" user name.
21. This is What Matters - KISS
From an access standpoint:
Server WAF
Application WAF
Two-Factor Authentication
Strong / Unique Password
Secure Environment
From a vulnerability standpoint:
Stay Current
Use Trusted Sources
Avoid Soup Kitchen Servers
Separate Staging from Production
Secure Environment
22. My Advice
To the Average Joe:
1. Kill PHP Execution
2. Disable Theme / Plugin Editing via Admin
3. Connect Securely – SFTP / SSH
4. Use Authentication Keys in wp-config
5. Use Trusted Sources
6. Use a local Antivirus – yes, Macs need one
7. Verify your permissions – D 755 | F 644
8. Least Privilege
9. Kill generic accounts – accountability
10. Backup your site – yes, the database too
To the Paranoid / Lucky:
1. Don't let WordPress write to itself
2. Filter by IP: SSH access, WP-ADMIN access, database access
3. Use a dedicated server / VPS
4. Employ a WAF / logging solution
5. Enable SSL
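Item 7 (D 755 | F 644) and the first "paranoid" item (don't let WordPress write to itself) are both permission checks you can script. The following is an added example, not code from the deck: it counts directories and files that are off the baseline, lists anything world-writable, applies the fix, and has a function to list files the web server user owns outside uploads. The demo tree is constructed in a temp directory; the WP_ROOT and WEB_USER names in the comments are assumptions for real use, and wp-config.php is held at 600 because it carries the database credentials and salts.

```shell
#!/bin/sh
# Added example, not code from the original deck: enforce the D 755 / F 644
# baseline and show what the web server user can overwrite. The demo tree
# below is constructed; on a real install pass the WordPress root (WP_ROOT)
# and the web server account (WEB_USER, e.g. www-data), both assumptions.

# Count directories that are not 0755 and files that are not 0644.
# wp-config.php is the exception: it holds DB credentials and salts, so 0600.
count_bad_perms() {
    dir=$1
    d=$(find "$dir" -type d ! -perm 755 | wc -l | tr -d ' ')
    f=$(find "$dir" -type f ! -name wp-config.php ! -perm 644 | wc -l | tr -d ' ')
    c=0
    if [ -f "$dir/wp-config.php" ] && ! find "$dir/wp-config.php" -perm 600 | grep -q .; then
        c=1
    fi
    echo $((d + f + c))
}

# World-writable entries are what an injected script needs to persist.
list_world_writable() {
    find "$1" ! -type l -perm -002
}

# Apply the baseline.
fix_perms() {
    dir=$1
    find "$dir" -type d -exec chmod 755 {} +
    find "$dir" -type f -exec chmod 644 {} +
    [ -f "$dir/wp-config.php" ] && chmod 600 "$dir/wp-config.php"
    return 0
}

# Files the web server user owns outside uploads: anything listed can be
# rewritten by a compromised PHP process. Empty output is the goal.
# Usage: list_web_user_owned "$WP_ROOT" "$WEB_USER"
list_web_user_owned() {
    find "$1" -user "$2" ! -path "*/wp-content/uploads/*"
}

# --- demo on a constructed tree ---
umask 022
DEMO=$(mktemp -d)
chmod 755 "$DEMO"
mkdir -p "$DEMO/wp-content/uploads" "$DEMO/wp-includes"
printf '<?php // constructed\n' > "$DEMO/wp-config.php"
printf '<?php // constructed\n' > "$DEMO/wp-includes/load.php"
printf 'GIF89a' > "$DEMO/wp-content/uploads/x.gif"
chmod 777 "$DEMO/wp-content/uploads"    # the classic "make uploads work" mistake
chmod 666 "$DEMO/wp-config.php"         # credentials readable by every local user
chmod 664 "$DEMO/wp-includes/load.php"  # group-writable core file

BEFORE=$(count_bad_perms "$DEMO")                             # 3
WW_BEFORE=$(list_world_writable "$DEMO" | wc -l | tr -d ' ')  # 2
fix_perms "$DEMO"
AFTER=$(count_bad_perms "$DEMO")                              # 0
WW_AFTER=$(list_world_writable "$DEMO" | wc -l | tr -d ' ')   # 0
echo "offenders before=$BEFORE after=$AFTER, world-writable before=$WW_BEFORE after=$WW_AFTER"
rm -rf "$DEMO"
```

The ownership check is the one that actually delivers "don't let WordPress write to itself": chmod alone does not help if the PHP process owns the files, because it can chmod them back. Run list_web_user_owned against the real root and move ownership of everything outside wp-content/uploads to a deploy account.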
23. Kill PHP Execution
The idea is not to let them execute any PHP files from directories that should only hold static content. You do so by adding this in an .htaccess file in the directory of choice. Recommendation: wp-includes and wp-content/uploads (uploads is where a malicious "image" lands; test the post editor after locking down wp-includes, since older releases served TinyMCE from a PHP file there). .htaccess only applies to Apache; on nginx the equivalent rule goes in the server's location config.
# PROTECT [Directory Name]
# Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for "Deny from all"
<Files *.php>
Deny from all
</Files>
24. Disable Plugin/Theme Editor
Add to wp-config.php – if an admin account is compromised, the attacker won't be able to edit theme or plugin files from the dashboard (this removes the Theme/Plugin Editor; it does not block uploading a new plugin, which DISALLOW_FILE_MODS covers).
# Disable Plugin / Theme Editor
define('DISALLOW_FILE_EDIT', true);
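The two wp-config / .htaccess items above, plus item 4 from slide 22 (authentication keys in wp-config), can be applied and audited from the shell. The following is an added example, not code from the deck: it writes the "kill PHP execution" rule in a form that works on both Apache 2.2 (Deny from all) and 2.4 (Require all denied), and checks wp-config.php for an active DISALLOW_FILE_EDIT and for the placeholder salts shipped in wp-config-sample.php. The config files in the demo are constructed; paths and the sample salt value are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original deck: write the "kill PHP
# execution" rule in a 2.2/2.4-compatible form and audit wp-config.php for
# DISALLOW_FILE_EDIT and for default salts. Demo files are constructed.

# Drop a .htaccess that refuses to serve any .php from the directory.
# Both syntaxes are wrapped in <IfModule> so the file never causes a 500 on
# a 2.4 server without mod_access_compat or a 2.2 server without
# mod_authz_core. Nginx ignores .htaccess entirely; use a location block.
write_php_block() {
    cat > "$1/.htaccess" <<'EOF'
# PROTECT: no PHP may be executed from this directory
<Files *.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order deny,allow
    Deny from all
  </IfModule>
</Files>
EOF
}

# Succeeds only if the directory's .htaccess denies *.php.
php_blocked() {
    f=$1/.htaccess
    [ -f "$f" ] || return 1
    grep -q '<Files \*\.php>' "$f" || return 1
    grep -Eq 'Require all denied|Deny from all' "$f"
}

# Strip PHP comment lines so a commented-out define() does not count.
active_lines() {
    grep -Ev '^[[:space:]]*(//|#|\*|/\*)' "$1"
}

# Succeeds only if an active line sets DISALLOW_FILE_EDIT to true
# (PHP function names are case-insensitive, so "Define(" is accepted).
file_edit_disabled() {
    active_lines "$1" |
      grep -Eq "[Dd]efine[[:space:]]*\([[:space:]]*['\"]DISALLOW_FILE_EDIT['\"][[:space:]]*,[[:space:]]*true[[:space:]]*\)"
}

# Succeeds only if no key or salt still carries the wp-config-sample.php
# placeholder; stale placeholders leave cookies forgeable.
salts_customized() {
    ! active_lines "$1" | grep -q 'put your unique phrase here'
}

# --- demo on constructed files ---
DEMO=$(mktemp -d)
mkdir -p "$DEMO/wp-content/uploads"
write_php_block "$DEMO/wp-content/uploads"
php_blocked "$DEMO/wp-content/uploads" && UPLOADS_OK=1 || UPLOADS_OK=0   # 1
php_blocked "$DEMO/wp-includes" && INCLUDES_OK=1 || INCLUDES_OK=0         # 0: nothing written there

CFG1=$DEMO/wp-config-weak.php     # constructed: editor on, default salt
printf '%s\n' '<?php' \
  "// define('DISALLOW_FILE_EDIT', true);   // commented out, not active" \
  "define('DISALLOW_FILE_EDIT', false);" \
  "define('AUTH_KEY', 'put your unique phrase here');" > "$CFG1"
file_edit_disabled "$CFG1" && EDIT_OK1=1 || EDIT_OK1=0     # 0
salts_customized "$CFG1" && SALT_OK1=1 || SALT_OK1=0       # 0

CFG2=$DEMO/wp-config-hard.php     # constructed: editor off, salt replaced
printf '%s\n' '<?php' \
  "define( 'DISALLOW_FILE_EDIT', true );" \
  "define('AUTH_KEY', 'x8Qz p2Lw vN0rT cE7mB4hJ sK1dF9 constructed');" > "$CFG2"
file_edit_disabled "$CFG2" && EDIT_OK2=1 || EDIT_OK2=0     # 1
salts_customized "$CFG2" && SALT_OK2=1 || SALT_OK2=0       # 1
echo "uploads=$UPLOADS_OK includes=$INCLUDES_OK edit=$EDIT_OK1/$EDIT_OK2 salts=$SALT_OK1/$SALT_OK2"
rm -rf "$DEMO"
```

Point php_blocked at each directory you protected after every host migration or Apache upgrade; a changed default (2.2 to 2.4) is exactly when a bare "Deny from all" silently stops working.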
Pundits will argue that admin is half the battle and most users use poor passwords. Education is my focus. Using a strong password is arguably easier and more effective. randomly generated using characters, would