3. http://lynt.cz 10. 7. 2016
Updated / Obsolete
Web developers should push their customers to pay for support and provide it responsibly.
Customers should be willing to accept it – the website is in fact one of their employees.
4. http://lynt.cz
What is the current status?
• Comprehensive research of 65 000 Czech sites, 04/2015
http://lynt.cz/blog/wordpress-in-the-czech-complex-research
WP versions (chart)
6. http://lynt.cz
Status 2 days ago
Number of sites per still-updated WP version (chart):
Version   Sites
3.7.13    247
3.8.13    1779
3.9.10    2229
4.0.10    2570
4.1.10    2946
4.2.7     4305
4.3.3     4695
4.4.2     15225
7. http://lynt.cz
Status 2 days ago (02/2016)
25 % of WP sites run on 3.6 or lower – security updates are no longer provided
18 % of WP sites on 3.7 or higher haven‘t installed the latest security updates yet
= at least 40 % of Czech WP sites contain security issues
WP versions recency (chart):
Current version – 27 %
Supported versions with updates – 30 %
Supported versions without updates – 18 %
Unsupported versions – 28 %
8. http://lynt.cz
What does it mean?
• I ran the annual WordCamp HACK campaign!
• Almost 1000 reports about critical
vulnerabilities or hacked sites were sent
• More than 300 vulnerable Slider Revolution
plugins discovered!
• A WordCamp invitation was included
• Responses from owners and developers of the
affected sites were less than warm…
9. http://lynt.cz
How to manage updates?
• WP Updates Notifier plugin sends an e-mail when
an update is available
• Tools allowing bulk management:
– InfiniteWP
– ManageWP
– WP Remote
• How to turn on the auto-update feature (put the code into an mu-plugin):
<?php
// Auto-install every plugin and theme update as soon as WP-Cron finds it.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
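As an added example (not from the talk), an mu-plugin that auto-updates only an allowlist of plugins and themes and logs the outcome; the slugs in the allowlist and the function names are made up for the example:

```php
<?php
/*
 * Plugin Name: Selective auto-updates (added example)
 * Put this file into wp-content/mu-plugins/ – it is always active.
 */

// Constructed allowlist: only these slugs update without anyone looking.
// Everything else still shows up in the WP Updates Notifier e-mail.
function lynt_example_auto_plugins() {
    return array( 'akismet', 'wordfence', 'block-bad-queries' );
}
function lynt_example_auto_themes() {
    return array( 'twentysixteen' );
}

// $item is the update object WordPress hands to the filter; for plugins
// ->slug is the plugin directory name, for themes ->theme is the stylesheet.
function lynt_example_auto_update_plugin( $update, $item ) {
    if ( ! isset( $item->slug ) ) {
        return $update; // unexpected shape: keep core's default decision
    }
    return in_array( $item->slug, lynt_example_auto_plugins(), true );
}
add_filter( 'auto_update_plugin', 'lynt_example_auto_update_plugin', 10, 2 );

function lynt_example_auto_update_theme( $update, $item ) {
    if ( ! isset( $item->theme ) ) {
        return $update;
    }
    return in_array( $item->theme, lynt_example_auto_themes(), true );
}
add_filter( 'auto_update_theme', 'lynt_example_auto_update_theme', 10, 2 );

// Minor core releases (the x in 4.4.x) carry the security fixes and are
// auto-installed by default; make sure nothing else switches that off.
add_filter( 'allow_minor_auto_core_updates', '__return_true' );

// Record every automatic update in the PHP error log, so a failed update is
// noticed even when the notification e-mail is never read.
add_action( 'automatic_updates_complete', function ( $results ) {
    foreach ( $results as $type => $updates ) {
        foreach ( $updates as $u ) {
            $name = isset( $u->name ) ? $u->name : 'unknown';
            $ok   = ( true === $u->result ) ? 'ok' : 'FAILED';
            error_log( "auto-update {$type} {$name}: {$ok}" );
        }
    }
} );
```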
10. http://lynt.cz
Infinite WP
• Self-hosted
• Base version for free (fully functional, no limits)
• Just install the InfiniteWP Client plugin + copy&paste credentials
12. http://lynt.cz
Automated testing
• If you are afraid that something important breaks after an update, it is possible to write automated tests
• Casper.js
• Selenium
• GhostPy
• Online services: http://www.testomato.com/, ...
14. http://lynt.cz
What the hell do they want?
• How do I know?
=> I analyzed many compromised systems + I run honeypots
• http://pot.lynt.cz – it emulates an older WP with some vulnerabilities and there is also a fake SSH access
15. http://lynt.cz
Honey Pot
• How long did it take from the launch of a new machine to the first attacks?
12 minutes
• The Internet is dangerous – accept this fact and be prepared
16. http://lynt.cz
Ok, what do they want?
• Inject malicious code to infect visitors and to show their ads
• Send spam
• Attack other servers
• Gain sensitive data
• Shut down your site/the whole server
17. http://lynt.cz
What does the uploaded evil code do?
The simplest backdoor:
eval($_POST[sam]);
Remote shell – e.g. b374k
Scripts to enable more attacks:
• Password cracking
• SPAM sending
• Simple UDP flood script
The first mention of Simple UDP flood is from 2004:
https://forums.cpanel.net/threads/script-in-tmp-made-by-hacker.33184/
18. http://lynt.cz
What methods do they use?
• Login
• Comments
• Particular bugs in plugins, themes or WP core
• Tapping (eavesdropping)
• Phishing
• Cross-site infection through other sites on a shared hosting
Prepared backdoors:
„Hi, does anyone have experience with the ### site? They offer plugins for just a few bucks.“
„They sell stolen plugins without a license; you can download them for free somewhere on the Internet.“
23. http://lynt.cz
…or ask you directly
Subject: A security problem on wordcamp.cz
Date: Sat, 20 FEB 2016 09:51:48 +0200
From: HOSTING <your@amazing.hosting>
To: <you>
Dear customer,
Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some Amazing Plugin“ which enables an attacker to gain full control over your website and consequently attack other sites.
There is no official patch available yet but our team can fix the issue manually. For this purpose we need your credentials to your WP administration.
Send them ASAP to stop the attacks. Otherwise we will be forced to turn off your site.
Regards,
Your Amazing Hosting, Inc.
24. http://lynt.cz
XML RPC
• /xmlrpc.php
• This protocol allows remote control of your site from various applications – e.g. post publishing
• The protocol is used rarely
• But some plugins use it – JetPack
• The system.multicall function allowed an attacker to test hundreds of passwords with one call (disclosed and fixed in September 2015)
• If you want to use XML-RPC, allow it only from particular IP addresses
Block via .htaccess:
<Files "xmlrpc.php">
# Apache 2.2 syntax; on Apache 2.4 it needs mod_access_compat
Order Allow,Deny
Deny from all
</Files>
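As an added example (not from the talk), the same restriction done inside WordPress with an mu-plugin instead of .htaccess, for hosts where the web server config cannot be edited; the IP addresses are constructed placeholders and the function names are made up:

```php
<?php
/*
 * Plugin Name: Restrict XML-RPC (added example)
 * Keeps xmlrpc.php usable for an allowlist of client IPs (e.g. the Jetpack
 * servers you rely on) and removes system.multicall for everybody.
 */

function lynt_example_xmlrpc_allowed_ips() {
    // Constructed placeholders from the TEST-NET range; put your real ones here.
    return array( '203.0.113.10', '203.0.113.11' );
}

function lynt_example_client_ip() {
    // REMOTE_ADDR is filled in by the web server itself. Do not trust
    // X-Forwarded-For here unless a proxy you control sets it.
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

// 1. Refuse every authenticated XML-RPC call unless the client is allowlisted.
//    (Core checks this filter in the login step, so pingbacks, which need no
//    login, are not covered by it – see step 3.)
add_filter( 'xmlrpc_enabled', function ( $enabled ) {
    return in_array( lynt_example_client_ip(), lynt_example_xmlrpc_allowed_ips(), true );
} );

// 2. Drop system.multicall even for allowed clients: it is the method that let
//    one request try hundreds of passwords. Most publishing clients work
//    without it; restore it only if yours does not.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['system.multicall'] );
    return $methods;
} );

// 3. Remove the pingback methods and the X-Pingback header that advertises
//    them, so the endpoint cannot be abused to flood other sites with pingbacks.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```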
27. http://lynt.cz
Crypto keys in wp-config.php
define('AUTH_KEY', 'put your unique phrase here');
define('SECURE_AUTH_KEY', 'put your unique phrase here');
define('LOGGED_IN_KEY', 'put your unique phrase here');
define('NONCE_KEY', 'put your unique phrase here');
define('AUTH_SALT', 'put your unique phrase here');
define('SECURE_AUTH_SALT', 'put your unique phrase here');
define('LOGGED_IN_SALT', 'put your unique phrase here');
define('NONCE_SALT', 'put your unique phrase here');
You can obtain new ones from:
https://api.wordpress.org/secret-key/1.1/salt/
The HACK campaign discovered that 16 % of sites with a vulnerability in Slider Revolution also used the default crypto keys.
If you install WP by renaming wp-config-sample.php, don‘t forget to change the crypto keys!
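An added example (not from the talk) of a command-line checker for the crypto keys: it reports constants still set to the default or too short, and generates replacements locally with the character set WordPress itself uses for salts, so the check does not depend on the api.wordpress.org endpoint. The file path is given as an argument; a constructed sample is used when none is, and the helper names are made up:

```php
<?php
// Usage: php check-keys.php /path/to/wp-config.php

function lynt_example_key_names() {
    return array( 'AUTH_KEY', 'SECURE_AUTH_KEY', 'LOGGED_IN_KEY', 'NONCE_KEY',
                  'AUTH_SALT', 'SECURE_AUTH_SALT', 'LOGGED_IN_SALT', 'NONCE_SALT' );
}

// 64 characters from the set wp_generate_password() uses with extra specials;
// it contains no quote or backslash, so the value can be pasted into define().
function lynt_example_random_key( $length = 64 ) {
    $chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789'
           . '!@#$%^&*()-_ []{}<>~`+=,.;:/?|';
    $out = '';
    for ( $i = 0; $i < $length; $i++ ) {
        $out .= $chars[ random_int( 0, strlen( $chars ) - 1 ) ]; // CSPRNG (PHP 7+)
    }
    return $out;
}

// Returns name => 'ok' | 'DEFAULT' | 'SHORT' | 'MISSING' for the eight constants.
function lynt_example_check_keys( $config_source ) {
    $report = array();
    foreach ( lynt_example_key_names() as $name ) {
        // define('NAME', 'value'); with either quote style and optional spaces
        $re = '/define\(\s*[\'"]' . $name . '[\'"]\s*,\s*([\'"])(.*?)\1\s*\)/s';
        if ( ! preg_match( $re, $config_source, $m ) ) {
            $report[ $name ] = 'MISSING';
        } elseif ( 'put your unique phrase here' === $m[2] ) {
            $report[ $name ] = 'DEFAULT';
        } elseif ( strlen( $m[2] ) < 32 ) {
            $report[ $name ] = 'SHORT';
        } else {
            $report[ $name ] = 'ok';
        }
    }
    return $report;
}

// Constructed sample used when no path is given: one key changed, one default, the rest missing.
$source = isset( $argv[1] ) ? file_get_contents( $argv[1] )
        : "define('AUTH_KEY', 'Kx9#2pLq!vR7mZ4n(Tb8^Wc3)Yd6_Je1+Ha5}Fg0{Ui4<Os2>Pa9~Lk7`Mv3');\n"
        . "define('SECURE_AUTH_KEY', 'put your unique phrase here');\n";

foreach ( lynt_example_check_keys( $source ) as $name => $state ) {
    echo str_pad( $name, 18 ), $state, "\n";
    if ( 'ok' !== $state ) {
        echo "  define('", $name, "', '", lynt_example_random_key(), "');\n";
    }
}
```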
28. http://lynt.cz
WordPress 4.0+
You can invalidate the „remember me“ token and log off all users
36 % of WP websites use an older version
User profile: (screenshot)
30. http://lynt.cz
Higher rights – higher risks
• Subscriber
– Can read posts and edit their profile. The main benefit is easier commenting.
• Contributor
– Can write new posts but can‘t publish them (an Editor or Administrator has to publish them). Doesn‘t have access to the Media Gallery (can embed images from external sources) – useful for guest blogging.
• Author
– Can manage their own posts and the comments on them. Has access to the Media Gallery. Can‘t manage pages.
• Editor
– Can manage all content – posts, pages, comments, categories. Can use JavaScript in comments.
• Administrator
– All rights – content, plugins, themes, widgets, menus. A good practice is not to create content with the admin account.
• SuperAdministrator (only in WP multisite) – manages the network
31. http://lynt.cz
Privileges customization
• Rights are editable – e.g. if a person needs to change the menu, they don‘t need the admin rights:
• Use the plugin User Role Editor
• Or use similar code (https://codex.wordpress.org/Roles_and_Capabilities):
<?php
// Let editors change menus, widgets and theme options without admin rights.
// add_cap() is stored in the database, so run it once (e.g. on plugin
// activation), not on every page load.
$role_object = get_role( 'editor' );
$role_object->add_cap( 'edit_theme_options' );
32. http://lynt.cz
HTTPS
• SSL certificates are cheap (finally):
• < 8 $/year – e.g. ssls.cz
• Free – Let‘s Encrypt (needs support on the server)
• 2 options
– Whole web on HTTPS (better)
– Only administration on HTTPS
git clone https://github.com/letsencrypt/letsencrypt /opt/letsencrypt
./letsencrypt-auto --apache -d <my-web> -d www.<my-web>
Renewal script: http://do.co/le-renew (le-renew <my-web>)
33. http://lynt.cz
Deploy HTTPS – whole web
• Ask your host/admin to set up the certificate
• Try if it works
• Settings – General
You can also set it in wp-config.php – it saves DB queries:
define('WP_HOME', 'https://<my-web>');
define('WP_SITEURL', 'https://<my-web>');
• There is a problem with mixed content – WP makes absolute links – you need to fix it
• SSL Insecure Content Fixer
• Fix in admin – one by one
• Fix in DB:
UPDATE wp_posts SET post_content = REPLACE(post_content, 'http://<my-web>', 'https://<my-web>');
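The REPLACE() above is fine for post_content, but wp_options and the *_meta tables often hold PHP-serialized arrays whose stored string lengths no longer match once 'http' becomes 'https', which corrupts the value. As an added example (not from the talk), a replacement that re-serializes such values, the way WP-CLI's search-replace does; the function names are made up and $wpdb is assumed to be WordPress's database object:

```php
<?php
// Replace $from with $to in a string, descending into PHP-serialized data so
// that every s:N length is recomputed instead of left stale.
function lynt_example_replace_deep( $value, $from, $to ) {
    if ( is_string( $value ) ) {
        // allowed_classes => false keeps unserialize() from instantiating
        // arbitrary classes stored in the database (PHP 7+).
        $data = @unserialize( $value, array( 'allowed_classes' => false ) );
        if ( false !== $data || 'b:0;' === $value ) {
            return serialize( lynt_example_replace_deep( $data, $from, $to ) );
        }
        return str_replace( $from, $to, $value );
    }
    if ( is_array( $value ) ) {
        foreach ( $value as $k => $v ) {
            $value[ $k ] = lynt_example_replace_deep( $v, $from, $to );
        }
    }
    // Objects (incomplete classes) are left untouched and round-trip as they were.
    return $value;
}

// Rewrite one column of one table row by row; returns the number of changed rows.
// Table and column names come from $wpdb / your code, never from user input.
function lynt_example_migrate_column( $wpdb, $table, $id_col, $col, $from, $to ) {
    $changed = 0;
    foreach ( $wpdb->get_results( "SELECT `$id_col`, `$col` FROM `$table`" ) as $row ) {
        $new = lynt_example_replace_deep( $row->$col, $from, $to );
        if ( $new !== $row->$col ) {
            $wpdb->update( $table, array( $col => $new ), array( $id_col => $row->$id_col ) );
            $changed++;
        }
    }
    return $changed;
}

// Run inside WordPress (e.g. from a one-off mu-plugin), then delete the file:
// lynt_example_migrate_column( $wpdb, $wpdb->options, 'option_id', 'option_value', 'http://<my-web>', 'https://<my-web>' );
// lynt_example_migrate_column( $wpdb, $wpdb->postmeta, 'meta_id', 'meta_value', 'http://<my-web>', 'https://<my-web>' );

// Stand-alone demonstration on a constructed serialized option value:
$sample = serialize( array( 'logo' => 'http://example.org/logo.png', 'width' => 300 ) );
echo $sample, "\n";
echo lynt_example_replace_deep( $sample, 'http://example.org', 'https://example.org' ), "\n";
```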
34. http://lynt.cz
Deploy HTTPS – administration only
Place this code into wp-config.php:
define( 'FORCE_SSL_ADMIN', true );
There is a problem with mixed content in the Media Gallery:
SSL Insecure Content Fixer + the „Simple“ settings
35. http://lynt.cz
SSL Insecure Content Fixer – settings (screenshot)
Fixes CSS, JS and images in the Media Gallery
Fixes incorrect URLs in the content
36. http://lynt.cz
Redirect from HTTP to HTTPS
In .htaccess:
<IfModule mod_rewrite.c>
RewriteEngine On
# Redirect every request that did not arrive on port 443 to the HTTPS URL
# (behind a proxy that terminates TLS, SERVER_PORT may not be 443)
RewriteCond %{SERVER_PORT} !^443$
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R,L]
# Standard WordPress front-controller rules follow
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
* May differ on some hosting providers
43. http://lynt.cz
Ask admin for help
Subject: A security problem on wordcamp.cz
Date: Sat, 20 FEB 2016 09:59:02 +0200
From: HOSTING <your@amazing.hosting>
To: <you>
Dear customer,
Your website wordcamp.cz running on WordPress contains a serious security problem in the „Some Amazing Plugin“ which enables an attacker to gain full control over your website and consequently attack other sites.
You need to disable the function „Uglyness“ until a patch is available – you can do so simply via the following link:
http://<your-web>/wp-content/plugins/amazing-plugin/abc.php?xy=dG9obGUgamUgemx5IGtvZCA6LSk
Please disable the function or delete the plugin, otherwise we will be forced to turn off your site.
Regards,
Your Amazing Hosting, Inc.
44. http://lynt.cz
Cross-site request forgery
• When the system doesn‘t check the origin of the request
(diagram: „Hi Admin, check this cool site!“ – the „cool site“ with its Lorem ipsum text silently sends a request that creates a new user for the attacker)
• The prevention is „signed“ forms (a unique token is added by the server and checked after submission)
• WP uses „nonces“ (not all plugins use them…)
/wp-admin/post.php?post=1&action=trash&_wpnonce=b192fc4204
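As an added example (not from the talk), an admin-post handler that creates a user, first written the way a plugin without nonces does it and then with WordPress's nonce and capability checks; the action and function names are made up:

```php
<?php
// VULNERABLE: any page that makes a logged-in admin's browser request
// /wp-admin/admin-post.php?action=example_add_user&login=x&email=y
// gets a new account, because nothing ties the request to a form WP served.
function example_add_user_unsafe() {
    wp_create_user( $_GET['login'], wp_generate_password(), $_GET['email'] );
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}
// add_action( 'admin_post_example_add_user', 'example_add_user_unsafe' );

// HARDENED: the form carries a nonce bound to this action and this user,
// and the handler checks both the nonce and the capability.
function example_add_user_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_add_user">';
    wp_nonce_field( 'example_add_user' ); // adds _wpnonce and _wp_http_referer fields
    echo '<input name="login"><input name="email"><button>Add</button></form>';
}

function example_add_user_safe() {
    // check_admin_referer() stops with "The link you followed has expired" when
    // the nonce is missing, forged, or older than a day. Nonces are hashed with
    // NONCE_KEY/NONCE_SALT from wp-config.php, so default keys weaken this too.
    check_admin_referer( 'example_add_user' );
    if ( ! current_user_can( 'create_users' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    $login = sanitize_user( wp_unslash( $_POST['login'] ), true );
    $email = sanitize_email( wp_unslash( $_POST['email'] ) );
    $id    = wp_create_user( $login, wp_generate_password(), $email );
    if ( is_wp_error( $id ) ) {
        wp_die( esc_html( $id->get_error_message() ) );
    }
    wp_safe_redirect( admin_url( 'users.php' ) );
    exit;
}
add_action( 'admin_post_example_add_user', 'example_add_user_safe' );
```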
45. http://lynt.cz
SQL Injection
• Unsanitized inputs (again)
• It is possible to modify DB queries and consequently obtain the complete data from the DB
• Interesting stuff in the DB:
– E-mails
– User names, hashed passwords
– Auth token for the autologin cookie
– Credentials to external services
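As an added example (not from the talk), a plugin search function as it is often written, beside the same query built with $wpdb->prepare(); the names are made up and $wpdb is WordPress's database object:

```php
<?php
// VULNERABLE: the search term is spliced straight into the SQL text. A single
// quote in ?q= ends the string literal and whatever follows becomes part of
// the query, which is how the e-mails, hashes and tokens listed above leak.
function example_search_unsafe( $term ) {
    global $wpdb;
    return $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts} WHERE post_title LIKE '%" . $term . "%' AND post_status = 'publish'"
    );
}

// HARDENED: placeholders keep data separate from the query text. Table names
// come from $wpdb itself, never from the request.
function example_search_safe( $term, $limit = 20 ) {
    global $wpdb;
    // esc_like() escapes the LIKE wildcards % and _ inside the user's term so
    // 'a%' does not turn into a broader pattern; the surrounding % are ours.
    $pattern = '%' . $wpdb->esc_like( $term ) . '%';
    $sql = $wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_title LIKE %s AND post_status = 'publish'
         ORDER BY post_date DESC LIMIT %d",
        $pattern,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// Wiring it up as an AJAX action: the nonce from the previous slide still applies.
add_action( 'wp_ajax_example_search', function () {
    check_ajax_referer( 'example_search', 'nonce' );
    $term = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    wp_send_json( example_search_safe( $term ) );
} );
```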
46. http://lynt.cz
Security plugins
• My favourite combo:
• Wordfence + BBQ: Block Bad Queries
• Blocks invalid login attempts
• Limits scans
• File change detection
• Denies user login harvesting
• Denies PHP execution in uploads
• Limits SPAM
• Access to the global attackers list
• Filters out suspicious queries
57. http://lynt.cz
Recovery after infection
• Stop the web (e.g. deny all in .htaccess)
• Remove everything, restore from a clean backup / manual disinfection if no clean backup is available (FAR)
• Eliminate the cause (usually by updating)
• Change the FTP password
• Change the DB password
• Change users‘ passwords, check for unknown users
• New crypto keys in wp-config.php:
https://api.wordpress.org/secret-key/1.1/salt/
• Check files for changes and evil code (Wordfence, Sucuri Scanner)
58. http://lynt.cz
Inspiration – how do we protect our sites?
• wp-login.php only from the Czech Republic (GeoIP module)
• Blocked xmlrpc.php and some other files + disabled PHP in uploads
• Comment spam blocking (NoSpamNX) + Ping/Trackback filter (Topsy Blocker)
• Bulk update management
• Site isolation
• HTTP headers:
– X-Frame-Options SAMEORIGIN;
– X-XSS-Protection "1; mode=block"
– X-Content-Type-Options nosniff
• Deletion of unused themes and plugins
59. http://lynt.cz
Inspiration – how do we protect our sites?
• Fail2Ban (invalid login attempts, too many 404s, https://wordpress.org/plugins/wp-fail2ban/ )
• Suspicious query filtering (server-side)
• Real-time log (Logstash) and error (Sentry) analysis
• Server monitoring (Zabbix)
• File change detection + malware analysis – Maldet + Yara
• Daily server-side backups (plugins can be used as well: BackWPup, UpdraftPlus, BackupBuddy)
• Watch current resources about new threats
60. http://lynt.cz
Resources
• Information about vulnerabilities
• https://www.owasp.org/
• https://wpvulndb.com/
• https://blog.sucuri.net/
• https://www.wordfence.com/blog/
• https://packetstormsecurity.com/
• https://www.reddit.com/r/xss
• My presentation from last year:
• http://www.slideshare.net/vsmitka/wordpress-security-for-everone
61. http://lynt.cz
Homework for tomorrow
□ Check unique crypto keys in the wp-config.php
□ Create backup
□ Remove unused plugins
□ Remove all unused themes (you can keep one
of the default themes and the parent theme)
□ Lower user rights
□ Update everything