Protecting your site by detection
3 likes2,257 views
This document discusses ways to detect security issues on a WordPress site and server. It recommends using tools like ModSecurity, fail2ban, Apticron, and Apt-dater to monitor for updates, failed login attempts, and other security events. It also proposes building a WordPress plugin called WP Central that would aggregate security data from all sites and servers and provide a central dashboard. The plugin would monitor files, permissions, login attempts, and perform checksum scans to detect any changes or additions.
![WP Central API
• http://wpcentral.io/api/checksums/theme/
twentyfifteen/1.2
• [{"code":"wpcentral_server_error","message":"Gener
ating checksums”}]
• [{"file":"header.php","checksum":"c0919b5f4b6e4f3a
58b858b2305e9146"},{},{},{},{},{},{},{},{},{},{},{},{},{}]](https://image.slidesharecdn.com/protectingyoursitebydetection-150512220105-lva1-app6892/85/Protecting-your-site-by-detection-31-320.jpg)
Protecting your site by detection
- 1. CODEKITCHENMarko Heijnen Protecting your site by detection
- 2. Marko Heijnen • Founder of CodeKitchen • Lead developer of GlotPress • Core contributor for WordPress • Plugin developer • Organizer for WordCamp Belgrade • Using lots of (new) technologies
- 3. Recently lot’s of security issues got reported
- 4. Stats first 5 months of 2015 • 3 core security updates • Cross-site Scripting (XSS) due to the misuse of the add_query_arg() and remove_query_arg() functions • Cross-site scripting (XSS) vulnerability inside the popular JetPack plugin. and the default Twenty Fifteen theme because of genericons.
- 5. I almost got hacked
- 6. Not only your site but also your server
- 7. My server setup Loadbalancer Webserver 1 Webserver 2 Memcached Elasticsearch MariaDB
- 8. My server setup Public Private Loadbalancer Webserver 1 Webserver 2 Memcached Elasticsearch MariaDB
- 9. Do you know if you are currently hacked???
- 12. What can you detect
- 13. Detection of your install • Updates of WordPress, Plugins and themes • Failed login attempts • Security issues in plugins and themes • Security enhancements reported by core • List of plugins/themes you don’t use
- 14. Detection of the server • Updates of server software • Failed login attempts
- 15. Detection what is going on • Requests to plugins you don’t have (404’s) • Permissions of your folders/files • Check if files got changed (Core, plugins, themes) • Check if files got added (Core, plugins, themes) • What is in your uploads folder (PHP files)
- 16. How I do it
- 17. Software for security I use • modsecurity / UFW on every server (default blocks all) • fail2ban • apticron (only 1 per matching type) • apt-dater-host (in combination with apt-dater) • Own code
- 18. Apticron • Cronjob checking if there are updates • Mail you when there are updates • Can mail the total list or only new updates
- 19. Apt-dater and Apt-dater-host • Terminal-based remote package update manager • A tool to manage a lot of servers • Grouped same servers • Install and update packages
- 20. My server setup fail2ban modsecurity ufw apticron apt-dater-host ufw apticron (web1) apt-dater-host ufw apticron apt-dater-host Loadbalancer Webserver 1 Webserver 2 Memcached Elasticsearch MariaDB
- 21. Use WordPress to manage WordPress
- 22. Features • List all Linux packages • List all PECL updates • Shows if WP-CLI needs updating • Restart services
- 23. Features • List all WordPress updates • Ability to perform updates when allowed • Checksum scans • Upload directory scans • Doing backups • Send WP CLI command
- 24. List of all servers
- 25. List of all sites
- 26. General overview of a site
- 27. Security checks for the site
- 28. WP Central
- 29. WP Central API • http://wpcentral.io/api/ • First started with contributors • After that stats • Now creating checksums for plugins and themes • Soon similar functionality as wpvulndb.com
- 30. Node.js server • WordPress calls a microserver (nginx) • nginx calls node.js server • Returns the data when exists • Will return error when not and generates the checksums behind the scene
- 31. WP Central API • http://wpcentral.io/api/checksums/theme/ twentyfifteen/1.2 • [{"code":"wpcentral_server_error","message":"Gener ating checksums”}] • [{"file":"header.php","checksum":"c0919b5f4b6e4f3a 58b858b2305e9146"},{},{},{},{},{},{},{},{},{},{},{},{},{}]
- 32. WP-CLI
- 33. Ideas are more then welcome
- 35. Other solutions
- 36. Other solutions • VaultPress • ManageWP / WP Remote / InfiniteWP • Sucuri
- 37. There are WordPress plugins you could use But you should not trust that they do it all
- 38. The next steps
- 39. Log aggregation • Logstash • Fluentd • OSSEC
- 40. OSSEC • An Open Source Host-based Intrusion Detection System • Performs log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting and active response • Works with a manager and agents • https://hackertarget.com/defending-wordpress- ossec/