Website Security (WordPress) - It's About the Basics

It’s About The Basics

Website Security (WordPress)

04/07/2023

@PEREZBOX

• Sucuri, Inc.– @sucuri_security– @perezbox

• Specialization:– Website Security– Incident Handling

• Special Interests:– Brazilian JiuJitsu

Tony Perez | @perezbox | @sucuri_security 2

04/07/2023

• Website Security Company

• Global Operations

• Platform Agnostic (i.e., WordPress, Joomla, etc..)

• Scan 2M Unique Domains a Month

• Block 4M web attacks a Month

• Remediate 400 – 500 websites a day

• Signature / Heuristic Based

• 24/7 operations

04/07/2023

Statistics

04/07/2023

2013 – Year of the Mega Breach

Data Breaches (Millions)

2011 2013

04/07/2023

Anatomy of Malicious Websites

Malicious WebsitesLegitimate Websites

04/07/2023

Legitimate Websites

Not-ExploitableExploitable

1 in 8 - Critical Vulnerability

04/07/2023

Ransomware Explosion

Ransomware

2012 2013

04/07/2023

Malware Distribution

Remote iFram

e Inclu

Remote JavaScr

ipt Inclu

Injecti

Obfuscated / E

ncoded Ja

vaScript

Conditional Redire

Defacements

19%16%

14%11%

04/07/2023

Understanding Hackers

04/07/2023

Anatomy of Website Attacks

Recon Identify Attack Decisions Sustain

Use for malware? Pat of a zombie network? Data breach?

What kind of website do you have?

04/07/2023

Five Stages of an Attack

04/07/2023

Automated Attacks

WP-ADMIN

Themes / Plugins Payload

Exploiting Access Control

04/07/2023

Distribution Mechanism

Malicious Links

Social Media

Email Links Website

Text Message

04/07/2023

There’s a Tool for that

• Malware as a Service (MaaS) – Yes, pay someone to hack

for you

• Different tools to break in and generate payloads– Brute force and

vulnerability exploits Malware Payloads

04/07/2023

Impacts To You

04/07/2023

Beyond The Application Layer

• Going Deeper than the application layer, targeting the server.

• Server Polymorphism – a.k.a highly adaptive / sophistication

DarkleechCdork

(Apache)

Ebury (SSH)

Email Server (SPAM)

Heartbleed(OpenSSL)

04/07/2023

Phishing Lures

93% Increase in 2013

04/07/2023

Exploiting Forms

• Stick With Reputable Sources

• Generating SPAM emails, resource hogs

• IP blacklisting

04/07/2023

Search Engine Poisoning (SEP)

• Pharmacy• Payday Loans

04/07/2023

Blacklisting

04/07/2023

Drive By Downloads

04/07/2023

Brute Force Attacks

04/07/2023

Denial of Service (DOS)

04/07/2023

Brute Force vs Denial of Service

04/07/2023

Trust Erosion

04/07/2023

Free is not always Free• http://blog.sucuri.net/2014/03/unmasking-free-premium-wor

dpress-plugins.html

- SEOPresser- Payload located: wp-content/plugins/seo-pressor(gratuit)- File: central.class.php

- Flat Skins Pack Extension- Payload located: wp-content/restrict-content-pro/includes/- File: sidebar.php

- Restrict Content Pro- Paylaod located: wp-content/ubermenu-skins-flat

04/07/2023

Don’t Worry, Everyone is a “Target”

04/07/2023

Defenses

04/07/2023

Biggest Weakness / Vulnerability

04/07/2023

It’s About Good Posture

Security Posture

Principles

Access

Vulnerabilities

04/07/2023

Starts With Expectations

“It’s about risk reduction… risk will never be zero…”

Posture

04/07/2023

Defense in Depth

“…a concept in which multiple layers of security controls (defenses) are placed throughout an

information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”

04/07/2023

Layered Defenses

Protection Detection

Auditing Sustainment

04/07/2023

Access – P@ssw0rd

• Passwords

Complex – Long - Unique

04/07/2023

Enforce Strong Credentials

04/07/2023

Push the Access Boundaries

• https://getclef.com/ | @getclef

04/07/2023

Principle of Least Privileged

“requires that in a particular abstraction layer of a computing environment, every module

(such as a process, a user or a program depending on the subject) must be able to

access only the information and resources that are necessary for its legitimate purpose.”

04/07/2023

Understand Your Roles

04/07/2023

Hardening – Kill PHP

PHP Execution, disable it:

/wp-includes /wp-content▪ /themes▪ /plugins▪ /uploads

04/07/2023

Disable Plugin / Theme Editor

• WP-CONFIG File Modification

#Disable Plugin / Theme EditorDefine(‘DISALLOW_FILE_EDIT’,true);

04/07/2023

Brute Force Attacks

04/07/2023

Please Backup

04/07/2023

Software Vulnerabilities

• Stay current with the latest vulnerabilities:– Secure - http://wordpress.org/plugins/secure/

04/07/2023

Brute Force Protection

• Local Protection– https://bruteprotect.com/ | @BruteProtect

04/07/2023

Stay Current (Update)

04/07/2023

Website Firewalls

• Stay ahead of Software Vulnerabilities

04/07/2023

Ensure Integrity of Connection

• https://www.getcloak.com/ | @getcloak

04/07/2023

Simple Steps to Reduce Risk

1. Employ Website Firewall2. Don’t let WordPress write to

itself3. Filter Access by IP 4. Use a dedicated server / VPS5. Monitor all Activity (Logging)6. Enable SSL for transactions7. Keep environment current

(patched)8. No Soup Kitchen Servers

1. Connect Securely – SFTP / SSH

2. Authentication Keys / wp-config

3. Use Trusted Sources4. Use a local Antivirus – MAC

too5. Permissions - D 755 | F 6446. Least Privileged Principles7. Accountability8. Backups – Include Database

Ideal implementations:The Bare Minimum:

04/07/2023

Notable ResourcesName Tool

Sucuri Blog http://blog.sucuri.net

Sucuri TV http://sucuri.tv

Malware Scanner http://sitecheck.sucuri.net

Malware Scanner http://unmaskparasites.com

Badware Busters https://badwarebusters.org

Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites

Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633

Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress

Exploit-DB http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31

WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked

WordPress Hardening http://codex.wordpress.org/Hardening_WordPress

04/07/2023

Sucuri, Inc.

Tony Perez

http://sucuri.nethttp://blog.sucuri.net

@perezbox | @sucuri_security

http://www.slideshare.net/perezbox/website-security-wordpress-its-about-the-

basics

Website Security (WordPress) - It's About the Basics

Internet

SEO Basics for WordPress

Wordpress 101 - The Basics by Jack Davenport

WordPress Plugin Basics

WordPress and Web Accessibility: Why It's Important. WordCampUK 2012

WordPress Website Basics - Domains, Hosting & Why WordPress

Wordpress Basics PUR4103 Public Relations Visual … · 2013-03-18 · Wordpress Basics PUR4103 Public Relations Visual Communication Tappan Contents ... a hex code in Photoshop Previewing

Building the basics (WordPress Ottawa 2014)

WordPress SEO - The Absolute Basics

Wordpress Basics the meat and three veg of updating an SCA ... · Wordpress Basics… the meat and three veg of updating an SCA Wordpress site By Master Dimitrii Borodinskii – Lochac

WordPress SEO: Getting Back to the Basics

Wordpress Basics - Session 1

WordPress Basics How To Manage Your Website

“Understanding Car Crashes—It's Basics Physics” Teacher's guide

The Basics of Wordpress

The WordPress Project; It's all about YOU!

WordPress Security Basics - Melbourne WordPress User Meetup

3. How to Start Wordpress Basics

WordPress Basics - Roosevelt CS & Web Design › 2011 › 09 › ... · WordPress Basics. WordPress Basics Dashboard Themes Pages Posts Edit Menus. Dashboard. Themes. Pages. Posts

Basics of Wordpress

Beyond the Basics of Wordpress Wordpress IIdonneray.info/wp-content/uploads/2013/01/Wordpress-II.pdfBeyond the Basics of Wordpress - Wordpress II Page 4 of 27 Starting the blog on