Website Security (WordPress) - It's About the Basics

It’s About The Basics

Website Security (WordPress)

04/07/2023

@PEREZBOX

• Sucuri, Inc.– @sucuri_security– @perezbox

• Specialization:– Website Security– Incident Handling

• Special Interests:– Brazilian JiuJitsu

Tony Perez | @perezbox | @sucuri_security 2

04/07/2023

• Website Security Company

• Global Operations

• Platform Agnostic (i.e., WordPress, Joomla, etc..)

• Scan 2M Unique Domains a Month

• Block 4M web attacks a Month

• Remediate 400 – 500 websites a day

• Signature / Heuristic Based

• 24/7 operations


04/07/2023

Statistics


04/07/2023

2013 – Year of the Mega Breach

Data Breaches (Millions)

2011 2013


~230%

04/07/2023

Anatomy of Malicious Websites

Malicious WebsitesLegitimate Websites


85%

04/07/2023

Legitimate Websites

Not-ExploitableExploitable

77%


1 in 8 - Critical Vulnerability

04/07/2023

Ransomware Explosion

Ransomware

2012 2013


~500%

04/07/2023

Malware Distribution

Remote iFram

e Inclu

des

Remote JavaScr

ipt Inclu

des

SPAM

Injecti

ons

Obfuscated / E

ncoded Ja

vaScript

Conditional Redire

cts

Defacements

Other

26%

19%16%

14%11%

4%

10%


04/07/2023

Understanding Hackers


04/07/2023

Anatomy of Website Attacks

Recon Identify Attack Decisions Sustain


Use for malware? Pat of a zombie network? Data breach?

What kind of website do you have?

04/07/2023

Five Stages of an Attack


04/07/2023

Automated Attacks

WP-ADMIN

Themes / Plugins Payload


Exploiting Access Control

04/07/2023

Distribution Mechanism

Malicious Links

Social Media

Email Links Website

Text Message

s


04/07/2023

There’s a Tool for that

• Malware as a Service (MaaS) – Yes, pay someone to hack

for you

• Different tools to break in and generate payloads– Brute force and

vulnerability exploits Malware Payloads


04/07/2023

Why?


04/07/2023

Impacts To You


04/07/2023

Beyond The Application Layer

• Going Deeper than the application layer, targeting the server.

• Server Polymorphism – a.k.a highly adaptive / sophistication


DarkleechCdork

(Apache)

Ebury (SSH)

Email Server (SPAM)

Heartbleed(OpenSSL)

04/07/2023

Phishing Lures


93% Increase in 2013

04/07/2023

Exploiting Forms

• Stick With Reputable Sources

• Generating SPAM emails, resource hogs

• IP blacklisting


04/07/2023

Search Engine Poisoning (SEP)

• Pharmacy• Payday Loans


04/07/2023

Blacklisting


04/07/2023

Drive By Downloads


04/07/2023

Brute Force Attacks


04/07/2023

Denial of Service (DOS)


04/07/2023

Brute Force vs Denial of Service


04/07/2023

Trust Erosion


04/07/2023

Free is not always Free• http://blog.sucuri.net/2014/03/unmasking-free-premium-wor

dpress-plugins.html


- SEOPresser- Payload located: wp-content/plugins/seo-pressor(gratuit)- File: central.class.php

- Flat Skins Pack Extension- Payload located: wp-content/restrict-content-pro/includes/- File: sidebar.php

- Restrict Content Pro- Paylaod located: wp-content/ubermenu-skins-flat

http://blog.sucuri.net/2014/03/unmasking-free-premium-wordpress-plugins.html



04/07/2023

Don’t Worry, Everyone is a “Target”


04/07/2023

Defenses


04/07/2023

Biggest Weakness / Vulnerability


04/07/2023

It’s About Good Posture


Security Posture

Principles

Access

Vulnerabilities

04/07/2023

Starts With Expectations

“It’s about risk reduction… risk will never be zero…”


Posture

Risk

04/07/2023

Defense in Depth

“…a concept in which multiple layers of security controls (defenses) are placed throughout an

information technology (IT) system. Its intent is to provide redundancy in the event a security control fails or a vulnerability is exploited…”


04/07/2023

Layered Defenses


Protection Detection

Auditing Sustainment

04/07/2023

Access – P@ssw0rd

• Passwords


Complex – Long - Unique

04/07/2023

Enforce Strong Credentials


04/07/2023

Push the Access Boundaries


• https://getclef.com/ | @getclef

https://getclef.com/

https://getclef.com/

04/07/2023

Principle of Least Privileged

“requires that in a particular abstraction layer of a computing environment, every module

(such as a process, a user or a program depending on the subject) must be able to

access only the information and resources that are necessary for its legitimate purpose.”


04/07/2023

Understand Your Roles


04/07/2023

Hardening – Kill PHP


PHP Execution, disable it:

/wp-includes /wp-content▪ /themes▪ /plugins▪ /uploads

<Files *.php>Deny from all</Files>

04/07/2023

Disable Plugin / Theme Editor

• WP-CONFIG File Modification

#Disable Plugin / Theme EditorDefine(‘DISALLOW_FILE_EDIT’,true);


04/07/2023

Brute Force Attacks


04/07/2023

Please Backup


04/07/2023

Software Vulnerabilities

• Stay current with the latest vulnerabilities:– Secure - http://wordpress.org/plugins/secure/


http://wordpress.org/plugins/secure/

http://wordpress.org/plugins/secure/

04/07/2023

Brute Force Protection

• Local Protection– https://bruteprotect.com/ | @BruteProtect


https://bruteprotect.com/

https://bruteprotect.com/

04/07/2023

Stay Current (Update)


04/07/2023

Website Firewalls


• Stay ahead of Software Vulnerabilities

04/07/2023

Ensure Integrity of Connection


• https://www.getcloak.com/ | @getcloak

https://www.getcloak.com/

https://www.getcloak.com/

04/07/2023

Simple Steps to Reduce Risk

1. Employ Website Firewall2. Don’t let WordPress write to

itself3. Filter Access by IP 4. Use a dedicated server / VPS5. Monitor all Activity (Logging)6. Enable SSL for transactions7. Keep environment current

(patched)8. No Soup Kitchen Servers


1. Connect Securely – SFTP / SSH

2. Authentication Keys / wp-config

3. Use Trusted Sources4. Use a local Antivirus – MAC

too5. Permissions - D 755 | F 6446. Least Privileged Principles7. Accountability8. Backups – Include Database

Ideal implementations:The Bare Minimum:

04/07/2023

Notable ResourcesName Tool

Sucuri Blog http://blog.sucuri.net

Sucuri TV http://sucuri.tv

Malware Scanner http://sitecheck.sucuri.net

Malware Scanner http://unmaskparasites.com

Badware Busters https://badwarebusters.org

Google Forums http://productforums.google.com/forum/#!categories/webmasters/malware--hacked-sites

Google Webmaster Tools http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633

Secunia Security Advisories http://secunia.com/community/advisories/search/?search=wordpress

Exploit-DB http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31

WordPress Hacked FAQ http://codex.wordpress.org/FAQ_My_site_was_hacked

WordPress Hardening http://codex.wordpress.org/Hardening_WordPress


http://blog.sucuri.net/

http://sucuri.tv/

http://sitecheck.sucuri.net/

http://unmaskparasites.com/

https://badwarebusters.org/

http://productforums.google.com/forum/%23!categories/webmasters/malware--hacked-sites

http://productforums.google.com/forum/%23!categories/webmasters/malware--hacked-sites

http://support.google.com/webmasters/bin/answer.py?hl=en&answer=163633

http://secunia.com/community/advisories/search/?search=wordpress




http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31

http://www.exploit-db.com/search/?action=search&filter_description=Wordpress&filter_platform=31

http://codex.wordpress.org/FAQ_My_site_was_hacked

http://codex.wordpress.org/Hardening_WordPress

04/07/2023

Sucuri, Inc.

Tony Perez

http://sucuri.nethttp://blog.sucuri.net

@perezbox | @sucuri_security

http://www.slideshare.net/perezbox/website-security-wordpress-its-about-the-

basics


http://sucuri.net/

http://blog.sucuri.net/

http://www.slideshare.net/perezbox/website-security-wordpress-its-about-the-basics



Internet

Website Security (WordPress) - It's About the Basics