Page 1: Wordpress security by Deepanshu Kapoor -

Complete WordPress Security

• Hacking Methods
• WordPress Security

By – Deepanshu Kapoor

Security Specialist

[email protected]

www.websecurityspecialist.com

http://deepanshukapoor.usa.cc

Page 2: About WordPress

WordPress is web software you can use to create a highly functional website or blog. WordPress is both free and priceless at the same time. WordPress started as a blogging system but has evolved into a full content management system and much more through the thousands of plugins, widgets, and themes. The core web design software is built by hundreds of community volunteers, and when you’re ready for more there are thousands of plugins and themes available to transform your site into almost anything you can imagine.

Page 3: Introduction

WordPress website security involves several phases before a site can be considered a completely secured and reliable website in terms of cyber security. All websites are ultimately hosted on web servers, which provide the space to store all of the data on the website: not only text and office documents but also multimedia files such as pictures and videos. To protect the data mentioned above and the integrity of the website, as well as the clients related to that website, it is necessary to implement security filters on the server end.

Page 4: Exploitation Methods for WP

1) Brute force on the login page – “wp-admin”
2) Backdoors/shells in themes
3) DDoS attack on the website
4) Pharma attack

Page 5: Brute Force Attack

A brute-force attack may use a dictionary of all words or commonly used passwords and cycle through those words until it gains access to the account. A more complex brute-force attack involves trying every key combination in an effort to find the correct password that will unlock the encryption. Due to the number of possible combinations of letters, numbers and symbols, a brute-force attack can take a long time to complete. The stronger the encryption used (64-bit, 128-bit or 256-bit), the longer it can take.

The most common software used is “BRUTUS”.

Page 6: Brute Force Attempt

Page 7: Security Methods

1) Don’t use “admin” as a username.

2) Use a good, complex password.

3) Security plugins:
   1) Limit Login Attempts
   2) All In One WP Security
   3) One-Time Password

4) Limit access to wp-admin by IP in the wp-admin .htaccess file.
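As an added example (not code from the slides), the following Python flags source IPs that hammer wp-login.php, which is the signal the Limit Login Attempts plugin acts on and the first thing to look for in the web server access log after a brute-force attempt. The log lines are constructed samples in Apache combined format, and the threshold of five attempts per minute is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Apache combined-format line: ip ident user [timestamp] "method path proto" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample: one IP cycling through a password list, then one normal admin login.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2014:13:55:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.7 - - [10/Oct/2014:13:55:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.7 - - [10/Oct/2014:13:55:03 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.7 - - [10/Oct/2014:13:55:04 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.7 - - [10/Oct/2014:13:55:05 +0000] "POST /wp-login.php HTTP/1.1" 200 4523
203.0.113.7 - - [10/Oct/2014:13:55:06 +0000] "POST /wp-login.php HTTP/1.1" 302 0
198.51.100.2 - - [10/Oct/2014:13:56:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""

def parse_line(line):
    """Return the fields of one log line, or None if it is not in combined format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["ts"] = datetime.strptime(fields["ts"], TS_FMT)
    return fields

def find_bruteforcers(log_text, max_attempts=5, window=timedelta(minutes=1)):
    """Return {ip: total wp-login.php POSTs} for every IP that POSTs to wp-login.php
    more than max_attempts times inside any sliding window. WordPress answers a failed
    login with 200 (the form again) and a success with 302, so a run of 200s then a 302
    is the guess-until-it-works pattern worth alerting on."""
    posts = defaultdict(list)
    for line in log_text.splitlines():
        e = parse_line(line)
        if e and e["method"] == "POST" and e["path"].startswith("/wp-login.php"):
            posts[e["ip"]].append(e["ts"])
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0                      # left edge of the sliding window
        for end in range(len(times)):
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 > max_attempts:
                flagged[ip] = len(times)
                break
    return flagged
```

Feeding the function a real access log instead of SAMPLE_LOG gives the IP list to block in the wp-admin .htaccess file or the firewall plugin.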

Page 8: Backdoors/shells in Theme

Most users prefer free themes for their small-scale websites. They download them from Google and upload them to their WordPress site. Many hackers backdoor themes, upload them to the internet and wait for users to download and use them. As soon as the theme is installed and the specific backdoor URL is opened by the user, an email containing the wp-admin address and the username and password is sent to the hacker.

Hackers also upload shells in themes and get access to the website by using them.

Page 9: Hack WordPress Using Shells

Page 10: Its Security

1) Always buy the theme for your website.

2) Security plugins:
   1) Sucuri Security
   2) Exploit Scanner

3) Use file permissions on wp-content.
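As an added example (not the slides' code and not the Exploit Scanner plugin itself), this Python walks a theme directory before it is uploaded and reports PHP files carrying the tells of the backdoor described on Page 8: a request parameter leaking into mail(), obfuscated eval, remote includes or shell commands fed from input. The indicator patterns and the sample theme are constructed here and are assumptions, not an exhaustive signature set; every hit still needs manual review.

```python
import os
import re
import tempfile

# Indicators of a planted backdoor (assumed patterns, not an exhaustive signature set).
SUSPICIOUS = [
    ("obfuscated eval", re.compile(r"\beval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
    ("mail() from request data", re.compile(r"\bmail\s*\([^;]*\$_(GET|POST|REQUEST)", re.I)),
    ("remote include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)),
    ("shell command from input",
     re.compile(r"\b(shell_exec|passthru|system|exec)\s*\(\s*\$_(GET|POST|REQUEST)", re.I)),
]

def scan_theme(theme_dir):
    """Return {relative_path: [indicator names]} for every PHP file that matches."""
    hits = {}
    for root, _dirs, files in os.walk(theme_dir):
        for name in files:
            if not name.lower().endswith((".php", ".phtml")):
                continue
            path = os.path.join(root, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                src = fh.read()
            found = [label for label, rx in SUSPICIOUS if rx.search(src)]
            if found:
                hits[os.path.relpath(path, theme_dir).replace(os.sep, "/")] = found
    return hits

def build_sample_theme():
    """Constructed fixture: a clean template plus one helper file with planted indicators."""
    d = tempfile.mkdtemp(prefix="theme-")
    os.makedirs(os.path.join(d, "inc"))
    with open(os.path.join(d, "index.php"), "w") as fh:
        fh.write("<?php get_header(); the_content(); get_footer();\n")
    with open(os.path.join(d, "inc", "helper.php"), "w") as fh:
        # The classic tell from Page 8: a request parameter leaking into mail(),
        # plus an eval() of encoded code (here just base64 of "echo 1;").
        fh.write("<?php if (isset($_GET['k'])) { mail('x@example.com', 'wp', $_GET['k']); }\n"
                 "eval(base64_decode('ZWNobyAxOw=='));\n")
    return d
```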

Page 11: DDOS Attack

A distributed denial-of-service (DDoS) attack is one in which a multitude of compromised systems attack a single target, thereby causing denial of service for users of the targeted system. The flood of incoming messages to the target system essentially forces it to shut down, thereby denying service to legitimate users. Hackers use “booters”.

Page 12: DDOS Attack using Booters

Page 13: Its Security

1) Use CloudFlare DDoS protection.

2) Use MaxCDN protection.

3) Security plugins:
   1) All In One WP Security & Firewall
   2) Botnet Attack Blocker

Page 14: CloudFlare Protection

Page 15: Pharma Attack

When your site is infected with this hack, you will be inadvertently giving links to pharma sites selling Viagra, Cialis and other such drugs. Not the most professional thing for people to see in Google linked to your site. The hack is a black-hat SEO attack: these people are trying to increase links to their site for the keywords viagra, cialis, etc. Your post descriptions in Google will contain references to drugs rather than the real title you set for your post.

Page 16: How To Identify

• The quickest way to check whether your site has been infected is to look at your site’s index in Google. Run the following search in Google:

site:{yourdomain.com} viagra

• If you see unusual meta descriptions in Google linked to legitimate blog posts, then you have probably been hacked.

Page 17: Its Security

There is a very detailed fix supplied by Sucuri.net, but in essence you need to:

• Clean up WordPress

• Clean up your plugins

• Clean up your uploads directory

• Edit your database to remove rogue entries
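The Google search on Page 16 only shows what is already indexed. As an added example (not from the slides or from Sucuri), this Python looks directly in the database for the rogue entries behind a pharma hack: hidden link blocks injected into post content, and drug keywords in titles or SEO meta descriptions. It runs against an in-memory SQLite copy of the wp_posts and wp_postmeta columns with constructed rows; the keyword list and the `_yoast_wpseo_metadesc` meta key are assumptions.

```python
import re
import sqlite3

PHARMA_WORDS = ("viagra", "cialis", "levitra", "pharmacy")
KEYWORD = re.compile(r"\b(" + "|".join(PHARMA_WORDS) + r")\b", re.I)
# Injected link blocks are usually hidden from visitors but left visible to Google.
HIDDEN_BLOCK = re.compile(r"<(div|span)[^>]*display\s*:\s*none[^>]*>.*?</\1>", re.I | re.S)

def find_pharma_entries(conn, prefix="wp_"):
    """Return (post_id, location, evidence) tuples for rows that need cleaning.
    prefix is the table prefix from wp-config.php, never user input."""
    findings = []
    rows = conn.execute(
        f"SELECT ID, post_title, post_content FROM {prefix}posts WHERE post_status = 'publish'")
    for pid, title, content in rows:
        for m in HIDDEN_BLOCK.finditer(content or ""):
            if KEYWORD.search(m.group(0)):
                findings.append((pid, "post_content hidden block", m.group(0)[:80]))
        if KEYWORD.search(title or ""):
            findings.append((pid, "post_title", title))
    rows = conn.execute(
        f"SELECT post_id, meta_value FROM {prefix}postmeta WHERE meta_key = '_yoast_wpseo_metadesc'")
    for pid, desc in rows:
        if KEYWORD.search(desc or ""):
            findings.append((pid, "meta description", desc))
    return findings

def build_sample_db():
    """Constructed fixture mirroring the wp_posts/wp_postmeta columns used above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_content TEXT, post_status TEXT);
        CREATE TABLE wp_postmeta (post_id INTEGER, meta_key TEXT, meta_value TEXT);
        INSERT INTO wp_posts VALUES (1, 'Opening hours', '<p>We open at 9.</p>', 'publish');
        INSERT INTO wp_posts VALUES (2, 'Summer sale', '<p>Deals all week.</p>'
            || '<div style="display:none"><a href="http://example.invalid/">buy viagra online</a></div>',
            'publish');
        INSERT INTO wp_postmeta VALUES (1, '_yoast_wpseo_metadesc', 'Opening hours and directions');
        INSERT INTO wp_postmeta VALUES (2, '_yoast_wpseo_metadesc', 'Cheap cialis, no prescription');
    """)
    return conn
```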

Page 18: Hardening WordPress

Page 19: Basic Security Points

• Disable the Theme Editor option from the Dashboard.

• Change the table prefix: use “secure_” instead of the default “wp_”.

• Choose a different username instead of “admin” for the wp-admin page.

• Choose a strong password, e.g. dk@123#dk.

Page 20: Block Directory Browsing

• As WordPress is now so popular, many people know the structure of a WordPress install and know where to look to discover which plug-ins you use, or any other files that might give away too much information about your site. One way to combat this is to prevent directory browsing.

• Put the code below in “.htaccess”.

Page 21: Securing wp-admin

• The ultimate implementation of this "second layer" of password protection is to require an HTTPS (SSL-encrypted) connection for administration, so that all communication and sensitive data is encrypted.

• Restrict wp-admin to specific IPs.

• Security plugin – One Time Password

Page 22: Securing wp-content

• The wp-content folder contains images, themes and plug-ins and is a very important folder within your WordPress install, so it makes sense to prevent outsiders from accessing it.

• This requires its very own .htaccess file, which must be added to the wp-content folder. It allows users to see images, CSS etc. but protects the important PHP files:

Page 23: Securing wp-includes

A second layer of protection can be added where scripts are generally not intended to be accessed by any user. One way to do that is to block those scripts using mod_rewrite in the .htaccess file.

Note: to ensure the code below is not overwritten by WordPress, place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file. WordPress can overwrite anything between these tags.

Page 24: Securing wp-config.php

• Change the file permission to 400.

• wp-config.php is the file in your root directory that stores information about your site as well as the database details. This file in particular we would not want to fall into the wrong hands.

• In your .htaccess add the following to prevent any access to the wp-config.php file:
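As an added example (not the slides' own code), the following Python audits a WordPress root against the hardening items from Pages 19 to 24: theme editor disabled and a non-default table prefix in wp-config.php, wp-config.php at mode 400, and a root .htaccess that turns off directory listing, denies wp-config.php and blocks direct requests to wp-includes PHP files. The directive text it expects and the constructed install it builds are mine; the wp-includes rewrite rule is the one from the WordPress Codex "Hardening WordPress" page, and the rules are assumed to sit outside the # BEGIN/END WordPress block as Page 23 requires.

```python
import os
import re
import tempfile

# Directives a hardened root .htaccess should carry (matched case-insensitively).
# The wp-includes rule is the Codex "Hardening WordPress" one; the rest are assumptions.
EXPECTED_HTACCESS = {
    "directory listing off": ["Options -Indexes"],
    "wp-config.php denied": ["<files wp-config.php>", "deny from all", "</files>"],
    "wp-includes php blocked": [r"RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]"],
}

def _read(path):
    if not os.path.exists(path):
        return ""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return fh.read()

def audit(wp_root):
    """Return {check name: passed} for each hardening item on the slides above."""
    cfg_path = os.path.join(wp_root, "wp-config.php")
    cfg = _read(cfg_path)
    result = {"wp-config.php mode 400": (os.stat(cfg_path).st_mode & 0o777) == 0o400}
    result["theme editor disabled"] = bool(re.search(
        r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", cfg, re.I))
    m = re.search(r"\$table_prefix\s*=\s*['\"]([^'\"]*)['\"]", cfg)
    result["non-default table prefix"] = bool(m) and m.group(1) != "wp_"
    htaccess = _read(os.path.join(wp_root, ".htaccess"))
    for label, needles in EXPECTED_HTACCESS.items():
        result[label] = all(re.search(re.escape(n), htaccess, re.I) for n in needles)
    return result

def build_sample_install(hardened):
    """Constructed fixture: a minimal WordPress root, hardened or left at defaults."""
    root = tempfile.mkdtemp(prefix="wp-")
    cfg_path = os.path.join(root, "wp-config.php")
    cfg = "<?php\n$table_prefix = '%s';\n" % ("secure_" if hardened else "wp_")
    if hardened:
        cfg += "define('DISALLOW_FILE_EDIT', true);\n"
    with open(cfg_path, "w") as fh:
        fh.write(cfg)
    os.chmod(cfg_path, 0o400 if hardened else 0o644)
    if hardened:
        with open(os.path.join(root, ".htaccess"), "w") as fh:
            fh.write("Options -Indexes\n<files wp-config.php>\norder allow,deny\ndeny from all\n"
                     "</files>\n<IfModule mod_rewrite.c>\nRewriteEngine On\n"
                     "RewriteRule ^wp-includes/[^/]+\\.php$ - [F,L]\n</IfModule>\n")
    return root
```

Pointing audit() at a live install reports which of the items on the preceding slides are still missing.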

Page 25: Security Plugins

• All In One WP Security & Firewall: This plugin is one of the best security plugins for securing a website. It gives the option to check login attempts from different IPs and can detect pingbacks if someone is performing ping actions on the website. We can block the IPs that make multiple attempts.

• Sucuri Security – SiteCheck Malware Scanner: This plugin is also used to secure the website. It checks for any malware, JavaScript or iframes that may infect the website and removes them.

• Exploit Scanner: Used to scan for malicious content on the website.

• Botnet Attack Blocker: This plugin blocks distributed botnet brute-force attacks on your WordPress installation.

Page 26: Thank You…!!