Presented by Daniel Kanchev
8 WAYS TO HACK A WORDPRESS SITE
WordCamp Porto 2013 Daniel Kanchev
Before We Begin…
• 7+ years of WordPress experience
• 5 years with SiteGround
• Love FOSS
• Addicted to extreme and not so secure sports
Why should YOU care?
1. OUTDATED WORDPRESS CORE
• WP 3.7.1 - MAINTENANCE RELEASE
• WP 3.6.1 - SECURITY RELEASE
• WP 3.5.2 - SECURITY RELEASE
• WP 3.5.1 - SECURITY RELEASE
• WP 3.4.2 - SECURITY RELEASE
• WP 3.4.1 - SECURITY RELEASE
• WP 3.3.3 - SECURITY RELEASE
• WP 3.3.2 - SECURITY RELEASE
• WP 3.3.1 - SECURITY RELEASE
• WP 3.2.1 - MAINTENANCE RELEASE
80%
UPDATE, UPDATE, UPDATE!
2. OUTDATED PLUGINS/THEMES
“Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection”
http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf
WP PLUGINS SECURITY STATE
• timthumb.php Security Vulnerability
• W3 Total Cache Vulnerability
NOTABLE EXAMPLES
LIVE DEMONSTRATION
3. UPDATED BUT STILL VULNERABLE
“8 out of 10 sites included base64 encoding in their themes.”
Siobhan McKeown
FREE THEMES/PLUGINS ?!
TRUSTED DEVELOPERS
USE WAF
4. WEAK LOGIN DETAILS
Do you log in with the username “admin”?
KEEPCALM
AND LET ME
SHOW YOU WHY
CHANGE THE ADMIN USER
UPDATE wp_users SET user_login = 'Yourname+_admin' WHERE user_login = 'admin';
STRONG PASSWORDS
Use a whole sentence or a favourite quote:
“Comedy is acting out optimism!”
5. MALWARE
SECURE YOUR COMPUTERS
• Keep your OS and all programs updated
• Install Anti-Virus software
• Use personal firewalls
• Open sites via HTTPS whenever possible
• Use SSH or SFTP instead of FTP
6. VULNERABLE SERVER SOFTWARE
WATCHA TALKIN ABOUT
SOME EXAMPLES
• PHP-CGI Vulnerability - versions before 5.3.12/5.4.2
• MySQL/MariaDB Vulnerability - versions before 5.5.25
• Apache range header DoS - versions before 2.2.20
• Update server software
• Follow security bulletins
• Hire professional sysadmins
7. INCORRECTLY CONFIGURED SERVER
APACHE SYMLINK VULNERABILITY
The Problem:
public_html/fred.txt -> /home/otheracct/public_html/wp-config.php
The Solution:
Add to httpd.conf or .htaccess file: Options SymLinksIfOwnerMatch
• Find a good host
• Hire professional sysadmins
8. WRONG PERMISSIONS + ISOLATION
THE CORRECT PERMISSIONS
• Folders: 755
• Files: 644
• wp-config.php: 444
SSH COMMAND TO CORRECT PERMISSIONS
• find /wordpress -type d -exec chmod 755 {} \;
• find /wordpress -type f -exec chmod 644 {} \;
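As an added example (not part of the original slides), this script audits a WordPress tree against the scheme above (directories 755, files 644, wp-config.php 444) and reports every path that deviates before anything is changed; the second function applies the two find commands from the slide plus the wp-config.php tightening. The install path is an assumption (the slide uses /wordpress); it works with GNU or BSD stat.

```shell
#!/bin/sh
# Added example, not from the original slides.
# Audit and fix WordPress file permissions: dirs 755, files 644, wp-config.php 444.

# Print the octal mode of a path (GNU stat first, BSD stat as fallback).
wp_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# wp_perm_audit DIR: print "<path> <actual> (want <expected>)" for each
# mismatch. Prints nothing when the tree already matches the scheme.
wp_perm_audit() {
    root=$1
    find "$root" \( -type d -o -type f \) -print | while IFS= read -r path; do
        if [ -d "$path" ]; then
            want=755
        elif [ "$(basename "$path")" = "wp-config.php" ]; then
            want=444                      # read-only, even for the owner
        else
            want=644
        fi
        actual=$(wp_mode "$path")
        [ "$actual" = "$want" ] || printf '%s %s (want %s)\n' "$path" "$actual" "$want"
    done
}

# wp_perm_fix DIR: apply the scheme (the slide's two commands + wp-config.php).
wp_perm_fix() {
    root=$1
    find "$root" -type d -exec chmod 755 {} \;
    find "$root" -type f -exec chmod 644 {} \;
    if [ -f "$root/wp-config.php" ]; then
        chmod 444 "$root/wp-config.php"
    fi
    return 0
}

# Usage (path is an assumption): wp_perm_audit /wordpress; wp_perm_fix /wordpress
```

Run the audit first and review the list; world-writable directories such as wp-content/uploads at 777 are exactly what it is meant to surface.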
GENERAL GUIDELINES
• Use Secret Keys - http://api.wordpress.org/secret-key/1.1/salt
• Move wp-config.php to parent folder
• Use SSL for wp-login.php
• Allow admin access only from certain IPs
QUESTIONS ?
http://slideshare.net/siteground
REFERENCES
• http://blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-access-symlinks-to-root-part-i.html
• http://httpd.apache.org/security/CVE-2011-3192.txt
• http://thehackernews.com/2012/06/cve-2012-2122-serious-mysql.html
• http://blog.spiderlabs.com/2012/05/php-cgi-exploitation-by-example.html
• http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf