
How to Detect and Secure a WordPress Hacked site

makmour
December 17, 2017


Makis Mourelatos - WordPress Thessaloniki meetup 8


Transcript

  1. 8th WordPress Thessaloniki Meetup, DEI College, 17/12/2016
     "Detect & Secure a WordPress Hacked Website: How to"
     Gerasimos Mourelatos, FixMyWP
  2. Who am I? Gerasimos Mourelatos, WordPress Consultant / Security Aficionado
     Co-founder @ FixMyWP.com, Co-founder @ HostMyWP.com
  3. "SECURITY IS A PROCESS NOT A PRODUCT"
     Computer Security: Will We Ever Learn? - Essay by Bruce Schneier
  4. WordPress is King
     Usage of content management systems (the most popular CMS), in % of websites:
     WordPress 27.3, Joomla 3.4, Drupal 2.2, Magento 1.2
     source: https://w3techs.com/
  5. Half of all WordPress websites run an old version of WordPress
     Share of WordPress 4.x minor versions, in %: 4.6 49.9, 4.5 15.8, 4.4 11, 4.3 7.3
     Version 4.x is used by 90% of all WordPress websites
     source: https://w3techs.com/technologies/details/cm-wordpress/4/all
  6. Infected CMS Report by Sucuri, for Q2 2016
     Share of infected sites by CMS, in %: WordPress 78, Joomla 14, N/A 6, Magento 5, Drupal 2
     WordPress is at the top with a 78% share
     source: https://sucuri.net/website-security/hacked-reports/2016-q2-hacked-website-report
  7. Google Safe Browsing Malware Report for Greece
     Over a one-year period: 40,063 sites scanned, 441 sites with malware
     1% of the sites checked were found to host malware
     source: https://www.google.com/transparencyreport/safebrowsing/malware/?hl=en#region=GR&period=365
  8. GOOGLE IS WATCHING YOU
     • The site ahead contains malware
     • This site may be hacked
     • This site may harm your computer
  9. HOSTING AND ANALYTICS
     • Your host warns you about malicious content and email abuse coming from your account
     • Weird search keywords like "viagra" landing on your page
     • Your emails are starting to bounce or get flagged as spam
     • Your bandwidth usage is skyrocketing
     • Your traffic is decreasing day by day
     image source: theme4press.com
  10. MORE PROBLEMS ON YOUR WEBSITE
     • Your website redirects visitors to another website
     • The .htaccess file contains some "weird" rules
     • Popup windows or advertisements that have nothing to do with your website
  11. Changes in the code
     • Weird "pieces" of code in the header/footer of your website (view source)
     • Problems with the appearance of the website
     • HTTP 500 errors / warnings
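The indicators in slides 9 to 11 can be turned into checks a site owner runs from the host's shell. The bash script below is an added example and is not part of the deck; the WordPress tree, the .htaccess file and the access-log lines it inspects are constructed fixtures (assumptions), and on a real site the functions would be pointed at the site root and the web server's access log instead.

```bash
#!/usr/bin/env bash
# Added example, not from the deck: turn the symptoms above into checks.
# The site tree, the .htaccess and the log lines are constructed fixtures
# (assumptions); point the functions at a real site root and log instead.
set -u

# Build a throwaway site tree showing three of the symptoms from the slides.
make_fixture() {
  local root
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2016/12" "$root/wp-content/themes/demo"
  # clean theme file
  printf '<?php get_header(); ?>\n' > "$root/wp-content/themes/demo/index.php"
  # a "weird piece of code" injected into the footer: obfuscated eval()
  printf '<?php eval(base64_decode("..."));\n' > "$root/wp-content/themes/demo/footer.php"
  # a PHP file sitting in uploads, where only media should live
  printf '<?php echo 1;\n' > "$root/wp-content/uploads/2016/12/image.php"
  # an .htaccess rule redirecting every visitor to another site
  cat > "$root/.htaccess" <<'EOF'
RewriteEngine On
RewriteRule ^(.*)$ http://example.invalid/landing [R=302,L]
EOF
  echo "$root"
}

# Count PHP files under wp-content/uploads (expected on a clean site: 0).
php_in_uploads() {
  find "$1/wp-content/uploads" -type f -name '*.php' | wc -l | tr -d ' '
}

# Count theme/plugin files that pass decoded data straight into eval().
obfuscated_php() {
  grep -rlE 'eval[[:space:]]*\([[:space:]]*(base64_decode|gzinflate|str_rot13)' \
    "$1/wp-content" 2>/dev/null | wc -l | tr -d ' '
}

# Count RewriteRule lines in the root .htaccess that send visitors off-site.
htaccess_redirects() {
  grep -hE '^[[:space:]]*RewriteRule[[:space:]].*[[:space:]]https?://' \
    "$1/.htaccess" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed access-log lines in Apache common log format (assumption):
# one address hammering wp-login.php and one ordinary visitor.
LOG='198.51.100.7 - - [17/Dec/2016:10:00:01 +0200] "POST /wp-login.php HTTP/1.1" 200 3400
198.51.100.7 - - [17/Dec/2016:10:00:02 +0200] "POST /wp-login.php HTTP/1.1" 200 3400
198.51.100.7 - - [17/Dec/2016:10:00:03 +0200] "POST /wp-login.php HTTP/1.1" 200 3400
203.0.113.9 - - [17/Dec/2016:10:01:00 +0200] "GET /about/ HTTP/1.1" 200 9000
203.0.113.9 - - [17/Dec/2016:10:01:05 +0200] "POST /wp-login.php HTTP/1.1" 302 0'

# Print addresses with more than $1 POSTs to wp-login.php or xmlrpc.php.
login_floods() {
  printf '%s\n' "$LOG" | awk -v t="$1" '
    $6 == "\"POST" && ($7 == "/wp-login.php" || $7 == "/xmlrpc.php") { n[$1]++ }
    END { for (ip in n) if (n[ip] > t) print ip }'
}

# Run every check against the fixture and print a short report.
report() {
  local root
  root=$(make_fixture)
  echo "PHP files in uploads:       $(php_in_uploads "$root")"
  echo "eval(decode) in wp-content: $(obfuscated_php "$root")"
  echo "off-site redirect rules:    $(htaccess_redirects "$root")"
  echo "login floods (>2 POSTs):    $(login_floods 2)"
  rm -rf "$root"
}

report
```

Each check is deliberately narrow (a file type in the wrong place, one well-known obfuscation pattern, an absolute URL in a rewrite target, a burst of login POSTs from one address) so that a hit is worth a manual look rather than a verdict on its own; a clean result from these four does not mean the site is clean, it only means the most common symptoms from the slides are absent.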
  12. Minimize Security Risks
     • Update WordPress
     • Remove all inactive themes and plugins
     • Change all WP admin passwords and usernames, hosting panel, FTP/SFTP and MySQL users
     • Have 1 or 2 admin users and set strong passwords
     • Remove all dev/demo/staging versions of your site
     • Move any WP sites into a separate hosting account
  13. Stealth Mode
     • Hide the WordPress login URL
     • Disable XML-RPC when possible
     • Limit login attempts
     • Use two-factor authentication
  14. Be Pro-Active
     • Don't install nulled plugins/themes
     • Monitor your site logs regularly
     • Make sure the following permissions are set: for directories 0755, for files 0644
  15. DEEP DOWN AND DIRTY
     • Disallow access to wp-config.php through .htaccess:
         <files wp-config.php>
         order allow,deny
         deny from all
         </files>
     • Disallow file edit through wp-config.php:
         define('DISALLOW_FILE_EDIT', true);
     • Disable PHP execution for /wp-content/uploads using .htaccess:
         <Files *.php>
         deny from all
         </Files>
     • Secure wp-includes by adding the following snippet through .htaccess (place it before the # BEGIN WordPress tags):
         <IfModule mod_rewrite.c>
         RewriteEngine On
         RewriteBase /
         RewriteRule ^wp-admin/includes/ - [F,L]
         RewriteRule !^wp-includes/ - [S=3]
         RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
         RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
         RewriteRule ^wp-includes/theme-compat/ - [F,L]
         </IfModule>
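Slides 14 and 15 together describe a hardening procedure: fix permissions, disable the file editor, block PHP under uploads and protect wp-config.php. The bash script below is an added example, not the deck's own material: it audits a site tree for each of those points and applies the slide's own snippets where they are missing. The site tree it works on is a constructed fixture (an assumption); on a real site the functions would be given the document root.

```bash
#!/usr/bin/env bash
# Added example, not from the deck: audit a WordPress tree for the four
# hardening points in slides 14-15 and apply the slide's snippets when missing.
# The tree is a constructed fixture (assumption); use the real site root instead.
set -u

# A deliberately weak site: world-writable wp-config.php, no file-edit lock,
# no uploads .htaccess, no wp-config.php protection.
make_fixture() {
  local root
  root=$(mktemp -d)
  chmod 0755 "$root"
  mkdir -p "$root/wp-content/uploads" "$root/wp-includes"
  chmod 0755 "$root/wp-content" "$root/wp-content/uploads" "$root/wp-includes"
  printf "<?php\ndefine('DB_NAME', 'wordpress');\n" > "$root/wp-config.php"
  printf '# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n' > "$root/.htaccess"
  chmod 0666 "$root/wp-config.php"   # too open on purpose
  chmod 0644 "$root/.htaccess"
  echo "$root"
}

# Number of files that are not 0644 plus directories that are not 0755.
perm_violations() {
  { find "$1" -type f ! -perm 0644; find "$1" -type d ! -perm 0755; } | wc -l | tr -d ' '
}

# "yes" if wp-config.php disables the theme/plugin editor.
file_edit_disabled() {
  grep -qE "define\([[:space:]]*'DISALLOW_FILE_EDIT'[[:space:]]*,[[:space:]]*true" \
    "$1/wp-config.php" && echo yes || echo no
}

# "yes" if uploads/.htaccess denies *.php (Apache 2.2 or 2.4 syntax).
uploads_php_blocked() {
  local f="$1/wp-content/uploads/.htaccess"
  [ -f "$f" ] && grep -qi '<Files \*\.php>' "$f" \
    && grep -qiE 'deny from all|Require all denied' "$f" && echo yes || echo no
}

# "yes" if the root .htaccess carries a <files wp-config.php> block.
wpconfig_protected() {
  grep -qi '<files wp-config.php>' "$1/.htaccess" && echo yes || echo no
}

# Apply the permissions from slide 14.
fix_perms() {
  find "$1" -type d -exec chmod 0755 {} +
  find "$1" -type f -exec chmod 0644 {} +
}

# Apply each slide-15 snippet that the audit reports as missing.
harden() {
  local root=$1
  [ "$(file_edit_disabled "$root")" = yes ] \
    || printf "define('DISALLOW_FILE_EDIT', true);\n" >> "$root/wp-config.php"
  [ "$(uploads_php_blocked "$root")" = yes ] \
    || printf '<Files *.php>\ndeny from all\n</Files>\n' > "$root/wp-content/uploads/.htaccess"
  if [ "$(wpconfig_protected "$root")" = no ]; then
    # the slide says: before the # BEGIN WordPress tags, so prepend
    { printf '<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n'
      cat "$root/.htaccess"; } > "$root/.htaccess.new"
    mv "$root/.htaccess.new" "$root/.htaccess"
  fi
  fix_perms "$root"   # last, so the files written above get 0644 as well
}

audit() {
  echo "permission violations: $(perm_violations "$1")"
  echo "file edit disabled:    $(file_edit_disabled "$1")"
  echo "uploads PHP blocked:   $(uploads_php_blocked "$1")"
  echo "wp-config protected:   $(wpconfig_protected "$1")"
}

root=$(make_fixture)
echo "--- before ---"; audit "$root"
harden "$root"
echo "--- after ----"; audit "$root"
rm -rf "$root"
```

The audit accepts both `deny from all` (Apache 2.2 syntax, as on the slide) and `Require all denied` (Apache 2.4), but `harden` writes the slide's 2.2 form, so on an Apache 2.4 host without mod_access_compat the directive would have to be swapped for `Require all denied`.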
  16. Extra Security Measures
     • Use SSL
     • Store backups of the site
     • Use a WAF
     • Use a WordPress-friendly hosting provider
     • Don't access your site backend and hosting panel from public wifi, or from public computers in general
     • Use an antivirus yourself and scan your own machine regularly
  17. Useful Links
     • https://sucuri.net/scanner/
     • https://www.virustotal.com
     • http://webpagetest.org
     • https://wordpress.org/plugins/wordfence
     • https://wordpress.org/plugins/better-wp-security
     • https://wordpress.org/plugin/wp-changes-tracker
     • https://wordpress.org/plugins/exploit-scanner
     • https://wordpress.org/plugins/wp-security-audit-log
     • https://wordpress.org/plugins/limit-login-attempts
     • https://wordpress.org/plugins/google-authenticator