WordPress Greek Community 6th meetup Security 101 - Stefanos Grammenos, Panagiotis Macromanolis

WordPress Greek Community

October 21, 2015

Transcript

  1. Copyright 2015 WebDevls

  2. REAL-TIME VISIBILITY INTO GLOBAL CYBER
    WordPress-ATTACKS
    By
    Grammenos Stefanos
    Panagiotis Macromanolis

  3. WordPress powers more than 74.6m sites around the world.
    48% of Technorati's top 100 blogs use the WP Dashboard.
    WordPress-related keywords score 37 million searches per month.
    WordPress.com gets more unique visitors than Amazon (US).
    Plugins have been downloaded more than 300,000,000+ times.
    48 million downloads of WordPress.
    Online marketing circles will often discuss WordPress more than any other CMS out there.

  4. It is a huge target for spreading the main forms of cybercrime,
    mostly because of its ease of use, but also because of the huge
    popularity it has gained.

  5. The WordPress Security Team
    25 experts including lead developers and security researchers.
    WordPress and Drupal security team collaboration.
    Automatic Background Updates for Security Releases.
    2013 OWASP Top 10 Vulnerabilities: most serious application security risks.
    WordPress Plugin and Theme Security: Theme Review Team – Plugin Review Team
    APIs (Core WordPress APIs, DB API, FileSystem API, HTTP API, Permissions and Current User API).
    [email protected]

  6. Computer Systems Security
    When we are armed with technical advice and common sense, we can avoid many of the known attacks.
    The harder we make an attacker's job on our website, the more likely they are to leave us alone
    and move on to an easier target.
    Sasser – Bagle – Zafi – MyDoom – Lovsan/Blaster – Klez – BugBear

  7. Attacks carried out using computers (Computer Crime)
    Attacks carried out over the Internet (Cyber Crime)

  9. The main WordPress-based attacks
    WordPress remains the main target of CMS attacks
    - Brute-force password-guessing attacks
    - XSS (CSS)
    - SQL Injection
    - Directory Indexing
    Honorable Mentions
    - Image HotLinking

  10. Brute Force Attack
    Or Dictionary attack
    A Brute Force Attack is an automated process carried out by a program that tries to guess
    your password by working through a list of words, symbols and numbers (wordlists).
    The attacker will try to compromise your website by brute forcing your wp-login.php.

  11. Cross Site Scripting Attack
    Hack-Attack that exploits web applications.
    A security exploit in which an attacker inserts malicious code into a link
    that appears to be from a trustworthy source.

  12. Cross Site Scripting Attack
    http://www.xssed.com/archive
    Theft of passwords/accounts and personal data
    Changing browser settings
    Cookie theft
    XSS, SQL Injections and Brute Force Attacks are the most common attacks on WP

  13. The attacker injects a payload into the website's database by submitting malicious JavaScript through a vulnerable form.
    1. The victim requests the web page from the website.
    2. The website serves the victim's browser the page with the attacker's payload as part of the HTML body.
    3. The victim's browser will execute the malicious script inside the HTML body.
    In this case it would send the victim's cookie to the attacker's server.
    The attacker now simply needs to extract the victim's cookie when the HTTP request arrives at the server,
    after which the attacker can use the victim's stolen cookie for impersonation.
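
The stored flow above only works when step 2 writes the stored value into the HTML body unescaped. The following added example (not from the original deck) renders the same constructed rows with and without output escaping and checks which version still contains active content; the function names are hypothetical and the probes are harmless strings. WordPress themes and plugins do the equivalent escaping with esc_html() and esc_attr().

```python
import html
from html.parser import HTMLParser

class ActiveContentFinder(HTMLParser):
    """Collects <script> tags and on* event-handler attributes."""
    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.found.append("<script>")
        self.found += [name for name, _ in attrs if name.startswith("on")]

def active_content(page):
    """Return the active elements a browser would see in `page`."""
    finder = ActiveContentFinder()
    finder.feed(page)
    finder.close()
    return finder.found

def render_comments(comments, escape):
    """Build the HTML body served in step 2 from stored comments."""
    items = []
    for comment in comments:
        body = html.escape(comment, quote=True) if escape else comment
        items.append(f"<li>{body}</li>")
    return "<ul>" + "".join(items) + "</ul>"

# Constructed "database" rows: one normal comment and two harmless probes.
STORED = [
    "Nice post!",
    "<script>console.log('xss-probe')</script>",
    '<img src="x" onerror="console.log(1)">',
]

if __name__ == "__main__":
    for escape in (False, True):
        page = render_comments(STORED, escape)
        print(f"escape={escape}: active content = {active_content(page)}")
```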

  14. SQL Injection
    Query Database Attack.
    The attacker tries to find vulnerable queries in the code.
    Access to the whole database: tables and schema.

  15. Directory Indexing
    Is a way for an attacker to find out our server's folder structure.
    The attacker can find our server user name in the process.

  16. Image HotLinking
    The ability for another website to use our own bandwidth

  17. DDoS
    A DDoS, or Distributed Denial of Service attack, targets a single system (or multiple systems)
    by sending a very large amount of traffic to it, finally overwhelming it and making it unavailable.
    Distributed via botnets (infected systems)
    Types of DDoS Attacks
    Traffic Attacks
    Bandwidth Attacks
    Application Attacks

  18. Live Demonstration On Brute Forcing a WordPress Installation
    Do Not Try this at Home. The following operation is illegal and must be
    performed only after having the necessary permissions on the server and the website
    from the rightful owner.

  19. Ways to Secure your Installation

  20. Don't use the 'admin' username
    Good Passwords
    Security Plugins
    /plugins/google-authenticator/
    Two Step Verification
    WordFence
    Clef

  21. Additional measures against attacks on wp-login.php
    Password Protect the wp-login.php File
    Step 1
    MD5 algorithm - crypt() passwords, on both Linux and Windows
    http://www.htaccesstools.com/htpasswd-generator/
    1. Visit: http://www.htaccesstools.com/htpasswd-generator/
    2. Use the form to create the username and password.
    3. Login to cPanel in another window or tab.
    4. Click on File Manager.
    5. Select Home Directory.
    6. Check Show Hidden Files (dotfiles) if not already checked.
    7. Click on the Go button.
    8. Look for a .wpadmin file.
       If one exists, right click on it and select Code Edit
       to open the editor. Click on the Edit button to edit the file.
       If one does not exist, click on New File at the top
       of the page, specify the name as .wpadmin
       (with the dot at the front) and click on the Create New File button.
    9. Paste the code provided from the website in step 2.
    10. Click on the Save Changes button when complete.
    11. You can Close the file when finished.

  22. Additional measures against attacks on wp-login.php
    Password Protect the wp-login.php File
    Step 2
    ErrorDocument 401 "Unauthorized Access"
    ErrorDocument 403 "Forbidden"
    # Require HTTP Basic authentication for the login file only.
    <FilesMatch "wp-login.php">
    AuthName "Authorized Only"
    AuthType Basic
    AuthUserFile /home/username/.wpadmin
    require valid-user
    </FilesMatch>
    username: the username we have in cPanel

  23. Block access to wp-admin by IP.
    In our .htaccess file:
    # Block access to wp-admin.
    # Apache 2.2 syntax; on Apache 2.4 the same rule is written with "Require ip".
    order deny,allow
    allow from x.x.x.x
    deny from all

  24. Protect your WP Installation from XSS by:
    1. Keep your systems secured and updated.
    2. Always download Themes and Plugins from trusted sources.
    3. Ninja Firewall (WP Plugin)
    4. Bullet Proof Security (WP Plugin)

  25. Preventing SQL Injection
    By using plugins.
    By using .htaccess (see Appendix 1).
    By changing the default database prefix.

  26. Prevent Directory Indexing
    By configuring your .htaccess file. Drop in the code:
    Options -Indexes
    By creating a blank index.php in all your subfolders.

  27. Prevent Image HotLinking
    RewriteEngine on
    # Allow empty referers and requests coming from our own domains.
    RewriteCond %{HTTP_REFERER} !^$
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?your-site.com [NC]
    RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?your-other-domain.com [NC]
    # Redirect every other image request to a placeholder image.
    RewriteRule \.(jpg|jpeg|png|gif)$ "http://ieikonamou.png" [NC,R,L]

  28. Appendix 1

    RewriteEngine On
    RewriteBase /
    # Refuse request methods the site does not need.
    RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC]
    RewriteRule ^(.*)$ - [F,L]
    # Refuse suspicious query strings unless the request carries a WordPress login cookie.
    RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR]
    RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
    RewriteCond %{QUERY_STRING} tag\= [NC,OR]
    RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
    RewriteCond %{QUERY_STRING} http\: [NC,OR]
    RewriteCond %{QUERY_STRING} https\: [NC,OR]
    RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
    RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR]
    RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|ê|"|;|\?|\*|=$).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(&#x22;|&#x27;|&#x3C;|&#x3E;|&#x5C;|&#x7B;|&#x7C;).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR]
    RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC]
    RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$
    RewriteRule ^(.*)$ - [F,L]
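
Keyword filters like the one in Appendix 1 also refuse ordinary requests, so it is worth running sample query strings through them before deploying. The following added example (not part of the original deck) mirrors the rule's logic, where the OR-chained conditions form one group that is then ANDed with the cookie condition; it uses a subset of the slide's patterns, Python's re in place of Apache's regex engine, and constructed query strings.

```python
import re

# Subset of the OR-chained QUERY_STRING patterns from the slide, with
# redundant escapes dropped. Python's re stands in for Apache's PCRE.
QUERY_PATTERNS = [
    r"\.\./", r"boot\.ini", r"tag=", r"ftp:", r"http:", r"https:",
    r"base64_encode.*\(.*\)",
    r"(globals|encode|localhost|loopback)",
    r"(request|select|insert|union|declare)",
]
COMPILED = [re.compile(p, re.IGNORECASE) for p in QUERY_PATTERNS]  # [NC]

def is_forbidden(query_string, cookie_header=""):
    """Return (forbidden, first_matching_pattern).

    Forbidden means: some pattern matches the raw query string AND the
    Cookie header has no wordpress_logged_in_ cookie. Like the rule, this
    only checks that the cookie name is present, not that it is valid."""
    hit = next((c.pattern for c in COMPILED if c.search(query_string)), None)
    logged_in = "wordpress_logged_in_" in cookie_header
    return (hit is not None and not logged_in), hit

# Constructed requests: (query string, Cookie header).
SAMPLES = [
    ("p=42", ""),                                   # ordinary permalink
    ("page=../../notes.txt", ""),                   # traversal sequence
    ("s=credit+union", ""),                         # legitimate site search
    ("s=credit+union", "wordpress_logged_in_x=1"),  # same search, logged in
]

def audit(samples):
    """Evaluate every sample and return (query, forbidden, pattern) rows."""
    return [(q,) + is_forbidden(q, cookie) for q, cookie in samples]

if __name__ == "__main__":
    for query, forbidden, pattern in audit(SAMPLES):
        verdict = "403" if forbidden else "ok"
        print(f"{verdict:>3}  {query:<24} matched: {pattern}")
```

The third sample shows the cost of the last condition: an anonymous visitor searching the site for "credit union" receives a 403.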

  29. Recommended WordPress Security Plugins
    -Brute Forcing (etc) -IDS - Firewall +Scanners
    1. Block Bad Queries (BBQ)
    2. WordFence
    3. WordPress Simple Firewall
    1. Acunetix WP Security
    2. Sucuri
    3. iThemes Sec Pro
    1. Sucuri
    2. iThemes Sec Pro

  30. General Guidelines
    1. Maintain strong passwords.
    2. Always Update Everything.
    3. Protect your WordPress Admin.
    4. Guard against Brute Force Attacks.
    5. Monitor for malware.
    6. ...Then do something about malware.
    7. Choose the right Web Host.
    8. Always have your site cleaned.
    9. Control sensitive information.
    10. Use any CDN Service.

  31. 11. Stay Vigilant!!!

  32. Extra Web Security Information
    DNS and DNSSEC
    DNS is the system that lets your browser know which web server to connect to
    when you request to visit a website.
    It's the underlying backbone of the usable internet and yet is vulnerable
    to man-in-the-middle attacks.
    There is a solution. It's called DNSSEC and it adds cryptographic hashes and
    signatures for authenticating DNS records.
    The DNSSEC beta is open to all websites that use CloudFlare for DNS.
    Email for beta access: [email protected]