Upgrade to Pro — share decks privately, control downloads, hide ads and more …

WordPress X-Files - Makis Mourelatos

WordPress X-Files - Makis Mourelatos

WORDPRESS HACKED SITES
ONE STORY, MANY TALES

A717e9d055b2284e573b2412e32f5397?s=128

WordPress Greek Community

April 18, 2018
Tweet

Transcript

  1. 12th WordPress Larissa Meetup image source: fb.com/Syriopoulos.Kostas

  2. Gerasimos Mourelatos WordPress Security Afciooado “The problem of viruses is

    temporary and will be solved in two years” John McAffe, 1988
  3. WORDPRESS HACKED SITES ONE STORY, MANY TALES • HOSTING •

    WORDPRESS CORE • WORDPRESS THEMES • WORDPESS PLUGINS • LEAKED PASSWORDS infographic source: wptemplate.com
  4. NUMBERS AND STATS 8327 2580 351 Vulnerabilities by type WordPress

    Plugins Themes stats source: wpvulndb.com/statistics
  5. MORE NUMBERS AND STATS 15 14 13 12 12 Top

    5 Vulnerable Plugins NextGen Gallery WP Symposium W3 Total Cache Better WP Se- curity WooCommerce Persuasion Echelon Construct Awake Modular 0 1 2 3 4 5 6 5 5 4 4 4 Top 5 Vulnerable Themes stats source: wpvulndb.com/statistics
  6. • Shared server accounts • Outdated server configuration • Bad

    server configuration • Free hosting providers Hosting
  7. • Παλαιότερες εκδόσεις • Συνδυασμός με πρόχειρα ανεπτυγμένα plugin/themes •

    Πολλές φορές βασίζονται σε παρωχημένες τεχνολογίες (π.χ. SWFUpload) Core Files
  8. • Πρόχειρα ανεπτυγμένα Themes(π.χ. Avada) • Nulled Themes • Themes

    που χρησιμοποιούν Vulnerable Plugins Themes image source: wpbeginner.com
  9. PLUGINS • Πρόχειρα ανεπτυγμένα Plugins(π.χ. Revslider) • Nulled Plugins •

    Fake Plugins(!!!)
  10. FAKE SEO PLUGIN • SEO Plugin • Fake for WordPress

    SEO Tools • Installed secretly • Looks OK, but its not! • Backdoor threat source: wpdistrict.sitelock.com
  11. BUSTED! • Installed through vulnerable WP setups or plugins •

    Main files mimic valid WP plugin files • Use obfuscated code for malicious purposes
  12. FAIRYTALE GONE BAD • Well known WP Plugin • Sold

    to a new owner • New owner starts abusing it • Spam code published to sites • Plugin de-activated from WP.org
  13. LEAKED PASSWORDS(HOT TOPIC!) • Linkedin, MySpace etc • More than

    31 leaks • More than 1 billion accounts • "123456", "123456789", "111111", "qwerty" & "12345678" • 20% of users reused passwords source: sec.hpi.de
  14. STEPS ΓΙΑ ΝΑ ΜΟΙΡΑΣΕΙΣ PWN(O) • Use a VPN service

    • Search your target mail (gmail is ideal) • Query email for leak • Try and login to the email account • BOOM! • Use the same login details for the WP Dashboard • BOOM!
  15. SECURE YOUR WORDPRESS • ΕΠΙΛΕΞΤΕ ΑΞΙΟΠΙΣΤΟ HOSTING PROVIDER • UPDATE

    UPDATE UPDATE • CHANGE ADMIN USERNAME TO A RANDOM ONE • USE COMPLEX PASSWORDS AND 2FA • NO MORE THAN ONE ADMIN ACCOUNT • USE HTTPS • CHANGE WP DASHBOARD LOGIN URL • USE AS LESS AS POSSIBLE THEMES AND PLUGINS • DELETE ANY INACTIVE THEMES/PLUGINS • BACKUP DAILY(HOSTING REQUIREMENT)
  16. • https://wordpress.org/plugins/dropbox-backup/ • https://wordpress.org/plugins/rename-wp-login/ • https://wordpress.org/plugins/limit-login-attempts • https://wordpress.org/plugins/google-authenticator/ • https://wordpress.org/plugins/username-changer/

    • https://wordpress.org/plugins/file-changes-monitor/ • https://wordpress.org/about/security/ • https://sec.hpi.de/ilc/search • https://www.schneier.com/ USEFUL RESOURCES
  17. "I am regularly asked what the average Internet user can

    do to ensure his security. My first answer is usually 'Nothing; you're screwed'." Quote by Bruce Schneier