
WordPress X-Files - Makis Mourelatos


WORDPRESS HACKED SITES
ONE STORY, MANY TALES

WordPress Greek Community

April 18, 2018

Transcript

  1. Gerasimos Mourelatos, WordPress Security Aficionado. “The problem of viruses is temporary and will be solved in two years” (John McAfee, 1988)
  2. WORDPRESS HACKED SITES: ONE STORY, MANY TALES
     • HOSTING
     • WORDPRESS CORE
     • WORDPRESS THEMES
     • WORDPRESS PLUGINS
     • LEAKED PASSWORDS
     infographic source: wptemplate.com
  3. NUMBERS AND STATS
     Chart: vulnerabilities by type (WordPress core, Plugins, Themes); values shown: 8327, 2580, 351.
     stats source: wpvulndb.com/statistics
  4. MORE NUMBERS AND STATS
     Chart: Top 5 vulnerable plugins (NextGen Gallery, WP Symposium, W3 Total Cache, Better WP Security, WooCommerce); values shown: 15, 14, 13, 12, 12.
     Chart: Top 5 vulnerable themes (Persuasion, Echelon, Construct, Awake, Modular); values shown: 5, 5, 4, 4, 4.
     stats source: wpvulndb.com/statistics
  5. Hosting
     • Shared server accounts
     • Outdated server configuration
     • Bad server configuration
     • Free hosting providers
  6. Core Files
     • Older versions
     • Combined with sloppily developed plugins/themes
     • Often rely on outdated technologies (e.g. SWFUpload)
  7. Themes
     • Sloppily developed themes (e.g. Avada)
     • Nulled themes
     • Themes that use vulnerable plugins
     image source: wpbeginner.com
  8. FAKE SEO PLUGIN
     • SEO Plugin
     • Fake for WordPress SEO Tools
     • Installed secretly
     • Looks OK, but it's not!
     • Backdoor
     threat source: wpdistrict.sitelock.com
  9. BUSTED!
     • Installed through vulnerable WP setups or plugins
     • Main files mimic valid WP plugin files
     • Use obfuscated code for malicious purposes
  10. FAIRYTALE GONE BAD
     • Well known WP plugin
     • Sold to a new owner
     • New owner starts abusing it
     • Spam code published to sites
     • Plugin de-activated from WP.org
  11. LEAKED PASSWORDS (HOT TOPIC!)
     • LinkedIn, MySpace etc.
     • More than 31 leaks
     • More than 1 billion accounts
     • "123456", "123456789", "111111", "qwerty" & "12345678"
     • 20% of users reused passwords
     source: sec.hpi.de
  12. STEPS TO DEAL OUT PWN(O) ("πόνο": pain)
     • Use a VPN service
     • Search your target mail (gmail is ideal)
     • Query email for leak
     • Try to log in to the email account
     • BOOM!
     • Use the same login details for the WP Dashboard
     • BOOM!
  13. SECURE YOUR WORDPRESS
     • CHOOSE A RELIABLE HOSTING PROVIDER
     • UPDATE UPDATE UPDATE
     • CHANGE ADMIN USERNAME TO A RANDOM ONE
     • USE COMPLEX PASSWORDS AND 2FA
     • NO MORE THAN ONE ADMIN ACCOUNT
     • USE HTTPS
     • CHANGE WP DASHBOARD LOGIN URL
     • USE AS FEW THEMES AND PLUGINS AS POSSIBLE
     • DELETE ANY INACTIVE THEMES/PLUGINS
     • BACKUP DAILY (HOSTING REQUIREMENT)
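As an added example (not code from the talk or from any of the plugins it lists), the following Python script implements the two defensive ideas behind slides 9 and 13: a hash baseline of the plugin directory that reports added, removed and modified files (what the "file changes monitor" class of plugin does), and a scan for the obfuscation constructs that lookalike plugins typically hide behind. The directory layout, plugin names and file contents are constructed for the demo; the indicator list is a heuristic, so a hit means "review this file", not "this file is malicious".

```python
"""Baseline-and-diff file monitor with an obfuscation heuristic for a WordPress
plugin tree. Added example, not code from the talk or any plugin; the plugin
names and file contents below are constructed for the demo."""
import hashlib
import os
import re
import tempfile
from pathlib import Path

# Constructs commonly seen in obfuscated PHP droppers. Presence is a signal for
# review, not proof of compromise: legitimate code uses some of these too.
INDICATOR_PATTERNS = {
    "eval": re.compile(r"\beval\s*\("),
    "base64_decode": re.compile(r"\bbase64_decode\s*\("),
    "gzinflate": re.compile(r"\bgzinflate\s*\("),
    "str_rot13": re.compile(r"\bstr_rot13\s*\("),
    "long_base64_literal": re.compile(r"['\"][A-Za-z0-9+/=]{120,}['\"]"),
}


def sha256_file(path: Path) -> str:
    """SHA-256 hex digest of one file, read in chunks."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def hash_tree(root: Path) -> dict:
    """Map each file's path (relative to root, '/'-separated) to its digest."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): sha256_file(p)
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def diff_baseline(baseline: dict, current: dict) -> dict:
    """Files added, removed or modified since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(k for k in baseline
                           if k in current and baseline[k] != current[k]),
    }


def suspicious_indicators(source: str) -> list:
    """Names of the obfuscation patterns present in a PHP source string."""
    return [name for name, rx in INDICATOR_PATTERNS.items() if rx.search(source)]


def scan_php_tree(root: Path) -> dict:
    """Relative path -> indicator names, for every PHP file with at least one hit."""
    hits = {}
    for p in sorted(root.rglob("*.php")):
        found = suspicious_indicators(p.read_text(errors="replace"))
        if found:
            hits[str(p.relative_to(root)).replace(os.sep, "/")] = found
    return hits


# Constructed samples: a benign plugin and a lookalike that hides an encoded blob.
CLEAN_PLUGIN = (
    "<?php\n/* Plugin Name: Demo SEO */\n"
    "add_action('init', 'demo_seo_init');\n"
)
LOOKALIKE_PLUGIN = (
    "<?php\n/* Plugin Name: Demo SEO Tools */\n"
    "$payload = 'PLACEHOLDER_BASE64_BLOB'; // constructed stand-in for an encoded blob\n"
    "@eval(base64_decode($payload));\n"
)


def run_demo() -> dict:
    """Build the constructed plugin tree, take a baseline, tamper with it, report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "wp-content" / "plugins"
        (root / "demo-seo").mkdir(parents=True)
        (root / "demo-seo" / "demo-seo.php").write_text(CLEAN_PLUGIN)
        baseline = hash_tree(root)

        # Simulated compromise: a lookalike plugin appears and the real one is edited.
        (root / "demo-seo-tools").mkdir()
        (root / "demo-seo-tools" / "demo-seo-tools.php").write_text(LOOKALIKE_PLUGIN)
        (root / "demo-seo" / "demo-seo.php").write_text(CLEAN_PLUGIN + "// appended line\n")

        return {
            "changes": diff_baseline(baseline, hash_tree(root)),
            "indicators": scan_php_tree(root),
        }


if __name__ == "__main__":
    report = run_demo()
    print("file changes:", report["changes"])
    print("obfuscation indicators:", report["indicators"])
```

In real use the baseline would be written to disk right after a clean install or update and compared on a schedule; the heuristic scan is a triage aid for the files the diff flags, not a replacement for removing inactive plugins and keeping the rest updated.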
  14. USEFUL RESOURCES
     • https://wordpress.org/plugins/dropbox-backup/
     • https://wordpress.org/plugins/rename-wp-login/
     • https://wordpress.org/plugins/limit-login-attempts
     • https://wordpress.org/plugins/google-authenticator/
     • https://wordpress.org/plugins/username-changer/
     • https://wordpress.org/plugins/file-changes-monitor/
     • https://wordpress.org/about/security/
     • https://sec.hpi.de/ilc/search
     • https://www.schneier.com/
  15. "I am regularly asked what the average Internet user can do to ensure his security. My first answer is usually 'Nothing; you're screwed'." (Bruce Schneier)