Moving at the Speed of Creativity by Wesley Fryer

Security Tips for WordPress: Understanding Network Attacks

These are my notes from the April 20, 2012, Oklahoma City WordPress User’s Group meeting which focused on “Security Tips for WordPress.” The security portion of our meet up tonight was shared by Chris Dodds, whose website is FocusFire. (@focusfirebiz on Twitter) MY THOUGHTS AND COMMENTS ARE IN ALL CAPS. We met at The Div in Edmond.

'im in ur fiirwalz watchin ur pakkitz (by Andy Cunningham)' photo (c) 2009, Noah Sussman - license: http://creativecommons.org/licenses/by/2.0/

Chris is owner and principal advisor at Focusfire IT Strategy and Consulting
– has 10_ years of experience across multiple industries and IT disciplines
– ‘my system requirements: food, water, and internet connectivity’

This not is NOT about the top 5 WordPress security threats
– going to talk about the anatomy of attacks rather than specific threats, since specific threats change regularly

Thinks hackers might care about that aren’t your blog specifically
– your fancy server
– your fancy employer
– your fancy audience

Some hacker goals are to take control of servers to attack others
– maybe to attack a bank
– this can make attacks look like they are coming from someone else
– hacker can use a server as a ‘drop off point’ also to share information and files

hackers who want to spread malware, trojan files or other viruses

It’s not about you, when it comes to hackers, it’s due to your assets in many cases
– this is especially true for hobbyists

Who are hacking
script kiddies
hacktivists (hackers with an agenda: religious, environmental, etc. Anonymous is an example)
– professional criminals (have a lot of money to hire people)
– information warriors (Iran, China, US, etc. There are SO many people in China now focused on hacking, the scale of this is huge)

Comment from a participant about travels to China: Be very careful where you go, what you take
– computers can be taken from your room and the hard drive copied
– lots of people work for the government

Attacks are structured similarly
1 – enumeration: identifying your target, who is it, as much info as possible about your target (learning every bit of information they can for password resets)
— if attacking WordPress: is it hosted, on WordPress.com, what server OS is the host running

Handy Google search modifier: allinurl:/wp-admin/wp-login.php
– this yields about 2.3 million URLs
– and then I can do lots of automated things against those websites

2- access:
— lots of people might say their hotmail or gmail “got hacked,” but usually that happens when someone guesses your password
— that’s really not a hack, it’s guessing
— lots of security questions are public information
— think through what information you are putting out online, as well as what you put into security questions
— these are not technical things, it’s just research

Real password attacks can be automated
– uses a dictionary file
– exploits weak passwords
– dictionary based
– can be entirely automated

3- exploitation:
– can be installing a virus or key logger
– installing spam links
ToolsPack Plugin was found on about 30,000 WordPress blogs
– there is 1 line of code that is malicious, uses the EVAL PHP command to execute a string
– SQL injection attack

BackupBuddy is a tool which scans your backups

Payloads can be keylogger, trojan, spyware, virus, or even ransom ware (put in your credit card number to recover your files)
– SEO Spam is being reduced now thanks to work by Google, Bing and others: includes links and keywords
– hidden keywords
– also can try to build a link farm

Redirects or hijacks are also common

Best practices:
1- update! update! update!
– backup and test your backups
– use a unique passphrase
– don’t use the ‘admin’ user
– disable or delete un-used plugins

Input Sanitization is good for plugin developers, can prevent a lot of attacks that way
– lots of plugin hacks exploit plugs with poor sanitization

Soapbox about comments:
– many people have comments to drive page views, especially if advertising
– if you don’t need income from your comments, I recommend disabling them
– I derive little value from comments on any websites, so I disable comments on all my sites
– I put a comment up on my site instead of commenting on theirs, and email them to let them know

MY COMMENT: THE VALUE OF COMMENTS IS CERTAINLY DIFFERENT FOR ME IN THE EDUCATION CONTEXT…

Every time I’ve ever needed a backup in a corporate situation, it’s never worked because people NEVER TESTED IT

MY COMMENT: THIS IS SUCH A GREAT TIP. I WONDER HOW MANY PEOPLE HAVE ACTUALLY TESTED THEIR BACKUPS. I AM GOING TO DO THIS ON MY MAIN WORDPRESS INSTALLS.

Change the default user so you do NOT use admin
– now you can do this in WordPress

MY COMMENT: THIS IS A GREAT TIP AND I AM GOING TO FOLLOW IT!

As a security and IT professional I probably hate passwords more than anyone
– I recommend using a passphrase because they are easier to remember
– example: use “walrusslingshotmoonbeam” instead of “S3xyP@nda”
– most people have an easier time remembering a passphrase

Utility “1 Password” is great
– works on Mac, Windows, iOS and Android
– syncs to DropBox

Recommended WordPress Plugins

Backup:
BackWPop is open source or BAckupBuddy

Security
Better WP Security (open source – does let you limit login attempts plus a LOT more)
Limit Login Attempts (open source)
– Securi SiteCheck Scanner (sitecheck.sucuri.net/scanner)

These are all things your attacker will do once they control your site

Always perform a backup of your WordPress database before installing plugins, especially security plugins which probably are going to make database changes

Nothing will make your WordPress installation bulletproof, but these suggestions can separate you from the herd

Technorati Tags: , , , , ,


Posted

in

, ,

by

Tags:

Comments

2 responses to “Security Tips for WordPress: Understanding Network Attacks”

  1. Chris Dodds Avatar

    I’m going to be hypocritical and break my comment rule. 
    Thanks for the write up. It’s been a while since I’ve done a talk, but I had fun. I hope you guys all did too.

  2. Wesley Fryer Avatar

    Most rules need to be broken under certain circumstances. 🙂

    Thanks so much for your great talk tonight, Chris, I learned a lot!