These are my notes from the April 20, 2012, Oklahoma City WordPress User’s Group meeting which focused on “Security Tips for WordPress.” The security portion of our meet up tonight was shared by Chris Dodds, whose website is FocusFire. (@focusfirebiz on Twitter) MY THOUGHTS AND COMMENTS ARE IN ALL CAPS. We met at The Div in Edmond.
Chris is owner and principal advisor at Focusfire IT Strategy and Consulting
– has 10+ years of experience across multiple industries and IT disciplines
– ‘my system requirements: food, water, and internet connectivity’
This talk is NOT about the top 5 WordPress security threats
– going to talk about the anatomy of attacks rather than specific threats, since specific threats change regularly
Things hackers might care about that aren’t your blog specifically
– your fancy server
– your fancy employer
– your fancy audience
Some hacker goals are to take control of servers to attack others
– maybe to attack a bank
– this can make attacks look like they are coming from someone else
– a hacker can also use your server as a ‘drop-off point’ to share information and files
– some hackers want to spread malware, trojans or other viruses
It’s not about you, when it comes to hackers, it’s due to your assets in many cases
– this is especially true for hobbyists
Who is hacking?
– script kiddies
– hacktivists (hackers with an agenda: religious, environmental, etc. Anonymous is an example)
– professional criminals (have a lot of money to hire people)
– information warriors (Iran, China, US, etc. There are SO many people in China now focused on hacking, the scale of this is huge)
Comment from a participant about travels to China: Be very careful where you go, what you take
– computers can be taken from your room and the hard drive copied
– lots of people work for the government
Attacks are structured similarly
1 – enumeration: identifying your target, who is it, as much info as possible about your target (learning every bit of information they can for password resets)
— if attacking WordPress: is it self-hosted or on WordPress.com, what server OS is the host running
Handy Google search modifier: allinurl:/wp-admin/wp-login.php
– this yields about 2.3 million URLs
– and then I can do lots of automated things against those websites
2- access:
— lots of people might say their hotmail or gmail “got hacked,” but usually that happens when someone guesses your password
— that’s really not a hack, it’s guessing
— lots of security questions are public information
— think through what information you are putting out online, as well as what you put into security questions
— these are not technical things, it’s just research
Real password attacks can be automated
– use a dictionary file of common passwords
– exploit weak passwords
– can be entirely automated, one guess after another against the login form
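The two points above (automated dictionary guessing, and the value of limiting login attempts, which is what the Limit Login Attempts plugin recommended later in these notes does) can be seen together in a small simulation. This is an added example written for these notes, not code from the talk or from any plugin. The credential store, the lockout thresholds and the sample login attempts are all constructed assumptions; a real site checks a salted password hash rather than a plaintext dictionary.

```python
"""Per-IP login lockout, shown against a scripted dictionary attack (added example)."""
from collections import defaultdict, deque

# Hypothetical credential store; a real site compares against a salted hash instead.
VALID_CREDENTIALS = {"editor": "walrusslingshotmoonbeam"}

# Constructed attempts: (seconds since start, source IP, username, password tried).
# The first seven imitate a scripted dictionary attack against the default 'admin'
# user; the last two are a legitimate editor logging in from another address.
SAMPLE_ATTEMPTS = [
    (0, "198.51.100.7", "admin", "123456"),
    (1, "198.51.100.7", "admin", "password"),
    (2, "198.51.100.7", "admin", "qwerty"),
    (3, "198.51.100.7", "admin", "letmein"),
    (4, "198.51.100.7", "admin", "admin"),
    (5, "198.51.100.7", "editor", "walrusslingshotmoonbeam"),  # correct guess, but too late
    (6, "198.51.100.7", "editor", "S3xyP@nda"),
    (30, "203.0.113.9", "editor", "walrusslingshotmoonbeam"),
    (31, "203.0.113.9", "editor", "wrongpass"),
]


def check_password(user, password):
    """Toy credential check (assumption: plaintext compare, for the demo only)."""
    return VALID_CREDENTIALS.get(user) == password


class LoginGuard:
    """Lock a source IP after max_failures failed logins inside window_seconds."""

    def __init__(self, max_failures=5, window_seconds=300, lockout_seconds=900):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self.locked_until = {}              # ip -> time at which the lockout expires

    def attempt(self, now, ip, user, password):
        """Return 'locked', 'ok' or 'fail'.

        A locked source is refused before the password is even checked, so a
        correct guess that arrives during the lockout still fails.
        """
        if self.locked_until.get(ip, -1) > now:
            return "locked"
        if check_password(user, password):
            self.failures.pop(ip, None)  # a real login clears the failure history
            return "ok"
        recent = self.failures[ip]
        recent.append(now)
        while recent and now - recent[0] > self.window:  # forget old failures
            recent.popleft()
        if len(recent) >= self.max_failures:
            self.locked_until[ip] = now + self.lockout
            recent.clear()
        return "fail"


def run(attempts, guard=None):
    """Outcome of each attempt with the lockout in place."""
    guard = guard or LoginGuard()
    return [guard.attempt(*a) for a in attempts]


def run_unguarded(attempts):
    """Outcome of each attempt with no lockout: the dictionary eventually wins."""
    return ["ok" if check_password(u, p) else "fail" for _, _, u, p in attempts]


if __name__ == "__main__":
    for a, g, u in zip(SAMPLE_ATTEMPTS, run(SAMPLE_ATTEMPTS), run_unguarded(SAMPLE_ATTEMPTS)):
        print(f"t={a[0]:>3}s {a[1]:<14} {a[2]:<7} guarded={g:<6} unguarded={u}")
```

Note that the guard keys on the source IP, as the plugin does. A botnet that rotates addresses, or a site behind a reverse proxy that does not pass the real client address through, weakens this considerably, which is why it complements a strong passphrase rather than replacing one.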
3- exploitation:
– can be installing a virus or keylogger
– installing spam links
– ToolsPack Plugin was found on about 30,000 WordPress blogs
– there is 1 line of code that is malicious: it uses the PHP eval command to execute a string
– SQL injection attack
BackupBuddy is a tool which scans your backups
Payloads can be a keylogger, trojan, spyware, virus, or even ransomware (put in your credit card number to recover your files)
– SEO Spam is being reduced now thanks to work by Google, Bing and others: includes links and keywords
– hidden keywords
– also can try to build a link farm
Redirects or hijacks are also common
Best practices:
1- update! update! update!
– backup and test your backups
– use a unique passphrase
– don’t use the ‘admin’ user
– disable or delete un-used plugins
Input sanitization matters for plugin developers; it can prevent a lot of attacks
– lots of plugin hacks exploit plugins with poor sanitization
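To make the sanitization point and the SQL injection item from the exploitation list concrete, here is an added example (written for these notes, not code from the talk or from WordPress) that runs the same query two ways against a constructed in-memory table standing in for wp_posts and wp_users. The table contents, the fake password hash and the request values are all made up; in a real plugin the bound-parameter form corresponds to $wpdb->prepare().

```python
"""String-built SQL versus bound parameters, run against a constructed table (added example)."""
import sqlite3

# Values a plugin should accept for a post status (assumption: a fixed allow-list).
ALLOWED_STATUS = {"publish", "draft", "private"}

# Request values as an attacker would submit them (constructed).
INJECT_ALL = "' OR '1'='1"
INJECT_UNION = "' UNION SELECT user_pass FROM users -- "


def make_db():
    """Constructed in-memory stand-in for wp_posts and wp_users."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, post_title TEXT, post_status TEXT)")
    conn.executemany(
        "INSERT INTO posts (post_title, post_status) VALUES (?, ?)",
        [("Hello world", "publish"), ("Unfinished draft", "draft"), ("Private note", "private")],
    )
    conn.execute("CREATE TABLE users (user_login TEXT, user_pass TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)", ("admin", "$P$BconstructedFakeHash000000000"))
    return conn


def titles_vulnerable(conn, status):
    """Plugin-style query that pastes a request parameter straight into the SQL text."""
    sql = "SELECT post_title FROM posts WHERE post_status = '%s'" % status
    return [row[0] for row in conn.execute(sql)]


def titles_safe(conn, status):
    """Same query with a bound parameter: the value can never become SQL syntax."""
    sql = "SELECT post_title FROM posts WHERE post_status = ?"
    return [row[0] for row in conn.execute(sql, (status,))]


def sanitize_status(value):
    """Input sanitization for an enumerated field: accept only known values."""
    if value not in ALLOWED_STATUS:
        raise ValueError("unexpected post_status value: %r" % value)
    return value


if __name__ == "__main__":
    db = make_db()
    print("normal request  :", titles_vulnerable(db, "publish"))
    print("OR-injection    :", titles_vulnerable(db, INJECT_ALL))    # every post, any status
    print("UNION-injection :", titles_vulnerable(db, INJECT_UNION))  # leaks the password hash
    print("bound parameter :", titles_safe(db, INJECT_ALL))          # nothing matches
    try:
        sanitize_status(INJECT_ALL)
    except ValueError as exc:
        print("allow-list      :", exc)
```

The two defenses are complementary: binding parameters stops the value from being parsed as SQL, and the allow-list rejects nonsense before it reaches the database at all. Sanitization on output (escaping HTML) is a separate concern from sanitization on input and both are needed.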
Soapbox about comments:
– many people have comments to drive page views, especially if advertising
– if you don’t need income from your comments, I recommend disabling them
– I derive little value from comments on any websites, so I disable comments on all my sites
– I put a comment up on my site instead of commenting on theirs, and email them to let them know
MY COMMENT: THE VALUE OF COMMENTS IS CERTAINLY DIFFERENT FOR ME IN THE EDUCATION CONTEXT…
Every time I’ve ever needed a backup in a corporate situation, it’s never worked because people NEVER TESTED IT
MY COMMENT: THIS IS SUCH A GREAT TIP. I WONDER HOW MANY PEOPLE HAVE ACTUALLY TESTED THEIR BACKUPS. I AM GOING TO DO THIS ON MY MAIN WORDPRESS INSTALLS.
Change the default user so you do NOT use admin
– now you can do this in WordPress
MY COMMENT: THIS IS A GREAT TIP AND I AM GOING TO FOLLOW IT!
As a security and IT professional I probably hate passwords more than anyone
– I recommend using a passphrase because they are easier to remember
– example: use “walrusslingshotmoonbeam” instead of “S3xyP@nda”
– most people have an easier time remembering a passphrase
The utility 1Password is great
– works on Mac, Windows, iOS and Android
– syncs via Dropbox
Recommended WordPress Plugins
Backup:
– BackWPup (open source) or BackupBuddy
Security
– Better WP Security (open source – does let you limit login attempts plus a LOT more)
– Limit Login Attempts (open source)
– Sucuri SiteCheck Scanner (sitecheck.sucuri.net/scanner)
These are all things your attacker will do once they control your site
Always perform a backup of your WordPress database before installing plugins, especially security plugins which probably are going to make database changes
Nothing will make your WordPress installation bulletproof, but these suggestions can separate you from the herd
Comments
2 responses to “Security Tips for WordPress: Understanding Network Attacks”
I’m going to be hypocritical and break my comment rule.
Thanks for the write up. It’s been a while since I’ve done a talk, but I had fun. I hope you guys all did too.
Most rules need to be broken under certain circumstances. 🙂
Thanks so much for your great talk tonight, Chris, I learned a lot!