Hardening WordPress: A guide to stop or recover from a Pwn
Transcript of the slide deck "Hardening WordPress.pdf"
www.securify.nl
Hardening Wordpress
15/07/2016 Antonis Manaras
mobile & web
A guide to stop or recover from a Pwn…
Part 1: General info (What?)
Part 1: General info
• Content Management System
• Open Source
• PHP & MySQL
• Structure:
  • Core
  • Themes
  • Plugins
Core + Themes + Plugins
Core: minimum to work. Themes and plugins: extra functionality.
45k+ Plugins! ~10k Themes
Wordpress market share (Alexa top 1M)
https://www.datanyze.com/market-share/cms/
Attack Surface
Base installation vs. many plugins: every plugin added enlarges the attack surface.
Part 2: Prevent a Pwn (Be proactive)
Core
Theme(s)
Plugins
Server
Hardening Wordpress: Server
Three ways of hosting Wordpress:
1. Shared Hosting Service
2. Managed (hybrid)
3. Self Hosting*
Hardening Wordpress: Security 101
Updates! Updates everywhere…
Core
Themes
Plugins
Server*
Hardening Wordpress: Security 101
Use strong passwords! Avoid:
• Short passwords → use at least 8 chars (or more…)
• Passwords containing known info like name, address, date of birth, pets etc.
• Common dictionary words
• Only numerical or alpha → best to mix it up
• …
Hardening Wordpress: Security 101
FTP access → use SFTP
• Encrypted password
• Encrypted data
Hardening Wordpress: Security 101
Backups!
• Regularly
• Off server
Pro Tip:
• Keep a copy of a clean installation + your base configuration as on day-0
Hardening Wordpress: Security 101
Use child themes when tweaking the appearance
Hardening Wordpress: Server
Before starting with Wordpress hardening, make sure you are set with:
• Infrastructure
• Apache
• PHP
• MySQL
Then… Move on!
Hardening Wordpress: Server
Fine tune file permissions
• Directories: 755
• Files: 644
• /wp-admin/ → All files must be writeable only by the user account
• /wp-includes/ → All files must be writeable only by the user account
• /wp-content/ → Must be writeable by the user and the web server
Hardening Wordpress: Server
Restrict access to the admin panel
• Add a .htaccess file to wp-admin:
    Order Deny,Allow
    Deny from all
    Allow from 127.0.0.1
• Add server-side password protection (BasicAuth)
• Whitelist allowed IPs
• Enforce the administrator(s) to use VPN and/or SSH
• Delete (or change) the admin account
• Use a display name different from the account login name
Hardening Wordpress: Server
Secure wp-config.php
Move the file one directory above the Wordpress installation
• (site installed in web root → wp-config.php will be outside the web root and off the internet)
• User and web server should have read permissions (400 or 440)
• Wordpress will automatically search one directory above if the file is not in the web root
• You can add a .htaccess file with:
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
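As an added example (not from the deck), a POSIX shell script that applies the permissions from the file-permission and wp-config.php slides above (755/644 baseline, wp-content writable by user and web server, wp-config.php at 440) and then audits the tree for anything still too open. It assumes the site owner owns the files and the web server user is in the owner's group, so "writable by the web server" is expressed as group write; the function names are hypothetical.

```shell
#!/bin/sh
# Baseline permissions from the deck, then an audit of the result.
# Assumptions (not stated by the deck): the site owner owns the tree and the
# web server user is in the owner's group, so "writable by user and web
# server" for wp-content becomes group-writable. Run chown yourself first.
wp_set_perms() {
  root="$1"
  find "$root" -type d -exec chmod 755 {} +   # directories: 755
  find "$root" -type f -exec chmod 644 {} +   # files: 644
  # wp-admin and wp-includes: owner-writable only (already covered above).
  # wp-content: user and web server must both write here (uploads, cache).
  if [ -d "$root/wp-content" ]; then
    find "$root/wp-content" -type d -exec chmod 775 {} +
    find "$root/wp-content" -type f -exec chmod 664 {} +
  fi
  # wp-config.php: read-only for user and web server, in or above web root.
  for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
    if [ -f "$cfg" ]; then chmod 440 "$cfg"; fi
  done
}

# Count violations: world-writable paths anywhere, group-writable paths under
# wp-admin or wp-includes, and a wp-config.php that is still owner-writable.
wp_audit_perms() {
  root="$1"
  n=$(find "$root" -perm -002 | wc -l)
  for d in wp-admin wp-includes; do
    if [ -d "$root/$d" ]; then
      n=$((n + $(find "$root/$d" -perm -020 | wc -l)))
    fi
  done
  for cfg in "$root/wp-config.php" "$root/../wp-config.php"; do
    if [ -f "$cfg" ] && [ -n "$(find "$cfg" -perm -200)" ]; then
      n=$((n + 1))
    fi
  done
  echo $((n + 0))   # normalised count; 0 means the tree matches the baseline
}
```

Run `wp_audit_perms /path/to/wordpress` on its own after every plugin or theme install, since installers frequently loosen modes again.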
Hardening Wordpress: Server
Disable directory listing or add blank index.php files
Now the directories are not browse-able
Main folders to protect:
• wp-includes
• wp-content
• wp-content/plugins
• wp-content/themes
• wp-content/uploads
Hardening Wordpress: Server
It's all about what is exposed
Google dorks:
• inurl:wp-config.txt
• inurl:/wp-content/plugins/{vuln plugin name}
Part 3: I got Pwned! (What now…?)
Recover from a Pwn
Step 1: Stay calm! Then, move on…
Recover from a Pwn
If you don’t have a clean backup, take one NOW!
Recover from a Pwn
Analyze the damage
• Usually, a piece of malicious code is injected in JS files for spamming purposes
• https://sitecheck.sucuri.net - You can scan your site to see what the damage is
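An added example, not from the deck: a shell function that compares the live tree against the day-0 clean copy the backup slide tells you to keep, so tampered JS/PHP files and dropped files show up as MODIFIED or NEW lines for the damage analysis above. The function names and the constructed demo trees are assumptions.

```shell
#!/bin/sh
# Compare a live WordPress tree with a known-clean copy. Injected code
# usually lands in an existing file (MODIFIED) or as a new file dropped
# into a writable directory such as uploads (NEW); both are reported.
wp_diff_clean() {
  clean="$1"
  live="$2"
  ( cd "$live" && find . -type f ) | sort | while IFS= read -r f; do
    if [ ! -f "$clean/$f" ]; then
      printf 'NEW      %s\n' "$f"
    elif ! cmp -s "$clean/$f" "$live/$f"; then
      printf 'MODIFIED %s\n' "$f"
    fi
  done
}

# Demo on a constructed pair of trees (not real site content): one script
# gets an appended line, one unexpected PHP file appears under uploads.
wp_diff_demo() {
  t=$(mktemp -d)
  mkdir -p "$t/clean/wp-includes/js" "$t/live/wp-includes/js" "$t/live/wp-content/uploads"
  printf 'var ok = 1;\n' > "$t/clean/wp-includes/js/site.js"
  cp "$t/clean/wp-includes/js/site.js" "$t/live/wp-includes/js/site.js"
  printf '/* constructed: appended line */\n' >> "$t/live/wp-includes/js/site.js"
  printf '<?php // constructed unexpected file\n' > "$t/live/wp-content/uploads/unexpected.php"
  wp_diff_clean "$t/clean" "$t/live"
  rm -rf "$t"
}
```

Files that are legitimately different (uploads you made, a changed wp-config.php) will also be listed, so review the output rather than deleting from it blindly.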
Recover from a Pwn
Install a fresh Wordpress installation, and fresh theme/plugins as well
• Make sure to have Wordpress downloaded from the official source!
Recover from a Pwn
… Start over …
What if you had done Part 1 and Part 2 earlier…??
Thank you!