The moment my site got hacked - WordCamp Sofia
Slides uploaded by marko-heijnen (category: Technology)
Hardening WordPress
Difficult password
VPN access is required for admins to login
Files can’t be changed by PHP
define('DISALLOW_FILE_MODS', true);
Renamed wp-content folder
Other positive effects
PHP FPM with Opcache requires restart
WordPress Network install
A lot of functionality is custom written
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
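The three log lines above are the whole story of the attack: a POST to an upload endpoint, then an immediate GET for the dropped `file.php` under wp-content, which the renamed content directory turned into a 301 and then a 404. The detector below is an added example, not code from the talk; it parses combined-format access logs and flags any IP that POSTs to an "upload" path and then fetches a PHP file under a content directory within a few minutes. The log lines are the ones shown above; the 5-minute window, the content-directory list and the field names are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The three access-log lines shown on the slide (copied, not constructed).
LOG_LINES = """\
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
"""

# Combined log format: ip ident user [timestamp] "method path protocol" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
)
# Anything the web server would hand to the PHP interpreter.
PHP_RE = re.compile(r'\.(php\d?|phtml|phar)$', re.I)
# Directories where a freshly uploaded script lands; "/content/" is the
# renamed wp-content directory from the talk. Assumed list, extend as needed.
CONTENT_DIRS = ('/wp-content/', '/content/', '/uploads/')


def parse(log_text):
    """Parse combined-format lines into dicts; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            'ip': m['ip'],
            'ts': datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z'),
            'method': m['method'],
            'path': m['path'],
            'status': int(m['status']),
        })
    return events


def detect_upload_then_fetch(events, window=timedelta(minutes=5)):
    """Flag an IP that POSTs to an upload endpoint and then, within `window`,
    GETs a PHP file under a content directory: the drop-then-run pattern.
    A 200 on the fetch means the dropped script actually executed."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e['ip']].append(e)

    alerts = []
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e['ts'])  # stable: same-second lines keep file order
        for i, post in enumerate(evs):
            if post['method'] != 'POST' or 'upload' not in post['path'].lower():
                continue
            fetches = []
            for f in evs[i + 1:]:
                if f['ts'] - post['ts'] > window:
                    break
                clean_path = f['path'].split('?', 1)[0]
                if (f['method'] == 'GET' and PHP_RE.search(clean_path)
                        and any(d in clean_path for d in CONTENT_DIRS)):
                    fetches.append((clean_path, f['status']))
            if fetches:
                alerts.append({
                    'ip': ip,
                    'upload': post['path'],
                    'fetches': fetches,
                    'shell_reached': any(status == 200 for _, status in fetches),
                })
    return alerts


if __name__ == '__main__':
    for alert in detect_upload_then_fetch(parse(LOG_LINES)):
        print(alert)
```

Run over the slide's log, this yields one alert for 202.69.240.177 with fetch statuses 301 and 404 and `shell_reached` False: the upload request got a 200, but the follow-up fetch never reached a PHP file. Run it over a full day's log and the alerts you want to read first are the ones where `shell_reached` is True.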
Understanding
Where do I need to fix it
Is it something a host could have prevented
Why was someone trying to hack my site
Where do you protect
Protection flow
Server (DDOS / rate limits / login attempts)
App / Site (App specific security / support)
Network (DDOS protection)
Start fixing things
Check the upload directory for more PHP files
Don’t ever allow PHP to be executed inside uploads
Update all plugins
See if everything is still untouched
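The first clean-up step, checking the upload directory for more PHP files, is easy to get wrong if you only look for a `.php` extension: attackers also leave double extensions such as `avatar.php.jpg`, PHP code inside files named like images, and an `.htaccess` that re-enables execution. The scanner below is an added example, not code from the talk; it walks an uploads tree and reports each file with the reasons it was flagged. The sample tree it builds in a temporary directory is constructed for the demo, with harmless placeholder PHP bodies.

```python
import os
import re
import tempfile

# Extensions a typical PHP handler picks up, including in the middle of a
# double extension such as avatar.php.jpg (Apache's AddHandler does that).
PHP_EXT_RE = re.compile(r'\.(php\d?|phtml|phar|inc)(\.|$)', re.I)
# A PHP open tag anywhere in the first few KB, regardless of extension.
PHP_TAG_RE = re.compile(rb'<\?(php\b|=)', re.I)
# Per-directory config files that can re-enable execution under uploads.
CONTROL_FILES = {'.htaccess', '.user.ini', 'php.ini', 'web.config'}


def scan_uploads(root):
    """Return sorted (relative path, [reasons]) for every suspicious file under root."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, '/')
            reasons = []
            if name in CONTROL_FILES:
                reasons.append('server config file inside uploads')
            if PHP_EXT_RE.search(name):
                reasons.append('PHP extension')
            with open(full, 'rb') as fh:
                head = fh.read(4096)
            if PHP_TAG_RE.search(head):
                reasons.append('PHP open tag in content')
            if reasons:
                findings.append((rel, reasons))
    return sorted(findings)


def build_sample_uploads():
    """Constructed sample tree (not from the talk): one clean image and four
    files an attacker might leave behind. The PHP bodies are harmless placeholders."""
    root = tempfile.mkdtemp(prefix='uploads-')
    samples = {
        '2015/02/photo.jpg': b'\xff\xd8\xff\xe0 fake JPEG body',
        '2015/02/file.php': b'<?php echo "placeholder"; ?>',
        '2015/02/avatar.php.jpg': b'<?php echo "placeholder"; ?>',
        '2015/02/logo.png': b'GIF89a<?= "placeholder" ?>',
        '2015/02/.htaccess': b'AddType application/x-httpd-php .jpg\n',
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split('/'))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, 'wb') as fh:
            fh.write(data)
    return root


if __name__ == '__main__':
    for rel, reasons in scan_uploads(build_sample_uploads()):
        print(rel, '->', ', '.join(reasons))
```

Finding files is only half of the step; the other half is the web server rule that refuses to execute anything under uploads, so that even a file the scanner misses cannot run. Re-run the scan after that rule is in place, because a file that cannot execute today is still evidence of how the attacker got in.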
Checksum checker
Not for WordPress core but for your plugins and themes
wpcentral.io/api/checksums/plugin/tabify-edit-screen/0.8.3
Checks the hash of your files with hashes of the original
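A checksum check only catches a compromise if it reports three things: files whose hash changed, files that disappeared, and files the original release never contained, which is where a dropped backdoor shows up. The checker below is an added example, not the talk's tool and not wpcentral.io's code; it takes a reference map of relative path to digest, such as one built from the service's response, and compares it with an installed plugin directory. The response format and hash algorithm of wpcentral.io are assumptions here (WordPress core's own checksum API uses MD5, so MD5 is the default), and the demo plugin tree is constructed, not the real tabify-edit-screen 0.8.3 files.

```python
import hashlib
import os
import tempfile


def hash_file(path, algo='md5'):
    """Hex digest of one file. The algorithm is a parameter because the
    reference service's choice is an assumption here."""
    h = hashlib.new(algo)
    with open(path, 'rb') as fh:
        for chunk in iter(lambda: fh.read(65536), b''):
            h.update(chunk)
    return h.hexdigest()


def local_checksums(plugin_dir, algo='md5'):
    """Map relative path -> digest for every file under plugin_dir."""
    sums = {}
    for dirpath, _, files in os.walk(plugin_dir):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, plugin_dir).replace(os.sep, '/')
            sums[rel] = hash_file(full, algo)
    return sums


def verify_plugin(plugin_dir, reference, algo='md5'):
    """Compare the installed plugin against reference {relative path: digest}.
    'unexpected' is the bucket a hash-only comparison would miss: a dropped
    backdoor is a file the original release never had."""
    local = local_checksums(plugin_dir, algo)
    return {
        'modified': sorted(p for p in reference if p in local and local[p] != reference[p]),
        'missing': sorted(p for p in reference if p not in local),
        'unexpected': sorted(p for p in local if p not in reference),
    }


def _write(root, rel, data):
    path = os.path.join(root, *rel.split('/'))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, 'wb') as fh:
        fh.write(data)


def build_demo():
    """Constructed demo (not the real plugin's files): a clean copy provides the
    reference digests, standing in for the API response, and a second copy is
    tampered with the way a compromised install would be."""
    files = {
        'tabify-edit-screen.php': b'<?php\n/* Plugin Name: Tabify Edit Screen */\n',
        'readme.txt': b'=== Tabify Edit Screen ===\nStable tag: 0.8.3\n',
        'inc/helpers.php': b'<?php\nfunction tes_helper() { return 1; }\n',
    }
    clean = tempfile.mkdtemp(prefix='clean-')
    site = tempfile.mkdtemp(prefix='site-')
    for rel, data in files.items():
        _write(clean, rel, data)
        _write(site, rel, data)
    reference = local_checksums(clean)

    # Tampering: a line appended to the main file, a file removed, a file added.
    with open(os.path.join(site, 'tabify-edit-screen.php'), 'ab') as fh:
        fh.write(b'// injected line\n')
    os.remove(os.path.join(site, 'readme.txt'))
    _write(site, 'inc/.cache.php', b'<?php echo "placeholder"; ?>')
    return site, reference


if __name__ == '__main__':
    site_dir, ref = build_demo()
    print(verify_plugin(site_dir, ref))
```

On the demo tree the report lists `tabify-edit-screen.php` as modified, `readme.txt` as missing and `inc/.cache.php` as unexpected. A clean install compares equal to its own checksums, which is the sanity check to run first so you know the hash algorithm and path layout of your reference actually match the service you fetched them from.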
Application firewall
Something that actively protects you against vulnerabilities such as cross-site scripting (XSS) and SQL injection
Sucuri or CloudFlare as a service
NinjaFirewall as a plugin
Currently I’m using modSecurity
Now looking at the rule sets of owasp.org
Things I learned
Read the log files more often
Don’t expect plugin developers to announce publicly that they have or had security issues
Work proactively on securing my site
Check out the latest and greatest tools for securing and checking your sites
Some questions for you
What do you do yourself?
How well is your wp-login.php protected?
What does your host do to protect you?
Did you harden your site?
How secure are your backups?
Marko Heijnen
Founder of CodeKitchen
Ex-lead developer of GlotPress
Core contributor for WordPress
Organizer for WordCamp Belgrade