Page 1: WORDPRESS PLUGINS

@2011 Regina Smola, WPSecurityLock.com. All rights reserved.

Presentation by Regina Smola

Uncovering the Hidden Dangers of Shiny Plugin Syndrome!

Page 2: Who Am I?

Hi, I’m Regina Smola. I’m the mom of 2 awesome boys and 2 cuddly golden retrievers, security addict, WordPress user and blogger, and Internet and affiliate marketer. I started my first website in 1999, got it viciously hacked in 2000 and again in 2001. Since then, I’ve spent countless hours learning ways to protect my online business and helping you do the same.

Niche – WordPress Security
Owner – www.WPSecurityLock.com
Current Nicknames – Password Sheriff and the Hacker Attacker.

Page 3: Plugins – The Good!

There are plugins that can do just about anything on a WordPress blog, such as…
- Track your website visitors (Google Analytics)
- Integrate social media (Facebook, Twitter, LinkedIn)
- Search Engine Optimization (SEO)
- Add a shopping cart
- Insert audio and video
- Block Comment Spam
- Create Site Backups

David was my largest case study for having the most plugins (67) on one WordPress site. And he owns more than 150!

Page 4: Plugins – The Bad!

Plugins can get hacked into and open up backdoors for hackers to deface and destroy your site, including…
- SQL Injection – change content inside your database or grab info like credit cards or passwords.
- Cross-Site Scripting – inject client-side scripts into pages.
- Remote File Inclusion – add remote files through scripts.
- Code Execution – download viruses to visitors’ computers.

Page 5: Remote File Inclusion

Email received on October 20, 2011 by an attacked site, which also got blacklisted on search engines:

Dear ____:

It appears that your website has been hacked by a fraudster. It is now hosting a phishing attack against NedBank. Please remove the fraudulent folders/files as soon as possible and secure your website as it has been compromised. Please note that it is possible that the fraudulent content is embedded in your website's legitimate files…

Page 6: Remote File Inclusion

Page 7: Hacked Plugins

Recently Hacked Common Plugins

1. WordPress AdRotate Version 3.6.6 – SQL Injection. Removed from WordPress.org. http://wordpress.org/extend/plugins/adrotate/
2. WordPress BackWPup Version 2.1.4 – Code Execution. Fixed vulnerability in Version 2.1.6. http://wordpress.org/extend/plugins/backwpup/
3. WordPress Contact Form Version 2.7.5 – SQL Injection. Removed from WordPress.org. http://wordpress.org/extend/plugins/contact-form-wordpress/

Page 8: Hacked Plugins

Recently Hacked Common Plugins

1. WordPress GD Star Rating Version 1.9.10 – SQL Injection. Fixed vulnerability in Version 1.9.11. http://wordpress.org/extend/plugins/gd-star-rating/
2. WP-SpamFree WordPress Spam Version ? – SQL Injection. Removed from WordPress.org. http://wordpress.org/extend/plugins/wp-spamfree/
3. Wp-phpmyAdmin – Any Version – Backdoor Vulnerability. Removed from WordPress.org. http://wordpress.org/extend/plugins/wp-phpmyadmin/

Page 9: AdRotate Cached 11/14/2011

Page 10: AdRotate Removed from WordPress.org

Page 11: Spam Free Developer Gave Up!

Page 12: Spam Free Users Still Using It!

Page 13: Google Analytics for WordPress Fixed Vulnerability

Google Analytics for WordPress by Yoast: Version 4.1.2 vulnerable. Fixed in Version 4.1.3. http://wordpress.org/extend/plugins/google-analytics-for-wordpress/changelog/

The WordPress.org Plugin Repository got hacked into on June 21, 2011 and the following plugins were compromised (fixes have been released):
- AddThis Version 2.2.0
- Wptouch Version 1.9.29
- W3 Total Cache Version 0.9.2.3

Page 14: Abandoned Plugins!

Plugin developers can drop off the planet!

Page 15: The Dreaded Broken Site!

Plugins can break your site and/or cause conflicts!

- The “White Screen of Death!” For example, one plugin shares the same wp_options table code with another and causes a conflict.
- Feeds don’t work properly…
  Example 1: RSS Error: XML error: Not well-formed (invalid token) at line 1, column 1 (seen in the Dashboard).
  Example 2: Akismet has detected a problem. A server or network problem prevented Akismet from checking 135 comments. They have been temporarily held for moderation and will be automatically re-checked in 16 mins.
- Some plugins you have installed no longer work (code conflict).

Page 16: The Dreaded Broken Site!

Plugins can break your site and/or cause conflicts!

- The site loads slowly because a badly coded plugin makes database calls for missing files/items or runs loops.
- The more plugins you have, the longer your site takes to load, even if they’re deactivated. The database has to “check” to see if each one is active or not.
- Poorly written plugins can cause a conflict with “Menus” (site navigation).

Page 17: Do you know if your site activity is being tracked?

Plugins can track your data without your knowledge.

“Some of the pages were loading really slow and I then noticed the reason. In the task bar of my browser, it said… ‘Waiting for map.media6degrees.com!’ Panic struck me! Had I been hacked? Did I have malware on my site? Good grief!” – Chris Cobb, MyBonusBlog.com. Published July 18, 2011

Page 18: Plugin MYTHS!

MYTH: A deactivated plugin cannot get hacked.
TRUTH: Deactivating a plugin still leaves it on the server. If a hacker has found a vulnerability, he can use his nasty “I’m going to get you” script and search for the files.

MYTH: My plugins are all up to date so I’m safe.
TRUTH: Plugins must be checked frequently to see if any vulnerabilities have been found and if they are still supported by the developer.

Page 19: Paid Plugins Are Risky!

Beware of Premium Plugins. Just because you’ve paid for a plugin does not make it safe! Questions to ask yourself…

1. Does the plugin developer offer support?
2. Is the website that you bought it from still in business?
3. Do you trust the developer?
4. Is the plugin original or is it PLR or a copy?
5. Have you searched the web to see if there are vulnerabilities reported?
6. How old is the plugin?

Page 20: Should you buy it or deny it?

What you should check first before buying a plugin…

1. Check to see what others are saying; read reviews and comments or forum posts.
2. Email the plugin developer a “pre-sales” question and see how quickly he responds.
3. If they have a mailing list, subscribe to keep informed.
4. Check the changelog to see when it was last updated.
5. Search the web for the name of the plugin and the words vulnerability, compromised, and backdoor.

Page 21: Do Monthly Plugin Audits!

Plugins can make or break your site. They must be managed and updated regularly!

1. If there’s a plugin update available in your Dashboard now, click on the “View version details” link and check the changelog. If it’s a security/vulnerability fix, update the plugin immediately and run a malware scan on your site: http://unmaskparasites.com.

Page 22: Do Monthly Plugin Audits!

1. Keep your plugins up to date even if it’s just a language file. Sometimes developers don’t list everything.
2. Visit the plugin page every month to make sure it still exists.
3. If a plugin has been removed from WordPress.org, there’s a good reason. Deactivate and delete it immediately! And scan your site for malware.
4. Check the plugin page to make sure it doesn’t say it’s no longer supported, and check the forum posts too. (I wish they’d just delete it!)

Page 23: Do Monthly Plugin Audits!

1. Is the developer responding to issues or questions on the support forums? If it’s been ages, most likely he’s flown the coop! Run, don’t walk, over to your Dashboard and kill the plugin.
2. Check the latest modified date. Oldy-Moldy plugins increase your risk of being hacked.
3. Check to see what version of WordPress it’s compatible with. WordPress 3.3 is just around the corner; will it work?
4. Do a search online for the name of the plugin and the words vulnerability, compromised and backdoor.

Page 24: Do Monthly Plugin Audits!

1. Check that all your plugins are still working. One might disable another and you don’t even know it without checking.
2. If you’re using individual plugins to do many things and there’s a plugin that does them all, consolidate. Less is more!
3. Delete all deactivated plugins unless you plan on using them.
4. Remove all the database entries the deleted plugins left behind to avoid conflicts and server load.
5. Check your server permissions. Directories (folders) should be 755 and Files should be 644 MAXIMUM!

Page 25: PLEASE DO THIS TONIGHT!

LAST AND VERY IMPORTANT TIP! The timthumb script that runs in many themes and some plugins had a backdoor vulnerability and millions of websites have been hacked because of it. Install the Timthumb Vulnerability Scanner plugin and scan it TONIGHT!

There’s even a built-in “Fix” button that will close the security hole for you. Go to: http://wordpress.org/extend/plugins/timthumb-vulnerability-scanner/

Page 26: Secure Your WordPress Plugins!

TIME IS TICKING

I know it sounds like a lot of work to do each month. But we can’t stress enough how important it is! Don’t have time? We have good news! We’ll do your Monthly Plugin Security Audits for you! SPECIAL OFFER: http://nams.ws/audit

Page 27: THANKS FOR LISTENING

Let’s Connect!
My Site: http://nams.ws/secure
Facebook: http://facebook.com/wpsecuritylock
Google Plus: http://www.wpsecuritylock.com/+
Company LinkedIn: http://www.linkedin.com/company/wpsecuritylock
Personal LinkedIn: http://www.linkedin.com/in/reginasmola
Twitter: http://twitter.com/WPSecurityLock
Skype: wpsecuritylock
Phone: (815) 200-9775

I’m so happy you wanted to learn about security!