Wordpress Security. A guide on how to not get hacked when using wordpress. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K

Similar documents
Magento Security Best practices 2015

Nikolay Zaynelov Annual LUG-БГ Meeting nikolay.zaynelov.com

CCM 4350 Week 11. Security Architecture and Engineering. Guest Lecturer: Mr Louis Slabbert School of Science and Technology.

JOOMLA SECURITY. ireland website design. by Oliver Hummel. ADDRESS Unit 12D, Six Cross Roads Business Park, Waterford City

VPN Lesson 2: VPN Implementation. Summary

Railo Installation on CentOS Linux 6 Best Practices

The current version installed on your server is el6.x86_64 and it's the latest available.

IP Application Security Manager and. VMware vcloud Air

Reverse Shells Enable Attackers To Operate From Your Network. Richard Hammer August 2006

Out of the Fire - Adding Layers of Protection When Deploying Oracle EBS to the Internet

Hardening WordPress. (or, How Not To Get Hacked And What To Do When You Are) Gregory Ray dot gray Sunday, March 15, 15

CS 558 Internet Systems and Technologies

SANS Dshield Webhoneypot Project. OWASP November 13th, The OWASP Foundation Jason Lam

Recon and Mapping Tools and Exploitation Tools in SamuraiWTF Report section Nick Robbins

Advanced Web Security, Lab

Using Nessus In Web Application Vulnerability Assessments

SVNManager Installation. Documentation. Department of Public Health Erasmus MC University Medical Center

Hacking the WordpressEcosystem

Trend Micro Worry- Free Business Security st time setup Tips & Tricks

Protect Your Websites and Beat the Hackers

NETWORK SECURITY HACKS *

The Social-Engineer Toolkit (SET)

ASL IT Security Advanced Web Exploitation Kung Fu V2.0

Cloud Security:Threats & Mitgations

Introduction: 1. Daily 360 Website Scanning for Malware

A Decision Maker s Guide to Securing an IT Infrastructure

STABLE & SECURE BANK lab writeup. Page 1 of 21

WordPress Security Scan Configuration

FRIENDS OF SEARCH HARDENING WORDPRESS VARIOUS TWEAKS FOR BETTER WP SECURITY

Penetration Testing Report Client: Business Solutions June 15 th 2015

Filter Avoidance and Anonymous Proxy Guard

Linux Server Support by Applied Technology Research Center. Proxy Server Configuration

The purpose of this report is to educate our prospective clients about capabilities of Hackers Locked.

An Open Source IPS. IIT Network Security Project Project Team: Mike Smith, Sean Durkin, Kaebin Tan

for NewTech United, London

Project Artillery Active Honeypotting. Dave Kennedy Founder, Principal Security Consultant

MyPBX Security Configuration Guide

WordPress File Monitor Plus Plugin Configuration

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

IS L06 Protect Servers and Defend Against APTs with Symantec Critical System Protection

NSFOCUS Web Application Firewall White Paper

2013 MONITORAPP Co., Ltd.

System Admin Module User Guide. Schmooze Com Inc.

Lab 7 - Exploitation 1. NCS 430 Penetration Testing Lab 7 Sunday, March 29, 2015 John Salamy

We protect you applications! No, you don t. Digicomp Hacking Day 2013 May 16 th 2013

Guidelines for Web applications protection with dedicated Web Application Firewall

How To Use Powerhell For Security Research

Virtual Machine daloradius Administrator Guide Version 0.9-9

Sophos UTM Web Application Firewall for Microsoft Exchange connectivity

CyberSecurity & Keeping your data safe. October 20, 2015

Network Security CS 192

Features. The Samhain HIDS. Overview of available features. Rainer Wichmann

Arrow ECS University 2015 Radware Hybrid Cloud WAF Service. 9 Ottobre 2015

Firewall VPN Router. Quick Installation Guide M73-APO09-380

Linux Server Configuration Guidelines

Nixu SNS Security White Paper May 2007 Version 1.2

State Health Repository Tool (SHRT) Testing Instructions

Maltego Tungsten as a collaborative attack platform BlackHat 2013

1. Introduction. 2. Web Application. 3. Components. 4. Common Vulnerabilities. 5. Improving security in Web applications

Security Advice for Instances in the HP Cloud

WEB APPLICATION FIREWALLS: DO WE NEED THEM?

AI Engine Rules June 2014

Migration and Building of Data Centers in IBM SoftLayer with the RackWare Management Module

User Guide Zend Server Community 4.0.3

April 11, (Revision 2)

Acunetix Website Audit. 5 November, Developer Report. Generated by Acunetix WVS Reporter (v8.0 Build )

Using PHPIDS to Understand Attacks

F5 Silverline Web Application Firewall Onboarding: Technical Note

NETWORK SECURITY HACKS

Top Ten Web Attacks. Saumil Shah Net-Square. BlackHat Asia 2002, Singapore

EC-Council CAST CENTER FOR ADVANCED SECURITY TRAINING. CAST 619 Advanced SQLi Attacks and Countermeasures. Make The Difference CAST.

WWPass External Authentication Solution for IBM Security Access Manager 8.0

LockoutGuard v1.2 Documentation

Powerful, customizable protection for web applications and websites running ModSecurity on Apache/Linux based web-servers

SB 1386 / AB 1298 California State Senate Bill 1386 / Assembly Bill 1298

Firewalls P+S Linux Router & Firewall 2013

Defending your Web Applications from Attack: Presenter: Damira Pon, UAlbany. NYS Forum Web & Accessibility Workgroup Talk. NYS Forum Training Room

How To Protect A Network From Attack From A Hacker (Hbss)

NovaTech NERC CIP Compliance Document and Product Description Updated June 2015

Hardened Hosting. Quintin Russ. OWASP New Zealand Chapter th December 2011

DIGIPASS Authentication for Microsoft ISA 2006 Single Sign-On for Outlook Web Access

Check list for web developers

Security Power Tools

FileCloud Security FAQ

Powerful Online Solutions HOSTING. Price List. Surge Media Pty Ltd MAINTENANCE & SUPPORT Price List 1

DMZ Gateways: Secret Weapons for Data Security

Web Application Firewall

REDCap General Security Overview

LICENSE4J LICENSE ACTIVATION AND VALIDATION PROXY SERVER USER GUIDE

Windows Remote Access

NETWORK SECURITY. Scott Hand. Melanie Rich-Wittrig. Enrique Jimenez

Web Application Security

Contents. 1. Infrastructure

User Guide. You will be presented with a login screen which will ask you for your username and password.

Single sign-on websites with Apache httpd: Integrating with Active Directory for authentication and authorization

Web Application Guidelines

CSE598i - Web 2.0 Security OWASP Top 10: The Ten Most Critical Web Application Security Vulnerabilities

CLEARSWIFT SECURE Web Gateway HTTPS/SSL decryption

Threat Modelling for Web Application Deployment. Ivan Ristic (Thinking Stone)

Transcription:

Wordpress Security A guide on how to not get hacked when using wordpress. David Kennedy (ReL1K) http://www.secmaniac.com Twitter: Dave_ReL1K

So about wordpress. The number one website and blogging software out there to date. A free and open-source based project with heavy backing for creating entire websites and creating dynamic blog/information sharing. PHP + MySql based sites has been hacked a number of times, and probably will be hacked again J

Wordpress Hacked?!

Some of the major risks Plugins are third party tools that can be added to wordpress to enhance functionality or security. Plugins are third party tools that can be added to wordpress to decrease functionality or security. Plugins are vulnerable and are often the brunt for most of the attacks. Ensure you know what your using when you install your plugins..

What risk do you have? Injection flaws (including OS), XSS, full system compromise, etc. As with any type of software, as it becomes more popular the more it s attacked. Wordpress is a major attack vector right now as many websites use it.

My setup Pick and choose Reverse Proxy running application firewall (you can use mod_security for free). Heavily stripped down kernel No access other than port 80, host integrity monitoring through OSSEC and deny hosts. Virtualized environment that is snapshotted and backed up on a daily basis. Remove all dynamic content until I need it (will explain).

Reverse Proxy The reverse proxy tunnels HTTP based traffic on a non-standard port in my back-end network. Multi-tiered DMZ that separates the MySQL database from the front-end web application. Egress filtering is heavily performed to not allow outbound connections except to Fedora updates and Wordpress. Mod-Security, free open source rules for Apache, a signature based WAF.

Stripped down OS Only install what you need. Remove any kernel level packages you don t need.

Non Standard Ports Move SSH off of its default port and lock it down with Denyhosts if you use it. DenyHosts is a brute force detection tool that after X amount of attempts will block the host IP through IPTables On the reverse proxy, recommend moving your backend HTTP server and MySQL ports to non-standard ports.

The BIG One.htaccess.htpasswd In most cases the wp-includes folder will allow directory browsing, make sure you remove that and lock down access to only what you need: Order Allow,Deny Deny from all <Files ~ ".(css jpe?g png gif js)$"> Allow from all </Files>

.htaccess continued Lock down the wp-admin interface in wp-admin/ # Auth File AuthUserFile /var/www/html/wp-admin/.htpasswd AuthGroupFile /dev/null AuthName "Not Found" AuthType Basi <Limit GET> require valid-user </Limit> <Files.htaccess> deny from all </Files>

Only allow by IP Address Lock down the wp-admin interface in wp-admin/ AuthName OMG AuthType Basic <Limit GET POST> order deny,allow deny from all allow from X.X.X.X </Limit>

Blacklist IP Addresses Quick script I wrote if you want to block via IP Tables, could also use.htaccess #!/usr/bin/python import subprocess choice=raw_input("enter IP to blacklist: ") subprocess.popen("iptables -I INPUT -s %s -j DROP" % (choice), shell=true).wait() print "Done.."

OSSEC HIDS Open-Source platform for monitoring platform integrity and active responses against attack. Be careful in the reverse proxy model, it can blacklist the reverse proxy on the back-end web server. Anything modified on the OS, email notifications are sent. Fine tune alerts and ensure email is working properly.

Other useful pointers User different passwords and ports on each *nix system. Rename the wordpress default MySQL tables (wp_blah). Also remove the xmlrpc.php file, seems to get targeted a lot. Anything modified on the OS, email notifications are sent. Fine tune alerts and ensure email is working properly.

Useful pointers cont. Make the main wordpress directory only writable by root when not using it. Ensure the wp-directories are not set for directory listings. If you don t care about reboots, etc. schedule auto cron jobs for updating the systems automatically and forcing a reboot afterwards

ihazwordpress.py

Some useful Security Plugins Login Lockdown Looks for failed attempts from the same source address and blocks if threshold hit. Secure Wordpress Removes standard attack patterns, hides certain information leakage, renames files, etc. Don t install just any plugins, these are usually what causes you to get owned.

Questions? J http://www.secmaniac.com davek@social-engineer.org Twitter: Dave_ReL1K

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information