8 ways to hack a wordpress website

Post on 08-May-2015


Presented by Daniel Kanchev

TRANSCRIPT

8 WAYS TO HACK A WORDPRESS SITE

WordCamp Porto 2013 Daniel Kanchev

Before We Begin…

• 7+ years of WordPress experience

• 5 years with SiteGround

• Love FOSS

• Addicted to extreme and not so secure sports

Why should YOU care?

1. OUTDATED WORDPRESS CORE

• WP 3.7.1 - MAINTENANCE RELEASE
• WP 3.6.1 - SECURITY RELEASE
• WP 3.5.2 - SECURITY RELEASE
• WP 3.5.1 - SECURITY RELEASE
• WP 3.4.2 - SECURITY RELEASE
• WP 3.4.1 - SECURITY RELEASE
• WP 3.3.3 - SECURITY RELEASE
• WP 3.3.2 - SECURITY RELEASE
• WP 3.3.1 - SECURITY RELEASE
• WP 3.2.1 - MAINTENANCE RELEASE

80%

UPDATE, UPDATE, UPDATE!

2. OUTDATED PLUGINS/THEMES

“Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection”

http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf

WP PLUGINS SECURITY STATE

• timthumb.php Security Vulnerability

• W3 Total Cache Vulnerability

NOTABLE EXAMPLES

LIVE DEMONSTRATION

3. UPDATED BUT STILL VULNERABLE

“8 out of 10 sites included base64 encoding in their themes.”

Siobhan McKeown

FREE THEMES/PLUGINS ?!

TRUSTED DEVELOPERS

USE WAF

4. WEAK LOGIN DETAILS

Do you log in with username “admin” ?

KEEP CALM AND LET ME SHOW YOU WHY

CHANGE THE ADMIN USER

UPDATE wp_users SET user_login = 'Yourname+_admin' WHERE user_login = 'admin';

STRONG PASSWORDS

Use a whole sentence or a favourite quote:

Comedy is acting out optimism!

5. MALWARE

SECURE YOUR COMPUTERS

• Keep your OS and all programs updated

• Install Anti-Virus software

• Use personal firewalls

• Open sites via HTTPS whenever possible

• Use SSH or SFTP instead of FTP

6. VULNERABLE SERVER SOFTWARE

WATCHA TALKIN ABOUT

SOME EXAMPLES

• PHP-CGI Vulnerability - versions before 5.3.12/5.4.2

• MySQL/MariaDB Vulnerability - versions before 5.5.25

• Apache range header DoS - versions before 2.2.20

• Update server software

• Follow security bulletins

• Hire professional sysadmins

7. INCORRECTLY CONFIGURED SERVER

APACHE SYMLINK VULNERABILITY

The Problem:

public_html/fred.txt —> /home/otheracct/public_html/wp-config.php

The Solution:

Add to httpd.conf or .htaccess file: Options SymLinksIfOwnerMatch

• Find a good host

• Hire professional sysadmins
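The symlink fix above written out as a full httpd.conf fragment. This is an added example, not configuration from the talk or from SiteGround; the `/home/*/public_html` path is an assumption matching the layout shown on the slide.

```apache
# Added example: server-wide policy for per-account document roots.
# Apache only follows a symlink if the link and its target have the same
# owner, so fred.txt -> /home/otheracct/.../wp-config.php is refused.
<Directory "/home/*/public_html">
    # Remove the permissive default; with FollowSymLinks still set the
    # owner check would not take effect.
    Options -FollowSymLinks +SymLinksIfOwnerMatch
    # Stop a per-account .htaccess from re-enabling FollowSymLinks
    # (AllowOverride Options would let it override the line above).
    AllowOverride None
</Directory>
```

If the directive has to live in a customer's .htaccess instead, the server must grant `AllowOverride Options` for that directory. The Apache documentation notes that the ownership test is subject to race conditions, so on a shared host it narrows the window rather than closing it; proper per-account isolation (point 8) is the durable fix, which is why the slide also says "find a good host".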

8. WRONG PERMISSIONS + ISOLATION

THE CORRECT PERMISSIONS

• Folders: 755
• Files: 644
• wp-config.php: 444

SSH COMMAND TO CORRECT PERMISSIONS

• find /wordpress -type d -exec chmod 755 {} \;

• find /wordpress -type f -exec chmod 644 {} \;
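An audit-then-fix script built around the two find commands above, extended with the wp-config.php special case the slide lists. It is an added example, not part of the talk; the WordPress-like tree it builds under mktemp is constructed for the demonstration, with deliberately wrong modes.

```shell
#!/bin/sh
# Added example: audit a WordPress tree against the recommended modes
# (directories 755, files 644, wp-config.php 444) and then apply them.

# Count entries that deviate from the recommended modes. Prints the
# count; 0 means the tree already matches.
wp_perm_violations() {
  tree="$1"
  bad_dirs=$(find "$tree" -type d ! -perm 755 | wc -l)
  bad_files=$(find "$tree" -type f ! -name wp-config.php ! -perm 644 | wc -l)
  bad_cfg=$(find "$tree" -maxdepth 1 -type f -name wp-config.php ! -perm 444 | wc -l)
  echo $((bad_dirs + bad_files + bad_cfg))
}

# Apply the recommended modes: the same find/chmod pattern as the slide,
# plus read-only wp-config.php. Run as the account that owns the files.
wp_perm_fix() {
  tree="$1"
  find "$tree" -type d -exec chmod 755 {} \;
  find "$tree" -type f -exec chmod 644 {} \;
  [ -f "$tree/wp-config.php" ] && chmod 444 "$tree/wp-config.php"
  return 0
}

# Constructed sample tree with the kind of mistakes an audit should catch.
wp_perm_demo_tree() {
  umask 022
  tree=$(mktemp -d)            # mktemp creates the root as 700
  mkdir -p "$tree/wp-content/uploads" "$tree/wp-admin"
  : > "$tree/index.php"
  : > "$tree/wp-config.php"
  : > "$tree/wp-content/uploads/a.jpg"
  chmod 777 "$tree/wp-content/uploads"   # world-writable upload directory
  chmod 666 "$tree/index.php"            # world-writable PHP file
  chmod 644 "$tree/wp-config.php"        # readable config, should be 444
  echo "$tree"
}

# Full run: prints "<violations before> <violations after>" and cleans up.
wp_perm_demo() {
  demo=$(wp_perm_demo_tree)
  before=$(wp_perm_violations "$demo")
  wp_perm_fix "$demo"
  after=$(wp_perm_violations "$demo")
  rm -rf "$demo"
  echo "$before $after"
}
```

Running `wp_perm_demo` reports four problems before the fix (the 700 root, the 777 uploads directory, the 666 index.php and the 644 wp-config.php) and none after. The audit function is the part worth keeping: run it from cron and alert on a non-zero count, since a plugin or an upload that silently flips a directory to 777 is exactly the change you want to notice.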

GENERAL GUIDELINES

• Use Secret Keys - http://api.wordpress.org/secret-key/1.1/salt

• Move wp-config.php to parent folder

• Use SSL for wp-login.php

• Allow admin access only from certain IPs
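An .htaccess fragment for the WordPress root that enforces the last two guidelines (SSL for wp-login.php, admin access only from certain IPs). Added example, not from the talk; it uses Apache 2.4 `Require` syntax, and the 203.0.113.0/24 range is a documentation placeholder to replace with your own addresses.

```apache
# Added example: .htaccess in the WordPress root (needs AllowOverride
# FileInfo and AuthConfig, and mod_rewrite loaded).

# Allow admin access only from certain IPs: placeholder range, replace it.
<Files "wp-login.php">
    Require ip 203.0.113.0/24
</Files>

# Use SSL for wp-login.php: send plain-HTTP login requests to HTTPS.
RewriteEngine On
RewriteCond %{HTTPS} !=on
RewriteCond %{REQUEST_URI} ^/wp-login\.php
RewriteRule ^(.*)$ https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
```

On Apache 2.2 the `Require ip` line becomes `Order deny,allow`, `Deny from all`, `Allow from 203.0.113.0/24`. Restricting wp-login.php alone is deliberate: locking down the whole wp-admin directory by IP also blocks wp-admin/admin-ajax.php, which themes and plugins call from the public front end.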

QUESTIONS ?

THANK YOU!

Daniel Kanchev

@dvkanchev daniel.k@siteground.com

http://slideshare.net/siteground

REFERENCES

• http://blog.sucuri.net/2013/05/from-a-site-compromise-to-full-root-access-symlinks-to-root-part-i.html

• http://httpd.apache.org/security/CVE-2011-3192.txt

• http://thehackernews.com/2012/06/cve-2012-2122-serious-mysql.html

• http://blog.spiderlabs.com/2012/05/php-cgi-exploitation-by-example.html

• http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPress-Top-50-Plugins.pdf
