Follow along at https://slides.mtekk.us/wumpls2013!

Viewing Notes

How to see this presentation

Some hotkeys:

  • Arrow keys to navigate (slide on touch devices)
  • H = highlight any code snippets
  • P = toggle speaker notes (if any)
  • F = fullscreen viewing
  • W = toggle widescreen
  • O = see an overview
  • ESC = toggles off these goodies

Some Stats (from Page.ly)

3,844,879 Bad requests over 15 day period

That’s ~2.9 per second!

Of these:

  • 88% HTTP violations
  • 8% violate proprietary Page.ly rules
  • 2% XSS, CSRF, SQLi, other
  • 2% Unknown request method

The Enemy

  1. Real Hackers
    • Determined
    • Usually state sponsored
    • They will get in
  2. Script Kiddies
    • Fly-by-night
    • Use pre-packaged scripts
    • Use botnets
  3. Bots
    • Usually controlled by a Real Hacker or Script Kiddie
    • Responsible for vast majority of attacks

What is Security?

Security is…

  • a process employed to mitigate the risk of loss
  • an ongoing effort

The Security Pyramid

[Image: the security pyramid]

Prevention

  • Keep all of your software up to date
    • WordPress, plugins, themes, PHP, server OS, etc
    • The OS and apps on the devices you use to access WordPress
  • Practise good password hygiene
    • Use good passwords
    • Stay away from bad passwords: password, admin, admin123, iloveyou
    • Don’t use the same password everywhere
    • Use a password service such as 1Password or LastPass

Prevention Continued

  • Be aware of how you access and manage your site
    • FTP is not encrypted
      • FTPS, SFTP, and SCP are more secure options
    • Be wary of public WiFi
    • Use the least privileged account (don’t do everything as administrator/root)
  • Use a VPN when managing your site while on an untrusted network
  • Consider enabling and forcing SSL/TLS logins to your WordPress dashboard
    • Requires an SSL certificate

A Word on Permissions

Best practice is to use the least privileged account that can still do the particular task.

  • Use Author or Editor role for the accounts writing and publishing content within WordPress
  • Don’t use a root account for FTPing data to your server
    • Use an account with access only to the relevant site
  • Don’t use a root account when SSHing into your server
    • Use a less privileged account and use sudo or su when you need more privileges
  • File permissions are important too
    • Directories should be 755
    • Files should be 644

Server Level Security

Some security related tasks can be performed more efficiently at a lower level (rather than running as a plugin within WordPress).

  • Real time scanning
  • HTTP Request validators/sanitizers
  • Firewalls
    • IPCop, dedicated network appliances

Use a Quality Webhost

  • WP Engine, Page.ly
  • Keep up to date on:
    • OS (kernel updates)
    • HTTPd (Apache, Nginx, etc)
    • PHP
    • MySQL
  • Shared vs VPS vs Dedicated
    • Shared hosting can have exploit spill over from one site to several others
    • VPS and Dedicated can be more secure (no site to site spill over)

Application Level Security

Don’t Mix Production with Development

  • Don’t leave phpMyAdmin unprotected
  • Disable the Theme & Plugin code editor
    • Place the following in your wp-config.php
    define('DISALLOW_FILE_EDIT', true);

Avoid Bad Plugins and Themes

  • Look out for shady plugins and themes
    • BlogPress SEO
  • Official WordPress.org plugin and theme repositories are good but are not perfect
    • AddThis, W3 Total Cache, WP Touch bad commit incident
    • WPSandBox, HWSandBox incident
  • Be wary of themes and plugins that use timthumb.php
    • Old versions are insecure
    • WordPress includes similar functionality

Spotting Bad Code

  • PHP supports several ways of executing arbitrary code:
    eval(wp_get_referer())
    @assert(wp_get_referer())
    assert($_SERVER['HTTP_X_FORWARD_FOR'])
    $matches[1]($matches[2])
  • Obfuscated/encrypted code:
    base64_decode("CQk8L3A+DQoJPC9mb3JtPg0KCTxmb3JtIGFjdGlvbj0iYWRt…
    $o="QAAACg07…
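A small scanner that flags the constructs this slide lists (code-execution sinks fed by request data, @assert, variable function calls, base64_decode of long opaque literals), added here as an example and not part of the original slides. The sample PHP it scans is constructed from the slide's snippets plus two benign lines; the rule names and the 40-character threshold for "long" literals are this example's own choices.

```python
import re
from pathlib import Path

# Constructed sample: the slide's suspicious snippets plus two benign lines
# (a plain assignment and an escaped echo) that a scanner must not flag.
SAMPLE_PHP = r"""<?php
$referer = wp_get_referer();
eval(wp_get_referer());
@assert(wp_get_referer());
assert($_SERVER['HTTP_X_FORWARD_FOR']);
$matches[1]($matches[2]);
$o = base64_decode("CQk8L3A+DQoJPC9mb3JtPg0KCTxmb3JtIGFjdGlvbj0iYWRt");
echo esc_html($title);
"""

# Sources an attacker controls: PHP superglobals and the Referer helper.
TAINT = r"\$_(?:GET|POST|REQUEST|COOKIE|SERVER)\b|wp_get_referer\s*\("

# (rule name, pattern). Each rule is one construct from the slide.
RULES = [
    ("eval/assert of request data",
     re.compile(r"@?\b(?:eval|assert|create_function)\s*\(\s*(?:" + TAINT + r")")),
    ("suppressed assert (@assert)", re.compile(r"@\s*assert\s*\(")),
    # $name(...) or $name[idx](...): the function called is decided at runtime.
    ("variable function call", re.compile(r"\$\w+(?:\[[^\]]*\])*\s*\(")),
    # base64_decode of a long literal (threshold of 40 chars chosen here).
    ("base64_decode of long literal",
     re.compile(r"base64_decode\s*\(\s*['\"][A-Za-z0-9+/=]{40,}")),
]


def scan_php(source: str):
    """Return (line_number, rule_name, stripped_line) for every hit."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        for name, pattern in RULES:
            if pattern.search(line):
                findings.append((lineno, name, line.strip()))
    return findings


def flagged_lines(source: str):
    """Sorted line numbers with at least one hit (empty list means clean)."""
    return sorted({lineno for lineno, _, _ in scan_php(source)})


def scan_tree(root: str):
    """Scan every .php file under root (e.g. wp-content/plugins); keep non-empty results."""
    results = {}
    for path in Path(root).rglob("*.php"):
        hits = scan_php(path.read_text(errors="replace"))
        if hits:
            results[str(path)] = hits
    return results
```

A hit is a reason to read the file, not proof of compromise: legitimate code occasionally uses variable functions, so review each flagged line in context.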

Questions?

John Havlik (@mtekkmonkey)

Find these slides at http://slides.mtekk.us