Hacking WordPress... and countermeasures.

Hacking WordPress
&
Countermeasures
NESTOR ANGULO DE UGARTE
WORDCAMP OSAKA 2019
#WCOSAKA

Who I am 7
u Computer Science Engineer &
Technology consultant
u Photographer & Early Adopter
u Truly curious guy
u 2015: SUCURI
Incident Response & Easy SSL
u 2019: GoDaddy Spain
Interim Head of IT @ GoDaddy
Spain

Where is カ
ナリア諸島
8

9
About
u Sucuri: Anaconda
(No Securi / Security)
u Website security
u Fully remote (people from > 25
countries around the world)
u 2008: Foundation
u 2017: Proud part of the
GoDaddy family
u Free scanners:
u Sitecheck
(sitecheck.sucuri.net)
u Performance
(performance.sucuri.net)

10
#WCOsaka2019 Nestor Angulo (@pharar)

Concepts
GIVING CONTEXT
11
#WCOsaka2019NestorAngulo(@pharar)

DISCLAIMER 12
Any sensitive information has been protected/encrypted to
preserve privacy. Any similiarity with reality is a coincidence.
I’m responsible of what I say, not what you interpret.
Always ask an expert.

#WCOsaka2019 Nestor Angulo (@pharar) 13

#WCOsaka2019 Nestor Angulo (@pharar) 14
ハッキングされた企業と、
ハッキングされたことをま
だ知らない企業の2種類があ
ります。

HACKER VS Cyberterrorist 15
Hacker:
Curious person who loves to go
beyond limits or convetionalisms.
Cyberterrorist / Cracker:
Computer Hacker, whom intentions are
always aligned to enrich himself in a zero-
sum game situation.
The bad guy

Hacker Hat Colours 16
u Black Hat
Cyberterrorist,
thief
u Grey Hat
White Hat using
illegal procedures
u White Hat
Security Analyst,
ethical hacker

Malware
u Software intentionally designed to cause
damage to a computer, client, or computer
network.
u Some types:
u Backdoors, zero-day
u Exploits
u Trojan horses, Fremium plugins
u Ransomware, Spyware
u Adware, Scareware
17

CyberSecurity
& Web Security
18
u Cybersecurity:
Security in the digital world
u Web Security:
Field of Cybersecurity
u Covers what happens
through port 80 / 443

FACTS 19
Site hacking
almost never is
client-oriented
(98% of cases)
Almost always
happens due to a
deficient monitoring
/ maintenance
A SSL certificate
is not an
antihacking shield
Patches & security
updates appear
almost always after
hacking exploits
Errare Humanum Est
(Human being fails)
Security never is
(nor will be)
100% effective

FACTS
20
Source: Website Hack Trend Report 2018 – sucuri.net

The Art of War
IN THE MIND OF YOUR ENEMY

Common Targets 22
Users info Database
Website
Content
Infrastructure Bot Net Reputation

Know your weaknesses 23
u You are your weakest point
u You can be scammed
u Passwords.
u Vulnerable to brute force attacks
u Leftovers
u Admin users
u Outdated/vulnerable software
u Enabled/Disabled not-in-use
plugins/themes
u Non-secure connection (avoid public wifi)
u Vulnerable to Man-In-the-Middle attacks

Hacking WordPress. The Process 24
Vulnerability
->Exploit
Injection
Final code Backdoor
Spam /
defacement
BotNode Final code

Definitions 25
u Vulnerability
u Bug in the code or posibility of misuse
that can be exploited to perform
unauthorized actions within a
computer system.
u Exploit
u Software that leverages a
vulnerability
u Backdoor
u Malware which allows remote
execution of code

WPScan
Vulnerability
Database
wpvulndb.com
26

Gallery of Horrors
27

Example 1:
Photographer
Gallery
30

31

32

DEFACEMENTS
38
Partial / full replacement of website
frontend.
Very obvious
Easy detection:
- Users (hear them!)
- Scanners
Target:
Awareness or social/political
revindication

BLACK HAT
SEO / SPAM
45
Spam/unwanted content in
your site
Detection:
- Scanners (Easy)
- Users (hear them!)
- Search Engine warnings
Target:
Your SEO and reputation

Definitions 47
u DoS attack
- Denial of Service
- Overhelmed application due to a
huge amount of petitions
u DDoS attack
u Distributed DoS
u BotNet
u Net of websites linked to act
coordinated
u Have bot nodes and a bot master

BOTNETS,
CRYPTOMINERS,
DDOS
51
Affecting to your infrastructure
Detection:
- Usually difficult
- Strange use of resources
- File Integrity Scanner
WAF recommended
Target:
- Your server’s resources
- User’s resources.
- Zombie node

Countermeasures
REACTIVES AND PROACTIVE MEASURES
52

Characters in the Story
(if something happens)
53
You
• Owner /
Admins
• Developer &
Designer
• Users/clients
Hosting
Provider
• Agent / C3
• Support &
Backups
Security
Expert
• Security
department
• External
services

Security in Layers 54
u You ( the weakest layer )
u Your device ( Antivirus )
u Your connection ( SSL )
u Your website ( WAF )
u Your credentials ( Strong Passwords / 2FA )
u Your site security ( monitor / updates )
u Your server security ( monitor / updates )
u Your database ( monitor )
u Maintenance tasks

Measures: Reactive vs Proactive 55
Reactive:
When bad things have
already happened
Pain mitigation
Proactive:
Before anything bad
happens
Risk mitigation

Reactive
measures
u Scan your site:
uStatus: Sitecheck.sucuri.net
uBlacklist: Virustotal.com
u CRC: Check, Remove and
Change
u Update
u Restore a backup
56

57

Proactive
measures
u Reduce admins, plugins and
themes
u Backups
u Updates
u Invest in Hosting & Security
u WAF
58

The more Doors,
the higher Risk
59
“To Caesar, what is Caesar’s”.
Admin stuff with admin account. The
rest, with a limited account
The more admins, plugins and themes
the more risk (even when disabled).
All user’s passwords MUST be
unique and strong
(better with 2FA when possible)
Applied to all layers
(wp-admin, [S]FTP, cPanel, dashboard,
db, …)

BACKUPS 60
u Have a backups strategy
uNEVER store the backups in your
production server
uA clean and FUNCTIONAL
backup will be your best friend a
bad day

BACKUPS 61
u Have a backups strategy
uNEVER store the backups in your
production server
uA clean and
backup will be your best friend a
bad day

Updates
62
u PLUGINS
u THEMES
u CORE
u PHP
u APACHE / NGINX
u SERVER
u CPANEL / PLESK
u …

Updates
63
Source:
Web Professional Security
Survey 2019 – Sucuri.net

Remember to Invest in 64
SECURITY HOSTING

Hosting 65
FIRST LAYER OF
YOUR SITE’S DEFENSE
BALANCE BETWEEN
PRICE AND FEATURES
THEY ARE IN CHARGE OF THE
SERVER’S SERVICES, DATABASE
AND MAINTENANCE

Shared hosting vs dedicated
66

Source: 2019 Sucuri survey to ecommerce owners. 67

WAF
Your guard
dog
68
FILTERS ALL YOUR
WEB TRAFFIC
PROTECTS AGAINST
XSS, DDOS, …
PATCHS VIRTUALLY WIDELY
KNOWN SOFTWARE
VULNERABILITIES
IF IT INCLUDES CDN,
IMPROVES YOUR SITE’S
SPEED &
PERFORMANCE
FORENSIC ANALISYS
TOOL
ALLOWS MANUAL
BLOCKING

WAF
Your guard
dog
69
FILTERS ALL YOUR WEB
TRAFFIC
PROTECTS AGAINST XSS,
DDOS, …
PATCHS VIRTUALLY WELL
KNOWN SOFTWARE
VULNERABILITIES
IF IT INCLUDES CDN,
YOUR SITE WILL IMPROVE
ITS SPEED AND
PERFORMANCE
FORENSIC ANALISYS
TOOL
ALLOWS MANUAL
BLOCKING

70

71

ありがとうござ
いました︕
ご質問は︖
72
@pharar #WCOSAKA2019

Hacking WordPress... and countermeasures.

More Related Content

What's hot (20)

Similar to Hacking WordPress... and countermeasures. (20)

More from Nestor Angulo de Ugarte (6)

Recently uploaded (20)

Hacking WordPress... and countermeasures.