the moment my site got hacked

Post on 23-Jan-2018


Marko Heijnen CODEKITCHEN

The moment my site got hacked

WordCamp Switzerland, Zurich 2015

0. The Story

I have set things up

Hardening WordPress

• Strong password

• VPN access to home is required to log in as super admin

• Files can’t be changed by PHP

• define('DISALLOW_FILE_MODS', true);

• Renamed wp-content folder

Other positive effects

• A lot of functionality is custom written

• PHP-FPM with OPcache requires a restart for changes to take effect

• WordPress Network install

And then it all comes down to keeping things up to date

Normally I keep everything up-to-date

But one plugin slipped my attention

It all started with an internal e-mail at my job

I start checking to see if I can reproduce it

😱😱😱

1. Shock & Denial

Checking the log files showed how they managed it

Checking the log files showed the failed

• 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"

• 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"

• 202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
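The three log lines above already contain the whole pattern: an upload POST, then a request for a freshly dropped .php file under the content folder, with the 301 on /wp-content/ showing the client being redirected to the renamed folder. The detector below is an added example, not a tool from the talk: it parses combined-format access logs, groups requests per client IP, and flags a .php request under a content directory that follows an upload POST from the same IP within a time window, plus any redirect answered for /wp-content/ (the rewrite that undoes the rename). The sample input is the slide's three lines plus one constructed benign request; the content directory names and the five-minute window are assumptions to adjust for your own site.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Combined log format as on the slide: ip ident user [time] "method target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Directories that may hold PHP files: the default wp-content and the renamed
# folder from the talk. Assumption: change this to match your own rename.
CONTENT_DIRS = ("/wp-content/", "/content/")

# Sample input: the three requests from the slide plus one constructed benign request.
SAMPLE_LOG = """
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
203.0.113.5 - - [20/Feb/2015:14:35:10 +0200] "GET /content/themes/demo/style.css HTTP/1.1" 200 512 "-" "Mozilla/5.0 (constructed)" "-"
""".strip().splitlines()


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%d/%b/%Y:%H:%M:%S %z")
    rec["status"] = int(rec["status"])
    # Split the request target by hand: the slide's "//?var=upload" would make
    # urlsplit treat "//" as a host, so partition on the first "?" instead.
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def is_upload_request(rec):
    """POST whose query string names an upload action (the slide shows ?var=upload)."""
    return rec["method"] == "POST" and "upload" in rec["query"].lower()


def is_php_under_content(rec):
    """Request for a .php file under one of the content directories."""
    path = rec["path"].lower()
    return path.endswith(".php") and path.startswith(CONTENT_DIRS)


def detect(lines, window=timedelta(minutes=5)):
    """Return (ip, kind, path, status) findings, evaluated per client IP.

    "upload-then-php": a .php request under a content dir shortly after an
    upload POST from the same IP, whatever the status (a 404 still shows intent).
    "rewrite-leak": a /wp-content/ request answered with a redirect, which tells
    the client where the renamed folder lives.
    """
    by_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            by_ip[rec["ip"]].append(rec)

    findings = []
    for ip, recs in by_ip.items():
        recs.sort(key=lambda r: r["ts"])
        upload_times = [r["ts"] for r in recs if is_upload_request(r)]
        for r in recs:
            if not is_php_under_content(r):
                continue
            if any(timedelta(0) <= r["ts"] - t <= window for t in upload_times):
                findings.append((ip, "upload-then-php", r["path"], r["status"]))
            if r["status"] in (301, 302) and r["path"].lower().startswith("/wp-content/"):
                findings.append((ip, "rewrite-leak", r["path"], r["status"]))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

Run against the sample, the single attacking IP produces three findings and the benign request none; in practice you would feed it the rotated access logs for the day and review every IP that appears.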

2. Anger

Having that stupid rewrite

Why didn’t I update my plugins?

Why didn’t I have any protection for this in place?

3. Working Through

Start fixing things

• Update all plugins

• Check the upload directory for more PHP files and delete them all

• Never allow PHP to be executed inside uploads

• Check whether everything else is still untouched
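Sweeping the uploads directory for PHP is more than a search for the .php extension: a dropped file can carry a double extension or hide a PHP open tag inside something named like an image. The scanner below is an added example, not something from the talk. It walks an uploads tree and reports every file whose extension chain contains a PHP extension or whose bytes contain a PHP open tag, and reports rather than deletes so the list can be reviewed first. The extension set is an assumption about what a PHP handler is typically mapped to; the sample tree and its file contents are constructed.

```python
import re
import tempfile
from pathlib import Path

# Extensions a PHP handler is commonly mapped to. Assumption: check your own
# server config, since the handler mapping decides what actually executes.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar"}

# PHP open tag, including the short echo form "<?=", anywhere in the file.
PHP_OPEN_TAG = re.compile(rb"<\?(php\b|=)", re.IGNORECASE)


def scan_uploads(uploads_dir):
    """Return [(relative_path, [reasons])] for files that look like PHP.

    A file is reported when any of its extensions is a PHP extension (this
    catches double extensions such as shell.php.jpg) or when its content
    contains a PHP open tag (a "JPEG" that is really a script).
    """
    uploads_dir = Path(uploads_dir)
    suspicious = []
    for p in sorted(uploads_dir.rglob("*")):
        if not p.is_file():
            continue
        reasons = []
        if {s.lower() for s in p.suffixes} & PHP_EXTENSIONS:
            reasons.append("php-extension")
        if PHP_OPEN_TAG.search(p.read_bytes()):
            reasons.append("php-open-tag")
        if reasons:
            suspicious.append((p.relative_to(uploads_dir).as_posix(), reasons))
    return suspicious


def demo():
    """Build a constructed uploads tree (WordPress-style year/month layout) and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        month = Path(tmp) / "2015" / "02"
        month.mkdir(parents=True)
        (month / "photo.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"\x00" * 64)  # genuine-looking JPEG
        (month / "notes.txt").write_text("nothing to see here\n")
        (month / "file.php").write_text("<?php echo 'dropped file'; ?>\n")  # the obvious case
        (month / "avatar.jpg").write_bytes(b"\xff\xd8\xff\xe0" + b"<?php echo 'hidden'; ?>")  # disguised
        (month / "shell.php.jpg").write_bytes(b"GIF89a")  # double extension, innocuous bytes
        return scan_uploads(tmp)


if __name__ == "__main__":
    for rel, reasons in demo():
        print(rel, ", ".join(reasons))
```

Of the five constructed files, three are reported and the real image and the text file pass; the open-tag check is what catches the disguised avatar, which an extension-only sweep would miss.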

I was lucky that I had Git, but what about you?

Checksum checker

• Compares the hashes of your files against the hashes of the original

• Not for WordPress core, but for your plugins and themes

• wpcentral.io/api/checksums/plugin/tabify-edit-screen/0.8.3
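The checksum idea is simple: hash every file of the installed plugin, compare against the hashes of the original release, and report what differs. The code below is an added example, not the tool from the talk or the wpcentral.io service. The slide references that API but does not show its response format, so the example uses a locally computed SHA-256 baseline as a stand-in for the manifest; the plugin directory name is taken from the slide's URL, and the file names and contents are constructed. The comparison itself is what a practitioner wants: modified files, files missing from the install, and files added that were never part of the release.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_tree(root):
    """Map every file under root (relative POSIX path) to its SHA-256 hex digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def compare(expected, actual):
    """Diff a reference manifest against the hashes of an installed plugin.

    expected: {relative_path: digest} for the original release
    actual:   {relative_path: digest} from hash_tree() on the live install
    """
    return {
        "modified": sorted(k for k in expected if k in actual and expected[k] != actual[k]),
        "missing": sorted(k for k in expected if k not in actual),
        "added": sorted(k for k in actual if k not in expected),
    }


def demo():
    """Constructed scenario: a pristine plugin copy, then three kinds of tampering."""
    with tempfile.TemporaryDirectory() as tmp:
        plugin = Path(tmp) / "tabify-edit-screen"
        (plugin / "inc").mkdir(parents=True)
        (plugin / "tabify-edit-screen.php").write_text("<?php // plugin bootstrap (constructed)\n")
        (plugin / "inc" / "settings.php").write_text("<?php // settings page (constructed)\n")
        (plugin / "readme.txt").write_text("=== Tabify Edit Screen ===\n")

        # Stand-in for the manifest a checksum API would return for this release.
        expected = hash_tree(plugin)

        # Tamper: edit one file, drop a new file, delete one file.
        (plugin / "inc" / "settings.php").write_text(
            "<?php // settings page (constructed)\n// extra line\n"
        )
        (plugin / "file.php").write_text("<?php // not part of the release\n")
        (plugin / "readme.txt").unlink()

        return compare(expected, hash_tree(plugin))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths or '-'}")
```

The "added" list is the one to look at first after an incident, since a dropped file is new rather than modified; the "missing" list matters too, because a removed file can be a sign that someone replaced a plugin with a trimmed copy.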

How to prevent things like this from happening again?

Application firewall

• Something that actively protects you against vulnerabilities such as cross-site scripting (XSS) and SQL injection

• Sucuri or CloudFlare as a service

• NinjaFirewall as a plugin

• Currently I’m using ModSecurity

• Now looking at the rule sets from owasp.org

How to detect it when it happens

Built a custom tool

List of all sites

General overview of a site

Security checks for the site

List of all servers

4. Acceptance & Hope

Things I learned from this

• Don’t expect plugin developers to announce publicly that they have or had security issues

• Read the log files more often

• Work proactively on securing my site

• Check out the latest and greatest tools for securing and checking your sites

Last but not least: some questions for you

• What does your host do to protect you?

• What do you do yourself?

• How well is your wp-login.php protected?

• Did you harden your site?

• How secure are your backups?

• Do you know what people are trying to do to your site?

Marko Heijnen

• Founder of CodeKitchen

• Lead developer of GlotPress

• Core contributor for WordPress

• Organizer for WordCamp Belgrade

Marko Heijnen

info@markoheijnen.com

@markoheijnen

Thank you for listening

@markoheijnen markoheijnen.com

codekitchen.eu
