the moment my site got hacked
Marko Heijnen CODEKITCHEN
The moment my site got hacked. WordCamp Switzerland, Zurich 2015
0. The Story
I have set things up
Hardening WordPress
• Strong password
• VPN access to home is required to login as super admin
• Files can’t be changed by PHP
• define('DISALLOW_FILE_MODS', true); in wp-config.php
• Renamed wp-content folder
Other positive effects
• A lot of functionality is custom written
• PHP-FPM with OPcache requires a restart for file changes to take effect
• WordPress Network install
And then it all comes down to keeping things up to date
Normally I keep everything up-to-date
But one plugin slipped my attention
It all started with an internal e-mail at my job
I started checking to see if I could reproduce it
😱😱😱
1. Shock & Denial
Checking the log files showed how they managed it
Checking the log files showed the failed
• 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
• 202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
• 202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.31 (KHTML, like Gecko) Chrome/26.0.1410.63 Safari/537.31" "-"
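The three log lines above are the whole story in miniature: a POST to the upload handler that returns 200, then a GET for the dropped PHP file. Here is an added example (not the speaker's tooling) of the check a practitioner would run over an access log to surface that pattern: a successful POST followed, from the same IP within a short window, by a GET of a `.php` file under a content or uploads directory. The sample log is constructed from the lines in the talk plus one benign request; the directory names `wp-content`, `content` (the renamed folder seen in the log) and `uploads` are assumptions. The status code of the follow-up GET is what matters: a 200 would mean the dropped file actually executed, while the 301 then 404 above show the request bouncing off the renamed folder and finding nothing.

```python
import re
from datetime import datetime, timedelta

# Combined log format as written by nginx/Apache (the format of the lines above).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

# Assumed content-directory names; extend this for your own renamed wp-content.
PHP_UNDER_CONTENT = re.compile(
    r'/(?:wp-content|content|uploads)/[^?]*\.php\d?(?:$|\?)', re.IGNORECASE)

# Constructed sample: the three lines from the talk plus one unrelated request.
SAMPLE_LOG = """\
203.0.113.7 - - [20/Feb/2015:14:30:00 +0200] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0" "-"
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "POST //?var=upload HTTP/1.1" 200 116 "-" "Mozilla/5.0" "-"
202.69.240.177 - - [20/Feb/2015:14:34:51 +0200] "GET /wp-content/file.php HTTP/1.1" 301 178 "-" "Mozilla/5.0" "-"
202.69.240.177 - - [20/Feb/2015:14:34:52 +0200] "GET /content/file.php HTTP/1.1" 404 11767 "-" "Mozilla/5.0" "-"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.strptime(e["ts"], "%d/%b/%Y:%H:%M:%S %z")
    e["status"] = int(e["status"])
    return e


def find_upload_then_exec(log_text, window=timedelta(seconds=60)):
    """Return (ip, upload_path, php_path, status) for every successful POST that is
    followed, from the same IP within `window`, by a GET of a PHP file under a
    content/uploads directory. The log is assumed to be in time order."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    hits = []
    for i, up in enumerate(events):
        if up["method"] != "POST" or up["status"] != 200:
            continue
        for follow in events[i + 1:]:
            if follow["ts"] - up["ts"] > window:
                break
            if (follow["ip"] == up["ip"] and follow["method"] == "GET"
                    and PHP_UNDER_CONTENT.search(follow["path"])):
                hits.append((up["ip"], up["path"], follow["path"], follow["status"]))
    return hits


def executed(hits):
    """Only the attempts where the webserver actually served the dropped file."""
    return [h for h in hits if h[3] == 200]


if __name__ == "__main__":
    for hit in find_upload_then_exec(SAMPLE_LOG):
        print("upload-then-GET:", hit)
    print("executed:", executed(find_upload_then_exec(SAMPLE_LOG)))
```

Run it against a real access log with `find_upload_then_exec(open("access.log").read())`; anything `executed()` returns is a confirmed webshell hit and should be treated as a compromise, not a probe.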
2. Anger
Having that stupid rewrite
Why didn’t I update my plugins?
Why didn’t I have any protection for this in place?
3. Working Through
Start fixing things
• Update all plugins
• Check the upload directory for more PHP files and delete them all
• Don’t allow PHP to be ever executed inside uploads
• Check that everything else is still untouched
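For the "check the upload directory for more PHP files" step, a grep for `*.php` misses two common tricks: a double extension such as `shell.php.jpg`, which some Apache handler configurations still execute, and PHP code hidden inside a file with an image extension, waiting to be renamed or included. The script below is an added example (not part of the talk) that walks an uploads tree and flags files by extension, double extension and content, optionally deleting them; the sample upload tree it builds is constructed for the demonstration.

```python
import os
import re
import tempfile
from pathlib import Path

# Extensions a PHP handler may execute; a loose `location ~ \.php` regex or an
# Apache AddHandler line often covers more than plain ".php".
PHP_EXTENSIONS = (".php", ".php3", ".php4", ".php5", ".php7", ".phtml", ".phar")

# Opening tags, so a webshell hiding behind an image extension is caught too.
PHP_MARKERS = re.compile(rb"<\?php|<\?=|<script\s+language\s*=\s*['\"]?php", re.IGNORECASE)


def scan_uploads(uploads_dir, delete=False):
    """Return sorted (relative_path, reasons) for every suspicious file under
    uploads_dir. With delete=True each flagged file is removed after listing."""
    uploads_dir = Path(uploads_dir)
    found = []
    for dirpath, _, files in os.walk(uploads_dir):
        for name in files:
            path = Path(dirpath) / name
            lower = name.lower()
            reasons = []
            if lower.endswith(PHP_EXTENSIONS):
                reasons.append("php-extension")
            elif any(ext + "." in lower for ext in PHP_EXTENSIONS):
                reasons.append("double-extension")  # e.g. avatar.php.jpg
            with open(path, "rb") as fh:
                if PHP_MARKERS.search(fh.read(1 << 20)):  # first 1 MiB is enough
                    reasons.append("php-content")
            if reasons:
                found.append((path.relative_to(uploads_dir).as_posix(), reasons))
                if delete:
                    path.unlink()
    return sorted(found)


# Constructed sample uploads tree: two clean files, three that must be flagged.
SAMPLE_FILES = {
    "2015/02/holiday.jpg": b"\xff\xd8\xff\xe0" + b"\x00" * 32,
    "2015/02/notes.txt": b"just a text attachment\n",
    "2015/02/file.php": b"<?php system($_GET['c']); ?>",
    "2015/02/avatar.php.jpg": b"GIF89a<?php eval($_POST['x']); ?>",
    "logo.png": b"\x89PNG\r\n\x1a\n" + b"\x00" * 16 + b"<?php @eval(base64_decode($_POST['p'])); ?>",
}


def demo():
    """Build the sample tree, scan it, then delete the hits; return (report, survivors)."""
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in SAMPLE_FILES.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        report = scan_uploads(tmp)
        scan_uploads(tmp, delete=True)
        remaining = sorted(p.relative_to(tmp).as_posix()
                           for p in Path(tmp).rglob("*") if p.is_file())
    return report, remaining


if __name__ == "__main__":
    report, remaining = demo()
    for rel, reasons in report:
        print(f"{rel}: {', '.join(reasons)}")
    print("left after cleanup:", remaining)
```

Review the report before running with `delete=True`: a legitimate plugin occasionally drops a PHP file into uploads, and deleting it silently is how you learn that the hard way. Cleanup only removes what is already there; the "never execute PHP inside uploads" rule still has to be enforced in the webserver configuration so the next upload cannot run either.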
I was lucky I had git, but what about you?
Checksum checker
• Compares the hashes of your files with the hashes of the original
• Not for WordPress core but for your plugins and themes
• wpcentral.io/api/checksums/plugin/tabify-edit-screen/0.8.3
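The checksum idea in code, as an added example (not the speaker's checker and not the wpcentral.io API): hash every file of an installed plugin, compare against a reference manifest, and report files that were modified, added or removed. The reference here is computed from a constructed stand-in for the pristine plugin; in practice it comes from a trusted source such as the checksums endpoint above, whose response format is not reproduced here (a path-to-sha256 mapping is assumed).

```python
import hashlib
import os
import tempfile
from pathlib import Path


def hash_tree(root):
    """sha256 hex digest of every file under root, keyed by POSIX relative path."""
    root = Path(root)
    digests = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(1 << 16), b""):
                    h.update(chunk)
            digests[path.relative_to(root).as_posix()] = h.hexdigest()
    return digests


def compare(reference, actual):
    """Diff two path->digest maps. 'added' is the interesting one after a breach:
    a dropper or backdoor is usually a new file, not an edited one."""
    return {
        "modified": sorted(p for p in reference if p in actual and reference[p] != actual[p]),
        "missing": sorted(p for p in reference if p not in actual),
        "added": sorted(p for p in actual if p not in reference),
    }


# Constructed stand-in for the plugin as shipped (not the real plugin's files).
PRISTINE = {
    "tabify-edit-screen.php": b"<?php\n/* Plugin Name: Tabify Edit Screen */\n",
    "inc/class-tabify-edit-screen.php": b"<?php\nclass Tabify_Edit_Screen {}\n",
    "readme.txt": b"=== Tabify Edit Screen ===\nStable tag: 0.8.3\n",
}


def write_tree(root, files):
    for rel, data in files.items():
        p = Path(root) / rel
        p.parent.mkdir(parents=True, exist_ok=True)
        p.write_bytes(data)


def demo():
    """Install the pristine tree, take the reference hashes, simulate a compromise
    (backdoor appended, dropper added, readme removed) and return the diff."""
    with tempfile.TemporaryDirectory() as tmp:
        write_tree(tmp, PRISTINE)
        reference = hash_tree(tmp)  # normally fetched from a trusted source instead
        with open(Path(tmp) / "tabify-edit-screen.php", "ab") as fh:
            fh.write(b"eval(base64_decode($_POST['x']));\n")
        (Path(tmp) / "inc" / "wp-cache.php").write_bytes(b"<?php @system($_GET['c']);")
        (Path(tmp) / "readme.txt").unlink()
        return compare(reference, hash_tree(tmp))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two caveats. The reference hashes must come from outside the suspect host; a checker that fetches them through the same compromised PHP stack can be lied to, so run it from a clean machine over a copy of the site. And for WordPress core itself, WP-CLI's `wp core verify-checksums` does the same job against the official core checksums.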
How to prevent things like this happening again?
Application firewall
• Something that actively protects you against vulnerabilities such as cross-site scripting (XSS) and SQL injection
• Sucuri or CloudFlare as a service
• NinjaFirewall as a plugin
• Currently I’m using modSecurity
• Now looking at the rule sets from owasp.org
How to detect if it happens
Built a custom tool
List of all sites
General overview of a site
Security checks for the site
List of all servers
4. Acceptance & Hope
Things I learned from this
Things I learned
• Don’t expect plugin developers to announce publicly that they have or had security issues
• Read the log files more often
• Work proactively on securing my site
• Check out the latest and greatest tools for securing and checking your sites
Last but not least: Some questions for you
Some questions for you
• What does your host do to protect you?
• What do you do yourself?
• How well is your wp-login.php protected?
• Did you harden your site?
• How secure are your backups?
• Do you know what people are trying to do to your site?
Marko Heijnen
• Founder of CodeKitchen
• Lead developer of GlotPress
• Core contributor for WordPress
• Organizer for WordCamp Belgrade
Thank you for listening
@markoheijnen markoheijnen.com
codekitchen.eu