Google Search: inurl:/wp-content/plugins/vulnerable-plugin/

Quick Reference Guide

Who is this person?

I am Chloe, a Threat Analyst for Wordfence. I have the following security certifications:
  • C|EH (Certified Ethical Hacker)
  • SSCP (System Security Certified Practitioner)
  • Security+
  • CySA+ (Cybersecurity Analyst+)
  • PenTest+
When I am not working (or while I am?), I enjoy traveling the world and exploring new places.

Google Hacking. AKA: Google Dorking

In my own terms, a methodology that uses Google Search operators (inurl:, intitle:, filetype: and so on) to discover vulnerabilities and confidential information on sites that can then be used to “break in.” 

Not the most “common” or “practical” method of discovering vulnerabilities, but it can surface serious information disclosure (anything the search engine has indexed is already public) and it is fun and exciting for demonstration purposes.

Security Basics

CIA Triad.

Core security responsibilities include the protection of: 

Confidentiality: The protection of confidential data and ensuring information isn’t disclosed to unauthorized eyes. 

Integrity: Ensuring data is not modified without authorization, whether at rest, in transit, or anywhere else.

Availability: Ensuring resources remain available, with minimal downtime.

How does the protection of confidentiality apply to WordPress?
  • Ensuring customer data isn’t exposed. 
  • Ensuring passwords are not exposed. 
  • Ensuring directories aren’t exposed, or content of sensitive file types. 
  • Ensuring there is no unauthorized access to the dashboard.

Common Attack Methods to Compromise Confidentiality: Authentication Bypass, credential compromise

How does the protection of integrity apply to WordPress?
  • Ensuring posts/content aren’t modified to contain spam.
  • Ensuring data isn’t modified. 
  • Ensuring files aren’t modified to contain backdoors or redirects.

Common Attack Methods to Compromise Integrity: SQL Injections, Credential Compromise, Arbitrary options updates

How does the protection of availability apply to WordPress?
  • Protection against DDoS attacks. 
  • Protection against Brute Force Attacks (which can sometimes exhaust resources)

Common Attack Methods to Compromise Availability: DDoS, xmlrpc.php abuse (pingback amplification, and system.multicall requests that pack many login attempts into one HTTP request)

Defense in depth

A security concept where security is applied in multiple layers so that if one security measure fails you/your site is protected by the next measure put in place.  

Risk Tolerance

Decide how much risk you are willing to accept; that decision determines which security controls are worth implementing and which are overkill for your site.

Hardening (.htaccess)

  • Disable /xmlrpc.php if your site does not need it (Jetpack and some remote-publishing clients do) to cut off the brute-force and amplification traffic aimed at it.
# Block WordPress xmlrpc.php requests (Apache 2.2 directives; Apache 2.4 uses "Require all denied" and "Require ip ...")
<Files xmlrpc.php>
order deny,allow
deny from all
# Optional: allow one trusted address. 123.123.123.123 is a placeholder; drop this line to block everyone.
allow from 123.123.123.123
</Files>
  • Disable directory listing.
Options -Indexes
  • Enable .htpasswd protection (typically on /wp-admin) so the login form is only reachable with a second, server-level credential. Some plugins use wp-admin/admin-ajax.php from the front end; exempt that file if they stop working.
AuthType Basic
AuthName "Password Protected Area"
# Keep the .htpasswd file outside the web root so it can never be served as a download.
AuthUserFile /path/to/.htpasswd
Require valid-user
Generate the file locally with the htpasswd tool shipped with Apache (htpasswd -c /path/to/.htpasswd username) rather than typing a real password into a third-party web form, or use: https://www.htaccesstools.com/htpasswd-generator/

Hardening (wp-config.php)

  • Disable file editing in the WordPress Dashboard
/** Disable file editing in the WordPress dashboard */
define( 'DISALLOW_FILE_EDIT', true );
  • Enable WordPress auto-updates for themes/plugins and core.
/** Core auto-updates: this constant is the wp-config.php way */
define( 'WP_AUTO_UPDATE_CORE', true );
/** Plugin and theme auto-updates. add_filter() is not defined yet while wp-config.php runs, so these three lines go in a must-use plugin (wp-content/mu-plugins/) or the theme's functions.php, not in wp-config.php. */
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_core', '__return_true' );
  • Force the use of SSL over /wp-admin (we will talk more about SSL later)
define('FORCE_SSL_ADMIN', true);
  • Generate fresh Secret Keys/Salts and paste them into wp-config.php. They sign login cookies, so replacing them logs every user out, which is exactly what you want after a compromise.
https://api.wordpress.org/secret-key/1.1/salt/
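As an added example, not code from the slides or from Wordfence, the following must-use plugin puts the auto-update filters where they can actually run, keeps one plugin pinned so it is updated by hand, and writes the outcome of every automatic update run to the PHP error log so a silent failure gets noticed. The pinned slug some-custom-plugin and the EXAMPLE_ constant name are placeholders.

```php
<?php
/**
 * Plugin Name: Auto-update policy (added example)
 * Description: Turns on automatic updates for core, plugins and themes, keeps
 *              listed plugins pinned, and logs the outcome of each update run.
 *
 * Save as wp-content/mu-plugins/auto-update-policy.php. Must-use plugins load
 * after WordPress is bootstrapped, so add_filter() exists here (it does not
 * yet exist while wp-config.php is being executed).
 */

// Placeholder slug: a plugin you update by hand because an update once broke the site.
const EXAMPLE_PINNED_PLUGINS = array( 'some-custom-plugin' );

// $item is the update object WordPress passes to the filter; ->slug is the plugin slug.
add_filter( 'auto_update_plugin', function ( $update, $item ) {
	if ( isset( $item->slug ) && in_array( $item->slug, EXAMPLE_PINNED_PLUGINS, true ) ) {
		return false;
	}
	return true;
}, 10, 2 );

add_filter( 'auto_update_theme', '__return_true' );
add_filter( 'auto_update_core', '__return_true' );

// Fired once per automatic-update run; $results is grouped by type (core, plugin, theme, translation).
// Each entry carries ->name and ->result, where ->result is a WP_Error (or false) on failure.
add_action( 'automatic_updates_complete', function ( $results ) {
	foreach ( $results as $type => $updates ) {
		foreach ( $updates as $update ) {
			$name   = isset( $update->name ) ? $update->name : $type;
			$failed = is_wp_error( $update->result ) || false === $update->result;
			error_log( sprintf(
				'[auto-update] %s "%s": %s',
				$type,
				$name,
				$failed ? 'FAILED - update by hand' : 'ok'
			) );
		}
	}
} );
```

Drop the file into wp-content/mu-plugins/ (create the directory if it does not exist). Must-use plugins load automatically and cannot be deactivated from the dashboard, which is what you want for a security control. Check the error log after the next update window; a line ending in FAILED is the "maybe an auto-update failed?" case from the next section.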

More Hardening… 

  • Change default ‘Admin’ username.
    • Make sure your new username is strong and unique. 
    • You can do this with a plugin, through your sites database, or by creating a new user and deleting the old user. 
  • Haven’t used that plugin in a year? Delete unnecessary plugins and themes.
  • Making sure plugins/themes/core remain up to date.
    • Maybe an auto-update failed? 
  • Disable PHP execution in folders where it isn't required. The uploads directory is the usual target, because a file-upload bug lets an attacker drop a .php file there and then call it.
    • Create an .htaccess file in that directory (for example wp-content/uploads/.htaccess) containing:
# Apache 2.2 directives; on Apache 2.4 use "Require all denied". If your PHP handler also serves .phtml or similar, match those extensions too.
<Files *.php>
Order allow,deny
Deny from all
</Files>
    • This only works where Apache honours .htaccess (AllowOverride); on nginx the equivalent is a location rule in the server config.
  • Install a TLS (SSL) certificate and serve the whole site over HTTPS, not only /wp-admin.

Login Security

Password Strength

  • Length: the biggest factor. Use at least 12-14 characters; a longer passphrase beats a short “complex” one.
  • Complex: Contains at least 1 special character (@,#,$,%,^,&,*, etc…) alongside letters and digits.
  • Diverse: Draws from several character classes (1,2,3,4,5,6,7,8,9) (!,@,#,$,%,^) (ABCDEabcde) rather than being a dictionary word with one substitution.

Never Reuse Passwords

Use a good password manager:

Alternative to password manager? Create strong unique phrases you can remember.

Two-Factor Authentication

Authenticating with two different kinds of factor, so that a stolen password alone is not enough: 

  • Something you know: Password, PIN, security questions, etc…
  • Somewhere you are: Geolocation (you’ve signed in from a new location), etc…
  • Something you have: Token, authenticator app on your phone, etc…
  • Something you are: Biometrics, fingerprint, iris scan, etc…

Limiting Login Attempts

This caps how many times one client can attempt to log into your site within a window and blocks further requests according to a set of rules (per IP address, per username, or both). It blunts brute-force and password-spraying attacks against wp-login.php and xmlrpc.php. 
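Here is a small must-use plugin, added as an example (it is not a Wordfence feature and was not in the original slides), that implements this with WordPress transients: five failures from one address within fifteen minutes lock that address out until the window passes. The EXAMPLE_ constants and the example_ function names are made up for the illustration.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Description: After EXAMPLE_MAX_FAILURES failed logins from one address inside
 *              EXAMPLE_WINDOW seconds, reject further logins from that address
 *              until the window expires. Save as wp-content/mu-plugins/login-limiter.php.
 */

const EXAMPLE_MAX_FAILURES = 5;
const EXAMPLE_WINDOW       = 900; // 15 minutes, in seconds

// Transient key for the calling address. REMOTE_ADDR is the only address the web
// server vouches for; behind a reverse proxy, have the server rewrite it
// (mod_remoteip) rather than reading X-Forwarded-For here, which a client can forge.
function example_login_limiter_key() {
	$addr = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : 'unknown';
	return 'example_login_fail_' . md5( $addr );
}

function example_login_limiter_failures() {
	return (int) get_transient( example_login_limiter_key() );
}

// Count a failure and (re)start the window. Transients live in the options table
// or object cache, so no new table is needed.
add_action( 'wp_login_failed', function () {
	set_transient( example_login_limiter_key(), example_login_limiter_failures() + 1, EXAMPLE_WINDOW );
} );

// Priority 100 runs after the built-in password checks (20) and the spam check (99),
// so even a correct password is refused while the address is locked out. XML-RPC
// logins go through the same wp_authenticate() path, so they are covered too.
add_filter( 'authenticate', function ( $user, $username ) {
	if ( '' === (string) $username ) {
		return $user; // empty form submit: let WordPress produce its usual error
	}
	if ( example_login_limiter_failures() >= EXAMPLE_MAX_FAILURES ) {
		return new WP_Error(
			'too_many_attempts',
			__( 'Too many failed login attempts from your address. Try again later.' )
		);
	}
	return $user;
}, 100, 2 );

// A successful login clears the counter for that address.
add_action( 'wp_login', function () {
	delete_transient( example_login_limiter_key() );
} );
```

Two properties worth knowing before relying on it: a rejected attempt is itself a failed login, so WordPress fires wp_login_failed again and every further try re-arms the fifteen-minute window; and because counting is per address, a distributed attack that spreads guesses over many IPs stays under the threshold, which is why the plugins listed next pair this with per-username limits and a firewall.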

Several Plugins Available To Help Protect your Login Security

To name a few: 

Continuous Monitoring and Updates

Security Audits

Typically an inspection that goes through various points to determine if everything is up to date and there are no security holes in your system.

Checks things like:

  • Is your software up to date? (MySQL, WordPress, Plugins, Themes?)
  • Is there any valuable information being disclosed that shouldn’t be?

Malware/Vulnerability Scanning

Malware Scanner:

  • Helps discover unwanted malware that may be present on your system that you didn’t know about.

Vulnerability Scanner:

  • Compares installed core, plugin and theme versions against a database of known, published vulnerabilities, so you hear about a hole that already has an advisory or a fix before an attacker uses it against you.

A few recommendations:

Logging

Enable logging.

  • Access Logs (Apache logs)

If your site ever gets compromised, you will have a set of logs to help you (or a forensic remediator you hire) determine the intrusion source and infection date.  

Keep them longer than the default log rotation, and ideally copy them off the server, since an attacker with file access can truncate or delete the very log lines that would expose them.

Logs will tell you a lot about what is happening with your sites.
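What that set of logs buys you in practice: the script below is an added example (not from the slides or from Wordfence), a PHP command-line script that parses Apache combined-format lines and pulls out the three patterns a remediator checks first: a run of failed wp-login.php POSTs followed by a 302 (a guessed password), POSTs to xmlrpc.php, and any PHP executed under wp-content/uploads/. The log lines are constructed for the example using RFC 5737 test addresses; on a real host replace them with file_get_contents() of the access log.

```php
<?php
// Added example, not from the original slides: triage an Apache access log for the
// WordPress-specific patterns a remediator looks at first. The log lines below are
// constructed for this example (RFC 5737 test addresses), not real traffic.

$exampleLog = <<<'LOG'
203.0.113.7 - - [10/Mar/2021:02:14:01 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Mar/2021:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Mar/2021:02:14:02 +0000] "POST /wp-login.php HTTP/1.1" 200 4123 "-" "python-requests/2.25.1"
203.0.113.7 - - [10/Mar/2021:02:14:03 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "python-requests/2.25.1"
192.0.2.44 - - [10/Mar/2021:02:15:10 +0000] "POST /xmlrpc.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Mar/2021:02:15:11 +0000] "POST /xmlrpc.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
198.51.100.23 - - [10/Mar/2021:02:16:30 +0000] "GET /wp-content/uploads/2021/03/cache.php?c=id HTTP/1.1" 200 512 "-" "curl/7.68.0"
198.51.100.23 - - [10/Mar/2021:02:16:45 +0000] "GET /?p=1 HTTP/1.1" 200 9000 "-" "curl/7.68.0"
LOG;

// Parse Apache "combined" format into associative arrays; unparseable lines are skipped.
function parse_access_log( $text ) {
	$pattern = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"$/';
	$entries = array();
	foreach ( preg_split( '/\R/', trim( $text ) ) as $line ) {
		if ( preg_match( $pattern, $line, $m ) ) {
			$entries[] = array(
				'ip'     => $m[1],
				'time'   => $m[2],
				'method' => $m[3],
				'path'   => $m[4],
				'status' => (int) $m[5],
				'ua'     => $m[6],
			);
		}
	}
	return $entries;
}

// Walk the entries in order and collect the things worth looking at first.
function triage_wordpress_log( array $entries, $login_threshold = 3 ) {
	$f = array(
		'login_failures'  => array(), // ip => count of POST /wp-login.php answered with 200
		'login_successes' => array(), // 302 from wp-login.php after >= threshold failures from that ip
		'xmlrpc_posts'    => array(), // ip => count
		'php_in_uploads'  => array(), // requests that executed PHP under wp-content/uploads/
	);
	foreach ( $entries as $e ) {
		$path = strtok( $e['path'], '?' ); // strip the query string
		if ( 'POST' === $e['method'] && '/wp-login.php' === $path ) {
			// A wrong password re-renders the form (200); a successful login redirects (302).
			if ( 200 === $e['status'] ) {
				$f['login_failures'][ $e['ip'] ] = ( $f['login_failures'][ $e['ip'] ] ?? 0 ) + 1;
			} elseif ( 302 === $e['status'] && ( $f['login_failures'][ $e['ip'] ] ?? 0 ) >= $login_threshold ) {
				$f['login_successes'][] = $e; // the moment a guessed password worked
			}
		} elseif ( 'POST' === $e['method'] && '/xmlrpc.php' === $path ) {
			$f['xmlrpc_posts'][ $e['ip'] ] = ( $f['xmlrpc_posts'][ $e['ip'] ] ?? 0 ) + 1;
		} elseif ( preg_match( '#^/wp-content/uploads/.*\.php(?:/|$)#i', $path ) ) {
			// PHP should never execute here; the earliest hit bounds the infection date.
			$f['php_in_uploads'][] = $e;
		}
	}
	return $f;
}

$findings = triage_wordpress_log( parse_access_log( $exampleLog ) );

foreach ( $findings['login_failures'] as $ip => $n ) {
	if ( $n >= 3 ) {
		printf( "brute force: %s made %d failed wp-login.php attempts\n", $ip, $n );
	}
}
foreach ( $findings['login_successes'] as $e ) {
	printf( "CREDENTIALS GUESSED: %s logged in at %s (UA %s)\n", $e['ip'], $e['time'], $e['ua'] );
}
foreach ( $findings['xmlrpc_posts'] as $ip => $n ) {
	printf( "xmlrpc: %d POSTs from %s (one system.multicall can carry many login tries)\n", $n, $ip );
}
foreach ( $findings['php_in_uploads'] as $e ) {
	printf( "WEBSHELL? %s executed %s at %s; infection no later than this\n", $e['ip'], $e['path'], $e['time'] );
}
```

Run it with php triage.php. On the constructed sample it reports 203.0.113.7 for three failures followed by a successful redirect, two xmlrpc.php POSTs from 192.0.2.44, and the cache.php hit under uploads/ from 198.51.100.23, whose timestamp is the latest possible infection date; with the real access log the same three buckets are the first place to look.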

Backups

Important to keep backups so that if you are ever compromised you have a way to restore (or simply if something breaks). Store at least one copy off the server and test a restore occasionally: a backup that lives next to the site is lost, or encrypted, along with it. 

You can use built in hosting backups or a plugin like: 

Install a Web Application Firewall.

WordPress has a wide attack surface and powers a large share of the internet’s websites. Plugin, theme and core code is all susceptible to vulnerabilities; everybody makes mistakes, even if they don’t want to!

This can help block malicious attacks/users and protects against things like:

  • SQL injections
  • XSS vulnerabilities
  • CSRF
  • And more…

A few recommendations… 

Install a Security Plugin

Provides several additional security features adding additional layers of protection 

Usually a friendly user interface that makes it easier to secure your site. 

  • Some security plugin features:
    • WAF
    • Login Security (Brute Force, Limit Login Attempts, 2FA) 
    • Traffic logging. 
    • Malware scanners

A few popular security plugins…

 
