Secure your Wordpress

A presentation at Null Bachaav Workshop in November 2013 in Bengaluru, Karnataka, India by Anant Shrivastava

Slide 1

Secure Wordpress
Bachaav Session – A Null Community Initiative
30-Nov-2013

Slide 2

Agenda
• Understand
• How to Setup
• Security Configuration

Slide 3

Agenda
• Understand
  – How Wordpress Works
  – File and Folder Co-relations
• How to Setup
• Security Configuration

Slide 4

Demo Setup
• VirtualBox VM
  – NAT interface for Internet access
  – Host-only connection for normal testing
  – sudo ifconfig => get the IP address
• Various URLs
  – http://IP/wordpress
  – http://IP/phpmyadmin
• Credentials
  – Username: wordpress
  – Password: wordpress

Slide 5

How Wordpress Works
● index.php
  – Define WP_USE_THEMES
  – include(wp-blog-header.php)
● wp-blog-header.php
  – include(wp-config.php) -> db and other constants
  – include(wp-settings.php)
    ● lots and lots of includes
    ● Plugins from PLUGIN_DIR
    ● Pluggable functions loaded (can be overridden by plugins)
  – Path Declaration
  – Query Parsing and assignment
  – HTTP Headers
  – Request Parsing
  – Template Redirections
  – Theme
    ● Header
    ● Loop
    ● Widget / Sidebar
    ● Footer
Reference: http://codex.wordpress.org/User:DavidHouse/Wordpress_Code_Flow

Slide 6

Slide 7

File and Folder Co-relations
● wp-config.php
● wp-settings.php
● index.php
● .htaccess
● /wp-admin/
● /wp-content
  – /plugins
  – /themes
● /wp-includes

Slide 8

Agenda
• Understand
• How to Setup
  – Setup over FTP / SSH
  – Setup via SVN
• Security Configuration

Slide 9

Setup
• Shared hosting
  – Use the hosting control panel
  – Upload via FTP and run install.php
• VPS / Dedicated / Cloud Server
  – Upload via SSH / FTP
  – Sync via SVN

Slide 10

Wordpress Setup

Slide 11

Agenda
• Understand
• How to Setup
• Security Configuration
  – Basic server hardening
  – Understanding attack vectors
  – Implement protections

Slide 12

Base Server Hardening
• This session is Wordpress focused, so server hardening is not covered in detail.

Slide 13

Core Level Attacks
● Present unpatched issues
  – Full Path Disclosures
  – Enumeration issues
    ● Username
    ● Attachment
    ● Plugins
    ● Themes
  – Account bruteforce
  – Version disclosure in multiple places
● Previously exploited issues
  – XMLRPC based SSRF attack
  – D-DoS and more

Slide 14

Other Attacks
● Plugin / Theme using old files
● Vulnerable code in Core
● Vulnerable code in Plugins / Themes
● Permission and access issues

Slide 15

How to Defend
● Core modifications are not recommended, as every upgrade overwrites the core files.
● Implement custom .htaccess based restrictions.
● Implement hook / function overrides via custom theme templates.
● Even modifying the parent theme is an absolute no-no, as the next update will override it.

Slide 16

HTACCESS
● Redirections
  – RewriteCond %{REQUEST_URI} robots.txt
  – RewriteRule ^abracadabra/ http://google.com [R=301,L]
● Custom Directives
  – DirectoryIndex index.html
  – ServerSignature Off
  – Header unset Etag

Slide 17

Theme modification the right way
● Child theme folder: all files are picked first from this folder and then from the parent theme
● style.css
    /*
    Theme Name: Anantshri
    Theme URI: http://www.anantshri.info/
    Description: Child theme for the twenty twelve
    Author: Anant Shrivastava
    Author URI: http://anantshri.info/about/
    Template: twentytwelve
    Version: 0.1.0
    */
    @import url("../twentytwelve/style.css");
● functions.php: can be used to provide all function overrides
  – remove_action( 'widgets_init', 'xyz_widgets_init' );
  – add_action( 'widgets_init', 'abc_widgets_init' );

Slide 18

User / Attachment Enumeration
● index.php?author=1
  – Redirects to /author/<username>
● index.php?attachment=1
  – Redirects to the individual attachment URL

Slide 19

Plugin / Theme Enumeration
● How it is identified
  – Predictable URLs: wp-content/plugins, wp-content/themes
  – Predictable files: readme.txt and plugin-specific assets (js or css)

Slide 20

Account Bruteforce / Enumeration
● Possible to enumerate accounts because the login form returns different error messages for an unknown username and a wrong password

Slide 21

More Issues
● Full Path Disclosures: display_errors = Off (php.ini)
● ClickJacking protection
● swf and timthumb related attacks
● Issues related to the wp-includes folder
● Comment spam
● Dangerous methods (PUT and more)
● XMLRPC issues
● Automated scanners
● Wordpress header code
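The child-theme functions.php from the "Theme modification the right way" slide is the place where the enumeration, bruteforce, version-disclosure, clickjacking and XMLRPC points above can be addressed without touching core or parent-theme files. The following functions.php is an added example written for this page, not code from the slides; the hook names are standard WordPress APIs, the mychild_ prefix is a hypothetical child-theme name, and redirecting every author archive to the home page is an assumed site policy rather than something the slides prescribe.

```php
<?php
/**
 * Child-theme functions.php (added example, not from the slides).
 * One hook per issue from the enumeration / "More Issues" slides.
 */

// 1. Username enumeration: ?author=N is normally canonically redirected to
//    /author/<username>. Run before redirect_canonical() (priority 10 on
//    template_redirect) and send the client to the home page instead.
//    Assumption: this site does not need public author archives.
function mychild_block_author_enumeration() {
    if ( isset( $_GET['author'] ) || is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}
add_action( 'template_redirect', 'mychild_block_author_enumeration', 1 );

// 2. Account enumeration via login errors: return one generic message instead
//    of the distinct "invalid username" / "incorrect password" texts.
function mychild_generic_login_error( $error ) {
    return 'Login failed. Please check your credentials.';
}
add_filter( 'login_errors', 'mychild_generic_login_error' );

// 3. Version disclosure: drop the <meta name="generator"> tag printed by
//    wp_head(). Core registers wp_generator before themes load, so a plain
//    remove_action() from the child theme is enough.
remove_action( 'wp_head', 'wp_generator' );

// 4. Clickjacking: emit X-Frame-Options on every front-end response.
function mychild_frame_options_header() {
    header( 'X-Frame-Options: SAMEORIGIN' );
}
add_action( 'send_headers', 'mychild_frame_options_header' );

// 5. XMLRPC: disable it entirely when the site does not use remote
//    publishing or pingbacks (the SSRF and DoS issues on the slides go
//    through xmlrpc.php).
add_filter( 'xmlrpc_enabled', '__return_false' );
```

Because all of this lives in the child theme, parent-theme and core updates leave it in place, which is exactly the point of the "How to Defend" slide.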

Slide 22

Plus a lot more
● This should help you get started; now that you are aware of the various functions and the ways to control them, it is an open playground.