Attacking WordPress

169 points by grflynn, about 10 years ago

8 comments

zaroth, about 10 years ago
The best part about this presentation, aside from the scrollable slides, is that it didn't break the back button. :-)

I think it's a nice high-level intro to exactly how easy it is to exploit an unpatched site. Obviously not groundbreaking, but a nice intro nonetheless.

I think the key takeaway is: assume anything on or near your WordPress is compromised. The attackers have IP maps of pretty much every WordPress site, what versions, and what plugins they are running, so the moment an exploit is published their botnets will be attacking you within minutes. This already happened to Drupal, and there's no reason to expect it's not happening to WordPress as well.

The best defense is not storing anything on the server which is not already public, and a single-click restore feature which should be used liberally any time a privilege-escalating exploit is patched (assume you were compromised, even in the absence of any logs indicating that you were).
meowface, about 10 years ago
I'm very surprised by the unwise compromise remediation advice:

> Remove any files, pages, posts, comments or processes added by the attacker. If in doubt as to whether you got everything, set up a new WordPress site from scratch and then restore your last known good backup into it.

> Change all passwords used by the site. Also change your hosting provider and database passwords.

All this after showing how easy it is to hide a backdoor.

If you have reason to believe your server is compromised, not only should you always wipe the web app and restore from backup (delete all of /var/www or equivalent and repopulate with your backup), you should wipe the server and reinstall the OS (or just request a new image to be spun up if it's a VPS/VM) too, unless you can 100% prove that the attacker didn't get root access, and you know everything they did, and know file permissions are set properly everywhere so www-data (or equivalent) couldn't read or write anything sensitive outside of the web server directories.

And even then, it saves you a lot of time, effort, and anxiety to just nuke and reimage by default.

This is yet another reason why frequent backups are extremely important. Just make sure you're restoring to a known good backup (hopefully you can confirm the time of compromise).
deckiedan, about 10 years ago
I have my clients' WordPress sites hosted as follows:

$Owner (owns the directory, has rwx)
$Owner-cgi (in the group of $Owner, which has r-x, and only rwx in uploads)
Everyone (can read files in uploads, but cannot even read wp-config.php, or other similar files)

nginx runs as nobody, and so can read the static files, uploads, etc. But if nginx is hacked, it still can't read the database configuration, etc.

Each $Owner-cgi user is what php-fpm (or HHVM, probably in the future) runs as. Logged-in users can upload new media content, but cannot install new plugins, edit PHP files, etc.

To upload new plugins, WordPress has a pretty cool 'use FTP' feature, which lets logged-in users type in an FTP user on the server, which lets them install new plugins. The username/password they use is the $Owner one. The FTP daemon only allows localhost access, and the $Owner user doesn't have shell access.

nginx is set up to block a whole bunch of standard things (such as any request with wp-config in it...).

This setup automatically blocks most of the exploits that are around, and is pretty easy to use. It also means that even if a plugin does get exploited, there's very little that can be done without knowing the FTP username & password (which is long and random).

All of this is enforced and configured by Ansible. Setting up a new client site takes about 2 minutes. (Answer a few questions from my 'make a new client' script, and then run the Ansible site.yml.)
waingake, about 10 years ago
I always give the web server read-only access to the file system, except the uploads directory, and then prevent the web server from being able to execute PHP inside the uploads directory.

You can't update plugins via the admin with this setup; that is instead done with a deployment script.

I've deployed many WP sites with this setup and have never been hacked.

Oh, fail2ban monitoring wp-login is also essential.
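As an added example (not from either comment above and not any project's own code), a POSIX shell script that applies and verifies the mode-bit part of the layout deckiedan and waingake describe: everything read-only to the web process except the uploads tree, nothing world-writable, and wp-config.php unreadable by "everyone". It assumes the paths of a stock WordPress tree and uses only chmod so it runs unprivileged; the chown to $Owner / $Owner-cgi and the nginx rule that refuses to execute PHP under uploads are outside its scope.

```shell
#!/bin/sh
# Added example, not from the thread. Applies and checks the mode bits of the
# layout described above; chown to $Owner/$Owner-cgi is done separately as root.
set -eu

# harden_wp_tree ROOT: dirs 755, files 644, uploads tree writable by the php-fpm
# group, wp-config.php readable by owner and group only (nginx's "nobody" gets nothing).
harden_wp_tree() {
  root=$1
  find "$root" -type d -exec chmod 755 {} +
  find "$root" -type f -exec chmod 644 {} +
  find "$root/wp-content/uploads" -type d -exec chmod 775 {} +
  find "$root/wp-content/uploads" -type f -exec chmod 664 {} +
  chmod 640 "$root/wp-config.php"
}

# check_wp_tree ROOT: returns 0 when the invariants hold, 1 otherwise (offenders listed).
check_wp_tree() {
  root=$1
  bad=0
  # 1. nothing outside uploads is group- or world-writable (read-only to the web user)
  offenders=$(find "$root" -path "$root/wp-content/uploads" -prune -o \
              \( -perm -020 -o -perm -002 \) -print)
  [ -z "$offenders" ] || { printf 'writable outside uploads:\n%s\n' "$offenders"; bad=1; }
  # 2. nothing at all is world-writable, uploads included
  offenders=$(find "$root" -perm -002 -print)
  [ -z "$offenders" ] || { printf 'world-writable:\n%s\n' "$offenders"; bad=1; }
  # 3. the database credentials must not be readable by the nginx user
  if [ -n "$(find "$root/wp-config.php" -perm -004 -print)" ]; then
    echo "wp-config.php is world-readable"
    bad=1
  fi
  return $bad
}

# make_sample_site DIR: constructed stand-in for a WordPress tree, seeded with the
# kind of sloppy modes a plugin installer or a tar extract can leave behind.
make_sample_site() {
  mkdir -p "$1/wp-content/uploads/2015" "$1/wp-content/plugins/demo" "$1/wp-admin"
  echo "<?php define('DB_PASSWORD', 'constructed-secret');" > "$1/wp-config.php"
  echo "<?php // plugin" > "$1/wp-content/plugins/demo/demo.php"
  echo "<?php" > "$1/index.php"
  echo "not really a png" > "$1/wp-content/uploads/2015/a.png"
  chmod 777 "$1/wp-content/plugins/demo/demo.php"
  chmod 666 "$1/wp-config.php"
}
```

Run `make_sample_site "$d"`, then `check_wp_tree "$d"` before and after `harden_wp_tree "$d"` to see the offenders listed and then cleared; the same check makes a reasonable post-deploy assertion in a deployment script.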
scrapcode, about 10 years ago
Note: Do not press "n". For me, on Firefox, the site goes into an infinite loop of pop-up windows.
gesman, about 10 years ago
The biggest update to WordPress that has always been missing is the ability to customize the directory structure, to make it harder for scripts to poll for plugins, themes, versions and whatnot.
pc2g4d, about 10 years ago
This was a great presentation. It gave me some practical things to change to increase the security of my WP install.

That said, seeing the ease with which WP can be hacked makes me once again question whether to switch to a simpler blog platform that poses a smaller attack surface. Anybody have experience with / recommendations of such systems?
vezzy-fnord, about 10 years ago
I was expecting to see WPScan; it's had quite the refinements throughout the years.