Speaker: Vlad Lasky – Securing Your WordPress Website

Vlad Lasky

Like any web application, there are measures we can take to improve the security of our WordPress site. That’s why we’re excited to have Vlad Lasky sharing his expertise on security at WordCamp.

Vlad is a computer systems engineer with a humorous and educational story to tell about WordPress security. His presentation will give every site administrator tips on how to harden their WordPress installation against would-be attackers and avoid inadvertently doing things that could compromise site security.

At WordCamp Gold Coast, you’ll be presenting on security. What are your top three security tips for every WordPress site?

1. Rename your administrator account from the default “admin” to something non-generic. This will foil most automated scripts that trawl through WordPress websites on the Internet and attempt to crack passwords by brute force.

2. Be cautious when downloading themes and plugins hosted on websites other than wordpress.org. There have been many cases of third-party sites hosting themes or plugins that have been tampered with to contain malicious code that could compromise your site.

3. Regularly install updates to WordPress and your plugins. Security holes are frequently discovered and then rectified in these updates. Whenever security updates are announced, malicious people react by looking for vulnerable WordPress sites that have not been updated.

Have you ever had a security exploit in your own or a colleague’s WordPress site? If so, how did you find & fix it?

Yes, in the most ironic of circumstances – it happened at a previous workplace – a financial software company. In early 2009, I convinced the company to replace their run-down old ASP-based website with a beautiful new WordPress site.

On April Fools’ Day 2009, the IT support team decided to play a prank on the director who was the main poster on the site – they wanted to make it look like the new website had been hacked, so they created a mock website with a vandalised front page containing photos of supermodels and crude graffiti. They then reconfigured the network router so that internal requests to access the website were redirected to the mock website, but people from outside would see the actual site.

Whilst everyone was laughing at the director’s shock when he saw the site, a real hacker performed a PHP injection attack on the actual website.

It was detected quickly by a stroke of luck: I happened to be logged in to the hosting web server via SSH and noticed lots of .htaccess files scattered throughout the WordPress folders, accompanied by .php files with strange filenames made up of random 8-digit numbers. The timestamp on those files indicated that they had been created that day.

I analysed the code. The .htaccess files overrode the 404 error handler which is invoked whenever a user attempts to access a non-existent page. The error handler would execute a piece of code in the strangely named PHP file, which was obfuscated with gzip-compression and base64 encoding. After decoding it, I discovered its purpose was to download files from another website located in China.

To disinfect the site, I wrote a Linux shell script to identify all the files that had been created in the last week. After manually looking over this list, all the files were deleted in one go. I then confirmed that no other files had been modified by doing a file diff with a previous website backup.

To prevent re-infection, I checked the access logs and blocked the IP addresses associated with these requests by adding a “deny” statement to the .htaccess file in the WordPress base directory.

After we reported this to the company’s web hosting provider, they enabled the application firewall module “mod_security” in Apache, which contains logic to block HTTP requests that are suspected of being injection attempts.

The rapid detection and disinfection was very fortunate. After analysing the access logs over the next few days, I detected many requests from search engines that were trying to access non-existent content on the site with, let’s just say, “sexily-named” URLs. I suspect that the hackers planned to use the corporate website as a file distribution point for inappropriate content.
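The clean-up steps Vlad describes above (listing recently changed files, spotting the 8-digit PHP files and the .htaccess 404 overrides, decoding the gzip+base64 payload, diffing against a backup, and adding a deny rule) can be reproduced as a small triage script. The following is an added example, not Vlad's script or any WordPress code; it assumes a POSIX shell with find, diff, sed, base64 and gzip available, and the WordPress tree, the filename 48213907.php, the IP addresses and the harmless payload are all constructed fixtures.

```shell
#!/bin/sh
# Added example, not Vlad Lasky's script: a small triage helper that reproduces
# the checks from the interview on a WordPress tree.
#   find_recent_files   - files modified in the last N days (stand-in for "created")
#   find_numeric_php    - PHP files whose names are eight random digits
#   find_404_overrides  - .htaccess files that redefine the 404 handler
#   decode_payload      - undo the base64 + gzip obfuscation of a flagged file
#   diff_against_backup - compare the live tree with a known-good backup
#   deny_rules          - Apache "Deny from" lines for attacker IPs
# The tree, the filename, the IPs and the payload are constructed fixtures.

# Files under $1 modified within the last $2 days. Linux/ext filesystems do not
# expose a creation time to find(1), so mtime is the usual proxy.
find_recent_files() {
    find "$1" -type f -mtime "-$2" | sort
}

# PHP files named with exactly eight digits (the pattern seen in the attack).
find_numeric_php() {
    find "$1" -type f -name '[0-9][0-9][0-9][0-9][0-9][0-9][0-9][0-9].php' | sort
}

# .htaccess files that override the 404 handler with "ErrorDocument 404 ...".
find_404_overrides() {
    find "$1" -type f -name .htaccess \
        -exec grep -l '^[[:space:]]*ErrorDocument[[:space:]]*404' {} + 2>/dev/null | sort
}

# Pull the base64 blob out of eval(gzdecode(base64_decode('...'))) and decode it.
decode_payload() {
    sed -n "s/.*base64_decode('\([^']*\)').*/\1/p" "$1" | base64 -d | gzip -dc
}

# diff -rq exits 1 when the trees differ, which is the interesting case here,
# so the status is swallowed to keep callers running under set -e.
diff_against_backup() {
    diff -rq "$1" "$2" || true
}

# Apache 2.2-style access rules (Apache 2.4 keeps this syntax only via
# mod_access_compat; otherwise use "Require not ip").
deny_rules() {
    echo "Order Allow,Deny"
    echo "Allow from all"
    for ip in "$@"; do
        echo "Deny from $ip"
    done
}

# Constructed "infected" site: one legitimate, old file plus the artefacts the
# interview describes. The payload is a harmless echo, gzip+base64 encoded.
make_fixture() {
    site=$(mktemp -d)
    mkdir -p "$site/wp-content/uploads" "$site/wp-includes"
    printf '<?php // legitimate file from the install\n' > "$site/wp-includes/functions.php"
    touch -t 200901010000 "$site/wp-includes/functions.php"      # backdated
    printf 'RewriteEngine On\n' > "$site/.htaccess"                # benign
    blob=$(printf 'echo "constructed benign payload";' | gzip -c | base64 | tr -d '\n')
    printf "<?php eval(gzdecode(base64_decode('%s'))); ?>\n" "$blob" \
        > "$site/wp-content/uploads/48213907.php"
    printf 'ErrorDocument 404 /wp-content/uploads/48213907.php\n' \
        > "$site/wp-content/uploads/.htaccess"
    echo "$site"
}

# Constructed "last known good" backup: the same tree without the attacker's files.
make_backup() {
    bak=$(mktemp -d)
    cp -R "$1"/. "$bak"/
    rm -f "$bak/wp-content/uploads/48213907.php" "$bak/wp-content/uploads/.htaccess"
    echo "$bak"
}

main() {
    live=$(make_fixture)
    backup=$(make_backup "$live")
    echo "== files modified in the last 7 days";  find_recent_files "$live" 7
    echo "== PHP files with 8-digit names";        find_numeric_php "$live"
    echo "== .htaccess files overriding 404";      find_404_overrides "$live"
    echo "== decoded payload";  decode_payload "$(find_numeric_php "$live" | head -n 1)"; echo
    echo "== live tree vs. backup";                diff_against_backup "$backup" "$live"
    echo "== rules to append to the root .htaccess"; deny_rules 203.0.113.10 198.51.100.7
    rm -rf "$live" "$backup"
}
main
```

Two design notes: mtime is used where the interview says "created", because ext filesystems do not give find(1) a birth time, which is also why the diff against a backup matters (an attacker who touches timestamps can dodge the first check but not the second). The deny block uses the Apache 2.2 syntax the interview refers to; on Apache 2.4 without mod_access_compat the equivalent is `Require not ip`.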

What are you most looking forward to at WordCamp Gold Coast?

To see what passionate people have done with WordPress, to share knowledge and to have fun in a nice sunny location.

Thanks Vlad, that’s a great story! I look forward to learning and discussing more about WordPress security with you at the camp!
