SlideShare a Scribd company logo

How to investigate and recover from a security breach in WordPress

Otto Kekäläinen
Otto Kekäläinen

This document summarizes Otto Kekäläinen's talk about investigating and recovering from a WordPress security breach at his company Seravo. On November 9th, 2018 four WordPress sites hosted by Seravo were compromised due to a vulnerability in the WP GDPR Compliance plugin. Seravo's security team launched an investigation that uncovered malicious user accounts, identified the vulnerable plugin as the entry point, and cleaned up the sites. The experience highlighted the importance of having an incident response plan even when security best practices are followed.

1 of 39
Download to read offline
How to Investigate and Recover from a Security Breach Real-life Experiences with WordPress Otto Kekäläinen @ottokekalainen WordCamp Nordic March 8, 2019
● A CEO who codes at Seravo.com ● Written WP themes and plugins, contributed to WordPress Core, MySQL, MariaDB, Debian, Ubuntu, Linux kernel, AppArmor… ● Linux and open source advocate Otto Kekäläinen
I’ve spoken many times about what WordPress site owners should focus on to keep their site secure... wordpress.tv/?s=otto+kekäläinen
...but not today. This talk is different.
This talk is about Friday, November 9th 2018.
Premium hosting and upkeep for WordPress HTTP/2 TESTED UPDATES 24/7 UPKEEP
Upkeep: If a site goes down, we bring it up again. Covers security incidents.
2018-11-09 11:37:48 <redacted>.seravo.com ALERT ! ! ! 2018-11-09 11:40:26 <redacted>.seravo.com ALERT ! ! ! 2018-11-09 11:40:42 <redacted>.seravo.com ALERT ! ! ! 2018-11-09 11:42:37 <redacted>.seravo.com ALERT ! ! ! Just one ordinary Friday (not even 13th!)
Weird siteurl – on all 4 sites! Mistake by site admin? – No way Targeted attack on one and same company? – Plausible, but weird modus of operandi Security breach? – Definitely! $ wp option get siteurl http://erealitatea.net
High alert – 4 sites down for investigation 1. First responder notifies security officer on-call 2. Process list saved and further PHP execution frozen 3. Customer notified about on-going security incident 4. Response escalation: 3 investigators working in parallel
11:55
Security breach investigation questions ● What is happening? Is it stopped? ● What happened before? When did this start? ● Is there malicious code somewhere? Backdoors planted? ● What files or database contents has changed? Which changes are malicious? ● Who did what? What IP addresses and other identifiers are linked to what actions?
Security breach investigation questions ● How did they get in? ● What level of access did they gain? ● What data could have leaked? ● What was their motive? ● What damage was caused?
Investigation and recovery steps 1. Make a new backup 2. Compare backups wp-backup-list-changes diff -ur wordpress backup/wordpress 3. Check last WP and SSH logins Store current state Reveal file and database changes Detect unauthorized use based on anomalies in timestamps or IP geolocation
Investigation and recovery steps 4. wp core verify-checksums wp plugin verify-checksums --all wp package install seravo/wp-checksum wp checksum all --details Compare WordPress core, plugin and theme files to their original versions as downloaded from wp.org
Modified plugin code found ..but was a false alert, modification most likely a mistake by real plugin author who released two plugin variants published with same version number. $ wp checksum diff plugin entry-views inc/widget-entry-views.php Executing diff /tmp/1541763665-4CBDYu.tmp wordpress/htdocs/wp-content/plugins/entry-views/inc/widget-entry-views.php 49c49 < $this->WP_Widget( --- > parent::__construct(
13:31
Investigation and recovery steps 5. wp user list 6. wp db query 'SELECT post_modified, id, post_title, post_name, post_type FROM wp_posts ORDER BY id DESC LIMIT 50;' View recent new users View recent new contents
Two suspected attacker user accounts Variants of trollherten and different .ru email addresses found on multiple of the investigated sites. $ wp user list +----+---------------+--------------+----------------------+---------------------+---------------+ | ID | user_login | display_name | user_email | user_registered | roles | +----+---------------+--------------+----------------------+---------------------+---------------+ | 12 | t2trollherten | | trollherten@mail.com | 2018-11-08 13:36:03 | administrator | | 13 | t3trollherten | | t3trollherten@bk.ru | 2018-11-08 14:42:09 | administrator | +----+---------------+--------------+----------------------+---------------------+---------------+
Bingo! usernames, timestamps, IP addresses, email +----+---------------+--------------+----------------------+---------------------+---------------+ | ID | user_login | display_name | user_email | user_registered | roles | +----+---------------+--------------+----------------------+---------------------+---------------+ | 12 | t2trollherten | | trollherten@mail.com | 2018-11-08 13:36:03 | administrator | | 13 | t3trollherten | | t3trollherten@bk.ru | 2018-11-08 14:42:09 | administrator | +----+---------------+--------------+----------------------+---------------------+---------------+ These can be given to grep /data/log for log data mining
The entry 109.234.37.214 - - [08/Nov/2018:15:36:02 +0200] "GET / HTTP/1.1" 200 19027 "-" 0.301 109.234.37.214 - - [08/Nov/2018:15:36:02 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.220 109.234.37.214 - - [08/Nov/2018:15:36:03 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.258 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-login.php?action=register HTTP/1.1" 302 5 "-" 0.648 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 1463 "https://<redacted>/wp-login.php?action=register" 0.129 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.163 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.167 $ host 109.234.37.214 214.37.234.109.in-addr.arpa domain name pointer host-109-234-37-214.hosted-by-vdsina.ru. User agent was: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
POST /wp-admin/admin-ajax.php ● Seravo does not log POST requests for good reasons ● So what was the payload that granted magic powers to the attacker? ● Luckily we have other PHP and database logs...
Anomalies in database use ● Weird empty WordPress options value updates ● Unusual requests to database table wpgdprc_access_requests ● What plugin does that belong to? $ grep -rF wpgdprc_access_requests wp-gdpr-compliance/ wp-gdpr-compliance/Includes/AccessRequest.php: return $wpdb->base_prefix . 'wpgdprc_access_requests'; wp-gdpr-compliance/uninstall.php: $wpdb->query("DROP TABLE IF EXISTS `{$wpdb->base_prefix}wpgdprc_access_requests`");
14:03
Hmm.. Recent wp-gdpr-compliance plugin code changes smell like SQL injection fixes
Point of entry known ● The plugin WP GDPR Compliance Plugin most likely route ● Fix: remove it from all 4 sites $ wp plugin deactivate --uninstall wp-gdpr-compliance
14:35
More information started coming in ● When the US woke up (in European afternoon) and published blogs the Sucuri RSS feed we subscribe showed interesting stuff: blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-wit h-wp-gdpr-compliance-plugin-vulnerability.html ● Then more and more other reports were found: a. www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in- wp-gdpr-compliance-plugin-exploited-in-the-wild/ b. vitalisec.blogspot.com/2018/11/wp-gdpr-plugin-attack.html c. wpvulndb.com/vulnerabilities/9144
Vulnerability details ● A SQL injection flaw in WP GDPR Compliance allowed a remote attacker to set arbitrary WP option values a. First allow anybody to register with users_can_register=1 b. Then set default_role=”administrator” for all new users c. Register an account, log in and do whatever an admin can do ● Reported to wpvulndb.com by Adrian Mörchen / moewe.io ● Fixed in WP GDPR Compliance version 1.4.3
Fix issue globally for all our customers commit 2ffb891415628ead16263e1fa09d78dac9e5dcdd Author: Ville Korhonen Date: Fri Nov 9 14:51:18 2018 +0200 Add WP GDPR Compliance plugin to urgent updates WP GDPR Compliance < 1.4.3 has critical SQL injection flaw which allows simple privilege escalation. <https://plugins.trac.wordpress.org/changeset/1970313> Added to Seravo’s update systems as an urgent update
14:51
Investigation and recovery steps 7. Based on findings, clean up the site a. Recover clean version from backups b. Remove malicious code and content manually 8. As a precaution, reset all WordPress user sessions and passwords wp-reset-all-passwords In this case option A was not possible, but luckily option B was quite easy as backups showed only one potential malware file was injected.
Investigation and recovery steps 9. As extra precaution, scan the site for malware one more time when it is otherwise deemed to be clean Using Seravo’s custom made WordPress/PHP malware scanner
2018-11-09 15:26:22 <redacted>.seravo.com RESOLVED 2018-11-09 15:17:49 <redacted>.seravo.com RESOLVED 2018-11-09 15:29:03 <redacted>.seravo.com RESOLVED 2018-11-09 15:20:24 <redacted>.seravo.com RESOLVED All sites clean and finally back online
Investigation and recovery steps 10. Elevated monitoring and follow-up for site once it has been re-opened, just in case there was more attack avenues not discovered during the investigation. During the investigation Seravo sent 8 status update e-mails to the site owner and the customer mobilized their own team to support the effort and they also sent us valuable additional information. A few additional emails from Seravo to the customer followed over the weekend and next week to confirm all necessary measures had been completed.
Notification e-mail from new registration of ‘trollherten’ users ● Later we found out the site owner did get an email notification from WordPress about the new user named “trollherten” but since the e-mail was vague and did not contain any alarming information, the person who read the e-mail ignored it.
Luckily this was not a targeted attack ● Most likely the attacker just wanted to own the site and use it to redirect traffic, spam, mount more attacks against other sites etc. ● The site itself or the data it had was not the target and most likely not used.
Be prepared: no security is perfect ● No plugin author makes perfect code. ● All plugins on the site were updated a week earlier, the vulnerability was used close to zero-day. ● Unreasonable for site admin to read deeply all notification e-mails. ● Fact: sometimes even good security isn’t enough. One also needs to have a security incident response plan. ● We do. Do you?
Thank you! @ottokekalainen
Ad

Recommended

Improving WordPress performance (xdebug and profiling)
Improving WordPress performance (xdebug and profiling)Improving WordPress performance (xdebug and profiling)
Improving WordPress performance (xdebug and profiling)
Otto Kekäläinen
 
The 5 most common reasons for a slow WordPress site and how to fix them – ext...
The 5 most common reasons for a slow WordPress site and how to fix them – ext...The 5 most common reasons for a slow WordPress site and how to fix them – ext...
The 5 most common reasons for a slow WordPress site and how to fix them – ext...
Otto Kekäläinen
 
Use Xdebug to profile PHP
Use Xdebug to profile PHPUse Xdebug to profile PHP
Use Xdebug to profile PHP
Seravo
 
Search in WordPress - how it works and howto customize it
Search in WordPress - how it works and howto customize itSearch in WordPress - how it works and howto customize it
Search in WordPress - how it works and howto customize it
Otto Kekäläinen
 
Less and faster – Cache tips for WordPress developers
Less and faster – Cache tips for WordPress developersLess and faster – Cache tips for WordPress developers
Less and faster – Cache tips for WordPress developers
Seravo
 
Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101Seravo.com: WordPress Security 101
Seravo.com: WordPress Security 101
Seravo
 
Automatic testing and quality assurance for WordPress plugins
Automatic testing and quality assurance for WordPress pluginsAutomatic testing and quality assurance for WordPress plugins
Automatic testing and quality assurance for WordPress plugins
Otto Kekäläinen
 
10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...10 things every developer should know about their database to run word press ...
10 things every developer should know about their database to run word press ...
Otto Kekäläinen
 
Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!
WordCamp Cape Town
 
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
Andrea Cardinali
 
Modern Web Application Development Workflow - EclipseCon US 2014
Modern Web Application Development Workflow - EclipseCon US 2014Modern Web Application Development Workflow - EclipseCon US 2014
Modern Web Application Development Workflow - EclipseCon US 2014
Stéphane Bégaudeau
 
Xdebug, KCacheGrind and Webgrind with WampServer
Xdebug, KCacheGrind and Webgrind with WampServer Xdebug, KCacheGrind and Webgrind with WampServer
Xdebug, KCacheGrind and Webgrind with WampServer
Mediovski Technology
 
Drupal Development Tips
Drupal Development TipsDrupal Development Tips
Drupal Development Tips
Chris Tankersley
 
Scalable talk notes
Scalable talk notesScalable talk notes
Scalable talk notes
Perrin Harkins
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
WP Engine
 
Care and feeding notes
Care and feeding notesCare and feeding notes
Care and feeding notes
Perrin Harkins
 
Improving WordPress Performance: Xdebug and PHP profiling
Improving WordPress Performance: Xdebug and PHP profilingImproving WordPress Performance: Xdebug and PHP profiling
Improving WordPress Performance: Xdebug and PHP profiling
Seravo
 
SQL Server - CLR integration
SQL Server - CLR integrationSQL Server - CLR integration
SQL Server - CLR integration
Peter Gfader
 
Jenkins Setup Document
Jenkins Setup DocumentJenkins Setup Document
Jenkins Setup Document
mobi fly
 
Bigger Stronger Faster
Bigger Stronger FasterBigger Stronger Faster
Bigger Stronger Faster
Chris Love
 
How I learned to stop worrying and love the .htaccess file
How I learned to stop worrying and love the .htaccess fileHow I learned to stop worrying and love the .htaccess file
How I learned to stop worrying and love the .htaccess file
Roxana Stingu
 
Front End Website Optimization
Front End Website OptimizationFront End Website Optimization
Front End Website Optimization
Gerard Sychay
 
Modern Web Application Development Workflow - EclipseCon France 2014
Modern Web Application Development Workflow - EclipseCon France 2014Modern Web Application Development Workflow - EclipseCon France 2014
Modern Web Application Development Workflow - EclipseCon France 2014
Stéphane Bégaudeau
 
Building a PWA - For Everyone Who Is Scared To
Building a PWA - For Everyone Who Is Scared ToBuilding a PWA - For Everyone Who Is Scared To
Building a PWA - For Everyone Who Is Scared To
Raymond Camden
 
Front-End Performance Optimizing
Front-End Performance OptimizingFront-End Performance Optimizing
Front-End Performance Optimizing
Michael Pehl
 
How to make your Webpack builds 10x faster
How to make your Webpack builds 10x fasterHow to make your Webpack builds 10x faster
How to make your Webpack builds 10x faster
trueter
 
High Performance Snippets
High Performance SnippetsHigh Performance Snippets
High Performance Snippets
Steve Souders
 
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and GulpOptimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Matthew Davis
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
Santiago Bassett
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
Andrew Paton
 
Ad

More Related Content

What's hot (20)

Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!
WordCamp Cape Town
 
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
Andrea Cardinali
 
Modern Web Application Development Workflow - EclipseCon US 2014
Modern Web Application Development Workflow - EclipseCon US 2014Modern Web Application Development Workflow - EclipseCon US 2014
Modern Web Application Development Workflow - EclipseCon US 2014
Stéphane Bégaudeau
 
Xdebug, KCacheGrind and Webgrind with WampServer
Xdebug, KCacheGrind and Webgrind with WampServer Xdebug, KCacheGrind and Webgrind with WampServer
Xdebug, KCacheGrind and Webgrind with WampServer
Mediovski Technology
 
Drupal Development Tips
Drupal Development TipsDrupal Development Tips
Drupal Development Tips
Chris Tankersley
 
Scalable talk notes
Scalable talk notesScalable talk notes
Scalable talk notes
Perrin Harkins
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
WP Engine
 
Care and feeding notes
Care and feeding notesCare and feeding notes
Care and feeding notes
Perrin Harkins
 
Improving WordPress Performance: Xdebug and PHP profiling
Improving WordPress Performance: Xdebug and PHP profilingImproving WordPress Performance: Xdebug and PHP profiling
Improving WordPress Performance: Xdebug and PHP profiling
Seravo
 
SQL Server - CLR integration
SQL Server - CLR integrationSQL Server - CLR integration
SQL Server - CLR integration
Peter Gfader
 
Jenkins Setup Document
Jenkins Setup DocumentJenkins Setup Document
Jenkins Setup Document
mobi fly
 
Bigger Stronger Faster
Bigger Stronger FasterBigger Stronger Faster
Bigger Stronger Faster
Chris Love
 
How I learned to stop worrying and love the .htaccess file
How I learned to stop worrying and love the .htaccess fileHow I learned to stop worrying and love the .htaccess file
How I learned to stop worrying and love the .htaccess file
Roxana Stingu
 
Front End Website Optimization
Front End Website OptimizationFront End Website Optimization
Front End Website Optimization
Gerard Sychay
 
Modern Web Application Development Workflow - EclipseCon France 2014
Modern Web Application Development Workflow - EclipseCon France 2014Modern Web Application Development Workflow - EclipseCon France 2014
Modern Web Application Development Workflow - EclipseCon France 2014
Stéphane Bégaudeau
 
Building a PWA - For Everyone Who Is Scared To
Building a PWA - For Everyone Who Is Scared ToBuilding a PWA - For Everyone Who Is Scared To
Building a PWA - For Everyone Who Is Scared To
Raymond Camden
 
Front-End Performance Optimizing
Front-End Performance OptimizingFront-End Performance Optimizing
Front-End Performance Optimizing
Michael Pehl
 
How to make your Webpack builds 10x faster
How to make your Webpack builds 10x fasterHow to make your Webpack builds 10x faster
How to make your Webpack builds 10x faster
trueter
 
High Performance Snippets
High Performance SnippetsHigh Performance Snippets
High Performance Snippets
Steve Souders
 
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and GulpOptimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Matthew Davis
 
Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!Anthony Somerset - Site Speed = Success!
Anthony Somerset - Site Speed = Success!
WordCamp Cape Town
 
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
Gestione avanzata di WordPress con WP-CLI - WordCamp Torino 2017 - Andrea Car...
Andrea Cardinali
 
Modern Web Application Development Workflow - EclipseCon US 2014
Modern Web Application Development Workflow - EclipseCon US 2014Modern Web Application Development Workflow - EclipseCon US 2014
Modern Web Application Development Workflow - EclipseCon US 2014
Stéphane Bégaudeau
 
Xdebug, KCacheGrind and Webgrind with WampServer
Xdebug, KCacheGrind and Webgrind with WampServer Xdebug, KCacheGrind and Webgrind with WampServer
Xdebug, KCacheGrind and Webgrind with WampServer
Mediovski Technology
 
Drupal Development Tips
Drupal Development TipsDrupal Development Tips
Drupal Development Tips
Chris Tankersley
 
Scalable talk notes
Scalable talk notesScalable talk notes
Scalable talk notes
Perrin Harkins
 
Developers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLIDevelopers, Be a Bada$$ with WP-CLI
Developers, Be a Bada$$ with WP-CLI
WP Engine
 
Care and feeding notes
Care and feeding notesCare and feeding notes
Care and feeding notes
Perrin Harkins
 
Improving WordPress Performance: Xdebug and PHP profiling
Improving WordPress Performance: Xdebug and PHP profilingImproving WordPress Performance: Xdebug and PHP profiling
Improving WordPress Performance: Xdebug and PHP profiling
Seravo
 
SQL Server - CLR integration
SQL Server - CLR integrationSQL Server - CLR integration
SQL Server - CLR integration
Peter Gfader
 
Jenkins Setup Document
Jenkins Setup DocumentJenkins Setup Document
Jenkins Setup Document
mobi fly
 
Bigger Stronger Faster
Bigger Stronger FasterBigger Stronger Faster
Bigger Stronger Faster
Chris Love
 
How I learned to stop worrying and love the .htaccess file
How I learned to stop worrying and love the .htaccess fileHow I learned to stop worrying and love the .htaccess file
How I learned to stop worrying and love the .htaccess file
Roxana Stingu
 
Front End Website Optimization
Front End Website OptimizationFront End Website Optimization
Front End Website Optimization
Gerard Sychay
 
Modern Web Application Development Workflow - EclipseCon France 2014
Modern Web Application Development Workflow - EclipseCon France 2014Modern Web Application Development Workflow - EclipseCon France 2014
Modern Web Application Development Workflow - EclipseCon France 2014
Stéphane Bégaudeau
 
Building a PWA - For Everyone Who Is Scared To
Building a PWA - For Everyone Who Is Scared ToBuilding a PWA - For Everyone Who Is Scared To
Building a PWA - For Everyone Who Is Scared To
Raymond Camden
 
Front-End Performance Optimizing
Front-End Performance OptimizingFront-End Performance Optimizing
Front-End Performance Optimizing
Michael Pehl
 
How to make your Webpack builds 10x faster
How to make your Webpack builds 10x fasterHow to make your Webpack builds 10x faster
How to make your Webpack builds 10x faster
trueter
 
High Performance Snippets
High Performance SnippetsHigh Performance Snippets
High Performance Snippets
Steve Souders
 
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and GulpOptimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Optimising Your Front End Workflow With Symfony, Twig, Bower and Gulp
Matthew Davis
 

Similar to How to investigate and recover from a security breach in WordPress (20)

Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
Santiago Bassett
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
Andrew Paton
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
hernanibf
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home Ownership
Denise (Dee) Teal
 
WordPress News, Views and Stuff October 2016
WordPress News, Views and Stuff October 2016WordPress News, Views and Stuff October 2016
WordPress News, Views and Stuff October 2016
WordPress Sydney
 
Heroku Tips and Hacks
Heroku Tips and HacksHeroku Tips and Hacks
Heroku Tips and Hacks
Luan Nguyen
 
Automated Server Administration for DevSecOps
Automated Server Administration for DevSecOpsAutomated Server Administration for DevSecOps
Automated Server Administration for DevSecOps
Aarno Aukia
 
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
William Chong
 
Blinded Stack Overflow: Just Another Common Technique
Blinded Stack Overflow: Just Another Common TechniqueBlinded Stack Overflow: Just Another Common Technique
Blinded Stack Overflow: Just Another Common Technique
Thomas Gregory
 
October Patch Tuesday Analysis 2018
October Patch Tuesday Analysis 2018October Patch Tuesday Analysis 2018
October Patch Tuesday Analysis 2018
Ivanti
 
Backing up your WordPress website – it’s not optional
Backing up your WordPress website – it’s not optionalBacking up your WordPress website – it’s not optional
Backing up your WordPress website – it’s not optional
R-Cubed Design Forge
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
Will Schroeder
 
What You Need to Know About WordPress & WooCommerce Plugins.pdf
What You Need to Know About WordPress & WooCommerce Plugins.pdfWhat You Need to Know About WordPress & WooCommerce Plugins.pdf
What You Need to Know About WordPress & WooCommerce Plugins.pdf
BeePlugin
 
Patch Tuesday Analysis - December 2015
Patch Tuesday Analysis - December 2015Patch Tuesday Analysis - December 2015
Patch Tuesday Analysis - December 2015
Ivanti
 
Webhooks
WebhooksWebhooks
Webhooks
Priyank Thada
 
WordPress Security 101
WordPress Security 101WordPress Security 101
WordPress Security 101
Shady A. Sharaf
 
Next Video Build:UCAN Build Apps with IPFS and W3UI Slides
Next Video Build:UCAN Build Apps with IPFS and W3UI SlidesNext Video Build:UCAN Build Apps with IPFS and W3UI Slides
Next Video Build:UCAN Build Apps with IPFS and W3UI Slides
Neven6
 
Word campktm speed-security
Word campktm speed-securityWord campktm speed-security
Word campktm speed-security
Digamber Pradhan
 
August Patch Tuesday Analysis
August Patch Tuesday AnalysisAugust Patch Tuesday Analysis
August Patch Tuesday Analysis
Ivanti
 
Security Function
Security FunctionSecurity Function
Security Function
Samuel Soon
 
Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014Malware Detection with OSSEC HIDS - OSSECCON 2014
Malware Detection with OSSEC HIDS - OSSECCON 2014
Santiago Bassett
 
WordPress Security Presentation
WordPress Security PresentationWordPress Security Presentation
WordPress Security Presentation
Andrew Paton
 
Fix me if you can - DrupalCon prague
Fix me if you can - DrupalCon pragueFix me if you can - DrupalCon prague
Fix me if you can - DrupalCon prague
hernanibf
 
Responsible [digital] Home Ownership
Responsible [digital] Home OwnershipResponsible [digital] Home Ownership
Responsible [digital] Home Ownership
Denise (Dee) Teal
 
WordPress News, Views and Stuff October 2016
WordPress News, Views and Stuff October 2016WordPress News, Views and Stuff October 2016
WordPress News, Views and Stuff October 2016
WordPress Sydney
 
Heroku Tips and Hacks
Heroku Tips and HacksHeroku Tips and Hacks
Heroku Tips and Hacks
Luan Nguyen
 
Automated Server Administration for DevSecOps
Automated Server Administration for DevSecOpsAutomated Server Administration for DevSecOps
Automated Server Administration for DevSecOps
Aarno Aukia
 
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
5 年後還是新手 - WordPress Plugin 開發大冒險 - GOTY
William Chong
 
Blinded Stack Overflow: Just Another Common Technique
Blinded Stack Overflow: Just Another Common TechniqueBlinded Stack Overflow: Just Another Common Technique
Blinded Stack Overflow: Just Another Common Technique
Thomas Gregory
 
October Patch Tuesday Analysis 2018
October Patch Tuesday Analysis 2018October Patch Tuesday Analysis 2018
October Patch Tuesday Analysis 2018
Ivanti
 
Backing up your WordPress website – it’s not optional
Backing up your WordPress website – it’s not optionalBacking up your WordPress website – it’s not optional
Backing up your WordPress website – it’s not optional
R-Cubed Design Forge
 
A Year in the Empire
A Year in the EmpireA Year in the Empire
A Year in the Empire
Will Schroeder
 
What You Need to Know About WordPress & WooCommerce Plugins.pdf
What You Need to Know About WordPress & WooCommerce Plugins.pdfWhat You Need to Know About WordPress & WooCommerce Plugins.pdf
What You Need to Know About WordPress & WooCommerce Plugins.pdf
BeePlugin
 
Patch Tuesday Analysis - December 2015
Patch Tuesday Analysis - December 2015Patch Tuesday Analysis - December 2015
Patch Tuesday Analysis - December 2015
Ivanti
 
Webhooks
WebhooksWebhooks
Webhooks
Priyank Thada
 
WordPress Security 101
WordPress Security 101WordPress Security 101
WordPress Security 101
Shady A. Sharaf
 
Next Video Build:UCAN Build Apps with IPFS and W3UI Slides
Next Video Build:UCAN Build Apps with IPFS and W3UI SlidesNext Video Build:UCAN Build Apps with IPFS and W3UI Slides
Next Video Build:UCAN Build Apps with IPFS and W3UI Slides
Neven6
 
Word campktm speed-security
Word campktm speed-securityWord campktm speed-security
Word campktm speed-security
Digamber Pradhan
 
August Patch Tuesday Analysis
August Patch Tuesday AnalysisAugust Patch Tuesday Analysis
August Patch Tuesday Analysis
Ivanti
 
Security Function
Security FunctionSecurity Function
Security Function
Samuel Soon
 
Ad

More from Otto Kekäläinen (20)

FOSDEM2021: MariaDB post-release quality assurance in Debian and Ubuntu
FOSDEM2021: MariaDB post-release quality assurance in Debian and UbuntuFOSDEM2021: MariaDB post-release quality assurance in Debian and Ubuntu
FOSDEM2021: MariaDB post-release quality assurance in Debian and Ubuntu
Otto Kekäläinen
 
MariaDB quality assurance in Debian and Ubuntu
MariaDB quality assurance in Debian and UbuntuMariaDB quality assurance in Debian and Ubuntu
MariaDB quality assurance in Debian and Ubuntu
Otto Kekäläinen
 
DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?
DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?
DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?
Otto Kekäläinen
 
Technical SEO for WordPress - 2019 edition
Technical SEO for WordPress - 2019 editionTechnical SEO for WordPress - 2019 edition
Technical SEO for WordPress - 2019 edition
Otto Kekäläinen
 
How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...
How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...
How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...
Otto Kekäläinen
 
DebConf 2019 MariaDB packaging in Debian BoF
DebConf 2019 MariaDB packaging in Debian BoFDebConf 2019 MariaDB packaging in Debian BoF
DebConf 2019 MariaDB packaging in Debian BoF
Otto Kekäläinen
 
The 5 most common reasons for a slow WordPress site and how to fix them
The 5 most common reasons for a slow WordPress site and how to fix themThe 5 most common reasons for a slow WordPress site and how to fix them
The 5 most common reasons for a slow WordPress site and how to fix them
Otto Kekäläinen
 
Technical SEO for WordPress
Technical SEO for WordPressTechnical SEO for WordPress
Technical SEO for WordPress
Otto Kekäläinen
 
Automatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesAutomatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themes
Otto Kekäläinen
 
WordPress-tietoturvan perusteet
WordPress-tietoturvan perusteetWordPress-tietoturvan perusteet
WordPress-tietoturvan perusteet
Otto Kekäläinen
 
Technical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 editionTechnical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 edition
Otto Kekäläinen
 
Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP Profiling
Otto Kekäläinen
 
MariaDB adoption in Linux distributions and development environments
MariaDB adoption in Linux distributions and development environmentsMariaDB adoption in Linux distributions and development environments
MariaDB adoption in Linux distributions and development environments
Otto Kekäläinen
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
Otto Kekäläinen
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
Otto Kekäläinen
 
Find WordPress performance bottlenecks with XDebug PHP profiling
Find WordPress performance bottlenecks with XDebug PHP profilingFind WordPress performance bottlenecks with XDebug PHP profiling
Find WordPress performance bottlenecks with XDebug PHP profiling
Otto Kekäläinen
 
Testing and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsTesting and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressions
Otto Kekäläinen
 
Git best practices 2016
Git best practices 2016Git best practices 2016
Git best practices 2016
Otto Kekäläinen
 
MariaDB Developers Meetup 2016 welcome words
MariaDB Developers Meetup 2016 welcome wordsMariaDB Developers Meetup 2016 welcome words
MariaDB Developers Meetup 2016 welcome words
Otto Kekäläinen
 
MariaDB in Debian and Ubuntu: The next million users
MariaDB in Debian and Ubuntu: The next million usersMariaDB in Debian and Ubuntu: The next million users
MariaDB in Debian and Ubuntu: The next million users
Otto Kekäläinen
 
FOSDEM2021: MariaDB post-release quality assurance in Debian and Ubuntu
FOSDEM2021: MariaDB post-release quality assurance in Debian and UbuntuFOSDEM2021: MariaDB post-release quality assurance in Debian and Ubuntu
FOSDEM2021: MariaDB post-release quality assurance in Debian and Ubuntu
Otto Kekäläinen
 
MariaDB quality assurance in Debian and Ubuntu
MariaDB quality assurance in Debian and UbuntuMariaDB quality assurance in Debian and Ubuntu
MariaDB quality assurance in Debian and Ubuntu
Otto Kekäläinen
 
DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?
DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?
DebConf 2020: What’s New in MariaDB Server 10.5 and Galera 4?
Otto Kekäläinen
 
Technical SEO for WordPress - 2019 edition
Technical SEO for WordPress - 2019 editionTechnical SEO for WordPress - 2019 edition
Technical SEO for WordPress - 2019 edition
Otto Kekäläinen
 
How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...
How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...
How MariaDB packaging uses Salsa-CI to ensure smooth upgrades and avoid regre...
Otto Kekäläinen
 
DebConf 2019 MariaDB packaging in Debian BoF
DebConf 2019 MariaDB packaging in Debian BoFDebConf 2019 MariaDB packaging in Debian BoF
DebConf 2019 MariaDB packaging in Debian BoF
Otto Kekäläinen
 
The 5 most common reasons for a slow WordPress site and how to fix them
The 5 most common reasons for a slow WordPress site and how to fix themThe 5 most common reasons for a slow WordPress site and how to fix them
The 5 most common reasons for a slow WordPress site and how to fix them
Otto Kekäläinen
 
Technical SEO for WordPress
Technical SEO for WordPressTechnical SEO for WordPress
Technical SEO for WordPress
Otto Kekäläinen
 
Automatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themesAutomatic testing and quality assurance for WordPress plugins and themes
Automatic testing and quality assurance for WordPress plugins and themes
Otto Kekäläinen
 
WordPress-tietoturvan perusteet
WordPress-tietoturvan perusteetWordPress-tietoturvan perusteet
WordPress-tietoturvan perusteet
Otto Kekäläinen
 
Technical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 editionTechnical SEO for WordPress - 2017 edition
Technical SEO for WordPress - 2017 edition
Otto Kekäläinen
 
Improving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP ProfilingImproving WordPress Performance with Xdebug and PHP Profiling
Improving WordPress Performance with Xdebug and PHP Profiling
Otto Kekäläinen
 
MariaDB adoption in Linux distributions and development environments
MariaDB adoption in Linux distributions and development environmentsMariaDB adoption in Linux distributions and development environments
MariaDB adoption in Linux distributions and development environments
Otto Kekäläinen
 
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
WordPress security 101 - WP Jyväskylä Meetup 21.3.2017
Otto Kekäläinen
 
WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017WordPress security 101 - WP Turku Meetup 2.2.2017
WordPress security 101 - WP Turku Meetup 2.2.2017
Otto Kekäläinen
 
Find WordPress performance bottlenecks with XDebug PHP profiling
Find WordPress performance bottlenecks with XDebug PHP profilingFind WordPress performance bottlenecks with XDebug PHP profiling
Find WordPress performance bottlenecks with XDebug PHP profiling
Otto Kekäläinen
 
Testing and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressionsTesting and updating WordPress - Advanced techniques for avoiding regressions
Testing and updating WordPress - Advanced techniques for avoiding regressions
Otto Kekäläinen
 
Git best practices 2016
Git best practices 2016Git best practices 2016
Git best practices 2016
Otto Kekäläinen
 
MariaDB Developers Meetup 2016 welcome words
MariaDB Developers Meetup 2016 welcome wordsMariaDB Developers Meetup 2016 welcome words
MariaDB Developers Meetup 2016 welcome words
Otto Kekäläinen
 
MariaDB in Debian and Ubuntu: The next million users
MariaDB in Debian and Ubuntu: The next million usersMariaDB in Debian and Ubuntu: The next million users
MariaDB in Debian and Ubuntu: The next million users
Otto Kekäläinen
 
Ad

Recently uploaded (20)

Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New VersionPixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
saimabibi60507
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Andre Hora
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Douwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License codeDouwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License code
aneelaramzan63
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New VersionF-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 
Revolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptxRevolutionizing Residential Wi-Fi PPT.pptx
Revolutionizing Residential Wi-Fi PPT.pptx
nidhisingh691197
 
Maxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINKMaxon CINEMA 4D 2025 Crack FREE Download LINK
Maxon CINEMA 4D 2025 Crack FREE Download LINK
younisnoman75
 
Solidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license codeSolidworks Crack 2025 latest new + license code
Solidworks Crack 2025 latest new + license code
aneelaramzan63
 
How can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptxHow can one start with crypto wallet development.pptx
How can one start with crypto wallet development.pptx
laravinson24
 
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New VersionPixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
Pixologic ZBrush Crack Plus Activation Key [Latest 2025] New Version
saimabibi60507
 
EASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License CodeEASEUS Partition Master Crack + License Code
EASEUS Partition Master Crack + License Code
aneelaramzan63
 
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Exceptional Behaviors: How Frequently Are They Tested? (AST 2025)
Andre Hora
 
Download YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full ActivatedDownload YouTube By Click 2025 Free Full Activated
Download YouTube By Click 2025 Free Full Activated
saniamalik72555
 
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software DevelopmentSecure Test Infrastructure: The Backbone of Trustworthy Software Development
Secure Test Infrastructure: The Backbone of Trustworthy Software Development
Shubham Joshi
 
WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)WinRAR Crack for Windows (100% Working 2025)
WinRAR Crack for Windows (100% Working 2025)
sh607827
 
Landscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature ReviewLandscape of Requirements Engineering for/by AI through Literature Review
Landscape of Requirements Engineering for/by AI through Literature Review
Hironori Washizaki
 
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Salesforce Data Cloud- Hyperscale data platform, built for Salesforce.
Dele Amefo
 
Douwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License codeDouwan Crack 2025 new verson+ License code
Douwan Crack 2025 new verson+ License code
aneelaramzan63
 
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
How Valletta helped healthcare SaaS to transform QA and compliance to grow wi...
Egor Kaleynik
 
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
What Do Contribution Guidelines Say About Software Testing? (MSR 2025)
Andre Hora
 
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
TestMigrationsInPy: A Dataset of Test Migrations from Unittest to Pytest (MSR...
Andre Hora
 
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New VersionF-Secure Freedome VPN 2025 Crack Plus Activation New Version
F-Secure Freedome VPN 2025 Crack Plus Activation New Version
saimabibi60507
 
The Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdfThe Significance of Hardware in Information Systems.pdf
The Significance of Hardware in Information Systems.pdf
drewplanas10
 
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& ConsiderationsDesigning AI-Powered APIs on Azure: Best Practices& Considerations
Designing AI-Powered APIs on Azure: Best Practices& Considerations
Dinusha Kumarasiri
 
Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025Avast Premium Security Crack FREE Latest Version 2025
Avast Premium Security Crack FREE Latest Version 2025
mu394968
 

How to investigate and recover from a security breach in WordPress

  • 1. How to Investigate and Recover from a Security Breach Real-life Experiences with WordPress Otto Kekäläinen @ottokekalainen WordCamp Nordic March 8, 2019
  • 2. ● A CEO who codes at Seravo.com ● Written WP themes and plugins, contributed to WordPress Core, MySQL, MariaDB, Debian, Ubuntu, Linux kernel, AppArmor… ● Linux and open source advocate Otto Kekäläinen
  • 3. I’ve spoken many times about what WordPress site owners should focus on to keep their site secure... wordpress.tv/?s=otto+kekäläinen
  • 4. ...but not today. This talk is different.
  • 5. This talk is about Friday, November 9th 2018.
  • 6. Premium hosting and upkeep for WordPress HTTP/2 TESTED UPDATES 24/7 UPKEEP
  • 7. Upkeep: If a site goes down, we bring it up again. Covers security incidents.
  • 8. 2018-11-09 11:37:48 <redacted>.seravo.com ALERT ! ! ! 2018-11-09 11:40:26 <redacted>.seravo.com ALERT ! ! ! 2018-11-09 11:40:42 <redacted>.seravo.com ALERT ! ! ! 2018-11-09 11:42:37 <redacted>.seravo.com ALERT ! ! ! Just one ordinary Friday (not even 13th!)
  • 9. Weird siteurl – on all 4 sites! Mistake by site admin? – No way Targeted attack on one and same company? – Plausible, but weird modus of operandi Security breach? – Definitely! $ wp option get siteurl http://erealitatea.net
  • 10. High alert – 4 sites down for investigation 1. First responder notifies security officer on-call 2. Process list saved and further PHP execution frozen 3. Customer notified about on-going security incident 4. Response escalation: 3 investigators working in parallel
  • 11. 11:55
  • 12. Security breach investigation questions ● What is happening? Is it stopped? ● What happened before? When did this start? ● Is there malicious code somewhere? Backdoors planted? ● What files or database contents has changed? Which changes are malicious? ● Who did what? What IP addresses and other identifiers are linked to what actions?
  • 13. Security breach investigation questions ● How did they get in? ● What level of access did they gain? ● What data could have leaked? ● What was their motive? ● What damage was caused?
  • 14. Investigation and recovery steps 1. Make a new backup 2. Compare backups wp-backup-list-changes diff -ur wordpress backup/wordpress 3. Check last WP and SSH logins Store current state Reveal file and database changes Detect unauthorized use based on anomalies in timestamps or IP geolocation
  • 15. Investigation and recovery steps 4. wp core verify-checksums wp plugin verify-checksums --all wp package install seravo/wp-checksum wp checksum all --details Compare WordPress core, plugin and theme files to their original versions as downloaded from wp.org
  • 16. Modified plugin code found ..but was a false alert, modification most likely a mistake by real plugin author who released two plugin variants published with same version number. $ wp checksum diff plugin entry-views inc/widget-entry-views.php Executing diff /tmp/1541763665-4CBDYu.tmp wordpress/htdocs/wp-content/plugins/entry-views/inc/widget-entry-views.php 49c49 < $this->WP_Widget( --- > parent::__construct(
  • 17. 13:31
  • 18. Investigation and recovery steps 5. wp user list 6. wp db query 'SELECT post_modified, id, post_title, post_name, post_type FROM wp_posts ORDER BY id DESC LIMIT 50;' View recent new users View recent new contents
  • 19. Two suspected attacker user accounts Variants of trollherten and different .ru email addresses found on multiple of the investigated sites. $ wp user list +----+---------------+--------------+----------------------+---------------------+---------------+ | ID | user_login | display_name | user_email | user_registered | roles | +----+---------------+--------------+----------------------+---------------------+---------------+ | 12 | t2trollherten | | [email protected] | 2018-11-08 13:36:03 | administrator | | 13 | t3trollherten | | [email protected] | 2018-11-08 14:42:09 | administrator | +----+---------------+--------------+----------------------+---------------------+---------------+
  • 20. Bingo! usernames, timestamps, IP addresses, email +----+---------------+--------------+----------------------+---------------------+---------------+ | ID | user_login | display_name | user_email | user_registered | roles | +----+---------------+--------------+----------------------+---------------------+---------------+ | 12 | t2trollherten | | [email protected] | 2018-11-08 13:36:03 | administrator | | 13 | t3trollherten | | [email protected] | 2018-11-08 14:42:09 | administrator | +----+---------------+--------------+----------------------+---------------------+---------------+ These can be given to grep /data/log for log data mining
  • 21. The entry 109.234.37.214 - - [08/Nov/2018:15:36:02 +0200] "GET / HTTP/1.1" 200 19027 "-" 0.301 109.234.37.214 - - [08/Nov/2018:15:36:02 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.220 109.234.37.214 - - [08/Nov/2018:15:36:03 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.258 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-login.php?action=register HTTP/1.1" 302 5 "-" 0.648 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "GET /wp-login.php?checkemail=registered HTTP/1.1" 200 1463 "https://<redacted>/wp-login.php?action=register" 0.129 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.163 109.234.37.214 - - [08/Nov/2018:15:36:04 +0200] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 36 "-" 0.167 $ host 109.234.37.214 214.37.234.109.in-addr.arpa domain name pointer host-109-234-37-214.hosted-by-vdsina.ru. User agent was: "Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/36.0.1985.143 Safari/537.36"
  • 22. POST /wp-admin/admin-ajax.php ● Seravo does not log POST requests for good reasons ● So what was the payload that granted magic powers to the attacker? ● Luckily we have other PHP and database logs...
  • 23. Anomalies in database use ● Weird empty WordPress options value updates ● Unusual requests to database table wpgdprc_access_requests ● What plugin does that belong to? $ grep -rF wpgdprc_access_requests wp-gdpr-compliance/ wp-gdpr-compliance/Includes/AccessRequest.php: return $wpdb->base_prefix . 'wpgdprc_access_requests'; wp-gdpr-compliance/uninstall.php: $wpdb->query("DROP TABLE IF EXISTS `{$wpdb->base_prefix}wpgdprc_access_requests`");
  • 24. 14:03
  • 26. Point of entry known ● The plugin WP GDPR Compliance Plugin most likely route ● Fix: remove it from all 4 sites $ wp plugin deactivate --uninstall wp-gdpr-compliance
  • 27. 14:35
  • 28. More information started coming in ● When the US woke up (in European afternoon) and published blogs the Sucuri RSS feed we subscribe showed interesting stuff: blog.sucuri.net/2018/11/erealitatea-net-hack-corrupts-websites-wit h-wp-gdpr-compliance-plugin-vulnerability.html ● Then more and more other reports were found: a. www.wordfence.com/blog/2018/11/privilege-escalation-flaw-in- wp-gdpr-compliance-plugin-exploited-in-the-wild/ b. vitalisec.blogspot.com/2018/11/wp-gdpr-plugin-attack.html c. wpvulndb.com/vulnerabilities/9144
  • 29. Vulnerability details ● A SQL injection flaw in WP GDPR Compliance allowed a remote attacker to set arbitrary WP option values a. First allow anybody to register with users_can_register=1 b. Then set default_role=”administrator” for all new users c. Register an account, log in and do whatever an admin can do ● Reported to wpvulndb.com by Adrian Mörchen / moewe.io ● Fixed in WP GDPR Compliance version 1.4.3
  • 30. Fix issue globally for all our customers commit 2ffb891415628ead16263e1fa09d78dac9e5dcdd Author: Ville Korhonen Date: Fri Nov 9 14:51:18 2018 +0200 Add WP GDPR Compliance plugin to urgent updates WP GDPR Compliance < 1.4.3 has critical SQL injection flaw which allows simple privilege escalation. <https://plugins.trac.wordpress.org/changeset/1970313> Added to Seravo’s update systems as an urgent update
  • 31. 14:51
  • 32. Investigation and recovery steps 7. Based on findings, clean up the site a. Recover clean version from backups b. Remove malicious code and content manually 8. As a precaution, reset all WordPress user sessions and passwords wp-reset-all-passwords In this case option A was not possible, but luckily option B was quite easy as backups showed only one potential malware file was injected.
  • 33. Investigation and recovery steps 9. As extra precaution, scan the site for malware one more time when it is otherwise deemed to be clean Using Seravo’s custom made WordPress/PHP malware scanner
  • 34. 2018-11-09 15:26:22 <redacted>.seravo.com RESOLVED 2018-11-09 15:17:49 <redacted>.seravo.com RESOLVED 2018-11-09 15:29:03 <redacted>.seravo.com RESOLVED 2018-11-09 15:20:24 <redacted>.seravo.com RESOLVED All sites clean and finally back online
  • 35. Investigation and recovery steps 10. Elevated monitoring and follow-up for site once it has been re-opened, just in case there was more attack avenues not discovered during the investigation. During the investigation Seravo sent 8 status update e-mails to the site owner and the customer mobilized their own team to support the effort and they also sent us valuable additional information. A few additional emails from Seravo to the customer followed over the weekend and next week to confirm all necessary measures had been completed.
  • 36. Notification e-mail from new registration of ‘trollherten’ users ● Later we found out the site owner did get an email notification from WordPress about the new user named “trollherten” but since the e-mail was vague and did not contain any alarming information, the person who read the e-mail ignored it.
  • 37. Luckily this was not a targeted attack ● Most likely the attacker just wanted to own the site and use it to redirect traffic, spam, mount more attacks against other sites etc. ● The site itself or the data it had was not the target and most likely not used.
  • 38. Be prepared: no security is perfect ● No plugin author makes perfect code. ● All plugins on the site were updated a week earlier, the vulnerability was used close to zero-day. ● Unreasonable for site admin to read deeply all notification e-mails. ● Fact: sometimes even good security isn’t enough. One also needs to have a security incident response plan. ● We do. Do you?