SlideShare une entreprise Scribd logo

WPM: Wordpress IN Paranoid MODE

Télécharger en tant que PPTX, PDF
Telefónica
Telefónica

Project developed by Chema Alonso & Pablo Gonzalez from Eleven Paths about configure WordPress in Paranoid Mode using Latch at SQL queries operations in MySQL. The idea is to Latch INSERT, UPDATE and DELETE Operations in Worpress tables with MySQL triggers. More info at: https://github.com/ElevenPaths/WPM-Wordpress-in-Paranoid-Mode

Technologie
1  sur  19
MY WORDPRESS IN PARANOID MODE Chema Alonso (@chemaalonso) https://www.elevenpaths.com http://www.elladodelmal.com
(SOME) WORDPRESS RISKS  My plugin has a Code Injection Bug  Someone stole an identity  My WordPress is under Attack!!
HARDEN IT!  Harden OS  (GNU/Linux Hardening)  Harden DB  (MySQL Hardenig)  Harden WordPress  (Main & Plugins)  Harden Users  (Awarness & Tools) www.0xword.com
PUT A LATCH ON IT!
1) HARDEN WORDPRESS USERS http://www.slideshare.net/elevenpaths/instalacin-de-latch-en-word-press
2) HARDEN OS: GNU/LINUX SSH http://www.slideshare.net/elevenpaths/latch-unix-espaol
3) WORDPRESS IN PARANOID MODE (LATCHING MYSQL DB)  Create triggers in critical tables of Wordpress  This triggers allow or deny 3 actions:  Insert  Update  Delete  Trigger verify Latch to carry out an action:  Latch ON = Action  Latch OFF = Blocked
CREATE LATH APP (LATCH DEVELOPER AREA) https://latch.elevenpaths.com
INSTALL WPM (./INSTALL.SH <APPID> <SECRET>)
STEP 1: PAIRING MYSQL & LATCH (GIVE ME TOKEN => PAIRING)
STEP 2&3: CREATING OPERATIONS (RELAX AND ENJOY)
STEP 4: COMPILATION & INSTALL (LIB_MYSQL_UDF.SO)
STEP 5: UNLOAD MYSQL PROFILE (MYSQL APPARMOR PROFILE BLOCK CODE EXECUTION)
STEP 6: CREATING MYSQL TRIGGERS (READ-ONLY, ADMINISTRATION, EDITION)
YOU GOT LATCH IN WPM
LATCH WPM: READ-ONLY MODE  Read-Only Mode:  Nobody can login in WordPress.  No one can make changes in MySQL.  wp_usermeta Table:  insert, delete and update blocked if ‘read-only’ operation enabled  If ‘read-only’ mode is deactivated then you can login
LATCH: ADMINISTRATION MODE  Protects:  Delete on wp_users  Update on wp_users  Insert on wp_users  SQL Injection Bugs:  No Delete  No Update  No Insert
LATCH: ADMINISTRATION MODE  Trigger on wp_users:  Delete Action  Verify Latch  Abort SQL Operation
QUESTIONS?  WPM -WordPress in Paranoid Mode  https://github.com/elevenpaths  Https://community.elevenpahts.com  Chema Alonso  (@chemaalonso)  https://www.elevenpaths.com  http://www.elladodelmal.com

Recommandé

Latch MyCar: Documentation
Latch MyCar: DocumentationLatch MyCar: Documentation
Latch MyCar: Documentation
Telefónica
 
Owning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnetsOwning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnets
Chema Alonso
 
Protect your website
Protect your websiteProtect your website
Protect your website
Muthu Natarajan
 
Hackers secrets
Hackers secretsHackers secrets
Hackers secrets
Tengku Maulana
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
Dougal Campbell
 
Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.
Marcin Chwedziak
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
Himanshu Kumar Das
 

Recommandé

Latch MyCar: Documentation
Latch MyCar: DocumentationLatch MyCar: Documentation
Latch MyCar: Documentation
Telefónica
 
Owning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnetsOwning bad guys {and mafia} with javascript botnets
Owning bad guys {and mafia} with javascript botnets
Chema Alonso
 
Protect your website
Protect your websiteProtect your website
Protect your website
Muthu Natarajan
 
Hackers secrets
Hackers secretsHackers secrets
Hackers secrets
Tengku Maulana
 
Secure All The Things!
Secure All The Things!Secure All The Things!
Secure All The Things!
Dougal Campbell
 
Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.Hardening WordPress. Few steps to more secure installation.
Hardening WordPress. Few steps to more secure installation.
Marcin Chwedziak
 
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web ApplicationNull bhopal Sep 2016: What it Takes to Secure a Web Application
Null bhopal Sep 2016: What it Takes to Secure a Web Application
Anant Shrivastava
 
Bug Bounty for - Beginners
Bug Bounty for - BeginnersBug Bounty for - Beginners
Bug Bounty for - Beginners
Himanshu Kumar Das
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
Jeroen van Dijk
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
Dougal Campbell
 
Digital Strategy Works - Moving Wordpress
Digital Strategy Works - Moving WordpressDigital Strategy Works - Moving Wordpress
Digital Strategy Works - Moving Wordpress
Digital Strategy Works LLC
 
Wampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharmaWampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharma
Ajay Di Sharma
 
WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011
Alfred Ayache
 
Setting Up Wordpress Offline
Setting Up Wordpress OfflineSetting Up Wordpress Offline
Setting Up Wordpress Offline
Amol Dhir
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
Angela Bowman
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
SiteGround.com
 
How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.
DrupalCampDN
 
Vagrant WordCamp Hamilton
Vagrant WordCamp HamiltonVagrant WordCamp Hamilton
Vagrant WordCamp Hamilton
Paul Bearne
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
Dre Armeda
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
Jeroen van Dijk
 
Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...
Jim Birch
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
Chetan Gole
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
Zachary Russell
 
WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011
Tareq Hasan
 
Разработка плагина для Wordpress
Разработка плагина для Wordpress Разработка плагина для Wordpress
Разработка плагина для Wordpress
Amin Benarieb
 
"><h1>muthu</h1>
"><h1>muthu</h1>"><h1>muthu</h1>
"><h1>muthu</h1>
muthu muthu
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Vasile
 
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWordÍndice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Telefónica
 
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Telefónica
 

Contenu connexe

Similaire à WPM: Wordpress IN Paranoid MODE

The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
Jeroen van Dijk
 
How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.
DrupalCampDN
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Brian Layman
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
Jeroen van Dijk
 

Similaire à WPM: Wordpress IN Paranoid MODE (20)

The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
 
Higher Order WordPress Security
Higher Order WordPress SecurityHigher Order WordPress Security
Higher Order WordPress Security
 
Digital Strategy Works - Moving Wordpress
Digital Strategy Works - Moving WordpressDigital Strategy Works - Moving Wordpress
Digital Strategy Works - Moving Wordpress
 
Wampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharmaWampserver installation ajay-di-sharma
Wampserver installation ajay-di-sharma
 
WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011WP Sandbox Presentation WordCamp Toronto 2011
WP Sandbox Presentation WordCamp Toronto 2011
 
Setting Up Wordpress Offline
Setting Up Wordpress OfflineSetting Up Wordpress Offline
Setting Up Wordpress Offline
 
Your WordPress Website Is/Not Hacked
Your WordPress Website Is/Not HackedYour WordPress Website Is/Not Hacked
Your WordPress Website Is/Not Hacked
 
Protect Your WordPress From The Inside Out
Protect Your WordPress From The Inside OutProtect Your WordPress From The Inside Out
Protect Your WordPress From The Inside Out
 
How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.How to? Drupal developer toolkit. Dennis Povshedny.
How to? Drupal developer toolkit. Dennis Povshedny.
 
Vagrant WordCamp Hamilton
Vagrant WordCamp HamiltonVagrant WordCamp Hamilton
Vagrant WordCamp Hamilton
 
WordPress End-User Security
WordPress End-User SecurityWordPress End-User Security
WordPress End-User Security
 
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012Neo word press meetup ehermits - how to keep your blog from being hacked 2012
Neo word press meetup ehermits - how to keep your blog from being hacked 2012
 
The Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/PressThe Enterprise Wor/d/thy/Press
The Enterprise Wor/d/thy/Press
 
Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...Command line for the beginner - Using the command line in developing for the...
Command line for the beginner - Using the command line in developing for the...
 
Securing Word Press Blog
Securing Word Press BlogSecuring Word Press Blog
Securing Word Press Blog
 
Locking down word press
Locking down word pressLocking down word press
Locking down word press
 
WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011WordPress Theme & Plugin development best practices - phpXperts seminar 2011
WordPress Theme & Plugin development best practices - phpXperts seminar 2011
 
Разработка плагина для Wordpress
Разработка плагина для Wordpress Разработка плагина для Wordpress
Разработка плагина для Wordpress
 
"><h1>muthu</h1>
"><h1>muthu</h1>"><h1>muthu</h1>
"><h1>muthu</h1>
 
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress EcosystemDan Catalin Vasile - Hacking the Wordpress Ecosystem
Dan Catalin Vasile - Hacking the Wordpress Ecosystem
 

Plus de Telefónica

Los retos sociales y éticos del Metaverso
Los retos sociales y éticos del MetaversoLos retos sociales y éticos del Metaverso
Los retos sociales y éticos del Metaverso
Telefónica
 

Plus de Telefónica (20)

Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWordÍndice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
Índice de libro "Historias Cortas sobre Fondo Azul" de Willy en 0xWord
 
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
Índice del libro: Máxima Seguridad en Windows: Secretos Técnicos. 6ª Edición ...
 
Índice del libro "Hacking Web3: Challenge Acepted!" de 0xWord
Índice del libro "Hacking Web3: Challenge Acepted!" de 0xWordÍndice del libro "Hacking Web3: Challenge Acepted!" de 0xWord
Índice del libro "Hacking Web3: Challenge Acepted!" de 0xWord
 
Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...
Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...
Índice del libro "Amazon Web Services: Hardening de Infraestructuras Cloud Co...
 
Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...
Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...
Índice del Libro "Ciberestafas: La historia de nunca acabar" (2ª Edición) de ...
 
Índice del Libro "Storytelling para Emprendedores"
Índice del Libro "Storytelling para Emprendedores"Índice del Libro "Storytelling para Emprendedores"
Índice del Libro "Storytelling para Emprendedores"
 
Digital Latches for Hacker & Developer
Digital Latches for Hacker & DeveloperDigital Latches for Hacker & Developer
Digital Latches for Hacker & Developer
 
Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"
Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"
Índice del libro "Hardening de servidores GNU / Linux 5ª Edición (Gold Edition)"
 
WhatsApp INT: OSINT en WhatsApp
WhatsApp INT: OSINT en WhatsAppWhatsApp INT: OSINT en WhatsApp
WhatsApp INT: OSINT en WhatsApp
 
Índice del libro "De la Caverna al Metaverso" de 0xWord.com
Índice del libro "De la Caverna al Metaverso" de 0xWord.comÍndice del libro "De la Caverna al Metaverso" de 0xWord.com
Índice del libro "De la Caverna al Metaverso" de 0xWord.com
 
20º Máster Universitario de Ciberseguridad UNIR
20º Máster Universitario de Ciberseguridad UNIR20º Máster Universitario de Ciberseguridad UNIR
20º Máster Universitario de Ciberseguridad UNIR
 
BootCamp Online en DevOps (and SecDevOps) de GeeksHubs Academy
BootCamp Online en DevOps (and SecDevOps) de GeeksHubs AcademyBootCamp Online en DevOps (and SecDevOps) de GeeksHubs Academy
BootCamp Online en DevOps (and SecDevOps) de GeeksHubs Academy
 
Índice del libro "Ciberseguridad de tú a tú" de 0xWord
Índice del libro "Ciberseguridad de tú a tú" de 0xWordÍndice del libro "Ciberseguridad de tú a tú" de 0xWord
Índice del libro "Ciberseguridad de tú a tú" de 0xWord
 
Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...
Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...
Índice del libro "Open Source INTelligence (OSINT): Investigar personas e Ide...
 
Índice del libro "Social Hunters" de 0xWord
Índice del libro "Social Hunters" de 0xWordÍndice del libro "Social Hunters" de 0xWord
Índice del libro "Social Hunters" de 0xWord
 
Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...
Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...
Índice del libro "Kubernetes para profesionales: Desde cero al despliegue de ...
 
Los retos sociales y éticos del Metaverso
Los retos sociales y éticos del MetaversoLos retos sociales y éticos del Metaverso
Los retos sociales y éticos del Metaverso
 
Índice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWord
Índice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWordÍndice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWord
Índice del Libro "Ciberestafas: La historia de nunca acabar" de 0xWord
 
Índice del libro "Docker: SecDevOps" 2ª Edición de 0xWord
Índice del libro "Docker: SecDevOps" 2ª Edición de 0xWordÍndice del libro "Docker: SecDevOps" 2ª Edición de 0xWord
Índice del libro "Docker: SecDevOps" 2ª Edición de 0xWord
 
Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...
Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...
Índice del libro "Malware moderno: Técnicas avanzadas y su influencia en la i...
 

Dernier

Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 

Dernier (20)

FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ..."I see eyes in my soup": How Delivery Hero implemented the safety system for ...
"I see eyes in my soup": How Delivery Hero implemented the safety system for ...
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Corporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptxCorporate and higher education May webinar.pptx
Corporate and higher education May webinar.pptx
 
Vector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptxVector Search -An Introduction in Oracle Database 23ai.pptx
Vector Search -An Introduction in Oracle Database 23ai.pptx
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWEREMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
EMPOWERMENT TECHNOLOGY GRADE 11 QUARTER 2 REVIEWER
 
[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf[BuildWithAI] Introduction to Gemini.pdf
[BuildWithAI] Introduction to Gemini.pdf
 
WSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering DevelopersWSO2's API Vision: Unifying Control, Empowering Developers
WSO2's API Vision: Unifying Control, Empowering Developers
 
MS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectorsMS Copilot expands with MS Graph connectors
MS Copilot expands with MS Graph connectors
 
Exploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with MilvusExploring Multimodal Embeddings with Milvus
Exploring Multimodal Embeddings with Milvus
 

WPM: Wordpress IN Paranoid MODE

  • 1. MY WORDPRESS IN PARANOID MODE Chema Alonso (@chemaalonso) https://www.elevenpaths.com http://www.elladodelmal.com
  • 2. (SOME) WORDPRESS RISKS  My plugin has a Code Injection Bug  Someone stole an identity  My WordPress is under Attack!!
  • 3. HARDEN IT!  Harden OS  (GNU/Linux Hardening)  Harden DB  (MySQL Hardenig)  Harden WordPress  (Main & Plugins)  Harden Users  (Awarness & Tools) www.0xword.com
  • 4. PUT A LATCH ON IT!
  • 5. 1) HARDEN WORDPRESS USERS http://www.slideshare.net/elevenpaths/instalacin-de-latch-en-word-press
  • 6. 2) HARDEN OS: GNU/LINUX SSH http://www.slideshare.net/elevenpaths/latch-unix-espaol
  • 7. 3) WORDPRESS IN PARANOID MODE (LATCHING MYSQL DB)  Create triggers in critical tables of Wordpress  This triggers allow or deny 3 actions:  Insert  Update  Delete  Trigger verify Latch to carry out an action:  Latch ON = Action  Latch OFF = Blocked
  • 8. CREATE LATH APP (LATCH DEVELOPER AREA) https://latch.elevenpaths.com
  • 10. STEP 1: PAIRING MYSQL & LATCH (GIVE ME TOKEN => PAIRING)
  • 11. STEP 2&3: CREATING OPERATIONS (RELAX AND ENJOY)
  • 12. STEP 4: COMPILATION & INSTALL (LIB_MYSQL_UDF.SO)
  • 13. STEP 5: UNLOAD MYSQL PROFILE (MYSQL APPARMOR PROFILE BLOCK CODE EXECUTION)
  • 14. STEP 6: CREATING MYSQL TRIGGERS (READ-ONLY, ADMINISTRATION, EDITION)
  • 15. YOU GOT LATCH IN WPM
  • 16. LATCH WPM: READ-ONLY MODE  Read-Only Mode:  Nobody can login in WordPress.  No one can make changes in MySQL.  wp_usermeta Table:  insert, delete and update blocked if ‘read-only’ operation enabled  If ‘read-only’ mode is deactivated then you can login
  • 17. LATCH: ADMINISTRATION MODE  Protects:  Delete on wp_users  Update on wp_users  Insert on wp_users  SQL Injection Bugs:  No Delete  No Update  No Insert
  • 18. LATCH: ADMINISTRATION MODE  Trigger on wp_users:  Delete Action  Verify Latch  Abort SQL Operation
  • 19. QUESTIONS?  WPM -WordPress in Paranoid Mode  https://github.com/elevenpaths  Https://community.elevenpahts.com  Chema Alonso  (@chemaalonso)  https://www.elevenpaths.com  http://www.elladodelmal.com