Doc’s WordPress News Drop is a weekly report on the most pressing WordPress news. When the news drops, I will pick it up and deliver it right to you.
At this year’s DefCon, Hanno Böck described how hackers can find a fresh new WordPress install within 30-60 minutes of going live. Don’t be nervous though, in this week’s video we talk about how you can protect a fresh WordPress install.
WordFence shared an excellent write up of Hanno’s presentation, which you can read here, as well as another article on how hackers can take advantage of WordPress sites that have not yet been configured.
Love WordPress News, but hate reading? This is Doc Pop’s News Drop.
Each year, thousands of hackers head to Las Vegas for DefCon, the world’s largest information security convention. At least I hope it is. I DO NOT want to piss of the hackers…
At this year’s event, Hanno Böck gave a talk titled “How to Hack Web Applications Before Installation” which describes how hackers can find a fresh WordPress install within thirty minutes of going live. 30 minutes!
That means that by the time you are still picking which two factor authentication plugin to go with, hackers may already be targetting your site.
So how is this possible? Using certificate transparency data, anyone can see new SSL certificates with 30-60 minutes of being issued. That data includes the new site’s domain name. Certificate transparency is an open standard that allows people to monitor SSL certificates as they are issued, to make sure no one is trying to use improper SSL certs. It’s a transparent and good system, but it’s also a clever way for hackers to find new sites that might not have been fully configured yet.
The flow would be something like this, you set up new site with a host that offers free SSL certs with each install. Within 30-60 minutes, hackers will have found your new site via the certificate transparency report. Then the hacker users a script that monitors your site for the set up configuration file and, this is the key part, if your new WordPress site has not been configured yet, the hacker runs the set-up config script to gain backdoor access to your site. This script exploits the default settings that most fresh WordPress sites start off with. You’ll never ever know they are in there.
Let me guess, you were just about to push a new WordPress install but now you are a little hesitant? Don’t be. Just be sure to follow these steps.
First off, it’s a new install, which means you are probably using the newest/safest version of WordPress. The key thing you need to do when you make that site live is to finish the set up configuration as soon as possible. That includes setting up a unique username for your admin and a very secure password. If you can easily remember it, it’s not a good password, use a password generator and finish that set up asap.
Some WordPress hosts will also offer a way to block traffic on your site. For instance, WP Engine has a “block traffic on production” option that adds a password to access any pages on your site.
Big shout out to WordFence security, who ran excellent recaps about Hanno Böck’s DefCon talk as well as another great article specifically about how hackers can exploit new WordPress sites that have not yet been configured. We’ve included links to those articles as well as Hanno’s DefCon talk in the description below.
That’s it for this week’s News Drop, if you have any other great DefCon talks that we may have missed, please let us know about them in the comments below and as usual, be sure to like and subscribe to this channel if you like what we are doing. We’ll see you next week.