In this session of the Cloudways Security Bootcamp, Joel from MelaPress explores how to identify and mitigate WordPress threats using the STRIDE framework: Spoofing, Tampering, Repudiation, Information Disclosure, Denial of Service, and Elevation of Privilege. Packed with practical insights, real-world examples, and actionable tips, this video covers everything from password policies and 2FA to file monitoring, activity logs, and plugin vulnerabilities. Whether you're a WordPress developer, agency owner, or website manager, this session will help you strengthen your site's security and stay protected against evolving cyber threats.
Hey George, I hope you're doing well. I'm good, how are you? It is good to have you on board on this security boot camp. I think we can start with the introduction first: you can introduce yourself to the audience and then we can start the presentation. The topic is about STRIDE and how we can use it to identify the bugs and all the things. So the stage is yours.

Yeah, sure. Hi everyone, I am Joel. I've been working at MelaPress as a technical writer for close to four years now; however, I have been working with WordPress since the very early years. I remember WordPress sort of starting to come out; before that we used to work with Joomla quite a bit. So I have a deep appreciation for WordPress and the role it plays in democratizing the internet. I have worked in several roles within IT for a very long time, as IT manager, systems administrator, and now more recently as a technical writer as well. I have a deep passion for security, and in this presentation we're talking about how to identify WordPress threats using STRIDE.

I think we can start with the presentation. We have your presentation and the people are waiting for the discussion of your topic, so here it is on the screen.

Yep, perfect, thank you very much. So hello everyone again, I am Joel, and in this presentation we'll be discussing threat modeling for WordPress. More specifically, we will be looking at one particular threat model, which is called STRIDE, and how this can help us understand and mitigate threats in WordPress environments. So if you can go to the next slide please.

So what is threat modeling? To better understand what threat modeling is, maybe we should start by answering the question of what a threat is. There are different definitions; however, one by the Cambridge Dictionary is very fitting for this context, which tells us that something unpleasant or violent will happen, especially if a particular action or order is not followed. What this tells us is that we can reduce the likelihood of future violence or unpleasantness if we take action in the present. This is precisely why threat modeling is important, so hold that thought as we examine a more technical definition of the word threat. Next slide please.

A more technical definition comes courtesy of NIST, which reads as follows: any circumstance or event with the potential to adversely impact organizational operations (including mission, functions, image, or reputation), organizational assets, or individuals through an information system via unauthorized access, destruction, disclosure, modification of information, and/or denial of service; also, the potential for a threat source to successfully exploit a particular information system vulnerability. It is a mouthful, but if we dissect it we can see what we can take away from this, including what the threats are and what the repercussions are. We can look at the threats first: we have unauthorized access, destruction, disclosure, modification of information, denial of service and system vulnerability exploitation. The repercussions of this number of threats are adverse impact on organizational operations, including on its mission, its functions, its image and reputation, organizational assets and individuals. Through this we are starting to get a clear picture not only of what the threats are but of how these threats can manifest themselves, what the repercussions are, and ultimately how we can mitigate the risk of these threats. If we can go to the next slide please.

So threat modeling allows us to identify
threats so that particular action can be taken, so that unpleasant things don't happen now and in the future. While threat modeling might sound like a big fancy word, at its core it's very simple: it's basically a checklist, and by using these sorts of checklists we can be reasonably sure that we have covered all of our bases and are thereby in a relatively secure position. Keep in mind that risk can never be eliminated; it can be managed, it can be reduced, but never eliminated. So through these checklists what we have is a surefire way of knowing that we have covered all of our bases. Now, one way to protect yourself from security breaches is to install one or more security plugins; however, this is not a strategy, this is more like hoping for the best, and hoping for the best is not effective WordPress security. So to make sure that our WordPress security strategy aligns with real-world threats, we can use threat modeling to ensure that we are in a secure position. Next slide please.

At MelaPress every year we do a WordPress security survey. We did one last year; we run the survey online and in person at WCU. WCU runs over the two or three days that we are there, and the online survey was run for a couple of months. In last year's survey we asked respondents whether they have experienced a security breach, and 72% of our respondents indicated that they have experienced at least one security breach; half of them, nearly 50%, indicated that they experienced more than one. These are not small numbers by any stretch of the imagination, so security definitely deserves our attention, because a security breach can lead to, as we saw, a number of unpleasant things. Now, one common misconception among administrators and website owners is that their website is not big enough to be targeted by an attack, but that's not necessarily the case. Bad actors can breach a website for a number of reasons, including to form a botnet, to attack a secondary target, through a campaign of geopolitical aggression (which at the moment we are going through quite a lot), to help the competition (it might not necessarily be a competitor but someone who has a vested interest in seeing you fail and someone else succeed), and just because they can, as a sort of target practice: they are gearing up to attack a bigger website, but they will use your website as target practice. So threat models such as STRIDE have been developed to address threats in the real world, which is why they are important.

A few slides ago we saw what the threats are that IT systems face, from the NIST definition, but what are the threats that WordPress websites face specifically? There are a number of them: there are breaches, where someone gains unauthorized access to your website; data theft, manipulation and deletion for a number of reasons that I just covered; and loss of service. These are some of the threats; there are many, many more, but they can give you a better idea of what the threats are that you are facing. So how does threat modeling help us? Think of checklists and to-do lists as something that helps us to remember tasks we need to do in the future, and they help us ensure that everything that needs to be done gets done. Threat models work in the same vein: they work as a checklist to make sure that what we need to do for the website gets done. Now, STRIDE, which is what we're going to cover in this presentation, is not the only one; there are a number of others, and STRIDE might not necessarily be the one for you. Which one you choose will largely depend on a number of things. There's the environment, which is the scope and size of your website: whether you have a small blog site, a thriving e-commerce site or a large
multisite network, that's going to influence which model you choose, as well as your risk appetite and resource availability, because all resources are finite and limited, be it man hours, financial resources or expertise. We always have to make a number of trade-offs, and based on these we will choose the model that fits our requirements the most. So obviously there is STRIDE, which we'll be covering in some detail today; however, there are also attack trees, there's DREAD, PASTA, Trike and a few others. As I said, your type of environment, your scope and size, your appetite, the market you operate in, as well as any applicable laws might mean a different model would be a better fit. So more than anything, the purpose of this presentation is to introduce you to threat modeling and help you understand how threat modeling can help you and your organization, and how you can start implementing threat modeling within your organization.

So what is STRIDE, and where does it come from? STRIDE was developed by Microsoft way back in 1999. It is used extensively even today as a foundational tool in software development; however, it has been adopted and adapted by different organizations to fit different scenarios, so it's not just in software development but also in systems management. STRIDE is an acronym, and it stands for Spoofing, Tampering, Repudiation, Information disclosure, Denial of service and Elevation of privilege. These are the threats that we are going to be focusing on. While STRIDE was originally developed for software development, so even if you are a plugin developer this can work for you to make sure that the plugin is following all security best practices, it can also be adopted in systems management, which is what we'll be seeing today for the most part, basically to ensure that your WordPress websites are secure. So if you can go to the next slide please.

We'll start with the first one, which is spoofing. Spoofing is when a person or program successfully masquerades as someone else. So how can this happen in WordPress? Next slide please. We have weak or compromised passwords. Attackers use either credential stuffing or brute-force attacks to log in. Brute-force attacks are basically trying every single combination until one works; credential stuffing is a bit different. Of course, you might be concerned with securing your WordPress websites, but many users and people ultimately reuse the same passwords as they use for your websites on other websites, so suddenly you need to be concerned with the security of other websites, because if another website gets breached and the passwords get stolen and leaked, or maybe someone tries to sell them on the dark web, attackers are going to use those very same passwords to try to breach your website. Which brings us to the next point: two-factor authentication, very, very important. With two-factor authentication, even if credentials are stolen, 2FA would prevent unauthorized access. This is because even if they have the right password they still need the 2FA code. Something else that you need to be aware of is fake login pages through phishing. This can start through a man-in-the-middle attack where someone redirects traffic to a fake login page. They will typically use a very similar URL; for example, we work with MelaPress, so they might add an extra L in MelaPress, which can be very difficult to see, especially if you see a URL that's very close, and then you enter your password and they steal your login information. So how do we address this? First is through strong authentication: have a password policy which says how long a password
should be and the complexity: upper-case and lower-case characters, special characters, alphanumeric, non-recycling of passwords. Let's make sure that users are not using the password they just had or the password that was two passwords old. There are two different ways that we can do this: one is we can ask the users nicely, or not, and send them an email to make sure that their passwords meet these requirements; or else we can have a plugin to make sure that our password policy requirements are met at all times. SSL/TLS: SSL we don't use anymore, even though we still refer to TLS as SSL sometimes, but it's TLS, and this is the security certificate that basically turns your website to HTTPS. What this does is it encrypts the traffic, including passwords, between the WordPress web server and the visitors and users. This makes it more difficult for man-in-the-middle attacks to take place and reduces the risk of phishing. Two-factor authentication: as we explained, even if the password gets leaked, whoever is trying to gain access would still need the 2FA code, which can be sent via an authenticator app on your phone or via email; now we also have push notifications and passkeys to reduce the risk. If you have any forms, whether it's login forms or contact-us forms, use a CAPTCHA; this will reduce the risk of bots submitting phishing attempts to get us to redirect somewhere else. Use a CAPTCHA and limit login attempts; this helps us with brute-force attacks. We can basically stop a user so that after three failed attempts, five, seven, whatever you choose (again, it's all about risk management), the user account gets locked. They can get either unlocked automatically after some time or else through a manual unlock, which makes it more secure because then the user has to get in touch.

Moving to the next one, which is tampering. What is tampering? Unauthorized changes to data, insertion of malicious code, code tampering and file tampering. Next slide. How does tampering work? Several ways. We can have malicious plugins or themes which contain backdoors and then allow an attacker to gain access. The vast majority of plugin and theme developers do test their plugins and obviously develop plugins in good faith, but you need to be wary of and avoid nulled plugins and themes, which are premium plugins and themes that are basically cracked and sold for a much lower cost. You don't know the person or where they're coming from; they're probably not the most upstanding citizens, so inserting a backdoor is probably not beneath them. We also have vulnerabilities that include SQL injection and cross-site scripting; there's not much we can do, but there are some steps that we can take. And unauthorized file edits via insecure permissions. It happens a lot: we are in the process of troubleshooting something and chmod 777 to make sure that it's not a permissions issue. Don't go there, stay away. Whatever you are troubleshooting should work with the right permissions, so assigning 777 is never the answer, even whilst you are troubleshooting. In fact, we see many hacked WordPress sites containing modified index.php files mostly, but also wp-config.php, which contains the login information for the MySQL server, and .htaccess. So how do we address this? Next slide please. One way is through file monitoring. For example, at MelaPress we do have a completely free plugin called MelaPress File Monitor. What it does is, you do a scan and it will create a hash of all files and all directories; next time you scan it will create another hash and compare the new hash with the old hash. It can also compare your WordPress core files with what is
available in the official WordPress repository, so if anything has changed it will tell you straight away, and this is a very fail-safe way, so to speak, of trying to see whether malicious code has been inserted. Another way is through activity logs, so keep a log of who's logging in and when, what they are accessing and what they are modifying. The principle of least privilege tells us that user accounts should only have access to what they need to do, no more or less. So if you have very specific roles in your organization, use a role editor to basically create roles for those functions. A malware scanner always helps: if there's some known malware running on your system, this will help us to find it. As I said in the previous slide, only use themes and plugins from reputable sources, so do your homework and see what experience other users have had with the plugin or theme, check how responsive they are and how often they update the plugin or theme. Ultimately no one is perfect; even the most reputable theme or plugin can have a vulnerability, no matter how much testing is done before public release, but see how responsive they are. If it's on the WordPress repository, you can check there. Like the previous presentation was from Patchstack, you can check on Patchstack as well to see how often they had a vulnerability and how they go about fixing it, to make sure that even if something happens you are covered and that the plugin developer is not going to abandon you and will try to fix it as soon as possible. And always set the proper file permissions. Always. They should always be read-only, especially files like wp-config.php, which contain important information about the database. Next slide.

Moving to the next one: repudiation, a fancy word which means denial of performed actions. Next slide. How does this happen in WordPress? We can have an employee deleting content or changing settings but, when questioned, denying that it was them. This can happen through a lack of logging of user actions: if we don't have an activity log on our website we don't have any sort of recourse, so if a user denies doing a particular action we don't have a leg to stand on; we don't have any evidence that would tell us a different story. It can also happen if you do not have an audit trail, or have a poor audit trail, on critical changes, so for plugin installations or account creations there's a big chance that you won't know. It's one thing if you have one user and a handful of plugins, but if you have hundreds or thousands of users and many plugins installed, one new user or one new plugin, you're probably not going to notice it. Next slide. So how do we mitigate these WordPress threats? Very important: activity logging, which keeps a record of when users log in and log out, the time, their IP, what they did and what they didn't do. This is done through a plugin. You can also have the plugin send you notifications via email or SMS when certain things happen, so for example: send me a notification whenever an admin user account is created. Very, very important. Same for users logging in and logging out: keep a record with their IP and everything, so if something happens we can always go back to understand the activities that led to this. Same with the web server logs and the logs of the server itself, if we have access to them: let's make sure that they are on, so if something happens we can always go back to them. Next slide please.

The next one in STRIDE, about halfway through, is information disclosure, which means unauthorized access to sensitive data. Next slide. How can it happen in WordPress? We have exposed files, sensitive content, sensitive
information, either through server misconfiguration, which allows certain sensitive files to be exposed, or leftover files, for example when we are troubleshooting something, rename a file as a backup and forget to remove it. Vulnerabilities: there was one in 2018, a while back. WordPress is very secure, but then again vulnerabilities can happen; there was one in 2018 in the WordPress REST API that allowed unauthorized access to user details. And we can have a plugin that displays SQL errors, which can reveal, for example, the table names and structure, and that is giving bad actors more information to use in their attempt to breach our WordPress website. So how do we mitigate the risks of information disclosure? Always make sure that you restrict access to critical files, disable directory listing, and ensure all software is up to date; ensuring all software is up to date basically works for most of the threats. And as we mentioned under a previous threat, make sure you have a TLS certificate. One thing that you will notice for sure is that some of the mitigations apply to different threats, and these are the mitigations that we need; these are the low-hanging fruit, so make sure that they are always there. Something like TLS not only encrypts the traffic between WordPress and visitors but can also, for example, help you with SEO, because search engines prefer websites that have TLS, so there's no reason not to have TLS. Many hosting providers make it very, very easy to install a TLS certificate, so if you don't have one, just go ahead and install one. Next slide.

We're almost at the end; this is the penultimate one, denial of service. Not sure what's happening to these slides, but they got a bit squashed. It's service unavailability due to an attack or a vulnerability. So how can this happen in WordPress? We all know about DoS, so DDoS attacks: when you have an attacker or a number of attackers sending a lot of data to our WordPress server until it can no longer service new requests, that's a DDoS attack. Brute-force attacks: repeated attempts overload the server. XML-RPC abuse: they send massive requests to xmlrpc.php until the server can no longer service new requests. And poorly optimized plugins as well: you can have a plugin with poorly optimized SQL queries that, once we hit a certain number of users, will basically take down the web server. So how do we address denial of service threats? Next slide. Rate limiting: we can limit the request rates. CDN: now we are sort of moving the risk to the CDN server. CDNs typically have DDoS mitigation systems in place, such as how they respond to malicious user traffic, they shut it down, and routing: the CDN routes through to a number of servers, so it is spreading requests across a number of servers, which reduces the risk of a successful DDoS. Install a firewall, whether it's a plugin or at the server level if you have access, but do have a firewall, and always optimize the database and the server if you have access.

Okay, moving to the next one and the last one: elevation of privilege. This is when a user account assumes responsibilities that it was not intended to have. How does this happen in WordPress? Next slide. You can have vulnerable tokens that allow privilege escalation. There was a past case where a plugin had a vulnerability that allowed attackers to gain admin access. You can also have misconfigured user roles: you created custom user roles and you mistakenly assigned a role a capability that it should not have. Or exploiting unpatched WordPress vulnerabilities: in 2022, for example,
hackers exploited a bug in a plugin that allowed the creation of administrator access. These things happen regardless of how well known the plugin is, so we need to take some mitigations. If I can move to the next slide please. So what are the mitigations? Always audit and remove unused user accounts, especially admin accounts, and ideally there are plugins that will automatically disable inactive user accounts; this is the best way. If you don't want a plugin, make sure that every so often you audit the admin accounts on the site, so if you're not sure whether this account is still in use or not, lock it; the user can always ask for access afterwards. Always, always, always keep WordPress core, themes and plugins updated. Have an update policy: at one end, you install updates as soon as they become available through automatic updates; at the other end, you would want to test all updates in a staging environment before rolling them out to live. Typically this is used if you have a highly customized environment and you want to make sure that new updates don't break your website. That's fine, obviously, but have a routine: make sure that you are constantly aware when new updates are released and that you test them as soon as possible. Use a custom role plugin to create custom roles, keeping in line with the principle of least privilege, and as we mentioned under the other threats, keep an activity log, ideally with notifications, so when something high risk happens we are informed straight away. Next slide.

So yes, WordPress is a secure CMS, and a lot of effort goes into making it secure; however, we need to take ownership of hardening our WordPress website and of security maintenance. Keep in mind security is an ongoing process, not a one-time setup or fix, which is why I intentionally use the term security maintenance. Using threat models such as STRIDE whenever we are auditing our security systems, or whenever we are auditing WordPress, we have something to go through: is this done, is this done, is this done? As we noticed as well in the presentation, several mitigations help us across the board, such as keeping everything updated, having an activity log and such. These are the low-hanging fruits that have the best bang for buck, so always start from there so you cover as much as possible, especially if your resources are limited. If you can't handle all of this in one go, pick the ones that help with multiple sorts of threats, start from there, bang for buck, and then as you iterate start addressing the other mitigations. And, very, very important, stay informed. AI has already started to change how cyber security works significantly. For example, before, when it came to spoofing or spam, it was always some Nigerian prince; this doesn't happen so much anymore, now it's highly customized efforts. I received an email recently from someone pretending to have read one of my articles, and they mentioned what helped them and how. I could see that certain things didn't make a lot of sense, but if you're not looking for it, it's very easy to get sucked in. So AI is changing cyber security significantly, which means we need to stay informed more and more, and it is now making it harder to differentiate between something that is legitimate and something that is not. At the same time, hardware advancements make it easier to, for example, crack passwords: passwords that don't follow best practices can be cracked in seconds, so things like having a password policy are very, very important. Stay informed, read blogs or watch podcasts
or attend boot camps like the one we are in now to basically make sure that you can stay ahead. That's it. Last slide. So again, I am Joel, I work as a technical writer, and I've been at this since the start of my career many, many moons ago, I'm quite old, and I really hope that you found this presentation useful.

Yeah, Joel, I think it is very insightful and very informative for understanding the STRIDE framework. So let's have a look at the comment section; I think we have some questions for you. The first question is from Christina. The question is: we have been warned that activity logs use a lot of server resources; is there any way to mitigate that?

Yeah, actually it's a very, very good question. When it comes to activity logs, it's not that they use a lot of server resources; it actually depends on the number of users and how active those users are on the server. For example, if you have five users who log in once a week, that's one thing, but if you have 100 users who are logged in eight hours a day, that's a very, very different thing. So, one, you need to be careful of which plugin you choose, so try to test the different ones and see how much resources they use, and of course you need to make sure that the package you have comes with enough resources to handle the amount of activity you have on your web server.

Great. So Joel, we have another question from Resty, and the question is: what security tools can we use on a WP site which would not negatively affect the site performance, and is there a minimum recommended server specification that would run these tools while maintaining site performance?

Yes, very good question again, and this all depends. As I mentioned at the start of the presentation, all resources are finite, so we can't have unlimited resources; there are server resources, man hours and all of that, and we can't have the fastest server in the world, so we need to understand how much risk we are willing to take on. Having said that, for example, a firewall is very important, but the firewall is going to be examining all of the traffic that is coming in, so that's going to use more resources than, for example, a 2FA security plugin, which works only when the user is logging in. But there isn't a minimum recommended server spec, because it all depends on how much risk you are willing to take on. So what I would suggest is: first understand, this is the risk I'm willing to take on, I'm not willing to take this risk, so these are the plugins that I need. Install those plugins and make sure that they are working; make sure that you test different ones from different vendors and pick the one that you're most comfortable with. Once you have that, then do a test on your web server: how fast is it, is the response rate within the parameters that I'm happy with? Yes, everything is fine; no, then look at upgrading the server, or if you're not willing to upgrade the server then you need to reassess how much risk you are willing to take on. But the way that I see it, always start with: which are the plugins that are a must for me? These plugins I need to have. Install those plugins, and once you do, run the tests: is it fast enough, yes or no? Yes, all is good; no, let's look at how we can upgrade the server. You might need to look at a different hosting provider, or you might need to spend a bit extra to basically get the next server up or the next two servers up, but always start with: these are the plugins I need, this is the risk that I'm willing to assume, and work your way from there.

Okay, we have the last question, and it is related to logs. Carlos is asking: what to look for in logs, and how to systematically monitor activity to find suspicious activity?

Yes, very good question. Of course,
there are a number of things that we need to be on the lookout for. For example, a user logging in is not something that we should monitor all the time; however, if a user logs in outside of their usual hours, then that's something that we might need to have a look at. As I mentioned earlier, there's the creation of administrator accounts; typically this is something that is very important. If a plugin got installed or removed, again, that's something that we need to be on the lookout for. Now, as a disclosure, at MelaPress we do have an activity log plugin called WP Activity Log. With WP Activity Log you can choose what to log and what not to log, so it basically gives you a list of all activities and you can choose, I want to log these and not these. Obviously, keep in mind that what you do not log is lost, so I do not suggest it, but if you are short on resources that's one thing that you can do. And then you can create notifications. Obviously, log everything, because the information that you don't have you are blind to; you can never know. So always log everything, and you can always go back to that information if something happens. WP Activity Log also has notifications, so you can build a notification like: if a user logs in between this time and this time, send me a notification via email. Then once we receive that notification via email or SMS we can go back to the log and say, okay, show me all logs of this user, so we can see if the user logged in outside of normal hours, we can see what they logged in to do, and we can get in touch with that user to make sure that this is a legitimate login. If we can't, we can look at the log and see what they did, what they accessed, what they changed and did not change, and all of that. But keep in mind that it's also environment dependent, so for example if you have an e-commerce store with WooCommerce then there are other things that you need to be on the lookout for. But again, through notifications you can really narrow it down and keep the log, and then once you get the notification go to the log and filter it, like, I want to see activity by this user or activity by this IP, and then you can find if something risky has happened, basically.

It was wonderful from your side, Joel, and I again thank you for the wonderful presentation. I hope people like it and learn from it. That's it from Joel's end, and I again thank him for taking the time for this presentation and participating in the security boot camp. So thank you so much, Joel, for your time.
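Log triage along the lines of the last answer, as an added example that is not code from the presentation, from MelaPress or from Cloudways: it assumes a constructed "timestamp key=value" log format and a fixed 07:00-19:00 UTC window for usual hours, flags out-of-hours logins, administrator account creation and plugin changes (plus one added heuristic the talk does not name, a login from an IP not previously seen for that user), and then filters the log by user and IP as the follow-up step.

```python
import re
from datetime import datetime, time, timezone

# Constructed sample activity-log lines in an assumed "timestamp key=value ..." format.
# This is NOT the storage format of WP Activity Log or any real plugin; the IPs are
# documentation ranges and the users, plugin slug and timings are made up.
SAMPLE_LOG = """\
2024-05-06T09:02:11Z user=alice ip=198.51.100.10 event=user_login
2024-05-06T09:40:55Z user=alice ip=198.51.100.10 event=post_updated id=42
2024-05-06T17:05:20Z user=alice ip=198.51.100.10 event=user_logout
2024-05-07T08:58:03Z user=alice ip=198.51.100.10 event=user_login
2024-05-07T16:59:41Z user=alice ip=198.51.100.10 event=user_logout
2024-05-08T02:14:09Z user=alice ip=203.0.113.7 event=user_login
2024-05-08T02:15:30Z user=alice ip=203.0.113.7 event=user_created name=support2 role=administrator
2024-05-08T02:16:02Z user=alice ip=203.0.113.7 event=plugin_installed slug=wp-helper
2024-05-08T02:16:45Z user=alice ip=203.0.113.7 event=plugin_activated slug=wp-helper
2024-05-08T10:01:00Z user=bob ip=192.0.2.44 event=user_login
2024-05-08T10:30:00Z user=bob ip=192.0.2.44 event=user_created name=editor3 role=editor
"""

PAIR_RE = re.compile(r"(\w+)=(\S+)")

# Thresholds chosen for the example; tune them to the site's real working pattern.
WORK_START, WORK_END = time(7, 0), time(19, 0)       # "usual hours", UTC
PLUGIN_EVENTS = {"plugin_installed", "plugin_activated",
                 "plugin_deactivated", "plugin_deleted"}


def parse_line(line):
    """Turn one log line into a dict with a timezone-aware 'ts' plus the key=value fields."""
    ts_text, _, rest = line.strip().partition(" ")
    fields = dict(PAIR_RE.findall(rest))
    fields["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields


def parse_log(text):
    """Parse every non-empty line of a log dump, in order."""
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def triage(events):
    """Return (ts, user, reason) alerts for the conditions the talk singles out:
    out-of-hours logins, administrator account creation and plugin changes,
    plus one added heuristic: a login from an IP not previously seen for that user."""
    alerts = []
    known_ips = {}                       # user -> IPs seen earlier in this log
    for e in events:
        user, ev, ip = e.get("user", "?"), e.get("event", "?"), e.get("ip", "?")
        if ev == "user_login":
            if not WORK_START <= e["ts"].time() <= WORK_END:
                alerts.append((e["ts"], user,
                               f"login outside {WORK_START:%H:%M}-{WORK_END:%H:%M} UTC"))
            if user in known_ips and ip not in known_ips[user]:
                alerts.append((e["ts"], user, f"login from previously unseen IP {ip}"))
            known_ips.setdefault(user, set()).add(ip)
        elif ev == "user_created" and e.get("role") == "administrator":
            alerts.append((e["ts"], user, f"administrator account created: {e.get('name')}"))
        elif ev in PLUGIN_EVENTS:
            alerts.append((e["ts"], user, f"{ev}: {e.get('slug')}"))
    return alerts


def filter_log(events, user=None, ip=None):
    """The follow-up step after an alert: narrow the log to one user and/or one IP."""
    return [e for e in events
            if (user is None or e.get("user") == user)
            and (ip is None or e.get("ip") == ip)]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for ts, user, reason in triage(events):
        print(f"{ts:%Y-%m-%d %H:%M}Z  {user:<6} {reason}")
    print("--- everything alice did from 203.0.113.7 ---")
    for e in filter_log(events, user="alice", ip="203.0.113.7"):
        print(f"{e['ts']:%H:%M}  {e['event']}")
```

On the constructed log the two daytime logins from alice's usual IP produce nothing, while the 02:14 login from a new IP, the administrator account it creates and the plugin it installs each raise an alert.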