Last week our team attended Black Hat and DefCon in Las Vegas, two of the biggest information security conferences on earth. DefCon alone attracts approximately 20,000 information security professionals, researchers, government employees and fans. To say it is very busy is an understatement.
One of the interesting presentations at DefCon this year discussed a way for attackers to quickly find new WordPress installations to target. The presentation was given by Hanno Böck, and in it he discusses a method attackers can use to find a WordPress website just 30 minutes after it has been installed for the first time.
About three weeks ago, we published a blog post titled “The WPSetup Attack: New Campaign Targets Fresh WordPress Installs” where we discuss how we are seeing attackers specifically target fresh WordPress installs and how to avoid being attacked. Hanno expands on this risk in his presentation.
Certificate Transparency is an open standard that allows the online community to monitor SSL certificates that have been issued to websites. This allows, for example, websites like Facebook to monitor if someone has ordered an SSL certificate for one of their domains. It also allows security teams to monitor if a certificate authority (companies that issue SSL certificates) has mistakenly issued a certificate it shouldn’t have.
Anyone can use certificate transparency data to see new SSL certificates that have been issued. The data includes the website domain name. Hanno’s research showed that within 30 to 60 minutes of a new SSL certificate being issued, attackers can see it in the certificate transparency report. This provides attackers with a way to discover new websites to attack.
The sequence of events would go something like this:
- You order a new website hosting package from a hosting provider. Your order includes a free or paid SSL certificate for your domain.
- The SSL certificate is issued once your order completes.
- 30 minutes later, attackers see your fresh website listed in the certificate transparency report.
- At that time – 30 minutes later – you are halfway through completing your website setup and are just beginning to install WordPress.
- An attacker is constantly monitoring your new domain, and as soon as they see the setup script, they run it, install a back door and then reset your site to the state it was in so that you don’t notice.
We described how the WPSetup attack works in our post three weeks ago. This new technique gives attackers a way to reliably find and attack fresh websites as they are being set up.
Last week we also discussed the risk of using utility scripts like searchreplacedb2.php which don’t have any authentication, and that anyone on the Internet can access. The technique described above to discover freshly installed websites could also target these utility scripts. Thirty minutes after installing a new website, you probably think no one knows about it yet and that it is OK to install a utility script that isn’t protected by a password. Using the above technique, an attacker can scan your site for temporary utility scripts and also use them to gain entry if they are unprotected by a password or authentication.
To avoid all of the attacks above while you are setting up your new website, we suggest either limiting access to your IP or setting up basic authentication. Both of these can be done using .htaccess.
How to Limit Access to Your Site Based on IP Address
You can limit access to your website so that only your IP address can access the site. Here are the steps to do that.
- Find out what your IP address is by visiting whatsmyip.org.
- Create a file called .htaccess in your website root directory.
- Place the text below in the file and replace the marker with your IP address.
deny from all
allow from <your ip>
That should block anyone who isn’t from your IP address from accessing your web applications. Test it by using FTP or SSH to change the IP slightly and you should lose access to the website. Make sure you aren’t using a web based file manager, or you will block yourself when you do this test.
Once you have set this up so that only your IP can access your site, you can go ahead and continue setting up WordPress and anything else knowing that no one else can abuse your setup scripts.
To remove the access control, simply delete the above lines from your .htaccess file and access for everyone else will be restored.
How to Set Up Basic Authentication
Setting up basic authentication is a bit more complex. You will need access to a Linux shell to be able to create your password file. Once you have set up basic authentication, your browser will pop-up a prompt to enter a username and password whenever you access your site. The basic procedure is as follows:
First you need to use the htpasswd utility on the Linux command line to create a password file. The command to create the file looks like this. Replace ‘mark’ with your own username. You should be prompted for a password.
htpasswd -c /homedir/webroot/.htpasswd mark
If you need to install htpasswd to run the above command, you can find it in the apache2-utils package on Ubuntu Linux. If you don’t have access to htpasswd, we suggest you contact your hosting provider for help creating the password file.
Once you have created the password file, you need to add the following to a .htaccess file in your website root. Make sure you replace the path to the .htpasswd file with your own path to your password file.
AuthName "Put anything here"
Once you are done, you should see a prompt for a username and password when you try to access any part of your website. Enter your username and password to access your site and continue setup. This will prevent an attacker from accessing your site while you are busy setting it up.
To remove the above access control, delete the above lines from your .htaccess file and access for everyone else will be restored.
This is another great example of attackers using evolving techniques to identify targets and attack websites. We now know that attackers can easily identify new websites and attack them while they are being configured. As long as you use the techniques described above while your site is in setup mode, you should be safe from this kind of attack. Please share this post with the community to make them aware how attackers quickly find fresh WordPress installs.