Discovering WordPress in Paranoid Mode

29 October 2024
WordPress in Paranoid Mode
You may remember the PoC we did a few years ago on protecting WordPress in paranoid mode. Besides protecting the user login with the Latch plugin for WordPress, hardening WordPress itself and hardening the operating system (blocking SSH access with the Latch plugin for UNIX), we added protection at the database level: a set of triggers that guard INSERT, UPDATE and DELETE operations.
This work was presented at several conferences where Chema Alonso talked about it and about the importance of controlling, through a second authorization factor, the modification of data or information. Chema covered it in the talk “My WordPress in Paranoid Mode” at Open Expo in 2016:
In addition, the 2016 repository is still accessible through its GitHub link, although it is currently non-functional because of dependencies on a MySQL library. This posed a challenge for us, as we wanted to get rid of those dependencies.
In the new version of WordPress in Paranoid Mode this has been achieved: we have built an architecture where performance and delays are improved compared to the first proof of concept. The checks no longer depend on the network, so latency is drastically reduced.
For the more technical readers, we leave you a short workshop from 11PathsTalks where we explain how WordPress in Paranoid Mode works. In this workshop we talk at a low level about the proposed solution and how it covers the need to control the editing and modification of data.
This already allowed you to create different double-authorization schemes or approval flows to control when, how and under what circumstances data may be modified, in addition to what you could already do to protect the WordPress login with Latch.
As a summary, and to show you the new features, here is how this (new) WordPress in Paranoid Mode works. To protect the database, three operations are created in the Tu Latch application, each giving control in a different way:
  • Read-Only: This is the most restrictive mode of all. When the latch is set to read-only mode, no user can log in to WordPress. Only reading is allowed, so no changes to the database (insert, update or delete) are possible.
  • Edition: In this mode editing (the wp_posts table) is protected, so creating, editing and deleting posts are all blocked.
  • Administration: This mode protects the creation, update and deletion of users, as it guards the wp_users table.
When a trigger fires, the Latch status is checked to see whether the operation is allowed. In the original PoC this meant a call to the Latch service every time a trigger fired.
Now we have created a new revision of this PoC, which includes some improvements to adapt it to current workflows and optimizes some sections. The biggest change is the optimization of response times and the improved efficiency of data handling.
  • Instead of making a request to the Latch service every time a trigger fires, the agent now uses the WebHooks provided by Latch. This has been a noticeable improvement in solving latency and performance issues.
  • The agent keeps the status of the latches locally (updated through the WebHook). This speeds up the check of whether creation, modification or deletion is allowed on the WordPress table being protected.
  • A GUI has been developed to guide you through the different steps of installing the agent locally and remotely.
In order for the installation to be performed correctly, there are some requirements:
  • Connection to the database engine that contains the WordPress database to protect: this connection must be made as the root user. This is required because a new database holding the status of the stored latches per operation has to be created, along with a user for managing and querying that table.
  • Connection to the Latch application: you must have a Latch developer account to create the application and obtain its application ID and secret. With these, the installer creates the corresponding operations (read-only, edition, administration) and stores them in the database.
  • Agent installation: the agent runs in the background on a machine reachable from the internet, which will be registered as the WebHook of the Latch application. From the GUI the agent can be installed on the local machine or on a remote machine via SSH. The machine must have the following dependencies installed: python3, python3-pip and gunicorn. The installation tests were run on Python 3.12.
You have the new WordPress in Paranoid Mode code available in the GitHub latch-plugin-wipm repository.
In the video above we show you how the installer works; as you can see, it is really simple and “friendly”, so you can use it in your WordPress in Paranoid Mode fortifications... as it should be.
Finally, as you know, we have the Latch Hack Innovation Contest so you can build integrations as spectacular as this one and win a prize. In this blog article you can read all the details: “Your Latch ‘Hack Your Innovation Contest’: Make a PoC & Hack for 1.000 €”.
Greetings and…
Happy Coding!
By Pablo González Pérez, Microsoft MVP in Security and Security Researcher in the ‘Ideas Locas’ team at Telefónica Innovación Digital, and Álvaro Núñez-Romero, researcher in the Ideas Locas team.
Pablo González Pérez, author of the books "Metasploit para Pentesters", "Hacking con Metasploit: Advanced Pentesting", "Hacking Windows", "Ethical Hacking", "Got Root", “Pentesting con Powershell” and "Empire: Hacking Avanzado en el Red Team", Microsoft MVP in Security and Security Researcher in the "Ideas Locas" team at Telefónica Innovación Digital. For enquiries you can use the Buzón Público (public mailbox) to contact Pablo González.