This work was presented at several conferences, where Chema Alonso spoke about it and about the importance of controlling the modification of data through a second authorization factor. He covered it in the talk “My WordPress in Paranoid Mode” at Open Expo in 2016:
The 2016 repository is still available on GitHub, although it no longer works because of a dependency on a MySQL library. That was one of the things we wanted to fix: getting rid of those dependencies.
In the new version of WordPress in Paranoid Mode this has been achieved, with an architecture that improves performance and reduces delays compared with the first proof of concept. The check no longer depends on a network call, so latency is drastically reduced.
This makes it possible to build different double-authorization schemes or approval flows that control when, how and under what circumstances data can be modified, on top of what Latch already offered to protect the WordPress login.
As a summary, and to show the new features, here is how this (new) WordPress in Paranoid Mode works. To protect the database, three operations are created in the Tu Latch application, each controlling a different kind of access:
Read-Only: This is the most restrictive mode of all. When this latch is closed, no user can log in to WordPress. Only reading is allowed, so no changes can be made to the database (no insert, update or delete).
Edition: In this mode editing is protected (the wp_posts table), so posts cannot be created, edited or deleted.
Administration: This mode protects the creation, update and deletion of users, since it guards the wp_users table.
When a trigger fires, the status of the corresponding latch is checked to decide whether the operation is allowed. In the original PoC this meant a call to the Latch service every time a trigger fired.
Now we have created a new revision of this PoC, with improvements to adapt it to current workflows and optimizations in some parts. The biggest change is in response times and in how efficiently the data is handled.
Instead of querying the Latch service every time a trigger fires, the new version uses the WebHooks provided by Latch. This is a noticeable improvement for the latency and performance problems.
The agent keeps the status of the latches locally and updates it whenever the WebHook notifies a change. The trigger's check of whether creating, modifying or deleting rows in the protected WordPress table is allowed is therefore a local query, which is much faster. Note that this local state is only as current as the last WebHook received, so the agent endpoint must remain reachable from Latch.
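To make the mechanism concrete, here is an added example (not code from the WordPress in Paranoid Mode repository) of the two halves described above: a WebHook handler that updates a local latch-status table, and BEFORE INSERT/UPDATE/DELETE triggers on stand-in wp_posts and wp_users tables that consult that table and abort the write when the relevant latch, or the global read-only latch, is closed. It uses SQLite so it runs offline; MySQL would use SIGNAL SQLSTATE '45000' where SQLite uses RAISE(ABORT, ...). The table name latch_status, the 'on'/'off' status values and the WebHook payload shape are assumptions, since the page does not show the PoC's schema or the Latch WebHook format.

```python
import json
import sqlite3

# Operation names as the installer creates them in the Latch application.
OPERATIONS = ("read-only", "edition", "administration")

# Which protected WordPress table each operation guards. "read-only" is
# global: when it is closed, every guarded table rejects writes.
GUARDED_TABLES = {"wp_posts": "edition", "wp_users": "administration"}


def open_db() -> sqlite3.Connection:
    """Create the status table, two stand-in WordPress tables and the guard triggers.

    Assumption: the PoC's real table and column names are not on the page;
    latch_status(operation, status) with status 'on' (latch closed, write
    blocked) / 'off' (latch open) is the convention used here.
    """
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE latch_status (operation TEXT PRIMARY KEY, status TEXT NOT NULL);
        CREATE TABLE wp_posts (ID INTEGER PRIMARY KEY, post_title TEXT NOT NULL);
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT NOT NULL);
    """)
    db.executemany("INSERT INTO latch_status VALUES (?, 'off')",
                   [(op,) for op in OPERATIONS])
    for table, op in GUARDED_TABLES.items():
        for event in ("INSERT", "UPDATE", "DELETE"):
            # BEFORE trigger: abort the statement if the table's own latch or
            # the global read-only latch is closed. Only a local lookup, no
            # network call. MySQL: SIGNAL SQLSTATE '45000' instead of RAISE.
            db.execute(f"""
                CREATE TRIGGER guard_{table}_{event.lower()}
                BEFORE {event} ON {table}
                BEGIN
                    SELECT RAISE(ABORT, 'blocked by Latch: {op}')
                    WHERE EXISTS (
                        SELECT 1 FROM latch_status
                        WHERE status = 'on' AND operation IN ('read-only', '{op}')
                    );
                END
            """)
    db.commit()
    return db


def handle_webhook(db: sqlite3.Connection, body: bytes) -> dict:
    """Apply a status-change notification from Latch to the local table.

    Assumption: the payload shape {"operation": ..., "status": "on"|"off"} is a
    stand-in; the real Latch WebHook schema is not shown on the page. Unknown
    operations or states are rejected so a malformed request cannot open a latch.
    """
    event = json.loads(body)
    op, status = event.get("operation"), event.get("status")
    if op not in OPERATIONS or status not in ("on", "off"):
        raise ValueError(f"unexpected webhook payload: {event!r}")
    db.execute("UPDATE latch_status SET status = ? WHERE operation = ?", (status, op))
    db.commit()
    return dict(db.execute("SELECT operation, status FROM latch_status"))


def try_write(db: sqlite3.Connection, sql: str, params: tuple = ()) -> bool:
    """Run a write against a guarded table: True if it committed, False if a trigger blocked it."""
    try:
        db.execute(sql, params)
        db.commit()
        return True
    except sqlite3.IntegrityError:  # RAISE(ABORT) surfaces as IntegrityError
        db.rollback()
        return False


if __name__ == "__main__":
    db = open_db()
    print(try_write(db, "INSERT INTO wp_posts (post_title) VALUES (?)", ("hello",)))  # True
    handle_webhook(db, b'{"operation": "edition", "status": "on"}')
    print(try_write(db, "UPDATE wp_posts SET post_title = 'x' WHERE ID = 1"))  # False
    print(try_write(db, "INSERT INTO wp_users (user_login) VALUES (?)", ("bob",)))  # True
    handle_webhook(db, b'{"operation": "read-only", "status": "on"}')
    print(try_write(db, "DELETE FROM wp_users WHERE ID = 1"))  # False
```

The handler deliberately refuses any status other than 'on' or 'off': a WebHook receiver that is reachable from the internet must treat its input as untrusted, and the safe failure is to leave the latch as it was. In a real deployment the receiver would also verify that the notification actually comes from Latch before touching the table.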
A GUI has been developed to guide you through the different steps of installing the agent locally and remotely.
In order for the installation to be performed correctly, there are some requirements:
Connection to the database engine that hosts the WordPress database to protect: this connection must be made as the root user, because the installer creates a new database that stores the status of each latch per operation, as well as a dedicated user to manage and query that table.
Connection to the Latch application: you must have a Latch developer account to create the application and obtain its application ID and secret. With those, the installer creates the corresponding operations (read-only, edition, administration) and stores them in the database.
Agent installation: the agent runs in the background on a machine reachable from the internet, which will be registered as the WebHook of the Latch application. From the GUI the agent can be installed on the local machine or on a remote machine via SSH. The machine needs the following dependencies: python3, python3-pip and gunicorn. The installation tests were run with Python 3.12.
In the video above we show how the installer works. As you can see, it is really simple and “friendly”, so you can put your WordPress in Paranoid Mode... fortified, as it should be.
Pablo González Pérez, author of the books "Metasploit para Pentesters", "Hacking con Metasploit: Advanced Pentesting", "Hacking Windows", "Ethical Hacking", "Got Root", “Pentesting con Powershell” and "Empire: Hacking Avanzado en el Red Team", Microsoft MVP in Security and Security Researcher on the "Ideas Locas" team at Telefónica Innovación Digital. For enquiries you can use the Buzón Público to contact Pablo González.