How to Secure Wordpress Sites
32.4 million wordpress powered pages make for a nice target
Lately hackers are less interested in being mischievous and more interested in making fast cash by burning your site in the search engines. Hackers are smart and have a lot of time to look for exploits. When they find an exploit they can use it to hack wordpress sites and make a lot of money in a few days. To avoid being hacked you should reduce that bullseye on your back which hackers are looking for.
Let me be clear - every situation is different. Your situation may not apply here. I am not claiming that every wordpress site is being hacked as I speak. I do think that if you make your living from a wordpress site, it would probably be smart to minimize hacking risks.
Upgrade Wordpress Version
This is a double edged sword. If you don't upgrade you are exposed to known exploits. If you do upgrade you are exposed to unknown exploits. The lesser evil is the unknown exploits, since a lot fewer people are targeting them. It sucks; the situation is not going to get better anytime soon.
Need to Know Basis
It was nice to have that wordpress link in the footer to let everyone know who powers your blog. Now it is a bullseye for hackers looking for new targets. Your users don't need to know you use wordpress, remove this beacon for hackers. While you are at it remove the wordpress version info from the code. This is even more dangerous since it tells the hackers exactly which exploits will open your site wide open.
Search and Rename
Taking the "need to know" concept even further, you should go search and rename anything (folders, databases, urls, etc) that starts with "wp-". You may not be able to rename everything on existing blogs. Try your best. The more unique and less cookie cutter your blog is, the harder it will be for hackers to find it and exploit it.
Prevent Access to Wordpress Folders
Once hackers find your blog they will try to get into your folders. Stop them! Using htaccess, only allow your ip address access to wp-admin (which is the most critical folder). Matter of fact, be proactive and block any wordpress folders that don't need to be accessible. Also try to minimize access whenever possible: only allow access to .html, .css, etc. This will help decrease the chance of hackers abusing your blog.
Danger Plugins Ahead
By blocking those folders you closed the front door, but plugins allow for a huge backdoor. Plugins can be compromised and turned into an 8-lane highway of attack. Minimize the plugins you use and remove what you do not need.
Admins are Trouble
Many people have created a master user account for their blog with the username "admin". Don't be like everyone. Kill the admin account and rename it something unique. While you are at it make sure your password is not "password".
Go through your template and start making everything unique. Give your site flavor. Instead of saying "blog comments" rename it to "readers thoughts". Instead of "blog archive" rename it "knowledge database". Again this is about avoiding the cookie cutter approach and minimizing the target on your back. ps - your template may include some files that can be exploited.
Avoid Untrusted Internet Connections
We love blogging 24/7. That free open wifi is very tempting. It is also an unnecessary risk. You can be exposing your username and password. Even if you are at a tradeshow, the hardwired internet kiosks are not secure. Only use internet connections that you fully control. Think I'm paranoid? I know someone that tapped an internet kiosk at an internet conference just to win a bet. What better place to get access to a large volume of powerful websites than an internet conference? Your information can be tapped by recording the data sent, and also, let us not forget, through keystroke tracking.
In general if you don't need it, get rid of it. If you need it, minimize it. If you can't minimize it, rename it. Most hack attacks are not custom attacks. It is more efficient & profitable for a hacker to automate attacks using common exploit. Raise your site above the cookie cutter level and avoid those automated attacks. Good luck!
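Greg's "only allow your ip address access to wp-admin" tip, written out as an added example (not from the original post). It is an `.htaccess` for the `wp-admin/` folder in Apache 2.2 syntax, which was current in 2008, with the Apache 2.4 forms in comments; `203.0.113.10` is a placeholder for the administrator's own static address.

```apache
# wp-admin/.htaccess  (added example, Apache 2.2 syntax; 2.4 forms in comments)
# 203.0.113.10 is a placeholder for the administrator's own static address.

# Default-deny the whole directory, then admit only that address.
Order Deny,Allow
Deny from all
Allow from 203.0.113.10
# Apache 2.4 equivalent of the three lines above:
#   Require ip 203.0.113.10

# Exception: admin-ajax.php is called from the public side of the site by
# themes and plugins that use the WordPress AJAX handler, so it has to stay
# reachable or those features break for every visitor. wp-login.php lives
# in the site root, not in this folder, so logging in is unaffected.
<Files "admin-ajax.php">
    Order Allow,Deny
    Allow from all
    # Apache 2.4:  Require all granted
</Files>
```

Without a fixed address, `Allow from` can name your provider's block (for example `203.0.113.0/24`) with HTTP Basic authentication added on top; that still removes the automated, cookie-cutter traffic the post is about.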
Thanks for some great tips Greg. Incredibill has made it his mission to let everyone know how secure Wordpress is [google.com] especially as compared to a hosted service [webmasterworld.com]. So there's fair warning.
Then there are a few more tips from Matt Mullenweg [webmasterworld.com] and others, as well as our own Inredibill's suggestion to block some query strings and UAs [webmasterworld.com].
Personally, on a setup as open and vulnerable as Wordpress (or most CMS), I think the best defense is a backup plan. Literally. Depending on how busy your site is, daily or hourly DB dumps archived on a rotating basis is a necessity, because it's probably more of a "when" question than an "if" question.
The same things that make the most common platforms popular are the same things that make them vulnerable
- huge user base means a huge target worth shooting at
- open architecture means large holes that are difficult to plug without losing functionality that many users desire
- an all things to all people approach means many holes
- again, the open architecture means many contributors often without serious code review, so even if the core is solid, the plugins and modules create points of vulnerability.
Does that mean don't use them? Depends on your risk tolerance of course. For a content-based site, a CMS saves you so much development time... but if you're on a popular platform, you'll get probed daily and can count on at the very least, spam inundation, at worst, being completely owned.
Here's a much simpler method to secure a WordPress site:
Host With WordPress
When you host it on WordPress's service then they deal with all the security concerns and backups since they're specialists in the software and it's completely FREE unless you want upgrades.
For a low fee, much less than the hassle of trying to keep WordPress updated and secured, you can domain map the WordPress blog to your own domain.
Hassle free, worry free, and only a nominal fee to use your own domain.
All the benefits of WordPress with none of the risk.
What could be better?
|That free open wifi is very tempting. It is also an unnecessary risk. |
Free open wifi is not risky if you make sure that the URLs start with https (not with http) when you browse. Then all data sent and received will be securely encrypted. The only problem is when you want to access servers that do not support SSL.
|Free open wifi is not risky if you make sure that the URLs start with https (not with http) when you browse. Then all data sent and received will be securely encrypted. The only problem is when you want to access servers that do not support SSL. |
Not true: if the wifi router is cracked, the attacker installs an ssl-proxy (also known as a man in the middle) to get all the stuff in clear text format.
Thanks for the education, Greg.
|search and rename anything (folders, databases, urls, etc) that starts with "wp-" |
I was looking at a download of version 2.3 of WP. A quick scan showed about 50+ files starting with WP_.
How many folks have actually employed the renaming tip? Was it simply a matter of running a search and replace program or did you experience any "procedural headaches"?
Do you then have to undertake the renaming process for all plugins or at least search them all?
[edited by: Webwork at 11:45 am (utc) on July 30, 2008]
|Not true, if wifi router is cracked attacker install ssl-proxy (also known as man in the middle) to get all stuff in clear text format. |
Uh, that is not true (it's FUD at best). One of the main purposes of SSL encryption (https) is to prevent man-in-the-middle attacks of that and other kinds.
Any information that leaves your computer and the remote server is encrypted. A man in the middle cannot decrypt it even if he "cracks a wifi router". If what you wrote was true, then e-commerce (internet banking, etc.) would cease to exist.
WordPress 2.6 adds some nice security.
1. They finally turn xmlrpc off by default (I always had to manually delete the xmlrpc.php file)
2. They use separate cookies, where the admin cookie is only transmitted if you are actually admin and using admin features (by locking down cookie paths).
3. SSL is supported out of the box with additional SSL cookie security as well
If you look at the developments in store for 2.7 via their TRAC you can see they are also looking at some tricks to lock down plugin code to prevent plugins from affecting other files.
WP CLUB RULE #1: DON'T MESS WITH ANYTHING OUTSIDE OF WP-CONTENT!
You want to upgrade? You'll have to live with what WP has given you.
I normally upgrade in 5 minutes, and I have several VERY heavily modified WP sites. One of them is barely recognizable as a WP site. I do everything by the book. I have several -very complex- custom plugins that totally subvert the standard WP user experience, and several standard ones that I keep up to date. If you do it right, you can customize almost anything in WP from the wp-content directory.
By the way, this means NOT renaming all your directories. Any hacker worth their salt would figure out it's WP in about 30 seconds. The only people you'll fool by renaming directories will be the silliest of script k1661e5, and, if they can hack you, well, maybe you need to learn the hard way (like I did).
If you mess with the standard WP install, you make upgrading more difficult. What happens when upgrades become difficult? That's right, upgrades become less frequent. Sometimes those X.X.1 upgrades are emergency fixes to gaping flaws. You need to be able to upgrade quickly and easily.
I have had CMS sites pwn3d because I hacked the core, and was reluctant to upgrade. That was a very hard lesson, and one I took to heart.
I have not always gotten along with the folks at WP, but I have to hand it to them, they have created a system that works, and works well. That's why I continue to use it. They have API hooks to just about every element of the system. I haven't found a place yet that can't be reached by a hook. However, the docs are a typical wiki mess, and I often have to trace through the code to find it.
I also drop a .htaccess file in the root of the wp-content directory that has a few lines that look like this:
```apache
# wp-content/.htaccess: tell Apache to serve script-like files as plain text
# rather than execute them. The directive was split across lines for display;
# the trailing backslashes continue it so Apache reads it as one AddType line.
AddType text/plain .smarty .txt .php .php3 .php4 .htm \
    .html .shtm .shtml .cgi .pl .pm .py .php5 .jar .asp \
    .jsp .js .rb .rhtml .ruby .cf .cfm .cfml
Allow from all
```
I sometimes need to let certain PHP files be executable in the plugins, but I do this on a one-at-a-time basis.
I throw in a blank index.html file (I think one comes in the standard install anyway), and I have any password/login information stored outside the HTTP tree. The wp-config imports this file, as opposed to having the info hardcoded into it.
Not perfect, but it keeps someone from executing code in the wp-content directory (like the uploads folder). 90% of WP is includes that run as elements of the index.php file, so you could get REAL tinfoil, and declare a .htaccess file that only allows that file (and the admin one) to run.
Also, don't go plugin-happy. Just use ones that you REALLY NEED for the operation of the site, and carefully vet every one.
There are some REALLY DANGEROUS plugins that do things like let site authors write executable PHP in any post. If you add these plugins, prepare to be pwn3d.
[edited by: ergophobe at 4:06 pm (utc) on July 30, 2008]
[edit reason] fixed sidescroll [/edit]
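A stricter variant of the wp-content `.htaccess` in cmarshall's post above, added here as an example (it is not his code). `AddType text/plain .php` only takes effect when the host binds PHP with `AddType`, and where it does apply it hands the plugin's source code to anyone who requests the file directly. Refusing the request outright avoids both problems. The example targets `wp-content/uploads/`, where nothing should ever execute; the extension list is constructed for this example, and widening it to all of wp-content brings back the per-file exceptions he mentions.

```apache
# wp-content/uploads/.htaccess  (added example, Apache 2.2 syntax)
# Refuse direct HTTP requests for anything a server might execute.
# Files that WordPress include()s itself are unaffected: include() is a
# filesystem read, not an HTTP request, so Apache never consults this.
# The trailing (\.|$) also catches double extensions such as shell.php.jpg,
# which mod_mime can still hand to PHP when the handler is set with AddHandler.
<FilesMatch "\.(php|php3|php4|php5|phtml|pl|py|cgi|rb|sh|jsp|asp)(\.|$)">
    Order Allow,Deny
    Deny from all
    # Apache 2.4:  Require all denied
</FilesMatch>

# Backstop under mod_php only: switch the PHP engine off here. On its own
# this would hand out the raw source as text, the same weakness as the
# AddType approach, so it only makes sense behind the Deny above.
<IfModule mod_php5.c>
    php_flag engine off
</IfModule>

# Same goal as dropping a blank index.html into the folder: no listings.
Options -Indexes
```

Directives in this file need `AllowOverride Limit` (for Order/Allow/Deny) and `AllowOverride Options` (for php_flag and Options) on the host; if the host grants less, the denial is silently ignored, so request an uploaded test file by URL once to confirm it returns 403.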
Is there a good Wordpress to Blogger migration tool ?
Tip #1. Use Drupal if you can.
Tip #2. If you must use Wordpress, edit php.ini and add...
disable_functions = exec,passthru,shell_exec,system,proc_open,popen,curl_exec,curl_multi_exec,parse_ini_file,show_source
This way when your WordPress install gets exploited [and it will -- just give it some time], there is less chance for the average bot and script kiddy to compromise the system.
[edited by: TowerOfPower at 1:39 pm (utc) on July 30, 2008]
|Tip #1. Use Drupal if you can. |
Um, Drupal has had its share of security issues and is way overpowered for 99% of website needs.
There's over 100 issues over three years listed here: [drupal.org...]
[edited by: amznVibe at 2:00 pm (utc) on July 30, 2008]
|Uh, that is not true (it's FUD at best). One of the main purposes of SSL encryption (https) is to prevent man-in-the middle attacks of that and other kinds. |
Generally hard to do, but the owner of a public wireless access point can in principle conduct MITM attacks on the users. Please *educate yourself* if you are going to use free / cafe access points. Here is a quick demo:
|Generally hard to do but the owner of a public wireless access point can in principle conduct MITM attacks on the users. Please *educate yourself* |
What attacks? What will he do with securely encrypted data? Educate me, please. :-)
Your data is no longer encrypted with a MITM attack. If I were the attacker I could see all your passwords, login info and so on. Did you visit the url I gave you? I'm talking about an insecure network here such as cafe wifi...
That works, but it also depends on the victim approving untrusted certificates.
Can we keep this on Wordpress security (and leave the specific pros and cons of using open wifi to another discussion)?
I have to go with cmarshall on renaming willy-nilly. Once you've hacked core, you've gone down a bumpy road.
That said, it would be simple enough to write a script to do that. But anything that makes upgrades harder is likely to make them less frequent.
I thought it was part of discussion. Anyway, I'm a long time wordpress user and don't follow any of these security tips. Never got hacked, this problem is usually related to shared server environment. I run and manage my own server. Not a single hack since 1999 :) . I manage security at OS level and all other tips are nothing but security through obscurity.
Please note that I'm not saying above tips are bad, but I just prefer to manage them at OS level.
|Your data is no longer encrypted with MITM attack. |
The data is encrypted by the browser on your computer and by the server software on the remote server.
Therefore, what you claim is impossible, unless your computer or the server is compromised (which they are not -- if we talk about man-in-the-middle attacks).
"Cracked routers" or compromised DNS servers ("men in the middle") cannot be used for attacks if you use proper SSL certificates (any webmaster can get one from a public certificate authority for a few dollars per year).
Again, if what you say was true, e-commerce would not exist now.
>> I thought it was part of discussion.
It is sort of, but it's more of a general security question. It's a good point to raise, but there's enough there for its own thread (probably several) if we get off into staying secure while surfing.
Hmmm . . I get the impression that the suggestion to secure WP by renaming files may spawn its own problems.
Someone please beat me about the head (verbally, only, please) to convince me that renaming files is definitely the way to go.
Might it be a case where renaming only "a few specific highly targeted files" would have a deterrent effect? (Do the "known programs and/or practices" look for "all files" or do they default to looking for certain primary "WP files"?)
Lastly, limiting access to a designated IP address wouldn't work for most of us since most of us don't have dedicated IP addresses, right?
If you really want to go tinfoil, then set up a .htaccess that restricts access and execution privileges to all files except for index.php and admin/admin.php. Since WP is all includes, then these are the only files that are ever actually executing at any given time (However, you need to allow HTTP access to various .js and .css files).
Set up your wp-config.php to import a file from outside the HTTP tree as credentials. Heck, if you want, run everything as SSL, but that will be a dog.
What everyone is going for anyway is SQL injection, and most of these types of issues are introduced by peripherals, such as plugins or custom themes. Try not to interact directly with the database in your own work, and test out your plugins for SQL injection vulnerabilities.
Basically, what hackers go for is a "foot in the door." Once they have access to the DB, then they can do pretty much whatever they want, regardless of how hardened your system is.
When I scan my ssh logs every morning, I still see thousands of attempts, nearly every night, to access backdoors left by Fluffi Bunni. Those guys have been out of business for quite some time.
For the WIFI paranoids, I started a new thread:
How Safe is SSL from MITM (Man In The Middle) Attacks? [webmasterworld.com]
I use an External Vulnerability Scanner on my site and on my customers sites.
Every day they scan all my sites, There is no need to install anything on the site and all the reports are kept on my account in their system.
I think that this is exactly like anti virus software. Everybody has one on their laptop, right? So why aren't you protecting your website?
Google up "external vulnerability scanner" there are many companies that do this kind of service.
One thing that Drupal is working on for Drupal 7 is a security suite, which basically does unit testing with an eye to security. Obviously, it won't catch everything, but I think it will help you intelligently evaluate modules without having to understand all the code.
Hopefully Wordpress 3 will have a unit testing suite for stability and security for plugin and theme developers. That would get rid of a lot of vulnerabilities, or at least you would be warned.
|I think that this is exactly like anti virus software. |
Anti-virus checks your server for malicious files from the INSIDE so just because the vulnerability scanner doesn't find anything doesn't mean you're safe.
The external vulnerability scanner can only report known vulnerabilities from the outside and it's entirely possible that the first person to find a vulnerability in your server closed the hole to keep out other invaders and to stop your tool from reporting the flaw.
|it's entirely possible that the first person to find a vulnerability in your server closed the hole to keep out other invaders |
You are right, if your server is already infected, probably nothing can help.
However, the advantage in external scanning is that this service should find the vulnerability before the first attacker finds it.
And even if there was an attacker around, in many cases, after a break-in the attackers leave a listening service that can be detected by an external scanner. The good scanners are also designed to find backdoors, not only sql injection or cross site scripting holes.
I'm sure you have seen houses secured with a big fence + 2 locks on the door + alarm system + a scary dog running in the back yard...
An external vulnerability scanner is definitely not the only thing you should do to make your system secure, but it is an important part of your security protection suite.
|the advantage in external scanning is that this service should find the vulnerability |
Isn't there a huge assumption built into "the advantage"? Isn't hacking about being at the bleeding edge? Entering where no one sees you coming?
I'm sorry but I don't get that anyone's "scanning service" is synonymous with "cutting edge hacking" and in that respect the endorsement of the service reads more like marketing talk than an objective appreciation of what IncrediBILL is talking about.
Chances are pretty good that a scanning service is spending its time checking for known exploits, not the next one to be released, and in that regard any ISP worth their fees ought to be taking care of the issues the scanning service provides: updating and patching the server, proactively seeking info about new exploits, etc. If your ISP / server host isn't doing that then it's time to move your website, not time to pay for another service - one that ought to be provided as a matter of course by a server provider or server admin.
|any ISP worth their fees ought to be taking care of the issues the scanning service provides: updating and patching the server, proactively seeking info about new exploits, etc |
No matter how hardened the ISP makes his server, the biggest vulnerability is actually the CUSTOMERS that install all of the vulnerable open source software (WordPress) that allows hackers to infiltrate the server.
That's another reason why I use my own dedicated servers so my site isn't at risk because of all the other people that don't know what they're doing sharing the server.
This is also why I recommend using WordPress hosting options instead of hosting it yourself because the WordPress hosts specialize in it and I would assume they know how to properly secure those sites, otherwise they wouldn't be in business long.
That's right. The best an ISP can do for you is run everything in a virtual-style account so that I can only mess up my own account, not yours too. I think the decent hosts partition off their servers that way and prevent the worst exploits.
I can't expect them to save me from myself. If they got into that business, they would lose customers. I want a host that gives me plenty of rope to hang myself, but doesn't let their other customers hold the other end for me. Beyond that, their hands are tied... er so to speak