Sanjeev Sabhlok's notes on technology, hardware, gardening

Hack-proof your WordPress installation and web server

Download the Word file that seeks to consolidate my – ongoing! – learnings here.

As a common user of WordPress software hosted on my own domain, I find web security to be my greatest problem.  

What are the vulnerabilities of WordPress and web servers?

PHP, the language WordPress is written in, is where the exposure lies. The same class of weakness shows up in the other PHP applications commonly installed alongside it (phpMyAdmin, DokuWiki, phpBulletin), and once any of them is compromised it acts as a gateway to the UNIX shell and the MySQL database. Many plugins add further holes, since they are not written by expert programmers. Because it is impossible to run a WordPress blog without plugins (and PHP code), the whole thing is a SECURITY NIGHTMARE!

In general, the attack methods reported include code injection, web server flaws, abuse of HTTP methods, SQL injection, CRLF injection, cookie manipulation, scripting-language errors and cross-site scripting. The vulnerabilities of an ordinary WordPress user are so extensive that the ordinary WordPress blog is certain to get hacked. The wave of attacks occurring in the world is now almost out of control. See this excellent slideshow.

Solutions to protect your WordPress blog

Given that you can't master web security, do the following. These are band-aid solutions and only a second-best alternative to hiring professional help, but they will keep the blog going for a while.

[For ways to recover from a (frequent) WordPress disaster, click here]

Keep WordPress installation up to date

The WordPress developers watch how the known loopholes are being exploited and fix security issues with each release, so an out-of-date installation is running with holes that are already public.

Install WordPress security software/ plugins

a) WP Security Scan (which pointed out that I had a number of security holes, particularly not having .htaccess files)

b) BulletProof Security, which installs .htaccess files. If your plugin directories can be listed from outside, an attacker can see exactly which plugins (and which versions) you run and go straight for the weakest one, typically an old, unpatched version. Once in, they can apparently get shell access.
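The .htaccess rules that close the two holes this section describes, as an added example (it is not the post's own, and not the files BulletProof Security ships). It assumes Apache 2.2 with AllowOverride enabled and the default WordPress layout; on Apache 2.4 each "Order allow,deny / Deny from all" pair becomes "Require all denied".

```apache
# Added example (not from the post, and not the files BulletProof Security
# installs): two .htaccess fragments that close the holes this section
# describes. Assumed: Apache 2.2 with AllowOverride enabled, the default
# WordPress layout, and the 2.2 "Order/Deny" syntax; on Apache 2.4 replace
# each "Order allow,deny / Deny from all" pair with "Require all denied".

# ---- /.htaccess (WordPress root) -------------------------------------------

# No directory listings anywhere: /wp-content/plugins/ must not advertise
# which plugins, and therefore which known-vulnerable versions, are installed.
Options -Indexes

# wp-config.php holds the database credentials and is never served to browsers.
<Files wp-config.php>
    Order allow,deny
    Deny from all
</Files>

# ---- /wp-content/uploads/.htaccess (also wp-content/forum-avatars/) --------

# An upload directory only needs to serve images and documents. Refusing to
# execute PHP here turns a dropped mailer.php, like the one quoted later on
# this page, into a 403 instead of a working spam engine.
<FilesMatch "\.(php|php[0-9]|phtml)$">
    Order allow,deny
    Deny from all
</FilesMatch>
```

After saving the files, check them from outside: fetching /wp-content/plugins/ and any .php path under /wp-content/uploads/ should both return 403, and the blog itself should still load. If the 403 does not appear, AllowOverride is probably off in the server configuration and the .htaccess files are being ignored.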

Watch out for "growing" web-disk

If your web disk (hard-disk usage on the server) is growing without explanation, that is a warning bell. Unexplained use of your monthly bandwidth is another give-away.

Check where the "growth" is taking place

Use the "Disk Space Usage" option in the control panel to find out which directory is growing.

Run the Clam AV anti-virus software from the control panel

Most attackers who get in leave phishing pages, spam mailers and denial-of-service tools on the server. ClamAV detects these readily and neutralises the files it flags. Most importantly, it shows you the directories they sit in, so you can search those locations and remove whatever else was dropped there. The kinds of viruses found on my server include:

DoS.Linux.Blitz
Flooder.Bloop
Flooder.Nestea
Flooder.Rycol
Flooder.Slice-1
Flooder.Smurf-1
Flooder.Xess
PHP.Mailer-7
Spoofer.Midav

Note what these names are: the Flooder.* and DoS.* signatures are flooding tools used to attack other hosts from your server, and PHP.Mailer is a script for sending spam or phishing mail. That is why bounced mail (next step) and bandwidth use are such good indicators of a compromise.

Run Webmail (Horde)

This will often show thousands of bounced phishing e-mails. The bounces matter because they point to the script that sent the mail (the example path below was taken from one), which tells you where the attack files are. Destroy the files.

Many examples of inserted code exist; this path came from a recent bounce e-mail:

freedomteam.in/blog/wp-content/forum-avatars/mailer.php

SQL injection attempts reported by notification e-mail. Check the source address before acting on such a report: the first one below, 66.249.72.80, sits in a block Google uses for its crawlers, so it is more likely a false alarm triggered by a crawled URL than an attack. The other two are worth looking up in the access log.

Boss, there was an injected target on sabhlokcity.com/2011/03/review-of-geoffrey-millers-spent/?cid=21997&wpmp_tp=1&wpmp_switcher=desktop by 66.249.72.80

Boss, there was an injected target on sabhlokcity.com/wp-content/themes/whitehouse/single.php by 196.217.232.73

Boss, there was an injected target on sabhlokcity.com/2010/05/get-used-to-it-the-climate-always-changes by 200.107.238.156
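How to turn reports like the three above into something actionable, as an added example that is not part of the post: extract the attacked path and the source address from each "Boss, there was an injected target on ... by ..." line, then see what else each address did in the web server's access log. The report and log lines in the block are constructed for this example (192.0.2.0/24 and 198.51.100.0/24 are documentation address space); the log path and the cPanel ~/access-logs/ location are assumptions.

```sh
# Added example, not from the post: pull the attacked path and the source
# address out of "Boss, there was an injected target on ... by ..." reports
# like the three quoted above, then look up what else each address did in the
# web server's access log. The report and log lines below are constructed for
# this example (192.0.2.0/24 and 198.51.100.0/24 are documentation address
# space); on a real host feed it the mailbox export and the access log,
# typically /var/log/apache2/access.log or ~/access-logs/ under cPanel.

ALERTS='Boss, there was an injected target on example.com/2011/03/some-post/?cid=21997 by 192.0.2.10
Boss, there was an injected target on example.com/wp-content/themes/whitehouse/single.php by 192.0.2.20
Boss, there was an injected target on example.com/wp-content/themes/whitehouse/single.php by 192.0.2.10'

# Combined-log-format lines, also constructed.
ACCESS_LOG='192.0.2.10 - - [10/Mar/2011:03:14:15 +0000] "GET /wp-content/themes/whitehouse/single.php HTTP/1.1" 200 512 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Mar/2011:03:14:16 +0000] "POST /wp-content/forum-avatars/mailer.php HTTP/1.1" 200 77 "-" "Mozilla/5.0"
198.51.100.5 - - [10/Mar/2011:03:20:00 +0000] "GET /2011/03/some-post/ HTTP/1.1" 200 9034 "-" "Mozilla/5.0"
192.0.2.20 - - [10/Mar/2011:04:00:01 +0000] "GET /wp-content/themes/whitehouse/single.php HTTP/1.1" 403 199 "-" "curl/7.19"'

# One "IP PATH" line per report read on stdin; lines of any other shape are dropped.
parse_alerts() {
    sed -n 's/^Boss, there was an injected target on \(.*\) by \([0-9][0-9.]*\)$/\2 \1/p'
}

# Source addresses, the one with the most reports first.
alert_ips() {
    parse_alerts | cut -d' ' -f1 | sort | uniq -c | sort -rn | awk '{print $2}'
}

# Attacked paths, de-duplicated: these are the files to inspect on disk.
attacked_paths() {
    parse_alerts | cut -d' ' -f2 | sort -u
}

# Access-log lines whose client field is the given address.
log_hits() {  # $1 = IP, log on stdin
    awk -v ip="$1" '$1 == ip'
}

# How many requests an address made (a plain number, so scripts can act on it).
log_hit_count() {  # $1 = IP, log on stdin
    log_hits "$1" | wc -l | tr -d ' '
}

echo "== paths reported as attacked"
printf '%s\n' "$ALERTS" | attacked_paths
printf '%s\n' "$ALERTS" | alert_ips | while read -r ip; do
    echo "== $ip: $(printf '%s\n' "$ACCESS_LOG" | log_hit_count "$ip") request(s) in the access log"
    printf '%s\n' "$ACCESS_LOG" | log_hits "$ip"
done
```

In the constructed sample the address that triggered two reports goes on to POST to a mailer.php inside an avatar directory, which is exactly the pattern this page describes; the access log, not the notification, is what tells you that. Run the same two look-ups on every address in a batch of reports, and drop those that belong to search-engine crawlers before spending time on them.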

Look for particular file types

Create an alias, say findname='find ~ -name', or just run find ~ -name followed by a quoted pattern. (Don't call the alias whereis: that is already a standard command, and the alias would hide it.) Start with these:
a) '*zip*' (the quotes matter; without them the shell expands the wildcard before find sees it)
b) mailer.php
 
Other dangerous file names I've found over the past few months include:
exploit.conf
cb.php
cur
case.edu
smurf6
s
rc8
nestea
sl3
alpha
vadimI
slice3
bloop
sl2
smurf5
slice2
flood.zip

Check .bash_history 

Assuming you use a bash shell, check ~/.bash_history. It may contain the commands the attacker ran to set up a backdoor. Treat an empty or oddly truncated history on an account that has clearly been used as a finding in itself: attackers routinely delete the file or unset HISTFILE before they work, and the history is only written when a shell exits cleanly.

Change passwords

I've not done this much, since most times it appears to me that hackers don't actually discover your password: they overwrite it in the MySQL database. However, this is advised by a few people on the internet.

Learn from Google's web security website

Google operates a blog for Webmasters. Subscribe to it. Use this information to learn more about web security. For instance, this post.

Read/ subscribe to websites that provide hints on security:

Try using web security software

There is software that claims to detect security gaps in a website. First, it produces a lot of technical jargon that few can understand. Second, one of these, while "attacking" my website to find security gaps, hung and never finished, creating gigabytes of stuff on the server. Be very careful while using such software: a scanner is itself a load on the server, so run it at a quiet time and watch disk usage while it runs.

 

How to recover from sql injection attack

 


sabhlok
