Member, Jan 30, 2019 at 11:04 am
Why is it WordPress has a bad name when it comes to security?
Primarily because the attack surface (files available to exploit) is MASSIVE. Take a look at your installation, see all the 100s of PHP files and folders? Well, every single one of them could be another spot to exploit. To start, remove all files that say README, INSTALL.txt, etc. Next, one of the very most core steps to secure your new WP install: lock down /wp-admin (renaming it in addition would be better) by IP address. Even if you allow your home ISP cable modem /24 like 22.214.171.124/24, you're blocking millions of IPs and only allowing 255 to actually get at your login page.
Change the username so that it is not "admin".
There are many scripts out there to enumerate WordPress usernames from the Linux command line (google: git wpscan3).
If this script can't get AT your login page, it's going to have a hell of a time enumerating usernames, and a dictionary attack is out of the question.
Set proper permissions on ALL files and folders. I cannot speak for WP indefinitely; however, all the scripts and CSS/HTML on my website are chmod 644, and all the folders (directories) are chmod 755. I have had no problems with those. The only time a file on your web server should be chmod 777 (read, write, execute for the world) is temp files and specific files that need to be modified on the fly, like cache, temp, etc. Take a look (with FileZilla, for instance) at your files: right-click them / Properties and look at the chmod values for various files. If you see 777, you need to take a step back and re-examine whether this file/dir needs rwx world permissions (very, very few files need this).
My last suggestion, other than the very basic obvious thing (UPDATE daily, and MINIMIZE themes and plugins; if you aren't actively using a theme or plugin, it is another attack vector surface to exploit). Disable anything not being used. WP will tell you if it's needed.
Set up a custom 404 (error not found) page. Take a look at mine, https://tranceattic.com: if you go to ANY page off my domain that doesn't exist, or try to hack it (i.e. https://tranceattic.com/youareowned), you'll see my custom 404 page, a custom picture, and your IP, user agent, time, date and what you tried to view/modify. This gets logged into a MySQL DB, and after 3 it trips an alarm and blocks your IP for an hour.
Verify your robots.txt file is allowing OR disallowing the proper directories. For instance, I would nearly guarantee you do NOT want /wp-admin/* to be crawled by any search engines. Add:
You get the idea.
Hopefully this helps. If you want more suggestions or want your site checked out, I'd be happy to give you a quick rundown of how it looks from a hacker's perspective.
#9x / efnet :: @tranceattic twitter
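The permissions step from the post above, as an added example that is not part of the original reply: a POSIX shell audit that reports every world-writable entry and every deviation from the 644/755 baseline in a WordPress tree, and can apply that baseline outside an allow-list. The allow-list (wp-content/cache and wp-content/uploads as the only paths the web server must write to) is an assumption for illustration, not something the post states.

```shell
#!/bin/sh
# Added example (not code from the original post): audit a WordPress tree
# against the recommended baseline (files 644, directories 755) and flag
# anything world-writable that is not explicitly allowed.
# Assumption: only these relative paths need write access by the web
# server user; adjust for your install.
WP_WRITABLE_ALLOW="wp-content/cache wp-content/uploads"

# Exit 0 when $1 (a path relative to the root) lies inside an allowed path.
wp_is_allowed() {
  for allow in $WP_WRITABLE_ALLOW; do
    case "$1" in "$allow"|"$allow"/*) return 0 ;; esac
  done
  return 1
}

# Print "WORLD-WRITABLE <path>" for each file/dir with the world write bit
# set (-perm -002 matches 777, 666, 757 ...), skipping allowed paths.
wp_find_world_writable() {
  root="${1%/}"
  find "$root" ! -type l -perm -002 -print | while IFS= read -r p; do
    wp_is_allowed "${p#"$root"/}" || printf 'WORLD-WRITABLE %s\n' "$p"
  done
}

# Print "FILE <path>" for files that are not exactly 644 and
# "DIR <path>" for directories that are not exactly 755.
wp_find_deviations() {
  root="${1%/}"
  find "$root" -type f ! -perm 644 -print | sed 's/^/FILE /'
  find "$root" -type d ! -perm 755 -print | sed 's/^/DIR /'
}

# Apply the 644/755 baseline to everything outside the allow-list.
wp_apply_baseline() {
  root="${1%/}"
  find "$root" -type d ! -perm 755 -print | while IFS= read -r d; do
    wp_is_allowed "${d#"$root"/}" || chmod 755 "$d"
  done
  find "$root" -type f ! -perm 644 -print | while IFS= read -r f; do
    wp_is_allowed "${f#"$root"/}" || chmod 644 "$f"
  done
}

# Usage: sh wp_perms.sh /var/www/html [fix]
if [ -n "${1:-}" ]; then
  wp_find_world_writable "$1"
  wp_find_deviations "$1"
  if [ "${2:-}" = "fix" ]; then wp_apply_baseline "$1"; fi
fi
```

Review the report before passing "fix": a plugin that genuinely writes to its own directory will break if that path is not on the allow-list.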