WordPress security basics

If you want to know whether your website is secure, the best way to find out is to start attacking it yourself.

For this demo I will mainly be using Kali Linux, which is a great basic pentesting distribution.

Download it here

I run it in VMware Workstation 12, because, well, VMware.

the vulnerability score (CVSS) of known CVEs

Once it is running, start the Metasploit Framework and update it to the latest version.

After that, start with a basic nmap scan. It probes which ports are open and tries to identify what is running on them. Let's take a look:

I added a few parameters: version detection (nmap's -sV), and -F, fast mode, which scans only the 100 most commonly used ports instead of nmap's default 1000.

As you can see, 3 of the scanned ports are open.

Let’s take a look if these are breakable:

Port 22 is SSH, running OpenSSH 7.2p2 -> google that version for known CVEs

Okay, as you can see the first one is quite scary:

It seems OpenSSH before 7.3 does not limit password lengths, so a denial of service is possible if you have OpenBSD or Fedora. I will test it on my server with this script

Next up are the Apache ports, 80 and 443 -> CVE report
note: I automatically redirect all HTTP traffic to HTTPS

Don't freak out about the number of CVEs you see: most of them only apply to specific configurations, and anything with a CVSS score below 7 is usually either not relevant to your setup or hard to exploit in practice. Also keep in mind that Ubuntu and Debian backport security fixes while keeping the upstream version string (that "7.2p2" is really "7.2p2-4ubuntu2.x"), so a version match alone is not proof that a CVE applies; check the distribution's changelog for the package.
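To make the "scan, then compare versions against known fixed versions" step repeatable, here is an added example (my code, not something from the original post): it parses nmap's XML output (`-oX`) and flags open services whose reported version is older than a fixed version. The XML below is constructed to mirror the three open ports found above, and the `FIXED_IN` table is a hand-maintained assumption seeded with the OpenSSH "before 7.3" finding, not a vulnerability feed.

```python
"""Pull open ports and service versions out of nmap's XML output (-oX) and
flag any that are older than a known fixed version.  Added example, not
code from the original post."""
import re
import xml.etree.ElementTree as ET

# Constructed nmap XML (not a real scan of the blog's server); it mirrors the
# three open ports the post found and adds one filtered port to show it is skipped.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -F -oX scan.xml 203.0.113.10">
  <host>
    <address addr="203.0.113.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="7.2p2 Ubuntu 4ubuntu2.8"/>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.18"/>
      </port>
      <port protocol="tcp" portid="443">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.4.18" tunnel="ssl"/>
      </port>
      <port protocol="tcp" portid="3306">
        <state state="filtered"/>
        <service name="mysql"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

# Version thresholds to compare against.  The OpenSSH entry comes from the
# post ("before 7.3 does not limit password lengths"); treat the table as a
# hand-maintained assumption, not a vulnerability feed.
FIXED_IN = {"OpenSSH": "7.3"}


def parse_version(text):
    """'7.2p2 Ubuntu 4ubuntu2.8' -> (7, 2, 2); '2.4.18' -> (2, 4, 18).
    Only the leading upstream version is used; the distro suffix is ignored."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+)|p(\d+))?", text)
    if not m:
        return None
    major, minor, micro, patch = m.groups()
    return (int(major), int(minor), int(micro or patch or 0))


def open_services(xml_text):
    """[(port, product, version)] for every port whose state is 'open'."""
    root = ET.fromstring(xml_text)
    found = []
    for port in root.iter("port"):
        if port.find("state").get("state") != "open":
            continue
        svc = port.find("service")
        product = svc.get("product") or svc.get("name")
        found.append((int(port.get("portid")), product, svc.get("version", "")))
    return found


def outdated_services(xml_text, fixed_in=FIXED_IN):
    """Open services whose reported version sorts below the fixed version."""
    hits = []
    for port, product, version in open_services(xml_text):
        if product not in fixed_in:
            continue
        have, need = parse_version(version), parse_version(fixed_in[product])
        if have and need and have < need:
            hits.append((port, product, version, fixed_in[product]))
    return hits


if __name__ == "__main__":
    for hit in outdated_services(SAMPLE_NMAP_XML):
        print("port %d: %s %s is older than %s" % hit)
```

Run a real scan with `nmap -sV -F -oX scan.xml <host>` and feed the file to `outdated_services`. A hit means "go read the distro changelog", not "vulnerable": the Ubuntu suffix that `parse_version` deliberately ignores is exactly where the backported fixes live.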


robots.txt

Next, an attacker will surely look at what is running on your web server and what they can extract from it.

Let's first browse to:

https://notabadvmwareblog.com/robots.txt

robots.txt is a small text file that tells Google and other web crawlers which pages you don't want indexed.

But those are exactly the pages an attacker looks at first. In fact, nobody except your own IP should be able to reach the admin page at all.
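The attacker's view of robots.txt, as an added example (my code, not from the original post): parse the file properly, with user-agent groups, comments and empty `Disallow:` lines handled, and turn every disallowed path into a URL worth probing. The robots.txt content is constructed; it assumes the shape WordPress normally serves, plus a couple of extra entries to make the point.

```python
"""Parse robots.txt the way an attacker reads it: every Disallow path is a
hint about what the owner does not want found.  Added example, not code
from the original post."""
from urllib.parse import urljoin

# Constructed robots.txt (assumption about what the blog serves; WordPress
# normally emits the first group by default).
SAMPLE_ROBOTS = """\
# robots.txt for notabadvmwareblog.com
User-agent: *
Disallow: /wp-admin/
Allow: /wp-admin/admin-ajax.php
Disallow: /wp-login.php
Disallow: /backup/   # old site dumps

User-agent: Googlebot
Disallow: /private-notes/
Disallow:

Sitemap: https://notabadvmwareblog.com/sitemap.xml
"""


def parse_robots(text):
    """Return ({user_agent: {'allow': [...], 'disallow': [...]}}, sitemaps).
    Consecutive User-agent lines share one group; a rule line closes the group."""
    groups, sitemaps = {}, []
    current, group_open = [], False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()        # drop comments and blanks
        if not line or ":" not in line:
            continue
        field, value = (part.strip() for part in line.split(":", 1))
        field = field.lower()
        if field == "user-agent":
            if group_open:                          # rules seen -> start a new group
                current, group_open = [], False
            current.append(value)
            groups.setdefault(value, {"allow": [], "disallow": []})
        elif field in ("allow", "disallow"):
            group_open = True
            if value:                               # 'Disallow:' (empty) blocks nothing
                for agent in current:
                    groups[agent][field].append(value)
        elif field == "sitemap":
            sitemaps.append(value)
    return groups, sitemaps


def hidden_paths(text, base_url):
    """Every Disallow path from every group, as absolute URLs to probe, deduplicated."""
    groups, _ = parse_robots(text)
    seen, urls = set(), []
    for rules in groups.values():
        for path in rules["disallow"]:
            if path != "/" and path not in seen:    # 'Disallow: /' names nothing specific
                seen.add(path)
                urls.append(urljoin(base_url, path))
    return urls


if __name__ == "__main__":
    for url in hidden_paths(SAMPLE_ROBOTS, "https://notabadvmwareblog.com"):
        print(url)
```

The takeaway is the same as the post's: robots.txt is a courtesy to crawlers, not an access control. Anything listed there must be protected by something that actually checks the requester, which is what the next section does.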


users not allowed on the admin page

note: your ISP may hand you a different IP at some point, because nobody wants to pay for a static one; with Telenet in Belgium I noticed I kept the same IP address for 4 years. Either way, make sure you can still reach the VPS (for example over SSH) to update the IP if it changes.

You can have Apache return a nice 403 Forbidden by creating a .htaccess in the right location:

/var/www/html/wp-admin

Putting it in /var/www/html/ instead would make your whole website visible only to you, which is fine too, of course. One caveat when locking down all of wp-admin: themes and plugins that call /wp-admin/admin-ajax.php from the public front end will break for everyone else, so allow that file separately if your site depends on it.

root@ubuntu-512mb-testopenvpn:/var/www/html/wp-admin# cat .htaccess
# Apache 2.2-style access control; on Apache 2.4 it still works as long as
# mod_access_compat is loaded (it is by default on Ubuntu)
Order deny,allow
# Deny all IPs
Deny from all
# Allow only xx.xx.xx.xx -> replace xx with your own IP
Allow from xx.xx.xx.xx

note: don't use something like "vmware" as your SSH password. If a hacker really wants to break your site they probably can, but you don't want script kiddies using your VPS for Monero mining.

No need to restart apache2: .htaccess files are read on every request, provided AllowOverride is enabled for the directory (Ubuntu ships /var/www with AllowOverride None, which you have probably already changed to get WordPress permalinks working). Be sure to test it from a different IP, for example through a proxy.

satisfying isn’t it?

An IP allowlist is not the end of the story: spoofing a source address won't get an attacker through the TCP handshake of an HTTPS request, but anyone behind the same address as you (NAT, VPN, a compromised machine) walks straight in. It is about making it harder.
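Because the difference between "Order deny,allow" and "Order allow,deny" is easy to get backwards, and getting it backwards locks you out of your own admin page, here is an added example (my code, not the post's and not Apache's) that models Apache's documented Order/Deny/Allow evaluation so you can check a rule set against client IPs before deploying it. The addresses are placeholders from the documentation ranges; hostname and partial-IP forms that Apache also accepts are deliberately not modelled.

```python
"""Evaluate Apache's Order/Deny/Allow access control for a client IP so an
.htaccess allowlist can be checked before it is deployed.  Added example,
not the post's or Apache's code; it follows the documented 2.2 semantics
(still honoured by Apache 2.4 through mod_access_compat)."""
import ipaddress

# The post's rule set with a placeholder address (203.0.113.5 is in a
# documentation range, standing in for "your IP").
POST_HTACCESS = """\
Order deny,allow
Deny from all
Allow from 203.0.113.5
"""

# Same directives with the Order reversed: a common mistake that locks
# everyone out, including you.
REVERSED_HTACCESS = """\
Order allow,deny
Deny from all
Allow from 203.0.113.5
"""


def _matches(pattern, ip):
    """'all' matches anything; otherwise an IP or CIDR.  Assumption: the
    hostname and partial-IP forms Apache also accepts are not modelled."""
    if pattern.lower() == "all":
        return True
    return ip in ipaddress.ip_network(pattern, strict=False)


def parse_htaccess(text):
    """Return (order, deny_patterns, allow_patterns)."""
    order, deny, allow = "deny,allow", [], []       # Apache's default Order
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        directive, _, args = line.partition(" ")
        name = directive.lower()
        if name == "order":
            order = args.replace(" ", "").lower()
        elif name in ("deny", "allow"):
            words = args.split()
            if words and words[0].lower() == "from":  # "Deny from all"
                words = words[1:]
            (deny if name == "deny" else allow).extend(words)
    return order, deny, allow


def is_allowed(htaccess, client_ip):
    """True if a request from client_ip passes the access control."""
    order, deny, allow = parse_htaccess(htaccess)
    ip = ipaddress.ip_address(client_ip)
    denied = any(_matches(p, ip) for p in deny)
    allowed = any(_matches(p, ip) for p in allow)
    if order == "deny,allow":
        # Deny rules first, but a matching Allow overrides them; unmatched requests pass.
        return allowed or not denied
    if order == "allow,deny":
        # Must match an Allow, and then must not match any Deny; unmatched requests fail.
        return allowed and not denied
    raise ValueError("unsupported Order: %s" % order)


if __name__ == "__main__":
    for ip in ("203.0.113.5", "198.51.100.7"):
        print(ip, "post rules:", is_allowed(POST_HTACCESS, ip),
              "reversed:", is_allowed(REVERSED_HTACCESS, ip))
```

With the post's rules your IP passes and everyone else gets the 403; with the Order reversed, "Deny from all" wins over the Allow and nobody gets in. A CIDR such as "Allow from 203.0.113.0/24" is handled the same way, which is handy if your ISP moves you around inside one block.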


locking out

I also like lockouts for bad passwords, because I once hacked a SQL Server 2012 that was perfectly happy to let me test 1000+ passwords for SA every minute, as if it were designed for brute-force attacks.

For this I use the Login LockDown plugin.

An IP lockout of 1 hour after 3 failed tries should do the trick. Keep in mind that this only slows down an attacker coming from a single address; a botnet spreading guesses over many IPs never trips it, so it is no substitute for strong passwords.
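What "3 tries, then locked out for an hour" actually does to a login stream, as an added example (my code, not the plugin's): it replays constructed login events through that rule and shows the attacker's fourth attempt being rejected before the password is even checked, and the lock expiring an hour later. The 5-minute retry window, and clearing the failure count on a successful login, are my assumptions for the demo, not settings taken from the post.

```python
"""Simulate the IP lockout rule the post configures (3 failed tries -> lock
the IP for 1 hour) over sample login events.  Added example, not the
plugin's code; the retry window is an assumption."""
from collections import defaultdict
from datetime import datetime, timedelta

MAX_TRIES = 3                         # from the post: lock out after 3 tries
LOCKOUT = timedelta(hours=1)          # from the post: for 1 hour
RETRY_WINDOW = timedelta(minutes=5)   # assumption: failures older than this are forgotten

# Constructed login log (timestamp ip user result), not real traffic.
SAMPLE_LOG = """\
2024-03-01T10:00:00 198.51.100.7 admin FAIL
2024-03-01T10:00:10 198.51.100.7 admin FAIL
2024-03-01T10:00:20 198.51.100.7 admin FAIL
2024-03-01T10:00:30 198.51.100.7 admin FAIL
2024-03-01T10:05:00 203.0.113.5 editor FAIL
2024-03-01T10:05:15 203.0.113.5 editor OK
2024-03-01T11:00:30 198.51.100.7 admin FAIL
"""


def parse_log(text):
    """[(datetime, ip, user, success)] from the constructed log format."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def apply_lockout(events):
    """Replay events in order; return (verdict per event, {ip: locked_until})."""
    failures = defaultdict(list)   # ip -> timestamps of recent failures
    locked_until = {}              # ip -> datetime the lock expires
    verdicts = []
    for ts, ip, user, ok in events:
        if ip in locked_until and ts < locked_until[ip]:
            verdicts.append("LOCKED_OUT")     # rejected before the password is checked
            continue
        if ok:
            failures[ip].clear()              # assumption: a good login resets the count
            verdicts.append("OK")
            continue
        recent = [t for t in failures[ip] if ts - t <= RETRY_WINDOW] + [ts]
        failures[ip] = recent
        if len(recent) >= MAX_TRIES:
            locked_until[ip] = ts + LOCKOUT
            failures[ip].clear()
            verdicts.append("FAIL_LOCKING")   # this failure triggers the lock
        else:
            verdicts.append("FAIL")
    return verdicts, locked_until


if __name__ == "__main__":
    for (ts, ip, user, _), verdict in zip(parse_log(SAMPLE_LOG),
                                          apply_lockout(parse_log(SAMPLE_LOG))[0]):
        print(ts.isoformat(), ip, user, verdict)
```

Note what the simulation does not do: 198.51.100.7 gets three guesses per hour forever, and a second attacker IP starts with a clean slate. That is the per-IP limit working as designed, and why it belongs alongside strong passwords rather than in place of them.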

That was basic WordPress security 101.


afterthoughts

Things I am already thinking about:

  • We should keep our current WordPress version hidden (using .htaccess)
  • MySQL is not showing in our nmap scan. Its port, 3306, is in nmap's default top-1000 list, so this more likely means it is bound to localhost or firewalled, which is what we want
  • I haven't used Kali nearly as much as I would like to, but I am already tired
