wordpress security basic

If you want to know whether your website is secure, the best way to start is by attacking it yourself.

For this demo I will mainly be using Kali Linux, which is a great basic pentesting distribution.

Download it here

I run it in VMware Workstation 12, because, you know, VMware.

The vulnerability score (CVE)

When you have this running, start the Metasploit framework and upgrade it to the latest version.

After that, let's start with a basic nmap scan. This will test which ports are open and what is running on them. Let's take a look:

Okay, I added a few parameters to check which version is running on each open port, and also -F, which makes sure to check the 1000 most used ports.

As you can see, it has 3 of the 1000 most used ports open.

Let's take a look at whether these are breakable:

22 (ssh) runs OpenSSH 7.2p2 -> google it

Okay, as you can see the first one is quite scary:

It seems that OpenSSH before 7.3 does not limit password lengths, so a denial of service is possible if you run OpenBSD or Fedora. I will test it on my server with this script.

Next up we have our Apache ports, 80 and 443 -> CVE report
note: I automatically redirect traffic to https

Don't freak out about the number of CVEs you see: most of them cover specific cases, and anything with a score below 7 is either not really relevant or almost nobody can exploit it.


robots.txt

Next up, a hacker will surely look into what is running on your webserver and what they can extract from it.

Let's first browse to:

https://notabadvmwareblog.com/robots.txt

The robots.txt is a small text file that lets Google and other web crawlers know which pages you don't want indexed.

But these are exactly the pages hackers look into first. Actually, nobody except your own IP should be able to access the admin page.


users not allowed on admin page

note: your ISP might hand you a different IP at some point, because nobody wants to pay for a static IP; using Telenet in Belgium I noticed I kept my IP address for 4 years. But make sure you can still access the VPS to update the IP when it changes.

You can have Apache throw a nice 403 Forbidden by creating a .htaccess at the right location:

/var/www/html/wp-admin

Placing it at /var/www/html/ instead will make your awesome website visible only to you, which is fine too of course.

root@ubuntu-512mb-testopenvpn:/var/www/html/wp-admin# cat .htaccess
order deny,allow
# Denies all IP’s
Deny from all
# This will allow the IP xx.xx.xx.xx -> replace xx with your ip
allow from xx.xx.xx.xx

note: don't use something guessable like "vmware" as your SSH password. If a hacker really wants to break your site they probably can, but you don't want script kiddies using your VPS for Monero mining.

No need to restart apache2, it picks the file up by itself. Be sure to test it through a proxy, so that you come from an IP other than your own:
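To check what such a file actually does before relying on it, here is an added example (not code from the post) that evaluates the Allow/Deny logic of a .htaccess for a given client IP. It assumes the documentation address 203.0.113.7 in place of xx.xx.xx.xx, and also covers the Apache 2.4 "Require ip" form of the same rule and the swapped-Order mistake that locks the admin out as well.

```python
import ipaddress

# Constructed sample: the post's wp-admin .htaccess, with documentation address
# 203.0.113.7 standing in for "xx.xx.xx.xx".
HTACCESS_22 = """\
order deny,allow
# Denies all IP's
Deny from all
# This will allow the IP xx.xx.xx.xx -> replace xx with your ip
allow from 203.0.113.7
"""
# Same rules with the Order swapped: a common mistake that locks the admin out too.
HTACCESS_22_WRONG_ORDER = HTACCESS_22.replace("order deny,allow", "order allow,deny")
# The same policy written in Apache 2.4 (mod_authz_core) syntax.
HTACCESS_24 = "Require ip 203.0.113.7\n"

def _matches(client, operands):
    """True if client matches any operand: 'all', a single IP, or a CIDR block."""
    addr = ipaddress.ip_address(client)
    for op in operands:
        if op == "all":
            return True
        try:
            if addr in ipaddress.ip_network(op, strict=False):
                return True
        except ValueError:  # partial-IP and hostname operands are not modelled
            pass
    return False

def evaluate(htaccess, client_ip):
    """Return True if client_ip would be allowed by these .htaccess directives.
    2.2: 'deny,allow' allows unless denied but Allow wins; 'allow,deny' denies
    unless allowed but Deny wins.  2.4: Require lines are OR'ed (RequireAny)."""
    order, allow, deny, require = "deny,allow", False, False, None
    for raw in htaccess.splitlines():
        words = raw.split("#", 1)[0].lower().split()  # drop comments, normalise case
        if not words:
            continue
        key, args = words[0], words[1:]
        if key == "order":
            order = args[0]
        elif key in ("allow", "deny") and args[0] == "from":
            hit = _matches(client_ip, args[1:])
            allow, deny = allow or (hit and key == "allow"), deny or (hit and key == "deny")
        elif key == "require":  # 'Require all granted|denied' or 'Require ip ...'
            hit = args[1] == "granted" if args[0] == "all" else (args[0] == "ip" and _matches(client_ip, args[1:]))
            require = bool(require) or hit
    if require is not None:
        return require
    return (not deny) or allow if order == "deny,allow" else allow and not deny
```

Run evaluate() with your own file contents and the IP you expect to be allowed, then with any other IP, before trusting the proxy test.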

satisfying isn’t it?

Hackers can try IP spoofing to get at the page anyway, but it is about making it harder.


locking out

I also like timeouts for bad passwords, because I once hacked a SQL 2012 which seemed perfectly fine with testing 1000+ passwords for SA every minute, making it look like it was designed for brute force attacks.

For this I use this plugin: Login LockDown.

An IP lockout for 1 hour after every 3 failed tries should do the trick.

Now, this was basic security for WordPress 101.


afterthoughts

Things I am already thinking about:

  • We should keep our current version of WordPress hidden using .htaccess
  • MySQL is not showing in our nmap scan, which means it is not on one of the 1000 most used ports
  • I haven't used Kali nearly as much as I would like to, but I am already tired

WordPress troubles

Okay, after installing a WAMP stack I noticed the first problems:

My site would go offline with the message:

Error establishing a database connection

When I did something with the site, like installing new plugins, it would suddenly go offline, stay offline for about 10 minutes and come back after a while.

MySQL seemed to have crashed, but starting it would not make it magically work.

The more I logged on and did stuff to fix it, the longer it stayed offline.

The logs are located in /var/log/mysql.

It is wise to just search for the word ERROR:

Initializing buffer pool, total size = 128M
[ERROR] cannot allocate memory for the buffer pool

I was simply running out of memory, which is why my own actions, consuming memory as well, made things worse. MySQL would keep trying to restart until it succeeded.

Reading a little more into it, it seems MySQL allocates 128M of RAM for this buffer pool but does not use all of it. You could lower it, but I don't think that would do any good.

My virtual private server, with 1 vCPU and 512 MB of RAM, is just underpowered.

I now run at 2 vCPUs and 2 GB of RAM and have not had a problem since.

As a second thought, I am thinking about scaling my images down to the smallest size possible using some lossy compression.

You also need at least a few high-res images to build your site, I think.