Post on 18-Jan-2017
transcript
WordCamp Bologna 2012
About me
37 years old
Born in Turin (Italy)
Co-Founder mavida.com
WordPress Lover
http://maurizio.mavida.com
https://twitter.com/miziomon
http://www.linkedin.com/in/mauriziopelizzone
1. Info collection
2. Password Brute force attack
3. Exploit
4. Human mistakes
5. Server vulnerabilities
6. Network vulnerabilities
7. File Permissions
Prevent user enumeration (?author=n)
RewriteCond %{QUERY_STRING} (^|&)author=
RewriteRule . http://%{SERVER_NAME}/? [L]
Hide wp_(login|admin|registration)
1. Block access to login / admin
2. Prepare custom login url
3. Check key presence
Full code here: https://gist.github.com/3003290
RewriteRule ^login /wp-login.php?key=12345g&redirect_to=… [L]
RewriteCond %{HTTP_REFERER} !^wp-admin…
RewriteCond %{QUERY_STRING} !^key=12345
RewriteRule ^app/wp-login\.php http://%{SERVER_NAME}/? [R,L]
Deny php execution
Options All -Indexes
Order Allow,Deny
Deny from all
<Files ~ "\.(xls|doc|rtf|pdf|zip|rar|mp3|flv|swf|png|gif|jpg|js|css)$">
    Allow from all
</Files>
<Files permitted-filename.php>
    Allow from all
</Files>
Shrink plugins number
1. Remove inactive plugins
2. Remove useless plugins
3. Remove dangerous plugins
4. (Evaluate code integration)
DISALLOW PLUGIN INSTALL / UPDATE
/**
 * edit your wp-config.php
 */
define( 'DISALLOW_FILE_EDIT', true );
define( 'DISALLOW_FILE_MODS', true );
Use STRONG password
Insecure Password
• giulia76
• password
• 123456
• qwerty
• matrix
Secure Password
• D7u8hI928FJYusx
• Z5BLl20T8by1524
• TLv7p64P63V5Hr1
• 6b83668I15qRP2I
• Um2d4Ejd9T1ExPr
http://strongpasswordgenerator.com/
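Detection for the two attack classes the deck lists first, user enumeration via ?author=n and password brute force against wp-login.php: an added Python example of my own, not from the talk, that scans constructed Apache access-log lines and flags the offending client IPs (the thresholds and the sample addresses are assumed values).

```python
import re
from collections import defaultdict

# Apache "combined" log line: we need the client IP, method, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample: one client walking ?author=1..3 (already answered by the
# redirect rule, status 301), one client hammering wp-login.php, one normal visitor.
SAMPLE_LOG = """\
203.0.113.5 - - [18/Jan/2017:10:00:01 +0100] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.50"
203.0.113.5 - - [18/Jan/2017:10:00:02 +0100] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.50"
203.0.113.5 - - [18/Jan/2017:10:00:03 +0100] "GET /?author=3 HTTP/1.1" 301 0 "-" "curl/7.50"
198.51.100.9 - - [18/Jan/2017:10:05:00 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jan/2017:10:05:01 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jan/2017:10:05:02 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jan/2017:10:05:03 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
198.51.100.9 - - [18/Jan/2017:10:05:04 +0100] "POST /wp-login.php HTTP/1.1" 200 3021 "-" "Mozilla/5.0"
192.0.2.77 - - [18/Jan/2017:10:06:00 +0100] "GET /2012/wordcamp-bologna/ HTTP/1.1" 200 8123 "-" "Mozilla/5.0"
"""

def analyze(log_text, enum_threshold=3, login_threshold=5):
    """Return {ip: [reasons]} for clients that probe ?author= ids or flood wp-login.php."""
    author_ids = defaultdict(set)   # ip -> distinct author ids requested
    login_posts = defaultdict(int)  # ip -> number of POSTs to wp-login.php
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; ignore rather than crash
        ip, method, path = m['ip'], m['method'], m['path']
        q = re.search(r'[?&]author=(\d+)', path)
        if q:
            author_ids[ip].add(int(q.group(1)))
        if method == 'POST' and path.split('?')[0].endswith('/wp-login.php'):
            login_posts[ip] += 1
    findings = {}
    for ip, ids in author_ids.items():
        if len(ids) >= enum_threshold:
            findings.setdefault(ip, []).append(f'author enumeration ({len(ids)} ids)')
    for ip, n in login_posts.items():
        if n >= login_threshold:
            findings.setdefault(ip, []).append(f'login brute force ({n} POSTs)')
    return findings

if __name__ == '__main__':
    for ip, reasons in analyze(SAMPLE_LOG).items():
        print(ip, '->', '; '.join(reasons))
```

The enumeration hits are logged with status 301 because the RewriteRule above answers them with a redirect, so the attempt stays visible to a log review even after the mitigation is in place.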
Rename wp-content
/**
 * edit your wp-config.php
 */
define( 'WP_CONTENT_DIR', dirname( __FILE__ ) . '/public' );
// note: HTTP_HOST is taken from the request's Host header, not from the server config
define( 'WP_CONTENT_URL', 'http://' . $_SERVER['HTTP_HOST'] . '/public' );
Move WordPress Core
/**
 * edit your wp-config.php
 */
define( 'WP_SITEURL', 'http://' . $_SERVER['SERVER_NAME'] . '/wordpress-core/' );
define( 'WP_HOME', 'http://' . $_SERVER['SERVER_NAME'] );

/**
 * edit your index.php
 */
define( 'WP_USE_THEMES', true );
require( './wordpress-core/wp-blog-header.php' );
Codex References
• http://codex.wordpress.org/Hardening_WordPress
• http://codex.wordpress.org/Administration_Over_SSL
• http://codex.wordpress.org/Editing_wp-config.php
RULES FOR BLACKHOLE
RewriteEngine On
RewriteBase /
RewriteRule ^(admin|wp-admin|wp-content)$ blackhole/ [L]
RewriteRule ^(phpinfo|phpmyadmin)$ blackhole/ [L]
BLACKHOLE PLUGIN
<?php
/*
Plugin Name: blackhole
Plugin URI: http://maurizio.mavida.com/
Description: blackhole
License: GPL
Version: 0.1
Author: Maurizio Pelizzone
Author URI: http://maurizio.mavida.com
*/
if ( ! is_admin() ) {
    include( $_SERVER['DOCUMENT_ROOT'] . "/blackhole/blackhole.php" );
}
Other
Thank you
Maurizio Pelizzone
@miziomon
maurizio@mavida.com
http://maurizio.mavida.com