WordPress.org

Forums

[closed] I don't need help but I have questions (25 posts)

  1. mario4
    Member
    Posted 3 years ago #

    Hello guys.
    I have some questions about WordPress.

    I know that most WordPress websites get hacked every day because they have a problem. This problem is called wp-config.php.
    Trust me, I know what I'm talking about.

    Now this problem pushes me to ask some questions:
    1. If I'd like to change the name of the config file without destroying my wp_blog, can I do it, and how? I just want to rename it.
    2. I also want to rename wp-login.php and wp-admin.
    3. If this is not possible, I want something else. I want to block password reset in wp-login.php.

    Can someone give me answers? Thanks for reading this post. Take care.

  2. webjunk
    Member
    Posted 3 years ago #

    No. I do not trust you know what you are talking about. Have several hundred WordPress websites been going for years and never been hacked. Never had to do anything undocumented.

  3. esmi
    Forum Moderator
    Posted 3 years ago #

    This problem is called wp-config.php

    No it's not.

    You might want to have a read of http://ottopress.com/2009/hacked-wordpress-backdoors/

  4. mario4
    Member
    Posted 3 years ago #

    I said I know what I'm talking about because I know. Give me a link to a WordPress website and I will give proof of how that website gets hacked in 10 minutes.

    This is not a threat. I just want to make my WordPress website 100% secured.

    So can someone help me by answering my questions?

  5. Robbie JW
    Member
    Posted 3 years ago #

    The PHP files can't be viewed by a normal user unless you have FTP access to the server, therefore you can't read wp-config.php.

    Also, when you reset your password the old password remains until you click the link in the email.

  6. CyberWizard
    Member
    Posted 3 years ago #

    I said I know what I'm talking about because I know. Give me a link to a WordPress website and I will give proof of how that website gets hacked in 10 minutes.

    Sure mario, here is a link to a wordpress site: http://wordpress.org/wp-admin

    Now, I will sit here and wait for your excuse about why "wordpress.org is too secure for you to hack". I am 100% positive that you will either not respond or have an excuse for not being able to do it.

  7. ClaytonJames
    Member
    Posted 3 years ago #

    I am interested in your lack of success as well. Please report your results.

  8. mario4
    Member
    Posted 3 years ago #

    Guys, I want to tell ya something. I love WordPress and I will never change it for something else. What I'm trying to do here is help myself and, if I can, to help you (WordPress staff).

    This text is quoted from: http://ottopress.com/2009/hacked-wordpress-backdoors/

    A backdoor is code that has been added to your site.
    It will most likely be code not in the normal WordPress files. It could be in the theme, it could be in a plugin, it could be in the uploads directory.
    It will be disguised to seem innocuous, or at least non threatening.
    It will most likely involve additions to the database.

    I'm sorry dude, but WTF? What I see here is that you don't have a clue about exploiting web applications, trojans, shellcodes, POC.
    First of all, it's not called a backdoor, we call it exploit/ing.
    Second, to catch a bad guy you must think like he thinks. (Try to understand what I wanna say here.)

    I can help you, in my way, to patch some problems in WordPress.

    If you like, I will make a video of how I massively hack WordPress websites.

    Let me know...

  9. CyberWizard
    Member
    Posted 3 years ago #

    Umm, we still have not seen you hack the one I gave you a link to. I posted the link 28 minutes ago and you said it could be done in 10...

  10. ClaytonJames
    Member
    Posted 3 years ago #

    Guys, I want to tell ya something. I love WordPress and I will never change it for something else. What I'm trying to do here is help myself and, if I can, to help you (WordPress staff).

    This text is quoted from: http://ottopress.com/2009/hacked-wordpress-backdoors/

    Isn't that from the link esmi suggested you read? In fact most everyone here regularly, might be aware that the source you quoted does indeed know what he's talking about. </irony> I think the question now (still), is do you actually have presentable evidence to contribute to the community, that your assertions are both true, and consistently reproducible? In other words, if you believe you can prove it, then submit it for inspection.

    "Where do I report security issues?"

    Send an email with the details to security@wordpress.org.

  11. mario4
    Member
    Posted 3 years ago #

    I know where to report them, ClaytonJames.

    No one gave me answers to my questions.

  12. sharecommons
    Member
    Posted 3 years ago #

    Boy, what a debate here. I don't think you can hack a wordpress blog "unless" the blog owner installs your exploited code. Even according to this:

    A backdoor is code that has been added to your site.
    It will most likely be code not in the normal WordPress files. It could be in the theme, it could be in a plugin, it could be in the uploads directory.
    It will be disguised to seem innocuous, or at least non threatening.
    It will most likely involve additions to the database.

    Unless the blog owner installs some code/plugin which is exploited or gives FTP user/password or gives Admin username/password to anyone, there isn't a way to hack a blog. Well, let's just forget about this debate although I'm sure many people here would love to understand what can you do to a blog but let's just talk about what you wish to know.

    First of all, you are trying to make some "major" changes to the WordPress files. You wish to change the wp-config.php file, which I think can be done. If you know even a little bit about PHP, you would begin by looking in the index.php file in your WP blog's root. That file should have indications of where to look for the config.php file. Then you can perhaps change the name in a couple of places, wherever necessary, and then try playing around to make things work.

    Then you are asking to change wp-login.php, which I believe can be done with little effort. Once again, you will have to hard-code the changes in many files that link to the wp-login.php file.

    The best of all is renaming the wp-admin folder altogether. I guess you are inviting trouble. Maybe after changing many files, you will be able to make it work with the new admin folder.

    Now a few observations:
    Are you sure, after doing all of this crap, your blog will be 100% secure?
    Well, if someone is "so dying" to hack your blog, they will soon discover the correct admin link.
    What about upgrading your blog? Whenever you will install updates from WordPress, all those changes will be gone. If you say that you won't update your blog, then you are again inviting hackers.

    THINK! How much security is "enough". Hope this info helps you in some way.

  13. mario4
    Member
    Posted 3 years ago #

    sharecommons, I would like to thank you so much for your time. I read all of your post.
    I know that if I do a massive change, it will give me hundreds of errors and I think I will spend much time figuring it out.

    I'm not a good PHP coder or something. I know the basics of PHP, but if someone can code a plugin... a plugin that helps you to rename the wp-config.php file... that, sir, would be awesome, and I promise you hacked WordPress websites will decrease by 40% (minimum).

  14. sharecommons
    Member
    Posted 3 years ago #

    I'm an intermediate just like you mario4 and certainly what you are suggesting is worth a thought. I'm not sure if any "plugin designer" would give this a thought but what we can do:

    I have WampServer installed on my computer and I have installed a WP blog on my computer for testing purposes. I'll see if I can do something of this sort. I'm not sure how successful I'll be at damaging my WP installation :)

    But I promise to keep you in the loop if I'm able to discover something new :D

    In the meantime, keep up with your 'search' for answers to your questions. Good luck man!

  15. mario4
    Member
    Posted 3 years ago #

    Thanks dude. I appreciate that.

    To the other guys: I'm ready to make a video tutorial on hacking a WordPress website in 2-4 minutes. Tell me if you want to see it, so I will record it and publish it on YouTube or somewhere else.

    ***Remember, I don't get anything from this. I'm just fighting to optimize WordPress and make it better.

  16. sharecommons
    Member
    Posted 3 years ago #

    I'll love to see anything that helps making WordPress a better software. Thank you mario4 for taking the time to help improving WP.

    I would suggest you "not to" include information about the tools that can be used to do the bad stuff. Don't think anyone here would "appreciate" popularizing the tools that can be used to do the bad stuff. But yeah, for educational purposes, please do show whatever is necessary to secure a WP blog. I'd love to have the link when you upload it to YouTube.

  17. Rev. Voodoo
    Volunteer Moderator
    Posted 3 years ago #

    I really do think the WP devs take security seriously.

    So I'm sure they would appreciate knowing if you can actually demonstrate gaining access to the wp-config

  18. elfin
    Moderator
    Posted 3 years ago #

    To the other guys: I'm ready to make a video tutorial on hacking a WordPress website in 2-4 minutes. Tell me if you want to see it, so I will record it and publish it on YouTube or somewhere else.

    If you think you can do this then send an email to security@wordpress.org as already suggested. They will give it the attention it deserves, and if a reply is necessary then you will hear back from them fairly quickly.

  19. cubecolour
    ɹoʇɐɹǝpoɯ
    Posted 3 years ago #

    If you want an extra level of security because you are concerned that your wp-config.php contains your database password and is in the public_html directory of the web server, just move it up a level so it is outside the public_html: http://codex.wordpress.org/Hardening_WordPress#Securing_wp-config.php

    If your WP is in a subdirectory of public_html, so moving it up a level will mean it is still within public_html, you can protect it by adding

    <files wp-config.php>
    order allow,deny
    deny from all
    </files>

    to your .htaccess file
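
Added example (not part of the thread and not WordPress project code): a Python audit of the two measures in the post above, reporting whether wp-config.php still sits under the document root without a `<files>` deny rule and whether it is world-readable. It goes slightly beyond the post by also accepting Apache 2.4's `Require all denied` next to the 2.2-style `deny from all`; the function names and the `public_html/blog` sample layout are constructed for illustration, and the lookup assumes WordPress's behaviour of also loading wp-config.php from one directory above the install.

```python
import os, re, stat, tempfile

# <Files wp-config.php> ... </Files>; Apache directive names are case-insensitive.
FILES_BLOCK = re.compile(r'<files\s+"?wp-config\.php"?\s*>(.*?)</files>', re.I | re.S)
# "deny from all" is the Apache 2.2 form used in the post; 2.4 uses "Require all denied".
DENY_RULE = re.compile(r'^\s*(deny\s+from\s+all|require\s+all\s+denied)\s*$', re.I | re.M)

def htaccess_denies_config(text):
    """True if a <Files wp-config.php> block contains a deny-all rule."""
    live = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return any(DENY_RULE.search(m.group(1)) for m in FILES_BLOCK.finditer(live))

def audit(wp_dir, docroot):
    """Return findings for the install at wp_dir, served from docroot."""
    wp_dir, docroot = os.path.realpath(wp_dir), os.path.realpath(docroot)
    candidates = [os.path.join(d, "wp-config.php") for d in (wp_dir, os.path.dirname(wp_dir))]
    cfg = next((c for c in candidates if os.path.isfile(c)), None)
    if cfg is None:
        return ["wp-config.php not found"]
    findings = []
    if os.path.commonpath([cfg, docroot]) == docroot:   # still web-reachable
        d, covered = os.path.dirname(cfg), False
        while not covered:                               # .htaccess rules inherit downward
            ht = os.path.join(d, ".htaccess")
            if os.path.isfile(ht):
                with open(ht) as fh:
                    covered = htaccess_denies_config(fh.read())
            if d == docroot:
                break
            d = os.path.dirname(d)
        if not covered:
            findings.append("under document root without a deny rule")
    if stat.S_IMODE(os.stat(cfg).st_mode) & stat.S_IROTH:
        findings.append("world-readable")
    return findings

def demo():
    """Constructed layout: public_html/blog/ with wp-config.php, before and after hardening."""
    root = tempfile.mkdtemp()
    blog = os.path.join(root, "public_html", "blog")
    os.makedirs(blog)
    cfg = os.path.join(blog, "wp-config.php")
    open(cfg, "w").close()
    os.chmod(cfg, 0o644)
    before = audit(blog, os.path.join(root, "public_html"))
    with open(os.path.join(blog, ".htaccess"), "w") as fh:
        fh.write("<files wp-config.php>\norder allow,deny\ndeny from all\n</files>\n")
    os.chmod(cfg, 0o640)
    return before, audit(blog, os.path.join(root, "public_html"))
```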

  20. mario4
    Member
    Posted 3 years ago #

    @sharecommons I'm doing it manually. I don't need tools.

    @Rich 'elfin' Pedley it's OK dude, I know.

    @cubecolour: thanks dude, I have already done that.

    I have something else about the video. I will create it but I don't wanna get in trouble for that. It's just for educational purposes.

  21. Samuel Wood (Otto)
    Tech Ninja
    Posted 3 years ago #

    LOL.

    Here you go. Here's a link to my wp-config.php file:
    http://ottodestruct.com/wp-config.php

    Go ahead. Hack your way in.

  22. It's not wp-config.php

    http://wordpress.org/news/2010/04/file-permissions/

    Seriously. IF you can hack someone's site, it's because their server is insecure. No matter how many precautions you take, if the barn door is open, the horse will done get stole.

  23. mario4
    Member
    Posted 3 years ago #

    Otto, your wish will come true... really soon.

    ipstenu: I know and I agree, but I want to do my best to protect my stuff.

  24. Then secure the ever loving snot out of your server and follow the standard, accepted, proven-to-be-reliable, file permission settings for your files (be they WordPress, Drupal, Joomla or MovableType). But crying wolf like you are is bad form and causes more harm than good.

    If you really care about WordPress, you don't do this screaming at the clouds business. You email the security people, as many have told you. Tell security@wordpress.org exactly what steps should be taken to hack into a site. I promise, they care.

    You're not helping anyone, claiming to be able to hack into any WP site like this.

  25. mrmist
    Forum Janitor
    Posted 3 years ago #

    This thread is going nowhere. mario4, I think you have all the answers you need, as well as some site URLs that have been offered to you.

    As has been pointed out, if you wish to improve WordPress, mail the security email address with your exploit details.

Topic Closed

This topic has been closed to new replies.
