WordPress.org

Forums

I THINK I HAVE A SOLUTION FOR 90% OF ALL SITES BEING ATTACKED (34 posts)

  1. HairyPotter
    Member
    Posted 8 years ago #

    What does a loser do when he tries to discover a victim to attack? In the case of WordPress, he searches Google for the phrase PROUDLY POWERED BY WORDPRESS. This is the start.

    Now, the loser has a list of sites using WordPress.

    The second phase involves the fact that he knows the names of all WordPress PHP files. If some of these files have vulnerabilities, he will use them to exploit the site.

    NOW THE SOLUTION FOR ALL PROBLEMS:

    1) Imagine that, during installation, WordPress files could be named whatever the user wants. Imagine a page during installation where the admin could change the names of all WordPress files. The real names of all files could be in a database.

    2) During the installation all WordPress files would be renamed to those chosen by the user, and these names stored in a database that would be used by WP to know each name.

    3) Third, the phrase PROUDLY POWERED BY WORDPRESS should be replaced by an image with the same phrase. Of course, the name of this image could be changed during installation. The same could be done for every string constant in WordPress. Everything constant should allow replacing to make WP installations hard to find on Google.

    I have done that for a long time with scripts like FormMail.pl... that I use under other hard-to-guess names...

    That's it.

    I am suggesting this because my WP installation was attacked and a loser has posted 720 thousand port-sex-medicine advertisements in a week.

    I hope this can be used in some way.

  2. VaamYob
    Member
    Posted 8 years ago #

    That's called "security by obscurity".

    People do that with ports, i.e. run ssh or smtp on some random port number instead of the standard port.

    With your solution, there still has to be one file that is guaranteed to be in an exact location, with an exact name: wp-config.php

    You have to know HOW to connect to the database to get the names of the other files.

  3. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Please do not post in capitals.
    It's the equivalent of SHOUTING and is considered rude.

  4. HairyPotter
    Member
    Posted 8 years ago #

    There's no reason why wp-config.php cannot have another name. Everything can be in a database. The only file with the same name will be index.php, but this can be anything and a loser cannot search Google for index.php in order to find WP installations.

    The only thing that guarantees a successful search in Google is a constant and unique name, like wp-config.php. If one can rename that to xyz.php, it will be invisible in Google.

  5. vkaryl
    Member
    Posted 8 years ago #

    Actually, one could I suppose go through all the program files and replace "wp-config.php" with whatever name one chose to use for that file. There might be a hundred places which would need replacement, no idea for sure.

    Now, the possibility exists that something in the database would need rearranging with that as well. I don't know one way or the other, since while I can manipulate the info in the database I really don't have any background in mysql programming.

  6. TechGnome
    Moderator
    Posted 8 years ago #

    There's no reason why wp-config.php cannot have another name. Everything can be in a database. The only file with the same name will be index.php, but this can be anything and a loser cannot search Google for index.php in order to find WP installations.

    OK since it's apparent that you have thought this out.... tell me, how does WP connect to the database? The database information is in the wp-config.php file.... only it's no longer called wp-config.php, it's now called xyz-muwahahaha.php .... so how would WP "know" that's where the DB info is?

    -tg

  7. Mark (podz)
    Support Maven
    Posted 8 years ago #

    Numerous ways of discovering blogs can be done, not least the inurl search and picking other bits from WP code and googling them.
    This method of hiding files / folders has also been discussed and, like VaamYob says, it's a poor one.

  8. Not to mention that the whole renamed files thing would be a support nightmare.

    User: I've got an error in pink-aardvark.php

    Forums: Errr?

  9. Mark (podz)
    Support Maven
    Posted 8 years ago #

    LOL!!

  10. scaturan
    Member
    Posted 8 years ago #

    hahah, that's some pissed off WordPress user! that's a lotta viagra, cialis and all those things.

    hosting providers just need to be a little bit more proactive. mod_security, conditional logging, etc.. :)

    my 2 cents :)

  11. HairyPotter
    Member
    Posted 8 years ago #

    come on boys...

    database name, username and pass would be in index.php.
    Why use a unique name like wp-config.php if one can use a generic name like index.php? As I said, just one file cannot be renamed, index.php, and index.php can be anything. The idea is to mask all occurrences of the name WORDPRESS and replace them with images with different names.

  12. Ming
    Member
    Posted 8 years ago #

    You still need to address Podz' concerns. Filenames are only one way to detect an installation.

  13. HairyPotter
    Member
    Posted 8 years ago #

    what concerns? have you read what I said? I said get rid of all words, phrases, etc., that could identify a WP installation. That's it. Better this way than the present way. My blog was invaded by someone who found it thru Google. I have traced the guy in my logs and he first googled for wordpress, found my blog and posted 720 thousand sex-casino-viagra cr*p!
    /&%/#%!
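
The kind of log tracing mentioned in this post can be done over an Apache "combined" access log. The following is an added example, not code from the thread: it lists clients whose Referer shows a search for the footer phrase and counts the POST requests each one sent afterwards. The sample lines, IP addresses and the `FOOTPRINTS` tuple are constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample lines in Apache "combined" format (documentation IP ranges).
SAMPLE_LOG = '''\
203.0.113.7 - - [12/Mar/2006:10:01:02 +0000] "GET / HTTP/1.1" 200 5120 "http://www.google.com/search?q=%22proudly+powered+by+wordpress%22" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2006:10:01:09 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
203.0.113.7 - - [12/Mar/2006:10:01:10 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "-" "Mozilla/4.0"
198.51.100.4 - - [12/Mar/2006:10:02:00 +0000] "GET / HTTP/1.1" 200 5120 "http://www.google.com/search?q=recette+tarte+aux+pommes" "Mozilla/5.0"
198.51.100.4 - - [12/Mar/2006:10:03:00 +0000] "POST /wp-comments-post.php HTTP/1.1" 302 0 "http://blog.example/?p=3" "Mozilla/5.0"
'''

# ip ident user [time] "METHOD path proto" status bytes "referer" "user-agent"
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'\d{3} \S+ "(?P<referer>[^"]*)" "[^"]*"')
FOOTPRINTS = ("powered by wordpress",)  # assumption: phrases worth flagging

def footprint_search(referer):
    """Return the search phrase if the Referer is a search for a CMS footprint."""
    query = parse_qs(urlsplit(referer).query)
    for term in query.get("q", []):
        if any(f in term.lower() for f in FOOTPRINTS):
            return term
    return None

def triage(log_text):
    """Map each client that arrived via a footprint search to (phrase, POST count)."""
    arrived, posts = {}, Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        term = footprint_search(m["referer"])
        if term:
            arrived.setdefault(m["ip"], term)
        if m["method"] == "POST":
            posts[m["ip"]] += 1
    return {ip: (term, posts[ip]) for ip, term in arrived.items()}

if __name__ == "__main__":
    print(triage(SAMPLE_LOG))
```

The Referer header is supplied by the client and is often missing, so an empty result does not show that a site was not found this way.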

  14. chillbilly
    Member
    Posted 8 years ago #

    I've used another more CMS type set up and it was a cinch ta take out anything related to the system's name or type...then it was just a matter of ditchin the version # of the footer and a few other spots.

    wp_config.php should really just be config.php like everything else I've used...but whatever...no weird erectile dysfunction fixing medication ads on my set up yet :)

  15. Ming
    Member
    Posted 8 years ago #

    I said get rid of all words, phrases, etc., that could identify wp installation. That's it.

    That's it? Fair enough, but you've just asked for the entire WP engine to be rewritten. Not to mention requiring everyone to have custom themes as ones like Kubrick, and the dozens based upon it, can be easily identified.

    We also need to deal with the substantial performance hit that would be created when looking up every single random directory and file. And, as has been mentioned, support becomes nearly impossible.

    Speaking of security, how was your WP hacked? An earlier version with a known vulnerability? Something newer (which you've reported to security@wordpress.org)?

  16. Kafkaesqui

    Posted 8 years ago #

    http://codex.wordpress.org/Hardening_WordPress

    I'd suggest reading this for anyone serious about securing their WP install.

  17. lunabyte
    Member
    Posted 8 years ago #

    IMHO, the idea is interesting, but would need refined.

    Instead of custom names for files, it would be more feasible perhaps to just customize the directory names. These could be a part of the config file, along with the current options, then instead of a hard coded directory path, simply replace it with a variable.

    Then, instead of logins being processed and handled in the admin dir, they could be run through the main installation directory. This would keep the relevant directory names out of the URI, and further obscure the directories used.

    Kind of a half and half. Not foolproof, but maybe a more balanced alternative.

  18. marke1
    Member
    Posted 8 years ago #

    Lunabyte: Instead of custom names for files, it would be more feasible perhaps to just customize the directory names. These could be a part of the config file, along with the current options, then instead of a hard coded directory path, simply replace it with a variable.

    I was thinking about this the other day -- vars to define where we want wp-content, wp-includes, etc. Then it wouldn't be static across every WP install in the universe.

    Anyway, I think there is a solution for 100% of all sites being attacked -- paraphrasing LarryFodder (no offense intended there, but if that's your real name then, hey, wanna buy a bridge?):

    Buy this and install it between your computer and Internet connection on all your computers, including any of your hosting servers

    Then sit back and have a cigarette :-)

  19. NuclearMoose
    Member
    Posted 8 years ago #

    THANKS FOR ALL OF YOUR SUGGESTIONS, HAIRY! I WONDER WHY MATT AND RYAN AND A FEW DOZEN OTHER HIGHLY-INTELLIGENT AND EXPERIENCED PROGRAMMERS INVOLVED IN CODING WORDPRESS DIDN'T THINK OF THIS BEFORE. YOU'RE A GENIUS!

  20. spencerp
    Member
    Posted 8 years ago #

    LOL!!

    spencerp

    P.S. I sense a 2.0.2 version release real soon! =)

  21. IIIIIIIV
    Member
    Posted 8 years ago #

    If anyone is that paranoid about being hacked, then don't install the software to begin with.

    Just use MySpace or something and let God sort it out if it goes south.

  22. Conceit
    Member
    Posted 8 years ago #

    NuclearMoose: It's really dumb to blame someone's idea with the argument

    [sarcasm]
    "Those genius-mega-intelligent people from mars would have done before. You are stupid. Do not talk !"
    [/sarcasm]

    Reminds me of "God said earth is a disc. It is a disc. If it was a ball, we would fall off from the bottom of the ball."

    I guess if Matt and Ryan and all the other genius supermales are as superb as you think, they explicitly do not want that kind of dogmatism here.

    And, by the way, you're way TOO LOUD!

  23. NuclearMoose
    Member
    Posted 8 years ago #

    Conceit (aptly named)
    I never said anybody was stupid -- that's your interpretation. I was also responding to the post in the same way the topic was entitled, using ALL CAPS.

    Thanks for your comments.

  24. Conceit
    Member
    Posted 8 years ago #

    Oh.. Then "YOU'RE A GENIUS!" wasn't ironic, of course. Sorry, misunderstood. But "Conceit (aptly named)" probably is, or not? Who knows. The pretty great thing about irony is that you can use it as fits, and never make a clear assertion.

    So, did you want to offend me when you said "Conceit (aptly named)", no of course not, either you did not want as you said "YOU'RE A GENIUS!" to HairyPotter. You are - of course - just submitting your neutral and factual opinion to a more or less technical discussion. Probably I also misunderstood this.

    But in one point you're right. You were both too loud.

    Thanks for YOUR comments.

  25. NuclearMoose
    Member
    Posted 8 years ago #

    You're welcome!

  26. Conceit
    Member
    Posted 8 years ago #

    Need more coffee... :))

  27. NuclearMoose
    Member
    Posted 8 years ago #

    Me too! :^)

  28. HairyPotter
    Member
    Posted 8 years ago #

    Thanks to all those who understood and tried to accept and consider the ideas I posted. I also agree that stupid are those who always accept the former opinions and knowledge and never offer his/her position, standing as heretic after the Inquisition... (I am dramatic today... someone listening to violins out there?)...

    So, let's start modifying all stuff... :-)

  29. Security by obscurity is not security at all.

    If I can view your blog, I can find out where your WordPress files are located at in most cases and if I can't, then I can just start guessing. It won't take me long to find them.

    While the suggestion is appreciated, it's somewhat clear you're new to the web development world, so just take our word for it that it's a waste of time. ;)

  30. HairyPotter
    Member
    Posted 8 years ago #

    Viper007Bond, unfortunately you are wrong in everything you said.

    You are assuming that I use easy words, but I can use any word in any language. Will you guess a word in French or German? And if I name the file as "xT12314lsd23.php" how will you discover it? Guessing?

    The other point is that you are assuming that every cracker is an expert. 99% of those guys invading sites are complete morons who follow a recipe: 1) google for some site using WP 2) use the file xyz.php and do bla bla bla...

    If you make your site invisible (not common) to Google, how will they discover it? It's like a car alarm. The alarm will not stop a pro, but will stop 99% of the morons.

    You are wrong again when you said I am new to the web development world. I have been developing for the web since 1996 and in PHP since 2000. I never had a site invaded before using WordPress, due to the fact that I never name any of my directories and files using English words or obvious words in any language (too many crackers speak English, so this is the language they will try).

    Another common error I never make is to show detailed error messages, the kind of messages that can guide the cracker. For example: if you put up a login screen where one has to fill in username and password, you can have 2 situations: unknown username or wrong password. If you show an error message saying WRONG PASSWORD, the cracker will know he has a correct username.

    Things like that make the difference.

    My cracked site was written in French and Portuguese. The cracker was located in the USA. Do you think the site was cracked by an American who knows French and Portuguese? No. I will tell you: the site was googled by the words PROUDLY POWERED BY WORDPRESS (I have a log entry with the cracker's IP and such string googled) and the guy knew the files to crack, due to the fact they had the original names.

    I agree that such modifications I suggested would be difficult to implement in the first phase, because much code would have to be rewritten, but it will turn crackers' life hard.
    :-)

    I am not expecting anyone to accept the ideas I exposed. Those were just my ideas. I think they can help.

    thanks.
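
The point in the last post about login error messages, shown as an added example that is not code from the thread: a login check that names the failing field beside one that returns a single message for every failure and performs the same hashing work whether or not the username exists. The user store, the names and the PBKDF2 iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

def hash_password(password, salt):
    # PBKDF2 from the standard library; the iteration count is illustrative.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def make_user(password):
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_password(password, salt)}

# Constructed in-memory user store standing in for a database table.
USERS = {"alice": make_user("correct horse battery staple")}

# Record hashed against when the username is unknown, so that both
# failure paths cost one hash and cannot be told apart by response time.
_DUMMY = make_user(os.urandom(16).hex())

GENERIC_ERROR = "Invalid username or password."

def login_leaky(username, password):
    """The pattern the post warns about: the message says which field was wrong."""
    user = USERS.get(username)
    if user is None:
        return False, "Unknown username."
    if not hmac.compare_digest(hash_password(password, user["salt"]), user["hash"]):
        return False, "Wrong password."
    return True, "Welcome."

def login_uniform(username, password):
    """Same check, but every failure returns one message and costs one hash."""
    user = USERS.get(username)
    record = user if user is not None else _DUMMY
    candidate = hash_password(password, record["salt"])
    ok = hmac.compare_digest(candidate, record["hash"]) and user is not None
    return (True, "Welcome.") if ok else (False, GENERIC_ERROR)

if __name__ == "__main__":
    for name in ("alice", "bob"):
        print(name, login_leaky(name, "guess"), login_uniform(name, "guess"))
```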

Topic Closed

This topic has been closed to new replies.
