WordPress.org

Support

Support » Alpha/Beta » I THINK I HAVE A SOLUTION FOR 90% OF ALL SITES BEING ATTACKED

I THINK I HAVE A SOLUTION FOR 90% OF ALL SITES BEING ATTACKED

  • What a loser do when he tries to discover a victim to attack? In the case of wordpress, he searches google for the phrase PROUDLY POWERED BY WORDPRESS. This is the start.

    Now, the loser have a list of sites using wordpress.

    The second phase involves the fact that he knows the name of all wordpress’ PHP files. If some of these files has vulnerabilities, he will use them to exploit the site.

    NOW THE SOLUTION FOR ALL PROBLEMS:

    1) imagine that, during installation wordpress files could be named to whatever names user’s want. Imagine a page during installation where the admin could change the names of all wordpress files. The real names of all files could be on a database.

    2) during the installation all wordpress files would be renamed to those chosen by user and these names stored on a database that would be used by WP to know each name.

    3) third, the phrase PROUDLY POWERED BY WORDPRESS should be replaced by an image with the same phrase. Of course, the name of this image could be changed during installation. Same could be done for every string constant on wordpress. Everything constant should allow replacing to make wp’s installations hard to find on google.

    I do that for a long time with scripts like FormMail.pl…that I use under other hard to guess names…

    That’s it.

    I am suggesting this cause my wp installation was attacked and a loser has posted 720 thousand port-sex-medicine advertisings in a week.

    I hope this can be used in some way.

Viewing 15 replies - 1 through 15 (of 33 total)
  • That’s called, “security by obscurity”

    People do that with ports, i.e. run ssh or smtp on some random port number instead of the standard port.

    With your solution, there still has to be one file that is guaranteed to be in an exact location, with an exact name: wp-config.php

    You have to know HOW to connect to the database to get the names of the other files.

    Mark (podz)

    @podz

    Support Maven

    Please do not post in capitals.
    It’s the equivalent of SHOUTING and is considered rude.

    There’s no reason why wp-config.php cannot have other name. Everything can be on a database. The only file with the same name will be index.php, but this can be anything and a loser cannot search in google for index.php in order to find wp installations.

    The only thing that guarantees a successful search in google is a constant and unique name, like wp-config.php. If one can rename that for xyz.php, it will be invisible in google.

    Actually, one could I suppose go through all the program files and replace “wp-config.php” with whatever name one chose to use for that file. There might be a hundred places which would need replacement, no idea for sure.

    Now, the possibility exists that something in the database would need rearranging with that as well. I don’t know one way or the other, since while I can manipulate the info in the database I really don’t have any background in mysql programming.

    TechGnome

    @techgnome

    Moderator

    There’s no reason why wp-config.php cannot have other name. Everything can be on a database. The only file with the same name will be index.php, but this can be anything and a loser cannot search in google for index.php in order to find wp installations.

    OK since it’s apparent that you have thought this out…. tell me, how does WP connect to the database? The database information is in the wp-config.php file…. only it’s no longer called wp-config.php, it’s now called xyz-muwahahaha.php …. so how would WP “know” that’s where the DB info is?

    -tg

    Mark (podz)

    @podz

    Support Maven

    Numerous ways of discovering blogs can be done, not least the inurl search and picking other bits from wp code and googling them.
    This method of hiding files / folders has also been discussed and like Vaamyob says, it’s a poor one.

    Not to mention that the whole renamed files thing would be a support nightmare.

    User: I’ve got an error in pink-aardvark.php

    Forums: Errr?

    Mark (podz)

    @podz

    Support Maven

    LOL!!

    hahah, that some pissed off WordPress user! that’s a lotta of viagra, cialis and all those things.

    hosting providers just need to be a little bit more, proactive. mod_security, conditional logging, etc.. 🙂

    my 2 cents 🙂

    come on boys…

    database name, username and pass would be in index.php.
    Why use a unique name like wp-config.php if one can use a generic name like index.php? As I said, just one file cannot be renamed, index.php and index.php can be anything. The idea is to mask all occurrences of the name WORDPRESS and replace them for images with different names.

    You still need to address Podz’ concerns. Filenames are only one way to detect an installation.

    what concerns? have you read what I said? I said get rid of all words, phrases, etc., that could identify wp installation. That’s it. Better this way than the present way. My blog was invaded by someone who found it thru google. I have traced the guy on my logs and he first googled for wordpress, find my blog and posts 720 thousand sex-casino-viagra cr*p!
    /&%/#%!

    ive used another more CMS type set up and it was a sinch ta take out anything related to the systems name or type…then it was just a mater of ditchin the version # of the footer and afew other spots.

    wp_config.php should realy just be config.php like everything else ive used…but what ever…no weird erectile disfuntional fixing medication adds on my set up yet 🙂

    I said get rid of all words, phrases, etc., that could identify wp installation. That’s it.

    That’s it? Fair enough, but you’ve just asked for the entire WP engine to be rewritten. Not to mention requiring everyone to have custom themes as ones like Kubrick, and the dozens based upon it, can be easily identified.

    We also need to deal with the substantial performance hit that would be created when looking up every single random directory and file. And, as has been mentioned, support becomes nearly impossible.

    Speaking of security, how was your WP hacked? An earlier version with a known vulnerability? Something newer (which you’ve reported to security@wordpress.org)?

    http://codex.wordpress.org/Hardening_WordPress

    I’d suggest reading this for anyone serious about securing their WP install.

Viewing 15 replies - 1 through 15 (of 33 total)
  • The topic ‘I THINK I HAVE A SOLUTION FOR 90% OF ALL SITES BEING ATTACKED’ is closed to new replies.