• What a loser do when he tries to discover a victim to attack? In the case of wordpress, he searches google for the phrase PROUDLY POWERED BY WORDPRESS. This is the start.

    Now, the loser have a list of sites using wordpress.

    The second phase involves the fact that he knows the name of all wordpress’ PHP files. If some of these files has vulnerabilities, he will use them to exploit the site.


    1) imagine that, during installation wordpress files could be named to whatever names user’s want. Imagine a page during installation where the admin could change the names of all wordpress files. The real names of all files could be on a database.

    2) during the installation all wordpress files would be renamed to those chosen by user and these names stored on a database that would be used by WP to know each name.

    3) third, the phrase PROUDLY POWERED BY WORDPRESS should be replaced by an image with the same phrase. Of course, the name of this image could be changed during installation. Same could be done for every string constant on wordpress. Everything constant should allow replacing to make wp’s installations hard to find on google.

    I do that for a long time with scripts like…that I use under other hard to guess names…

    That’s it.

    I am suggesting this cause my wp installation was attacked and a loser has posted 720 thousand port-sex-medicine advertisings in a week.

    I hope this can be used in some way.

Viewing 15 replies - 16 through 30 (of 33 total)
  • IMHO, the idea is interesting, but would need refined.

    Instead of custom names for files, it would be more feasible perhaps to just customize the directory names. These could be a part of the config file, along with the current options, then instead of a hard coded directory path, simply replace it with a variable.

    Then, instead of logins being processed and handled in the adim dir, they could be ran through the main installation directory. This would keep the relavent directory names out of the URI, and further obscure the directories used.

    Kind of a half and half. Not fool proof, but maybe a more balanced alternative.

    Lunabyte: Instead of custom names for files, it would be more feasible perhaps to just customize the directory names. These could be a part of the config file, along with the current options, then instead of a hard coded directory path, simply replace it with a variable.

    I was thinking about this the other day — vars to define where we want wp-content, wp-includes, etc. Then it wouldn’t be static across every WP install in the universe.

    Anyway, I think there is a solution for 100% of all sites begin attacked — paraphrasing LarryFodder ( no offense intended there, but if that’s your real name then, hey, wanna buy a bridge?):

    Buy this and install it between your computer and Internet connection on all your computers, including any of your hosting servers

    Then sit back and have a cigarette 🙂




    P.S. I sense a 2.0.2 version release real soon! =)

    If anyone is that paranoid about being hacked, then don’t install the software to begin with.

    Just use MySpace or something and let God sort it out if it goes south.

    NuclearMoose: It’s really dumb to blame someone’s idea with the argument

    “Those genius-mega-intelligent people from mars would have done before. You are stupid. Do not talk !”

    Reminds me of “God said earth is a disc. It is a disc. If it was a ball, we would fall off from the bottom of the ball.”

    I guess if Matt and Ryan and all the other genius supermales are as superb as you think, they do explicitly not want that kind of dogmatism here.

    And, by the way, you’re ways TOO LOUD !

    Conceit (aptly named)
    I never said anybody was stupid — that’s your interpretation. I was also responding to the post in the same way the topic was entitled, using ALL CAPS.

    Thanks for your comments.

    Oh.. Then “YOU’RE A GENIUS!” wasn’t ironic, of course. Sorry, misunderstood. But “Conceit (aptly named)” probably is, or not ? Who knows. The pretty great thing about irony is that you can use it as fits, and never make a clear assertion.

    So, did you want to offend me when you said “Conceit (aptly named)”, no of course not, either you did not want as you said “YOU’RE A GENIUS!” to HairyPotter. You are – of course – just submitting your neutral and factual opinion to a more or less technical discussion. Probably I also misunderstood this.

    But in one point you’re right. You were both too loud.

    Thanks for YOUR comments.

    You’re welcome!

    Need more coffee… :))

    Me too! :^)

    Thanks to all those who understood and tried to accept and considere the ideas I posted. I also agree that stupid are those who always accept the former opinions and knowledge and never offer his/her position, standing as heretic after the Inquisition… (I am dramatic today… someone listening to violins out there?)…

    So, let’s start modifying all stuff… 🙂

    Security by obscurity is not security at all.

    If I can view your blog, I can find out where your WordPress files are located at in most cases and if I can’t, then I can just start guessing. It won’t take me long to find them.

    While the suggestion is appreciated, it’s somewhat clear you’re new to the web development world, so just take our word for it that it’s a waste of time. 😉

    Viper007Bond, unfortunately you are wrong in everything you said.

    You are assuming that I use easy words, but I can use any word in any language. Will you guess a word in French or German? And if I name the file as “xT12314lsd23.php” how will you discover it? Guessing?

    The other point is that you are assuming that every cracker is an expert. 99% of those guys invading sites are completely morons who follow a recipe: 1) google for some site using WP 2) use the file xyz.php and do bla bla bla…

    If you make your site invisible (not common) to google, how will they discover it? It’s like a car alarm. The alarm will not stop a pro, but will stop 99% of the morons.

    You are wrong again when you said I am new to the web develpment world. I am developing for the web since 1996 and in PHP since 2000. I never have a site invaded before using WordPress, due to the fact that I never name any of my directories and files using english words or obvious words in any language (too many crackers speaking english, so this is the language they will try).

    Another common error I never do, is to show detailed error messages, the king of messages that can guide the cracker. For example. If you put a login screen where one have to fill username and password, you can have 2 situations: unknown username or wrong password. If you show an error message saying: WRONG PASSWORD, the cracker will know he have a correct username.

    Things like that make the difference.

    My site cracked site was written in French and Portuguese. The cracker was located in the USA. Do you think the site was cracked by an american who knows french and portuguese? No. I will tell you: the site was googled by the words PROUDLY POWERED BY WORDPRESS (I have a log entry with cracker’s IP and such string googled) and the guy knew the files to crack, due to the fact they had the original names.

    I agree that such modifications I suggested were difficult to implement on the first phase, cause many code would have to be rewritten, but it will turn crackers like hard.

    I am not expecting no one to accept the ideas I exposed. Those were just my ideas. I think they can help.


    ah, just to complement…
    like in war, obscurity is not security, I agree.
    Obscurity is camouflage!

Viewing 15 replies - 16 through 30 (of 33 total)
  • The topic ‘I THINK I HAVE A SOLUTION FOR 90% OF ALL SITES BEING ATTACKED’ is closed to new replies.