How to secure a WordPress site

What do sites like Interview Mantra, Bilforsikring, Prepared Marketing, and 1.5 million other WordPress sites have in common? They have all been hacked at one time, or someone has tried to hack them. Find out how to secure your WordPress site.

WordPress was developed by Matt Mullenweg in 2003. WordPress is a popular CMS for building a new website, for newbies as well as tech nerds, and hackers all around the world keep trying to find new loopholes and vulnerabilities in WordPress to hack it. In fact, nowadays this is one of the major concerns among new businesses, and some of them avoid using WordPress because of this hack phobia.

WordPress security is often referred to as “hardening”. It is just like the process of adding reinforcements to your castle. It’s all about bolstering the gates and putting lookouts on every tower. But that term doesn’t always convey the details that go into improving site security.

“8 out of 10 sites included base64 encoding in their themes.”

Siobhan McKeown

Here are some of the ways to secure WordPress and make it almost impossible for a hacker to break in.

  1. Use fast and secure hosting

People always look for the unlimited plan accounts with unlimited space, unlimited bandwidth and unlimited domains for their hosting because they think that it will be cheaper that way. But they never understand what a trap they are falling into. In short, there is nothing unlimited or free in this universe. Not even sunlight; it is also going to run out one day, one way or another. Big brand companies use the “UNLIMITED” tag to lure newbie users to get them online, and after that provide such a pathetic service that they will almost feel forced to upgrade to a more costly VPS server.

  2. Always Change the Default “admin” username

WordPress installation on any server has become so easy nowadays that most people just ignore these minor things. No matter whether you use the default WordPress installer or any one-click installer that comes with your server control panel, make sure you change the primary admin username from the default “admin” to anything else. This is very important. The reason it matters so much is that most hackers use Brute Force Attack tools to guess your username and password until a login succeeds, and “admin” is the first username they try.

  3. Always use a super strong complex password and keep on changing it

According to a report by global consultancy Deloitte, over 90 percent of user-generated passwords, even those considered strong by IT departments, are vulnerable to hacking. I know everyone knows this and it is a very basic thing, but trust me, every hacker uses it when needed. Make sure your WordPress admin password contains a combination of uppercase, lowercase, alphanumeric and special characters (e.g. @, #, ?), and is at least 12 characters long. In this way, you can give the hacker real pain when trying to crack your password. Make it your habit to change your passwords at least once every three months.

  4. Disable Directory Indexing and Browsing

On most web servers directory listing is enabled by default, for good reason, but after your website development has been completed, just open the .htaccess file present in the root directory or under the public_html directory of your server and add the following line at the top of your existing htaccess code.

Options -Indexes

This will disable the directory listing feature of your server, and anyone who tries to access a server directory that doesn’t have an index.html or index.php file will get a 403 Forbidden error. The above code will work for Apache as well as LiteSpeed servers, but if you have an nginx server, contact your server admin to enable this on your website.

If you do not disable this feature on your website, hackers can easily follow along with your directory structure and find out exactly what files you have on your server and how they are arranged. This gives them the advantage of knowing your site perfectly. So, you must disable it. Folders like wp-content or wp-includes in WordPress sites contain sensitive data that not everyone needs to see. As you know, the wp-content folder contains your themes, plugins, and media uploads. Hackers can find potential exploits by going through these files. So yes, in a way, you’re making the hacker’s job easy by not disabling directory browsing.

  5. Always keep your WordPress core, themes & plugins updated

Although it is true that updating WordPress core, a theme or plugins may sometimes break your site, it only happens to 0.001% of websites, the ones that use badly coded themes and plugins. The reason things get broken after an update is that sometimes the developer of the theme you are using, or of some plugin on your site, has stopped supporting and updating its code. So, when WordPress deprecates a function, those themes/plugins still try to access it and end up with lots of PHP errors.

I suggest using a backup system like UpdraftPlus Premium or BackupBuddy and creating a backup of your entire site before updating. In this way, if something bad happens, you can still restore your site to the previous working version. No matter what the case is, always keep your site updated with the latest version of WordPress and of your installed themes and plugins. Developers release patches every other day to fix vulnerabilities in their software as soon as they are spotted or reported.

  6. Limit Login Attempts

Hackers try to exploit weak passwords by using scripts that enter different combinations until your website gives way. To prevent this, you can limit the number of failed login attempts per user.

For example, you can say that after 5 failed attempts the user is locked out temporarily. If someone has more than 5 failed attempts, your site blocks their IP for a temporary period of time based on your settings. You can make it 5 minutes, 15 minutes, 24 hours, or even longer.
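As an added example (my code, not the author’s), here is a small must-use plugin that implements the lockout just described with the WordPress hooks wp_login_failed, authenticate and wp_login, using transients for storage. The limits (5 failures, 15-minute lockout) are the ones from the text; the sll_ function names are my own, and it assumes the site is not behind a reverse proxy or CDN.

```php
<?php
/**
 * Plugin Name: Simple Login Limiter (example)
 * Description: Temporarily locks out an IP address after too many failed logins.
 * Place this file in wp-content/mu-plugins/ so it is always active.
 */

defined( 'ABSPATH' ) || exit;

const SLL_MAX_FAILURES = 5;     // failed attempts allowed before a lockout
const SLL_LOCKOUT_SECS = 900;   // lockout length: 15 minutes
const SLL_WINDOW_SECS  = 3600;  // how long a failure counter lives without new failures

// Assumption: no reverse proxy or CDN in front of the site. Behind one,
// REMOTE_ADDR is the proxy's address and you must read the proxy's forwarded
// header instead (and trust it only for requests that really came from the proxy).
function sll_client_ip() {
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '0.0.0.0';
}

// Transient names for the failure counter and the lockout flag of one IP.
function sll_keys( $ip ) {
    $id = md5( $ip ); // keeps the option name short and free of odd characters
    return array( 'sll_fail_' . $id, 'sll_lock_' . $id );
}

// Unix time until which the IP is locked out, or 0 when it is not.
function sll_lockout_until( $ip ) {
    list( , $lock_key ) = sll_keys( $ip );
    return (int) get_transient( $lock_key );
}

// Count a failure; on the Nth one start the lockout and write it to the PHP
// error log so the event can be picked up by monitoring.
add_action( 'wp_login_failed', function ( $username ) {
    $ip = sll_client_ip();
    if ( sll_lockout_until( $ip ) ) {
        return; // already locked: rejections during the lockout must not extend it
    }
    list( $fail_key, $lock_key ) = sll_keys( $ip );
    $fails = (int) get_transient( $fail_key ) + 1;
    if ( $fails < SLL_MAX_FAILURES ) {
        set_transient( $fail_key, $fails, SLL_WINDOW_SECS );
        return;
    }
    delete_transient( $fail_key );
    set_transient( $lock_key, time() + SLL_LOCKOUT_SECS, SLL_LOCKOUT_SECS );
    error_log( sprintf( 'login lockout: ip=%s last_username=%s', $ip, $username ) );
} );

// Reject logins from a locked-out IP. The late priority matters: WordPress's
// own username/password filter (priority 20) replaces an earlier WP_Error with
// a WP_User when the password is correct, so the lockout has to run after it.
// wp-login.php and XML-RPC logins both go through wp_authenticate(), so both
// paths are covered.
add_filter( 'authenticate', function ( $user, $username, $password ) {
    $until = sll_lockout_until( sll_client_ip() );
    if ( $until > time() ) {
        $minutes = max( 1, (int) ceil( ( $until - time() ) / 60 ) );
        return new WP_Error(
            'too_many_attempts',
            sprintf( 'Too many failed login attempts. Try again in %d minute(s).', $minutes )
        );
    }
    return $user;
}, 99, 3 );

// A successful login clears the failure counter for that IP.
add_action( 'wp_login', function () {
    list( $fail_key ) = sll_keys( sll_client_ip() );
    delete_transient( $fail_key );
} );
```

Transients live in the options table (or the object cache if one is configured), so the counters are shared across all PHP workers of the site without any extra storage.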

  7. Disable XML-RPC in WordPress

Hackers are using the XML-RPC function in WordPress for DDoS botnet attacks as well as Brute Force attacks. The XML-RPC function was originally designed to be used as an intranet notification system for WordPress users. But few use it anymore due to spam. In March 2014, Sucuri reported 162,000 sites being used in DDoS attacks without the site owners’ knowledge via security holes in XML-RPC.

The XML-RPC vulnerability escalated into active hacking via Brute Force attacks. I recommend adding code to your theme that blocks XML-RPC, so that it is disabled.
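As an added example (mine, not from the original post), a must-use plugin that turns XML-RPC off using the filters WordPress provides, with the caveat that the xmlrpc_enabled filter alone does not stop the anonymous pingback methods. The file location and plugin name are my own choices.

```php
<?php
/**
 * Plugin Name: XML-RPC Hardening (example)
 * Description: Turns off XML-RPC logins and the methods abused for brute force and DDoS.
 * Place this file in wp-content/mu-plugins/ so it is always active.
 */

defined( 'ABSPATH' ) || exit;

// 1. Refuse every XML-RPC call that needs a login. WordPress consults the
//    xmlrpc_enabled filter only when a method tries to authenticate, so the
//    anonymous pingback methods keep working and are handled separately below.
//    Caveat: Jetpack, the WordPress mobile apps and remote-publishing clients
//    all log in over XML-RPC, so they stop working while this filter is active.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Remove the anonymous methods used for DDoS reflection (pingback.ping makes
//    the site fetch a URL chosen by the caller) and system.multicall, which lets
//    a single HTTP request carry hundreds of login guesses.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset(
        $methods['pingback.ping'],
        $methods['pingback.extensions.getPingbacks'],
        $methods['system.multicall']
    );
    return $methods;
} );

// 3. Stop advertising the endpoint: WordPress adds an X-Pingback header to its
//    HTML responses, and scanners use that header to find XML-RPC targets.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
```

If you rely on Jetpack (the Protect filter below needs it), keep steps 2 and 3 but leave out step 1, and let the login limiter handle brute force on xmlrpc.php.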

  8. Delete the unused or unnecessary themes & plugins

It’s easy for a hacker to target unused themes/plugins, or things that are installed but disabled, to get past the security of your website by exploiting the vulnerabilities in those themes and plugins. As these things are already disabled on your site, you are not going to notice any prominent change in the code of those themes/plugins, and hackers use this to their advantage. Also, many times when you install a plugin on your site and then disable it, over time the actual developer of that plugin stops updating it, and hackers use vulnerabilities in those old themes/plugins to hack your site. So, always keep only the things you actually use on your site; if there is a list of plugins and themes that are installed in your WordPress installation but you don’t use them, just DELETE them. Whether it is a theme or plugin that comes with the default installation of WordPress or something you installed separately earlier, the same rule applies to them all. Only keep the things you need and get rid of the rest.

It’s a fact that the biggest security hole in a WordPress site comes not from WordPress itself but from plugins and themes. For example, the TimThumb hack, which is the largest successful hack against WordPress sites to date, came from plugins and themes that packaged the TimThumb library in their code, and not from WordPress itself.

“Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection”

  9. Secure your computers

Keep your computer secure by acting on some of these rules:

  • Keep your OS and all programs updated
  • Install Anti-Virus software
  • Use personal firewalls
  • Open sites via HTTPS whenever possible
  • Use SSH or SFTP instead of FTP

  10. Use plugins like the Jetpack Protect filter

Some people think that the Jetpack plugin is very resource consuming, but let me tell you that they are wrong about this plugin. Jetpack is actually an amazing plugin made for WordPress. The problem is that people use it in the wrong way, end up with a slow website, and point the finger at this plugin.

After installing the Jetpack plugin most people just enable all the filters available within the plugin, which is not a good thing to do. Instead, go to Jetpack Settings in your WordPress dashboard, enable only those filters you truly need for your site, and disable the rest.

But don’t forget to enable the “Protect” filter of Jetpack, as it will help keep your site from being attacked by Brute Force attackers and also safeguard your site from fake login attempts. This is a really useful filter which will not only protect your site from hackers but also safeguard it from server slowdown due to the many random requests hackers send.

  11. Use the Advanced noCaptcha reCaptcha plugin

Google noCaptcha reCaptcha is the successor of the original Google reCaptcha (v1), which used to show annoying, illegible captchas for a simple task. noCaptcha reCaptcha doesn’t show any annoying captcha; instead it just asks you to click a checkbox, and if Google thinks that your IP is suspicious it asks you to select some specific pictures from a set. This is really great and makes solving a captcha a painless process.

WordPress has an awesome plugin named Advanced noCaptcha reCaptcha which allows you to enable noCaptcha reCaptcha on your WordPress login page, signup page and even the comment form. This is great, as hacker bots can no longer just keep trying to guess the login credentials of your site, because they can’t get past the captcha.

Also, as noCaptcha reCaptcha is a Google project, you can trust that its fraud detection algorithm is up to date with the latest hacking trends. I suggest you enable this plugin for your comment form too, which will not just reduce the number of spam comments, but also save your site from hacker bots that try SQL injection via comment forms.

  12. Only use trusted themes and plugins

Always use or install themes or plugins from trusted websites, because although many sites offer completely built themes and plugins for free, there is a high chance that those themes and plugins contain malicious code which can compromise your website’s security. If you are installing free themes or plugins, only install them through your WordPress plugin installer or download them from the WordPress plugin repository.

  13. Set the proper permissions for files and folders

Always set proper and correct permissions. For example, if you have cPanel access, log in to your file manager and make sure all the files of your site have permissions set to 644 and all the directories have permissions set to 755, unless some plugin specifically asks you to set special permissions on some special folders. For example, some cache plugins ask users to set the permissions of the /wp-content/cache/ folder to 777. These are exceptional cases; for the rest of the files follow the permission structure below.

  • Folders: 755
  • Files: 644
  • wp-config.php: 444

SSH COMMAND TO CORRECT PERMISSIONS

  • find /wordpress -type d -exec chmod 755 {} \;
  • find /wordpress -type f -exec chmod 644 {} \;

Conclusion

You can remain safe if you follow the tips I’ve described above, instead of installing a bunch of plugins that slow down your site for no good reason. Think again before you choose cheap hosting services like GoDaddy, Bluehost, HostGator, JustHost, Hostdime etc. These companies sell hosting at an extremely cheap price, but you may end up with a slow and insecure hosting experience.

Securing a WordPress site is not an easy task; it’s much more than installing a security plugin and walking away. It needs a complete strategy. Some of these tips you might have known about before, but it is my hope that some were new discoveries. Sometimes, it’s the simple things you haven’t thought of yet that spell the difference between a mediocre security strategy and a great one.


Back Orifice 2000: A Step Beyond Back Orifice

The launch of Back Orifice 2000 was announced at DEF CON 7th Edition in 1999. BO 2000 was originally developed by Christien Rioux (DilDog), a member of Cult of the Dead Cow. He was on the development team of L0phtCrack (LC), the Windows password audit and recovery tool. In 2006, he co-founded Veracode, a Massachusetts-based application security company, where he is also Chief Scientist.

BO 2000 is a step up from its predecessor Back Orifice, which was developed by Josh Buchbinder (Sir Dystic) and launched at DEF CON 6th Edition in 1998. It contains several advancements over its predecessor. The first and most important of them is increased scope. Back Orifice had support for only Windows 95 and Windows 98. In addition to those two, BO 2000 has support for Windows NT, Windows 2000, Windows XP, & Windows Vista. BO 2000, also known as BO2K, has a leaner structure. It includes large organizations in its scope, whereas its predecessor’s scope was limited to individuals and small businesses. BO 2000 comes as a server-client duo and has a modular structure which makes it easy for users to add additional features. It also comes with a configuration utility which helps to configure the server application. It is difficult for network monitoring software to detect its presence. It has real-time keystroke logging and real-time desktop viewing features. It supports strong encryption.

BO2K faced moral and legal questions from the experts. It did not take long for it to be categorized as malware. F-Secure Labs categorizes it as a backdoor Trojan. McAfee Inc. profiles BO 2000 as malware of type Trojan and subtype Remote Access. It also lists a lesser known alias of BO2K, Orifice2k.srv. Symantec Corporation detects it as a Trojan variant. Microsoft too detects it as a Trojan with alert level Severe. Most of the big names in the antivirus industry have made detailed removal guides available for BO2K. The BO2K process uses various tricks to keep running on the remote system, one of them being repeatedly changing its process ID and spawning backup processes (processes which ensure the BO2K backdoor keeps running even if one process is killed). BO2K has been used by cyber criminals extensively. Although some publications such as Windows IT Pro were a bit positive about BO2K’s corporate future, in the September 2002 issue of Security Administrator Microsoft predicted, “its default stealth mode and obviously harmful intent mean the corporate world probably won’t embrace it anytime soon.” Microsoft’s firm stand against BO2K irritated Cult of the Dead Cow, and they challenged Microsoft “to voluntarily recall all copies of its Systems Management Server network software.” ZDNet was strongly against the prevailing negative sentiment around BO2K.

Despite the controversial nature of the software, there is no uncertainty regarding the fact that BO2K was an example of excellent craftsmanship in software development. The developers thought of almost everything a person might need for seamless remote administration. The last stable release of BO2K was in 2007. A lot has happened since then. It’s time for Cult of the Dead Cow to start work on a new version of BO.

SMBRelay: The Program Which Gave Microsoft a Headache for More Than 7 Years

In 2001, Cult of the Dead Cow, a US hacker group released SMBRelay. The group started in 1984 and created waves all over the world numerous times through its controversial software releases. The SMBRelay project was the brainchild of Josh Buchbinder. The hacker world knows him by the name Sir Dystic. He wrote SMBRelay in less than two weeks. He also authored Back Orifice, which was released in 1998. Similar to Back Orifice, SMBRelay too was focused on Microsoft Windows systems.

SMBRelay is an SMB MITM attack tool written mainly in C++. An MITM attack, or Man-in-the-Middle attack, is an attack which allows the attacker to sit in the middle of a communication stream between two unsuspecting parties. Through an MITM attack, the attacker can read, store, or alter the information coming from the source and simply forward it to the destination. It’s a concept known to even novice hackers. SMBRelay is not an average MITM tool. It uses some pretty advanced tactics which set it apart from other run-of-the-mill MITM tools. SMBRelay requires administrator privilege to run. Xfocus Team, a non-profit organization focused on security research, has a detailed article which explains in great depth how SMBRelay works: it “receives a connection on port 139, connects back to the connecting computer’s port 139, and relays the packets between the client and server of the connecting Windows machine, making modifications to these packets when necessary”. The interesting thing is that it is impractical to block port 139, as it is used for NetBIOS sessions. The software has built-in support for multi-threading and is capable of handling multiple connections at the same time. It generates new IP addresses in sequence and removes an IP address when the target host gets disconnected. SMBRelay stores transmitted NTLM password hashes in a text file named hashes.txt (NTLM stands for NT LAN Manager, a network security protocol suite from Microsoft). The format used is suitable for later cracking by a program such as L0phtCrack. SMBRelay is run with the smbrelay command. It gives the best results with machines such as Windows NT and Windows 2000. The compatibility with 9x and ME is not good. It cannot work with NTLMv2, which uses 128-bit encryption. A second version of the program, SMBRelay2, was released later which is compatible with “any protocol NetBIOS is bound to.”

In an interview with The Register, a world-renowned online tech outlet, Sir Dystic lambasted Microsoft for not taking care of well-known protocol flaws in order to ensure backward compatibility. He added that merely having a firewall does not offer any protection against the security flaw. Now comes the hilarious part. SMBRelay was launched on March 21, 2001. It took Microsoft more than seven years (2792 days, to be exact) to write a patch. The security bulletin MS08-068 was published on November 11, 2008. The patch fixes the vulnerability in the MS Server Message Block (SMB) Protocol. The bulletin mentioned that the vulnerability allowed remote code execution and that an attacker who successfully exploited it was able to “install programs; view, change, or delete data; or create new accounts with full user rights.” The update was rated as Important. Discussions on hacker blogs and platforms are evidence of the fact that SMBRelay still remains a tool of interest for security researchers.

Hacking of Your Car Is Possible on Android Phones

We are now living in an era of being connected to the internet or via wireless technology. From smartphones to cars, manufacturers are rushing to connect mobile phones and vehicles to perform various functions, like driverless cars and so on. Meanwhile, some mobile apps are now able to summon vehicles, just as we saw in Knight Rider. With the advancement of technology comes the danger: these phones can be hacked, and then hackers can launch terror or hijack vehicles with ease.

A test has been conducted on at least nine vehicles built by seven companies that are connected with Android apps, and they are all vulnerable to attacks. Researchers from Kaspersky, a software security firm, confirmed that most of the mobile apps, which have been downloaded over a million times, do not even have a basic software defence system for drivers to protect themselves in case of an attack. Hackers can root a phone or trick users into installing malicious code, unlock the vehicle and start the ignition.

The Ignition Remix

As of today, researchers have refused to name the specific mobile apps that they tested, for fear that their publication would help car thieves. However, they argue their studies should make the car industry consider car security in a serious manner. It is time connected car application developers treat their products just like banking apps, according to Kaspersky lead researcher Viktor Chebyshev.

In the worst-case scenario, researchers have found that a hacker can gain access to locked vehicles; vehicle thieves would require other tricks for more serious attacks, like controlling the key or disabling the vehicle’s immobiliser, which is a system that prevents vehicles from being stolen. They found that Tesla’s cars, which permit a car to be driven via a smartphone app alone, are an excellent example of how hacking a mobile phone can lead to theft, even though Tesla cars were not a part of their research.

The security experts’ analyses are based on the mobile apps themselves; they only ‘hacked’ into one of the affected vehicle models in question. And, they claim that there was no need to inject Android malware to pull off the dirty tricks thieves or terrorists could use to cause damage. They also warned that poorly built apps that lack proper coding are vulnerable to vehicle thieves, and they highlighted a case in which hacker forums are showing interest in hacking app-connected vehicles. They openly display offers to buy & sell connected vehicle app credentials, including usernames and passwords and, shockingly, even PIN numbers and the unique Vehicle Identification Numbers (VINs) of different vehicles. The usual rate runs into hundreds of dollars per such account. Chebyshev said that cybercriminals are preparing for such attacks and the vehicle industry should take notice of these online activities.

The Kaspersky security researchers have highlighted three techniques for exploiting the Android applications they tested. (iOS is much more difficult for hackers to attack.) They found that all but one app stored the username, password, or both unencrypted in the mobile device’s storage. And, after rooting the victim’s mobile phone (gaining full privileges in the phone’s OS), an expert hacker can get access to those stored account login details and send them off to his command-and-control server. Hackers could also trick vehicle owners into downloading altered/hacked versions of car apps in order to steal login details. Alternatively, car thieves can infect mobile phones with malware that launches an “overlay” attack: when the car app starts, the malware immediately detects that it is loading and preempts it with a fake user interface that steals the details and transfers them to some remote location. A hacker may also equip the malware with multiple overlays in order to spoof any connected car app the innocent victim may load.

Time to Buckle Up

The security experts also said that they have reported their findings to the several companies whose cars are highly vulnerable. However, they noted that most of the problems are not security bugs so much as a lack of proper safeguards. Encrypting the login credentials stored on the mobile device, adding two-step authentication or fingerprint authentication, or building integrity checks into the apps could work to prevent malicious code from being injected into them.

This is not the first time makers of app-connected cars have faced safeguard issues in their products. Toyota, Nissan, and Ford have also been vulnerable to hacking. It is also important to note that the problem is not solely confined to phones using Android. Security expert Samy Kamkar, back in 2015, explained how he could deploy a tiny piece of hardware hidden on a vehicle to intercept login credentials from iOS-based apps like OnStar (GM), UConnect (Chrysler), mbrace (Mercedes-Benz) and Remote (BMW), all wirelessly. Kamkar’s hacking method also allowed him to locate a car from a remote location, unlock it, and in some cases start the ignition. In such an attack, he said, there would be “no warnings”, and your car credentials would be easily stolen and reused by the hacker “without phone modifications”, comparing his attack method with the one on Android described by the security experts at Kaspersky.

As connected vehicles are gaining huge interest among buyers, researchers at Kaspersky said manufacturers must be able to lock down the mobile apps that control their products, even as both ethical malware testers and criminal hackers gear up to find flaws in their systems. It may be nice if we can open the car door without ever triggering the car alarm, however these functionalities are just being explored, said Kaspersky lead researcher Mikhail Kuzin, adding that car makers “will have to add new security features to make users lives more convenient and at the same time prevent attacks”. It’s time app makers and car makers take the utmost care with security issues, and do it right.

Career in Cyber Security

Every day millions of people get new job opportunities and millions more lose their jobs. The current world is very competitive, and to keep pace with the modern world and win the competition you need to take the right decision and choose the right career path now. In the IT industry there is a long list of job opportunities for you if you have the right skillset. You can be a software engineer, mobile application developer, web designer, sysadmin, etc. Most of the renowned companies around the world care less about academic results and more about your skill in specific fields. Among all IT professions, Cyber Security is among the most lucrative ones.

Cyber Security was once the realm of defense and government agencies, but nowadays every industry is looking for expert Cyber Security specialists. The reason behind this is crystal clear. Today every business has an online presence in one way or another. Most businesses and companies conduct their activities through the internet; a thriving modern business is impossible without the help of some type of cloud infrastructure. Whether businesses and companies are passing their data through a public internet service or a private extranet or intranet, they are vulnerable to digital attack or data breach. Even the bank you are using for money transactions, the ATM machine you are using for withdrawing money, or the POS through which you are paying the bill in the superstore near your home are all passing transaction data through a network. Almost no business can exist today without the help of the internet, and each of them needs to secure its systems from any type of digital attack over the network for a sustainable business. So, all of them need people with expertise in Cyber Security.

You may be prompted to ask about the salary and future of a Cyber Security career. I am providing some valuable information here for you. A report from CISCO says that more than one million job openings are left unfilled in the whole world, of which almost 200k job openings are left unfilled in the U.S. alone. The Cyber Security market is expected to grow to $170 billion by 2020. Your salary can range from $88k to $328k depending on your skill. So, if you can make yourself a skilled person in Cyber Security you will not have to run after jobs; instead companies will run after you.

Now, the question arises, “How can I become a Cyber Security professional?” To be a Cyber Security professional you do not need to have a Computer Science (CS) degree, but if you have a degree or background in CS it will be very helpful for your learning and your career. The learning curve is not very smooth, nor very steep. With decent analytical ability you can excel in this field. A lot of universities, companies and professional institutes provide professional training on it. CISCO is one of the leading companies providing professional IT courses, and Cyber Security is one of their main concerns. Whenever you are going to take a course on Cyber Security, make sure that they provide a certificate that is globally recognized. Compared to other IT jobs, Cyber Security jobs put more weight on professional certification. If it is hard for you to attend training physically you can take online courses. You can choose online courses from Lynda, Pluralsight, Udemy, etc. So, do not wait any more if you want a bright future. Start your learning today to ensure a better tomorrow.

Back Orifice: The Controversial Remote Administration Tool

Some programs solve problems, and some create controversies. Josh Buchbinder’s Back Orifice falls in the second category. Back Orifice was designed as a remote administration tool, but it ended up being classified as malware. Back Orifice was launched at DEF CON 6th Edition on August 1, 1998. Developer Josh Buchbinder (Sir Dystic) is a member of the hacker group Cult of the Dead Cow, which started in Texas, US.

The name Back Orifice is derived from Microsoft BackOffice Server, which was a server product bundle from Microsoft released in 1994 and discontinued in 2001. Back Orifice comprises two modules, one server module and one client module. The client module is used to control the server module running on a different machine. The client module is capable of performing a host of operations on the remote machine, including execution of any application, keystroke logging, restarting, locking, file content viewing, file transfer in both directions (to and from the remote machine), and retrieval of the screen saver password and cached passwords. It also supports screen capture, network traffic monitoring, and connection redirection. Third-party plugins can be easily added to the software. Back Orifice uses the TCP & UDP protocols and runs on port 31337. Back Orifice works on local area networks and on the internet. It’s freeware and is available for download on the Cult of the Dead Cow official site. In order to install Back Orifice, first the server application needs to be installed on the remote machine. The server application is a standalone executable file of around 122 KB. The application copies itself to the Windows system directory and adds a value carrying the server application filename to the registry. The Back Orifice server module is compatible with Windows 95 & 98 but not with Windows NT.

The press release published by Cult of the Dead Cow at the launch mentions that the main goal of releasing the software into the public domain was to draw people’s attention to the serious security flaws of the Microsoft Windows operating system. It also criticized Microsoft for their lackluster attitude toward security. In spite of its noble motive, the software was categorized by the leading antivirus companies as malware, and not without reason. First, the server application deletes itself when executed. Second, the server application does not show up on the Windows task list. Third, it automatically starts every time Windows starts. Symantec Corporation explains, “the tool can be used by an unscrupulous user (e.g., the attacker) to compromise the security of a computer running Windows 95 or Windows 98, for example, to steal secret documents, destroy data, etc.” Due to its ease of use, Back Orifice was a favorite among wannabe hackers. It was used by hackers as a Trojan horse. Most antivirus solutions automatically detect and take appropriate action against Back Orifice. It can also be removed manually by running the MS-DOS command DEL C:\WINDOWS\SYSTEM\EXE~1.

Although it is arguable whether Back Orifice missed its intended goals, being accepted as a reliable remote administration tool and increasing security awareness among users, it will always be considered an important milestone in security research.