Attacking WordPress sites run by the information-poor
I wrote about how to attack WP, but if you take the minimum security measures when building a WP site, you won’t end up in the situation described in the previous article. So, here are the minimum measures.
The more complex your login password is, the more difficult it will be to crack. Google “create a password” and use a password-generation site. You don’t need to remember the password: just save it in your browser, or let iOS or another operating system remember it and unlock it with your fingerprint or face. I know it’s obvious, but I wonder how many sites don’t do this.
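As an added illustration of why a long, random password is hard to crack (this is example code, not part of the original post), the script below generates a password with Python’s CSPRNG-backed secrets module and shows how entropy grows with length. The 94-symbol alphabet and the guess rates are assumptions chosen for illustration, not measurements.

```python
import math
import secrets
import string

# Assumed alphabet: all printable ASCII letters, digits and punctuation (94 symbols).
# Any alphabet works; entropy is computed from the alphabet actually used.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password drawn with the secrets module (a CSPRNG),
    never with random.choice, whose output is predictable."""
    if length < 12:
        raise ValueError("length below 12 gives too little entropy")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time at a given guess rate (half the keyspace on
    average). The guess rate is an assumption supplied by the caller."""
    seconds = (2.0 ** bits) / 2.0 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print("generated:", generate_password(20))
    for length in (8, 12, 16, 20):
        bits = entropy_bits(length)
        # Assumed rate: 1e9 guesses/s for an offline attack on a leaked hash;
        # guessing through a live login form is orders of magnitude slower.
        print(f"{length} chars: {bits:.1f} bits, "
              f"~{expected_crack_years(bits, 1e9):.3g} years at 1e9 guesses/s")
```

Saving the generated value in a browser or OS password manager, as the text suggests, is what makes a 20-character random password practical.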
First of all, if you have a corporate site, do not use the following kind of easily guessed email address for the WP administrator account.
If you can create an email address for your site, make it something a little harder to guess, like “[email protected]”. Also, avoid “admin”, the company name, the representative’s name and the like for the WP administrator’s user name.
The default login URLs are “/wp-login.php” and “/wp-admin”, so they attract login attempts. The WPS Hide Login plugin lets you move the login page to a different path:
https://ja.wordpress.org/plugins/wps-hide-login/
For example, “/1015-login” would be fine.
BASIC authentication is also easy to set up, so apply it as well. Just create a .htpasswd file and reference it from your .htaccess. This step is important. The browser can save the authentication information for you.
If you google “create htpasswd”, you will easily find out how to create the file.
# .htaccess
# Part 1: require Basic auth for direct requests to wp-login.php.
<Files wp-login.php>
    AuthUserFile "/your_server_path/.htpasswd"
    AuthName "Basic Auth"
    AuthType Basic
    Require valid-user
    # Set explicitly: without it the "Satisfy Any" in part 2 is inherited into
    # this block and, combined with "Allow from all", lets wp-login.php through
    # without a password.
    Satisfy All
</Files>

# Part 2: the renamed login URL (here /1015-login, as configured in WPS Hide Login)
# is handled by index.php, so <Files> cannot match it. Instead, mark such requests
# with an environment variable, deny them at the host level, and let "Satisfy Any"
# admit them only when Basic auth succeeds. Everything else stays open.
# Order/Allow/Deny is Apache 2.2 syntax; Apache 2.4 needs mod_access_compat for it.
Satisfy Any
SetEnvIf REQUEST_URI "^/1015-login(.*)" restricted_url
Order allow,deny
Allow from all
Deny from env=restricted_url
AuthUserFile "/your_server_path/.htpasswd"
AuthGroupFile /dev/null
AuthName "Restricted Files"
AuthType Basic
Require valid-user
By the way, BASIC authentication only base64-encodes the password and sends it in an unencrypted request header. That’s why some people say it’s easily decoded and can be breached, but what? What? Stake out a cafe for hours, wait for someone to log in to WP over the cafe’s wifi, then break into the router to intercept that person’s traffic and get through BASIC authentication? I’m sure it’s possible, but the effort it costs is deterrent enough.
Leaving xmlrpc.php accessible is very dangerous. WP is stupid: it’s enabled by default. You can block access to it as follows.
# .htaccess
# Block every request to xmlrpc.php (Apache 2.2 syntax; Apache 2.4 needs
# mod_access_compat). Jetpack and the WordPress mobile apps rely on XML-RPC,
# so re-enable it only if you actually use them.
<Files xmlrpc.php>
    Order Allow,Deny
    Deny from all
</Files>
This xmlrpc.php is what I wrote about in How to Attack WP. Also, if you check the access logs of many WP sites, you will see a lot of suspicious requests to xmlrpc.php. In other words, there are rogues all over the world hammering on xmlrpc.php.
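To see what those suspicious accesses look like in a log, here is an added example (not from the original post) that parses Apache combined-format access log lines, flags clients that POST repeatedly to xmlrpc.php or the login endpoints within a short window, and counts Basic-auth rejections (401s). The log lines are constructed for this example using RFC 5737 documentation addresses, and the /1015-login slug is an assumption matching the .htaccess example above.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in Apache "combined" log format; the IPs are
# documentation ranges (RFC 5737) and the requests are made up for this example.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Apr/2022:03:14:01 +0900] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2022:03:14:02 +0900] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2022:03:14:02 +0900] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2022:03:14:03 +0900] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
203.0.113.10 - - [10/Apr/2022:03:14:03 +0900] "POST /xmlrpc.php HTTP/1.1" 200 412 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Apr/2022:03:20:11 +0900] "GET /wp-login.php HTTP/1.1" 200 1250 "-" "curl/7.79"
198.51.100.7 - - [10/Apr/2022:03:20:12 +0900] "POST /wp-login.php HTTP/1.1" 200 1250 "-" "curl/7.79"
198.51.100.7 - - [10/Apr/2022:03:20:13 +0900] "POST /wp-login.php HTTP/1.1" 200 1250 "-" "curl/7.79"
198.51.100.7 - - [10/Apr/2022:03:20:14 +0900] "POST /wp-login.php HTTP/1.1" 200 1250 "-" "curl/7.79"
198.51.100.7 - - [10/Apr/2022:03:20:15 +0900] "POST /wp-login.php HTTP/1.1" 200 1250 "-" "curl/7.79"
192.0.2.44 - - [10/Apr/2022:09:00:00 +0900] "GET /1015-login HTTP/1.1" 401 381 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2022:09:00:05 +0900] "GET /1015-login HTTP/1.1" 200 1250 "-" "Mozilla/5.0"
192.0.2.44 - - [10/Apr/2022:09:00:20 +0900] "POST /1015-login HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

# Endpoints worth watching: xmlrpc.php, the stock login script, and the renamed
# login slug (assumed to be /1015-login, as in the .htaccess example).
WATCHED_PATHS = {"/xmlrpc.php", "/wp-login.php", "/1015-login"}

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"].split("?", 1)[0],  # drop any query string
        "status": int(m["status"]),
    }


def max_in_window(times, window: timedelta) -> int:
    """Largest number of timestamps that fall inside any sliding window."""
    times = sorted(times)
    best = start = 0
    for end, t in enumerate(times):
        while t - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_bursts(lines, window=timedelta(seconds=60), threshold=3):
    """Return {(ip, path): count} for clients that POST to a watched endpoint at
    least `threshold` times within `window`, the usual shape of a credential-
    guessing run against xmlrpc.php or the login form."""
    buckets = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"] in WATCHED_PATHS:
            buckets[(rec["ip"], rec["path"])].append(rec["ts"])
    flagged = {}
    for key, times in buckets.items():
        n = max_in_window(times, window)
        if n >= threshold:
            flagged[key] = n
    return flagged


def auth_failures(lines):
    """Count 401 responses per client on the watched paths; these are the Basic
    auth rejections produced by the .htaccess rules above."""
    counts = defaultdict(int)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["path"] in WATCHED_PATHS and rec["status"] == 401:
            counts[rec["ip"]] += 1
    return dict(counts)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (ip, path), n in sorted(find_bursts(lines).items()):
        print(f"burst: {ip} -> {path} ({n} POSTs within 60s)")
    for ip, n in auth_failures(lines).items():
        print(f"basic-auth rejected: {ip} ({n} x 401)")
```

Running it on a real access_log (for example `find_bursts(open("/var/log/apache2/access.log"))`) gives a quick picture of who is hitting xmlrpc.php; after the Deny rule above is in place those requests should show up as 403s rather than 200s.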
All of the above settings can also be done with plugins, so if you’re interested, Google it.
The corporate website of a company I know was a perfectly serious company website, yet it ended up covered with pornographic banners. It’s better to raise security as much as possible, that’s for sure. You may think, “My company doesn’t collect personal information, and no one will target my site.” But your site might be hacked and used as a stepping stone to attack other sites, dragging you into criminal activity. Then, even though you committed no crime, the police may come and take you away, and you may have to eat katsudon until your innocence is proven.