
Hardening Wordpress And Making It Hacker-Fabulous


0062


OK, so I believe a member of this community has developed a hot new WordPress attack scanner. I've got my scanner plugins installed but I still feel like my WordPress site is a huge pile of SQL vulnerabilities and opportunities for leaking databases, XSS, RFI/LFI, and other penetration.

Beyond having a scanner plugin, what more can I do to harden WordPress? Is it an intrinsically vulnerable system or can the security be pretty tight? Frankly, I have a $100 reward for anyone who hacks my site and I want to post even more tempting challenges for people to hack it, but I feel like right now it's just not up to snuff [it's not really ready yet, so don't ask for the URL lol].

In addition to security I would like my WordPress to look leet, have some leet features, and ideally not be recognized as WordPress. I used to build websites in the 90's and early 00's, but I just have not had the time to stay current, thus WordPress is a very attractive option. But I feel like some lamer having this cookie-cutter pre-coded solution... so can I at least hack it in the sense of making it appear to be a hand coded site?

I have a plugin called hide-login that changes some of the default WordPress directories and I've modified a public domain theme to remove the dead giveaways, but what more can I do?

Finally, what are your favorite themes for hacking/tech stuff, if any? I like the Commodore theme but its formatting doesn't hold up well on anything but desktop based IE and Chrome.


Securing WP, Joomla etc is relatively simple:

1. install it in a local virtual machine

2. create content

3. transform the website into a static html website (e.g. jekyll)

4. put the static html on your hosting

This does not work for websites that absolutely need a lot of scripting like online shops ...

btw, your reward is dangerous, I don't know how your hosting is but probably you are on a shared server with a bunch of others who will suffer if some script kiddie puts the server down ... A lot of shared hosting is not very well defended ... And of course they might come and blame you for it ... Since people might actually try something on your website without having a decent contract with you and your hosting firm I'm confident it will be considered illegal in most countries ...

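A check that goes with step 3 and 4 above, added here as an example and not code from the poster: once the site has been mirrored to static HTML, scan the export for links that still point at live WordPress entry points (wp-login.php, xmlrpc.php, wp-admin, admin-ajax.php, wp-comments-post.php). The sample export and the example.invalid hostname are constructed for the demo; the endpoint names are WordPress's own.

```python
"""Check a static export of a WordPress site for leftover dynamic endpoints."""
from html.parser import HTMLParser

# Paths that only make sense on a live WordPress install. A static export
# should reference none of them; any hit is a form or link that will either
# break or quietly point users at an install that is no longer meant to be up.
DYNAMIC_ENDPOINTS = (
    "wp-login.php", "xmlrpc.php", "wp-admin/", "admin-ajax.php",
    "wp-comments-post.php", "?s=",
)


class _LinkCollector(HTMLParser):
    """Collect every href/src/action value from a page."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src", "action") and value:
                self.urls.append(value)


def find_dynamic_references(html: str) -> list:
    """Return the URLs in `html` that point at a live-WordPress endpoint."""
    parser = _LinkCollector()
    parser.feed(html)
    return sorted({u for u in parser.urls if any(e in u for e in DYNAMIC_ENDPOINTS)})


def static_export_report(pages: dict) -> dict:
    """Map each page path to its leftover dynamic references; empty dict means clean."""
    report = {}
    for path, html in pages.items():
        hits = find_dynamic_references(html)
        if hits:
            report[path] = hits
    return report


# Constructed sample export: one page still carries a comment form and a login link.
SAMPLE_EXPORT = {
    "index.html": "<html><body><a href='/about/'>About</a><img src='/img/logo.png'></body></html>",
    "post/hello.html": (
        "<html><body><p>Hello</p>"
        "<form action='https://example.invalid/wp-comments-post.php' method='post'></form>"
        "<a href='https://example.invalid/wp-login.php'>Log in</a></body></html>"
    ),
}

if __name__ == "__main__":
    for path, hits in static_export_report(SAMPLE_EXPORT).items():
        print(f"{path}: {', '.join(hits)}")
```

A comment form showing up in the report is exactly the case the post warns about: features that need server-side code do not survive the static conversion.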

Thanks iHackforFun! :)

You had some good ideas. I do need my MySQL databases running though, because I have comments, galleries, and plans for more community building. I did forget to mention I have Cloudflare enabled so DDOS is not a concern.

btw, your reward is dangerous, I don't know how your hosting is but probably you are on a shared server with a bunch of others who will suffer if some script kiddie puts the server down ... A lot of shared hosting is not very well defended ... And of course they might come and blame you for it ... Since people might actually try something on your website without having a decent contract with you and your hosting firm I'm confident it will be considered illegal in most countries ...

ROFL ROFL, no, no it's neither illegal nor against the Terms of Service. You don't have to be a digital gangster to challenge people to hack you LOL. Many sites do this and I can't imagine why it would be against anyone's rules (and on that note I'll reward anyone who can hack this account). Providing hack-this contests is a vital part of the hacking community and hacking history because it gives up and coming hackers some legitimate targets so that they don't have to break the law.

I've been hacking hackthissite.org for years myself. I think you were in the DDOS mindset, but not only do I not consider that hacking (officially in my contest and as a matter of taste), it's a non-issue because in addition to Cloudflare the host has secure servers and is extremely helpful with my website. He's certainly seen it many times and has no objection to say the least.


Wordpress for the most part is secure, with the rare bug here and there. It's for the most part, and generally, all 3rd party plug-ins and themes that get you into trouble. Especially ones you buy from one-off designer sites or places like ThemeForest, that offer pretty much anyone the ability to sell their themes, then have them updated from the designers' sites, where bugs get introduced by copying and pasting in other people's code, over and over again, without ever checking to see if the original authors put out security updates.

With respect to the attack scanner plug-in, that's a project myself and Bwall put together, and unless you are running the full version of the plug-in, you are only logging attacks on your site, not preventing them. The free version of our plug-in is to log and show you what kinds of attacks are being launched at your site. You can use that to keep on top of things, but if you want the potential attacks blocked, for one that may exist on your site, you would need the full version of the plug-in which has a built-in firewall and more rules and features to stop attacks. File upload vulnerabilities for example, from non-logged-on admins, we don't log that in the free version. We not only log it, but also block it in the full version.

With regard to any site, and any CMS package you choose, they all have their weaknesses. More important are the safeguards you take in hardening your website itself, the server OS, and software other than the CMS too, because even with a plug-in like ours, it can't prevent attacks outside of Wordpress or ones we aren't actively looking for, so if you had say a script such as a file uploader, that lives outside of the WordPress umbrella and we can't see it, you won't be protected from someone abusing it. We also can't see other attacks that don't involve wordpress, such as brute force attempts say on your FTP or SSH logins, which are outside the scope of WordPress to begin with, so to secure and harden your site, it involves just as much work to secure WordPress, as it does the rest of the server.

Nothing is foolproof. The only thing you can do with security, is make it harder for someone to get in. That's all ANY security product can ever hope to do, no matter what the OS, and no matter what the security product, or vendor tells you. You can only do what you can, to make it that much harder for someone to get in, and with enough time, and expertise, someone trying to get in, will get in, and it might not even involve physically hacking their way into your system as much as it might be a simple phish, or social engineered attack to get you to do something the attacker wants you to do, such as clicking a link, or reading an email.

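The point above, that a WordPress plug-in cannot see login guessing against SSH or FTP, is one the server's own logs can cover. Added example (not the plug-in's code and not from the poster): it counts wp-login.php POSTs per source in an Apache-style access log and "Failed password" lines per source in an OpenSSH auth log, then reports sources that cross a threshold on either service and whether the same source hit both. The log lines, hostnames and addresses are constructed for the demo.

```python
"""Correlate login guessing across wp-login.php (web log) and sshd (auth log)."""
import re
from collections import defaultdict

# Constructed sample lines; formats follow Apache combined log and OpenSSH syslog.
ACCESS_LOG = """\
203.0.113.7 - - [10/Oct/2013:13:55:36 +0000] "POST /wp-login.php HTTP/1.1" 200 3127 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:37 +0000] "POST /wp-login.php HTTP/1.1" 200 3127 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Oct/2013:13:55:38 +0000] "POST /wp-login.php HTTP/1.1" 200 3127 "-" "Mozilla/5.0"
198.51.100.2 - - [10/Oct/2013:13:56:01 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""
AUTH_LOG = """\
Oct 10 13:57:02 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 10 13:57:04 web1 sshd[2101]: Failed password for root from 203.0.113.7 port 51022 ssh2
Oct 10 13:57:09 web1 sshd[2103]: Failed password for invalid user admin from 203.0.113.7 port 51030 ssh2
Oct 10 14:01:11 web1 sshd[2110]: Accepted publickey for deploy from 198.51.100.2 port 40110 ssh2
"""

# Source address is group 1 in both patterns.
WP_LOGIN_POST = re.compile(r'^(\S+) .*"POST /wp-login\.php')
SSH_FAILED = re.compile(r'sshd\[\d+\]: Failed password for .* from (\S+) port')


def count_by_ip(text: str, pattern: re.Pattern) -> dict:
    """Count matching lines per source address."""
    counts = defaultdict(int)
    for line in text.splitlines():
        m = pattern.search(line)
        if m:
            counts[m.group(1)] += 1
    return dict(counts)


def correlate(access_log: str, auth_log: str, threshold: int = 3) -> dict:
    """Per-IP counts for sources that reached `threshold` on either service."""
    web = count_by_ip(access_log, WP_LOGIN_POST)
    ssh = count_by_ip(auth_log, SSH_FAILED)
    result = {}
    for ip in set(web) | set(ssh):
        w, s = web.get(ip, 0), ssh.get(ip, 0)
        if w >= threshold or s >= threshold:
            result[ip] = {"wp_login_posts": w, "ssh_failures": s, "both": w > 0 and s > 0}
    return result


if __name__ == "__main__":
    for ip, info in correlate(ACCESS_LOG, AUTH_LOG).items():
        print(ip, info)
```

A source that shows up on both services is worth blocking at the host firewall rather than only in WordPress, since the plug-in only ever sees the web half.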

@0062:

Speaking as a professional penetration tester, if in Europe you try to hack a site/webserver without signing a contract (your invitation is by no means a contract, I cannot even validate you have the rights to a certain website) you will be in trouble (in case they find out who you are). Even with the correct contracts in place between the both of us and your hosting, I would not be safe, any ISP seeing traffic that is obviously malicious could cut off the connection (not that they are monitoring or even willing to do so) and in case something goes wrong (let's say I take the server offline by accident) all these legal documents are not guaranteed to keep me out of court ...

I'm not claiming that many people get caught or are running into trouble with this but then again I don't want to be that one person they want to make an example of :-)

If you want your wordpress install tested, a better way would be to install it in a virtualbox or other VM and make it available for download, that way anybody can test without risks and still report problems back to you ... The web server security is not tested this way but since that is up to your hosting you probably care less about that anyway ...
