WordPress Potential Attack Flows – How To Fix – MVC


Is WordPress your MVC of choice? Do you run a LIVE WordPress site? Then the crucial questions are:

  • How secure is your WordPress MVC?
  • How crucial is your WordPress MVC to your business?
  • Is your WordPress mission critical?

Then you are at serious risk if you do not follow the next steps… There are many ways to protect a site, but a rule of thumb states that the first step is the best step! Alternatively you could google “WordPress Security”, and yes, one can write code snippets to counteract these attacks, but WordPress is always under development, so new updates are to be expected. Version control (Git / Google Code) should therefore be a priority!

I am confident that this down-to-earth advice is well placed to deliver success and stealth on an individual basis.

To secure your WordPress MVC and make it harder for unwanted individuals to attack your website, a series of security measures has to be rolled in, tested and stabilised.

  • Backups – As a rule of thumb, a backup process must be implemented through CRON or other means, and make sure these backups are kept off site! This is a Data Protection Act 1998 (UK) requirement!!!
  • Rename the wp-admin folder (the most important of ALL) – Be very careful with this!!! Easier steps on how to do this are coming!
  • .HTACCESS file – specific and stealthy enough not to allow a site-critical web directory to be mirrored with HTTrack.
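An added example of such an .htaccess for the WordPress document root (not from the post or any plugin it names; the user-agent pattern and file patterns are assumptions to adapt to your own site):

```apache
# Added example .htaccess for the WordPress document root; not from the post or any
# plugin it names. Apache 2.4 syntax: on Apache 2.2 replace "Require all denied"
# with "Order deny,allow" followed by "Deny from all".

# No directory listings: a bare "Index of /wp-content/uploads" is a map for a mirroring tool.
Options -Indexes

# Refuse site-mirroring tools such as HTTrack by user agent. The client chooses its
# own user agent, so this stops default configurations only; treat it as one layer,
# not as the protection itself. Extend the pattern with other agents you see in logs.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteCond %{HTTP_USER_AGENT} HTTrack [NC]
    RewriteRule .* - [F,L]
</IfModule>

# wp-config.php holds the database credentials: never let Apache serve it.
<Files wp-config.php>
    Require all denied
</Files>

# Likewise .htaccess/.htpasswd and any backup or database dump left in the web root
# (assumed extensions; match whatever your backup process actually writes).
<FilesMatch "^(\.ht.*|.*\.(bak|sql|sql\.gz|zip))$">
    Require all denied
</FilesMatch>
```

Place the file above the `# BEGIN WordPress` block so the denials apply before WordPress' own rewrite rules run.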

System integrity, folder rights and many more security flaws, as well as setting up the right .HTACCESS, can be addressed by making use of the following plugins:

Acunetix Secure WordPress (by far one of the greatest tools on the market!) – This basically allows you to tailor your WordPress installation (backend / frontend) to fit your business / organisation requirements! My recommendation is to make a backup first (so easy with this plugin), then turn all RED lights to GREEN (not for the faint-hearted)! Document every change and archive the procedures undertaken!

This is a free and comprehensive security tool that helps you secure your WordPress installation and suggests corrective measures for securing file permissions, database security, version hiding, WordPress admin protection and lots more:

  • Passwords
  • File permissions
  • Database security
  • Version hiding
  • WordPress admin protection/security
  • Removes the WP Generator META tag from core code

Akismet – This checks your comments against the Akismet web service to see if they look like spam or not and lets you review the spam it catches under your blog’s “Comments” admin screen.

Prevent XMLRPC (something to consider) – There’s a vulnerability in WordPress’s XMLRPC implementation that permits trackback spam, even when you disable trackbacks. The only way to prevent this spam is to disable XMLRPC entirely. Some people have suggested renaming or deleting the xmlrpc.php file, but this is not a good idea, because it alters core code and is not trivial for novice users to undo. This plugin completely disables WordPress’s XMLRPC functions and doesn’t alter or rename any core files. You can enable XMLRPC again by simply disabling this plugin.

See http://www.acunetix.com/blog/web-security-zone/wordpress-pingback-vulnerability/ for detailed information about the vulnerability in WordPress’s XMLRPC handler.
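The same effect can be had without any plugin, through WordPress' own filters. This is an added example (not the Prevent XMLRPC plugin's code) that also covers the version-hiding item from the Acunetix list above; it assumes a single-site install and goes into wp-content/mu-plugins/:

```php
<?php
/*
Plugin Name: XML-RPC Off and Version Hiding (added example)
Description: Drop this file into wp-content/mu-plugins/. It turns XML-RPC off through
WordPress' own filters and hides the version string; no core file is renamed or edited,
and deleting the file restores the stock behaviour.
*/

// 1. Mark XML-RPC as disabled. The XML-RPC server reads this flag, but only for methods
//    that authenticate first (wp.*, blogger.*, ...). pingback.ping needs no login, so
//    this flag alone does NOT stop pingback traffic; step 2 handles that.
add_filter( 'xmlrpc_enabled', '__return_false' );

// 2. Unregister the pingback methods themselves, so a pingback request receives a
//    "method not found" fault instead of being processed.
add_filter( 'xmlrpc_methods', function ( $methods ) {
    unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
    return $methods;
} );

// 3. Stop advertising the endpoint: the X-Pingback response header and the RSD
//    discovery <link> in the page head both point clients at xmlrpc.php.
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );
remove_action( 'wp_head', 'rsd_link' );

// 4. Version hiding (the "WP Generator META tag" item above): the <meta name="generator">
//    tag and the generator element in feeds announce the exact WordPress version.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
```

Verify with a POST to xmlrpc.php that calls `pingback.ping`: the reply should be a fault, not a "Pingback from ..." success, and the `X-Pingback` header should be absent from normal page responses.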

WTC Comment Cleaner – If you receive comments through your WordPress blog website, then there is a high chance that one day, not some day, you will fall prey simply by having allowed malicious code into your comments.

This plugin prevents your blog visitors from adding malicious code to their comments by stripping out all HTML, CSS and JavaScript tags from comments, except those you allow on the plugin’s page, thus enhancing your blog’s security.
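How such an allow-list works underneath, as an added example (not the WTC Comment Cleaner code): the tag list and the `cta_` names are assumptions, and the file goes into wp-content/mu-plugins/.

```php
<?php
/*
Plugin Name: Comment Tag Allow-list (added example)
Description: Drop into wp-content/mu-plugins/. Keeps only an explicit allow-list of
tags and attributes in visitor comments; everything else (script, style, iframe, inline
event handlers, javascript: links) is stripped before the comment is stored.
*/

// Hypothetical allow-list; extend it only with tags you actually want readers to use.
function cta_allowed_tags() {
    return array(
        'a'      => array( 'href' => true, 'title' => true ),
        'em'     => array(),
        'strong' => array(),
        'code'   => array(),
    );
}

function cta_clean_comment( $content ) {
    // wp_kses() removes every element and attribute not listed (keeping the text
    // inside removed elements) and strips disallowed URL schemes such as javascript:
    // from href. Constructed input:
    //   Nice post <script>alert(1)</script><a href="javascript:x" onclick="y">link</a>
    // leaves the script text without its tags, drops onclick, and removes the scheme.
    return wp_kses( $content, cta_allowed_tags() );
}

// Before storage: the raw markup never reaches the database. Priority 1 runs it ahead
// of the default kses filter, which uses WordPress' broader comment allow-list.
add_filter( 'pre_comment_content', 'cta_clean_comment', 1 );

// On output as well, so comments approved before this file was installed are covered.
add_filter( 'comment_text', 'cta_clean_comment', 1 );
```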

Rename wp-login.php (a must for all WordPress sites) – If someone knows the location of your house’s back door without your consent, then there is a serious issue to address. Before I got into WordPress I was, and still am, intensely into Joomla, and pound for pound WordPress has impressed me with its versatility and capability towards providing optimum service at a fraction!

But we’re coders, and out there… surely there are decoders, so the game never ends!

PLEASE RENAME OR STEALTH EVERY MISSION-CRITICAL DIRECTORY OR FILE

DO NOT LET THE OUTSIDE WORLD GUESS WHERE THE BACKDOOR / BACKEND OF YOUR SYSTEM IS LOCATED

This is a very light plugin that lets you easily and safely change wp-login.php to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. The wp-admin directory and wp-login.php page become inaccessible, so you should bookmark or remember the URL. Deactivating this plugin brings your site back exactly to the state it was in before. And I must admit every WordPress site should have this plugin! It is so easy for someone to maliciously DoS a site!
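The interception the post describes, written out as an added example (not the Rename wp-login.php plugin's own code): the slug `house-key`, the `lse_` names and the single-site, pretty-permalink setup are assumptions.

```php
<?php
/*
Plugin Name: Login Slug Example (added example, not the "Rename wp-login.php" plugin)
Description: Drop into wp-content/mu-plugins/. The login form is served only at a secret
slug; wp-login.php and wp-admin answer 404 to anyone not logged in. No core file is
touched and no rewrite rule is added; deleting this file restores everything. Assumes
pretty permalinks, so that a request for /<slug> reaches WordPress' index.php at all.
*/

// Hypothetical slug. Treat it like a key: document it in company policy, not in public code.
const LSE_SLUG = 'house-key';

function lse_request_path() {
    // Request path relative to the WordPress home path, without a trailing slash.
    $path = parse_url( $_SERVER['REQUEST_URI'], PHP_URL_PATH );
    $base = untrailingslashit( (string) parse_url( home_url( '/' ), PHP_URL_PATH ) );
    return untrailingslashit( substr( $path, strlen( $base ) ) );
}

function lse_rewrite_login_links( $url ) {
    // Every URL WordPress builds for wp-login.php (login, logout, lost password, and
    // the redirects wp-login.php itself issues) points at the slug instead.
    return str_replace( 'wp-login.php', LSE_SLUG, $url );
}
add_filter( 'site_url', 'lse_rewrite_login_links' );
add_filter( 'network_site_url', 'lse_rewrite_login_links' );
add_filter( 'wp_redirect', 'lse_rewrite_login_links' );

add_action( 'plugins_loaded', function () {
    global $pagenow;
    if ( lse_request_path() === '/' . LSE_SLUG ) {
        // Let the rest of bootstrap behave as if wp-login.php had been requested, then
        // hand the request to the real wp-login.php once WordPress is fully loaded.
        $pagenow = 'wp-login.php';
        add_action( 'wp_loaded', function () {
            require_once ABSPATH . 'wp-login.php';
            exit;
        } );
    }
}, 1 );

add_action( 'wp_loaded', function () {
    global $pagenow;
    $direct_login = ( 'wp-login.php' === $pagenow && lse_request_path() !== '/' . LSE_SLUG );
    // admin-ajax.php stays reachable; add other anonymous admin entry points you rely on.
    $admin_anon = is_admin() && ! is_user_logged_in() && ! ( defined( 'DOING_AJAX' ) && DOING_AJAX );
    if ( $direct_login || $admin_anon ) {
        // Same reply as for any unknown URL, so a scanner cannot confirm the login location.
        wp_die( 'Not found', 'Not found', array( 'response' => 404 ) );
    }
}, 0 );
```

Test it logged out: /wp-login.php and /wp-admin/ must both return 404, while /house-key shows the login form and the "Lost your password?" and logout links all stay on the slug.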

NB. Remember the name that you have given as the parse for the wp-admin directory, for that will be the link to use to log in in future!

Make sure to enforce company / organisation policy once the name parse is implemented (guess this is the secret of the house).

Once the name parse is implemented, log out, then try:

[Screenshot from 2014-07-08 01:31:53]

Good Luck

Posted in MVC
One comment on “WordPress Potential Attack Flows – How To Fix – MVC”

  1. nextdime says:

    Reblogged this on NextDime Networks and commented:

    Secure your WordPress Blog or Face The Consequences!
