Preparing for a Penetration Test - wordpress

I have made the case for using WordPress as a CMS for an important project.
IT has challenged me to build out this base WP installation alongside the local (WAMP) served intranet and lock it down the best I can. They will then attack the installation with enterprise level penetration testing software.
I am only privy to a minimum amount of detail; however, some of the security tools I am up against have been mentioned and will be used in conjunction with enterprise-level software:
Kali.org
Tools from darknet.org.uk
Watabo
What I've done:
Wiped all basic WP out-of-the-box data such as Administrator username, changed login page URL, removed ajax calls, leveraged all options within iThemes Security plugin (which is pretty impressive) and a few of my own.
My question is for advanced advice on securing WordPress running the 2015 theme, its PHP framework and its database: proper .htaccess configuration and possible pitfalls, and any advanced methods of securing a website where it's likely to fail a pen test.

It's not easy to make a website completely invulnerable, especially if you have chosen WordPress.
You should update your WordPress website constantly. That means you have to follow all the updates and install them immediately. Sometimes that's not easy to do if everything is working as it should and the database is not small. WordPress is the most popular open-source CMS in the world, and many people want to crack it, write crawlers that search for vulnerabilities online, etc.
Simple steps to increase the security of any website:
Close any port you don't use, or install a firewall, TCP wrappers, etc.
Don't use FTP, ever. Use SSH instead.
Don't set 777 permissions on the whole folder. Make it 555, and when you need to upload an image or something else, change the permissions to 777 or 755 (if you do it over SSH). After doing your job, change the permissions back to 555. Nobody could upload a payload or other malicious code to your website through the front end if it isn't writable.
Check your website for SQL injection vulnerabilities.
Don't use simple passwords. You could even change your passwords every month.
Don't duplicate passwords.
Regularly update your software.
For back-end security you could use an IDS, for example Snort - https://www.snort.org/, but it's not easy to configure properly. Furthermore, you need to understand how a network works, TCP/IP, attack types and much more.
Use OpenBSD as your server operating system if you do not understand information security well. It was created with an emphasis on security.
Take a network scanner (for example nmap) and test your server for vulnerabilities.
Finally: I wouldn't recommend using WordPress if you need reliable security :) and to say more I would need to take a look at the website.
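As an added example that is not part of the original question or answer: the script below applies the usual least-privilege WordPress permission scheme (755 directories, 644 files, 640 wp-config.php, nothing world-writable) and writes a hardened .htaccess that blocks direct reads of wp-config.php and disables PHP execution under wp-content/uploads. The directory layout, the placeholder paths and the Apache 2.4 `Require` syntax are assumptions (on Apache 2.2 the equivalent is `Order deny,allow` / `Deny from all`); it also assumes PHP runs as the user that owns the files, which is typical for a single-user WAMP box.

```sh
#!/bin/sh
# Added example (not from the original thread): least-privilege permissions
# and a hardened .htaccess for a WordPress document root on Apache 2.4.
# Assumptions: PHP runs as the user that owns the files, so 755/644 is enough
# for uploads; the "Require" directives need Apache 2.4 (use
# "Order deny,allow" / "Deny from all" on 2.2); file layout is stock WordPress.
set -eu

# Directories 755, files 644, wp-config.php 640 (it holds DB credentials and
# salts). Nothing under the web root should be world-writable.
wp_set_perms() {
    root=$1
    find "$root" -type d -exec chmod 755 {} +
    find "$root" -type f -exec chmod 644 {} +
    if [ -f "$root/wp-config.php" ]; then
        chmod 640 "$root/wp-config.php"
    fi
}

# Count world-writable entries (symlinks excluded); the goal is 0.
wp_world_writable() {
    find "$1" ! -type l -perm -002 | wc -l | tr -d ' '
}

# Root .htaccess: the standard permalink rewrite, no directory listings, and
# no direct reads of wp-config.php, .htaccess, or the version-revealing files.
wp_write_htaccess() {
    root=$1
    cat > "$root/.htaccess" <<'EOF'
# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

# Needs AllowOverride Options (or All) in httpd.conf, otherwise Apache answers 500.
Options -Indexes

<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>
EOF
    # Uploads are attacker-influenced content: never execute PHP from there,
    # even if a disguised .php file gets past WordPress's upload checks.
    mkdir -p "$root/wp-content/uploads"
    cat > "$root/wp-content/uploads/.htaccess" <<'EOF'
<FilesMatch "\.(php|phtml|php[0-9]|phar)$">
    Require all denied
</FilesMatch>
EOF
}

# Write the .htaccess files first so the permission pass covers them as well.
wp_harden() {
    wp_write_htaccess "$1"
    wp_set_perms "$1"
}

# Usage: sh harden-wp.sh /var/www/html   (the path is a placeholder)
if [ $# -gt 0 ]; then
    wp_harden "$1"
    printf 'world-writable entries: %s\n' "$(wp_world_writable "$1")"
fi
```

Two pitfalls worth knowing before the pen test: `Options -Indexes` (and the `FilesMatch` blocks) only take effect if the `<Directory>` block for the document root has `AllowOverride All` or at least `Options` and `Limit`, and a mismatch produces a 500 rather than a silent no-op; and if PHP runs as a different user than the file owner (PHP-FPM or a shared host), uploads need group write (775) for that user's group, not 777. Running `wp_world_writable` after any plugin or theme install is the quick check that nothing reintroduced a writable directory.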

Related

Single username/password for MediaWiki+phpBB+WordPress

I am building a web consisting of MediaWiki and phpBB as its subcomponents. Also WordPress may be added in future. My current problem is to choose a single unified authentication method (not to force users to have a special MediaWiki account, a special phpBB account, etc.).
Which approach would you recommend me? The basic limitation is that it is a simple LAMP server (no LDAP database). Possibilities I know about:
Use a decentralized protocol such as OpenID, OAuth 2.0, etc. I would prefer this approach. However, OpenID is not supported by Google any more so OAuth 2.0 would be probably more appropriate.
Use DB of users from phpBB and install some plugin to other subcomponents (MediaWiki extension for phpBB auth.)
Use DB of users from MediaWiki and install some plugin to phpBB.
Use some specialized web application for user credentials management and install plugins both to MediaWiki and phpBB.
I think the main point you already understand: you need one of your new platforms to be the central user store. The problem you now have to work out:
Which platform has the plugins to interact with the others? It's possible that you find plugins that only work "in one direction", and for MediaWiki itself you will find a lot of outdated extensions that may no longer work with the latest MediaWiki versions and updates.
The other point is that you should think about WordPress now, too. Once you have selected one central user store you mostly can't change it without a lot of work, so I would check for an integration of WordPress now as well.
Looking at that and a short search, I wouldn't prefer MediaWiki to be the central user storage, and I'm not sure if phpBB is the best solution either :/
I think one of the best options would be to use LDAP; extensions and plugins seem to be supported and working for the latest versions of each piece of software. You would have a central user store, which could easily be integrated into other applications, too. What is the reason you can't use it? A LAMP stack could handle this as well.
The second solution I would consider is to use Google's user store and access it via OAuth 2.0. MediaWiki, phpBB and WordPress support this with plugins and/or extensions.
At the end of the day a login is a login is a login. All the custom fields specific to individual applications can be properly bridged with plug-ins. Make the app that will require the most babysitting your main database and thus login system. In many cases it's the forum, but that really varies by site.
I would caution that many new forum admins eventually want to upgrade from phpBB to something that's more powerful and modern. I was one of those admins. Yes, phpBB is as good as an open-source forum gets, but it just doesn't compete with the commercial forum apps. So keep that in mind if you make phpBB your main database.

Drupal 7 security implementation

I have a hostgator website on which I installed Drupal. It was working fine until last weekend. I am primarily a .net developer and am not sure about the configuration of this open source application.
Recently, I noticed a large number of user accounts being created that had never even logged in before. So, after setting up Google Analytics, I determined that my site was hacked. I made this determination because the majority of the traffic and user flow is coming from RUSSIA, SERBIA and ROMANIA, hackers' haven!
I realised that my website was not secure. So now I have put the site into maintenance mode, uninstalled the existing Drupal 7, and installed a new installation. It is very fresh now and I am on a mission to find some good security practices.
I would like to know what security measures that I can implement other than these.
Also, how would I connect to my website's command line to change the file permission settings? Currently, I am using Filezilla and right clicking to change the properties.
Thanks, and apologies for the long question.
P.S. This is my website.
Hostgator provides SSH access. Use a tool like WinSCP to transfer files and PuTTY to access the command line. Once you get command-line access, you will hopefully be able to install Drush on Hostgator. Drush will help you do many administrative tasks from the command line and it is highly recommended. Since you are a .NET developer, I assume that you might be using Windows for development. The good news is that you can install Drush on Windows too.
Are you sure that your site was really hacked? Because if you go to the Account settings page (http://your-site/admin/config/people/accounts) and look under "Who can register accounts?", you will see three options there. The default is "Visitors can create accounts". If you do not change this setting to something else, your new site will again face the same problem. Otherwise, you can select the option "Require e-mail verification when a visitor creates an account".
Another way to reduce the number of spammers creating accounts on your Drupal site is to install the CAPTCHA or reCAPTCHA module and configure it to show a challenge to users when they create an account. This will block many spammers. You can also block specific IP ranges using the Apache .htaccess file. You will find the .htaccess file in your Drupal installation folder.
Another good practice is to periodically update Drupal core and contributed modules for security fixes. If you go to the page admin/reports/updates, you will see which modules require an update. The command line and Drush will help you streamline part of this process.
If you regularly update Drupal (core & modules), use SSH for file transfer and apply correct file permissions, your site should be secure. It is not that hard to maintain a secure Drupal site, given all the help available from the Drupal security team and the Drupal community.
There is a Drupal Group (forum) that deals with Best Practices in Drupal Security that provides a number of excellent suggestions on how to secure Drupal sites. As for accessing your site via the command-line, I checked and Hostgator allows for SSH access on all of their hosting plans. You should be able to login via SSH, change to the sub-directory within your Drupal installation and change the permissions of a file or directory using the 'chmod' command.
Good luck!

Easy maintainance of database-based CMS sites (WordPress...)?

Well, with entirely file-based CMS you can easily put the whole directory into version control system to record any changes to the site. The synchronization with the server would be also trivial because it would only involve uploading the files via ftp.
With these benefits in mind, I am a little puzzled about the popularity of databases as the only storage mode, even when the CMS in question is meant to be used by amateurs for small websites.
What does your versioning and synchronization workflow look like?
What kind of simplified versioning/synchronization workflow would you suggest for a casual, non-tech, WordPress user, to give them the benefit of working locally and encouraging them to have a backup of their site?
Most CMS systems nowadays tend to have some backup solution in place to help you. Since WordPress is a CMS for the masses and also caters for the non-tech population, you're sure to find a plugin that can help you with this. I know its built-in backup solution just backs up posts etc. to XML, but even this does a pretty decent job of restoring over a clean WordPress installation and working fine.
But I found this plugin (which works for WordPress and Joomla) by asking Google, which most probably is the answer to your question: XCloner
Also in terms of workflow, specifically for WordPress, don't give the user Admin privileges, but Editor or Contributor or something, so they can still edit content, etc. but not make changes that could mess up the CMS itself. And maybe this XCloner plugin can do some kind of recurring backup. Otherwise, I suggest you move to a LAMP stack hosting environment where you can at least have cron jobs set up to back up your database and files regularly. Most hosting companies do this in any case at no cost.
Wordpress also keeps revisions of all posts and pages, so if a user doesn't like an update they've made, the full revision history is available. Be sure to check screen options at the top to see that Revisions is checked, if you aren't seeing this option. Kind of a nice built-in.
Can also (depending on host) have scheduled database/file backups through cPanel, in addition to scheduled database backup plugins through WordPress. Some will save remotely or even email the database out.

Sandboxes and Wordpress, Joomla or Drupal Sites?

I'm looking into building database driven websites based on opensource platforms in a sandbox area rather than having them accessible via the final URL until clients have paid up.
Is anyone aware of any problems this may cause with paths or functionality, or, know of any good articles on the subject?
many thanks
Shaun
There is no bad effect on functionality just because it is in a sandbox. Generally, Joomla is almost location independent (until and unless you are driving multiple websites from the same Joomla installation).
For security purpose secure the URL via .htaccess file (if more security required then setup a cron to update password every X hours, and email new details to user)
I would suggest having a cut-down, less privileged or demo account for signup users that can still enjoy the overall experience of your site without the full functionality of your killer-webapp services. "Restricting" them in a Sandbox area that is not even the actual site would not be as appealing and convincing as it could be for them to go from "freemium to premium" customers.
I develop all joomla sites on a local server and then upload to the production server once approved. In Joomla, when I upload the files to the production server, I usually need to change the mysql server as well and it can all be changed from the configuration.php file

how to prevent hacking of a WP site

I have a WP install, and every few weeks some hackers keep adding some bunk script to the bottom of certain files, making the WP site not function. I've changed the user/pass for WP and this obviously isn't working. I'm thinking, since they are affecting files that are not visible via the WP login (which are just theme files), does this mean they are getting access to the FTP and making their hacks there? If they are getting into FTP then why wouldn't they just remove all docs?
Any insight would be greatly appreciated. While I appreciate the billable hours to find/remove this code every few days, the client isn't as excited about it as I am.
then does this mean they are getting access to the FTP and making their hacks there?
Likely yes. There are a lot of automated hacks of sites to include scripts/iframes pointing at security hole exploits.
These exploits typically install a fake-antivirus program and other trojans, including, often, FTP password stealers. These compromised FTP accounts are then used to infect other sites in the same way.
So, you need to ensure any and every machine that is used to access the FTP site is totally clean. Don't trust one single anti-virus to say you're clean, because today's anti-virus is utterly useless at catching the wide range of trojans out there today.
Especially don't trust an antivirus that claims to have ‘cleaned’ an infection, because it is very likely it hasn't cleaned everything. If you find a trojan or have at some point recently had an AV find a trojan (that isn't a false positive, another huge problem of today's hopeless anti-virus software), it's time to reinstall the OS because that's the only way to be sure.
Then change the passwords again, worry about all the other passwords of yours it might have stolen, and finally migrate to SFTP for uploading your files. FTP is an insecure ancient relic that nobody should still be using for admin in this century.
(Another possibility would be that the host itself was hacked, if you're sharing a server. Check other sites on the same machine that aren't accessible through your FTP account and see if they're affected the same.)
If they are getting into FTP then why wouldn't they just remove all docs?
Where would be the profit in that?
The vast majority of exploits out there today are from criminal businessmen after users' cash, not hacker kids doing it for fun.
You can try installing...
"Akismet" Plug-in
WP-SpamFree
I am using 3 plugins together:
Akismet
Spam Free Wordpress
WP-SpamFree
I think you may try installing even more and see if it helps solve the problem.
Update to latest version.
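As an added example, not part of any of the answers above: the answer that suspects stolen FTP credentials is only half the job, because nothing in the thread tells you the moment the theme files change again. The script below takes a SHA-256 baseline of the site tree and reports any added, modified or removed file, which is how a "script appended to the bottom of certain files" is caught on the next cron run instead of when the client calls. The site root and manifest paths are placeholders, and it assumes `sha256sum` (coreutils) or `shasum` is installed and that filenames contain no newlines.

```sh
#!/bin/sh
# Added example (not from the original thread): a file-integrity baseline for a
# WordPress tree, so a script appended to theme files shows up as MODIFIED on
# the next check instead of when the site breaks. Assumptions: the site root
# and manifest paths are placeholders; sha256sum (coreutils) or shasum is
# installed; filenames do not contain newlines.
set -eu

# Use whichever SHA-256 tool is present; both print "<hex>  <path>".
_sha256() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$@"
    else
        shasum -a 256 "$@"
    fi
}

# Hash every regular file under a root: relative paths, deterministic order.
_hash_tree() {
    (
        cd "$1" && find . -type f | LC_ALL=C sort | while IFS= read -r f; do
            _sha256 "$f"
        done
    )
}

# Save the baseline. Keep the manifest OUTSIDE the document root and ideally
# off the host: if it sits beside the site, whoever holds the stolen FTP
# credentials can rewrite it along with the injected files.
wp_baseline() {
    _hash_tree "$1" > "$2"
}

# Compare the tree against the manifest. Prints one line per difference
# (ADDED / MODIFIED / REMOVED <path>) and returns 1 if anything changed,
# 0 if the tree is clean, so it can drive a cron alert.
wp_verify() {
    root=$1
    manifest=$2
    current=$(mktemp)
    _hash_tree "$root" > "$current"
    # A sha256 hex digest is 64 chars followed by two spaces: path starts at 67.
    report=$(awk '
        FILENAME == ARGV[1] { base[substr($0, 67)] = $1; next }
        {
            p = substr($0, 67)
            if (!(p in base))       print "ADDED " p
            else if (base[p] != $1) print "MODIFIED " p
            seen[p] = 1
        }
        END { for (p in base) if (!(p in seen)) print "REMOVED " p }
    ' "$manifest" "$current" | LC_ALL=C sort)
    rm -f "$current"
    if [ -z "$report" ]; then
        return 0
    fi
    printf '%s\n' "$report"
    return 1
}

# Usage (paths are placeholders):
#   sh wp-integrity.sh baseline /var/www/html /root/wp.manifest
#   sh wp-integrity.sh verify   /var/www/html /root/wp.manifest
case "${1:-}" in
    baseline) wp_baseline "$2" "$3" ;;
    verify)   wp_verify "$2" "$3" ;;
esac
```

Re-run `baseline` only after you have applied an update yourself; a `verify` run from cron that mails its output gives you the list of touched files, which is also what tells you whether the writes came through FTP (theme and plugin files) or through a web-facing hole (new files under wp-content/uploads). If a caching plugin writes under wp-content/cache, add a `! -path './wp-content/cache/*'` to the `find` so that churn does not drown the real changes.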
