WordPress and user enumeration through Author Pages rant

Yes. This will be a bit of a rant about WordPress.

Don’t get me wrong. I love and adore WordPress. Hell, I live WordPress. But there are just some things I really don’t like about it (at least from a security perspective).

Most of my major issues are with the default settings of a clean install of WordPress. I’m talking about features such as the XML-RPC protocol, author pages, file editing in the backend (on themes, plugins and core files).

Let’s take “author pages” as an example. From experience I know that only a fairly limited number of sites running WordPress actually use this feature.
However, when author pages are active, the usernames are easy to derive. That leaves an attacker with nothing but the password to find before they are inside your backend.

If you’d like to know the impact, just add “/?author=1” after your domain name in the address bar. If author pages are active, it will redirect to a URL containing something like “/author/username”. And this “username” is the very one you use to log into your wp-admin backend.

And yes, I know there are plugins that can block this for you (such as https://nl-be.wordpress.org/plugins/disable-author-pages/ and several security plugins that offer it as an option), but that’s not my point.

The thing is that these settings are active by default, without an option in the WordPress backend to easily disable them.

My proposition:
Let’s make these functions an “opt-in” functionality. Let them be disabled by default and let’s make it possible to enable them if this is really needed for a specific website. This would make a huge number of WordPress sites that little bit more secure.

I’ve decided I won’t sit back, and I’ve already started working on a security plugin that disables all of these features and adds an “opt-in” menu under “Settings” in the WordPress backend. More on that soon!


Block xmlrpc attacks via .htaccess

XML-RPC is a protocol that is enabled by default in WordPress, and since version 3.5 the option to disable it has been removed from the WordPress backend. Since this protocol is prone to abuse (a single request can be used to try several hundred username and password combinations), it is paramount to disable it.

You could do this through a plugin, but a more efficient way is to add the following RewriteRule to your .htaccess:

# send every request for xmlrpc.php away (mod_rewrite must be available to .htaccess)
RewriteEngine On
RewriteRule ^xmlrpc\.php$ "http://0.0.0.0/" [R=301,L]
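The opt-in approach proposed in the rant above, applied to both author pages and XML-RPC, as an added example that is not the author's plugin or WordPress core code: a must-use plugin that keeps both features off unless the site owner sets the option name `hd_opt_in` (an invented name, assumed for this example).

```php
<?php
/**
 * Plugin Name: Harden Defaults (added example)
 * Description: XML-RPC and author archives stay off unless explicitly opted in.
 * Drop this file into wp-content/mu-plugins/ to load it as a must-use plugin.
 * Assumption: the option name "hd_opt_in" is invented for this example.
 */

// Site owners opt back in per feature, e.g. with WP-CLI:
//   wp option update hd_opt_in '{"xmlrpc":true,"author_pages":false}' --format=json
function hd_is_enabled( $feature ) {
    $opt_in = get_option( 'hd_opt_in', array() );
    return ! empty( $opt_in[ $feature ] );
}

// XML-RPC: the xmlrpc_enabled filter disables every method that needs
// authentication, which is exactly what password guessing via
// system.multicall relies on; the endpoint then rejects logins outright.
if ( ! hd_is_enabled( 'xmlrpc' ) ) {
    add_filter( 'xmlrpc_enabled', '__return_false' );
    // Stop advertising the endpoint in the HTML head and the HTTP headers.
    remove_action( 'wp_head', 'rsd_link' );
    add_filter( 'wp_headers', function ( $headers ) {
        unset( $headers['X-Pingback'] );
        return $headers;
    } );
}

// Author pages: answer /?author=1 and /author/<username>/ with a 404 at
// priority 1, i.e. before redirect_canonical() (priority 10) would redirect
// the numeric id to a URL containing the login name.
if ( ! hd_is_enabled( 'author_pages' ) ) {
    add_action( 'template_redirect', function () {
        if ( is_author() || isset( $_GET['author'] ) ) {
            global $wp_query;
            $wp_query->set_404();
            status_header( 404 );
            nocache_headers();
        }
    }, 1 );
}
```

After enabling it, request `/?author=1` and confirm you get the theme's 404 page instead of a redirect to `/author/username/`.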

Hiding your htaccess file

A great way to improve your security is hiding your .htaccess file, since this file usually contains a fair amount of information that reveals the structure of your website or the content management system used to build it. This takes two distinct steps:

1. htaccess file permissions

First you’ll need to set the file permissions of your .htaccess to 644.

2. Add this to your .htaccess file

# secure htaccess file
<Files .htaccess>
# Apache 2.2 syntax (also works on 2.4 when mod_access_compat is loaded)
order allow,deny
deny from all
# On Apache 2.4 without mod_access_compat use instead:
# Require all denied
</Files>

WordPress security improvement: adding 2-factor authentication

Another great way to improve the overall security of your WordPress website is adding two-factor authentication to your security measures. It improves your security because two separate elements have to be supplied before a user is granted access, which is inherently a stronger solution than just a username and password combination. Two-factor authentication usually requires you to enter a pin code/token of some sort and validate another element before access is granted.

How this improves your WordPress security

Using 2-factor authentication effectively helps protect your website against the following attacks and vulnerabilities:

  • Brute-forcing attacks
  • Weak passwords set by the end-user
  • Passwords that have been intercepted via man-in-the-middle attacks

But that’s enough theoretical chitchat already. Let’s go over the best options available today:


Prevent PHP execution in wp-content/uploads

Prevent PHP Execution in wp-uploads and improve WordPress Security

When hackers manage to obtain your WordPress credentials, there’s a good chance they’ll try to upload a backdoor into your WordPress website via the backend. A backdoor is a script, usually PHP, that allows them to perform actions on your website/webspace (such as creating malicious files, resetting permissions, …). So it is paramount to prevent PHP execution in the uploads directory altogether. This way you limit the actions a hacker can perform if your credentials do get compromised.

How to prevent PHP execution:

To ensure no .php files can be executed, I’d suggest you create a .htaccess file in /wp-content/uploads containing the following code:
