Website Security

You have built a site, or are thinking about building one, using the latest and greatest web design software. Be it WordPress, phpBB, or one of the many others currently available, everything is up to date and you start dealing with the content and getting visitors. What comes next are the spam bots, the scanners looking for a specific vulnerability, and other types of security threat. No site is ever fully secure; look at Chase, Target, and Home Depot. Much like an operating system that has software added to it, a website with plugins, mods, or other third-party software installed can open up new loopholes and cracks in files that were secure on their own. For example, this updated site has been up less than a month, and already I can see a steady stream of exploit attempts aimed at plugins that I do not have installed. I will post some of the links just to give a better understanding of what I am referring to.

  • /wp-content/plugins/fb-infiltrator/formsubmit.php
  • /wp-content/218.php
  • /wp-content/themes/archin/hades_framework/option_panel/ajax.php
  • /wp-content/plugins/Lead-Octopus-Power/css/popup.css
  • /ckeditor/ckfinder/core/connector/aspx/connector.aspx
  • /ckeditor/ckfinder/core/connector/php/connector.php
  • /ckeditor/ckfinder/core/connector/asp/connector.asp
  • /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php
  • /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp
  • /admin/fckeditor/editor/filemanager/connectors/php/connector.php
  • /fckeditor/editor/filemanager/connectors/asp/connector.asp
  • /fckeditor/editor/filemanager/connectors/aspx/connector.aspx
  • /administrator/index.php
  • /wp-content/themes/konzept/includes/uploadify/upload.php
  • /wp-content/plugins/all-in-one-seo-pack/images/default-user-image.png
  • /wp-content/plugins/wysija-newsletters/readme.txt
  • /password_forgotten.php
  • /wp-login.php
  • /browserconfig.xml *
  • /wp-admin/post-new.php *
  • /oscommerce/password_forgotten.php *
  • /catalog/password_forgotten.php *
  • /shop/password_forgotten.php *
  • /store/password_forgotten.php *
  • //catalog/password_forgotten.php *
  • //store/password_forgotten.php *
  • //oscommerce/password_forgotten.php *
  • //shop/password_forgotten.php *
  • /wp-login.php?checkemail=registered *
  • //wp-content/plugins/infusionsoft/readme.txt **
  • /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php **
  • //wp-content/themes/konzept/includes/uploadify/upload.php **
  • /wp-content/themes/konzept/includes/uploadify/upload.php **
  • /site-news/website-security/wp-content/themes/konzept/includes/uploadify/upload.php **
  • /site-news/website-security//wp-content/themes/konzept/includes/uploadify/upload.php **
  • /web-console/ServerInfo.jsp **
  • /webmanage/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp **
  • /manage/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp **
  • /cart/include/version.php **
  • /xcart/include/version.php **
  • /include/version.php **
  • /store/include/version.php **
  • /shop/include/version.php **
  • /order/include/version.php **
  • /market/include/version.php **
  • /buy/include/version.php **

Now, there are more hits than just these individual ones. Being vigilant and checking 404 hits as well as legitimate site hits lets you see what is being accessed, or probed for, on your site. Let's look at the links individually:

  • /wp-content/plugins/fb-infiltrator/formsubmit.php
  • /wp-content/plugins/Lead-Octopus-Power/css/popup.css
  • /ckeditor/ckfinder/core/connector/aspx/connector.aspx
  • /ckeditor/ckfinder/core/connector/php/connector.php
  • /ckeditor/ckfinder/core/connector/asp/connector.asp
  • /admin/fckeditor/editor/filemanager/browser/default/connectors/php/connector.php
  • /admin/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp
  • /admin/fckeditor/editor/filemanager/connectors/php/connector.php
  • /fckeditor/editor/filemanager/connectors/asp/connector.asp
  • /fckeditor/editor/filemanager/connectors/aspx/connector.aspx
  • /oscommerce/password_forgotten.php *
  • /shop/password_forgotten.php *
  • /store/password_forgotten.php *
  • /catalog/password_forgotten.php *
  • //catalog/password_forgotten.php *
  • //store/password_forgotten.php *
  • //oscommerce/password_forgotten.php *
  • //shop/password_forgotten.php *
  • /web-console/ServerInfo.jsp **
  • /webmanage/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp **
  • /manage/fckeditor/editor/filemanager/browser/default/connectors/asp/connector.asp **
  • /cart/include/version.php **
  • /xcart/include/version.php **
  • /include/version.php **
  • /store/include/version.php **
  • /shop/include/version.php **
  • /order/include/version.php **
  • /market/include/version.php **
  • /buy/include/version.php **

I can group these links together because the same address tried to access all of them on my site. Obviously they were after a major loophole and tried every possible location where it might be found on my site to get in. A simple Google search brings up sites that have either errors or logs of hits on this group of links. Someone has found a security glitch, although it has not gotten as far as becoming a major security threat as of yet. This mod would not find itself on my site at any time, simply because it is obviously not secure.

  • /administrator/index.php
  • /password_forgotten.php
  • /wp-login.php
  • /wp-login.php?checkemail=registered *
  • /wp-admin/post-new.php *

This next group is another interesting area to watch. You have random hits to login pages that don't exist, or that exist but get no referring links from the homepage. Any time you see this, especially an IP address continuously hitting a login page, it could signify someone trying to access your backend via a brute force attack. A brute force attack can be summed up as trying a username over and over while changing the password until access to the backend of the site is gained. There are a few ways to block this type of attack, most notably:

  • Do not use the Admin or Administrator username. This rule applies to any site, not just WordPress.
  • Do not use basic passwords (a word found in a dictionary, your real name, your site name, company name, username, or a short password).
  • Use a plugin that limits the number of login attempts (this should be standard with WordPress, don't you think?).
  • Block access to a page or folder through a plugin or the .htaccess file.
  • Password protect a page or folder using an .htpasswd file.
  • Limit access to a file or folder to specific IP addresses via the .htaccess file.

If you are really security conscious, you may find a mixture of these will work best.

This last group of hits can also raise a red flag:

  • /wp-content/themes/konzept/includes/uploadify/upload.php *
  • /wp-content/themes/archin/hades_framework/option_panel/ajax.php
  • /wp-content/plugins/all-in-one-seo-pack/images/default-user-image.png
  • /wp-content/plugins/wysija-newsletters/readme.txt
  • /browserconfig.xml *
  • /wp-content/218.php
  • //wp-content/plugins/infusionsoft/readme.txt **
  • /wp-content/plugins/sexy-contact-form/includes/fileupload/index.php **
  • //wp-content/themes/konzept/includes/uploadify/upload.php **
  • /wp-content/themes/konzept/includes/uploadify/upload.php **
  • /site-news/website-security/wp-content/themes/konzept/includes/uploadify/upload.php **
  • /site-news/website-security//wp-content/themes/konzept/includes/uploadify/upload.php **

A text file, an image file, and an upload file; why the worry? These can be another type of probe, to see whether you are running the theme, mod, or plugin, for a later attack. The best way to combat this in some cases requires renaming plugin folders before uploading them. This then requires editing files in the plugin so it understands the new folder name. Perhaps in the future plugin authors will give you the ability to rename a plugin folder just to block exploits through the plugin.

All in all, the web hits that I posted are from the past eight weeks of having the site up. Some of the hits have occurred 20+ times, others fewer, but all are something to keep an eye on. Being vigilant is the first way to understand and combat these constant threats to your site. If you know of some other method of securing your backend, or a specific plugin/mod that helps secure it, please comment below. I hope this post helps you.
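To make the log vigilance described above concrete, here is an added example (my own code, not the author's) that parses Apache combined-format access log lines, sorts each request into the three groups this post walks through (scanner probes for known-vulnerable paths, login-page hits, plugin/theme fingerprinting) and flags any address whose login-page hits reach a threshold, which is the brute force pattern the post warns about. The log lines, the IP addresses and the threshold of three are constructed assumptions.

```python
import re
from collections import Counter

# Constructed sample lines in Apache combined log format (not the post's real logs).
SAMPLE_LOG = """\
203.0.113.5 - - [30/Sep/2014:10:01:02 +0000] "GET /fckeditor/editor/filemanager/connectors/php/connector.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Sep/2014:10:01:03 +0000] "GET //catalog/password_forgotten.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
203.0.113.5 - - [30/Sep/2014:10:01:04 +0000] "GET /xcart/include/version.php HTTP/1.1" 404 209 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Sep/2014:10:02:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Sep/2014:10:02:11 +0000] "POST /wp-login.php HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
198.51.100.7 - - [30/Sep/2014:10:02:12 +0000] "POST /wp-login.php?checkemail=registered HTTP/1.1" 200 3412 "-" "Mozilla/5.0"
192.0.2.9 - - [30/Sep/2014:10:03:00 +0000] "GET /wp-content/plugins/wysija-newsletters/readme.txt HTTP/1.1" 404 209 "-" "curl/7.30"
192.0.2.9 - - [30/Sep/2014:10:03:01 +0000] "GET /site-news/website-security/ HTTP/1.1" 200 8120 "http://example.com/" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]*"')

# Path signatures for the three groups the post walks through; the order matters,
# because the first matching group wins.
GROUPS = {
    # editor connectors, osCommerce password reset and X-Cart version probes
    "scanner": re.compile(r'/(fckeditor|ckfinder)/.*connector\.(php|aspx?)$|/password_forgotten\.php$'
                          r'|/include/version\.php$|/web-console/ServerInfo\.jsp$'),
    # login/admin pages, where repeated hits from one address suggest brute forcing
    "login": re.compile(r'^/(wp-login\.php|wp-admin/|administrator/index\.php)'),
    # any file under a plugin or theme folder, fetched to fingerprint what is installed
    "fingerprint": re.compile(r'^/wp-content/(plugins|themes)/[^/]+/'),
}

def normalise(path):
    """Drop the query string and collapse repeated slashes (//shop/x == /shop/x)."""
    return re.sub(r'/{2,}', '/', path.split('?', 1)[0])

def classify(path):
    """Return the group name a request path belongs to, or None for ordinary traffic."""
    path = normalise(path)
    for name, pattern in GROUPS.items():
        if pattern.search(path):
            return name
    return None

def analyse(log_text, login_threshold=3):
    """Count hits per group per client IP; list IPs whose login hits reach the threshold."""
    hits = {name: Counter() for name in GROUPS}
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        group = classify(m.group("path"))
        if group:
            hits[group][m.group("ip")] += 1
    suspects = sorted(ip for ip, n in hits["login"].items() if n >= login_threshold)
    return hits, suspects
```

Run it over a real access log by passing the file contents to analyse(); the path patterns cover only the groups listed in this post and will need extending for other software.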

* Updated 9/30/14 to show more hits from Russian hackers/spammers.

** Updated 10/24/14 to show more plugins that are vulnerable.