Dyon Technologies – WordPress Vulnerabilities and Prevention

WordPress Vulnerabilities and Prevention

SQL Injection and URL Hacking:
– Insert following to the .htaccess file

<IfModule mod_rewrite.c> RewriteEngine On RewriteBase / RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK) [NC] RewriteRule ^(.*)$ – [F,L] RewriteCond %{QUERY_STRING} \.\.\/ [NC,OR] RewriteCond %{QUERY_STRING} boot\.ini [NC,OR] RewriteCond %{QUERY_STRING} tag\= [NC,OR] RewriteCond %{QUERY_STRING} ftp\: [NC,OR] RewriteCond %{QUERY_STRING} http\: [NC,OR] RewriteCond %{QUERY_STRING} https\: [NC,OR] RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR] RewriteCond %{QUERY_STRING} mosConfig_[a-zA-Z_]{1,21}(=|%3D) [NC,OR] RewriteCond %{QUERY_STRING} base64_encode.*$.*$ [NC,OR] RewriteCond %{QUERY_STRING} ^.*(\[|\]|$|$|<|>|ê|”|;|\?|\*|=$).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*("|'|<|>|\|{||).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%24&x).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(globals|encode|localhost|loopback).* [NC,OR] RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare).* [NC] RewriteCond %{HTTP_COOKIE} !^.*wordpress_logged_in_.*$ RewriteRule ^(.*)$ – [F,L] </IfModule>
Access to Sensitive Files
– Insert following to the .htaccess file

Options All -Indexes<files .htaccess>Order allow,denyDeny from all</files><files readme.html>Order allow,denyDeny from all</files><files license.txt>Order allow,denyDeny from all</files><files install.php>Order allow,denyDeny from all</files><files wp-config.php>Order allow,denyDeny from all</files><files error_log>Order allow,denyDeny from all</files><files fantastico_fileslist.txt>Order allow,denyDeny from all</files><files fantversion.php>Order allow,denyDeny from all</files>
Default Admin Account
– Create a new administrator account and delete the default “Admin” account
Default Prefix in the database
– Use prefix other than “wp_”
Brute-Force Attacks
– Brute-force attack will be almost impossible with login limit and penalty timeout

Difficulty level: Intermediate
Recurring Risk: No

Want us to do this for you? It takes about 1 hour depending on the size of site.
Skill level required – Intermediate level
Our rate is $40 per hour ( min. 2 hours)
Call us at: +65 6511 4585 (Office hours)
Message us at: +65 8263 1460 (24 hours)
Email us at: enquiry@dyontech.com
Visit our website at: www.dyontech.com

By |May 12th, 2015|Categories: Technical Support||Comments Off

About the Author: Dyon

We create beautiful websites and clever applications using the the latest W3C web standards guidelines and industry's best practices. Over the years we've made a reputation for building websites that look great and easy-to-use. Please feel free to contact us. We strive 24x7 from 8am to 11pm.

Not having a website or having a website that is not crawlable is the biggest mistake he sees.
Matt Cutts, Google's Head

When you buy an Apple product you open it up, the box is beautiful, the packaging is beautiful, the entire experience is really wonderful.
Matt Cutts, Google's Head

User experience should always be your number one concern. If it’s not good for your user, don’t do it.
Amit Singhal, Google's Snr VP

Overall, its all about high quality content and catering to your audience in a speedy website.
Amit Singhal, Google's Snr VP

Google ranks sites based on popularity. If authoritative sites link to you, you must be good, and therefore you get to the top of the list.
Matt Cutts, Google's Head

"After you've said it two or three times, Google has a pretty good idea — 'OK, this page has something to do with this keyword,' ".
Matt Cutts, Google's Head