Category: Security

  • The Longer Term Effects of the Paris Tragedy

    Having recently lived in France for a year, my heart goes out to the French people. I lived in South Western France, but fell in love with Paris as a city of art, philosophy, history and music. That it was targeted with such violence last night is a travesty of epic proportions.

    London Bridge lit up with the colors of the French Flag tonight.

    At this time there are 129 deaths and 352 injured according to Le Monde.

    I’d like to spend a few minutes thinking about the longer term effects of what just happened in Paris. My background, if you don’t know me: I’m the CEO of a cyber security company, I’m a software engineer and I’m interested in public policy.

    2,977 victims died in the World Trade Center attacks on September 11th 2001. The attacks had a profound effect on public policy and foreign policy world-wide. The result was a US led war in Afghanistan and a further war with Iraq. The cost and effect of these wars continue to this day, 14 years later.

    The WTC attacks also led to the Patriot Act and a huge increase in surveillance by the United States and its intelligence partners. The intelligence partners are the “Five Eyes”, which include the USA, United Kingdom, Canada, Australia and New Zealand. The Patriot Act was the tip of the iceberg and since the Snowden revelations we have now learned the depth and breadth of the increase in intelligence gathering and surveillance post 9/11.

    The Oriental Pearl Tower in Shanghai showing French colors tonight.

    The impact of the WTC attacks can, today, in my opinion, be compared to the impact of the Pearl Harbor attack in the way it changed US foreign policy and public policy. The day after the Pearl Harbor attack, the US declared war on Japan and Roosevelt and later Truman demanded the ‘unconditional surrender’ of Japan as the only acceptable end to the conflict.

    More recently, the public appetite for conflict, in the United States and world-wide, had started to taper off, beginning in 2008 with the Obama campaign that ran on a platform of exiting Iraq.

    Added to this there was a tapering in the public appetite and tolerance of surveillance with the Manning leaks published on Wikileaks in 2010 and the Snowden revelations in 2013.

    The number of casualties in Paris yesterday is not as high as Pearl Harbor or 9/11, but we live in a post 9/11 world where we already have an increase in conflict and surveillance. The public also has an increased sensitivity to these kinds of attacks.

    The Brandenburg Gate in Berlin

    In my view, the Paris attacks will bring us back to the world-wide climate we encountered immediately post 9/11. It will ensure that France enters any war it hopes will reduce the threat of domestic terror and France will go beyond that. France will actively, as the USA did, seek retribution for the attacks yesterday. Manuel Valls (France’s Prime Minister – the equivalent of a Chief Operating Officer) said today that “We must annihilate the enemies of the Republic”, which sets the tone of the response going forward.

    If this had happened in the absence of 9/11, the French response would have been severe, but would not necessarily have been backed by a long term global response. Because this is post 9/11 and because it refreshes the global memory of the impact of terrorism, this will have a much wider influence on global governments and their public and foreign policy.

    The Sydney Opera House Tonight

    I expect that there is a show of solidarity with France that goes beyond countries displaying the French flag on public and private buildings last night and tonight.

    France will likely be brought closer into the Five Eyes intelligence sharing arrangement which has so far excluded all European countries with the exception of the United Kingdom. [And in fact had an adversarial relationship with countries like Germany]

    In response to Charlie Hebdo, France passed a new surveillance law in May that allows the monitoring of phone calls and emails without the authorization of a judge. The law also requires ISPs to install devices to sniff Internet traffic and make that traffic available to French intelligence services. The law is essentially the USA Patriot Act without the need for a FISA court to authorize surveillance.

    San Francisco City Hall

    The tragedy yesterday will likely provide the impetus to pass additional laws that cover anything that legislation earlier this year may have missed. That earlier law doesn’t appear to have missed much.

    I hold no strong opinions either way on public surveillance. That we appear to need surveillance, I consider tragic. I’d also prefer to not have secrets, but a thought experiment I came up with a few years ago seems to indicate that the need for secrets is inevitable.

    My interest is in understanding what will happen next, and we appear to be headed into a deeper spiral of surveillance, conflict and secrecy. I’d prefer that things were different, but I’m angry too.

  • Why security back-doors for governments are a bad idea

    Bruce Schneier has written yet another spectacularly lucid piece on why the FBI shouldn’t be able to force technology vendors in the USA to add back-doors to their products.

    The current proposal, which is probably going to get the backing of the Obama administration, will levy fines of $25,000 per day on technology vendors that don’t add back-doors to their systems to allow government monitoring.

    Schneier argues that history has shown that those back-doors are inevitably used by criminals and foreign governments with ill intent and leave people, the vast majority of whom aren’t criminals, less secure and less free.

  • Personal Cybersecurity 101

    Defense Secretary Chuck Hagel used his first visit to Asia to ask China to stop hacking into and spying on our networks. You don’t need the perspicacity of Nostradamus to see that: Spending on Cybersecurity over the next few years and decades by the defense department will skyrocket and rival every other division of the US DoD. It is also a harbinger of the risks and attacks to come.

    Today cyberattacks are what we use instead of missiles to slow down a country when they’re trying to make nuclear weapons. And that was 3 years ago.

    While governments may be rapidly building armies of cyber warriors, like the US Cyber Command in Maryland, individuals are relatively defenseless and most of us aren’t even aware of the risks of being attacked in cyberspace.

    To illustrate the risk, here’s how I’d target a specific individual:

    • Create a payload designed to infect their OS X or Windows workstation. The infection would log all keystrokes and send them periodically to my anonymous email address. It would also give me remote access on demand to their workstation to peruse and download files. 
    • Leave the infection lying around their home and place of work on USB thumb drives hoping they’ll install it.
    • Mail a thumb drive to them with the Google logo on it on an envelope that appears to come from Google with a nice letter explaining how they won something.
    • If that doesn’t work I’d crack their home WEP or WPA wifi encryption, gain access to their network and run a vulnerability scanner like OpenVAS on their workstation to find holes. Then I’d fire up Metasploit and exploit and access whatever I want to.
    • Gain access to all the target’s online and offline data.
    • I’m looking for as much personal data as I can find, specifically a social security number.
    • If I’m still unable to get access to that, I’d try social engineering. I’d send them a piece of mail with a bank letterhead and logo warning that an account is about to be suspended with an 800 number that is actually my number. Authenticating themselves when calling my number would require they provide their full social security number and other valuable data.

    The point here is that if someone who knows what they’re doing decides to target you, you’re in trouble. You can use stronger encryption on your home network, use strong passwords, install anti-virus and firewall software and so on. But at some point you’re going to slip-up and they’re going to gain access to sensitive data that lets them do a lot of damage in your life.

    Once you’ve taken the obvious precautions, here’s what I suggest to help protect yourself.

    • Sign up with a reputable identity monitoring or credit monitoring service. I particularly like the feature of receiving SMS alerts when a threat is detected.
    • Get a reputable credit card like Visa Signature that reverses fraud transactions no-questions-asked and immediately issues a new card. Use this for online purchases and keep a close eye on your account activity.
    • Only use your debit card to draw cash from trusted ATM machines. Never use it for online transactions.
    • Keep your cash in several savings accounts, monitor them carefully and make sure that all authentication to access those accounts is strong. Two factor authentication where you enter a password and then also have to enter a code sent to your phone is an excellent additional layer of security.
    • Pull your credit history yourself from time to time to monitor it.
    • Don’t get social-engineered. If someone calls you up, says they’re from an institution you bank with or trust and starts trying to get information from you, ask them for their full name, position and a callback number. Then don’t call it back. Instead call the main switchboard of the institution and ask for that individual. If they don’t exist, try the callback number; if they answer, hang up and call the cops with the info.
    • Never use the same password across services or websites. If you do, when one website gets hacked, your username/email and password will get out and at some point a hacker will try that combo on all other major online services. You could choose a base password, and then add something to that password that uses some attribute of the website (like the domain name) and runs it through a formula you’ve memorized. For example, you could have a base password of ‘1c00ld01phin’ and take the first four letters of the domain name, rotate the letters by one and add the position of the first letter in the alphabet as digits to the end. So ebay.com would become ‘1c00l101phinfcbz5’. That’s a simplistic formula and you can beef it up by adding letters or digits at the beginning or at a specific position within your base password.
    • If you run a website or a server on the net, make sure all software on the system is up-to-date. Install OpenVAS or Nessus, learn how to use it and run a vulnerability scan on your own system every quarter. You can also find out what your home IP address is using whatsmyip.org and use the same tools to run a scan on your home IP address. You can also run the scan from your home network to any workstation or mobile device like an iPad or iPhone on your network to find out if your own machines have security holes.
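
    As an added illustration of the per-site password formula described a few items up (this code is not from the post), here is that rule as a PHP function, with the edge cases the description leaves open spelled out: non-letter characters in the domain are skipped, a domain with fewer than four letters uses what it has, and a rotated `z` wraps to `a`. The base password is the one used in the post; the domains other than ebay.com are constructed examples.

```php
<?php
// Added illustration of the per-site password rule from the post (not the post's own code).
// Rule: base password + first four letters of the domain, each letter shifted forward by one,
// followed by the alphabet position (a=1 ... z=26) of the domain's first letter.

declare(strict_types=1);

/**
 * Derive a site-specific password from a memorised base and a domain name.
 * Only a-z letters of the domain are used (digits, dots and hyphens are skipped),
 * so "ebay.com" contributes "ebay" and "my-site.org" contributes "mysi".
 */
function derive_site_password(string $base, string $domain): string
{
    $letters = preg_replace('/[^a-z]/', '', strtolower($domain));
    if ($letters === '') {
        // Refuse to fall back to the bare base password: that would be password reuse.
        throw new InvalidArgumentException("domain '$domain' contains no letters");
    }
    $prefix = substr($letters, 0, 4);

    // Rotate each letter forward by one, wrapping z -> a.
    $rotated = '';
    foreach (str_split($prefix) as $ch) {
        $rotated .= ($ch === 'z') ? 'a' : chr(ord($ch) + 1);
    }

    // Position of the domain's first letter in the alphabet.
    $position = ord($prefix[0]) - ord('a') + 1;

    return $base . $rotated . $position;
}

// Constructed examples; the base password is the one used in the post.
$base = '1c00ld01phin';
foreach (['ebay.com', 'zoom.us', 'my-site.org', 'x.io'] as $domain) {
    printf("%-12s -> %s\n", $domain, derive_site_password($base, $domain));
}
```

    The appeal of a deterministic rule is that nothing has to be stored. The caveat a practitioner would add: every derived password ends in a short, structured suffix, so two of them leaked from two breached sites reveal both the base and the rule. Treat the formula as a step up from plain reuse rather than as equivalent to unrelated random passwords per site.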

    It’s surprisingly easy to hack into someone’s life. I’ve had websites hacked and my family has been hit with identity theft (drivers license stolen from mailbox) and it’s a real pain to dig yourself out. But with a little preparation you can minimize the risk and if it does strike, catch it early and recover quickly.

  • Shoutout to Bluehost

    Bluehost reached out to me a few weeks ago to say “Hi, and by the way we love Wordfence”. I was doubly stoked because they have been my favorite WordPress host for some time now. To date I still haven’t found a single performance issue or vulnerability on their platform. Their stuff just works!

    So we’ve become friends and today they gave us a very nice mention on their blog.

    We’ve been crazy busy at Wordfence with a ton of new signups and I haven’t had time to set up a blog for www.wordfence.com, so in the meantime I thought I’d post my love for Bluehost here. Wordfence blog coming soon!!

    If you’re looking for a way to secure WordPress, get Wordfence here!

  • How to (really) choose WordPress Hosting

    I am the creator and maintainer of Wordfence, an anti-virus and security plugin for WordPress. We are still a young plugin, but already are about to pass 50,000 downloads.

    Often when our customers have a problem with Wordfence, they create a temporary admin account for me and I sign in to their (usually) hosted WordPress site to diagnose it. So I’ve experienced a large number of WordPress hosts over the last few months.

    Wordfence is a fairly complex plugin. It has an admin interface that provides real-time traffic views and these contact our API servers in real-time to do things like resolve the geolocation of IP addresses. Admins can also kick off a scan and watch it run and of course scheduled scans run in the background on a regular basis.

    The background scans have provided a fair amount of insight into which hosts have issues and which don’t: For example when a WordPress cron job or a Wordfence scan starts a scheduled event, it needs the server to be able to connect back to itself. A surprisingly large number of servers are unable to do this because they don’t know their own hostname or have some other problem.

    I’ve also seen a number of servers that have trouble making connections to external servers like our API server. Some have intermittent issues and some don’t make the connection at all.

    Perhaps the most frequent problem I’ve seen is too little memory for WordPress. This manifests in several ways:

    • The most common is that the php.ini memory_limit variable is set too low. 30 Megs is a common setting which is too low for a WordPress site running many plugins or one or two complex plugins or themes.
    • The next most common is the Apache RLimitMem setting is set too low and so Apache will prevent PHP from allocating more memory even if memory_limit is set to a high value. I’ve frequently seen RLimitMem settings that are low with a high php.ini memory_limit value – an obvious misconfiguration.
    • The most difficult to diagnose problem is where the host has configured PHP and Apache with high memory values, but there is a killer daemon running on the host that simply kills any process that grows beyond a certain size. This is rare, but it exists.

    To give you some perspective on how serious too little memory is, here is how it usually manifests itself: A customer installs plugins until they are right at the threshold of the maximum memory their host has provided. They then install one more plugin and it causes WordPress to “white screen” meaning that your WordPress site simply doesn’t load. This usually means the plugin needs to be uninstalled via FTP because the WordPress admin interface is no longer available.

    I’ve run across several hosts who limit the maximum running time of an Apache process to as little as 15 seconds. This is not enough for longer running WordPress cron jobs. We have coded a workaround in Wordfence for hosts like these, but this will still affect WordPress’s own scheduled jobs if they run longer than 15 seconds.

    Another problem I ran across 2 months ago is a very (very) large WordPress host whose deployment system was corrupting WordPress core files. This means every new WordPress install started off as corrupt. We spotted this because Wordfence alerted that core files on a fresh install were different from the originals. We thought this was a bug, but it turns out their deployment system was corrupting a core file in a way that created subtle bugs in the editing interface of WordPress. They have undertaken to fix the issue and I haven’t confirmed if they have.

    And finally there’s performance. When I sign in to various hosts to diagnose issues I’ll sometimes experience a snappy interface and occasionally it’s just dog slow. The WordPress admin interface, which tends to consume more memory and CPU than a non-authenticated site visitor, just screams that the host is overselling their virtual servers because it takes a while to load.

    When we first created Wordfence we bought space on the top WordPress hosting providers and made sure our software ran on all of them. It’s now several months later and I’ve had the experience of working with many customer installations across many more hosts.

    When choosing a host, find out the following:

    • What is the real memory limit? [In php.ini, apache2.conf and any other limits]
    • What is the longest time a process can run before they kill it?
    • Install Wordfence on the new machine and verify core files are intact.
    • Make sure the interface is snappy and stays that way.
    • Make sure the host has been in business for a while and will be for the foreseeable future.
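
    To turn the checklist above, and the memory, time-limit and loopback problems described earlier in the post, into something you can measure on a candidate host, here is an added diagnostic script. It is not part of the post or of Wordfence. It assumes a Linux host running PHP 7 or later under a real web server, with the posix extension available for the rlimit reading and curl for the loopback request (it falls back to file_get_contents without curl).

```php
<?php
// wp-host-check.php: added illustration (not from the post, not part of Wordfence) of how to
// measure the limits the post says to ask a host about. Drop it in the web root of a fresh
// WordPress install, request it once in a browser, then delete it.
// Assumptions: Linux host, PHP 7+, posix and curl extensions (both optional, see fallbacks).

declare(strict_types=1);
header('Content-Type: text/plain');

// Loopback target: answer a tiny "pong" so the request this script makes to itself returns at once.
if (isset($_GET['pong'])) {
    echo 'pong';
    exit;
}

// 1. Configured PHP limits.
echo "php.ini memory_limit:       " . ini_get('memory_limit') . "\n";
echo "php.ini max_execution_time: " . ini_get('max_execution_time') . "s\n";

// 2. OS-level limits on this process. Apache's RLimitMem sets the address-space limit
//    (RLIMIT_AS, shown by PHP as "virtualmem") for processes it launches. A small value here
//    next to a large memory_limit is the misconfiguration the post describes.
if (function_exists('posix_getrlimit')) {
    $rl = posix_getrlimit();
    echo "rlimit virtualmem: soft=" . ($rl['soft virtualmem'] ?? 'n/a') . " hard=" . ($rl['hard virtualmem'] ?? 'n/a') . "\n";
    echo "rlimit data:       soft=" . ($rl['soft data'] ?? 'n/a') . " hard=" . ($rl['hard data'] ?? 'n/a') . "\n";
} else {
    echo "rlimit: posix extension not available, check apache2.conf for RLimitMem by hand\n";
}

// 3. Does the server know its own name? WP-Cron relies on a request back to the site.
$host = gethostname();
$resolved = gethostbyname($host);   // returns the name unchanged when it cannot be resolved
echo "hostname: $host -> " . ($resolved === $host ? 'UNRESOLVED' : $resolved) . "\n";

// 4. Loopback HTTP request to this very script, with a short timeout.
$scheme = (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off') ? 'https' : 'http';
$self = $scheme . '://' . $_SERVER['HTTP_HOST'] . strtok($_SERVER['REQUEST_URI'], '?') . '?pong=1';
$start = microtime(true);
$body = loopback_get($self, 5);
$elapsed = round((microtime(true) - $start) * 1000);
echo "loopback $self: " . ($body === 'pong' ? "OK ({$elapsed} ms)" : "FAILED ({$elapsed} ms)") . "\n";

function loopback_get(string $url, int $timeout): string
{
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_CONNECTTIMEOUT => $timeout,
            CURLOPT_TIMEOUT        => $timeout,
        ]);
        $out = curl_exec($ch);
        curl_close($ch);
        return is_string($out) ? $out : '';
    }
    $ctx = stream_context_create(['http' => ['timeout' => $timeout]]);
    $out = @file_get_contents($url, false, $ctx);
    return is_string($out) ? $out : '';
}

// 5. Actual memory ceiling, only on request (?mem=1) because it deliberately grows the process.
//    A shutdown function still runs after PHP's "Allowed memory size exhausted" fatal error, so it
//    can report the peak reached. If the response ends with no output at all, something outside
//    PHP (RLimitMem or a process killer) ended the process: the hard-to-diagnose case from the post.
if (isset($_GET['mem'])) {
    register_shutdown_function(function (): void {
        $err = error_get_last();
        $peak = round(memory_get_peak_usage(true) / 1048576);
        echo "\npeak memory reached: {$peak} MiB";
        if ($err !== null) {
            echo "\nstopped by: " . $err['message'];
        }
        echo "\n";
    });
    $blocks = [];
    for ($i = 0; $i < 512; $i++) {          // cap the probe at 512 MiB
        $blocks[] = str_repeat('x', 1048576);
    }
    echo "allocated 512 MiB without hitting a limit\n";
}
```

    Request the script once to see the configured limits, the hostname resolution and the loopback result, then add ?mem=1 for the allocation probe, and delete the file afterwards. Under a single-threaded server such as php -S the loopback request times out regardless of the host, so run it under the host's own Apache or nginx. A memory probe that ends with a PHP error message names memory_limit as the ceiling; one that ends with no output at all points at RLimitMem or a process killer.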

    The one host that in my experience stands out head and shoulders above others is Bluehost. They are one of the larger hosts and I’ve never had a problem with performance, memory, scheduled jobs or anything else on one of their WordPress installs. Starting today I’m recommending our clients head over there to get rock solid WordPress hosting.

  • The Rise of the Data Smuggler

    I always thought the idea of physically smuggling data was absurd. Even physically transporting data seemed silly to me because if you have broadband you can simply upload or download it. For really big data I have a gigabit connection at a data center where I rent space, so sometimes I’ll do a massive download and just show up at the facility with a 1.5 terabyte drive and hit the local Starbucks while it takes a few minutes to copy over what I’ve downloaded.

    I have either given or thrown away countless USB thumb drives I’ve been given as gifts from Google AdWords and other companies. What’s the point?

    Two things changed my mind about why physically transporting data is interesting. The first was a conversation with Sebastian Thrun (creator of Google Street View) a few years back, in which he told me that Fedexing data is, and probably always will be, the highest bandwidth way of moving data around. That’s why Google uses Fedex to send hard drives from their Street View vans back to headquarters.

    The second thing that changed my mind was a new law in the UK that makes it illegal to not hand over encryption keys if the police want to decrypt your data. The penalty is two to five years in prison for simply refusing to hand over the keys. The logical outcome is that a lot of energy will now be spent on hiding the existence of encrypted data.

    I think two fields will emerge. The first is the art of hiding encrypted data when transferring it across a wire. If time is not a factor then this may be the way to go. Simply altering the sequence or transmission times of TCP packets can encode data, although it will be very low bandwidth.

    The second area where I think you’ll see more activity is the physical hiding of data. The reason I think more energy will be spent in this area is because it allows for very high bandwidth. If you can hide a 2 terabyte drive and take a 6 hour journey to get it from A to B, your bandwidth is 776 Megabits per second. Try and get that on your cable modem or ADSL link.

    Data storage devices that self destruct aren’t interesting when it comes to solving this problem. A self destructing drive lets police know that you have data that you never allowed them to decrypt, so presumably you’ll get your 2 to 5 years. The data needs to be invisible.

    Storing data on or inside your body may be one solution. According to Scientific American:

    The human brain consists of about one billion neurons. Each neuron forms about 1,000 connections to other neurons, amounting to more than a trillion connections. If each neuron could only help store a single memory, running out of space would be a problem. You might have only a few gigabytes of storage space, similar to the space in an iPod or a USB flash drive. Yet neurons combine so that each one helps with many memories at a time, exponentially increasing the brain’s memory storage capacity to something closer to around 2.5 petabytes (or a million gigabytes). For comparison, if your brain worked like a digital video recorder in a television, 2.5 petabytes would be enough to hold three million hours of TV shows. You would have to leave the TV running continuously for more than 300 years to use up all that storage.

    I’m not sure I would want to upload data directly to my brain, lest I overwrite the breathing function. But biological data storage is clearly worth looking at if your intent is to hide data.

    So maybe Johnny Mnemonic wasn’t so absurd after all:

  • Introducing Wordfence, the Ultimate WordPress security plugin.

    Exec Summary: Last year this WordPress blog was hacked which led me to discover the timthumb vulnerability you may have heard of. I fixed timthumb and worked with Ben, the author to release timthumb 2.0. Then I started work on Wordfence, what I hope will be the best security plugin in the business for WordPress. Wordfence is now completing beta testing. Install it, it’s free and it will help protect your site and keep you off Google’s malware list and in the search results. For beginners: you install Wordfence by going to your WordPress blog’s “Plugins” menu, clicking “Add New” and searching for “Wordfence”.

    Full Post:

    Last year on August 1, this WordPress blog was hacked. Thankfully I caught it quickly enough to stay off Google’s malware list. I retraced the hacker’s steps and discovered a zero day vulnerability in many WordPress themes and plugins in the form of a popular image resizer called timthumb.php.

    So I rewrote timthumb.php and worked with the author of timthumb and some of the WordPress team to merge my code into timthumb and we launched it as timthumb version 2.0.

    But getting hacked made me realize that as awesome as WordPress is, it can do security better.

    So I dropped everything and spent the last few months writing what I hope will be the last word in WordPress security.

    A few days ago I quietly released Wordfence into the WordPress plugin repository. Since then I’ve been working with some amazing WordPress publishers to make Wordfence even better and I’ve been rapidly rolling out improvements, enhancements and (yes, believe it or not) a few bug fixes. I’d say Wordfence is getting close to finishing Beta testing at this point.

    Except for two (rather minor) features, Wordfence is completely free. It is also backed up by a cluster of cloud based scanning servers that do most of the heavy lifting to keep your site running super fast.

    Here are some of the more notable ways Wordfence enhances your WordPress security:

    • Scans your core files against a reference copy which I maintain in our cloud servers.
    • Lets you see what has changed, how the file has changed and even repair it.
    • Scans your comments, posts and all files including core, themes, plugins and everything else under your WordPress root directory for malware, virus signatures, vulnerabilities and (very importantly) URLs that are known to host malware or viruses.
    • I want to re-emphasize the last point. Wordfence keeps known dangerous URLs, including ALL URLs that are on Google’s safe browsing list, out of your comments, pages, posts and files. This is by far my favorite feature because it’s virtually guaranteed to keep you off the dreaded red-page-of-death-malware-list that Chrome and Google use to ban sites.
    • Wordfence comes with a complete firewall that lets you set up rules based on the type of traffic and either throttle or block offenders with an SEO safe 503 (come back later) HTTP message.
    • Another favorite feature of mine is that you can block fake Google crawlers. I actually added this after I tested Wordfence on this site because I couldn’t believe how many scrapers were pretending to be Googlebot. So now they are all instantly blocked.
    • Wordfence uses Google’s recommended reverse-forward DNS verification to sift the fake Googlebots from the real ones.
    • It includes login security against every form of brute force attack out there including abusing your lost-password form.
    • And what’s the point of having all this awesome security if you can’t see who is visiting, who’s getting blocked and what humans and robots are doing? So Wordfence includes real-time traffic that wait..for…it…
    • …Includes crawlers, scrapers, robots and all non-human traffic. Something you can’t get from Google Analytics or any other Javascript based analytics package.
    • I’ve even broken out Googlebot, other crawlers, 404 errors, humans and there’s an All Hits view.
    • And of course it includes commercial grade city-level geolocation which is another feature that comes from our cloud servers.
    • Wordfence is also built using much of the knowledge I’ve gained building Feedjit’s real-time analytics so it is careful to minimize any impact on network, website and MySQL database performance and keep your website running super-fast.
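
    The reverse-then-forward DNS check mentioned in the list above (the one Google recommends for telling real Googlebot requests from scrapers that merely copy its User-Agent), written out as an added PHP example. This is not Wordfence’s code. The resolver functions are passed in as callables so the logic can be exercised offline against constructed PTR and A answers; `is_googlebot_live()` wires in PHP’s real `gethostbyaddr()` and `gethostbynamel()`. It needs PHP 8 for `str_ends_with()`.

```php
<?php
// Added example (not Wordfence's code) of reverse-then-forward DNS verification of a crawler.
// Resolvers are injectable so the check can be demonstrated offline with constructed answers.

declare(strict_types=1);

/**
 * Return true only if:
 *  1. the IP has a PTR record,
 *  2. that name is inside googlebot.com or google.com (at a label boundary, not as a substring), and
 *  3. the name resolves forward to a set of A records that includes the original IP.
 *
 * @param callable $reverse  ip -> hostname, or false on failure (same shape as gethostbyaddr)
 * @param callable $forward  hostname -> list of IPs, or false on failure (same shape as gethostbynamel)
 */
function is_verified_googlebot(string $ip, callable $reverse, callable $forward): bool
{
    $name = $reverse($ip);
    // gethostbyaddr() returns the IP itself when there is no PTR record.
    if ($name === false || $name === $ip) {
        return false;
    }
    $name = strtolower(rtrim($name, '.'));
    if (!hostname_in_domain($name, ['googlebot.com', 'google.com'])) {
        return false;
    }
    $ips = $forward($name);
    return is_array($ips) && in_array($ip, $ips, true);
}

/** "crawl-1-2-3-4.googlebot.com" matches; "googlebot.com.example.net" and "notgooglebot.com" do not. */
function hostname_in_domain(string $host, array $domains): bool
{
    foreach ($domains as $d) {
        if ($host === $d || str_ends_with($host, '.' . $d)) {
            return true;
        }
    }
    return false;
}

/** Live check against the system resolver. */
function is_googlebot_live(string $ip): bool
{
    return is_verified_googlebot($ip, 'gethostbyaddr', 'gethostbynamel');
}

// ---- Offline demonstration with constructed DNS answers (documentation-range IPs, not real records) ----
$ptr = [
    '192.0.2.10' => 'crawl-192-0-2-10.googlebot.com',  // genuine: PTR and A agree
    '192.0.2.11' => 'crawl-192-0-2-11.googlebot.com',  // forged PTR: forward lookup points elsewhere
    '192.0.2.12' => 'googlebot.com.evil.example',       // lookalike domain
    '192.0.2.13' => '192.0.2.13',                        // no PTR at all
];
$a = [
    'crawl-192-0-2-10.googlebot.com' => ['192.0.2.10'],
    'crawl-192-0-2-11.googlebot.com' => ['198.51.100.7'],
    'googlebot.com.evil.example'     => ['192.0.2.12'],
];
$fakeReverse = fn(string $ip) => $ptr[$ip] ?? false;
$fakeForward = fn(string $h) => $a[$h] ?? false;

foreach (array_keys($ptr) as $ip) {
    $ok = is_verified_googlebot($ip, $fakeReverse, $fakeForward);
    printf("%-12s %s\n", $ip, $ok ? 'verified Googlebot' : 'NOT verified');
}
```

    The label-boundary test in hostname_in_domain() is what stops a crawler on googlebot.com.evil.example from passing, and the forward step is what stops a forged PTR record. gethostbynamel() returns only A records, so for crawlers arriving over IPv6 the forward step would need dns_get_record() with DNS_AAAA instead.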

    Most importantly, Wordfence comes with a commercial license if you prefer first-class support and support forums for free users including a generic WordPress security forum where I’m happy to answer general config questions.

    Improving WordPress security is going to be a marathon, not a sprint. I’m in this for the long haul. So check out Wordfence now by installing it on your blog and work with me to make the Web and WordPress more secure.

  • WordPress Security: Which is more secure? A VPS or a VHost?

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    In web server admin parlance, a VPS is a Virtual Private Server and a VHost is a virtually hosted website. There were a few questions regarding security on VPS’s and VHosts in my previous post on “Seven ways I could hack into your WordPress website”, so I thought I’d clarify what the difference is between WordPress hosted on a Virtual Private Server (VPS) vs WordPress on a Virtual Host (VHost) and what the security implications are of each configuration.

    A Virtually Hosted Website (VHost)

    In the early days of the web, you would have a single physical machine running a single operating system running a single web server. That web server would serve up a single website.

    HTTP 1.0 introduced the optional “Host:” header and HTTP 1.1 made it mandatory with any web request that a browser sends. The effect of this is that when a web browser sends a request to any web server, it lets the server know which website it wants to see. Because web servers know what website a browser expects, they can now host an unlimited number of websites. This is called virtual hosting.

    When you have a virtually hosted website, you are sharing a single server and operating system with many other websites. Your files and the files of other websites are stored on the same operating system. You all share the same web server and the server chooses which of your websites it needs to serve based on what a web browser requests when it connects to that web server.

    Usually on a virtually hosted website, you won’t have access to other website files and they won’t have access to yours. This is usually done by giving you a unique username that you use to sign in and your username only has permissions to view your files.

    A Virtual Private Server (VPS)

    A VPS is a little different. Normally when you install any operating system, you install it directly on a machine like a server or workstation. With a VPS, you first install a base operating system like Windows or Linux. Then you install a virtual machine hosting platform called a Hypervisor. Examples of Hypervisors are VMware and Xen.

    Within the Hypervisor you can then install multiple virtual machines. These pretend to be physical hardware and when you boot them up you get a BIOS message similar to when you boot up a physical machine.

    Within these virtual machines you can then install an operating system like Linux or Windows. Using this config you can have potentially hundreds of virtual machines running on a single physical machine.

    So to summarize, you have a physical machine running an operating system which runs a hypervisor which runs multiple virtual machines and each virtual machine runs its own operating system. Within these operating systems you run your own web server, have the files for your website and do anything else you feel like doing. It’s impossible for someone on another virtual machine to access your virtual machine.

    Linode is one of the most popular virtual machine hosting providers and they use the Xen Hypervisor to host Linux virtual machines.

    So which is more secure?

    By now you’ve probably already figured it out: Running your own virtual machine that is completely segmented from everyone else is usually the more secure option. Here are a few reasons why:

    1. If your web host messed up the machine configuration or permissions, then other users may be able to access your files.
    2. If another user’s WordPress installation gets hacked, it may be possible for the hacker to gain read or in rare cases read and write access to your files.
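
    Two of the shared-hosting risks just listed, files exposed by a permissions mistake and files readable from another tenant’s compromised site, can be checked from inside your own account. The script below is an added example, not from the post; it assumes a Unix-like host with PHP’s posix extension and is meant to be uploaded beside wp-config.php, requested once, and deleted.

```php
<?php
// Added illustration (not from the post) of two quick checks for the shared-hosting risks
// described above: does PHP run as your own user, and is wp-config.php readable by other
// accounts on the same operating system? Upload next to wp-config.php, request once, delete.
// Assumes a Unix-like host with the posix extension.

declare(strict_types=1);
header('Content-Type: text/plain');

/** Collect isolation findings about one secret-bearing file. */
function check_isolation(string $secretFile): array
{
    $findings = [];

    // Who is PHP running as, and who owns the site files? If PHP runs as a shared user such
    // as www-data for every site on the box, another site's compromised PHP code runs as that
    // same user and can read this file.
    $runtimeUid = function_exists('posix_geteuid') ? posix_geteuid() : -1;
    $ownerUid   = fileowner($secretFile);
    $findings['php_runs_as_file_owner'] = ($runtimeUid === $ownerUid);

    // Mode bits: anything readable by "group" or "other" is readable by co-tenants once they
    // know the path, and the path of wp-config.php is not a secret.
    $mode = fileperms($secretFile) & 0777;
    $findings['secret_mode'] = sprintf('%04o', $mode);
    $findings['secret_readable_by_others'] = ($mode & 0044) !== 0;

    // open_basedir confines PHP file access to the listed directories. When it is unset, nothing
    // inside PHP stops a script in another vhost from reading paths outside its own tree.
    $basedir = ini_get('open_basedir');
    $findings['open_basedir'] = ($basedir === '' || $basedir === false) ? '(not set)' : $basedir;

    return $findings;
}

$target = __DIR__ . '/wp-config.php';
if (!is_file($target)) {
    echo "wp-config.php not found next to this script\n";
    exit(1);
}
foreach (check_isolation($target) as $key => $value) {
    printf("%-28s %s\n", $key, is_bool($value) ? ($value ? 'yes' : 'no') : $value);
}
```

    The combination to look for is PHP running as your own user with wp-config.php not readable by group or other (mode 0600 or 0640). PHP running as a shared user with a 0644 wp-config.php means every other site on the box executes as a user that can read your database credentials; on such a host open_basedir is the only PHP-level barrier, and it is a setting the host controls, not you.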

    Another thing I like about having a VPS instead of a VHost is that you have your own IP address. On the Internet, IP addresses can get blacklisted, particularly if you’re sending email. If your web application sends email e.g. if you’re using the WordPress “Subscribe to Comments” plugin, then your emails may be flagged as spam if another user on the same server is sending a lot of spam.

    With a VPS you have your own IP address, so as long as the IP address wasn’t already black-listed when you got it from your web host (I’ve seen it happen) then only you are responsible for how that IP address is perceived on the Net.

    In conclusion: While VPS’s tend to cost slightly more (about $20/month from Linode), they are well worth the extra cost when it comes to protecting your website and your reputation. As always please post any questions in the comments and I’ll either answer them directly or in a future post.

    Caveat: I have generalized greatly when it comes to VPS and VHost configurations. There are many variants including Type I and Type II Hypervisors, shared hosting where a single OS hosts one web server instance per website and many more. I’ve described two common VPS and VHost configs above for illustrative purposes, however the VPS config I describe is probably the most common configuration used by VPS providers.

  • WordPress Security: Seven Ways I Could Hack Into Your WordPress Site

    Big News [April 24th, 2012]: I’ve launched Wordfence to permanently fix your WordPress site’s security issues. Click here to learn more.

    I’m getting emails from people who are interested in securing their WordPress blogs or websites. If I was going to hack your WordPress blog or website, here are the first seven things I would try and how you could prevent me from getting in:

    1. Upgrade to the newest version of WordPress

    I would look up known vulnerabilities in old versions of WordPress. Then I would scan the web looking for sites that are running an old version of WordPress that I know has a hole in it. I would automate the whole process. Once my automated script finds your blog running an old WordPress version, I would simply drop right in through the hole that security databases have known about for months or even years.

    You can stop me from doing this by upgrading to the latest version of WordPress which is version 3.2.1 at the time of this writing.

    2. Upgrade all your themes and plugins to their newest versions

    In case you’re running the newest WordPress, I would look at your themes and plugins. I would try to find an old version of a theme or plugin with a known hole in it. Then I would drop right in and have my evil way with your server.

    You can stop me by keeping all your themes and plugins up to date and upgrading immediately when a new version is released.
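    The scanner in points 1 and 2 reads version numbers your own site hands out, so you can run the same check on yourself. The script below is an added example, not code from the original post: it reads the `<meta name="generator">` tag WordPress prints on every page and the `Version:` header of a plugin’s main file, then compares them against “latest” numbers the caller supplies. The sample page, the plugin names `example-gallery` and `example-forms`, and their version numbers are all constructed; 3.2.1 is only the number the post cites, not a live lookup.

```python
"""Self-audit: what version of WordPress and of each plugin does the site
reveal, and is it behind the newest release?

Added example, not code from the original post. The generator tag and the
plugin "Version:" header are real WordPress conventions; the sample HTML,
the plugin names and every version number below are constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

GENERATOR_RE = re.compile(
    r'<meta\s+name=["\']generator["\']\s+content=["\']WordPress\s+([\d.]+)', re.I)
# Matches "Version: 1.4" or " * Version: 1.4" inside a plugin's header comment.
PLUGIN_HEADER_RE = re.compile(r'^\s*\*?\s*Version:\s*([\d.]+)', re.I | re.M)


def version_tuple(v: str) -> Tuple[int, ...]:
    """Pad to three components so that '3.2' and '3.2.0' compare equal."""
    parts = [int(p) for p in v.split(".") if p]
    return tuple(parts + [0] * (3 - len(parts)))


def is_outdated(installed: str, latest: str) -> bool:
    return version_tuple(installed) < version_tuple(latest)


def wordpress_version(html: str) -> Optional[str]:
    m = GENERATOR_RE.search(html)
    return m.group(1) if m else None


def plugin_version(plugin_source: str) -> Optional[str]:
    m = PLUGIN_HEADER_RE.search(plugin_source)
    return m.group(1) if m else None


def audit(html: str, latest_wp: str,
          plugins: Dict[str, Tuple[str, str]]) -> List[str]:
    """plugins maps name -> (main-file source, latest version). Returns findings."""
    findings: List[str] = []
    wp = wordpress_version(html)
    if wp is None:
        findings.append("WordPress version not in generator tag; scanners also "
                        "read readme.html and ?ver= on asset URLs, so check those")
    elif is_outdated(wp, latest_wp):
        findings.append(f"WordPress {wp} is behind {latest_wp}")
    for name, (source, latest) in plugins.items():
        v = plugin_version(source)
        if v is None:
            findings.append(f"plugin {name}: no Version header found")
        elif is_outdated(v, latest):
            findings.append(f"plugin {name} {v} is behind {latest}")
    return findings


# Constructed sample page and plugin headers (not from any real site).
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 3.1.3" />
<link rel="stylesheet" href="/wp-content/themes/twentyten/style.css?ver=3.1.3" />
</head><body></body></html>"""

SAMPLE_PLUGINS = {
    "example-gallery": ("/*\nPlugin Name: Example Gallery\nVersion: 1.4\n*/", "1.5"),
    "example-forms": ("/**\n * Plugin Name: Example Forms\n * Version: 2.0\n */", "2.0.0"),
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_HTML, "3.2.1", SAMPLE_PLUGINS):
        print(finding)
```

    One caveat: deleting the generator tag does not close a hole, it only removes one of several fingerprints. Stock WordPress also ships a `readme.html` at the site root and appends `?ver=` to the scripts and stylesheets it enqueues, so the fix is the upgrade, not the hiding.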

    3. Get rid of the ‘admin’ user

    If your WordPress core files, themes and plugins are up to date, I would try to guess your ‘admin’ password. I know the ‘admin’ user exists on most WordPress sites, so I would write a script that keeps trying to log-in using all the words in my dictionary.

    You can stop me by creating a new user with “administrator” privileges. Then delete the old admin user and make sure you assign all admin’s posts and pages to your new admin user.

    4. Make sure all your passwords are strong

    OK so your site is a little more secure than I thought. But I’m not out of tricks yet. When you publish a blog entry, I will look at the name of the user who published the post. Then I will use my good old automated password guessing script to throw a whole dictionary at your login page using the username that I saw authored your newest blog entry.

    You can stop me by using a password that isn’t in any dictionary, is long, and mixes numbers with upper- and lower-case letters.
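    The guessing in points 3 and 4 leaves a recognisable trail in the web server log, and the defender can read it. The script below is an added example, not code from the original post. It relies on two facts about stock WordPress: a failed login POST to `wp-login.php` is answered with a 200 (the form is re-rendered with an error) while a successful one is a 302 redirect, and a request for `/?author=N` is redirected to the author archive, which leaks the login name the attacker then feeds to the dictionary. The combined-format log lines, the IP addresses and the threshold are constructed for the example.

```python
"""Spot dictionary attacks on wp-login.php in an Apache/nginx combined log.

Added example, not code from the original post. Heuristic for stock
WordPress: a failed login POST gets a 200, a successful one a 302; a GET for
/?author=N that is redirected is username enumeration. The sample log at the
bottom is constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional, Set, Tuple

COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)
AUTHOR_ENUM_RE = re.compile(r'[?&]author=\d+')


def parse_line(line: str) -> Optional[dict]:
    """Parse one combined-format line; None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    return {
        "ip": m["ip"],
        "ts": datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"),
        "method": m["method"],
        "path": m["path"],
        "status": int(m["status"]),
    }


def max_in_window(times: List[datetime], window: timedelta) -> int:
    """Largest number of events that fall inside any span of length `window`."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def find_login_attacks(lines: Iterable[str], threshold: int = 5,
                       window: timedelta = timedelta(minutes=5)
                       ) -> Tuple[Dict[str, int], Set[str]]:
    """Return ({ip: size of its largest burst of failed logins} for IPs at or
    over `threshold`, {ips that enumerated usernames via ?author=N})."""
    failures: Dict[str, List[datetime]] = defaultdict(list)
    enumerators: Set[str] = set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if (rec["method"] == "POST" and rec["path"].startswith("/wp-login.php")
                and rec["status"] == 200):
            failures[rec["ip"]].append(rec["ts"])
        elif (rec["method"] == "GET" and AUTHOR_ENUM_RE.search(rec["path"])
                and rec["status"] in (301, 302)):
            enumerators.add(rec["ip"])
    flagged = {}
    for ip, times in failures.items():
        n = max_in_window(times, window)
        if n >= threshold:
            flagged[ip] = n
    return flagged, enumerators


# Constructed sample: one client enumerates the author and then hammers the
# login form; a legitimate user mistypes once and then logs in (302).
SAMPLE_LOG = """\
198.51.100.7 - - [14/Jul/2011:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.21"
198.51.100.7 - - [14/Jul/2011:10:00:02 +0000] "GET /author/mark/ HTTP/1.1" 200 5120 "-" "curl/7.21"
198.51.100.7 - - [14/Jul/2011:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-urllib"
198.51.100.7 - - [14/Jul/2011:10:00:06 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-urllib"
198.51.100.7 - - [14/Jul/2011:10:00:07 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-urllib"
198.51.100.7 - - [14/Jul/2011:10:00:08 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-urllib"
198.51.100.7 - - [14/Jul/2011:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-urllib"
198.51.100.7 - - [14/Jul/2011:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "python-urllib"
192.0.2.10 - - [14/Jul/2011:10:03:00 +0000] "POST /wp-login.php HTTP/1.1" 200 3812 "-" "Mozilla/5.0"
192.0.2.10 - - [14/Jul/2011:10:03:20 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    flagged, enumerators = find_login_attacks(SAMPLE_LOG.splitlines())
    print("dictionary attack from:", flagged)
    print("username enumeration from:", enumerators)
```

    Point it at your real access log (`find_login_attacks(open("access.log"))`) and feed the flagged addresses to a firewall rule or a login-throttling plugin. The status-code heuristic is the weak point: a plugin that changes the failed-login response, or an attacker who spreads guesses across many addresses, will slip under the threshold, so treat the output as a signal, not proof.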

    5. Know what other web applications you have installed

    Hmmm. You’re a tough customer. But I’m not done yet. WordPress isn’t the only application I could use to get in. Many websites also have forum software, helpdesk software and other applications installed. Security holes are regularly discovered in these applications, so I will scan your site and find out what other apps you have and see if any of them are old versions with known security problems.

    You can stop me by making sure all your other applications are up to date and don’t have any known security holes in them that the vendor may have released fixes for.

    6. Make sure all other public services running on your web server are secure

    Your site looks secure so I’m going to fight dirty. I will use a tool called ‘nmap’ to scan for open ports on the machine that runs your WordPress installation. Ah, I see you have an email server running IMAP along with an FTP server. I’ll try to log in to your email server and FTP server by guessing your passwords. I’ll also check to see if the server software or the operating system is an old version that has known security holes I can exploit.

    You can stop me by making sure your blog host keeps your WordPress server secure and up to date. They should be running a new version of Linux or whichever operating system you are using. The operating system should have the latest patches and all services running on the machine should be known about, should be necessary and should have hard to guess passwords. Don’t be afraid to quiz your blog host about this.

    7. Make sure you don’t get social’d

    Well, your site seems too secure for me to hack in using my tech skills. So I’m going to use my charming personality. I’ll call you up, pretend I work for your hosting company and try to get any information from you that might be useful. Passwords would be first prize, but I’ll take anything I can get: Staff names, your favorite pet, internal phone numbers, products and services your company uses, your birthday, anything that might help me guess passwords or find juicy targets that give me a way in.

    You can stop me by making sure you never give out passwords over the phone and don’t give out information unless you’ve verified who you’re talking to. A good tactic if someone has called you is to simply ask them for a call-back number. Then verify who the company is, that the number belongs to them and call them back.

    Social engineering is the number one tactic hackers use to get into secure networks. Read the second comment on this recent Hacker News post (posted a week ago) for an example of how you might call up a company and get the last four digits of someone’s credit card. You might also find this story interesting about how css-tricks almost lost their domain a few days ago.

    Now that you know most of my sneaky hacker ways, you might want to read this WordPress article on how to further secure your WordPress site and keep hackers out.

  • WordPress Security: Have you been hacked?


    I’m reposting this again because many of the emails I’m getting say “if you’re still interested”. Please contact me at mmaunder at gmail.com if your WordPress installation has been hacked. I need you to send me any files the hacker left on your system. To return the favor I will include you in a free beta program we’ll be launching within weeks that will solve your WP security problems for the foreseeable future.

    Email any compromised WordPress files, malware, WordPress backdoors or trojans to mmaunder at gmail.com. Thanks.