SteveDickinson
WordPress

Intro

I developed this Web site, along with Quintic, utilising WordPress. Initially I incorporated WordPress into my own, self-generated web site as a means of providing blogging functionality. I subsequently took the plunge and merged the two aspects of the site to produce an integrated web site. However, I was very specific about how my site should look and interact.

There are a plethora of themes available with WordPress, and potentially one of them could have provided the look and feel that I desired. Indeed it is even conceivable that the default themes from WordPress could be readily customised to do what I wanted. The trouble is I did not know enough about WordPress to know how to verify whether either of those two scenarios was possible.

So instead I decided to write my own theme. This blog is, in part, a historic recollection of my experience and the knowledge gained, and in part an actual day-to-day diary of what I have done.

Security

I had already taken the general advice on securing the site.

  • Access to Admin features was restricted to a defined set of IP addresses
  • Apache would not serve up Directory Listings
  • Apache would not serve up file content
  • Single Admin user
  • Installed a security plugin to monitor activity

Lo and behold, the security plugin – Sucuri – started reporting brute-force attacks. The attacks had not succeeded in any actual log-ins, but what was concerning was that they were using actual UserNames; in particular the user-name I had selected for Admin (which was not Admin!).

That was disconcerting. How had the perpetrator managed to get hold of the UserNames?

It transpires that with WordPress obtaining Usernames is actually quite easy. If you submit a request to https://www.site-name.com/?author=1 then, assuming an Author with Id = 1 exists, WordPress will redirect to that user's author page, and the URL will contain the actual username.

All the attacker has to do is go through 1, 2, 3 … up to however high they like, and they will collect a number of Usernames.

I accept that getting the usernames is only a small step towards gaining access to the site, but it is one that I would rather not be that easy to take. Also, if you do have users on your site, then you really should protect their information.

As it transpires there is a relatively simple solution to this issue. The following lines, added to the site's main .htaccess file, ensure that unless the request is for a path under /wp-admin (where ?author= is used legitimately to filter post lists), any request carrying an author=<number> query string is redirected to the site's home page.

# Block WordPress author enumeration (?author=N) outside of /wp-admin
RewriteEngine On
# Skip the rule for admin pages, which use ?author= legitimately (case-insensitive match)
RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
# Only act when the query string contains author= followed by a digit
RewriteCond %{QUERY_STRING} author=\d
# Permanently redirect to the home page; the trailing ? discards the query string
RewriteRule ^ /? [L,R=301]
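As an added illustration (my own example, not code from the post), the following Python script models the three .htaccess conditions above and runs them over a few constructed Apache combined-format access-log lines. It shows which requests the rule catches (note the /wp-admin exemption and the digit requirement) and flags any author= probe that was answered with something other than the 301 redirect, which is a quick way to confirm the rule is actually in effect on your own log files.

```python
import re
from collections import Counter
from urllib.parse import urlsplit

# Constructed sample lines in Apache "combined" log format (not from the post).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Oct/2023:13:55:36 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:37 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/7.88"
203.0.113.7 - - [10/Oct/2023:13:55:38 +0000] "GET /?author=3 HTTP/1.1" 200 5120 "-" "curl/7.88"
198.51.100.4 - - [10/Oct/2023:14:01:02 +0000] "GET /wp-admin/edit.php?author=1 HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Oct/2023:14:01:05 +0000] "GET /?s=author HTTP/1.1" 200 4096 "-" "Mozilla/5.0"
192.0.2.9 - - [10/Oct/2023:14:03:11 +0000] "GET /?author=abc HTTP/1.1" 200 4096 "-" "python-requests/2.31"
"""

# Client IP, request target and status code from a combined-format line.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

def matches_rewrite_rule(target: str) -> bool:
    """Model the .htaccess conditions: the path (REQUEST_URI, no query string)
    must not start with /wp-admin (case-insensitive) AND the query string must
    contain 'author=' followed by a digit (unanchored, like the Apache regex)."""
    parts = urlsplit(target)
    if re.match(r"^/wp-admin", parts.path, re.IGNORECASE):
        return False
    return re.search(r"author=\d", parts.query) is not None

def find_author_probes(log_text: str):
    """Return ({ip: number of author= probes}, [lines where a probe was NOT
    answered with the 301 the rule should produce])."""
    per_ip = Counter()
    unblocked = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or not matches_rewrite_rule(m["target"]):
            continue
        per_ip[m["ip"]] += 1
        if m["status"] != "301":
            unblocked.append(line)
    return per_ip, unblocked

if __name__ == "__main__":
    probes, not_redirected = find_author_probes(SAMPLE_LOG)
    print("author= probes per IP:", dict(probes))
    print("probes not redirected (rule missing or bypassed):", len(not_redirected))
```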

PCs, Tablets, Smartphones

The next major WordPress project is to make my site multi-device friendly. I have duckduckgo'd how to make WordPress sites multi-device friendly and, I'll be honest, have not got very far. I do realise there will never be an easy, works-for-all solution (even though there are a couple of plugins that suggest they can) but I was hoping for some guidance on how to achieve it.
