Click here to load reader
Upload
arief-mardianto
View
212
Download
0
Embed Size (px)
Citation preview
Security And .htaccess in WordPress
|=---------------=[ Security And .htaccess in WordPress ]= --------------=|
|=----------------------=[ Author : jos_ali_joe ]=----------------------=|
|=---------------------=[ [email protected] ]=----------------------=|
This article i'm made reference articles from r3m1ck entitled Securing your WordPress (IndonesianVersion)
Post In : http://www.exploit -id.com/articles/securing-your-wordpress-indonesian-version
This article is only a little extra from my brother r3m1ck
okay now go to simple articles Security And .htaccess in WordPress
Quite a lot of security loopholes WordPress. Generally located on root directory. There is also located onthe parent directory / main.
CMS WordPress consists of three main directories :
1. wp-admin
2. wp-content
3. wp-includes
In each directory contains quite a lot of files. In fact there are more directories in of main directory.So,Any security WordPress CMS loopholes in current directory;especially if exploited via URL?Here iscomplete list of WordPress vulnerabilities that could lead to 'bug' in the form of error messages.Complete with security
1. domainname/wp-settings.php
Security Tips
1. Login to your hosting control panel ( domainname/cpanel).
2. Go to main WordPress folder.
If using Cpanel, go to public_html> wp -settings.php
if using Spanel, go to the site directory> site's domain name> www> wp -settings.php
3. Add / paste the code to eliminating error :
ini_set(“display_errors”, 0);error_reporting(0);
Precisely at bottom of the opening code from PHP <?php
look images
4. Click save to new settings.
2. domainname/wp-admin/filename
Here is a list of filenames in your wp -admin directory that could bring up an error when exploited via aURL:
admin-functions.phpmenu.phpmenu-header.phpoptions-head.phpupgrade-functions.php
Examples of vulnerabilities : http://your.domain.name.com/wp -admin/menu.php
Security Tips
1. like with the above method, Add / paste the code to eliminating error
example if file menu.php .
ini_set(“display_errors”, 0);error_reporting(0);
look images
3. Do the same in files contained in the wp -admin, as in list above4. location directory :
public_html > wp-admin > filename (if using cPanel)
go to site directory> domainname> www> wp -admin (if using SPanel)
Examples of security : http://your.domain.name.com/wp -admin/menu.php
3. domainname/wp-admin/includes/
domainname/wp-admin/includes/filename
This directory contains quite a lot of 'bugs' or vulnerabilities if exploited further to files. With a URLpattern as above, then error that displays the hosting account username could be look / appear.
Examples of vulnerabilities : http://your.domain.name.com/wp -admin/includes/admin.php, Here is a listof filenames in your wp-admin directory that could bring up a n error when exploited via URL:
admin.phpclass-ftp-pure.phpclass-ftp-sockets.phpclass-ftp.phpclass-wp-filesystem-direct.phpclass-wp-filesystem-ftpext.phpclass-wp-filesystem-ftpsockets.phpclass-wp-filesystem-ssh2.phpcomment.phpcontinents-cities.phpfile.phpmedia.phpmisc.phpplugin-install.phpplugin.phptemplate.phptheme-install.phpupdate.phpupgrade.phpuser.php
How to Secure ?
You simply create a file .htacces in wp -admin/includes directory.
1. Login to your hosting control panel (domainname/cpanel).2. Go to public_html > wp-admin > includes (if using cPanel) , go to site directory> domainname>
www> wp-admin > includes (if using SPanel)3. Create a new file in location of wp -admin > includes . with the name .ht acces (in txt format) , txt
file which will be rename with the name ' .htaccess '.4. Copy under code in file .htaccess
# PHP error handling for production serversphp_flag display_startup_errors offphp_flag display_errors offphp_flag html_errors offphp_flag log_errors onphp_flag ignore_repeated_errors offphp_flag ignore_repeated_source offphp_flag report_memleaks onphp_flag track_errors onphp_value docref_root 0php_value docref_ext 0# [see footnote 3] # php_value error_reporting 999999999php_value error_reporting -1php_value log_errors_max_len 0
5. Click save to new settings.
The above code is useful for displaying error in general,effect of adding the file .htaccess with the scriptabove you can look
http://your.domain.name.com/wp -admin/includes/
http://your.domain.name.com/wp -admin/includes/admin.php
4. domainname/wp-includes
domainname/wp-includes/filename
Here is a list of filenames in your wp -includes directory that could bring up an error when exploited via aURL:
canonical.phpclass-feed.phpclass.wp-scripts.phpclass.wp-styles.phpcomment-template.phpdefault-embeds.phpdefault-filters.phpdefault-widgets.phpfeed-atom-comments.phpfeed-atom.phpfeed-rdf.phpfeed-rss.phpfeed-rss2-comments.phpfeed-rss2.phpgeneral-template.phpkses.phpmedia.phppost.phpregistration-functions.phprss-functions.phprss.phpscript-loader.phpshortcodes.phptaxonomy.phptemplate-loader.phptheme.phpupdate.phpvars.phpwp-db.phpuser.php
Security Tips
1. Login to your hosting control panel (domainname/cpanel).2. Go to public_html > wp-includes (if using cPanel) , go to site directory> domainname> www> wp -
includes (if using SPanel)3. Create a new file in location of wp -admin > includes . with the name .htacces (in txt format) , txt
file which will be rename with the name ' .htaccess '4. Copy under code in file .htaccess
<ifmodule mod_rewrite.c>RewriteEngine OnRewriteBase /RewriteRule .*\.php$ http://your.domain.name.com/ [L]
Useful to switch to the front page of your domain site if there is a access your domain site through theURL .
Referensi :
http://codex.wordpress.org/
http://google.com/
To Be Continue :D
Special Thanks :
Allah SWT, Muhamad SAW
My sister Nabila and Dyah, My Lovely Fitri Ardiyadila .
Indonesian Coder Team , Exploit -ID , Kebumen Cyber Crew, Devilz Code, Explore Crew , Magelang Cyber, Malang Cyber
My Best Friend :
kaMtiEz, El-Farhatz, r3m1ck, adeyonatan ( Thanks Bro your Support \m/ )