PHP-scripts for analysis and modification. PHP-scripts for analysis and modification Victory unique administrator login

We create an authoritative registration page for the multisite, replacing the standard wp-signup.php.

For a normal WordPress installation, the registration side (authorization, password reset) should display the wp-login.php file.

• /wp-login.php - authorization
• /wp-login.php?action=register - registration
• /wp-login.php?action=lostpassword - Lost password

For a multisite wp-login.php, you need to be smart. So, when you go to /wp-login.php?action=register on WordPress multisite, you will redirect to the /wp-signup.php side. In rich topics, the side looks not so pleasantly, I’ll be able to control it.

The main site of the merezhі

For the WordPress promotion, you create a registration page (wp-signup.php) on the main domain (website) of the enterprise. Prote, you can create a registration page for the dermal website of the merchant, so that they have different topics. We look at the difference, if all the sites of the Merezha have their own personal registration page, but the same theme is chosen and the sites are no longer mine. As vykoristovuyutsya different topics, it is necessary to write more code.

functions.php?

Ni. Im'ya file, zdaєtsya, zgaduєtsya be-yakіy statti about WordPress. In our opinion, looking at those who have the functionality of registering insurance on a site spawn, there is no reason to blame yoga in MU-plugins, as they get entangled when they write to a site.

Lyric entry

Warto signify that MU-plugins are occupied earlier for secondary plugins and before the WordPress core is fully occupied, which can lead to fatal pardons for PHP. Similar "early" advancement may have its pluses. Let's just say, if you're in the middle of those, you can't go up to some actions, so you can try to get into the functions.php file with those. An example of which can be actions from the Jetpack plugin in the form jetpack_module_loaded_related-posts (related-posts - the name of the module) for the help of which you can see the activity of modules in Jetpack. Prior to this action, it is impossible to "attach" to the file with those that the action has already been occupied with by those - the plug-ins are occupied earlier. You can look at the big picture of the WordPress engagement order on the Action Reference side of the code.

File order

MU-plugins can replace any number of files in the same structure, as it seems to you logical. I will finish approximately the following hierarchy:

|-mu-plugins |-|-load.php |-|-|-selena-network |-|-|-|-signup |-|-|-|-|-plugin.php |-|-|-| -|-... |-|-|-|-jetpack |-|-|-|-|-plugin.php

The load.php file includes all the necessary plugins for our measure:

// Load Traslates for all addons load_muplugin_textdomain("selena_network", "/selena-network/languages/"); // Network Signup require WPMU_PLUGIN_DIR . "/selena-network/signup/plugin.php"; // Other plugins // require WPMU_PLUGIN_DIR ...

In the middle of the selena-network folder, the plugin folders are saved, the skin has its own plugin.php , so we include it in load.php . Tse give gnuchkіst that mozhlivіst shvidko vіdklyuchati and include deakі speechі.

Registration party addresses

To specify the address of the registration party, the wp_signup_location filter is selected. You can find it in the middle of the wp-login.php file and you can redirect to wp-signup.php itself.

Case "register" : if (is_multisite()) ( wp_redirect(apply_filters("wp_signup_location", network_site_url("wp-signup.php"))); exit;

Add your function to mu-plugins/selena-network/signup/plugin.php , so that you enter the address of the registration party on the streaming site:

Function selena_network_signup_page ($url) ( return home_url () . "/signup/"; ) add_filter ("wp_signup_location", "selena_network_signup_page", 99);

selena_network - a prefix that I use in the names of all functions in the middle of MU-plugins on my site to avoid collusion, and then replace it with your own unique prefix. The priority of adding a filter is 99, so that other plugins, for example bbPress and BuddyPress can overwrite this address on the file (MU-plugins are taken earlier, lower name plugins, div. higher). Respect that home_url() wins instead of network_site_url() , so that you don't check on the same domain. Like the address, you can twist it to the URL.

Side fold

Now let's create a page with the address site.com/signup/ through a custom interface, and in the parent folder, the template for our new page is page-signup.php. The word "signup" can be replaced by a unique ID.

Inside the new template, it is necessary to call the selena_network_signup_main() function to display the registration form.

Please note that the whole process is not bound by templates, and instead you can create your own shortcode, which also calls the selena_network_signup_main() function.

wp-signup.php and wp-activate.php

Now let's take a look at the creation of functions, as if we were creating a registration form. For whom copy the wp-signup.php and wp-activate.php files from the WordPress root at mu-plugings/selena-network/signup/ (and do not forget to include them in the middle of mu-plugins/selena-network/signup/plugin.php) . Further manipulations with files are even more coherent and can be described for a long time; I will only describe what I myself need to work on and publish the external files of my project:

1. On the top of the file, see all the require , quick-click functions, and other code behind the functions.
2. Rename all functions by adding unique prefixes to names.
3. Wrap the bottom part of the wp-signup.php code with the selena_network_signup_main function and write global $active_signup on the cob; .
4. Change the layout to the vlasnu in the required areas.

Inside wp-activate.php, you need to add approximately the same:

1. View the entire code with functions, wrap the layout around the other function.
2. Change the layout in the areas where it is necessary.

The file wp-activate.php is considered for the activation side of the oblique record. As a third party of registration, for it you need to create a custom template, use the same call function in the wp-activate.php file.

Nadsilaemo leaf activation

The registrar's office enforces the receipt of the sheet with the request for the activation of the oblikovy record. The wpmu_signup_user_notification() function from the ms-functions.php file takes care of cym zapping. Її functionality can be assigned for your own function. The reason, through the way it is necessary to change this function, is that it is necessary to force the activation of the oblique record from wp-activate.php . "Turn off" this function, you can use the additional wpmu_signup_user_notification filter, which is false anyway (so don't turn it off, the activation sheet will be edited two, okay, really two different sheets).

Function armyofselenagomez_wpmu_signup_user_notification($user, $user_email, $key, $meta = array()) ( // ... // Code for wpmu_signup_user_notification() function wp_mail($user_email, wp_specialchars_decode($subject), $ ; return false; ) add_filter("wpmu_signup_user_notification", "armyofselenagomez_wpmu_signup_user_notification", 10, 4);

As a result, the registration page in the topics of Selena began to look richer and neater.

Visnovok

On the Internet, there are no better ways to do it yourself - Apache redirects, AJAX-forms, like not working without Java Script, etc. sites.

I’ll respect that you edit the files carefully and don’t mess up too much during the holidays, so in the future, like WordPress change the wp-signup.php and wp-activate.php files, it’s easier to take care of yourself for a change.

Do not forget to marvel at the output code of all the descriptions of the other functions, so that I will be able to figure out what is in the middle of the code.

Bonus. Defender against spammers

Find the best sites on WordPress often get a lot of spam registrations. You can write non-sophisticated minds for filtering bots, often more similar to trying to create a piece of intelligence 🙂 (I'm not an expert on customizing Apache, so my rules may not be correct).

RewriteEngine On RewriteBase / RewriteRule ^wp-signup\.php - RewriteRule ^wp-activate\.php - # BEGIN WordPress # Wordpress view rules don't need to be locked :) # ... # END WordPress

PS I try to describe in as much detail as possible the acts of third-party speeches, to the fact that if I started, for an hour it was possible for anyone to tell and explain a lot of speeches. So I respect that similarly small inductions on other materials can be improved to develop something new and expand your knowledge. The RewriteRule records have regular lines, the stench is not foldable, for example, the symbol ^ means the ear of a row.

If on the right you reach the security of additions, it is important to think not only about the release of that operating system, but also about writing the protection of scripts. In this article, you know how to ensure the security of your program and the safety of your program and the less irritating. Below is a list of entries that will help you protect your program from all kinds of attacks:

1. Validation of input data
2. Defend against XSS attacks
3. Defend against CSRF attacks
4. Importance of SQL injections
5. File system hacker
6. Defendant of this session
7. Processing pardons
8. Protect files that connect

Validation of input data

Under the hour of designing programs, you need to practice protecting yoga from "nasty" input data. The rule, as it is necessary to follow, should sound something like this: “Do not lie to the one who is koristuvach”. Irrespective of those who do not threaten most of the koristuvachivs, make sure that those who want to hack your site, vikoristovuyuchi "bad" data, which are entered through the form or address row. If you constantly check and filter the input data, then you have a great chance of writing a secure program.

Always check your data in PHP scripts. Well, if you win JavaScript for data validation, then be it a mitigator, you can turn it on in your browser. At this time, your addendum is not safe. Nobody minds JavaScript validation, but for a good laugh you need to double check the data in PHP scripts.

Defend against XSS attacks

Cross-site scripting or XSS attack is an attack that is based on exploiting code on potentially different sides. The problem is that sloppy code can be entered through forms, and then displayed in the browser.

Let's say that on your site there is a form for entering comments, which will be displayed once you add it. The attacker can enter a comment to attack the JavaScript code. After the administration of the form, the data is sent to the server and entered into the database. If this data is taken from the database and the new comment is displayed on the HTML side, including the JavaScript code. You can redirect the koristuvach to your wrong side or to a phishing site.

To protect your programs, run the input data through the strip_tags() function to see all actual tags. When displaying data in the browser, stop the htmlentities() function.

Defend against CSRF attacks

An offensive type of attack, which is visible to the world, is either a CSRF attack or a cross-site request. Attacking victorious tricks for the removal of confidential information, or the introduction of the right without the knowledge of the victim. Basically, it works on badly stolen sites, de business logic will work on robotic GET requests.

Vzagali, GET requests are dempotent. Idempotency, in this context, means that access to one or the other side can be done for a long time without any third-party involvement. The GET itself should be charged only for denying access to information, but at the same time not for different transactions.

The following simple example shows how a non-hijacking site can detect CSRF attacks:

Let's say that Bob wants to perform a CSRF attack on Alice. Vіn having formed a special url address and sent it to Alicia by e-mail:

See my site!

If Alice is authorized on the website example.com and if you follow these instructions, $1000 will be transferred to Bob's account. As an alternative, Bob can edit the image, and in the src attribute add the "bad" address.

The browser is unable to display the image, the shards of yoga are not available, the software will be created without the knowledge of that part of Alice.

In order to avoid similar attacks, beat only POST requests before processes that are used to change information in the database. Don't tag $_REQUEST. Use $_GET to parse GET parameters, and $_POST to parse POST parameters.

As an addendum, you can generate a unique unique token and attach it to the POST skin request. When a koristuvach enters the system, you can generate a password token and write it to the session. Shards of all forms are displayed in the box, the whole token needs to be written down in the attached field. The business logic of the program is responsible for transferring the functionality, which is a reversible token from forms and a token that is saved in the session.

Importance of SQL injections

To win the data to the data base, follow the PDO win. With parameterized queries and prepared virusases, you can threaten SQL injections.

Let's take a look at the next butt:

For the code presented above, we can force the prepare() method to include the named parameters: :name and:age . In this rank, ask for compiling for further substitution of data. When calling the execute() method, the request is re-formed and winked. If you use this kind of technique, all tests of the SQL injection attacker will be reduced to zero.

File system hacker

As a reliable retailer, you are responsible for writing such code that does not threaten your file system. Let's take a look at the code, which is used to download the file, in the form of data transferred by the coder.

This script is not safe, so through it you can take access to any directory, which is accessible from the file with the script: to the directory with sessions, system folders and much more.

Defendant of this session

For locking, all session information is recorded to the temp directory. If you are a virtual hosting provider, if you please, you can write a script and review your session data. Therefore, beware of saving passwords or credit card numbers for sessions.

If you still need to save similar data in the session, then the best approach will be encryption. This does not completely solve the problem, because the encrypted data is not 100% secure, however, the information that is collected will be unreadable. So you should think about those that you can save these sessions in another place, such as a data base. PHP has a special session_set_save_handler() method that allows you to save session data in your own way.

Starting with PHP 5.4, you can pass an object of type SessionHandlerInterface to session_set_save_handler() .

Processing pardons

Under the hour of rozrobki programs varto pay respect for all kinds of pardons, as they can win, but in the case of kіntse koristuvachіv їkh it is necessary to take them. As if pardons are given to koristuvachas, we will irritate your site. In such a rank, the best solutions will be the configuration for the end server and the distribution server.

On the public server, you need to enable options such as display_errors and display_start_up_errors , as well as options such as error_reporting and log_errors , to be active, so that all the pardons that winicked from coristuvachiv were recorded in the logs.

You can also tweak “set_error_handler” to designate your own pardon handler. However, there may be a fault in the exchange, even if the author's work is done by the native PHP mechanism. The pardons E_CORE_ERROR , E_STRICT or E_COMPILER_ERROR cannot be found in the same file as the one in which the compiler is written. Moreover, pardons, which can be blamed on the obrobnik itself, cannot be confirmed.

For a more elegant way to include, potentially unsafe code should be placed in a try/catch block. Usі vlasnі vinyatki mayut but objects of the class or subclasses Exception. Even though the blame has been thrown, the try/catch blocks can be broken.

Protect files that connect

Often in PHP scripts, there is a need to add other files, such as connecting to the base and other files. Deyakі rozrobnik proponuyut such files expansion.inc. Do not parse such files for PHP promotions. If you go to them at the address without any intermediary, you can send the text to the file. If a hacker is allowed to take access to a file that takes data, connects to the database, then you can take access to all data of your program. So be sure to change the .php extension for the preferred files and save them where there is no direct access.

Podbag

If you will try to resurrect the 8 rules, then by the meaningful world you will be allowed to strengthen the resistance of your zastosuvannya to various attacks. Don't trust the data entered by the corrupters, steal your files and database.

Let's think about who is a hacker? A hacker is not a cracker! People often get confused and understand. A hacker is right in front of us a person with non-standard ideas, and in this way її strength, you can say.

To successfully resist a hacker, you need to learn to think outside the box. Like it seems, they beat a wedge with a wedge.

Today I'm going to tell you an incredible way to protect yourself from attacks like php include. Go wine, obviously, far from everyone. And it honestly protects you not from the attack itself, but from its manifestation. Intrigued?

How to joke about…

Let's take a look at it, as the burglar herself tries to show inconsistency.

You look like this. The attacker modifies all parameters according to your needs, allowing that these parameters are used by the enable function. Well, otherwise, in a simple way, you can “get” the files. And in order to designate chi є razlivіst chi nі, you need to add some kind of file on the whole system (it came - variability є, nі - razlivіstі nemaє).

Obviously, as an attacker, you don’t know the structure of the distribution of directories and files, and you can’t get any file, so you won’t know the way to the new one. Ale buvayut such files, yakі zavzhd іsnuyut і sistemі, і until yakі zavzhd є rights to read. For Linux, /etc/passwd, and for Windows, let's say C:\boot.ini. Ale vtim Windows, it’s not enough for us to click, so they gave me a memo about passwd

/etc/passwd

You sang along in your logs to a greater number of records in the form of:

Action=../etc/passwd%00
?action=../../etc/passwd%00
?action=../../../etc/passwd%00
?action=../../../../etc/passwd%00
?action=../../../../../etc/passwd%00
?do=../etc/passwd%00
?do=../../etc/passwd%00
?do=../../../etc/passwd%00
?do=../../../../etc/passwd%00
?do=../../../../../etc/passwd%00
?id=../etc/passwd%00
?id=../../etc/passwd%00
?id=../../../etc/passwd%00
?id=../../../../etc/passwd%00
?id=../../../../../etc/passwd%00

If so, then you should know that you tried to know php include (well, it’s possible to read more files, but don’t click on us at once). So from, as if one of your parameters is not processed by a proper rank and is used by the function include(), then the same file /etc/passwd was added, instead it was interpreted as a php script, and the shards of the wines did not tag the php code, they would be viewed in the browser in the same way. This would serve as a “marker” for the burglar of the obviousness of the inconsistency.

To what am I writing, to the extent that when poking around, the scammer of obov'yazkovo (I guarantee that in 90% of cases) will try to get the file /etc/passwd.

Protect yourself, goodness!

Without a doubt, you thought at once: “Wow, do you want to propagate the ultimate WAF and filter packets for /etc/passwd in them?”. Ni. Tse standard method. This is an example of how a great person thinks.

Let's show some fantasy. Why don't we just add some php code to the passwd file? And as soon as the attacker can get in, then our php code is broken. (Do you care about madness? - look at the end)

Since we know that the only one who thinks to include this file is a hacker, then our php code is guilty of banit, and in order to prevent our system from being hacked, to block the infuriating file, and it is necessary to inform about the administrator's substitution.

But how to add php code to /etc/passwd and even more syntax zhorstko regulations? The skin coristuvach has a "comment" field - the description of the coristuvach, there you can enter everything at any time (because of the double note, I understand). Therefore, we take that dodaemo koristuvach into the system with the comments we need. Then /etc/passwd will avenge such a row

root:x:0:0:Superuser:/:
daemon:*:1:5::/:/sbin/sh
bin:*:2:2::/usr/bin:/sbin/sh
sys:*:3:3::/:
adm:*:4:4::/var/adm:/sbin/sh
securityuser:*:1001:1001::/:

Well, in the script, which is being connected, it’s already necessary for you to do it - banish the coristuvacha, block the mail, remind the administrator.

As a result, we have our own pasta, so that you can protect your site from evil.

Visnovok

So, I can fully ascertain that everything written above is similar to madder. I have a wonderful mind that nothing in practice is victorious. Ale wrote not for whom. I wrote, to show the butt of a non-standard approach in the gallery to the zakhist.

Dyakuёmo for respect =)

All software products for hosting PHP scripts are divided into two categories: allow installation of add-on modules on the server and work with the default configuration of web servers. The first is more important in terms of security, in order to translate PHP-scripts from a text-based look into a special binary code, and also to allow access to the server with administrator rights. Others can practice practically on all hostings with PHP support, including those without cost, but not become a big problem for the evil one. In a subgroup, you can see the original code, which is not encrypted, but embossed.

Zahist on the same server:

A new commercial campaign that is actively developing. On a par with the master APIs, we hope to interact with scripts that are protected, supported by the Windows and Linux operating systems. Due to the small breadth, it is not installed on the usual virtual hosting, but it can be installed as a shortlisted server on other servers. There are no public decoders.

Commercial zakhist practically does not grow up, it is not installed on virtual hostings. Allows you to install a trial term for robotic scripts with reversal of dates according to the exact time of the known servers, to link the scripts that are protected to the servers, ip-addresses, MAC-addresses of the merged card, and the numbers of the data are victorious for decryption. We support all operating systems. There are no public decoders.

phpSHIELD. SourceGuardian prototype for PHP. Following the anger of two retailers, they ceased to develop as an independent product. The main functionality of the same, there are no public decoders.

ionCube PHP Encoder. Another popular commercial product for the protection of scripts. After the advent of public decoders for Zend, more and more often they were victorious and installed on virtual hostings. Allows you to encrypt not only scripts, but templates, XML documents, images, binary files. Attaches the protection of files to servers, є hard obfuscator, supports all operating systems. There are no public decoders, but deZender is known in some areas.

PHTML Encoder. The commercial system is small-scaled, it provides the best functionality for products of this type, working under the usual operating systems. For a fee, you can add a holiday code and modify it to your needs. There are no public decoders.

dwebencoder. Exotic protection for Windows, applications for creating scripted presentations and catalogs on CDs. The installed one looks like a self-hosted web server, on which php-scripts are encoded. There are no public decoders.

PHP Compact. Zakhist is more theoretical, less practical. I was rozroblyalas on one of the forums, but similarly far for the author's releases on the right I did not stick out. There are no decoders, as well as stolen scripts.

Adding code to the old php-accelerators Turck MMCache and eAccelerator. Convert scripts to bytecode with the method of improving the speed of the code. Є versions of modules for Windows and Linux. There are no public decoders, but, perhaps, the code for the project may be of help to the victim.

Zahist on the same day of the code:

CNCrypto. There is no free access to demo versions, the analysis was carried out behind stolen scripts. The hanging module of folding does not show up when unpacked, it only works on a good obfuscation of the output code.

PHPCipher. Zahist is an online service. Archives from your scripts are taken to the site and are taken back by stealing. A paid license allows you to sign the protection of scripts with your credits and to win for commercial purposes. A cost-free license allows you to win only special needs. The defender itself is protected by the Zend "php-module, which is connected to the protected scripts. After deZend" and the module is protected, all the necessary constants are taken up to the code. There are no obfuscator functions.

ByteRun Protector for PHP. A commercial product, depending on the type of license, allows you to protect scripts both on the server's level and on the level of the external code. The server zahist with standard possibilities does not have anything special. Zahist on equal scripts can be done easily automatically and manually. There is no public decoder for the server version.

Even more popular among vіtchiznyanykh rozrobnikіv zahist. Є strongly zasmіchenim empty code module zakhistu, which is connected through include to the zahranіh scriptіv. The decoding algorithm is even simpler, it doesn't call the daily folds for manual or automatic pickup. For all types, it is still known to the output code, there is no obfuscator function. There are few features for a few breaths of decoding, but here the stench will not be described.

codelock. Another popular zakhist, a miracle butt of illiterate programming. I am a php program that allows you to code like the scripts themselves, and the result of their work in the browser using javascript. Scripts can be protected with a password, but through mediocre implementation, the password can be easily recognized without knowing the overhead guard. The protection module is a php-script that is replaced by an empty code, which connects to the scripts that are being protected. Algorithm zakhistu is even simpler, it is more familiar to the output code. There are no obfuscation functions.

TrueBug PHP Encoder, recently TrueBug PHP Obfuscator & Encoder. Dzhe ts_kavy protector for dosl_dzhennya. Prior to version 1.0.2, the standard php files for gzip-compression were tweaked, starting from version 1.0.3, by the authors of the expansions of the author's compression algorithm. The new product TrueBug PHP Obfuscator & Encoder now has the function of obfuscation and optimization of output code. The only weak point of the attack is a post-script algorithm for decoding scripts, and the algorithm is changed for the skin version of the attack. After the analysis, the zahist is easy to read exactly to the exact code, naturally for the mind, it’s not a common obfuscator.

Zorex PHP CryptZ. Zahist, yak and CodeLock, є addendum on php, MySQL database is required for yoga robots. Zakhistu module - a script that connects to php, encrypts in a kilka ball. After the analysis, the algorithm is easy to understand exactly up to the output code. There are no obfuscator functions.

Free PHP Encoder. Cost-free online service for coding php-scripts. The module of the host is a php-script, which is connected, attacked by Zend, which is required to get from the site. Algorithm is fast-paced, obfuscator functions are not available.

PHP script, primitive encoding, standard base64. Greater respect is not meritorious and there is no practical interest.

"The websites of the banks are lamyat for the sake of pennies, the Pentagon - for the sake of espionage, and my project is not needed by anyone," - unfortunately, I myself respect more of the authorities in special blogs, Internet business cards, virtual representatives of small companies. About those, how to hijack the site, they are less than alone, but darma. In today's realities, there is absolutely a kind of Maidanchik, regardless of the type of popularity, tsikaviy in the eyes of hackers. Who else might need your resource? Let's unravel:
1. Vitivki scriptkіdіs. Jargon means hackers-pochatkivtsiv, like to shy the first few on the “dark side”. Having acquired a lot of tools, or having written a couple of good programs, it’s a waste of time to misread the practice on the first victim that you tried, and choose, as a rule, the most easy (weakly protected and not updated by CMS) numbers.
2. Black SEO. The servants of dishonest optimizers are still in use - the placement of attached messages to project codes that may be TIC over 10, as before, practice. І, first for all, under the blow, resources are consumed on engines with open source code (Joomla, Drupal, OpenCart and so on).
3. Pobudova bot-no. Defend WordPress for htaccess plugins that are relevant to the fact that absolutely any resource can be used to create zombies, which are used during DDoS attacks, spreading spam just fine.
4. Companion churn. Nareshti, attack may not be you - hosting will be the main method, and the site will serve less as one great difference in the provider's IT infrastructure. Zrozumіlo, yogo share will be baiduzha to hackers.

The consequences of the evil can be the most unacceptable: the loss of content, or the resource as a whole, the pessimization of the types of shock systems, the intrusion of the audience through the writing “The site can be blocked by the safety of the computer or the mobile attachment”, the base of your web resource was skoєno contrary to the law.

Also, it is possible to make sure that you are up to date - nutritional safety is a completely skin webmaster. І yakshto them nekhtuvat, all zusillya z poshkovogo prosuvannya (and tse - pennies and expensive hour) building a vіdrazu drink ashes. The problem is already relevant, so I have written a series of articles devoted to threats and methods of combating them. Three releases will look at the popular CMS system - WordPress.

How to host a WordPress site

One of the most primitive methods of evil is brute force. The term is translated as “brute force”, and means the withdrawal of the login / password bet by the method of exhaustive enumeration of possible options. Most of the time, brute-forcers help to make their lives easier, having scrambled in the tweaks of the engine and the server - it helps them, for example, to recognize them as a cloud record, which is a short number of combinations. Itself about the adoption of these quirks, as well as about the methods of combating with samples of unauthorized access.

1. Tick the unique administrator login

For locking, the system prompts the creation of a coristuvacha for the names of admin. However, for hosting a WordPress site, it is best to create a login that consists of a set of random letters and numbers. You can change the administrator's name on a resource without any particular problems, using one of two methods:

Through the admin. Go to the “Koristuvachi” distribution, press the “Add new” button and create a face record. In the “Role” field, select “Administrator” and confirm the operation. Then go to the name of the well-created appearance, turn to the “Koristuvachi” section, select “admin” and press “Vidality”. At the top, put a radio button in the position "Call all the time" and select a new administrator from the list, and then press "Confirm the call".
. Vikoristovyuchi phpMyAdmin. It's easier to do this procedure through the database control panel. Select the required database, find the wp_users table, find the “admin” row (ID=1), click on “Change” and enter the name field.

2. Create a special public record for publications

Yakshcho "do not shine" the administrator, tse secure additional protection. Create an okremiya oblіkovy record for the placement of articles and link to it all previously published materials in the manner described in paragraph 1. Further, add information and communicate with readers only from the new oblіkovy record.

3. Set a folding password

Take advantage of the generally accepted recommendations: the length of the password must be no less than 10 characters, the password must be unique and consist of a vipadkovo sequence of capital and capital letters, numbers and special signs.
At any time it is not possible:
. compose a password from meaningful phrases
. vykoristovuvat be-yakі factual data (date of birth, girl's name, bank account number, current date ...)
It is necessary to turn off the risk of choosing a code phrase for the dictionary, and also to reduce the hour required for brute force. So, the evil sequence of 10 characters, which consists of only small letters and digits (hki458p1fa), will take 10 days for a machine hour for one PC, and then add large letters and additional signs (Nv6$3PZ~w1), like this period grow up to 526 years, guaranteeing a practically absolute zakhist WordPress. It's easy to remember and remember similar passwords, especially if you are busy with many projects. Therefore, for this generation, it is better to use special managers, for example - KeePassX, which can be opened everywhere without a cost, or a great test document (in short, it will be packed into archives with a password).

4. Change the password for the data base

Reinvention of the rule is more fair and for the security of the access code to MySQL. Aje herself will find all the content there, as well as the hash of the secret phrase to the admin. As you already win a weak password, wart about those who remember it. Fight like this:

1. Go to the phpMyAdmin password panel
2. Go to the “Koristuvachі” tab and select the clerk of the data base.
3. Click on “Privilege Editing”
4. Find the column “Change password” and enter a new secret sequence in the specified field
5. Save your changes by pressing “OK”

Now the wp-config.php editing is gone, otherwise WordPress can't connect to the data base. Find row define('DB_PASSWORD', 'password'); and enter a new password instead of the word password. Return respect: the oscillating sign (‘) is required for re-encryption of SQL commands, it should also be repeated at the secret phrase warehouse.

5. Update passwords regularly

Їх varto minyati take it once for a pіvroku. Pozachergova change of code phrases is due to obov'yazykovo zdіysnyuvatisya after:

Transferring data for authentication to third parties (programmers, system administrators, optimizers and other fahivtsy, it’s like stinking at the staff of the hosting company)
. accessing a web resource from someone else's computer (at a party, in an Internet cafe)
. authorization, which could have been compromised (the machine is infected with a virus)

6. Don't forget to remember the secret keys for cookies

The stench is located near the wp-config.php file. Usyogo їх 8:

define("AUTH_KEY", "unique key"); define("SECURE_AUTH_KEY", "unique key"); define("LOGGED_IN_KEY", "unique key"); define("NONCE_KEY", "unique key"); define("AUTH_SALT", "unique key"); define("SECURE_AUTH_SALT", "unique key"); define("LOGGED_IN_SALT", "unique key"); define("NONCE_SALT", "unique key");

It doesn’t matter if you guess for the names of the names, the keys are given for encrypting cookie files (we use the jargon: cookie - bake, salt - strong, we can hackers in salty stoves), like vikoristovuyutsya in order to remember the site, having forgotten your computer after authorization. The bottom line is that the attacker takes away the hash of the administrator's password from his order, it is not possible to generate cookies, which are necessary for accessing the site without rewiring the secret phrases.

To improve safety, the sequence of characters for the spelling should be replaced with a unique string after the CMS is spoken. For convenience, retailers have created a web generator, spreading at the address www.api.wordpress.org/secret-key/1.1/salt/ - when you enter, you will have the keys, and if you change the side, then the combinations will be updated.

7. Signature authorization for the admin panel

Htaccess allows you to dodatkovo hijack the WordPress site by adding authentication on the same server. The code will look like this:

# Select the authorization script file: # Set the basic type of authentication - it means what when trying # Go to the specified directory or file will be supplied with a password: AuthType basic # Enter the text that should be displayed in the header of the form: AuthName "Identify yourself" : AuthUserFile "/home/website/.htpasswd" # Specify that a password is required when accessing the wp-login.php file: Require valid-user# We restrict access to the .htpasswd file to third persons: order allow,deny deny from all

At the same time, it would be bad to talk about the security of htaccess itself. Strictly ostensibly, such a directive can be spelled out in the main settings for hosting, ale vrahovyuchi carelessness of some providers, varto be safe:

The “login” substitution is represented by the bazhane of the name. It was not possible to generate the password itself, as well as to encrypt it, even if it saves similar data from the open source - it is not allowed to rozkish. Therefore, you need to use anonymous services, or better yet, write the script you need on your own. Fight like this:

1) Create a notepad file from extensions.php, for example, crypt.php
2) Enter the code there, substituting the word "Password" for your password:

3) Save the file and save it to the root directory
4) Go to the request site_name.ru/crypt.php - the password hash will appear on the screen
5) Save the value of the .htpasswd file and put it in the root directory, and delete crypt.php

The final touch is to review the fence instead of the directory of the web resource. It is enough to add a single row in htaccess:

Options All-Indexes

You need to fight so that hackers can't find out if the files are in the project's directories. On rich hostings, the directive is already included in the configuration of the server, but at the same time, at the time of intervention on the account, the order should be written independently.

8. Install captcha

Wikoristanya captcha allow you to see if not all, then, accept, most of the brute force bots, but at the same time. The catalog of plugins for hosting a WordPress site offers a lot of options. Krym podklyuchennya corporate solution like Google, of great interest is Captcha by BestWebSoft mixed (graphics and text) type, which is based on mathematical logic. Nezalezhnіst vіd servіsіv, naochnіst і priyatny rіven slozhnostі to rob the module one of the best.

Nalashtuvannya is not a particular problem. The “Basic” tab allows you to choose, where you need to display the captcha, and also to specify the title and symbol for the identification of the fields, the captcha until completion.

The "Expansion" distribution section ensures the possibility of creating official announcements about pardons, as well as the activation of supplementary image packages, to make life easier for bots.

Another possibility is to create a larger list of IP-addresses, for which captchas are not displayed.

The result of the installation and activation of the plugin will be the appearance of the form on the authorization side:

9. Change admin address

Rozpovіdayuchi about those, how to hijack a site on WordPress, varto guess a radical, ale and foldable way - change the URL of the authorization side on equal scripts. The procedure is followed by a few steps:

1. Rename the wp-login.php file. Conquer the vipadkovy sequence of small Latin letters, numbers and dashes. For example: abc-123.php
2. Find all wp-login.php riddles in the file and replace them with a new name.
3. For the correct operation of the site, it is necessary to change the following: wp-activate.php, general-template.php, post-template.php, functions.php, class-wp-customize-manager.php, general-template.php, link-template.php, admin-bar.php, post.php, pluggable.php, ms-functions.php, canonical.php, functions.wp-scripts.php, wp-signup.php, my-sites.php, schema.php, ru_RU.po

After these manipulations, the admin roztashovuvatimetsya for the address site / abc-123.php. Access to the new file should be protected and protected with a password the way it was assigned. In addition, you can introduce potential hackers into Oman by creating a fake wp-login.php file, as well as setting a password for the new one.

Another simpler option is to use the "Rename wp-login.php" add-on. After the plugin is installed for hosting the site in the menu "Setup" -> "Permanent posting" a new field will appear:

10. Enter admin IP

Dodatkovu security can be secured at the vipadku, as you have a static IP-address. Having blocked access to wp-login.php from your other computer, damn it, and make life easier for the attackers:

order deny,allow deny from all allow from 127.0.0.1, 127.0.02 #Through whom you can specify your IP addresses

11. Remove authorization pardons

When sorting through passwords, the attacker needs information about those that the entered data turned out to be incorrect. This alert is displayed when you try to log in, and WordPress also alerts you if you entered it incorrectly, login or password. To get it right, it’s enough to add just one row to functions.php:

add_filter("login_errors",create_function("$a", "return null;"));

For this, choose in the admin "Sunny look" -> "Editor" -> "Theme functions". Enter the code required after the tag

12. Vykoristovyte z'ednannya.

To encrypt the traffic between the computer and the web server, it uses the https protocol, which makes it impossible to overwhelm important data, in our case - identification. In order to activate it, you will need to get an SSL-certificate, which will serve two functions: maintaining the web resource and encrypting the information that is being transmitted. You can take yoga at specialized centers, or at low domain name registrars. For non-commercial purposes, a cost-free ear-to-ear certificate is sufficient (as promoted by the company www.startssl.com). Before the installation process, call the VIN of the report descriptions from the hoster's preliminary distribution.

Having removed the SSL certificate, it is necessary to redirect the administrative part of the web resource on the protected site. At the tip of WordPress, it’s worth trying for an additional offensive construction:

Options +FollowSymlinks RewriteEngine On RewriteCond %(HTTPS) =off RewriteCond %(REQUEST_URI) =/wp-login.php RewriteRule (.*) https://%(HTTP_HOST)%(REQUEST_URI)

It is also possible to force the obtaining of SSL certificates only on the same engine. For which one, open the wp-config.php file and add the following

define("FORCE_SSL_ADMIN", true);

Hell, you can set up a global redirect from http to https. For new sites, such a pidhid is optimal in view of those that Google wants to protect projects, giving it the first priority for search engines:

Options +FollowSymlinks RewriteEngine on RewriteCond %(HTTPS) =off RewriteRule ^(.*)$ https://%(HTTP_HOST)%(REQUEST_URI)

13. Block intruders

If suspicious activity is detected from the first IPs, block access to the site. Fight for the analogy in the previous way. The difference is that the directives are prescribed for the project as a whole, and we redirect the addresses of those who we want to ban:

Order Allow,Deny Allow from all Deny from 127.0.0.1, 127.0.02

The method is superior, protein efficient. In the first place, as if by rank, it is necessary to fix the brute-forcers and the water-reinforcement of them in the case of good-natured ones. In another way, with a mass attack, you simply cannot manually enter the IP of hackers and bots. This way is good only if the administrator can have a reliable "black list" address.

In other ways, you can use the plugin to host a WordPress site called WP Cerber. This solution is absolutely cost-free, with the help of a very important set of tools that call out to protect the evil CMS. You can install yoga directly from the admin panel.

For zamovchuvannyam proponuyutsya dosit tyamuschi parameters. Wtim, the number of samples of varto is increased to 5, so that you can’t understand.

On the contrary, check the box “Block IP for wp-login.php request” so that you can change the admin address in the way described earlier.

For whom can you use the WP Cerber power tool:

The plugin mode for hosting the site “Citadel” also does not require additional settings. Vin assignments for “conservation” of the project for a massive brute force attack. A check mark next to "Record try entering a file" is better to take it off - it will help you turn off the attachment to the server.

The “Access Lists” tab is used to create a “black” and “white” IP list (if you have static addresses, you must add them to the list of trusted ones), and the “Tools” section allows you to manage the import and export of previously entered settings. Vtіm, tі posibility does not require a clear look.

14. Move configuration file

As we know, wp-config.php saves such critically important data as a login and password for accessing MySQL, as well as API keys. The next step is quite obvious - WordPress hijacking via htaccess for additional access to the file:

Order allow,deny Deny from all

Prote є th nadіynishy method. WordPress may be somewhat special, but few people know about it. The engine allows a configuration file to be placed one price higher than the root directory..php can be moved to the site directory. In this case, the file will become inaccessible via the Internet, in which case the CMS will read the information in the new one.

15. Add a REFERER

The method, which has proven itself well when attacking WordPress from spam, will help and at times resist brute-forcers. Aje sorting out the passwords - it’s not even a manual robot: for which there are special programs. And that means, by turning on the rechecking of headers in input requests, you can view bots with an empty HTTP REFERER:

RewriteEngine On RewriteCond %(REQUEST_METHOD) POST RewriteCond %(REQUEST_URI) .(wp-comments-post|wp-login)\.php* RewriteCond %(HTTP_REFERER) !.*site.* RewriteCond %(HTTP_US *) http:// %(REMOTE_ADDR)/$1

16. Encrypt XML-RPC

Starting with version 3.5, WordPress introduced the ability to enable the call-to-remote protocol XML-RPC procedures. Basically wine is needed for interaction with mobile programs, proteo similar functionality is far from needed for skin. However, xmlrpc.php is actively used for DDoS attacks, being the Achilles' heel of the entire project.

In addition, hackers have come up with XML-RPC hacking for brute force. Using the wp.getUsersBlogs method allows you to sort through the public data in a richer way, lower through the admin form. Many XML-RPC shortcuts affect authorization, requesting the form:

wp.getUsersBlogs admin 12345

prizvede to the fact that the dvigun povodomit, chi transferred combination є correct. To avoid this misfortune, it is necessary to re-enable the protocol. Zrobiti tse can be kіlkom ways:

1) Blocking access to the xmlrpc.php file via htaccess

require_once(ABSPATH . "wp-settings.php");

it is necessary to write

function remove_x_pingback($headers) ( unset($headers["X-Pingback"]); return $headers; ) add_filter("wp_headers", "remove_x_pingback");

4) Wicorous plug-in Control XML-RPC publishing, which you turn in "Setting" -> "Writing" option:

Turn on respect: add the protocol immediately after activation, and in the settings you can turn it on by checking the checkbox next to the checkbox.

17. Investigate Brute Force Attacks

Nasamkinets varto guess about cicavia plug-in for logging attempts to evil - Authentication and xmlrpc log writer. If the same WP Cerber can be used for monitoring, this module will be more appropriate, especially for those who need the capability of the protocol described above. AX LogWriter can handle brute force via xmlrpc.php, so you can evaluate the risk of threatening that dosility again and again and again. Nareshti, tim, who does not take care of the security of his project, the plugin for hosting the site to squash the eyes on the importance of overhauled entries.

The AX LogWriter wiki is not collapsible. After the admin menu is installed, the final branch will appear, so you can make all the necessary changes:

In the “Error Type” field, select the saving method. Supports writing to the system log, Apache server server, as well as the ability to create a custom file. In the rest of the case for the new one, you can also change the name (Custom Error Log Name) and the directory (Custom Error Log Path). This gives a wide range of possibilities for the system administrator - for example, the solution can be won at once from fail2ban. Also, do not forget to select the correct time zone in the Timezone field.

The custom log can be viewed directly from the admin panel on the side of the Custom Log Viewer:

Suggested:

The refurbishment of methods will help to improve the safety of your resource and save some of the brute-forcing bots, hooligans and scriptkids that are practiced. Prote everything that has been described above is just the tip of the iceberg. In the arsenal of evil-doers, there are more and more sophisticated methods. And now, in the next article, we will talk about those, how to protect themselves from real hackers, how to win over the differences in the inconsistency of the engine and the server software. As in this material, the most important hygiene rules will be considered the keys to adjusting the CMS, ways to modify the code, as well as the most relevant plugins.