elcodigok / wphardening
Fortify the security of any WordPress installation.
Home Page: https://danielmaldonado.com.ar
One of the main attack vectors in WordPress is the misuse of the timthumb.php library.
The idea is to warn the user when timthumb.php is present in the project.
Within the project structure there is a mixture of different variable names. The idea is to normalize all these names.
The list is trimmed to improve the recognition of WordPress projects.
Implement the WP_MEMORY_LIMIT option in wp-config-wphardening.php
http://codex.wordpress.org/Editing_wp-config.php#Increasing_memory_allocated_to_PHP
The idea is to create a new option for changing the owners and groups of files and directories.
The proposed name for the new option is --chown
The idea is to show information such as the version of the library and the values of some variables.
That way we can upload all files to the web server.
Change the wp_admin_css() function in /wp-includes/general-template.php, because the CSS file references reveal the WordPress version.
Example:
<link rel='stylesheet' id='buttons-css' href='http://misite.com/wp-includes/css/buttons.min.css?ver=3.9.1' type='text/css' media='all' />
Fix a bug in the regular expression detected in the file lib/pluginsWordPress.py
Thanks to @Jsitech for the collaboration.
Load options from an INI configuration file with --load-conf
./wphardening.py --load-conf /path/complet/wphardening.conf
Instead of looking for a WordPress project from a local directory, it would be possible to start the project by downloading WordPress from its official website.
The idea is to move those hidden files out of the WordPress project so that the directory can be retrieved later.
Improve the malware scanner so that it includes the following functions:
assert, file_get_contents, curl_exec, popen, proc_open, unserialize, eval, base64_encode, base64_decode, create_function, exec, shell_exec, system, passthru, ob_get_contents, file, curl_init, readfile, fopen, fsockopen, pfsockopen, fclose, fread and file_put_contents
The idea is to change the end of stream remove option
https://github.com/elcodigok/wphardening/blob/master/wphardening.py#L147
Is it advisable to change the contents of the $wp_version variable in the wp-includes/version.php file?
Compress static .css and .js files
This way we can have the application in multiple languages.
The idea is to recommend not using the root user for MySQL databases, in the class wpconfigWordPress.py
https://github.com/elcodigok/wphardening/blob/master/lib/wpconfigWordPress.py#L83
Login error messages may reveal to an attacker whether the username they tried is correct or not. It is wise to hide them from unauthorized login attempts.
To hide login error messages, simply put the following code in functions.php:
add_filter('login_errors', function () { return ''; }); // closure instead of create_function(), which was removed in PHP 8; an empty string hides the message
Should show the status of plugin downloads (a status bar)
The idea for this issue is to store the information of all the options that were executed.
The idea is to scan the whole WordPress project source code for the base64_decode() function, which is usually a sign of an encoded backdoor or malware.
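As an added illustration of the scanner improvement listed above (the function list) and of the base64_decode() check in this issue, the Python below is example code written for this page, not the project's own lib code. It searches PHP sources for calls to the listed functions, skips obvious comment lines, and marks a line as critical when eval(), assert() or create_function() is fed the result of base64_decode(), possibly through wrappers such as gzinflate(). Both embedded PHP samples are constructed for the demonstration; the function names come from the two issues.

```python
import os
import re

# Function names from the scanner wish-list above, plus base64_decode() from the backdoor issue.
SUSPICIOUS_FUNCTIONS = [
    "assert", "file_get_contents", "curl_exec", "popen", "proc_open", "unserialize",
    "eval", "base64_encode", "base64_decode", "create_function", "exec", "shell_exec",
    "system", "passthru", "ob_get_contents", "file", "curl_init", "readfile", "fopen",
    "fsockopen", "pfsockopen", "fclose", "fread", "file_put_contents",
]

# A call is the bare name followed by '('. The lookbehind rejects $file, ->file(),
# Foo::file() and my_file(), none of which call the built-in. PHP function names
# are case-insensitive, hence re.IGNORECASE.
CALL_RE = re.compile(
    r"(?<![\w$>:])(" + "|".join(re.escape(n) for n in SUSPICIOUS_FUNCTIONS) + r")\s*\(",
    re.IGNORECASE,
)

# The classic encoded-backdoor shape: an execution primitive whose argument is
# base64_decode(...), optionally wrapped in further calls such as gzinflate(...).
CRITICAL_COMBO_RE = re.compile(
    r"\b(eval|assert|create_function)\s*\((?:\s*\w+\s*\()*\s*base64_decode\s*\(",
    re.IGNORECASE,
)


def scan_source(label, source):
    """Return one finding per suspicious call: file label, line, function, severity, snippet."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        stripped = line.strip()
        if stripped.startswith(("//", "#", "/*", "*")):
            continue  # heuristic: skip lines that are obviously comments
        severity = "critical" if CRITICAL_COMBO_RE.search(line) else "review"
        for match in CALL_RE.finditer(line):
            findings.append({
                "file": label,
                "line": lineno,
                "function": match.group(1).lower(),
                "severity": severity,
                "snippet": stripped,
            })
    return findings


def scan_directory(root):
    """Walk a WordPress tree and scan every PHP source file under it."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if name.lower().endswith((".php", ".phtml", ".inc")):
                path = os.path.join(dirpath, name)
                with open(path, encoding="utf-8", errors="replace") as fh:
                    findings.extend(scan_source(os.path.relpath(path, root), fh.read()))
    return findings


# Constructed samples (not real files from any site).
BENIGN_SAMPLE = """<?php
// Constructed benign sample: a theme's functions.php reading its own stylesheet
$file = get_template_directory() . '/style.css';
if ( file_exists( $file ) ) {
    $css = file_get_contents( $file );
}
"""

BACKDOOR_SAMPLE = """<?php
/* Constructed sample of an injected backdoor dropped into wp-content */
$k = 'S0tLS0tLS0tLS0t';
eval(gzinflate(base64_decode($k)));
$out = shell_exec( $command );
"""

if __name__ == "__main__":
    for label, src in (("functions.php", BENIGN_SAMPLE), ("wp-cache.php", BACKDOOR_SAMPLE)):
        for f in scan_source(label, src):
            print(f"{f['severity']:8} {f['file']}:{f['line']} {f['function']}()  {f['snippet']}")
```

Many of the listed functions (file, fopen, fread, file_get_contents) are everywhere in legitimate WordPress code, so a plain hit is only a lead for review; the critical rating is reserved for the eval-of-decoded-data shape, which has no honest use in a theme or plugin.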
Check all the problems that can arise in the update process
https://github.com/elcodigok/wphardening/blob/master/lib/updateWPHardening.py#L32
This requires learning about the WP_CONTENT_DIR and WP_CONTENT_URL variables.
The idea is to recommend a default value for the URL in the file robotsWordPress.py
https://github.com/elcodigok/wphardening/blob/master/lib/robotsWordPress.py#L44
The idea is to download from the official WordPress repository instead of using the -d option for the PATH.
Botnet scripts that automatically look for vulnerabilities in your software sometimes identify themselves with the User-Agent libwww-perl. By blocking access from libwww-perl you can eliminate many of the simpler attacks. Read more on blocking libwww-perl access and improving your website's security:
RewriteCond %{HTTP_USER_AGENT} libwww-perl.*
RewriteRule .* - [F,L]
http://www.cyberciti.biz/tips/the-rise-of-bots-spammers-crack-attacks-and-libwww-perl.html
Implement more detailed output in verbose mode for all options
The idea is to find all themes in the project and give the user the option to remove them.
removeWordPress.py
The idea is that the tool recognizes all themes and deletes those that are not going to be used.
The controls that are already in the project are very weak and could be improved.
The current code, when running wphardening.py, generates default output on the console. The idea is to export it to a more user-friendly HTML format.
The idea is to synchronize with GitHub and always keep the client-side code up to date.
The idea is to separate the source code in wphardening.py using a menu class
Generate file doc/CHANGELOG.md
This script goes in your .htaccess and attempts to block malicious query strings (XSS and similar injection attempts). Please be aware that some of these strings might be used by plugins or themes, and blocking them will disable that functionality. This script from perishablepress is fairly safe to use and should not break anything important. A more advanced one can be found on askapache.com.
RewriteCond %{QUERY_STRING} \.\./ [NC,OR]
RewriteCond %{QUERY_STRING} boot\.ini [NC,OR]
RewriteCond %{QUERY_STRING} tag= [NC,OR]
RewriteCond %{QUERY_STRING} ftp: [NC,OR]
RewriteCond %{QUERY_STRING} http: [NC,OR]
RewriteCond %{QUERY_STRING} https: [NC,OR]
RewriteCond %{QUERY_STRING} mosConfig [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(globals|encode|config|localhost|loopback).* [NC,OR]
RewriteCond %{QUERY_STRING} ^.*(request|select|insert|union|declare|drop).* [NC]
RewriteRule ^(.*)$ - [F,L]
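To see what these rules actually do, and to check the warning above about legitimate plugin and theme parameters, here is an added Python emulation written for this page (not part of wphardening or of the perishablepress snippet). It transcribes the QUERY_STRING conditions and the earlier libwww-perl User-Agent condition into Python regular expressions and runs a few constructed requests through them. Apache evaluates a RewriteCond pattern as an unanchored PCRE search, so re.search is the right primitive, and [NC] maps to re.IGNORECASE; the rule labels and the sample user agents and query strings are constructed.

```python
import re

# Transcription of the QUERY_STRING RewriteCond patterns above. Apache tests each
# pattern as an unanchored PCRE search; [NC] becomes re.IGNORECASE. Labels are ours.
QUERY_STRING_RULES = [
    (r"\.\./", "directory traversal"),
    (r"boot\.ini", "Windows system file probe"),
    (r"tag=", "tag= parameter"),
    (r"ftp:", "ftp URL in parameter"),
    (r"http:", "http URL in parameter"),
    (r"https:", "https URL in parameter"),
    (r"mosConfig", "mosConfig injection"),
    (r'''^.*(\[|\]|\(|\)|<|>|'|"|;|\?|\*).*''', "raw metacharacters"),
    (r"^.*(%22|%27|%3C|%3E|%5C|%7B|%7C).*", "URL-encoded metacharacters"),
    (r"^.*(%0|%A|%B|%C|%D|%E|%F|127\.0).*", "control/high-bit encodings or loopback address"),
    (r"^.*(globals|encode|config|localhost|loopback).*", "globals/config keywords"),
    (r"^.*(request|select|insert|union|declare|drop).*", "SQL keywords"),
]
COMPILED_RULES = [(re.compile(p, re.IGNORECASE), label) for p, label in QUERY_STRING_RULES]

# The libwww-perl condition carries no [NC], so it stays case-sensitive.
USER_AGENT_RULE = re.compile(r"libwww-perl.*")


def match_query_string(query_string):
    """Return the label of the first QUERY_STRING rule the string trips, or None."""
    for rule, label in COMPILED_RULES:
        if rule.search(query_string):
            return label
    return None


def decide(user_agent, query_string):
    """Emulate both RewriteRules: (blocked, reason). [F,L] means Apache answers 403."""
    if USER_AGENT_RULE.search(user_agent):
        return True, "user-agent libwww-perl"
    label = match_query_string(query_string)
    if label is not None:
        return True, "query string: " + label
    return False, "allowed"


# Constructed sample requests: (user agent, raw query string, what the request is).
SAMPLE_REQUESTS = [
    ("Mozilla/5.0", "p=123", "ordinary post request"),
    ("Mozilla/5.0", "s=%3Cscript%3E", "URL-encoded script tag in the search parameter"),
    ("libwww-perl/6.05", "p=1", "scanner identifying itself as libwww-perl"),
    ("Mozilla/5.0", "tag=security", "WordPress tag archive: legitimate, but blocked"),
    ("Mozilla/5.0", "s=wp-config", "visitor searching the site: legitimate, but blocked"),
    ("Mozilla/5.0", "id=1%20union%20select%201", "SQL injection probe"),
]


def audit(requests=SAMPLE_REQUESTS):
    """Run every sample through the rules; returns (ua, qs, blocked, reason) per request."""
    return [(ua, qs) + decide(ua, qs) for ua, qs, _ in requests]


if __name__ == "__main__":
    for (ua, qs, blocked, reason), (_, _, what) in zip(audit(), SAMPLE_REQUESTS):
        print(f"{'BLOCK' if blocked else 'allow':5}  {ua:17} ?{qs:28} {reason:45} ({what})")
```

The two "legitimate, but blocked" rows are the practical cost the issue text warns about: tag= is WordPress's own tag-archive query, and any search containing "config" or "select" trips the keyword rules. Before shipping such a block list, run the site's real access log through decide() and look at what it would have refused.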
An interface for users who are not comfortable with command-line applications.
In the --wp-config flag add:
/* Disable error reporting */
error_reporting(0);
@ini_set('display_errors', 0);
Thanks Andres @p4ter0