Step Nine – Lock it down

Six super simple ways to improve security

Think of computer security like the security in your house. The best anyone can do is to lock the doors, set the alarm, maybe hire a security guard to drive by occasionally – but if someone is determined and has a sledgehammer…

…all bets are off.

But at least make it a challenge for the bastards.

1) Passwords

The most common passwords are:

  • password
  • 123456
  • 111111
  • abc123
  • qwerty

If your password is listed above I will find you and I will slap you.

The easiest way to hack a user account is to guess the password. Programmes can easily be written to try every combination of numbers and letters. This is called a “brute-force” attack. It takes a few days, but it works. A better and more targeted approach is to try the most common passwords and dictionary words first. This is called a “dictionary” attack. I prefer the strategic approach when hacking.

The shorter the password the easier it is to guess. Converting short words into “l33t sp34k” isn’t a good solution. “Pr1nc355” would theoretically take just as long to crack as “princess”.

What you want is something much, much longer that is still easy to remember.

XKCD are awesome nerd comics by Randall Munroe

Don’t use the same password when signing up to newsletters as you use for any of your email accounts, internet banking, social media, etc.

That’s just asking for trouble.

2) Make it more annoying to get administrator info

By default, when you install WordPress, the first user created is an administrator with high-level privileges. This user usually gets ID=1. Making it anything OTHER than 1 is a good idea. This is done at the database level.

Also, don’t be too obvious with usernames. Examples of bad usernames for high-level accounts:

  • root
  • admin
  • sysadmin
  • accounts
  • webmaster
  • support

Good usernames are unique to the person and usernames SHOULD NOT BE SHARED. The whole point is to make people accountable when they break something, I mean… when they change something.
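Added example, not from the original post: a small shell function that emits the SQL for moving the admin account off ID 1. It assumes the standard WordPress tables under whatever prefix you pass (wp_ by default), and 4821 is just a made-up new ID.

```shell
#!/bin/sh
# Added example (not from the original post): print the SQL that moves the
# WordPress admin user from one ID to another. The table prefix, old ID and
# new ID are parameters; "wp_" and 4821 below are assumed/made-up values.
# wp_users is not enough on its own: usermeta (capabilities), posts and
# comments all point at the user ID and must move with it.

admin_renumber_sql() {
    prefix=$1; old_id=$2; new_id=$3

    # These values are spliced straight into SQL, so accept only plain
    # integers and a plain identifier: no quotes, spaces or semicolons.
    case "$old_id" in *[!0-9]*|"") echo "old id must be an integer" >&2; return 1;; esac
    case "$new_id" in *[!0-9]*|"") echo "new id must be an integer" >&2; return 1;; esac
    case "$prefix" in *[!A-Za-z0-9_]*|"") echo "bad table prefix" >&2; return 1;; esac

    # One transaction: if the new ID is already taken, the first UPDATE hits
    # the primary key and fails, the mysql client stops, and nothing commits.
    cat <<EOF
START TRANSACTION;
UPDATE ${prefix}users SET ID = ${new_id} WHERE ID = ${old_id};
UPDATE ${prefix}usermeta SET user_id = ${new_id} WHERE user_id = ${old_id};
UPDATE ${prefix}posts SET post_author = ${new_id} WHERE post_author = ${old_id};
UPDATE ${prefix}comments SET user_id = ${new_id} WHERE user_id = ${old_id};
COMMIT;
EOF
}

# Usage (read the output before piping it anywhere, and take a backup first):
#   admin_renumber_sql wp_ 1 4821 | mysql -u root -p wordpress
```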

3) Make it harder to do SQL injection

WordPress, by default, prefixes all its table names with “wp_”, but you can change this. That’ll make it annoying for hackers who assume your website is using the defaults.

SQL Injection is when a shitty programmer writes shitty code that doesn’t sanitize user input on forms. Some WordPress plugins can be written by shitty programmers. Best to cover all bases.

4) Ports

A port is a way into your webserver from the Internet. Keep the ones you need, like HTTP on port 80 and HTTPS on port 443, but close the ones you don’t need. And re-map the ones like SSH (usually port 22) to something non-standard, just to annoy people.

Programmer’s note to self.

If possible, set up SSH public/private key pairs for SSH access rather than relying on passwords.
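Added example, not from the original post: a shell check for the two things this section asks for, a non-default SSH port and no password logins. It assumes plain “keyword value” lines in sshd_config, and the sample config is constructed.

```shell
#!/bin/sh
# Added example (not from the original post): check an sshd_config for a
# non-default port and for password logins being switched off.
# sshd uses the FIRST value it sees for each keyword, so a hardening line
# appended at the bottom is silently ignored when an earlier line disagrees.
# Assumes "keyword value" lines (not keyword=value); everything from the
# first Match block onwards is skipped, as those lines are conditional.

# Effective value of keyword $2 in file $1, or the compiled-in default $3.
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    val=$(awk -v key="$key" '
        /^[[:space:]]*#/ || NF < 2 { next }     # comments and blank lines
        tolower($1) == "match"    { exit }      # conditional block: stop
        tolower($1) == key        { print $2; exit }   # first one wins
    ' "$1")
    printf '%s' "${val:-$3}"
}

# Print each finding; succeed only when both checks pass.
sshd_audit() {
    bad=0
    port=$(sshd_value "$1" Port 22)
    pw=$(sshd_value "$1" PasswordAuthentication yes | tr 'A-Z' 'a-z')
    [ "$port" = 22 ] && { echo "Port is still 22"; bad=1; }
    [ "$pw" = no ] || { echo "PasswordAuthentication is $pw (want no)"; bad=1; }
    return $bad
}

# Constructed sample: looks hardened at the bottom, but the lines at the top
# are the ones sshd actually honours.
make_sample_config() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
Port 22
PasswordAuthentication yes
PubkeyAuthentication yes
# appended later "to fix it": sshd never gets this far for these keywords
Port 2222
PasswordAuthentication no
EOF
    printf '%s' "$f"
}
```

Run sshd_audit against /etc/ssh/sshd_config after every edit; a non-zero exit means the file does not say what you think it says.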

5) Unix Permissions

Don’t ask me about Windows and ACL permissions or whatever they call it in IIS Microsoft Server hell.

In the adult world, on Linux, there are three levels of access:

  1. Owner – usually “www-data”
  2. Group – usually “www-data”
  3. World

And each of these can:

  • Read (4)
  • Write (2)
  • Execute (1)

Those numbers assigned to read, write and execute are combined by adding them up, and because each one is a different power of two, any total splits back into exactly one combination: a 6 is always read + write and can never mean anything else.

My preferences:

  • Files
    • read/write (6 = 4 + 2) by the owner and the group, and
    • only readable (4) by everyone else
  • Directories
    • read/write/execute (7 = 4 + 2 + 1) by the owner and the group, and
    • read/execute (5 = 4 + 1) by everyone else

find . -type f -exec chmod 664 {} +
find . -type d -exec chmod 775 {} +
chown -R www-data:www-data .

This doesn’t mean people can read the source code of WordPress PHP files through their browser, because when Apache and PHP are set up correctly they’ll only serve up the finished product… the HTML.
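Added example, not from the original post: a shell script that decodes the octal digits into rwx letters and then audits a tree against the 664/775 scheme above, reporting anything that has drifted. It assumes GNU find, and the sample tree is constructed in a temp directory.

```shell
#!/bin/sh
# Added example (not from the original post): decode an octal mode into the
# rwx letters it stands for, then audit a tree against the 664/775 scheme
# above. Assumes GNU find (-perm with a plain number means "exactly this
# mode"; -printf). The sample tree is constructed in a temp directory.

# One octal digit is a sum of 4 (read), 2 (write), 1 (execute). Each is a
# different power of two, so any sum decodes back to exactly one rwx set.
digit_to_rwx() {
    d=$1; out=""
    [ $((d & 4)) -ne 0 ] && out="${out}r" || out="${out}-"
    [ $((d & 2)) -ne 0 ] && out="${out}w" || out="${out}-"
    [ $((d & 1)) -ne 0 ] && out="${out}x" || out="${out}-"
    printf '%s' "$out"
}

# 664 -> rw-rw-r-- (owner, group, world). A leading 0 as in 0664 is dropped
# so the shell does not treat the number as octal arithmetic.
mode_to_rwx() {
    m=${1#0}
    printf '%s%s%s' "$(digit_to_rwx $((m / 100)))" \
        "$(digit_to_rwx $((m / 10 % 10)))" "$(digit_to_rwx $((m % 10)))"
}

# List every file that is not 664 and every directory that is not 775.
find_deviations() {
    find "$1" -type f ! -perm 664 -printf 'file mode %m: %p\n'
    find "$1" -type d ! -perm 775 -printf 'dir  mode %m: %p\n'
}

# Succeed only when nothing deviates; a cron job could mail the output.
audit_perms() {
    [ -z "$(find_deviations "$1")" ]
}

# Constructed sample tree: apply the scheme from the post, then make one
# upload world-writable, as a careless plugin or FTP client might.
make_sample_tree() {
    root=$(mktemp -d)
    mkdir -p "$root/wp-content/uploads"
    printf '<?php\n' > "$root/wp-config.php"
    printf 'jpeg' > "$root/wp-content/uploads/photo.jpg"
    find "$root" -type f -exec chmod 664 {} +
    find "$root" -type d -exec chmod 775 {} +
    chmod 666 "$root/wp-content/uploads/photo.jpg"
    printf '%s' "$root"
}
```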

6) .htaccess

There are some files and folders however that do need to be locked down a bit tighter.

There is a special file you can put in any webserver directory, and so long as the Apache configuration allows it (the AllowOverride directive), this special file can do all sorts of cool stuff.

The dot before the name makes it a hidden file.

WordPress works by rewriting URLs, so this snippet is mandatory for WordPress to actually run. It usually goes in the .htaccess file in the main webserver directory.

# BEGIN WordPress
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^index\.php$ - [L]
RewriteCond %{REQUEST_FILENAME} !-f
RewriteCond %{REQUEST_FILENAME} !-d
RewriteRule . /index.php [L]
</IfModule>
# END WordPress

But then, in folders that should be kept private, you might include a .htaccess file containing…

deny from all

(That’s the Apache 2.2 spelling. On Apache 2.4 the equivalent is “Require all denied”, and the old form only keeps working while mod_access_compat is loaded.)

There’s a lot that .htaccess can do. Make sure Apache is set up nicely in the first place.

I also like to keep things less cached when in dev mode:

# short expire times because it's dev
<IfModule mod_expires.c>
    ExpiresActive On

    # Default directive
    ExpiresDefault "access plus 4 hours"

    # My favicon
    ExpiresByType image/x-icon "access plus 1 day"

    # Images (image/jpg isn't a registered type; Apache serves .jpg as
    # image/jpeg, so the image/jpeg line is the one that actually matters)
    ExpiresByType image/gif "access plus 4 hours"
    ExpiresByType image/png "access plus 4 hours"
    ExpiresByType image/jpg "access plus 4 hours"
    ExpiresByType image/jpeg "access plus 4 hours"

    # CSS
    ExpiresByType text/css "access plus 4 hours"

    # Javascript
    ExpiresByType application/javascript "access plus 4 hours"
</IfModule>

But wait! There’s more….

You could spend a lifetime securing your website.

The kind of security that is good enough for your website is designed to stop or slow down the automated attacks that scan random IP addresses looking for common vulnerabilities, exploit them, and turn your webserver into a grunt in their army for attacking other webservers – more important webservers.

You can even go hire one of these bot-net armies for as little as $5 on the dark web to attack one of these more important webservers.

To save their time and mine, I prefer to just tell people that, as of 15th August 2019, this website is running on Ubuntu 16.04.5 LTS (xenial) on Apache using PHP/7.2.17.


Programmer’s note to self: some server info can be found via the command line:

sudo lsb_release -a
sudo uname -a

Adding “sudo” before a command in Linux means it runs as root (ie: God), which means it will usually run without complaining. So, where are you at with making me that sandwich 🙂
