Well, this is embarrassing. I left a gaping security hole right here in my own author website. I buried my head in the sand and planted a “kick me” sign on my butt. I dodged a bullet because, as you’ll see below, nobody visits my website yet. But, since I tell people to adopt the motto, care and share to be prepared, I need to swallow my pride and share how I messed up and what I did to fix it. Learn from my mistake. And it’s okay to call me a dork on this one. I deserve it.
He asked if he could try to hack it. I laughed and told him to go right ahead, just tell me what he uncovered so I can fix it. I was confident he wouldn’t find anything. I am a security professional, after all. Too cocky for my own good sometimes.
Take a look at the page views for August 2, 2017. That was all Ihor. He was thorough. And it didn’t take him long to find problems.
First, he tried to login and change my admin password. I saw the audit trail, and WordPress even emailed me a notice that somebody was trying to mess with my password.
I look forward to the day when thousands of people visit this site every day and I need commercial hosting. But for now, it lives inside a virtual machine in my basement, and since I’m the only one who edits it, I was thinking about restricting access to my local network anyway. But even with access to the login screen granted to the entire Internet – as are most WordPress websites – Ihor was unable to get in. I was feeling smug.
And then he nailed me. Take a look at the screenshots of shame Ihor sent me:
He was able to look at directory listings of my website, which is about as bad as it gets. And he let me have it. Here are a few of his comments:
come on ))))))))))
I think that’s only the beginning )))))))))
no no ))))))))))))))))
Ihor’s native language is Ukrainian, not English. This was his way to tell me I was sloppy and should have known better. He was right. I hung my head in shame and wallowed in self-pity for a few minutes. I’m a busy guy. I don’t have time for this. Why is the world picking on me?
And then I forced myself to swallow my pride and find and fix the problem. This gets technical.
First, I compared this website with other WordPress websites I’ve built. None of them allowed directory listings. What was different about this one? With this one, I put the website underneath the standard httpd directory tree, at /var/www/html. I might build a network of future websites, and it’s convenient to put them all in this directory tree. I never considered a network of websites with my earlier ones. I put them all into the WordPress standard location, /usr/share/wordpress. That was the only difference I could find.
How did putting this website into a different directory tree enable directory listings? The cause was this section of the standard configuration file, /etc/httpd/conf/httpd.conf:

<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    . . .
</Directory>

“Options Indexes” above tells httpd to generate a directory listing for any request that lands on a directory under /var/www/html with no index file (index.html, index.php) in it. It was an ugly default setting from the Linux distribution I’m using. But it’s my fault for trusting factory default settings and not testing. The cure was to insert this into the configuration file specific to this website; a more specific <Directory> block whose Options line has no + or - prefix replaces the inherited set entirely, so Indexes is gone for the WordPress tree:

<Directory /var/www/html/wordpress>
    Options FollowSymLinks
    . . .
</Directory>
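The check I would add to catch this before a friend does: a small POSIX shell script that scans an httpd configuration for <Directory> blocks whose Options line turns on Indexes. This is an added example, not the post’s own configuration or anything from the Apache project; the sample file it writes is constructed to mirror the two blocks quoted above plus a third using the +/- syntax, and the parser assumes directory paths contain no spaces and ignores <DirectoryMatch> blocks.

```shell
#!/bin/sh
# Constructed sample of an httpd.conf fragment (not the author's real file).
SAMPLE_CONF="$(mktemp)"
cat > "$SAMPLE_CONF" <<'EOF'
<Directory "/var/www/html">
    Options Indexes FollowSymLinks
    AllowOverride None
    Require all granted
</Directory>

<Directory /var/www/html/wordpress>
    Options FollowSymLinks
    AllowOverride All
    Require all granted
</Directory>

<Directory "/usr/share/wordpress">
    Options -Indexes +FollowSymLinks
</Directory>
EOF

# Print the path of every <Directory> block whose Options line enables
# listings: a bare "Indexes" or "+Indexes" token. "-Indexes" is a removal
# and is not reported. One path per line; no output means nothing found.
# Assumes paths without spaces; directive names are matched case-insensitively
# because httpd itself does not care about their case.
list_indexes_dirs() {
    awk '
        tolower($0) ~ /^[[:space:]]*<directory[[:space:]]/ {
            path = $2                 # e.g. "/var/www/html"> or /var/www/html/wordpress>
            sub(/>$/, "", path)       # drop the closing angle bracket
            gsub(/"/, "", path)       # drop surrounding quotes, if any
            in_block = 1
            next
        }
        tolower($0) ~ /^[[:space:]]*<\/directory>/ { in_block = 0; next }
        in_block && tolower($1) == "options" {
            for (i = 2; i <= NF; i++) {
                if ($i == "Indexes" || $i == "+Indexes") { print path; break }
            }
        }
    ' "$1"
}

# Return 0 when no block enables listings, 1 otherwise (handy in a CI hook
# or a cron job that watches the config directory).
check_conf() {
    hits="$(list_indexes_dirs "$1")"
    if [ -n "$hits" ]; then
        printf 'directory listings enabled for:\n%s\n' "$hits"
        return 1
    fi
    printf 'no <Directory> block enables Indexes\n'
    return 0
}

if check_conf "$SAMPLE_CONF"; then
    echo "PASS"
else
    echo "FAIL: remove Indexes from the blocks above or override them"
fi
```

Run it against the real files with something like list_indexes_dirs /etc/httpd/conf/httpd.conf and the same for each file in conf.d. Two things the scan cannot see: a vhost block that does not override the global Directory setting still inherits Indexes, and any directory with AllowOverride Options (or All) lets a .htaccess file switch listings back on, so those are worth a second look by hand.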
I want to thank my friend, Ihor for doing a great penetration test for me. Care and share to be prepared. I would rather be embarrassed than penetrated. I hope my mistake helps others.