Threat analysis, security by obscurity and WordPress

Rusty Lock
  Image by Mykl Roventine

I’ve been running wordpress for a long time now, and luckily so far, it hasn’t been hacked.
Of course – this doesn’t prove anything, as I didn’t count hacking attempts. It also doesn’t show it’s unhackable – on the contrary, I believe that my wordpress installation is hackable by a determined attacker.

However, there’s a subtle issue at play regarding the ‘determined attacker’. There are several kinds of attackers today, and the two most notable ones are the ‘targeted attacker’ and the ‘mass attacker’. The targeted attacker aims to attack your resources specifically, probably because his interest in them. The mass attacker on the other hand, is interested in any resource like your own.

From this premise it follows that the two attackers will likely use different methods of operation. The mass attacker is looking to increase his ROI. He will use mass tools with the most coverage, and if an attack doesn’t work on a specific target, nevermind, it will work on others. For him, work is worthwhile only if it allows him to attack a substantial number of new targets.
In contrast, the targeted attacker’s goal is to break into your resources. For her the fact that a given attack will yield hundreds of other targets is irrelevant, unless it helps attacking you. She might start with top-of-the-shelf mass tools, but when these won’t work, the targeted attacker will study her target, until she finds a vulnerability, and then use it.

Now the question you should ask yourself – who are you defending against? When defending against a mass attacker, making yourself unnoticed and uncommon might be worthwhile. A little security by obscurity will most likely be enough to thwart most of the attacks.
Against targeted attacks you need a more solid defense, utilizing all the tricks in your bag, and still be aware that it probably won’t be enough. You should also seek to minimize damages in case of a successful attack.

Today, most wordpress blogs are under mass attacks. WordPress blogs are searched, exploited and the 0wned automatically, with the goal of getting the most coverage.
For some time now I’ve been using a small trick that helps to defend against mass attacks. The trick is simple – I added a small .htaccess file password-protecting the admin directory of my wordpress installation. Of course, in all probability the password may be bruteforced or completely bypassed by a very determined attacker, but against a mass attacker it is very effective.

I’ve seen suggestions to rename your files and dirs – this will probably also work. Still, it should be noted that this kind of methods only add obfuscation, thereby only protecting from mass attacks. Personally, I don’t consider the last method worthwhile – it complicates your installation and upgrade process, it requires much more work to be done right, and at most adds similar security to the .htaccess file, most likely less.

To conclude – do your threat analysis, and use the defense methods with the most ROI relative to that analysis. Just as another method – do consider using .htaccess files to prevent access to your admin directory.

Security web-design

Troubles with Wild Themes

Some time ago, I wrote that I was planning on using a new theme for this blog. To do this, I first looked for possible candidates on, and then started to adapt the one I liked. However, while working on the theme, I noticed hidden links in the code of the theme.

These links were hidden by using “font-size: 1px”. Hidden links are there to increase the search engine placement of the creator and his affiliates. In this case the creators were ‘‘. You can check their stats in technorati, and see they have about 250 blogs linking to them, mostly via regular credits.

Upon further examination I found two more themes by these guys, with the same hidden SEO links.
Afterwards, I checked some 20 blogs that had their themes, about half of which still had the SEO (Search Engine Optimization) links in them. Other linked urls were (a blog) and (an ad exchange service).
I reported this to, and it seems I can no longer find the themes via their search engines. However, the themes are still available for download.

The SEO links, while being an annoyance and an underhanded thing to do, are not the main issue here. The big problem I had with this theme was, that if someone has no compunction about putting SEO links, he\they might put a backdoor there as well. I’m not saying that these guys did it, but I know that if I was a bad guy looking to make money – I’d do it.
This is a very easy way to infect servers. Just prepare a few good-looking themes for wordpress, phpbb or any other standard web-application, sit back, and watch the botnets grow. You don’t only get to infect the server, you can try to infect any client that connects to an infected server. Instead of researching a new vulnerability, just use social engineering, like you do with end users surfing the web.

You can publish your themes, and evidently, they won’t go through too much scrutiny. With an appropriate Google Alert in place – you can also be informed whenever someone new installs your theme.

This is a trust issue – and it seems that you shouldn’t trust WordPress’ theme DB. While this may seem obvious to you, it wasn’t to me at first, and I bet it isn’t obvious to many others starting their small blogs and looking for a good theme.


New theme

I usually try to avoid meta posts, and I don’t like Ars Poetica. (Maybe I do like it in programs though, but only to a limited extent.)

However, as you can probably see, I’ve updated the theme of the blog. It took me a long while to choose something I liked, and then work on it until it looked good on the blog. I’ll be happy to hear thoughts and opinions about it.

UPDATE: I’ve had some problems with this theme, so it might be on and off. For those interested in how it should look, here’s a link to a screenshot.