Access Denied: Keeping yourself off an attacker’s radar

Paul Gilzow (wpDirAuth, Presentation)

Lock down what reconnaissance can see, to reduce an attacker's ability to detect (fingerprint) what's running.

https://builtwith.com/ualr.edu
https://wpscan.org/

Countermeasures

Use Apache mod_authz

File protection

  • protect wp-content (there is no reason for PHP files in wp-content to be directly executable; implicitly deny everything and whitelist what is allowed, i.e. things that need to be downloaded as web assets for the browser)
  • protect wp-includes (deny everything except wp-tinymce)
  • protect wp-admin (lock to IP ranges? except for admin-ajax.php?)
  • protect the root directory (lock wp-login.php to IP ranges; block xmlrpc, readme, license)
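
One way to express these four rules with Apache 2.4's `Require` directives (mod_authz_core and mod_authz_host), as an added example that is not from the presentation. The docroot `/var/www/html`, the admin range `203.0.113.0/24` and the asset extension list are assumptions; the wp-includes rule blocks only direct PHP requests, since browsers load scripts and styles from that directory.

```apache
# Added example; vhost context, Apache 2.4. Assumes the vhost already
# grants access to the docroot. Paths and the IP range are placeholders.

# wp-content: deny by default, then allow only static asset types.
<Directory "/var/www/html/wp-content">
    Require all denied
    <FilesMatch "(?i)\.(css|js|png|jpe?g|gif|svg|webp|ico|woff2?|ttf|eot)$">
        Require all granted
    </FilesMatch>
</Directory>

# wp-includes: no direct PHP requests except the TinyMCE loader.
<Directory "/var/www/html/wp-includes">
    <FilesMatch "(?i)\.php$">
        Require all denied
    </FilesMatch>
    <Files "wp-tinymce.php">
        Require all granted
    </Files>
</Directory>

# wp-admin: admin IP range only; admin-ajax.php stays reachable because
# front-end features call it.
<Directory "/var/www/html/wp-admin">
    Require ip 203.0.113.0/24
    <Files "admin-ajax.php">
        Require all granted
    </Files>
</Directory>

# Root: restrict wp-login.php, block xmlrpc and version-revealing files.
<Directory "/var/www/html">
    <Files "wp-login.php">
        Require ip 203.0.113.0/24
    </Files>
    <FilesMatch "(?i)^(xmlrpc\.php|readme\.html|license\.txt)$">
        Require all denied
    </FilesMatch>
</Directory>
```

Run `apachectl configtest` after editing, then confirm that a PHP file under wp-content returns 403 while the theme's stylesheets and images still load.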

User protection

  • disable the redirect from ?author=# to pretty permalinks
  • remove permalink from author profile page output
  • remove user-specific class
  • replace WordPress’s overly informative error messages with a single default error message
  • use SSO for your auth instead of local accounts!

[IDEA] use git to roll through a history of commits to incrementally show changes for a presentation