The Wonderful world of websites. A pentester’s personal crash course.

Masq31 - Benjamin Giordano
8 min read · May 9, 2021

Hello again! This past month I prepped for my PenTest+ exam from CompTIA by using TryHackMe’s online learning platform. I highly recommend the service if getting into cyber is something on your radar, or if you need to brush up on techniques. There’s a plethora of rooms to explore, and CTFs, live and in person, to experiment with if that’s your cup of tea.

Anyway, as mentioned last month, I decided to explore a platform I haven’t done my homework on for quite some time. The push I needed came from watching the video log NetworkChuck made on YouTube about building your own website. It slanted to the less technical side, but some of the things necessary for bug bounty are knowledge of web domain takeovers and registry services, and, for my project, knowledge of best practices for hosting a WordPress site. Aside from volunteering my experience in my town and networking together my Burp Suite pentest setup, this has by far been the most enriching experience I’ve had yet. Allow me to elaborate.

So I followed closely along with NetworkChuck’s video, but instead of going for a free host I opted for Google Domains, which has its own VDP. I also chose to go with Hostinger, as they too have a VDP which I may explore in the future. I could have chosen Azure for IIS or used my AWS server space, but the problem with that is my lack of experience with database servers. I remember trying to apply for a job some time ago which would have built up my SQL experience, but it was too far for me to drive to daily. Other than that, I didn’t really touch the DB servers on my internship. Having some of these tools for managing a site pre-configured and accessible in a cPanel made some of the herculean tasks a lot easier.

I get to Google Domains and register my alias as a .dev web domain. It’s usually good to secure common namespaces like .com and .us, but at $12/y and with various fees I don’t quite understand yet, I was hesitant. Top-level domains, aka TLDs, also have different sets of rules, regulations, policies and procedures to follow. A .dev domain needs an SSL certificate for transport security, for instance (in 2021 everyone should have this). There are more complex use cases for country-code two-letter TLDs.

[Note: You can read a side-point on my website about how I came to understand how TLDs work in the context of this odd one-off tool called Namebase. Give it a look!]

So with this set up, Google offers a few choices for websites. If you need a personal website with minimal functionality, this would be a fine endpoint and the least expensive option for anybody out there. However, we were going to learn WordPress, and all the complexity that goes into it. A quick domain transfer by replacing the DNS name space in the Google dashboard, and we were off to our host with the most, Hostinger.

Everyone’s Medium blog has used this picture at some point. (Source: https://www.indiewire.com/2017/04/baz-luhrmann-the-great-gatsby-underrated-leonardo-dicaprio-carey-mulligan-1201799900/)

So Hostinger provides a plethora of essential services to running a website, but allow me to start with their practices I’m not too keen on.

The first is website bloatware. This was not a default WordPress install. It was bundled with things like ‘All-in-One SEO’, ‘Contact Forms Lite’ and a few error pages, along with some unfortunately common default pages. These I know as attacker enumeration points. Plugins that come unpacked like this also tend to be out of date. If you set and forget a site, a good hacker will easily gather info on page scripting, server info, locations, software versions and so on. Thankfully, a file manager with a good GUI and server-side editing on the fly allowed for quickly making new scripts and removing pages as the process went along.

The second thing is defaults like FTP and mail servers being enabled. You need to turn these off manually so as not to be attacked. Thankfully there were no default credentials for email, and you’re given one address on the low-cost plan. Still, this is an easy spoofing and reflection point for someone to impersonate an address coming from your name space. Email spam is as annoying as littering in public, so make sure it doesn’t have your name on it!

I get this confused with GI Joe all the time. (Source: https://www.comettv.com/2018/09/apparently-live-action-captain-planet-movie-going-dark-irreverent/)

One thing that did come with default credentials was the DB server. My god, do you need to change this quickly. Make a new user with a new name and password, update the wp-config file, and remove the old account.

I’m also not sure about the default Hostinger WordPress plugin and its auto-login process. This could be a security sticking point if someone wants to enable 2FA on their WordPress site. It saves time but increases risk, so evaluate your risk assessment model appropriately for this one.

Other than that, Hostinger is fairly robust and functional for making changes to a site behind the scenes. It’s best described as Platform as a Service (PaaS). You don’t have control over the bare-metal elements, but everything else is fair game. Those elements are still viewable from the PHP engine, but they’re out of reach for the most part. You can disable file uploads but still use them from the logins you provide Hostinger, making for a good and secure backend system. Their customer support is sharp-witted about many topics as well.

Be sure to back up! Hostinger comes with a backup function through the cPanel. Download your site locally and use it. Also, download your site from WordPress via plugin once that’s set up. More on this later.

Let’s move on to the actual WordPress software. The tools you need are going to vary, but this install comes with two popular and yet probably overly powerful editors: Elementor and Astra. Choose one of these to focus on and let the other one go, otherwise you’re bound to run into conflicts. Based on their recent interest in beefing up security, I would recommend keeping Elementor, but there are many other options out there.

Plugins: you’ll need a few plugins to lock down your site’s security. I recommend the following based on my research:

- Disable XMLRPC* — needs an additional script to work effectively. See below.

- Disable Search — if possible; many sites may not need search, and Google does the job better and safer.

- Wordfence or local firewall of choice — on-website WAFs are an effective line of defense.

- Network WAF — Cloudflare, Sucuri, or other providers. These cost money unless you’re hosting your own bare-metal server.

- Activity log of choice — use one connected to your database as opposed to saving files on your public server. Those files can be enumerated and viewed by a crafty attacker.

- WPScan — essential for any website owner to make sure plugins are up to date!

- Favicon generator — add a favicon to get rid of the default WordPress one. Design and security in mind.

Scripts are important as well. These are the scripts you’ll need to disable common attack vectors:

- Content headers in .htaccess (‘Header set’ plus the appropriate content in quotes “”).

- Directory traversal defenses and 403 responses.

- Disable directory indexing.

- Move WLWManifest from your site to your private directory. (Move the file manually.)

- Disable the RSS and Atom feeds unless you need them.

- Disable version display with WordPress plugins.

- Hide user, admin and page in wp-json.

- Block XMLRPC* — on a case-by-case basis, very much subjective based on mobile, plugins etc. Can be worked around.

Next are a few general tips for site management.

On adding scripting to your page, it’s best practice to NOT EDIT the functions.php file for a WordPress site. This impacts load times and security the most. If you can add scripts, do so in the footer of the site unless absolutely necessary, and make a backup of the file before changing it. If scripts load remotely from GitHub, be cautious of supply chain attacks and cross-site request forgery. If they load locally, be sure to check for updates and apply them regularly.
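Here is how most of the script list above can be done without touching functions.php: as a must-use plugin. This is an added example written for this post, not Hostinger’s, WordPress’s or any plugin author’s code. It assumes the file is saved as wp-content/mu-plugins/example-hardening.php (a file name chosen here); WordPress loads everything in mu-plugins automatically, so there is nothing to activate and nothing for a theme update to overwrite. Every hook used is a standard WordPress action or filter.

```php
<?php
/**
 * Plugin Name: Example Hardening (mu-plugin)
 * Description: Added example for a blog post, not WordPress's or Hostinger's own code.
 *              Assumed path: wp-content/mu-plugins/example-hardening.php
 */

defined('ABSPATH') || exit; // refuse direct HTTP requests to this file

// 1. Version display: drop the <meta name="generator"> tag and the ?ver= query
//    string WordPress appends to script and style URLs.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');
$strip_ver = static function (string $src): string {
    return $src !== '' ? remove_query_arg('ver', $src) : $src;
};
add_filter('style_loader_src', $strip_ver, 9999);
add_filter('script_loader_src', $strip_ver, 9999);

// 2. WLWManifest and RSD discovery links in <head>. The file itself stays wherever
//    you moved it; this just stops advertising it to scanners.
remove_action('wp_head', 'wlwmanifest_link');
remove_action('wp_head', 'rsd_link');

// 3. RSS and Atom feeds: remove the <link> hints and answer feed requests with 403.
remove_action('wp_head', 'feed_links', 2);
remove_action('wp_head', 'feed_links_extra', 3);
$deny_feed = static function (): void {
    wp_die('Feeds are disabled on this site.', '', ['response' => 403]);
};
foreach (['do_feed_rdf', 'do_feed_rss', 'do_feed_rss2', 'do_feed_atom',
          'do_feed_rss2_comments', 'do_feed_atom_comments'] as $feed_hook) {
    add_action($feed_hook, $deny_feed, 1);
}

// 4. XML-RPC: report it as disabled and expose no methods. Jetpack and the mobile
//    app depend on it, which is why the list above calls this case-by-case.
add_filter('xmlrpc_enabled', '__return_false');
add_filter('xmlrpc_methods', '__return_empty_array');

// 5. wp-json user enumeration: hide /wp/v2/users from anonymous visitors only,
//    so the block editor keeps working for logged-in authors.
add_filter('rest_endpoints', static function (array $endpoints): array {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});

// 6. Front-end search: turn ?s= queries into a 404 and render no search form.
add_action('parse_query', static function (WP_Query $query): void {
    if (!is_admin() && $query->is_main_query() && $query->is_search()) {
        $query->is_search = false;
        $query->set_404();
        status_header(404);
    }
});
add_filter('get_search_form', '__return_empty_string');

// 7. Content headers, the same kind the post sets with "Header set" in .htaccess.
add_action('send_headers', static function (): void {
    header('X-Content-Type-Options: nosniff');
    header('X-Frame-Options: SAMEORIGIN');
    header('Referrer-Policy: strict-origin-when-cross-origin');
    if (is_ssl()) { // only meaningful on an HTTPS site
        header('Strict-Transport-Security: max-age=31536000');
    }
});
```

Two items from the list stay in .htaccess on purpose: directory indexing (`Options -Indexes`) and the traversal/403 rules, because Apache answers those requests before PHP ever runs. After dropping the file in, check the result from a logged-out browser: view-source on the home page should show no generator meta tag or feed links, /feed/ should return 403, and /wp-json/wp/v2/users should return a 404 rather than a list of authors.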

For search engine optimization, or SEO for short, a robots.txt and a sitemap.xml file are necessary to get your page indexed. If you don’t want your site indexed, there’s a checkbox inside WordPress to disable this. If you do want it indexed, you should sign up for Google’s and Bing’s search tools and get the appropriate scripts from each provider. Be sure not to put sensitive functionality or commands in the robots.txt file, since that leaks your site’s functionality to manual attackers, unless you’re absolutely sure they won’t work.

Back up, back up, back up, back up. It needs to be said four times. Have a local backup, a backup on the host, a backup of the DB, a backup available everywhere except on the website itself. Test your backups and know what you need. The Hostinger default plugin, All-in-One WP Migration, requires file uploads and scripts to restore from backups, which is a major hassle. There are no good one-click FOSS options for this, aside from community editions for developers to mess with.

Finally, it’s possible to put a Medium blog right on top of your domain [https://help.medium.com/hc/en-us/articles/115003053487-Setting-up-a-custom-domain-for-your-profile-or-publication]. This would be about $50 a year, however, so I’ll think twice before using this. A name in a different website’s spot is fine by me for now.

These are just the tips I’ve learned from my first month and a half of messing around with WordPress. It’s crazy to know that anyone can build a robust website with enough ingenuity and drive. You can make it as simple or complex as you want as well. With great power comes great responsibility, so be sure to secure your site with the many layers above for your small business needs. We call this process Defense in Depth.

An odd thing to note from my research is that HSTS preloading and Content Security Policy aren’t necessary if you have SSL and register for a Google domain. This I find quite odd, and I wonder if it’s Google Domains favoritism at play. If anyone has any answers on why this is, I’d love to hear from you.

Thanks for reading, I’ll look into more ways to improve my site as time goes on, and I’ll continue to share tips with the local community groups as well. See you next month, stay safe!

Masq31 - Benjamin Giordano

Web security blogger, Lifelong IT learner, Community first