Comments on: WordPress Hardening Project Update

By: BlogSecurity » Blog Archive » WPIDS - WordPress Intruder Detection System

Thu, 22 Nov 2007 03:00:56 +0000

[...] so on. In short, its a defense plugin for WordPress that BlogSec members have been working on for a few months now. I would say it was more of an Intruder Prevention System then an Intruder Detection [...]

By: AskApache

AskApache — Wed, 17 Oct 2007 03:27:40 +0000

This is a really nice, well-thought-out effort, but not a best-practice... The BEST way to block all of these files is to only block EXTERNAL requests for them. IOW, if your wp-cache requests a file, it should be allowed. If a visitor on your webpage requests the same file, it should be denied. This seems impossible to accomplish but actually mod_rewrite provides a really cool way... for example, this blocks all external requests (except those generated by ErrorDocument code /index.php?error=code) for files ending in .php in either the wp-includes or wp-content directory, but it doesn't block your server or WP install!


RewriteCond %{QUERY_STRING} !error
RewriteCond %{THE_REQUEST} ^[A-Z]{3,9}\ /(wp-includes|wp-content)/(.+)\.php\ HTTP/
RewriteRule .* - [F]

code from htaccess tutorial Another way to secure your wordpress with .htaccess is by using my wordpress plugin: htaccess password protect on AskApache.com

By: BlogSecurity » Inspector WordPress Plugin Review

BlogSecurity » Inspector WordPress Plugin Review — Mon, 08 Oct 2007 06:11:21 +0000

[...] The plugin has a list of security conditions (stored in conditions.txt). These rules define what requests are considered bad. I took interest in the plugin to see if we could use it in the WP hardening project. [...]

By: David Kierznowski

David Kierznowski — Mon, 24 Sep 2007 15:11:40 +0000

Mutt, great to hear, thanks for your feedback!

By: Mutt

Mutt — Mon, 24 Sep 2007 15:02:15 +0000

I’ve been testing Gareth’s WP-Lockdown. Seems to work well for me with most of the bugs now ironed out. I look forward to developments here.

By: ReZEN

ReZEN — Fri, 21 Sep 2007 11:11:36 +0000

I wrote a personal plugin encryptconf wich encrypts the wordpress configuration file. Might want to give it a look: http://www.rezen.org/encryptconf.zip

By: Wordpress Hardening Project « Among the Impostors - Cyber Fraud

Wordpress Hardening Project « Among the Impostors - Cyber Fraud — Tue, 18 Sep 2007 11:11:36 +0000

[...] Wordpress Hardening Project David Kierznowski of Gnucitizen and Philipp Heinze have been working on a WordPress lock down toold , wp-lockdows, to help make the blogging world a safer place. You can find more on this, and the plugin wp-ids over at the WordPress Blog . [...]

By: Robert Irizarry

Robert Irizarry — Mon, 17 Sep 2007 17:57:53 +0000

I’m really looking forward to this plugin and I’m sure folks will appreciate an easy to harden their WordPress environments. Thanks in advance!

By: Tomsn

Tomsn — Mon, 17 Sep 2007 17:01:41 +0000

One Question: why does the WP Developers not add some hardening things like the output text of the wrong Username or Password…
Every changes i made it’s had it even a new update comes… :-(

By: SigT

SigT — Mon, 17 Sep 2007 13:53:02 +0000

WPIDS y el WordPress Hardening Project…

WPIDS es un port de PHPIDS a WordPress, si no me equivoco la traducción vendría a ser Sistema de Detección de Intrusiones para WordPress (WordPress Intrusion Detection System) ya que aunque no aclaran el término, IDS se refiere a esto.

Según una …