Security Audits

4 Must-Read Tips For a Safer Drupal

A free and open-source content management platform written entirely in PHP, Drupal is one of the most popular choices for creating your blog/website on the internet. Drupal can be variedly used to create a static website, a dynamic blog, a user-generated forum and/or a community based website. With so much of possibilities and a user-friendly interface, Drupal attracts a large number of webmasters and bloggers. As such, it is also a constant target for high-end hackers. If you run a Drupal website that is large enough to be noticed, you must take adequate security measures. Here are a few useful tips that will help you create a safer Drupal portal.

Keep Everything Updated

Be it WordPress, Joomla or Drupal, the same rule applies. You must always keep your core content management system, site template as well any third party modules you may be using, up-to-date. Always use the latest available version of Drupal on your website. Only use well-maintained themes and plugins that are regularly updated against possible security vulnerabilities, and make sure you are running the most recent version. This will help keep your site protected against all possible vulnerabilities that may arise from time to time.

Use Special Security Modules

Just like WordPress has additional security plugins that add functionalities like antivirus and firewall on to your website, Drupal too, provides a host of security modules that allow you to enhance and improve the security of your WordPress. While Drupal Core itself comes with inbuilt security systems, their repository contains a whole lot of additional security extensions you might consider using. Two great examples of successful Drupal security modules are the Paranoia Module and the Security Kit Module.

Secure Your Site Against Unauthorized Uploads

There is no better way to turn your site into a malware funhouse than allowing anonymous users to post content. But what about community-based websites and forums? That’s why we recommend you to choose which types of files can and cannot be uploaded by users with particular permissions. Also, please don’t let every other user on the site to manipulate and alter your Drupal HTML in a negative way. Add this to a decent antimalware module and regularly scan for malicious code and files on your database. Remember, malware is the easiest way to compromise a site’s usability.

Prepare For the Worst

Even after you have successfully implemented every other great security measure out there, you can never be careful enough. Hackers can always find new ways to compromise your website, either by hacking into user accounts or the database itself. That’s why it is highly recommended that you backup your files and database on a regular basis. Keep multiple copies of your files and database in your PC as well as cloud. This will make sure that you can get your site up and running in two minutes even after your site has been compromised.

These are just a few of the many measures you can take in order to protect your Drupal website. Do you have any additional recommendations? If so, feel free to leave your comments.

5 Simple Tips to a Secure Joomla Website

An open-source Content Management System designed for creating outstanding web applications in a breeze, Joomla has been used over 50 million times as of today. The reason behind Joomla’s unbeatable popularity and preference amongst web application developers is its flawless coding, designed to simplicity and extraordinary flexibility. Unlike WordPress, Joomla prides itself as a secure CMS, which means it shouldn’t require you to use an external firewall or virus scanner. However, from time to time, certain security measures are necessary. Here are 5 useful tips to creating a more secure Joomla portal:

Keep Your Joomla and Extensions Up-to-date

Just like WordPress, Joomla too, needs you to manually update the core application from time to time. This helps the CMS secure itself against emerging security vulnerabilities and new hacking techniques. Joomla also comes with a huge repository of useful plugins that add functionality to your site. For the sake of foolproof security, it is necessary to keep your core Joomla CMS and all the associated plugins updated to the latest version.

Change the Default Database Prefix

All Joomla applications come with a default database table prefixed jos_. Hence, most SQL injections target the jos_users table to hack into and retrieve the administrator’s username and password. By changing the default jos_ prefix of your Joomla application to something else, you can secure it from a serious SQLi vulnerability. You can do this easily by using your hosting’s phpMyAdmin panel.

Hide the Version Numbers from Extensions

The first step towards hacking a Joomla website is to track down the versions of Joomla and additional extensions used by the web application. This helps the hacker find out vulnerabilities within the specified version of Joomla and extensions and use them in the hacking procedure. In order to not provide the hacker with an advantage, it is a good idea to remove the version numbers from the names of the various extensions used on your Joomla. This is as easy as using your hoisting’s file manager to find out the file names for each extension and remove the version number from those file names.

Replace the Default Superadministrator

On Joomla, the default ID of the superadministrator is always 62. Hackers can use this information to launch a Brute Force attack on the admin account and hack into your website. To avoid this, just change the user ID of the core administrator to something else. To do this, create a new superadministrator with a strong username and password, log out of the default superadministrator account and log back in with the new superadministrator account. Now, first demote the original superadministrator account to Manager and then delete it. That’s it! You have successfully changed your superadministrator user ID to something safer.

Use a Strong Username and Password

This applies to much every web application out there. You should use strong, untraceable usernames and passwords for your Joomla user accounts, especially the ones with administrator privilege. To create strong usernames and passwords, use a combination of alphanumeric characters, lowercase and uppercase letters as well as symbols. Further, it is a good advice to change your username and password every 3 months.

These are five of the most important security suggestions that you must abide by to keep your Joomla web application secure. Please follow us for more useful information on web application security and Joomla.

Common Internet Security Vulnerabilities

  1. Injection Flaws: Passing unfiltered data to an SQL server, a browser or an LDAP server can result in an injection vulnerability, whereby the hackers can inject malicious code into the data, resulting in harm to the user receiving the data.
  2. Authentication Breach: This happens when a user passing sensitive information through an encrypted secure network suddenly encounters a break of authentication, leaving their sensitive data vulnerable to all the hackers out there.
  3. Cross-Site Scripting: Abbreviated as XSS, this is a very common input sanitization failure. It happens when an attacker force loads malicious JavaScript tags on input, which is returned to the user’s browser unsanitized, resulting in undue harm.
  4. Insecure Direct Object References: When an internal web application object, such as a file or database is exposed to unauthorized users, attackers receive access to these direct object references and make it easier for the site to be compromised.
  5. Security Misconfiguration: Databases and servers can be misconfigured on several levels, resulting in the appearance of several known and unknown vulnerabilities that compromise a web application’s security.
  6. Exposure of Sensitive Data: On the internet, sensitive data includes private user credentials such as credit card information, mailing address, bank account number, user account password and so forth. These informations should be passed through a secure encrypted connection at all times. Failure to do so can result in security vulnerabilities that seriously affect users.
  7. Missing Function Level Access Control: An authorization failure that results when adequate authorization is not performed when a function is called on the server. Performing right authorizations on the server side can avoid this vulnerability.
  8. Cross Site Request Forgery: This happens when a third party website forces the web browser into misusing its authority to fulfill the hacker’s interests. This is basically a deputy attack where the browser itself is confused.
  9. Components with Known Vulnerabilities: Adding strands of code that depict known vulnerabilities, such as corrupt WordPress plugins and Drupal modules, can result in a high-priority security vulnerability.
  10. Unvalidated Redirects and Forwards: An input filtering issue which occurs whenever the said web application contains malicious extensions which cause the trusted but compromised website to redirect to an unsafe, malicious website.

WordPress Hacking 101: How to Hack a WordPress Site

Ever wonder how you could hack a WordPress site? You are not one of the bad guys, but you just want to know how it works, maybe for the purpose of securing your own WordPress site. Hacking a WordPress site is a complex and multi-step procedure. You will need to gather information about the site you are about to hack, locate vulnerabilities, obtain login info and finally attack the site using user attack, application attack or server attack. Here are the steps to hacking a WordPress site. Please note that they are for educational purpose only, and we shall not be held responsible if you misuse the information provided in any way.

Obtaining Information

In order to successfully hack a WordPress site, you must start by understanding the way the site works. Does it use the latest or an earlier version of WordPress? Does it have one or more plugins that are not updated and contain potential security vulnerabilities? Does it use any special security software to prevent attacks from happening? Once you have done the required homework, you can start out on hacking any WordPress site.

A very easy way to detect the version of core WordPress is to look for a meta generator tag in the source code of the file. It will show something like this:

<meta name="generator" content="WordPress 3.5.2" />

Next, do some directory indexing, which will give you an idea of the various files and folders within the WordPress and where they are located. Just look for the index of contents in the following URLs:

/wp-content/
/wp-content/plugins/
/wp-content/themes/
/uploads/
/images/

Next, find out about the various users on the site by visiting the following URLs:

wordpressexample.com/?author=1
wordpressexample.com/?author=2
wordpressexample.com/?author=3
And so on…

Once you have an idea of the WordPress, themes, plugins and users, you can pick any of the following methods to hack into the WordPress:

Attacking Users

An easy way to hack into a WordPress site is to just hack into the individual WordPress user accounts for the site. Once you have found the list of users on the site using the method above, you already have their usernames, and all you need is the passwords. An easy way to find out weak passwords is a Brute Force Attack. It is nothing but using hitting the login form with a random list of passwords until one just works out. It is really the most common and basic way to hack into any CMS. Other ways of finding user passwords include sniffing the password an HTTP login session or getting the user’s login credentials by installing a key logger onto the user’s workstation.

Attacking Applications

The second most common way is to surf the themes and plugins on the subject’s website for vulnerabilities in the myriad strands of PHP code contained within the many applications. Common vulnerabilities include XSS, SQL injection, file upload and code execution exploits that can easily be targeted and attacked by hackers. A common way of hacking into a WordPress application is a Brute Force Attack similar to the one used to obtain user credentials. There are various online tools that can help you achieve this, such as WPScan and Nmap NSE.

Attacking Servers

A Brute Force Attack that reveals the credentials of a server management account gives the hacker full access to both the server and the application. Password guessing can be used to hack into the following server applications:

  • SSH Service
  • CPanel or WHCMS Web Hosting Control Panels
  • phpMyAdmin database management application
  • Webmin Server Management
  • MySQL database service

Tools like the OpenVAS Vulnerability Scanner and Nmap Port Scanner make it very easy to search for common vulnerabilities in server accounts.

These are just a few of the many ways one can hack into a WordPress site. Reasons behind these attacks can include anything from deliberately spreading malware, obtaining sensitive information about users and taking complete control over the hacked site for many reasons.

Did you learn something new about how to hack a WordPress site from reading this article? Let us know in your comments!

The 3 Best Security Plugins for WordPress

With hundreds of thousands of users across the world, WordPress accounts for 18.9% of all the self-hosted websites on the web. While this may not sound like much, imagine 19% of the millions of websites that have the ability to pay for their hosting, it’s really a lot. But if you are the average WordPress user, you have done exactly what most people do: purchase a hosting, install WordPress, launch your website, use a couple of unessential plugins in the process, and then forget about it altogether. But in all this brouhaha, you are actually missing out on of the key components of any website: security. Given that WordPress is, in fact, the single largest Content Management System in the realm of website builders, it is always the chief target of all the hackers, spammers and sploggers out there. Hence, certain security measures are necessary.

While there are an unlimited number of security plugins in the WordPress repository, including anti-malwares, firewalls, spam-checkers, and so forth, not all of them are equally good. So, here are the 3 best security plugins for WordPress, all of which provide a complete suite of security services for your site:

WordFence

One of the most popular free WordPress security plugins out there, WordFence has over 1 million + active installs and millions of downloads. It comes with a host of security services, including an antivirus, a firewall, login security, multisite security and so much more. In fact, it claims to make your website 50 times faster and more secure, immediately after installation.

WordFence is compatible with most themes, plugins and hosting providers. It comes with IPV6 compatibility too. You can expect to seamlessly integrate WordFence into any existing WordPress, without any of the technical jargon. Another plus side is, it’s 100% free!

iThemes Security

Formerly known as Better WP Security, this plugin was subsequently bought by iThemes, the reputed WordPress theme and plugin company. It then underwent a change of name, along with a significant set of improvements. While iThemes Security can only be used to its fullest capacity if you buy their Pro version, the Free version alone offers most of the basic security you need, including a powerful site firewall, bruteforce attack protection, malware scanning with virustotal.com, backend hider and so on.

The Pro plans too, aren’t very pricy, and are well-worth the security it provides.

All In One WP Security & Firewall

The All In One WP Security & Firewall is supposed to be all the security your site needs. Meaning, there is no need to use other security plugins on your site if you are using this plugin. In fact, using multiple security plugins on the same site with All In One WP Security & Firewall can lead to compatibility issues.

On the plus side, this plugin really does provide all the security you will need. It has an anti-malware checker, a robust security firewall with IP tracking, a spam comments and registration blocker and so much more. There is also a pro version available that offers another bundle of advanced security options you can use.

In our personal experience, of all the security plugins we have used for our site, iThemes Security is the best. It’s lightweight, fast, compatible and completely secure. What are your favorite WordPress security plugins? Let us know in your comments!