> On Oct 19, 2018, at 10:15 AM, Paul Stead <paul.st...@zeninternet.co.uk> wrote:
> 
> Can't comment on the score - hacked WordPress sites often have bits hosted in
> 
> * wp-admin

Yes.

> * wp-content

Yes and no.

Everything that a user uploads for their site lives under wp-content, so any 
rule triggering on that part of the URL would be a mistake.

The tree looks like this:

/wp-content/themes/ - this is where website themes (think templates) live. You 
will see css and js from this directory or subdirectories, also in some cases 
images (icons and the like)
/wp-content/plugins/ - this is where WP plugins (gobs of code that add some 
specific functionality to the site) live. Similar to themes, you’ll generally see 
css and js there, and possibly some images
/wp-content/uploads/ - this is where all images/media that the webmaster 
uploads live. This is where you want to be strict with any URL matching rules. 
You should NOT see any files ending in .js nor .css - that’s a strong sign 
that the installation is compromised.

You should NOT see any files ending in .php in ANY of the above directory 
trees.  Themes and plugins contain .php files, but they are NOT directly 
executed from outside, they are simply included by other WP core code.  So when 
you see a .php file in those directories in a URL, something is very wrong.  
And you’re likely looking at a compromised account, which is likely somehow 
involved in spamming or phishing.

A good webhost applies a few very simple rules that block about 99% of the WP 
exploits:

- PHP not even parsed under the uploads directory ENTIRELY, even for includes.  
Since this directory is ALWAYS writable by the web user, it’s where most 
exploits want to put their payloads. You break nothing but exploits by 
disallowing php execution there. Similarly, you block no good email by nuking 
any URL that ends in .php and lives under that directory.
- PHP not executed anywhere under /wp-content other than by includes
- /wp-admin/ only has /wp-admin/admin-ajax.php allowed for non-authenticated 
users. You should never see any URL other than that from that directory.
- Only wp-content is writable by the web user (pretty rare, but doable, and 
very common with “boutique” hosting)

You will have a surprisingly secure WP install with just those few simple steps 
above.

That’s my WP quicky for anyone writing WP rules.  If such a person is on the 
list and wants to discuss, I’m super happy to do so!

Charles

> Pages within these directories are publicly accessible, but it is very 
> unusual for a WP plugin to reference these URIs directly in outbound emails
> 
> 
> Paul
> 
> On 19/10/2018, 14:38, "Alex" <mysqlstud...@gmail.com> wrote:
> 
>    Hi,
> 
>    Should we be adding 3 points for just this, or is there never a reason
>    users should be using /wp-admin in their URLs?
> 
>    Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
>    ======> got hit: "/wp-admin/images/"
> 
>    The rule description says possible phishing, but how would an end-user
>    be in a position to create a public link that involves their WP admin
>    directory in the first place?
> 
> 
> --
> Paul Stead
> Senior Engineer (Tools & Technology)
> Zen Internet
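The three URL heuristics Charles lists above, as a stand-alone checker (an added example, not code from this thread or from SpamAssassin; the sample URLs are constructed and the finding names are my own):

```python
import posixpath
from urllib.parse import unquote, urlparse

# Directory trees named in the mail; prefixes are matched on the normalized path.
WP_CONTENT_TREES = ("/wp-content/themes/", "/wp-content/plugins/", "/wp-content/uploads/")
UPLOADS = "/wp-content/uploads/"
WP_ADMIN = "/wp-admin/"
WP_ADMIN_ALLOWED = "/wp-admin/admin-ajax.php"   # the one wp-admin URL anonymous users hit


def normalized_path(url: str) -> str:
    """Path component only: percent-decoded, dot-segments collapsed, lower-cased."""
    raw = unquote(urlparse(url).path) or "/"
    norm = posixpath.normpath("/" + raw.lstrip("/"))   # folds /./, /../ and //
    if raw.endswith("/") and norm != "/":
        norm += "/"                                     # keep the directory marker
    return norm.lower()


def wp_url_findings(url: str) -> list[str]:
    """Return the heuristics a URL trips (empty list = looks like normal WP traffic)."""
    path = normalized_path(url)
    ext = posixpath.splitext(path)[1]
    findings = []
    # .php under themes/plugins/uploads is included by core, never fetched by URL
    if ext == ".php" and path.startswith(WP_CONTENT_TREES):
        findings.append("php-under-wp-content")
    # uploads holds media only; js/css there is a compromise indicator
    if ext in (".js", ".css") and path.startswith(UPLOADS):
        findings.append("static-under-uploads")
    # nothing in wp-admin except admin-ajax.php should reach unauthenticated users
    if path.startswith(WP_ADMIN) and path != WP_ADMIN_ALLOWED:
        findings.append("wp-admin-url")
    return findings


def scan(urls) -> dict[str, list[str]]:
    """Map each URL that trips at least one heuristic to its findings."""
    return {u: f for u in urls if (f := wp_url_findings(u))}


# Constructed sample URLs (not from the thread, except the /wp-admin/images/ hit).
SAMPLE_URLS = [
    "https://example.com/wp-content/uploads/2018/10/photo.jpg",
    "https://example.com/wp-content/themes/twentyseventeen/style.css",
    "https://example.com/wp-admin/admin-ajax.php?action=load_more",
    "https://example.com/wp-admin/images/",
    "https://example.com/wp-content/uploads/2018/10/view.PHP?id=1",
    "https://example.com/wp-content/uploads/js/jquery.js",
]

if __name__ == "__main__":
    for url, hits in scan(SAMPLE_URLS).items():
        print(url, "->", ", ".join(hits))
```

Matching on the normalized path rather than the raw string is what keeps case tricks and doubled slashes from slipping past the prefix checks.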
