Great info - I think the other WP rules I co-wrote in the rules base conform to this convention - I'll double check

Paul

On 19/10/2018, 20:36, "Charles Sprickman" <sp...@bway.net> wrote:


    > On Oct 19, 2018, at 10:15 AM, Paul Stead <paul.st...@zeninternet.co.uk> wrote:
    >
    > Can't comment on the score - hacked Wordpress sites often have bits hosted in
    >
    > * wp-admin

    Yes.

    > * wp-content

    Yes and no.

    Everything that a user uploads for their site lives under wp-content, so any rule triggering on that part of the URL would be a mistake.

    The tree looks like this:

    /wp-content/themes/ - this is where website themes (think templates) live. You will see css and js from this directory or subdirectories, also in some cases images (icons and the like)
    /wp-content/plugins/ - this is where WP plugins (gobs of code that add some specific functionality to the site) live. Similar to themes, you’ll generally see css and js there, and possibly some images
    /wp-content/uploads/ - this is where all images/media that the webmaster uploads lives. This is where you want to be strict with any URL matching rules. You should NOT see any files ending in .js nor .css - that’s a strong sign that the installation is compromised.

    You should NOT see any files ending in .php in ANY of the above directory trees. Themes and plugins contain .php files, but they are NOT directly executed from outside, they are simply included by other WP core code. So when you see a .php file in those directories in a URL, something is very wrong. And you’re likely looking at a compromised account, which is likely somehow involved in spamming or phishing.

    A good webhost applies a few very simple rules that block about 99% of the WP exploits:

    - PHP not even parsed under the uploads directory ENTIRELY, even for includes. Since this directory is ALWAYS writable by the web user, it’s where most exploits want to put their payloads. You break nothing but exploits by disallowing php execution there. Similarly, you block no good email by nuking any URL that ends in .php and lives under that directory.
    - PHP not executed anywhere under /wp-content other than by includes
    - /wp-admin/ only has /wp-admin/admin-ajax.php allowed for non-authenticated users. You should never see any URL other than that from that directory.
    - Only wp-content is writable by the web user (pretty rare, but doable, and very common with “boutique” hosting)

    You will have a surprisingly secure WP install with just those few simple steps above.

    That’s my WP quicky for anyone writing WP rules. If such a person is on the list and wants to discuss, I’m super happy to do so!

    Charles

    > Pages within these directories are publicly accessible, but it is very unusual for a WP plugin to reference these URIs directly in outbound emails
    >
    >
    > Paul
    >
    > On 19/10/2018, 14:38, "Alex" <mysqlstud...@gmail.com> wrote:
    >
    >    Hi,
    >
    >    Should we be adding 3 points for just this, or is there never a reason
    >    users should be using /wp-admin in their URLs?
    >
    >    Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
    >    ======> got hit: "/wp-admin/images/"
    >
    >    The rule description says possible phishing, but how would an end-user
    >    be in a position to create a public link that involves their WP admin
    >    directory in the first place?
    >
    >
    > --
    > Paul Stead
    > Senior Engineer (Tools & Technology)
    > Zen Internet



--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
