Great info - I think the other WP rules I co-wrote in the rules base conforms
to this convention - I'll double check
Paul
On 19/10/2018, 20:36, "Charles Sprickman" <sp...@bway.net> wrote:
> On Oct 19, 2018, at 10:15 AM, Paul Stead <paul.st...@zeninternet.co.uk>
wrote:
>
> Can't comment on the score - hacked Wordpress sites often have bits
hosted in
>
> * wp-admin
Yes.
> * wp-content
Yes and no.
Everything that a user uploads for their site lives under wp-content, so
any rule triggering on that part of the URL would be a mistake.
The tree looks like this:
/wp-content/themes/ - this is where website themes (think templates) live.
You will see css and js from this directory or subdirectories, also in some
cases images (icons and the like)
/wp-content/plugins/ - this is where WP plugins (gobs of code that add some
specific functionality to the site). Similar to themes, you’ll generally see
css and js there, and possibly some images
/wp-content/uploads/ - this is where all images/media that the webmaster
uploads lives. This is where you want to be strict with any URL matching rules.
You should NOT see any files ending in .js nor .css - that’s a strong sign
that the installation is compromised.
You should NOT see any files ending in .php in ANY of the above directory
trees. Themes and plugins contain .php files, but they are NOT directly
executed from outside, they are simply included by other WP core code. So when
you see a .php file in those directories in a URL, something is very wrong.
And you’re likely looking at a compromised account, which is likely somehow
involved in spamming or phishing.
A good webhost applies a few very simple rules that block about 99% of the
WP exploits:
- PHP not even parsed under the uploads directory ENTIRELY, even for
includes. Since this directory is ALWAYS writable by the web user, it’s where
most exploits want to put their payloads. You break nothing but exploits by
disallowing php execution there. Similarly, you block no good email by nuking
any URL that ends in .php and lives under that directory.
- PHP not executed anywhere under /wp-content other than by includes
- /wp-admin/ only has /wp-admin/admin-ajax.php allowed for
non-authenticated users. You should never see any URL other than that from that
directory.
- Only wp-content is writable by the web user (pretty rare, but doable, and
very common with “boutique” hosting)
You will have a surprisingly secure WP install with just those few simple
steps above.
That’s my WP quicky for anyone writing WP rules. If such a person is on
the list and wants to discuss, I’m super happy to do so!
Charles
> Pages within these directories are publicly accessible, but it is very
unusual for a WP plugin to reference these URIs directly in outbound emails
>
>
> Paul
>
> On 19/10/2018, 14:38, "Alex" <mysqlstud...@gmail.com> wrote:
>
> Hi,
>
> Should we be adding 3 points for just this, or is there never a reason
> users should be using /wp-admin in their URLs?
>
> Oct 19 09:33:11.561 [1299] dbg: rules: ran uri rule __URI_WPADMIN
> ======> got hit: "/wp-admin/images/"
>
> The rule description says possible phishing, but how would an end-user
> be in a position to create a public link that involves their WP admin
> directory in the first place?
>
>
> --
> Paul Stead
> Senior Engineer (Tools & Technology)
> Zen Internet
--
Paul Stead
Senior Engineer (Tools & Technology)
Zen Internet
