
does it make your website more vulnerable to hacking if...

Discussion in 'BlackHat Lounge' started by Oh!no, Apr 16, 2013.

  1. Oh!no

    Oh!no Newbie

    Joined:
    Apr 13, 2013
    Messages:
    38
    Likes Received:
    1
    Normally, you can find out what software a site/forum is using by checking their footer, so my question is, does it make your website more vulnerable to hacking if people know what software you are using?
     
  2. RMX

    RMX Power Member

    Joined:
    Nov 16, 2009
    Messages:
    726
    Likes Received:
    389
    Occupation:
    Network Security Admin
    Location:
    London, UK
    Home Page:
    Knowing the software and its version helps the attacker to identify the appropriate exploits to use to gain access to the site (if any). It does not necessarily mean that they can get into the site by knowing the software/version.
     
    • Thanks Thanks x 2
  3. james406

    james406 Junior Member

    Joined:
    Feb 22, 2012
    Messages:
    124
    Likes Received:
    65
    Yes, definitely. The simple solution is to move the login page, which is the main advantage would-be hackers have. For example, if you leave the wp-admin folder as wp-admin and not secret-login or similar, then they may use automated tools to try to brute-force your password or similar.

    You shouldn't have an issue with wordpress/similar if you're sensible about the plugins you use and keep everything updated as soon as updates come out.

    Edit: of course, you may not be able to move the login page depending on the precise software you mean.
     
    • Thanks Thanks x 1
  4. Oh!no

    Oh!no Newbie

    Joined:
    Apr 13, 2013
    Messages:
    38
    Likes Received:
    1
    Thanks.

    I mean those "powered by XXXXX" I wonder if it is better to remove them, so people have a harder time to find out what software I am using.
     
  5. Oh!no

    Oh!no Newbie

    Joined:
    Apr 13, 2013
    Messages:
    38
    Likes Received:
    1
    or it doesn't matter at all, whether I remove it not, people can still find out what software I am using very easily?
     
  6. Zapdos

    Zapdos Power Member

    Joined:
    Oct 22, 2011
    Messages:
    597
    Likes Received:
    708
    Location:
    Eastern North Carolina
    It can help. For instance, a while back there was an exploit for both IPB and vBulletin that only worked on specific versions. You could then use Google's exact match search and find thousands of vulnerable sites without even needing to crawl sites yourself.
    In any case, removing the information is not security. You should instead focus on preventing attacks even if they find your software+version, find your login page, find your admin account, find your password... Get preventive features at every single step of the way.
     
    • Thanks Thanks x 1
  7. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,063
    Likes Received:
    2,872
    Gender:
    Male
    Yes, if you don't update the software to the latest... Architectures like Drupal are pretty secure and you can't hack it if the site is not ill-coded.
     
    • Thanks Thanks x 1
  8. Oh!no

    Oh!no Newbie

    Joined:
    Apr 13, 2013
    Messages:
    38
    Likes Received:
    1
    how to prevent people from attacking even after they find out your password??:eek:
     
  9. Black.Star

    Black.Star Junior Member

    Joined:
    Oct 4, 2011
    Messages:
    185
    Likes Received:
    1,028
    Occupation:
    IT security specialist
    Location:
    Europe
    Yes. It won't help you against a targeted attack, since a quick portscan will easily give the attacker what he wants.
    However, against automated attacks, it will help you to not get included in the search results. Hide as much as you can.
    The number 1 key for a successful penetration of a computer system is to know how the system works.
     
  10. Black.Star

    Black.Star Junior Member

    Joined:
    Oct 4, 2011
    Messages:
    185
    Likes Received:
    1,028
    Occupation:
    IT security specialist
    Location:
    Europe
    There is no such thing as something being unhackable. Trust me.
     
    • Thanks Thanks x 1
  11. mast3r0flol

    mast3r0flol Registered Member

    Joined:
    Jul 11, 2012
    Messages:
    62
    Likes Received:
    14
    Ok, come on, you think a simple piece of information like your theme will stop an intelligent, genius person like a hacker from hacking your website?

    Come up with a better way to safeguard your website, this is just a small petty thing.
    Doesn't make a difference.
     
  12. Xp3r7

    Xp3r7 Regular Member

    Joined:
    Sep 9, 2011
    Messages:
    286
    Likes Received:
    386
    Occupation:
    Freelancer
    Location:
    In the middle of nowhere
    It will stop some of the script kiddies and it won't stop someone who knows what he's doing.
     
  13. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,063
    Likes Received:
    2,872
    Gender:
    Male
    I am concerned about them, but it takes an idiot to code an insecure application in drupal.
     
    • Thanks Thanks x 1
  14. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 2, 2008
    Messages:
    788
    Likes Received:
    3,120
    Occupation:
    Chair moistener.
    Location:
    Cyberspace
    I'd be more worried about the version info in the header, especially if you're running a wordmess blog.
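    The channels Zapdos (post 6) and The Scarlet Pimp (post 14) are talking about, as an added example that is not code from this thread: a small fingerprint collector that reads the response headers, the `<meta name="generator">` tag, the `?ver=` query strings WordPress appends to enqueued scripts and styles, the `/wp-content/` and `/wp-includes/` paths, and the RSS `<generator>` element. The headers, HTML and feed below are constructed for the demo (`blog.example` is not a real site), and `strip_generators` only simulates what the `the_generator` filter from later in the thread removes.

```python
import re
from collections import Counter

# Constructed sample response for the demo; not captured from any real site.
SAMPLE_HEADERS = {
    "Server": "Apache/2.2.22 (Ubuntu)",
    "X-Powered-By": "PHP/5.3.10-1ubuntu3.4",
    "X-Pingback": "http://blog.example/xmlrpc.php",
}
SAMPLE_HTML = """<!DOCTYPE html>
<html><head>
<meta name="generator" content="WordPress 3.5.1" />
<link rel="stylesheet" href="http://blog.example/wp-content/themes/twentytwelve/style.css?ver=3.5.1" />
<script src="http://blog.example/wp-includes/js/jquery/jquery.js?ver=1.8.3"></script>
<script src="http://blog.example/wp-includes/js/comment-reply.min.js?ver=3.5.1"></script>
<link rel="alternate" type="application/rss+xml" href="http://blog.example/feed/" />
</head><body><p>No "Powered by" footer here.</p></body></html>"""
SAMPLE_FEED = """<?xml version="1.0"?><rss version="2.0"><channel>
<generator>http://wordpress.org/?v=3.5.1</generator></channel></rss>"""

VERSION_RE = re.compile(r"\d+(?:\.\d+)+")
HEADER_CHANNELS = ("server", "x-powered-by", "x-generator", "x-pingback")


def fingerprint(headers, html, feed=""):
    """Collect every software/version leak a scanner reads, not just the footer.

    Returns {"cms": str | None, "version": str | None, "evidence": [(channel, value), ...]}.
    The version reported is the candidate seen most often across all channels.
    """
    evidence, candidates, cms = [], [], None
    lower = {k.lower(): v for k, v in headers.items()}

    # 1. Headers: web server, language runtime and WordPress' X-Pingback.
    for name in HEADER_CHANNELS:
        if name in lower:
            evidence.append(("header:" + name, lower[name]))
    if "xmlrpc.php" in lower.get("x-pingback", ""):
        cms = "WordPress"

    # 2. <meta name="generator">: the string the the_generator filter removes.
    m = re.search(r'<meta\s+name=["\']generator["\']\s+content=["\']([^"\']+)', html, re.I)
    if m:
        evidence.append(("meta:generator", m.group(1)))
        candidates += VERSION_RE.findall(m.group(1))
        if "wordpress" in m.group(1).lower():
            cms = "WordPress"

    # 3. ?ver= on enqueued assets: WordPress appends its own version to any
    #    script or style registered without one, independently of the_generator.
    asset_re = r'(?:href|src)=["\']([^"\']*?/wp-(?:includes|content)/[^"\']*?\?ver=([\d.]+))'
    for path, ver in re.findall(asset_re, html, re.I):
        evidence.append(("asset:?ver", path))
        candidates.append(ver)
        cms = "WordPress"

    # 4. RSS <generator>; the_generator also covers this, but only once the filter is in place.
    g = re.search(r"<generator>([^<]+)</generator>", feed)
    if g:
        evidence.append(("feed:generator", g.group(1)))
        candidates += VERSION_RE.findall(g.group(1))
        if "wordpress" in g.group(1).lower():
            cms = "WordPress"

    version = Counter(candidates).most_common(1)[0][0] if candidates else None
    return {"cms": cms, "version": version, "evidence": evidence}


def strip_generators(html, feed):
    """Simulate the thread's the_generator filter: drop generator tags from HTML and feed."""
    html = re.sub(r'<meta\s+name=["\']generator["\'][^>]*>\s*', "", html, flags=re.I)
    feed = re.sub(r"<generator>[^<]*</generator>", "", feed)
    return html, feed


if __name__ == "__main__":
    print(fingerprint(SAMPLE_HEADERS, SAMPLE_HTML, SAMPLE_FEED))
    print(fingerprint(SAMPLE_HEADERS, *strip_generators(SAMPLE_HTML, SAMPLE_FEED)))
```

    Run it twice, once on the raw sample and once after `strip_generators`, and the second run still reports WordPress 3.5.1: the generator tag is gone, but the `?ver=3.5.1` strings on `style.css` and `comment-reply.min.js` and the `Server`/`X-Powered-By` headers remain. That is the practical meaning of "removing the information is not security": each leak you close is one channel out of several, so patching and the login-side controls further down the thread matter more than the footer.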
     
  15. Black.Star

    Black.Star Junior Member

    Joined:
    Oct 4, 2011
    Messages:
    185
    Likes Received:
    1,028
    Occupation:
    IT security specialist
    Location:
    Europe
    The user always is the weakest link in the system.
     
    • Thanks Thanks x 1
  16. Gogol

    Gogol Elite Member

    Joined:
    Sep 10, 2010
    Messages:
    3,063
    Likes Received:
    2,872
    Gender:
    Male
    Well @ THREAD
    You kind of remove the search footprints when you don't use known architecture / hide them so that you don't get indexed for that footprint. It prevents automated attacks as well as someone trying to hack websites using footprints. Trust me in this ;-)
     
    Last edited: Apr 24, 2013
  17. Zapdos

    Zapdos Power Member

    Joined:
    Oct 22, 2011
    Messages:
    597
    Likes Received:
    708
    Location:
    Eastern North Carolina
    Authenticate via IP. Use secondary passwords for high-risk settings (changing themes, modifying files, viewing database.) Secondary login forms. Key files. Time locks. Secondary/tertiary authentication on changing settings by other people.
     
    • Thanks Thanks x 1
  18. makemecash

    makemecash Regular Member

    Joined:
    Mar 16, 2012
    Messages:
    279
    Likes Received:
    303
    To be honest with you, I have played both spectrums - WP security consultant and "hired goon"

    My suggestions on preventing your WP site from being hacked:
    - always make sure that your WP version is up to date.
    - "nulled" plugins can quite often have back-doors
    - never have your admin login be "admin"
    - Limit login access attempts: http://wordpress.org/extend/plugins/login-lockdown/
    - Track your site's logins: http://wordpress.org/extend/plugins/simple-login-log/
    - secure your wp-config file:
    HTML:
    <files wp-config.php>
    order allow,deny
    deny from all
    </files>
    - Disable file editing (place in wp-config.php):
    HTML:
    define('DISALLOW_FILE_EDIT', true);
    
    - Disable the WP version number on site and RSS feed (paste into theme's function.php file):
    HTML:
    function mysite_remove_version() { return ''; }
    add_filter('the_generator', 'mysite_remove_version');
    - Open up wp-config.php and and look for the "secret keys". If they aren't there or the default keys are shown, then get new keys and paste them in your config file:
    HTML:
    https://api.wordpress.org/secret-key/1.1/salt/
    
    - When you first install WP, it gives you a default database prefix of "wp_", you will want to change that to something else. For example, something like "secretdb_"
    - protect your .htaccess file (add this into your wp-config.php file):
    HTML:
    <Files .htaccess>
    order allow,deny
    deny from all
    </Files>
    
    - To have added security for your admin login, you can prevent access to login pages based on IP address. You can do this by opening up your .htaccess file and adding this:
    HTML:
    <Files wp-login.php>
    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx
    </Files>
    The xx.xx.xx.xx would be your IP address in which you can find your IP here: http://whatismyipaddress.com/
    Then you will need to do the same in your admin folder. So open up your /admin folder and see if there is a .htaccess file in it. If there is, great! Otherwise, you will have to create one. Once you have done that, just paste this code in there:
    HTML:
    Order Deny,Allow
    Deny from all
    Allow from xx.xx.xx.xx
    There you go! That will get all of the starters pretty much secured. Of course there is a lot more to do if you want to completely secure your site - but the info above is a good start. Also, I'd recommend using cloudflare.com, that will prevent known spammer and hacker IPs from entering your site.
     
    • Thanks Thanks x 2
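    The login-side controls that james406 (post 3), Zapdos (post 17) and makemecash (post 18) describe, combined into one piece of logic as an added illustration: an IP allowlist (what the `Allow from xx.xx.xx.xx` lines do at the web-server layer), a failure counter per IP and per account with a lockout window (what Login LockDown does), and a constant-time password check so a wrong guess does not reveal whether the username exists. This is not WordPress code or the plugin's code; the class name, thresholds, the PBKDF2 password store and the sample addresses (203.0.113.0/24 and 198.51.100.7 are documentation ranges) are assumptions made for the demo.

```python
import hashlib
import hmac
import ipaddress
import os
import time
from collections import defaultdict, deque


def hash_password(password, salt=None, rounds=100_000):
    """PBKDF2-SHA256 for the demo user store; stands in for the CMS's own hashing."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class LoginGuard:
    """Gate a login form: IP allowlist, then per-IP and per-account lockout."""

    def __init__(self, allowed_networks=(), max_attempts=5, window=600,
                 lockout=1800, clock=time.monotonic):
        self.allowed = [ipaddress.ip_network(n, strict=False) for n in allowed_networks]
        self.max_attempts, self.window, self.lockout, self.clock = max_attempts, window, lockout, clock
        self.failures = defaultdict(deque)  # ("ip", addr) / ("user", name) -> failure timestamps
        self.locked_until = {}

    def ip_allowed(self, ip):
        # Empty allowlist means "no IP restriction", as when the .htaccess block is absent.
        if not self.allowed:
            return True
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.allowed)

    @staticmethod
    def _keys(ip, username):
        return (("ip", ip), ("user", username.lower()))

    def is_locked(self, ip, username):
        now = self.clock()
        return any(self.locked_until.get(k, 0) > now for k in self._keys(ip, username))

    def record_failure(self, ip, username):
        now = self.clock()
        for key in self._keys(ip, username):
            q = self.failures[key]
            q.append(now)
            while q and q[0] < now - self.window:  # forget failures older than the window
                q.popleft()
            if len(q) >= self.max_attempts:        # too many recent failures: time lock
                self.locked_until[key] = now + self.lockout
                q.clear()

    def record_success(self, ip, username):
        for key in self._keys(ip, username):
            self.failures.pop(key, None)
            self.locked_until.pop(key, None)

    def login(self, ip, username, password, users):
        """Full decision for one attempt. users: {name: (salt, digest)}. Returns (ok, reason)."""
        if not self.ip_allowed(ip):
            return False, "ip not allowlisted"
        if self.is_locked(ip, username):
            return False, "locked out"
        salt, digest = users.get(username, (b"", b""))
        # Hash even for unknown users so response time does not reveal valid usernames.
        _, candidate = hash_password(password, salt or b"\x00" * 16)
        if username in users and hmac.compare_digest(candidate, digest):
            self.record_success(ip, username)
            return True, "ok"
        self.record_failure(ip, username)
        return False, "bad credentials"


if __name__ == "__main__":
    users = {"editor": hash_password("correct horse battery staple")}
    guard = LoginGuard(allowed_networks=["203.0.113.0/24"], max_attempts=3, window=60, lockout=300)
    print(guard.login("198.51.100.7", "editor", "anything", users))   # rejected by the allowlist
    for guess in ("admin", "password", "123456"):
        print(guard.login("203.0.113.5", "editor", guess, users))    # three failures trip the lock
    print(guard.login("203.0.113.5", "editor", "correct horse battery staple", users))  # right password, still locked
```

    The last line is the point Zapdos makes in post 6: once the account is locked, even the correct password is refused until the window expires, and because the lock is keyed on the username as well as the IP, a brute-forcer rotating through proxies still hits the account lock. Secondary passwords for high-risk actions would sit on top of this as a separate check after `login` returns `ok`. One caveat on the `.htaccess` snippets above: `Order`/`Deny`/`Allow` is Apache 2.2 syntax; Apache 2.4 expresses the same allowlist natively as `Require ip xx.xx.xx.xx`.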
  19. omnipotent$

    omnipotent$ Regular Member

    Joined:
    Mar 23, 2013
    Messages:
    493
    Likes Received:
    288
    If there is a will, there is a way. Any site can be hacked. Even Edu and gov sites get hacked as well.
     
  20. The Scarlet Pimp

    The Scarlet Pimp Jr. VIP Jr. VIP Premium Member

    Joined:
    Apr 2, 2008
    Messages:
    788
    Likes Received:
    3,120
    Occupation:
    Chair moistener.
    Location:
    Cyberspace