[wp-hackers] protecting wp-content/plugins ?

Omry Yadan omry at yadan.net
Sat Aug 25 10:55:13 GMT 2007


I have read the whole thread, and I am not convinced.

the main argument against this is:

attackers don't care, they just run all the existing exploits against
random sites.

you making the assumption that all attackers are script kiddies.

what about an real hacker (cracker, whatever)  that wants to screw a
specific site?

he will first try existing scripts, and when this fails he will start to
really learn the site.

every bit of info helps, and a list of plugins - most of which are open
source, is a huge help.

if I really wanted to hack such a site, I would start learning its
plugins, looking for holes.

yes, it may be possible to learn of the existence of known plugins in
other ways, but a list will give you the unknown ones as well, and much
faster.



James Davis wrote:

> Omry Yadan wrote:
>
>> covering wp-content and wp-themes will make the life of an attacker much
>> harder.
>> there is a huge difference because those are guarantied to be there.
>
> You've made the mistake of believing that the attacker is an
> inquisitive person who cares whether his exploits succeed or not.
>
> The lack of a directory index is not going to stop an attacker trying
> to exploit a vulnerable script that may or may not exist on your
> server. They're going to try it regardless. They won't even care if
> you're attentive enough to notice their failed attempts in your logs.
>
> The problem is a server wide one and should be fixed at that level if
> you really care about it. Placing an index file in the directory only
> masks the problem for a single application.
>
> James
>



More information about the wp-hackers mailing list