hack3rcon
Forum Replies Created
Forum: Fixing WordPress
In reply to: How to solve these security problems?
Thank you.
I did:
    Date: Tue, 31 Aug 2021 12:12:28 GMT
    Server: Apache
    X-Frame-Options: SAMEORIGIN
    Referrer-Policy: same-origin
    Feature-Policy: microphone 'none'; payment 'none'; sync-xhr 'self' https://ITJUSTANEXAMPLE.COM
    X-XSS-Protection: 1; mode=block
    Permissions-Policy: geolocation=();midi=();notifications=();push=();sync-xhr=();microphone=();camera=();magnetometer=();gyroscope=();speaker=(self);vibrate=();fullscreen=(self);payment=();
    Vary: Accept-Encoding
    Last-Modified: Thu, 18 Feb 2021 14:15:14 GMT
    ETag: "87ac-5bb9cf6df5853"
    Accept-Ranges: bytes
    Content-Length: 34732
    X-XSS-Protection: 1; mode=block
    X-Content-Type-Options: nosniff
    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
    Referrer-Policy: no-referrer-when-downgrade
    Content-Type: text/html; charset=UTF-8
    Content-Encoding: gzip
In your opinion, must I launch a reverse proxy server to solve those vulnerabilities?
I think my WordPress has some problems!!!
Forum: Fixing WordPress
In reply to: First page of WordPress website is messed up!
The files below don’t exist:
    "styles-rtl.css"
    "styles.css"
    "email-subscribers-public.css"
The files below existed:
    /var/www/wordpress/wp-content/upgrade/elementor.3.1.2-K0jYUN/elementor/assets/lib/font-awesome/css/font-awesome.min.css
    /var/www/wordpress/wp-content/upgrade/elementor.3.1.2-K0jYUN/elementor/assets/lib/eicons/css/elementor-icons.min.css
    /var/www/wordpress/wp-content/upgrade/elementor.3.1.2-K0jYUN/elementor/assets/lib/animations/animations.min.css
    /var/www/wordpress/wp-content/upgrade/elementor.3.1.2-K0jYUN/elementor/assets/css/frontend-legacy-rtl.min.css
    /var/www/wordpress/wp-content/plugins/elementor-pro/assets/css/frontend-rtl.min.css
    /var/www/wordpress/wp-content/plugins/elementor-pro/assets/css/templates/frontend-rtl.min.css
    /var/www/wordpress/wp-content/upgrade/elementor.3.1.2-K0jYUN/elementor/assets/css/templates/frontend-rtl.min.css
    /var/www/wordpress/wp-content/upgrade/elementor.3.1.2-K0jYUN/elementor/assets/css/frontend-rtl.min.css
    /var/www/wordpress/wp-content/upgrade/elementor.3.1.2-K0jYUN/elementor/assets/lib/font-awesome/css/all.min.css
    /var/www/wordpress/wp-content/upgrade/elementor.3.1.2-K0jYUN/elementor/assets/lib/font-awesome/css/v4-shims.min.css
Forum: Fixing WordPress
In reply to: First page of WordPress website is messed up!
I never modified or removed any file!!!
I just updated my WordPress and its plugins.
Can the Apache configuration below affect it:
    LoadModule deflate_module modules/mod_deflate.so
    AddOutputFilterByType DEFLATE text/plain
    AddOutputFilterByType DEFLATE text/html
    AddOutputFilterByType DEFLATE text/xml
    AddOutputFilterByType DEFLATE text/css
    AddOutputFilterByType DEFLATE application/xml
    AddOutputFilterByType DEFLATE application/xhtml+xml
    AddOutputFilterByType DEFLATE application/rss+xml
    AddOutputFilterByType DEFLATE application/javascript
    AddOutputFilterByType DEFLATE application/x-javascript
    <FilesMatch "\.(ico|pdf|flv|jpg|jpeg|png|gif|js|css|swf)$">
        Header set Cache-Control "max-age=63072000, public"
    </FilesMatch>
Forum: Fixing WordPress
In reply to: How to set the Content Security Policy?
Thank you so much.
I changed that line as below:
    Header set Content-Security-Policy-Report_uri "default-src 'self'; script-src 'self' 'unsafe-inline'; style-src 'self' 'unsafe-inline';"
And restarted my Apache service. How can I see the report?
I checked the Developer Tools of the Chromium browser:
Chromium
But the result of the https://securityheaders.com/ site has not changed!
Forum: Everything else WordPress
In reply to: WP-CLI show me “Warning: Could not create directory.”
I found the solution. It was because of “chmod()” and “mkdir” in the disable_functions in the “php.ini” file.
Forum: Everything else WordPress
In reply to: WP-CLI show me “Warning: Could not create directory.”
Hello,
I changed some PHP configuration as below:
    allow_url_fopen = Off
    allow_url_include = Off
    variables_order = "GPCS"
    allow_webdav_methods = Off
    session.gc_maxlifetime = 600
    file_uploads = On
    upload_tmp_dir = /tmp/
    upload_max_filesize = 2M
    max_file_uploads = 2
    enable_dl = Off
    disable_functions = system, exec, shell_exec, passthru, phpinfo, show_source, highlight_file, popen, proc_open, fopen_with_path, dbmopen, dbase_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename, filepro, filepro_rowcount, filepro_retrieve, posix_mkfifo
    # see also: http://ir.php.net/features.safe-mode
    disable_classes =
    session.name = myPHPSESSID
    session.auto_start = Off
    session.use_trans_sid = 0
    session.cookie_domain = full.qualified.domain.name
    session.use_strict_mode = 1
    session.use_cookies = 1
    session.use_only_cookies = 1
    session.cookie_lifetime = 14400
    session.cookie_secure = 1
    session.cookie_httponly = 1
    session.cookie_samesite = Strict
    session.cache_expire = 30
    session.sid_length = 256
    session.sid_bits_per_character = 6
    memory_limit = 50M
    post_max_size = 20M
    max_execution_time = 60
    report_memleaks = On
    track_errors = Off
    html_errors = Off
Is it related to these changes?
Thank you.
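A check for the situation in this thread, where the "disable_functions" directive in php.ini listed "mkdir" and "chmod": it reads the directive, reports which file-operation functions are disabled, and rebuilds the line with only the chosen ones re-enabled. This is an added example, not part of the original posts; the members of FILESYSTEM_FUNCTIONS other than mkdir and chmod, the helper names and the sample fragment are assumptions made for illustration.

```python
# Added example, not code from the forum thread.
# mkdir and chmod are the two functions named in the thread; the other
# entries are an assumption about what WordPress file operations call.
FILESYSTEM_FUNCTIONS = {"mkdir", "chmod", "rmdir", "rename", "move_uploaded_file"}

# Constructed sample: a shortened form of the directive quoted in the post.
SAMPLE_INI = """\
; constructed sample php.ini fragment
allow_url_fopen = Off
disable_functions = system, exec, shell_exec, passthru, popen, proc_open, putenv, move_uploaded_file, chdir, mkdir, rmdir, chmod, rename
disable_classes =
"""


def parse_disable_functions(ini_text):
    """Return the function names from the disable_functions directive, in order."""
    names = []
    for raw in ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank line or ini comment
            continue
        key, sep, value = line.partition("=")
        if not sep or key.strip().lower() != "disable_functions":
            continue
        value = value.split(";", 1)[0].strip().strip('"')  # drop inline comment, quotes
        # This parser keeps the last directive it sees if the key is repeated.
        names = [n.strip().lower() for n in value.split(",") if n.strip()]
    return names


def blocked_filesystem_functions(ini_text):
    """Disabled functions that file and directory operations depend on."""
    return sorted(set(parse_disable_functions(ini_text)) & FILESYSTEM_FUNCTIONS)


def relaxed_directive(ini_text, allow):
    """Rebuild the directive with only the functions in `allow` re-enabled."""
    kept = [n for n in parse_disable_functions(ini_text) if n not in allow]
    return "disable_functions = " + ", ".join(kept)


if __name__ == "__main__":
    print("blocked file functions:", blocked_filesystem_functions(SAMPLE_INI))
    # Re-enable only what directory creation needs; command execution stays blocked.
    print(relaxed_directive(SAMPLE_INI, {"mkdir", "chmod"}))
```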
Forum: Everything else WordPress
In reply to: A question about WP-CLI command.
Hello,
I added the above lines, but it asks me for the username and password for visiting the website and not just “wp-login.php”.
How can I solve it?
I guess that I shouldn’t add the above lines in the “.htpasswd” file under the WordPress directory!!!
Forum: Everything else WordPress
In reply to: A question about WP-CLI command.
Thank you.
I added another file with the command below:
# htpasswd -c /etc/httpd/.WPhtpasswd "Panel User"
In the root directory of the WordPress, a “.htpasswd” file existed and I added the lines below at the end of it:
    AuthType Digest
    AuthName "Password Protected"
    AuthDigestDomain /wp-login.php https://www.MyWebSite.com/wp-login.php
    AuthUserFile /etc/httpd/.WPhtpasswd
    Require valid-user
    Satisfy All
Then I restarted the Apache service and when I browse the WordPress admin dashboard, it asks me for the username and password, but it doesn’t work!!!
Can it be because I used the same username in “Panel User” for the phpMyAdmin and WordPress?
Forum: Everything else WordPress
In reply to: A question about WP-CLI command.
Thank you so much.
I am already using “htpasswd” for protecting “PhpMyAdmin”. Can I have two different “htpasswd” files? One for PhpMyAdmin and another for WordPress.
For “PhpMyAdmin” I did:
# htpasswd -c /etc/httpd/.htpasswd "Panel User"
Then, I created the “.htaccess” file within the “PhpMyAdmin” directory with the lines below:
    AuthType basic
    AuthName "Authentication Required"
    AuthUserFile /etc/httpd/.htpasswd
    Require valid-user
For WordPress can I use “.htpasswd2”?
Forum: Everything else WordPress
In reply to: A question about WP-CLI command.
Thank you.
Thus, it must be handled by Apache? If yes, then how can I change the lines below to set a password for the WordPress logging page?
    <Directory /usr/share/phpmyadmin>
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/httpd/.htpasswd
        Require valid-user
    </Directory>
Forum: Everything else WordPress
In reply to: A question about WP-CLI command.
Thanks, but I must explain more.
I know that for logging in to the WordPress admin dashboard, I must enter the username and password, but what I meant was to set a password for seeing that page. Something like: PhpMyAdmin
Set a username and password for the Login Interface.
Forum: Everything else WordPress
In reply to: A question about WP-CLI command.
Thank you, but what I meant was to set a password for seeing the WordPress admin page. For example, when I browse “https://mywebsite.com/wp-admin” then it asks me for a username and password and then shows the admin page.
About the second question, can I change “https://mywebsite.com/wp-admin” to “https://mywebsite.com/wproot” or…?
Forum: Fixing WordPress
In reply to: Why Directory Listing cannot be disabled?
OK.
Thank you.
Forum: Fixing WordPress
In reply to: Why Directory Listing cannot be disabled?
Thanks, but when I browse “https://MyDomain.net/wp-content/plugins” then I can see the content of the directory 🙁
Why?
Forum: Fixing WordPress
In reply to: How to fix these XSS Vulnerabilities?
Excuse me, what I meant was “XSS”.