This week’s blog writing is brought to you by the Hacker that force-registered his way into my website as an admin. Security is a big thing I learned this week, as I’ve been spending some time rebuilding my webpage to make it more modern and responsive. The website started off as a simple HTML page that had things listed on it like the SSID of the Wi-Fi, the network password, a link to get to the music player and add music to the playlist from the person’s computer in the garage, and a list of commonly asked questions for which I ended up providing step-by-step instructions on things like “How to reset your PC”. This was in the beginning of the garage and I had little idea of what I was doing, so please don’t freak out too much over the Wi-Fi SSID and password I had publicly posted on an HTML webpage that also had no SSL or firewall set up, because that was all so trivial for me at the time. Things of course changed rather quickly when our Minecraft server on the garage LAN kept getting hacked and we all wondered why (as you can guess, no firewall was set up for that either).
Now things are set up a bit differently, but WordPress is still new to me. I’m assuming this hacker came in with his Hacker cape on and did a quick SQL injection to get a password to the database and all the listed members of the site. I remember doing this in my CEH (Computer Ethical Hacking) class and was blown away by how fast this was to do. Going through some tutorials, I’m finding that a MySQL installation no longer applies a password to the “ROOT” user and you have to manually put in an additional script to set the password for ROOT. As you can guess, the Hacker was able to do this because I had no password set for Root. During my installation I flew right through the setup process for the LAMP server and started setting up the website. My surprise was checking the usernames and not being able to make any changes, as my account’s password had been changed. Joke’s on me, I just got hacked!
Taking some time to perform some stellar hacking moves in the Linux file structure, I was able to do some hocus-pocus magic and have the password reset for account “1”, which is apparently the main account. This was a great learning experience for me, and afterwards I spent the next few hours locking down what I could and coming up with a plan to execute in rebuilding this WordPress instance. Of course there is no common sense in just rebuilding the same old site, so to make things better I’m going to see about setting this host up with a firewall to Docker, then build a virtual network in Docker to have the WordPress multisite hanging out within. I think this would be better anyway, and being behind a double firewall just seems a bit more secure, not to forget the UFW Linux firewall built into the operating system. Lastly, I need to figure out a “best practice” way to store usernames and passwords. Not really sure about that one, but when I figure it out I’ll be sure to post it, as it will be innovative for sure.