Just found this wordpress penetration-testing tool – looks pretty handy, especially since it seems to have some follow-up tools to do stuff once you’ve gained access. Another one for the testing arsenal!
I’m a freelance coder, web-developer and general number-cruncher/bot-herder based in the UK. I mostly play blue team (defence) on linux/php/bash but also a little red-team (offense) as needed, though it’s not really my thing so more from a research/learning perspective.
*this page has grown quite a bit so will be split up into separate sections soon.
I don’t aim to have many clients but the clients I have I’m emotionally invested in and try to look after properly. I’ve been freelance since about 1999 and several of my clients have been with me over a decade, so hopefully that says something about the kind of relationships I’m trying to build.
If you’re reading this then it’s probably because I or someone I know has sent you here (or you like really obscure linux projects!).
I don’t really get much walk-in traffic so this site is mostly just because as a coder I ought to have a site, but it’s also ended up as somewhere for me to rant about bots, linux and random crypto stuff which most people don’t seem to care about but I do. Hence no hard-sell. If you want to know more, email me.
All of my work comes by recommendation and I’m still eating almost 20 years later so I guess I must be doing something right.
I tend to work with SMEs for a variety of reasons, but a big one is that my hours are somewhat…”flexible” (I tend to write code at night when it’s quiet), and it seems like nocturnal tendencies are better tolerated with smaller companies.
If things are going to work well with a client it needs to be a two-way relationship, and I’ve no hesitation in parting ways with clients where that isn’t forthcoming. I have a few joint ventures and ongoing commission projects which mean I’m lucky enough to be able to pretty much cherry-pick the projects I want to work on…which is great 🙂
I tend to stick to one client per niche to avoid conflicts of interest. There’s also a practical aspect to that, in that my aim is generally to demolish the competition so I can’t really have two “dogs” in any one particular “race” and actually give my best to both.
What I do:
It mostly tends to be web-related stuff on linux/wordpress and/or php or bash script, but generally it’s back-end/server centric stuff, making plugins and whatnot rather than just “building websites”.
I’ll leave specifics out for privacy but here’s a few examples of things I’ve made over the years, in no particular order:
software/plugins to integrate a digital asset management system with wordpress as a lead-generation/promotional tool to give additional value to the DAM-system’s clients (many of whom now have wordpress sites). Very interesting project, challenging and rewarding.
video-evidence handling software for domestic law enforcement (which also integrated with a DAM system). May still be in use, I “ghost” wrote the project a number of years back and never had direct contact with end-client so no means of knowing (old project).
a multi-user/group multi-streaming/chat platform for wordpress using only free/open-source components, which has the ability to record the video streams and then perform basic video editing on them, which is no mean feat since the video data in stream-recordings can be garbage in terms of keyframes and such. It uses nearline cloud storage (up to 10tb using google drive) for off-server archiving so you don’t need to pay through the nose for huge storage on your server and leverages google’s enormous processing power for bulk video processing/cleanup & management. From there google’s groups/sharing controls allow teams of people to work on organising or processing the archived data.
“The Zombie Fence [tm]” – which is basically a “defensive co-operative” of sorts to defend wordpress sites from automated bot attacks (unauthorised login attempts). Even slightly popular wordpress sites tend to be under constant siege from bots, though most people don’t seem to realise it (because they don’t look for it). I guess it’s the tradeoff for having an open-source platform. You might think “so what if someone’s failing to log in to my site – I’ve got strong passwords, they’re not getting in”…but! If someone’s generating 10k login attempts per hour that’s an extra 10k page-loads/cpu-cycles and ram which you’re having to dedicate to someone you don’t even want on your site, and that costs you performance and possibly even money. Obviously this problem is exacerbated on complex sites which have a lot of plugins. Some website hosts might even bill you for overage or restrict access if your site is generating excessive load, but at the very least that’s a malicious user using up cpu cycles and ram which you’d rather have dedicated to serving the visitors you DO want. The plugin is specifically written to activate as early in the wordpress page load as possible and hard-exit so that blocked page-loads use the absolute minimum of server resources. The system also includes functionality to provide ip-specific user-tracking (which google analytics still lacks and will probably never have) which is a massive help when debugging sales funnels, landing pages, or unusual visitor behaviour. Multiple sites on a server cooperate to protect each other from attackers and it includes “tripwire” protection for popularly attacked usernames. There’s also an optional “preauth” stage to function as a sort of “double-lock” mechanism for sites in particularly hostile niches or where somehow hiding usernames isn’t practical.
There’s also country-blocking by ip, detecting path traversal attempts and common exploits as well as basic “fingerprint” analysis of visitors’ behaviour to determine who’s human and who’s not, and then whether to let them in. There’s a set of configurable rules like a firewall so you can whitelist essential addresses. If a malicious user gets detected on one site, the other sites in the network also use that information and block the user too. This works surprisingly well and has been in service since about 2015 and is mostly transparent to the visitors (i.e. rather than having to actively engage visitors like captcha/recaptcha) to my hosted sites, and (so far) very rarely gets it wrong. It even works surprisingly well against distributed attacks (e.g. using proxychains + dictionary attacks). The system handles about 50k unauthorised access attempts per week and that’s just on my humble little servers. Sites can be individually configured to provide varying degrees of protection depending on the type of threats they’re encountering and can even be set up to redirect malicious traffic to specific urls – e.g. large file downloads or “reverse slow-loris attack” type throttled connections to jam up an attacker’s connections. This system is included in the price of (and is also required for) my wordpress hosting.
an image gallery plugin for wordpress which can handle large volumes of images. You can quickly and easily sort through and categorize thousands of images in a very short space of time, which is something I found to be lacking in all the other commercial gallery plugins I tried. They sorta worked ok for a few images but when you then dump 2000+ images in there the admin side of things tends to get rather laborious, so I wrote this plugin.
a dozen or so other misc wordpress plugins to just make using wordpress a bit easier/nicer.
much opsec for various client sites in hostile/high-risk niches who need to maintain a degree of anonymity/distance from a plethora of ill-wishers. I also do some general “routine poking around” my clients’ public info to see what private info might be accidentally public, and then help them remedy that to minimize chances of doxxing or using that info to pivot to a better attack vector.
performance tuning wordpress. I looove performance tuning anything, cars, motorbikes and yes even wordpress…it’s where the rubber meets the road with wordpress. Getting provable results on your google pagespeed or gt-metrix score can help improve page-speed metrics which in turn helps organic rankings and has other knock-on benefits, as well as just making your site more functional and pleasant to use.
split testing of sales funnels to optimise conversions – test everything, always be improving. It’s amazing how small details/changes can make a world of difference. Even tiny improvements to the conversion process are worth pursuing – if you’re paying £1k/mo for advertising, and are getting 1% conversions, just getting that up to 2% is like *boom* – instantly double your site revenue from here forward and quite often it’s little changes you wouldn’t think would make any difference…but it does. Conversion optimising is usually time and effort well spent.
basic penetration testing for wordpress and basic security audits on linux webservers. To defend against the type of attacks I’ve encountered on wordpress/linux I’ve had to learn to replicate those attacks, so whilst I wouldn’t claim to be a sophisticated attacker, most of my sites have been getting bombarded by bots non-stop for years, and learning how to replicate those attacks has given me quite a bit of insight, which I have been using to try and better defend my clients’ sites.
a raspberry pi-based kiosk system written in bash, with web-app which can control the whole thing from a smartphone.
a raspberry pi-based cctv system with minimal bandwidth usage for remote wifi cameras and multiple concurrent viewers, which automatically logs and archives footage, and cleans up old footage automatically. It can be run on a single machine or the components can be distributed across a number of linux machines. I wrote this system after we had people trying to break into my workshop and although we interrupted them, I didn’t have the presence of mind to remember to film them on my phone, so whilst we had live cctv views (which helped us spot them in the first place), there was no record of what had occurred. This system uses a few little bash scripts to mean you always have the last 7 days’ worth of footage so if there’s a security breach you have a record of what’s occurred. This same system has since been used to find neighbours’ missing cats, track down amazon-delivery-person antics and more. Has been in service a few years now with zero downtime. This system is free/open source and code & instructions on how to set it up can be found here
A raspberry pi-based print server written in bash. Use any old printer which windows no longer supports and end up with a system where you can drop a pdf in a “hot” folder, and it gets automatically printed. Often even smartphones/tablets can generate a pdf “printout” so it can be used from laptops as well as mobile devices. This project is free and setup/instructions can be found here
various little bash scripts which cover anything from automatically rotating vpn routing, to backups and archiving. Automate All The Things With Bash \o/
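To make the “Zombie Fence” mechanism above concrete (early activation, hard-exit, tripwire usernames and a blocklist shared between sites on the same host), here is an added illustration in PHP; it is not the author’s plugin code. It assumes it is installed as an mu-plugin (wp-content/mu-plugins/) so it runs before normal plugins and the theme; the ZF_BLOCKLIST path is a placeholder and the tripwire usernames are constructed examples.

```php
<?php
// Added illustration of the early-exit blocking pattern, not the author's
// Zombie Fence code. Assumes it lives in wp-content/mu-plugins/ so it runs
// before normal plugins and the theme. ZF_BLOCKLIST is a placeholder path;
// the tripwire usernames are constructed examples.
define('ZF_BLOCKLIST', '/var/lib/zombie-fence/blocked.txt');
define('ZF_TRIPWIRE_USERS', ['admin', 'administrator', 'test']);

function zf_is_blocked(string $ip, string $listfile): bool {
    // Shared, newline-separated IP list that every site on the host reads.
    if (!is_readable($listfile)) {
        return false;
    }
    $ips = file($listfile, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES);
    return in_array($ip, $ips, true);
}

function zf_add_to_blocklist(string $ip, string $listfile): void {
    // Exclusive lock so cooperating sites can append without clobbering each other.
    file_put_contents($listfile, $ip . PHP_EOL, FILE_APPEND | LOCK_EX);
}

function zf_is_tripwire_login(): bool {
    // A POST to wp-login.php naming a username no real user has ('log' is the
    // field name wp-login.php uses) is treated as a bot; no password check needed.
    if (($_SERVER['REQUEST_METHOD'] ?? '') !== 'POST'
        || strpos($_SERVER['SCRIPT_NAME'] ?? '', 'wp-login.php') === false) {
        return false;
    }
    $user = strtolower(trim($_POST['log'] ?? ''));
    return $user !== '' && in_array($user, ZF_TRIPWIRE_USERS, true);
}

function zf_deny(): void {
    // Hard exit before themes and plugins load: a blocked request costs almost nothing.
    http_response_code(403);
    header('Content-Type: text/plain');
    exit('Forbidden');
}

// REMOTE_ADDR is the only address the client cannot set directly; only trust
// X-Forwarded-For if a reverse proxy you control sets it.
$zf_ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
if (zf_is_blocked($zf_ip, ZF_BLOCKLIST)) {
    zf_deny();
}
if (zf_is_tripwire_login()) {
    zf_add_to_blocklist($zf_ip, ZF_BLOCKLIST);
    zf_deny();
}
```

The whitelist of essential addresses the text mentions would be a second list checked before zf_is_blocked so that your own monitoring or office IPs can never trip the wire.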
To me this is more than just building someone a site and letting them get on with it, which is an approach I never understood from surprisingly many (even apparently “reputable”) “web design companies” whose messes I’ve repeatedly had to clean up over the years. It’s such a short-term way of thinking and it baffles me how they stay in business.
I’m not a (wordpress) themer, so whilst I don’t mind hacking some stuff in a theme, extensive theming/modification isn’t my cup of tea for a variety of reasons, not least of which is security.
So I tend to work mostly within the framework provided by existing themes which get regularly maintained rather than setting up some hodge-podge which is likely to be full of vulnerabilities and rarely gets updated because nobody cares enough about security to allocate a theme maintenance budget, so is best avoided altogether imho.
Imho there’s more to this than just putting a site up. Usually if you’ve got a site you want to make money and that means the process has to take into account where you will be getting traffic from, right the way to after-sales support and upselling/follow-on-sales and *keeping* your hard-won customers. The system overall also needs to take into account any peculiarities of the clients’ niche and particular situation so it works for them, as securely as possible. I don’t quite know how come, but I seem to have a knack for looking at a sales process the way a visitor would and that lets me see the things which “trip up” a sale. Eliminate those sticking points and watch your ROI improve significantly.
I try to help my clients develop and grow their sites into a successful tool/business with *provable* ROI, and that often covers things like e-commerce, Adwords and marketing/social-media/seo strategy as well as building the actual site.
I run a few small servers and nowadays mostly work in wordpress, for which I’ve written a number of little plugins and addons to help expand functionality and also protect the sites I host (see defensive botnet above).
Nowadays much of my work is done quietly in the background (which is how I’ve come to like it) and yet other parts are confidential so you won’t see any details here, but by now I’ve been doing this over a decade and have “ghost”-written code for law enforcement as well as the odd blue-chip client here and there. Nowadays though I tend to focus mostly on my own projects and the few SME clients I keep.
If you’re interested in reasonably priced, managed wordpress hosting or other wordpress/IT-related problem-solving, then feel free to drop me an email at email@example.com.
As you can probably tell from my blog I am also interested in information security (particularly wordpress security), privacy etc as well as how those things can be (and are) misused, and I also enjoy tinkering with Linux and solving problems with scripting – particularly using Raspberry Pis (which I love!) 🙂
I am seeing this sort of activity every day and the scale has gone bonkers recently. One of my sites was seeing an attack with several thousand intrusion attempts per hour, but each from unique IPs. Each IP was only used once or twice at most. I had to turn off the blacklist email notifications from our bot filter so that I didn’t go through my monthly sending quota in a matter of hours.
Thankfully we’re still standing because it was relatively easy to make adjustments to our bot filtering system but still. yikes.
I realise this isn’t exactly news (given the date of the article) but this fight has been ongoing for a while now. Recently things seem to have escalated though as both defensive and offensive sides have been upping their game. WordPress security is now something you actually need to have a plan for or be prepared to become a casualty. Not if but when.
WordPress is great in so many ways, but its popularity makes it attractive as a botnet platform, as well as the bandwidth from the nice always-on servers vs compromised pcs, which tend to get switched off and have crappy upload speeds.
It’s so easy to get going with wordpress (by design) that it ensures the “botherders” have an almost endless source of potential zombies by way of folks who haven’t yet figured out that wordpress security is actually a thing.
Krebs was apparently taken down recently by a DDOS from IoT devices so imagine what you could do with a network of wordpress sites…
If you run a wordpress site and don’t run some sort of defences, the chances are you’re probably not monitoring login notifications either, which means that you’re not seeing the potentially thousands of intrusion attempts on your site that are happening all the time and at best occupying your server by making it load the page thousands of times for someone who’s trying to harm you.
So basically you won’t even know that anything’s going on until it’s already happened.