Forum Replies Created

Viewing 9 replies - 16 through 24 (of 24 total)
  • The main problem with that WordPress import routine is that it simply does not work unless you have 3 or 4 posts. Try it with 10,000 posts. Try it with 900,000 posts, as I have been trying for a week.

    Thread Starter HairyPotter

    (@hairypotter)

    The attacker was able to make posts. Thousands! In fact, posts and comments. I had to rename the PHP files in order to stop him. That was the only way to stop him. Nothing appeared to stop him. He posted with total ease. He used some sort of script to run specific files of the WP installation, in order to post.

    I am the only one allowed to post. Nobody has authorization or even logins/passwords, just me, and I never disclosed them to anyone.

    Amazing!

    Thread Starter HairyPotter

    (@hairypotter)

    Ah, just to complement…
    Like in war, obscurity is not security, I agree.
    Obscurity is camouflage!

    Thread Starter HairyPotter

    (@hairypotter)

    Viper007Bond, unfortunately you are wrong in everything you said.

    You are assuming that I use easy words, but I can use any word in any language. Will you guess a word in French or German? And if I name the file as “xT12314lsd23.php” how will you discover it? Guessing?

    The other point is that you are assuming that every cracker is an expert. 99% of those guys invading sites are complete morons who follow a recipe: 1) google for some site using WP 2) use the file xyz.php and do bla bla bla…

    If you make your site invisible (not common) to Google, how will they discover it? It’s like a car alarm. The alarm will not stop a pro, but will stop 99% of the morons.

    You are wrong again when you said I am new to the web development world. I have been developing for the web since 1996 and in PHP since 2000. I never had a site invaded before using WordPress, due to the fact that I never name any of my directories and files using English words or obvious words in any language (too many crackers speak English, so this is the language they will try).

    Another common error I never make is to show detailed error messages, the kind of messages that can guide the cracker. For example, if you put up a login screen where one has to fill in username and password, you can have 2 situations: unknown username or wrong password. If you show an error message saying: WRONG PASSWORD, the cracker will know he has a correct username.

    Things like that make the difference.

    My cracked site was written in French and Portuguese. The cracker was located in the USA. Do you think the site was cracked by an American who knows French and Portuguese? No. I will tell you: the site was googled by the words PROUDLY POWERED BY WORDPRESS (I have a log entry with the cracker’s IP and that string googled) and the guy knew the files to crack, due to the fact they had the original names.

    I agree that the modifications I suggested would be difficult to implement in the first phase, because much code would have to be rewritten, but it will make crackers’ lives hard.

    I am not expecting anyone to accept the ideas I presented. Those were just my ideas. I think they can help.

    thanks.
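
Added example, not part of the forum post above: a login check that gives the two distinguishable failure messages described in that post, next to one that gives a single message and does the same hashing work for unknown usernames. The account store, function names and messages are constructed for illustration, and Python is used only to keep the sketch runnable on its own.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor chosen for this example


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_user(password):
    """Return (salt, hash) for a new account record."""
    salt = os.urandom(16)
    return salt, _hash(password, salt)


# Constructed sample account store: username -> (salt, password hash)
USERS = {"admin": make_user("correct horse battery staple")}

# Dummy record so an unknown username costs the same hashing work as a real one
_DUMMY_SALT, _DUMMY_HASH = make_user("placeholder-never-matches")

GENERIC_ERROR = "Invalid username or password"


def login_leaky(username, password):
    """Two distinguishable failures: the response confirms valid usernames."""
    if username not in USERS:
        return "UNKNOWN USERNAME"
    salt, stored = USERS[username]
    if not hmac.compare_digest(_hash(password, salt), stored):
        return "WRONG PASSWORD"
    return "OK"


def login_uniform(username, password):
    """Same message and same hashing work whether or not the user exists."""
    salt, stored = USERS.get(username, (_DUMMY_SALT, _DUMMY_HASH))
    matches = hmac.compare_digest(_hash(password, salt), stored)
    if matches and username in USERS:
        return "OK"
    return GENERIC_ERROR


def failure_messages(login, usernames):
    """Audit check: distinct failure responses; more than one means a leak."""
    return {login(name, "definitely-wrong-password") for name in usernames}
```

Running `failure_messages` against a login handler with one known and one unknown username is a quick regression check that the failure path stays uniform.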

    Thread Starter HairyPotter

    (@hairypotter)

    Thanks to all those who understood and tried to accept and consider the ideas I posted. I also agree that the stupid ones are those who always accept the former opinions and knowledge and never offer their own position, standing as heretics after the Inquisition… (I am dramatic today… someone listening to violins out there?)…

    So, let’s start modifying all stuff…

    Thread Starter HairyPotter

    (@hairypotter)

    I would like not to integrate both. I would like to get rid of SMF and copy all posts on SMF as posts on WP.

    Thread Starter HairyPotter

    (@hairypotter)

    What concerns? Have you read what I said? I said get rid of all words, phrases, etc., that could identify a WP installation. That’s it. Better this way than the present way. My blog was invaded by someone who found it through Google. I have traced the guy in my logs and he first googled for WordPress, found my blog and posted 720 thousand sex-casino-viagra cr*p!
    /&%/#%!

    Thread Starter HairyPotter

    (@hairypotter)

    Come on, boys…

    Database name, username and pass would be in index.php.
    Why use a unique name like wp-config.php if one can use a generic name like index.php? As I said, just one file cannot be renamed, index.php, and index.php can be anything. The idea is to mask all occurrences of the name WORDPRESS and replace them with images with different names.

    Thread Starter HairyPotter

    (@hairypotter)

    There’s no reason why wp-config.php cannot have another name. Everything can be in a database. The only file with the same name will be index.php, but this can be anything and a loser cannot search in Google for index.php in order to find WP installations.

    The only thing that guarantees a successful search in Google is a constant and unique name, like wp-config.php. If one can rename that to xyz.php, it will be invisible in Google.
