Configuration of website extra security layer
Shiv Patel (143792)
Masters in information system Security management
Concordia University of Edmonton
spatel3@student.concordia.ab.ca
Abstract - Security vulnerabilities occur in most websites. The
quick, typical forms to build a website are prone to SQL injection
attacks, cross-site scripting attacks and brute force attacks and
other bugs that are less popular. Many tools for detecting or
minimizing the vulnerabilities of popular websites have created.
Existing strategies involve the construction of the web or are
vulnerable to false positives. This report provides a fully
automated way of identifying website weakness. It hardens the
Website by using WordPress plugins and Hardening from the
webserver domain by inserting an SSL Certificate and shifting
from Hypertext Transfer Protocol(HTTP) to the Hypertext
Transfer Protocol Secure (HTTPs) and Unable directory listings.
Keywords—SQL injection, Cross-site scripting, brute force,
vulnerabilities, SSL certificate.
I. INTRODUCTION
This report provides information now on how I to harden my
eCommerce Website. I have used A WordPress CMS for my
Website, and WordPress runs millions of websites over the
internet. And we hosted our Website over a Ubuntu web
server using Plugins provided by Cybera. Hardening the
Website means adding various layers of protection to reduce
the potential attack surface. Hardening also requires manual
computer enhancement steps or software adjustments. There
6 Common security flaws in most of the E-commerce sites,
i.e. SQL injection, buffer overflows, remote command
Execution, price Manipulation, cross-site scripting and Ddos
attack. It is less common for customers to use a website with
weaknesses or bad security irrespective of the product, as it
becomes much more comfortable and doesn't want its
information compromised or hacked and doesn't trust the
Website with its card details. In this report, I have done a
Security scan and then started handing my site by using
Plugins, migrating from http to https(SSL certification) and
by Hardening from the server-side. Such variations in the
layers are essential for understanding the actions of security
and for hardening the site.
II. METHODOLOGY
A. Analysis of Weakness of Ecommerce Website
Nessus: Nessus tests cover a wide range of
technology, from operating systems, network devices, high-
speed control machines, repositories and web servers. The
type o Exposure and Vulnerabilities Nessus will search for :
• Unauthorized access to sensitive data on a network could
have Vulnerabilities.
• Config Flaws Example: Open mail, Missing Patches etc.
• Standard password, common passwords and blank/lost
passwords for some system account.
• Nessus and run a Dictionary attack by calling Hydra; it's
a password cracking tool which includes Medusa and
john the ripper.
• Denials of service.
The Nessus scanner allows predetermined tests (for
example, host findings and malware detection) to be used. For
legitimate testing, the Nessus scanner itself is open source and
free to use.
1) System requirements for Nessus :
a) Windows 10
b) Nessus Vulnerability Scanner-Version 8.9.0-x64 for
Windows 10
link: https://www.tenable.com/downloads/nessus
2) Configuration of Nessus and Scanning :
After Installation, I started with the configuration of
Nessus. First, after installation its lets us select the product like
essential, professional, Nessus manager. I selected the Nessus
essential for the start. I had to give my email to get the
Activation code on my mail .after activation; I had to set a
login name and password for my Nessus. It took nearly 1/2 Hr
to install all plugins and components completely. next, I did
the Basic scan to my website by adding IPv6
address(2605:fd00:4:1001:f816:3eff:fe45:b015) in the target.
The next phase, Is for Scanning the Website for
Vulnerabilities testing in Advanced Scan mode. In advance,
Scan, I made a configuration to find out the Vulnerabilities.
the changes are as follows:
a) In discovery Subsection, I selected 'Host Discovery'
to Begin a network discovery search to see what hosts on your
Network, like IP, FQDN, operating systems and access ports,
if applicable.
b) Turn on remote Host Ping. This option allows
Nessus to decide if remote hosts are alive in several ports.
General configurations and ping methods show when setting
to On. and ensured "Test the local Nessus host "and "Use fast
network discovery" is enabled to use in the absence of a proxy
or load balancer to validate the response of a server, when a
ping response is responded by Nessus to avoid false positives.
The quick discovery of the Network bypasses these further
tests.
c) Select all ping methods (ARP, TCP, ICMP (Assume
...), UDP).
d) Confirm the boot period wait for five minutes under
"Wake-on-LAN."
e) Click on Port Scanning. Choose all choices under
"Local Port Enumerators."
f) Ensure that both "SYN" and "UDP" are chosen
under "Network Port Scanners."
g) In service discovery, under the general setting, make
sure all the options are selected.
h) In the "Assessment" section, Under the subheading
"General," you will confirm the "Perform thorough tests" and
"Override Normal Accuracy" choices. Confirm that the
"antivirus definition grace period" is 0 days.
i) Under Brute Force, make sure all options are
selected.
j) Confirm that this feature is disabled in the category
"Malware" Assessment while maintaining the current
category settings.
k) Continue with Report Subsection, ensuring all three
choices are chosen in the subsection "Processing." Confirm
"report as much information as possible" under "Override
normal verbosity."
After all this configuration, I saved the setting and started
scanning and found Flaws on the Website.
Fig 1. shows the advance scan of Vulnerabilities scan using
Nessus
B. Plugins to harden the Website of WordPress
All in One WP security plugin: The All in One WP
Security plugin is a free download and has many features,
including an advanced firewall and a Brute Force
authentication defense. It has a security scoring system. It
provides a particular security module from the Tips and Tricks
HQ.
It is a complete solution for your security concerns with
WordPress and a great way to protect your current WordPress
installations. To eliminate security risk by vulnerability
detection and the installation and introduction of the new
WordPress security practice and techniques suggested. All In
One WP Security also utilizes a unique grading system for
protection points to determine how well the protection
features that you installed to secure your Website.
After Installing and activating Plugin, we will harden the
site. First, we will change the Username other than admin
because admin is the default username, which is typical and
usual. Second, we will make sure that our password is more
secure so that it takes several years to crack by any attacks.
Thirdly we will configure "Login Lockdown Options." will
make a Maximum Login Attempts try to 3-4 times if anyone
Username or password fail attempts and Login Retry Time
Period to 5. Under User Registration, I Enable Manual
approval of New Registration and add
CAPTCHA(Completely Automated Public Turing Test ) and
add a honeypot on the registration page to add A layer of
protection in my site. Now next, I configured Database
Security Settings so that WordPress table prefix from "wp_"
to something robust so that SQL Injection can be avoided.
Further, I step up automatic Backup with a time interval of
1 week and no. of the backup file to one file. In Filesystem
Security settings, I disable PHP files Editing. Next, I configure
the blacklist Manager so that it can lock IP from Unauthorize
access. Further, enable Basic Firewall Protection and disable
Trace and track.
Fig 2. Shows the Captcha ask during login in the admin
account.
C. Enable firewall and allow trusted services through a
firewall
Ubuntu's primary firewall activation method is ufw. ufw is
a user-friendly way to create an IPv4 or IPv6 firewall designed
to facilitate the iptables firewall setup. ufw is not meant to
deliver the full functionality of the firewall through its control
interface, but instead provides a convenient way of adding or
deleting simple rules. It is used mainly for the host-based
firewall.
D. Migration of Web from HTML to HTMLs
A markup language that is being specifically designed for
the display of applications as websites on web browsers.
HTML is the same as other languages, which means the
structure syntax and layout of a document. HTML stands for
Hypertext Transfer Protocol, while HTMLs stands for
Hypertext Transfer Protocol Secure. IN HTML is data or
transmitted data is stolen, then it is easily readable to the
attacker while in HTMLs, it is Encrypted and secure with the
help of an SSL Certificate(SSL stands for Secure Socket
Layer).
Often, certificate providers such as DigiCert would
provide a validated and trusted SSL certificate at a fee. I have
applied the SSL features and not the certificate authentication
for this lab. So I created a self-signed certificate that is not
signed by any trusted certification authorities included in the
web browser so that I can not use this certificate to confirm
the identification of our application.
Fig 3. Show the DigiCert certification type with the price.
TLS/SSL works using a public certification and private
key. SSL process that converts plaintext to ciphertext. It seems
that the hackers have a junk text that decrypts it. An attacker
will need to have a private key. In SSL Certification, a public
key issued to encrypt the text and the Private key to decrypt
the Text. I created a self-signed key and certificate pair with
OpenSSL in a single command:
“openssl req -x509 -nodes -days 365 -newkey rsa:2048 -
keyout /etc/ssl/private/apache-selfsigned.key -out
/etc/ssl/certs/apache-selfsigned.crt”
a) Configuring Apache to Use SSL
As we Created key and certificate under the /etc/ssl
directory. I need to modify the apache to take the benefits of
the SSL certificate. Firstly I configured the snippet with secure
SSL Settings. Created a new snippet with then of ssl-
params.conf under /etc/apache2/conf-available folder and will
disable the HSTS.
b) Changing the Default Apache SSL Virtual Host File:
Today, all HTTP and encrypted HTTPS traffic are
supported on the site/browsers. For greater security, HTTP
should be automatically redirected to HTTPS. It can easily
bypass this segment by adding the following code line in
default “/etc/apache2/sites-available/000-default.conf ” file.
✓ Redirect permanent "/" “https://[ipaddress of ur
website]/”
In my Site I add the following to redirect to my Site:
✓ redirect permanent “/”
“http://[2605:fd00:4:1001:f816:3eff:fe45:b015]/”
c) Adjusting the Firewall:
Now, as I used the ufw firewall, To allow SSL traffic, I
needed to adjust the setting as Apache adds some profile
during installation. And to see the profile, I used the “ufw app
list” command. After I got to see the list, I add apache service
to the firewall by using the command “ufw allow ‘Apache
Full’ ”.To see the status of ufw, I used the ufw status
command.
d) Enabling the changes in Apache:
As I alter the setting of ufw, now I enable the SSL and
header modules in Apache, enable my SSL ready virtual host
and will restart apache my following commands:
✓ A2enmod ssl
✓ A2enmod header
✓ A2enmod default-ssl
✓ A2enmod ssl-params
A2enmod is a script to enable Apache services or modules.
After all, this was done, I needed to check that I didn’t
make any syntax error and to make sure I used the
“Apache2ctl configtest” command. After all the syntax is ok,
I restarted the apache.
e) Testing Encryption and the SSL certificate:
To see whether the certificate is supported. I tried
assessing my site by using https:// instead of http:// it askes to
whether proceed to unsafe site or not its because we have ass
an ssl certificate which we have created it's not by my
browser’s trusted certificate authorities.
Next, I tried accessing my site with http:// to see whether
it will redirect to https or not as I added a redirect command
in my configuration.
To check the certificate is served or not. I check it on the
Qualys ssl test method, to check I need proper DNS and IPv6
address. I get it from cybera under the metadata section of
instance. After I got the DNS, open up the following site in a
web browser: https://www.ssllabs.com/ssltest/index.html and
started scanning and got the report.
Fig 4. shows the scan of SSL certificate
E. Disable directory listing:
A web server feature that shows a collection of all the files
without an index file including index.php and default.asp is
the directory listing. For instance, by type in
"http:/www.example.com/incoming/" in your browser, you
can see everything in that directory when you create a folder
called "income." You don't need a password or anything.
To prevent accessing the file from the browser. In apache
has a function to disable it by running the command
“a2dismod autoindex”.
F. Upgrade php7.0 to php7.4 and removing info.php:
The reason behind upgrading PHP is to fix the bugs which
were found in the older version of PHP. Rater; I say to make
it security focus. And will be removing the Info.php my
running “rm info.php” command.
G. Ecommerce web application vulnerability test:
I must reassess the differences in control and direct
comparison before and after hardening and correction of
vulnerabilities after harnessing the e-commerce application
After the post-assessment, specific learning targets will be
accomplished because a clear safety benchmark is reached.
Analyze the Nessus Essentials ' vulnerability assessment
report by restarting the device.
III. CONCLUSION
My aim was to find the weaknesses in my website with
Nessus and to harden it with plugins and Self-signed
Certificates. I used the "All in One WP Security" plugin for
hardening the WordPress and implemented and self-signed
certificate by making changing the configuration of Apache
files. By comparing the scan result of website taken before and
after Hardening.by hardening my website it increased the
security and found less vulnerability come to its initial scan.
And by doing so I accomplished the objectives of my lab 2.
 IV. APPENDIX

Fig 9 shows the Change of Admin Username.

Fig 5. Shows the Updated version of PHP

Fig 6. Shows the firewall updates /configuration. Fig 10. Shows the final scan Results of Web Vulnerabilities.

Fig 7. Shows the logon lockdown settings

Fig 8.Show the Password strength.