Thread tagged as: Installation, Configuration, Hosting

How can we hide Perch from Google?

Given that the recent MarkItUp vulnerability seems to have been exploited by folks who were simply able to use Google to identify Perch users, is it possible to rename your app's parent directory as a security-by-obscurity measure? Or is there a way to externalize resources so that Google is not including CMS identifiers in its indexing?

Joel Davies

Joel Davies 0 points

  • 5 years ago
Rachel Andrew

Rachel Andrew 394 points
Perch Support

Yes, you can rename the Perch folder to anything you like.

I don't imagine Google was being used, however; it's likely the vulnerability was added to a script that targets lots of different CMS platforms with different issues. However, renaming the folder may well have given some protection.

If you do a Google search on /perch/resources/ you get a lot of index pages for the resources directories of many sites. My own was one of them. I'm thinking I should modify my .htaccess file to disallow indexing, but will that cause problems for Perch?

Drew McLellan

Drew McLellan 2638 points
Perch Support

No, it won't cause any problems with Perch.

The exploit has nothing to do with the ability to find results in Google. The vulnerability is being tested for by automated scripts that test sites for all sorts without knowledge of what they're actually running.

I don't think that's true. The line in my log files where the hacker arrived was:

91.236.116.102 - - [24/Nov/2015:18:30:46 +0000] "GET /perch/resources/ HTTP/1.1" 200 36211 "https://www.google.se/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/45.0.2454.101 Chrome/45.0.2454.101 Safari/537.36"

Each subsequent use of the file once it was uploaded had a number of seconds between times, suggesting this was a human being, not an automated script.

Rachel Andrew

Rachel Andrew 394 points
Perch Support

  1. Once an automated script has found a site then a human might then use the information resulting in the result you are seeing.

  2. Automated scripts are capable of adding a delay and looking like a browser. They do that in order to get round protection that most people have in place to block obvious bot activity. If something starts hammering a server with requests it is obviously not human traffic.

If you don't want a directory listing of resources, for example, then the simplest way to deal with that is to turn off Indexes. Here's the info for Apache: https://wiki.apache.org/httpd/DirectoryListings

In Perch you can also:

  • rename the Perch folder
  • store your resources somewhere other than 'resources'.

Well maybe - except the referrer showed google.se (you could fake this, but why would you bother?) and two out of my six Perch sites were attacked - when I ran the Google search for myself these were the two sites that were within the first 50 results.

But tomorrow (or yesterday?) someone else could run an automated script attack, so of course it is right that simply being hidden from Google isn't protection in itself. I'm certainly thinking that for future sites I might rename folders to avoid such possibilities. Even with a system generally as robust as Perch, it all helps.
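The log line quoted earlier and the back-and-forth about whether the visitor was a person or a script suggest a small defensive check a site owner can run over their own access log. The script below is an added example, not code from Perch or from anyone in this thread: it parses Apache combined-format lines, picks out requests into the admin folder (assumed here to be the default /perch/; adjust the prefix if you renamed it), flags search-engine referers, and reports the spacing between requests per source address. The sample log embeds the line quoted in the thread plus constructed entries using documentation-range addresses (198.51.100.x, 203.0.113.x). The pacing label is only a hint: a script can add delays and send a browser user-agent, so a "spaced" result does not prove a human was at the keyboard.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Apache "combined" format: host ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Assumption: the admin folder still has its default name. If you renamed it, put the new prefix here.
SENSITIVE_PREFIXES = ("/perch/",)
SEARCH_ENGINE_HOSTS = ("google.", "bing.", "duckduckgo.", "yandex.")

SAMPLE_LOG = [
    # The line quoted in the thread
    '91.236.116.102 - - [24/Nov/2015:18:30:46 +0000] "GET /perch/resources/ HTTP/1.1" 200 36211 "https://www.google.se/" "Mozilla/5.0 (X11; Linux i686) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/45.0.2454.101 Chrome/45.0.2454.101 Safari/537.36"',
    # Constructed: later visits from the same address, tens of seconds apart
    '91.236.116.102 - - [24/Nov/2015:18:31:09 +0000] "GET /perch/resources/ HTTP/1.1" 200 36211 "https://www.google.se/" "Mozilla/5.0 (X11; Linux i686)"',
    '91.236.116.102 - - [24/Nov/2015:18:31:52 +0000] "GET /perch/ HTTP/1.1" 200 1412 "-" "Mozilla/5.0 (X11; Linux i686)"',
    # Constructed: an ordinary page view that never touches the admin folder
    '198.51.100.23 - - [24/Nov/2015:18:32:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    # Constructed: scanner-style burst, no referer, requests within the same second
    '203.0.113.7 - - [24/Nov/2015:19:02:10 +0000] "GET /perch/resources/ HTTP/1.1" 404 512 "-" "python-requests/2.8"',
    '203.0.113.7 - - [24/Nov/2015:19:02:10 +0000] "GET /perch/ HTTP/1.1" 404 512 "-" "python-requests/2.8"',
    '203.0.113.7 - - [24/Nov/2015:19:02:11 +0000] "GET /perch/resources/ HTTP/1.1" 404 512 "-" "python-requests/2.8"',
]


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["time"] = datetime.strptime(entry["time"], TIME_FMT)
    entry["status"] = int(entry["status"])
    return entry


def from_search_engine(referer):
    """True if the referer hostname looks like a search engine ("-" means no referer)."""
    host = urlparse(referer).hostname or ""
    return any(part in host for part in SEARCH_ENGINE_HOSTS)


def sensitive_hits(lines):
    """Parsed entries whose path is inside a sensitive prefix, tagged with the referer check."""
    hits = []
    for line in lines:
        entry = parse_line(line)
        if entry and entry["path"].startswith(SENSITIVE_PREFIXES):
            entry["via_search"] = from_search_engine(entry["referer"])
            hits.append(entry)
    return hits


def request_gaps(entries):
    """Per source IP, whole seconds between consecutive requests in chronological order."""
    by_ip = defaultdict(list)
    for entry in entries:
        by_ip[entry["ip"]].append(entry["time"])
    gaps = {}
    for ip, times in by_ip.items():
        times.sort()
        gaps[ip] = [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
    return gaps


def classify_pacing(gaps, burst_threshold=2):
    """Heuristic from the thread: back-to-back requests look scripted, multi-second gaps look interactive.
    Only a hint either way, since a script can sleep between requests."""
    if not gaps:
        return "single"
    return "burst" if all(g < burst_threshold for g in gaps) else "spaced"


def report(lines):
    """Per source IP: sensitive-path request count, how many came via a search engine, and pacing."""
    hits = sensitive_hits(lines)
    gaps = request_gaps(hits)
    summary = {}
    for ip, ip_gaps in gaps.items():
        mine = [h for h in hits if h["ip"] == ip]
        summary[ip] = {
            "requests": len(mine),
            "via_search": sum(h["via_search"] for h in mine),
            "pacing": classify_pacing(ip_gaps),
        }
    return summary


if __name__ == "__main__":
    for ip, info in report(SAMPLE_LOG).items():
        print(ip, info)
```

Run it against a real access log by replacing SAMPLE_LOG with the file's lines. Addresses that reach the admin folder with a search-engine referer are the ones a directory-listing or noindex change would have kept out of the index; the pacing column just separates obvious bursts from visits spread over seconds, nothing more.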

Michael Wilkinson

Michael Wilkinson 6 points
Registered Developer

Hi Mallen

I would advise always renaming the directory names. We do it to throw people off when looking at the source in the browser (you can tell straight away a WordPress site when doing that, and accessing the login screen and guessing the password because a staggering amount of people don't change the default...it's amazing).

We change the database table prefix, the perch directory and always set up resource buckets to have the resources elsewhere. This not only helps with managing the files, but also means you can tell Google not to send its bots to the perch directory.

Nothing is 100% secure of course, but we can do a lot ourselves to minimise the risks. Thankfully, Perch allows us to do this so easily and also doesn't throw out a load of crap to the front end like WP does.