How to get started with Wordpress Security?

Everyone loves security testing, but many find it hard to start and keep asking the question “Where should I start?”. Experts may make it sound difficult to even begin practising, but I have good news: below are security tests you can start doing right away (after you finish reading this). Be aware that this is specific to WordPress security testing; anyone with a security researcher/ethical hacker mindset can apply the same techniques to other web platforms with little or no modification of the tests.

Well, now that you have some grounding in WordPress, let's get to the creamy layer of WordPress security.

TEST #1

Keeping the WordPress platform up to date with new versions improves your security, because the WordPress team is always working on strengthening some aspect of WordPress security in each release.

In short, make sure you are running the current WordPress version at any given date.

As a security tester, you can find a bug by discovering the WordPress version used by a company's website or blog in the following ways.

Once you find the version number, compare it with the current version released by WordPress. If it is older than the current version, report it directly in the bug tracker. Voila!

Tip 2: Let's say the readme.html and license.txt files were removed by the developers (I like such developers) before publishing WordPress on their server. The other way to scout for the WordPress version is the WordPress page source on the client side.

Right-click in your web browser, choose View Source and search for: <meta name="generator"

A snapshot of the version number in the page source looks like this:

The fix: remove the generator meta tag from the page source, and also delete the readme.html and license.txt files from the web server.

TEST #2

Finding the usernames that exist on the WordPress platform. When a company creates a blog or website, it creates various user accounts, which may include administrators, subscribers, authors, moderators and so on. One way to learn a username is to look at the blog post metadata, where the author name is revealed. Often the username itself is displayed as the author name, unless “Display Name” has been set to the “Nickname”, so that hackers do not learn the username (which could belong to an administrator role).

That's one way to find it. Nevertheless, let's say we cannot get the real username because the developer fixed that by showing the nickname in the blog post details. It may be a disappointment, but hackers don't stop there. The next test is finding the usernames on the platform in the following ways,

On a successful find of the username, you will see a URL as follows (if the attack worked). (I typed tuppad.com/blog/?author=1 and then found the username “admin”.)

Why is this a security bug? In the security world, this is called an “enumeration attack”. Once the hacker has found a valid username, they go to the wp-login.php or /wp-admin form, use the identified username and try brute-forcing the password by guessing, or with automated tools or custom scripts.

TEST #3

Lock your directories and forbid access to malicious users

If you are a developer or tester who has looked at web server settings, you may have come across something called “Directory listing” or “Directory browsing” (the name varies with the control panel you use).

In simple words, let me explain!

Let's say a hotel whose website is built on WordPress uploads all its invoices and important (confidential) documents with administrator privileges after logging into the WordPress admin panel. Whenever they upload, they assume that because the uploaded file link is not displayed anywhere on the website, the file is merely stored on their server. By default, all uploads made from the WordPress admin panel go to the /wp-content/uploads/ directory.

The test you can perform is to request /wp-content/uploads and see whether the server shows the directory structure, or returns 404 (not found) or 403 (forbidden). Personally, in my experience, I have come across more companies turning directory listing off on their web server.

Snapshot of what the directory listing vulnerability looks like:

TEST #4

Change the default database table prefix to something else. As WordPress is open source, everyone (including hackers) knows the default table structure.

How to do it?

Ah, one more important thing here. If you use the first way mentioned above, also check that your wp-config.php file has the updated prefix value. Otherwise, your WordPress blog or website may stop working because it fails to make a database connection.

TEST #5

Two-factor authentication and .htaccess can add more layers to your WordPress security

With .htaccess, one has to authenticate before the login form (that is, /wp-admin or /wp-login.php) is even shown. If someone (possibly a black-hat hacker) enters incorrect credentials, the login form for the admin or any other user role is not displayed. Brute force can be applied at the .htaccess level as well, but this layer helps to deter malicious users from proceeding to the login form, as it feels far more challenging than just brute-forcing the login form and then BOOM.

Another tip is to whitelist the IP addresses or IP address ranges that may access the administrator login form. All other IP addresses, outside the range or not matching exactly, are forbidden from accessing the login form. Beautiful, isn't it?
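As an added example (not from the original post), here is an .htaccess for the WordPress web root on Apache 2.4 that puts the fixes from Tests #1, #2, #3 and #5 together: it denies the version-revealing files, turns off directory indexes, neutralises the ?author=N redirect, and puts HTTP basic authentication plus an IP whitelist in front of wp-login.php. The .htpasswd path, the realm name and the IP ranges are assumptions to replace with your own.

```apache
# Added example, not the original post's code. Needs AllowOverride All (or at
# least FileInfo, Options, AuthConfig, Limit) for this directory.

# Test #1: the files that leak the version. The generator <meta> tag is
# produced by WordPress itself and cannot be removed from here.
<FilesMatch "^(readme\.html|license\.txt)$">
    Require all denied
</FilesMatch>

# Test #3: never render a directory index, e.g. for /wp-content/uploads/
Options -Indexes

# Test #2: a request like /?author=1 would 301 to /author/<username>/.
# Send it to the home page with the query string dropped (trailing "?").
# wp-admin is exempted because the admin UI filters posts with ?author=N.
<IfModule mod_rewrite.c>
    RewriteEngine On
    RewriteBase /
    RewriteCond %{REQUEST_URI} !^/wp-admin/ [NC]
    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^ /? [L,R=301]
</IfModule>

# Test #5: a second login in front of the WordPress login form, and only
# from whitelisted addresses. Both conditions must hold (RequireAll).
# /wp-admin/ needs its own .htaccess with the same idea, but admin-ajax.php
# must stay reachable because front-end features call it.
<Files wp-login.php>
    AuthType Basic
    AuthName "Restricted area"
    AuthUserFile /srv/example.com/.htpasswd   # assumption: outside the web root
    <RequireAll>
        Require valid-user
        Require ip 203.0.113.0/24 198.51.100.17   # assumption: office range + VPN
    </RequireAll>
</Files>
```

The generator meta tag is emitted by WordPress, not the web server, so it is removed on the PHP side, for example with remove_action('wp_head', 'wp_generator') in the theme or a plugin. Basic authentication sends the password base64-encoded, so serve wp-login.php over HTTPS only.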

Wrapping it up

Please leave a comment if you would like more articles like this, and also share feedback that can help me and other readers. And do not forget to share the love with the world by sharing this on social media.
