CMS Security - WordPress
1. WordPress Vulnerabilities
- Common Vulnerabilities and Exposures (CVE) *
- WPScan Vulnerability Database *
- WordPress Security Category Archive *
- Dxwsecurity *
Consequences of using Outdated WordPress
- Create a zip file which consists of a backdoor file
- WordPress shows "Theme installed successfully"
- Navigate to the path disclosed during the installation
- Pwned!
2. WordPress Security Issues & Threats
2.1 WordPress Release Archive
https://wordpress.org/download/release-archive/
2.2 WordPress Username Enumeration *
2.3 Disable User Registration If Not Needed
2.4 Delete readme.html and install.php
3. WordPress Hardening Recommendations
3.1 Data Backups
3.2 Access Control
3.2.1 2 Factor Authentication
- Rublon Two-Factor Authentication
- Two-Factor
- Duo Two-Factor Authentication
- Authy Two Factor Authentication
3.2.2 Password
3.3 Core Directories/Files
3.3.1 File Permission
Directory: 755 (drwxr-xr-x)
Files: 644 (-rw-r--r--)
find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;
Avoid having any file or directory set to 777!
3.3.2 WP-* *
Restrict Access to wp-admin Directory
- Create passwords for .htpasswd files using Htpasswd Generator
- Copy the text generated into .htpasswd file
- Create a .htaccess file in the /wp-admin/ directory with the following code
Prevents normal site visitors from accessing /wp-admin/admin-ajax.php
Add the following to the .htaccess file.
<Files admin-ajax.php>
Order allow,deny
Allow from all
Satisfy any
</Files>
Prevents normal site visitors from accessing WP-Includes
Add the following to the .htaccess file.
# Block the include-only files.
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
</IfModule>
# BEGIN WordPress
Note:
Place it outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file.
WordPress can overwrite anything between these tags.
WP-Content/Uploads
Add the following to the .htaccess file.
# Kill PHP Execution
<Files ~ "\.ph(?:p[345]?|t|tml)$">
deny from all
</Files>
WP-Config.php
Add the following to the .htaccess file.
<files wp-config.php>
order allow,deny
deny from all
</files>
Disable File Editing
Append the following two lines to the end of your wp-config.php file
## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
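The checks from sections 2.4 and 3.3 (leftover readme.html/install.php, 755/644 permissions with nothing world-writable, a PHP deny rule in wp-content/uploads, and DISALLOW_FILE_EDIT in wp-config.php) can be verified with a small audit script. The following is an added example, not code from the page or from WordPress; it builds a constructed sample install in a temporary directory and reports which of these hardening points are missing.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

def build_sample_install():
    """Constructed sample tree (not a real site) with several of the issues this page lists."""
    root = Path(tempfile.mkdtemp())
    uploads = root / "wp-content" / "uploads"
    uploads.mkdir(parents=True)
    (root / "readme.html").write_text("WordPress 4.9\n")              # 2.4: discloses the version
    (root / "wp-config.php").write_text("<?php\ndefine('DB_NAME', 'wp');\n")  # no DISALLOW_FILE_EDIT
    (uploads / "shell.php").write_text("<?php\n")                      # PHP left executable in uploads
    for p in root.rglob("*"):                                          # 3.3.1 baseline: 755 / 644
        os.chmod(p, 0o755 if p.is_dir() else 0o644)
    os.chmod(uploads, 0o777)                                           # the mode the page warns against
    return root

def audit_wordpress(root):
    """Return a list of findings for the hardening points in sections 2.4 and 3.3."""
    root = Path(root)
    findings = []
    for name in ("readme.html", "wp-admin/install.php"):               # 2.4
        if (root / name).exists():
            findings.append(f"leftover file: {name}")
    for p in root.rglob("*"):                                          # 3.3.1
        mode = stat.S_IMODE(p.lstat().st_mode)
        rel = p.relative_to(root)
        if mode & stat.S_IWOTH:
            findings.append(f"world-writable ({mode:o}): {rel}")
        elif mode != (0o755 if p.is_dir() else 0o644):
            findings.append(f"unexpected mode ({mode:o}): {rel}")
    uploads = root / "wp-content" / "uploads"                          # 3.3.2 uploads: kill PHP
    htaccess = uploads / ".htaccess"
    php_blocked = htaccess.is_file() and "deny from all" in htaccess.read_text().lower()
    if not php_blocked:
        for p in uploads.rglob("*.php"):
            findings.append(f"PHP executable in uploads (no deny rule): {p.relative_to(root)}")
    config = root / "wp-config.php"                                    # 3.3.2 disable file editing
    pattern = r"define\(\s*'DISALLOW_FILE_EDIT'\s*,\s*true\s*\)"
    if config.is_file() and not re.search(pattern, config.read_text()):
        findings.append("DISALLOW_FILE_EDIT not set in wp-config.php")
    return findings

if __name__ == "__main__":
    for finding in audit_wordpress(build_sample_install()):
        print(finding)
```

Point audit_wordpress() at a real document root to get the same report for an actual install; the mode checks assume a Unix filesystem.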
3.4 Security Plugins
- Sucuri Security – Auditing, Malware Scanner and Security Hardening *
- Wordfence Security *
- iThemes Security *
- Loginizer *
- NinjaFirewall (WP Edition) *
4. WordPress Security Guideline
- OWASP Wordpress Security Implementation Guideline *
- Hardening WordPress *
- Wordpress Security Functions for paranoid folks *
5. Checklist – How to Secure Your WordPress Website
6. Testing WordPress Security and Misconfiguration
6.1 WPScan - black box WordPress vulnerability scanner *
Run all enumeration tools
root@kali:~# wpscan --url http:// --enumerate
6.2 Nikto *
root@kali:~# nikto -h <target_url>
References:
Hardening WordPress *
The WordPress Security Learning Center *
Top tips to prevent a WordPress hack *