WordPress is a content management system. Its simple installation, the automatic set-up offered by many hosting providers, its open-source code base, the thousands of themes and plugins available for it, its support for many file types and the large amount of online documentation have made it widely used. It is used not only by individual bloggers but also by corporate firms.
WordPress's popularity has made it a focal point for attackers, who work hard to exploit WordPress vulnerabilities. One common tactic is to take paid WordPress plugins and themes, plant a backdoor in them and then offer these themes and plugins to users for free. When a website is built with these themes and plugins, the attackers can easily compromise it.
The main reasons a site built on WordPress gets compromised by attackers are as follows:
Let us emphasise in particular those that cannot be checked remotely unless you are given information about the environment. The first is the cybersecurity risk of shared hosting. Shared hosting services host the websites of many customers on one server. In fact, if you could move from the folder holding your website's files up to a higher directory, you would see the folders of every website on the server. A correctly configured server prevents you from seeing the other websites on the same server. If the server is not configured correctly, then when one of the websites on it is compromised, all the others can be compromised as well. Remember, in cybersecurity you are only as safe as the weakest link.
Another issue is the database configuration. You need to be careful if the database server holds data other than your website's (which is the case for most databases). If credentials with read access to the database are compromised (these could be root or the account of another website on the same server), your website's database is compromised too.
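The one part of the shared-hosting problem that is in your own hands is the permissions on your own files: if your web root is world-readable or world-writable, a compromised neighbour on the same server needs no server misconfiguration at all to read wp-config.php or drop files into your uploads folder. The script below is an added example, not code from the original article. It audits a web root for such permissions and tightens them, and it assumes the common shared-hosting setup where PHP runs as your own account, so "group" and "other" need no access; the fixture directory it creates is constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the original article): audit a WordPress web root for
# permissions that expose it to other accounts on a shared host, then tighten them.
# Assumption: PHP runs as the site owner's own account, so "other" needs no access.

# Print one line per risky path; return 1 if anything was found, 0 if clean.
audit_webroot_perms() {
    root="$1"
    report="$(
        # World-writable files or directories: any other tenant could plant code here.
        find "$root" ! -type l -perm -002 -print | sed 's/^/WORLD-WRITABLE /'
        # wp-config.php holds the database credentials and salts: never world-readable.
        find "$root" -type f -name wp-config.php -perm -004 -print | sed 's/^/WORLD-READABLE-SECRET /'
    )"
    [ -z "$report" ] && return 0
    printf '%s\n' "$report"
    return 1
}

# Directories 750, files 640, wp-config.php 600: owner (and group) only, never others.
harden_webroot_perms() {
    root="$1"
    find "$root" -type d -exec chmod 750 {} +
    find "$root" -type f -exec chmod 640 {} +
    [ -f "$root/wp-config.php" ] && chmod 600 "$root/wp-config.php"
    return 0
}

# Constructed fixture: a tiny web root with two classic mistakes
# (a 777 uploads directory and a world-readable wp-config.php).
make_fixture() {
    d="$(mktemp -d)"
    mkdir -p "$d/wp-content/uploads"
    chmod 777 "$d/wp-content/uploads"
    printf "<?php\ndefine( 'DB_PASSWORD', 'constructed-secret' );\n" > "$d/wp-config.php"
    chmod 644 "$d/wp-config.php"
    printf '%s\n' "$d"
}

# Stand-alone usage: audit, fix, audit again.
if [ "${1:-}" = "--demo" ]; then
    root="$(make_fixture)"
    audit_webroot_perms "$root" || true
    harden_webroot_perms "$root"
    audit_webroot_perms "$root" && echo "clean: $root"
fi
```

Run it with `--demo` to see the two findings on the fixture and the clean re-audit after hardening. If your host runs PHP as a separate web-server user rather than as your account, keep the group bits (directories 750 and files 640 with that user in your group) instead of going to 700/600.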
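The practical defence against the database problem is a per-site database account that can see only the site's own database, so that a leaked neighbour's credential or a shared "root" login does not also open yours. The script below is an added example and not code from the original article: it reads DB_NAME and DB_USER out of a wp-config.php, fails when the site runs as a superuser or shared account, and prints the SQL for an account scoped to that single database. The sample wp-config.php it writes is constructed, and the user name and `localhost` host are placeholders to adjust for your own server.

```shell
#!/bin/sh
# Added example (not from the original article): check which database account a
# WordPress site uses and print the SQL for an account scoped to that one database.
# Constants are read from wp-config.php; the sample config below is constructed,
# and 'localhost' / the user name are placeholders to adjust for your host.

# wp_config_value FILE CONSTANT: print the string value of define( 'CONSTANT', '...' ).
wp_config_value() {
    sed -n "s/^[[:space:]]*define([[:space:]]*['\"]$2['\"][[:space:]]*,[[:space:]]*['\"]\([^'\"]*\)['\"].*/\1/p" "$1"
}

# check_db_user FILE: fail if the site runs as root or another shared account.
# A leaked root (or neighbour's) credential can read every database on the server.
check_db_user() {
    user="$(wp_config_value "$1" DB_USER)"
    case "$user" in
        ""|root|admin|mysql)
            echo "FAIL: DB_USER is '${user:-empty}'; use a per-site account"
            return 1 ;;
    esac
    echo "OK: DB_USER is '$user'"
}

# least_privilege_grant FILE NEWUSER [HOST]: SQL granting NEWUSER rights on the
# site's database only. WordPress core updates run CREATE/ALTER TABLE, so the
# privilege list is kept broad while the scope is narrowed to one database.
least_privilege_grant() {
    db="$(wp_config_value "$1" DB_NAME)"
    user="$2"
    host="${3:-localhost}"
    printf "CREATE USER '%s'@'%s' IDENTIFIED BY '<strong random password>';\n" "$user" "$host"
    printf "GRANT ALL PRIVILEGES ON %s.* TO '%s'@'%s';\n" "$db" "$user" "$host"
    printf "FLUSH PRIVILEGES;\n"
}

# Constructed fixture: a minimal wp-config.php using the given DB_USER.
make_sample_wp_config() {
    f="$(mktemp)"
    cat > "$f" <<EOF
<?php
define( 'DB_NAME', 'site1_wp' );
define( 'DB_USER', '$1' );
define( 'DB_PASSWORD', 'constructed-secret' );
define( 'DB_HOST', 'localhost' );
EOF
    printf '%s\n' "$f"
}

# Stand-alone usage: a config that runs as root fails the check and gets the fix printed.
if [ "${1:-}" = "--demo" ]; then
    cfg="$(make_sample_wp_config root)"
    check_db_user "$cfg" || least_privilege_grant "$cfg" site1_wp
fi
```

After creating the scoped account, change DB_USER and DB_PASSWORD in wp-config.php to match and then revoke or remove the old shared credential; the check above is cheap enough to run from a cron job against every site on the host.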
Having discussed these two important attack vectors that cannot be checked remotely, it is time to talk about what we can do and our recommendations.
You can use our free online WordPress Vulnerability Control tool to check WordPress vulnerabilities easily. To do so, type your domain name in the form at the top of the page and start the scan.
Alternatively, you can check your site remotely with open-source tools such as wpscan or cmsscan. These tools give you a report of what an attacker probing your website would see.
wpscan --url https://securityforeveryone.com

[+] URL: https://securityforeveryone.com/ [127.0.0.1]
[+] Started: Sun Jun 7 18:34:17 2020

Interesting Finding(s):

[+] Headers
 | Interesting Entries:
 |  - Server: nginx
 |  - X-Powered-By: PHP/5.4.45
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: https://securityforeveryone.com/xmlrpc.php
 | Found By: Headers (Passive Detection)
 | Confidence: 100%
 | Confirmed By:
 |  - Link Tag (Passive Detection), 30% confidence
 |  - Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access

[+] https://securityforeveryone.com/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: https://securityforeveryone.com/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 2.3.3 identified (Insecure, released on 2008-02-05).
 | Found By: Rss Generator (Passive Detection)
 |  - https://securityforeveryone.com/?feed=rss2,
 |  - https://securityforeveryone.com/?feed=rss2, http://wordpress.org/?v=2.3.3

[+] WordPress theme in use: theme212
 | Location: https://securityforeveryone.com/wp-content/themes/theme212/
 | Style URL: https://securityforeveryone.com/wp-content/themes/theme212/style.css
 | Style Name: WordPress theme 212
 | Style URI: http://wordpress.org/
 | Description: A theme from Template-Help.com Collection...
 | Author: Template_Help.com
 | Author URI: http://www.Template-Help.com/
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.0 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - https://securityforeveryone.com/wp-content/themes/theme212/style.css, Match: 'Version: 2.0'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-gbcf
 | Location: https://securityforeveryone.com/wp-content/plugins/wp-gbcf/
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | The version could not be determined.
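A scan like the one above is most useful when it runs on a schedule and someone is told when a finding appears. The script below is an added example, not code from the original article or from the wpscan project: it condenses a saved wpscan text report (written with `wpscan --url <site> -o report.txt`) into FINDING and INFO lines and exits non-zero when action is needed. The fixture it writes is constructed from the lines of interest in the scan output above.

```shell
#!/bin/sh
# Added example (not from the original article): condense a saved wpscan text
# report into a pass/fail summary for a scheduled check. Save the report with
#   wpscan --url https://example.com -o report.txt
# The fixture below is constructed from the findings in the scan output above.

# wpscan_version REPORT: the WordPress version wpscan identified, if any.
wpscan_version() {
    sed -n 's/.*WordPress version \([0-9][0-9.]*\) identified.*/\1/p' "$1" | head -n 1
}

# wpscan_plugins REPORT: plugin slugs taken from "Location: .../wp-content/plugins/<slug>/".
wpscan_plugins() {
    sed -n 's#.*/wp-content/plugins/\([^/]*\)/.*#\1#p' "$1" | sort -u
}

# wpscan_triage REPORT: one FINDING line per item that needs action, INFO lines
# for plugins to review by hand; returns 1 if there is at least one FINDING.
wpscan_triage() {
    report="$1"
    findings=0
    if grep -q 'identified (Insecure' "$report"; then
        echo "FINDING core-outdated version=$(wpscan_version "$report")"
        findings=$((findings + 1))
    fi
    if grep -q 'XML-RPC seems to be enabled' "$report"; then
        echo "FINDING xmlrpc-enabled"       # login brute-force and pingback abuse surface
        findings=$((findings + 1))
    fi
    if grep -q '/readme.html' "$report"; then
        echo "FINDING readme-exposed"       # leaks the installed version
        findings=$((findings + 1))
    fi
    if grep -q 'external WP-Cron seems to be enabled' "$report"; then
        echo "FINDING wp-cron-external"     # consider DISABLE_WP_CRON plus a system cron
        findings=$((findings + 1))
    fi
    for slug in $(wpscan_plugins "$report"); do
        echo "INFO plugin=$slug (check its version and update status in wp-admin)"
    done
    [ "$findings" -eq 0 ]
}

# Constructed fixture: the lines of interest from the scan output shown above.
make_sample_report() {
    f="$(mktemp)"
    cat > "$f" <<'EOF'
[+] XML-RPC seems to be enabled: https://securityforeveryone.com/xmlrpc.php
 | Found By: Headers (Passive Detection)
[+] https://securityforeveryone.com/readme.html
 | Found By: Direct Access (Aggressive Detection)
[+] The external WP-Cron seems to be enabled: https://securityforeveryone.com/wp-cron.php
[+] WordPress version 2.3.3 identified (Insecure, released on 2008-02-05).
 | Found By: Rss Generator (Passive Detection)
[+] wp-gbcf
 | Location: https://securityforeveryone.com/wp-content/plugins/wp-gbcf/
 | The version could not be determined.
EOF
    printf '%s\n' "$f"
}

# Stand-alone usage: triage the fixture and flag that action is needed.
if [ "${1:-}" = "--demo" ]; then
    wpscan_triage "$(make_sample_report)" || echo "action needed"
fi
```

Because `wpscan_triage` returns non-zero on any FINDING, a cron entry such as `wpscan_triage report.txt || mail -s "wpscan findings" you@example.invalid` is enough to turn the scan into an alert; the INFO lines list plugins whose versions wpscan could not determine, which is exactly where a manual check in wp-admin pays off.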
Besides remote scanning software, you can check your security by installing WordPress security plugins. The most popular WordPress security plugins are:
Pay attention to the following items to keep your WordPress secure:
// wp-config.php: leave debugging off on a live site; notices and warnings can reveal file paths and database details
define( 'WP_DEBUG', false );
To disable XML-RPC access, you can add the following code to the functions.php file of your theme:
// Drop the X-Pingback header that advertises xmlrpc.php, then disable XML-RPC itself
function remove_x_pingback( $headers ) { unset( $headers['X-Pingback'] ); return $headers; }
add_filter( 'wp_headers', 'remove_x_pingback' );
add_filter( 'xmlrpc_enabled', '__return_false' );
To disable the REST API, you can add the following code to the functions.php file of your theme:
// Filters for WP-API version 1.x (the old json-rest-api plugin)
add_filter( 'json_enabled', '__return_false' );
add_filter( 'json_jsonp_enabled', '__return_false' );
// Filters for WP-API version 2.x
// Note: 'rest_enabled' has been deprecated since WordPress 4.7 and no longer switches the API off,
// and the block editor (WordPress 5.0+) depends on the REST API, so test the admin after applying this
add_filter( 'rest_enabled', '__return_false' );
add_filter( 'rest_jsonp_enabled', '__return_false' );