Security in Content Management Systems - WordPress

1. WordPress Vulnerabilities

  1. Common Vulnerabilities and Exposures (CVE)
  2. WPScan Vulnerability Database
  3. WordPress Security Category Archive
  4. Dxwsecurity

Repercussions of Using Outdated WordPress

Generating a zip file containing a backdoor file

WordPress displaying “Theme installed successfully”

Accessing the path revealed during installation

Compromised!

2. WordPress Security Issues & Threats

2.1 WordPress Release Archive

https://wordpress.org/download/release-archive/

2.2 WordPress Username Enumeration

2.3 Disabling User Registration When Unnecessary

2.4 Removing readme.html and install.php

3. WordPress Hardening Suggestions

3.1 Data Backups

3.2 Access Control

3.2.1 Two-Factor Authentication

  • Rublon Two-Factor Authentication
  • Two-Factor
  • Duo Two-Factor Authentication
  • Authy Two Factor Authentication

3.2.2 Passwords


3.3 Core Directories/Files

3.3.1 File Permissions

Directory: 755 (drwxr-xr-x)

Files: 644 (-rw-r--r--)

find /path/to/your/wordpress/install/ -type d -exec chmod 755 {} \;
find /path/to/your/wordpress/install/ -type f -exec chmod 644 {} \;

Refrain from setting any file or directory to 777!

3.3.2 WP-*

Restricting Access to the wp-admin Directory

  1. Use the Htpasswd Generator to create passwords for .htpasswd files.
  2. Transfer the generated text to the .htpasswd file.
  3. Place a .htaccess file in the /wp-admin/ directory with the following code:
# Replace the .htpasswd path and the username with your own values.
AuthName "Unauthorized access is prohibited."
AuthUserFile /path/to/.htpasswd
AuthGroupFile /dev/null
AuthType basic
require user your_username

Preventing General Site Visitors from Accessing /wp-admin/admin-ajax.php

Insert the following code into the .htaccess file.

<Files admin-ajax.php>
    Order allow,deny
    Allow from all
    Satisfy any
</Files>

Preventing General Site Visitors from Accessing WP-Includes

Add the following code to the .htaccess file.

# Block the include-only files.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]
# BEGIN WordPress

Note:

Position this code outside the # BEGIN WordPress and # END WordPress tags in the .htaccess file, as WordPress might overwrite anything within these tags.

WP-Content/Uploads

Insert the following code into the .htaccess file.

# Kill PHP Execution
<Files *.php>
deny from all
</Files>

WP-Config.php

Add the following code to the .htaccess file.

<files wp-config.php>
order allow,deny
deny from all
</files>

Disabling File Editing

Add the following two lines to the end of your wp-config.php file:

## Disable Editing in Dashboard
define('DISALLOW_FILE_EDIT', true);
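An added audit script (not from this page or any project it names) that checks an install tree against several of the items above at once: the 755/644 modes, the no-777 rule, PHP files under wp-content/uploads, the readme.html and install.php leftovers from section 2.4, and DISALLOW_FILE_EDIT in wp-config.php. It assumes the standard WordPress layout (install.php under wp-admin) and builds a constructed sample tree in a temporary directory, so every finding it reports comes from that sample, not a real site.

```python
import re
import tempfile
from pathlib import Path

EXPECTED_DIR_MODE, EXPECTED_FILE_MODE = 0o755, 0o644
LEFTOVER_FILES = ("readme.html", "wp-admin/install.php")  # section 2.4; standard layout assumed
DISALLOW_EDIT_RE = re.compile(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", re.I)

def audit_wordpress(root):
    """Return a sorted list of (relative_path, finding) tuples; an empty list means clean."""
    root, findings = Path(root), []
    for path in root.rglob("*"):
        if path.is_symlink():
            continue  # the link target is audited where it really lives
        mode = path.stat().st_mode & 0o777  # permission bits only
        expected = EXPECTED_DIR_MODE if path.is_dir() else EXPECTED_FILE_MODE
        rel = path.relative_to(root).as_posix()
        if mode & 0o002:  # other-write bit set: the 777 case the page warns against
            findings.append((rel, "world-writable (mode %o)" % mode))
        elif mode != expected:
            findings.append((rel, "mode %o, expected %o" % (mode, expected)))
    uploads = root / "wp-content" / "uploads"
    if uploads.is_dir():  # PHP here is what the "Kill PHP Execution" rule has to contain
        for php in uploads.rglob("*.php"):
            findings.append((php.relative_to(root).as_posix(), "PHP file inside uploads"))
    for leftover in LEFTOVER_FILES:
        if (root / leftover).exists():
            findings.append((leftover, "installer leftover still present"))
    config = root / "wp-config.php"
    if config.is_file() and not DISALLOW_EDIT_RE.search(config.read_text(errors="replace")):
        findings.append(("wp-config.php", "DISALLOW_FILE_EDIT not set to true"))
    return sorted(findings)

def build_sample_install(base):
    """Constructed sample tree with deliberate misconfigurations (not a real site)."""
    base = Path(base)
    dirs = ("wp-admin", "wp-includes", "wp-content", "wp-content/uploads", "wp-content/uploads/2023")
    files = ("index.php", "wp-config.php", "wp-admin/install.php", "wp-content/uploads/2023/stray.php")
    bad_modes = {"wp-includes": 0o777, "index.php": 0o664}  # everything else gets 755 / 644
    for rel in dirs:  # parents are listed before their children
        (base / rel).mkdir()
    for rel in files:
        (base / rel).write_text("<?php // constructed placeholder, no real code\n")
    for rel in dirs + files:  # explicit chmod so the umask cannot change the outcome
        (base / rel).chmod(bad_modes.get(rel, 0o755 if rel in dirs else 0o644))
    return base

def run_sample_audit():
    with tempfile.TemporaryDirectory() as tmp:
        return audit_wordpress(build_sample_install(tmp))
```

Run `audit_wordpress("/path/to/your/wordpress/install/")` against a real tree; `run_sample_audit()` only exercises the constructed sample.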

3.4 Security Plugins

  • Sucuri Security – Auditing, Malware Scanner and Security Hardening
  • Wordfence Security
  • iThemes Security
  • Loginizer
  • NinjaFirewall (WP Edition)

4. WordPress Security Guideline

  • OWASP Wordpress Security Implementation Guideline
  • Hardening WordPress
  • Wordpress Security Functions for paranoid folks

5. Checklist for Securing a WordPress Website 

Download the PDF:

https://www.wordfence.com/learn/wordpress-security-checklist/

6. Testing WordPress Security and Misconfiguration

6.1 WPScan: A Black Box WordPress Vulnerability Scanner

Executing All Enumeration Tools

root@kali:~# wpscan --url http:// --enumerate

6.2 Nikto

root@kali:~# nikto -h 


References:
Hardening WordPress
The WordPress Security Learning Center
Top Tips to Avert WordPress Hacks

WordPress Security News:

June 2018

Vulnerable WordPress Plugins Expose E-Commerce Websites to Hackers

Licensed under CC BY-NC-SA 4.0
Last updated on Oct 24, 2023 08:15 +0100