WordPress
26/10/2021

Most of the institutional websites delivered to Hardsecure for testing run WordPress as their CMS (content management system), largely because it is the simplest and most popular way to create a website or blog, powering 42% of all websites on the internet. Even if you are not a developer, you can easily customise your site with the vast ecosystem of WordPress themes and plugins.

In the section below, we list some of the most common vulnerabilities encountered during pentests.

COMMON VULNERABILITIES:

Brute Force Attacks, which involve a trial-and-error approach using hundreds of username and password combinations to guess the correct credentials.

Cross-Site Scripting, also known as XSS. In this type of attack, the attacker injects malicious JavaScript code that, when loaded on the client side, starts collecting data and possibly redirects the victim to other malicious websites.

Outdated WordPress core and plugins are more likely to be affected by a security threat. Over time, attackers find ways to exploit the core and ultimately carry out attacks on sites that still run outdated versions.

User Enumeration is a way to fetch user data from your website. These three enumeration techniques are a very fast way to identify the users of a WordPress site: the JSON API, the login form and author archives.

Malware is malicious code injected into themes, outdated plugins or scripts that extracts data from the website or inserts malicious content.

DoS/DDoS: a DoS is performed from a single source, while a DDoS is an organised attack performed by multiple machines around the world.

HARDENING FRAMEWORK
Security must be something recurrent! You can run into serious problems as soon as you stop checking your website's security. In this chapter, we'll talk about the main measures to protect your WordPress or other CMS. The first measure refers to strong passwords, two-factor authentication and how often we change our passwords. These are three easy tips you should apply day to day.

The second measure focuses on updates. These aren't always related to new features; they may contain essential security and stability fixes. In WordPress, we have to pay attention to plugins, themes and PHP, where each version has 2 years of support.

If your site has several users, it is not recommended to make everyone an administrator. Changing the login path, likewise, won't solve all problems, but it can help against bots and/or scripts. Blocking URL paths such as the login page with the help of a WAF is a good step to keep unknown IPs out.

The most important file is wp-config.php: you can move this file, update the WordPress security keys to improve encryption, change permissions on these files, disable XML-RPC, hide the WordPress version (the less people know about your WordPress site setup, the better), and add security headers such as:
Content-Security-Policy
X-XSS-Protection
Strict-Transport-Security
X-Frame-Options
Public-Key-Pins
X-Content-Type-Options

Use security plugins like iThemes Security and/or Wordfence Security, and don't forget to always use secure connections (HTTPS, SFTP).
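Several of the measures above (disabling XML-RPC, hiding the version, closing the JSON API and author-archive enumeration paths, sending security headers) can be applied in one place with a must-use plugin. The file below is an added example, not code from the original post or from Hardsecure; it assumes a standard WordPress install where files in wp-content/mu-plugins/ are loaded automatically, and it leaves out X-XSS-Protection and Public-Key-Pins from the list above because current browsers no longer honour them.

```php
<?php
/**
 * Plugin Name: WordPress hardening (added example)
 * Description: Must-use plugin applying several measures from this post.
 * Install: copy to wp-content/mu-plugins/hardening.php (mu-plugins load
 * automatically and cannot be deactivated from the dashboard).
 */

// Refuse to run outside WordPress (direct request to the file).
defined('ABSPATH') || exit;

// 1. Disable XML-RPC: the endpoint is a common target for credential guessing.
add_filter('xmlrpc_enabled', '__return_false');

// 2. Hide the WordPress version: drop the <meta name="generator"> tag and the
//    generator string used in feeds.
remove_action('wp_head', 'wp_generator');
add_filter('the_generator', '__return_empty_string');

// 3. User enumeration: hide the public REST users endpoint from anonymous
//    visitors and stop /?author=N from redirecting to /author/<login>/.
add_filter('rest_endpoints', function (array $endpoints): array {
    if (!is_user_logged_in()) {
        unset($endpoints['/wp/v2/users'], $endpoints['/wp/v2/users/(?P<id>[\d]+)']);
    }
    return $endpoints;
});
// Priority 1 so this runs before WordPress's own canonical redirect.
add_action('template_redirect', function (): void {
    if (!is_admin() && isset($_GET['author'])) {
        wp_safe_redirect(home_url('/'), 301);
        exit;
    }
}, 1);

// 4. Security headers on front-end responses (the wp_headers filter is applied
//    by WP::send_headers()). Values here are a sensible starting point, not a
//    one-size-fits-all policy; CSP is sent report-only first so that a theme or
//    plugin that breaks under it is noticed in the reports before enforcing.
add_filter('wp_headers', function (array $headers): array {
    $headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains';
    $headers['X-Frame-Options']           = 'SAMEORIGIN';
    $headers['X-Content-Type-Options']    = 'nosniff';
    $headers['Referrer-Policy']           = 'strict-origin-when-cross-origin';
    $headers['Content-Security-Policy-Report-Only'] =
        "default-src 'self'; img-src 'self' data:; script-src 'self' 'unsafe-inline'";
    return $headers;
});
```

Hardening steps that live outside PHP (moving wp-config.php, file permissions, the login-path block on the WAF) still have to be done on the server as described above.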

FINAL NOTES
There are over 55,000 WordPress plugins! The best choice you can make is to use the ones that have high satisfaction ratings and are frequently updated because, as we've seen above, these updates are important to the integrity of your site. Remember to install only the necessary ones and, if you want to play it safe, create a development or staging instance to test them first.

By: Ricardo Araújo, Pentester at Hardsecure.
