Most of the institutional websites delivered to Hardsecure for testing use WordPress as their CMS (content management system), mainly because it is the simplest and most popular way to create your own website or blog, powering 42% of all websites on the internet. Even if you are not a developer, you can easily customize your site with the vast ecosystem of WordPress themes and plugins.
In the section below, we list some of the most common vulnerabilities we encounter during pentests.
Security must be an ongoing effort! Serious problems can arise as soon as you stop checking your website's security. In this chapter we discuss the main measures to protect WordPress or other CMSs.
The first measure concerns strong passwords, two-factor authentication and how often we change our passwords: three easy habits to apply in your day-to-day work.
The second measure focuses on updates. These are not always about new features; they often contain essential security and stability fixes. In WordPress, we have to keep an eye on plugins, themes and PHP itself, where each version has two years of support.
If your site has several users, do not make all of them administrators. Changing the login path will not solve every problem either, but it helps against bots and scripts. Blocking URL paths such as the login page with a WAF, so that unknown IPs cannot reach them, is another good step.
The most important file is config.php: you can move it, update the WordPress security keys to improve encryption, restrict the permissions on these files, disable XML-RPC, hide the WordPress version (the less people know about your WordPress setup, the better) and add security headers such as:
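As an added example (not code from the original post or from Hardsecure), the two files below implement the items just listed: a wp-config.php excerpt with fresh security keys, HTTPS-only admin and no dashboard file editor, and a must-use plugin that disables XML-RPC, hides the WordPress version and sends security headers on every front-end response. The constants, hooks and the salt-generator URL are standard WordPress ones; the file name hardening.php, the placeholder key phrases and the specific header values are assumptions you should adapt to your site.

```php
<?php
// ---- 1. wp-config.php (excerpt) ----
// WordPress also looks for wp-config.php one directory ABOVE the web root,
// so the file can be moved out of the document root with no code change.

// Unique keys and salts: generate a fresh set at
// https://api.wordpress.org/secret-key/1.1/salt/ and paste it here.
// Rotating them invalidates every existing login cookie, which is exactly
// what you want after a suspected compromise. The values below are placeholders.
define( 'AUTH_KEY',         'REPLACE-WITH-A-UNIQUE-PHRASE' );
define( 'SECURE_AUTH_KEY',  'REPLACE-WITH-A-UNIQUE-PHRASE' );
define( 'LOGGED_IN_KEY',    'REPLACE-WITH-A-UNIQUE-PHRASE' );
define( 'NONCE_KEY',        'REPLACE-WITH-A-UNIQUE-PHRASE' );
define( 'AUTH_SALT',        'REPLACE-WITH-A-UNIQUE-PHRASE' );
define( 'SECURE_AUTH_SALT', 'REPLACE-WITH-A-UNIQUE-PHRASE' );
define( 'LOGGED_IN_SALT',   'REPLACE-WITH-A-UNIQUE-PHRASE' );
define( 'NONCE_SALT',       'REPLACE-WITH-A-UNIQUE-PHRASE' );

define( 'FORCE_SSL_ADMIN', true );        // wp-admin and wp-login.php only over HTTPS
define( 'DISALLOW_FILE_EDIT', true );     // removes the theme/plugin code editor from the dashboard
define( 'WP_AUTO_UPDATE_CORE', 'minor' ); // security and maintenance releases install themselves

// ---- 2. wp-content/mu-plugins/hardening.php (must-use plugin, loaded automatically) ----
if ( ! defined( 'ABSPATH' ) ) {
    exit; // never run outside WordPress
}

// Disable XML-RPC. 'xmlrpc_enabled' only covers the authenticated methods,
// so the method list is emptied as well to cover the unauthenticated ones (e.g. pingback.ping).
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', '__return_empty_array' );
remove_action( 'wp_head', 'rsd_link' );            // stop advertising xmlrpc.php in <head>
add_filter( 'wp_headers', function ( $headers ) {   // ...and in the X-Pingback response header
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// Hide the WordPress version: <meta name="generator">, feeds, and ?ver= on scripts/styles.
// Caveat: stripping ?ver= also removes cache-busting, so purge caches when assets change.
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );
$strip_ver = function ( $src ) {
    return $src ? remove_query_arg( 'ver', $src ) : $src;
};
add_filter( 'style_loader_src',  $strip_ver, PHP_INT_MAX );
add_filter( 'script_loader_src', $strip_ver, PHP_INT_MAX );

// Security headers on every front-end response WordPress generates.
add_action( 'send_headers', function () {
    header( 'X-Content-Type-Options: nosniff' );
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( "Content-Security-Policy: frame-ancestors 'self'" );
    header( 'Referrer-Policy: strict-origin-when-cross-origin' );
    header( 'Permissions-Policy: camera=(), microphone=(), geolocation=()' );
    if ( is_ssl() ) { // HSTS only makes sense once the whole site is served over HTTPS
        header( 'Strict-Transport-Security: max-age=31536000; includeSubDomains' );
    }
} );
```

After editing wp-config.php, tighten its permissions (mode 400 or 440, owned by the deploy user and readable only by the PHP worker's group) so other accounts on the server cannot read the database credentials and keys. The PHP-level XML-RPC switch is a fallback: blocking xmlrpc.php at the web server or WAF, as the post suggests for the login page, stops those requests before PHP runs at all.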
Use security plugins like iThemes Security and/or Wordfence Security, and don't forget to always use secure connections (HTTPS, SFTP).
There are over 55,000 WordPress plugins! The best choice you can make is to use the ones that have high satisfaction ratings and are frequently updated because, as we have seen above, these updates are important to the integrity of your site. Remember to install only the necessary ones and, if you want to play it safe, create a development or staging instance to test them first.