Download as PDF, PPTX
Uploaded bySiteGround.com
8 Ways to Hack a WordPress website
This document outlines 8 ways to hack a WordPress site, including having an outdated WordPress core or plugins/themes, weak login credentials, malware, vulnerable server software, incorrect server configurations, and wrong file permissions. It provides examples for each vulnerability and recommends keeping everything updated, using strong passwords, proper permissions, and working with experienced administrators to secure a site.
More Related Content
Similar to 8 Ways to Hack a WordPress website
![Vibe Coding vs. Spec-Driven Development [Free Meetup]](https://cdn.slidesharecdn.com/ss_thumbnails/vibecodingvsspecdrivendevelopment-251209105622-43f455e7-thumbnail.jpg?width=640&height=640&fit=bounds)
![Coded Agents – with UiPath SDK + LangGraph [Virtual Hands-on Workshop]](https://cdn.slidesharecdn.com/ss_thumbnails/codedagentsdeck-251215155422-5497c599-thumbnail.jpg?width=640&height=640&fit=bounds)
8 Ways to Hack a WordPress website
- 1. 8 WAYS TOHACK A WORDPRESS SITE WordCamp Porto 2013 Daniel Kanchev
- 2. Before We Begin… • 7+Years of WordPress experience • 5 years with SiteGround • Love FOSS • Addicted to extreme and not so secure sports
- 3. Why should YOUcare?
- 4.
- 5. 1. OUTDATED WORDPRESSCORE • WP 3.7.1 - MAINTENANCE RELEASE • WP 3.6.1 - SECURITY RELEASE • WP 3.5.2 - SECURITY RELEASE • WP 3.5.1 - SECURITY RELEASE • WP 3.4.2 - SECURITY RELEASE • WP 3.4.1 - SECURITY RELEASE • WP 3.3.3 - SECURITY RELEASE • WP 3.3.2 - SECURITY RELEASE • WP 3.3.1 - SECURITY RELEASE • WP 3.2.1 - MAINTENANCE RELEASE
- 6. 1. OUTDATED WORDPRESSCORE • WP 3.7.1 - MAINTENANCE RELEASE • WP 3.6.1 - SECURITY RELEASE • WP 3.5.2 - SECURITY RELEASE • WP 3.5.1 - SECURITY RELEASE • WP 3.4.2 - SECURITY RELEASE • WP 3.4.1 - SECURITY RELEASE • WP 3.3.3 - SECURITY RELEASE • WP 3.3.2 - SECURITY RELEASE • WP 3.3.1 - SECURITY RELEASE • WP 3.2.1 - MAINTENANCE RELEASE 80%
- 7.
- 8.
- 9. WP PLUGINS SECURITYSTATE “Checkmarx’s research lab identified that more than 20% of the 50 most popular WordPress plugins are vulnerable to common Web attacks, such as SQL Injection” http://www.checkmarx.com/wp-content/uploads/2013/06/The-Security-State-of-WordPressTop-50-Plugins.pdf
- 10. NOTABLE EXAMPLES • timthumb.php SecurityVulnerability • W3 Total Cache Vulnerability
- 11.
- 12. 3. UPDATED BUTSTILL VULNERABLE
- 13. FREE THEMES/PLUGINS ?! “8out of 10 sites included base64 encoding in their themes.” Siobhan McKeown
- 14.
- 15.
- 16. 4. WEAK LOGINDETAILS
- 17. Do you login with username “admin” ?
- 19.
- 20. CHANGE THE ADMINUSER UPDATE wp_users SET user_login = ‘Yourname+_admin’ where user_login = ‘admin’;
- 21. STRONG PASSWORDS Use awhole sentence or a favourite quote: Comedy is acting out optimism!
- 22.
- 23. SECURE YOUR COMPUTERS •Keep your OS and all programs updated • Install Anti-Virus software • Use personal firewalls • Open • Use sites via HTTPS whenever possible SSH or SFTP instead of FTP
- 24. 6. VULNERABLE SERVERSOFTWARE
- 25.
- 26. SOME EXAMPLES • PHP-CGI Vulnerability- versions before 5.3.12/5.4.2 • MySQL/MariaDB Vulnerability - versions before 5.5.25 • Apache range header DoS - versions before 2.2.20
- 27. • Update server software • Followsecurity bulletins • Hire professional sysadmins
- 28.
- 29. APACHE SYMLINK VULNERABILITY TheProblem: public_html/fred.txt —> /home/otheracct/public_html/wp-config.php The Solution: Add to httpd.conf or .htaccess file: SymLinksIfOwnerMatch
- 30. • Find a goodhost • Hire professional sysadmins
- 31. 8. WRONG PERMISSIONS+ ISOLATION
- 32. THE CORRECT PERMISSIONS Folders:755 • Files: 644 • wp-config.php: 444 •
- 33. SSH COMMAND TOCORRECT PERMISSIONS • find /wordpress -type d -exec chmod 755 {} ; ! ! • find /wordpress -type f -exec chmod 644 {} ;
- 34. GENERAL GUIDELINES • Use SecretKeys - http://api.wordpress.org/secret- key/1.1/salt • Move • Use wp-config.php to parent folder SSL for wp-login.php • Allow admin access only from certain IPs
- 35.
- 36.
- 37.
- 38.