When to Pentest WordPress: Security and Compliance Tips for the World’s Largest CMS — Cyver

Cyver_io
Cyver Blog
Published in
4 min read · Sep 30, 2020

Most estimates suggest that almost 20% of the web runs on WordPress. That makes sense considering the CMS is simple, affordable, and relatively secure. WordPress offers out-of-the-box customization and functionality that you won’t find anywhere else. At the same time, the very themes, plugins, and add-ons that make WordPress customizable increase security risks. The small-to-medium businesses that normally run WordPress are also especially vulnerable to attack, with some 43% of all cyberattacks aimed at this demographic.

Regularly pentesting WordPress properties helps you ensure your websites stay secure. This is especially important for e-commerce and B2B organizations, or anyone processing sensitive data. Breaches can result in loss of trust, massive expense, loss of the website and its data, and lengthy settlements with any affected parties, including vendors, customers, and employees. Pentesting identifies vulnerabilities that could lead to a breach, so you can improve total site and customer security.

Why Pentest WordPress Sites?

As the owner of a website, you are solely responsible for its security. WordPress’s core software is secure, meeting OWASP Top 10 security standards at a minimum. The thousands of publishers sharing themes and plugins in WordPress’s directory are not bound by any regulations, only a set of guidelines. In addition, your settings, hosting, physical server, and security policy and processes will dramatically affect the security of your site.

WordPress sites are vulnerable to:

  • Cross-Site Scripting (XSS)
  • Session Exploits
  • Brute Force and DDoS attacks
  • Virus/Malware
  • Security Misconfiguration Errors
  • Cross-Site Request Forgery (CSRF)
  • XML External Entity Processing Attacks
  • Backdoor Exploits
  • Malicious Redirects
  • Phishing/Human Error

In most cases, the WordPress APIs, including the Database, Filesystem, HTTP, and Permissions APIs, are secure. However, it is your responsibility to ensure they are properly configured with your host, your server, and your site.

Regular pentesting will help you to:

  • Maintain compliance for regulatory standards
  • Preemptively find and solve vulnerabilities
  • Prevent downtime from exploits and hacks
  • Avoid fines and damage to customers by protecting sensitive data

How Do You Pentest WordPress?

WordPress pentests are run in your live environment or a virtual environment, depending on the permissions granted by your host. WordPress encourages users to be as secure as possible. However, the company does not grant users permission to pentest the core software, including its APIs. You can test your own settings, applications, software, and setup, but not the core software. In addition, you won’t have permission to pentest plugins, which are applications leased from third parties. You may check with plugin providers on an individual basis and notify them of a pentest if they allow it. If you use Cyver, we automatically send a responsible disclosure to the plugin provider when we find a new vulnerability.

Why? WordPress and other applications grant users a limited-use license. This restricts your rights to actions that cannot affect other users. If a pentest exploits a vulnerability, it may temporarily impact the availability of the service.

WordPress pentests include:

  • Testing non-public systems such as server hosting, bastion hosting, etc.
  • Testing configuration, including user accounts, permissions, access controls, ports, settings, versioning, etc.
  • Testing security controls such as firewalls, web application firewalls (WAF), limitations, etc.
  • Testing code and site application including files, file upload, malware or malicious code injection, etc.
  • Testing the URL and the IP attached to the website

If you source your WordPress pentesting from Cyver, the scope, depth, and approach of the pentest will be fully tailored to meet the needs of your organization. For example, you might need full ASVS Level 2 coverage to meet compliance for your industry, or you might only want a simple OWASP Top 10 assessment to ensure your website is relatively secure.

Best Practices for WordPress Security

In many cases, you can do a lot to keep your WordPress site secure. Most issues relate to WordPress settings and host settings. You also have to consider your company security policy.

WordPress Settings

  • Keep all apps, plugins, and themes up to date. Turn on auto-updates.
  • Turn off any themes, plugins, or apps you are not using. Remove them from the site if possible.
  • Automate backups
  • Keep PHP up to date
  • Move wp-config.php out of the root directory
  • Change the database table prefix
  • Monitor audit logs
  • Disallow file editing for admins
  • Review directory permissions settings
  • Protect logins with 2-factor authentication, user bans, and by updating the default login URL
  • Log idle users out of the site
  • Hide WordPress versioning
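Several items in the checklist above (auto-updates, disallowing file editing, hiding the version, login protection, and logging idle users out) can be enforced in code rather than clicked through in the dashboard. The following must-use plugin is an added example, not code from the original post or from Cyver; the file name `wp-content/mu-plugins/example-hardening.php` and the `example_` function prefix are assumptions, and the session lengths are illustrative values. Moving `wp-config.php` and changing the table prefix are install-time choices and are not covered here.

```php
<?php
/**
 * Plugin Name: Example WordPress hardening (must-use plugin)
 * Description: Added illustration of the settings checklist; not Cyver's code.
 *
 * Place this file in wp-content/mu-plugins/. Must-use plugins load on every
 * request and cannot be deactivated from the dashboard, so a compromised
 * admin account cannot simply switch the hardening off.
 */

if ( ! defined( 'ABSPATH' ) ) {
    exit; // Refuse direct HTTP requests to this file.
}

/*
 * 1. Keep core, plugins and themes up to date.
 *    WP_AUTO_UPDATE_CORE normally belongs in wp-config.php; it is defined
 *    here only if absent so the example is self-contained.
 */
if ( ! defined( 'WP_AUTO_UPDATE_CORE' ) ) {
    define( 'WP_AUTO_UPDATE_CORE', true );
}
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

/*
 * 2. Disallow file editing for admins. This removes the Theme/Plugin Editor,
 *    so a hijacked admin session cannot write PHP through the dashboard.
 */
if ( ! defined( 'DISALLOW_FILE_EDIT' ) ) {
    define( 'DISALLOW_FILE_EDIT', true );
}

/*
 * 3. Hide WordPress versioning: the <meta name="generator"> tag, the feed
 *    generator, and the ?ver=X.Y.Z query string that core appends to its
 *    own scripts and styles. Plugin/theme cache-busting versions are kept.
 */
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

function example_strip_core_version( $src ) {
    $query = wp_parse_url( $src, PHP_URL_QUERY );
    if ( $query ) {
        parse_str( $query, $args );
        if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
            $src = remove_query_arg( 'ver', $src );
        }
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version' );
add_filter( 'style_loader_src', 'example_strip_core_version' );

/*
 * 4. Protect logins. XML-RPC is a common brute-force channel because one
 *    request can carry many credential attempts; disabling it via the
 *    xmlrpc_enabled filter makes authenticated XML-RPC methods fail.
 *    A generic login error avoids telling an attacker which half of a
 *    username/password pair was wrong.
 */
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'login_errors', function () {
    return 'Login failed. Check your username and password.';
} );

/*
 * 5. Log idle users out. Core has no inactivity timer, so the closest
 *    core-only control is a short auth-cookie lifetime: 2 hours for a
 *    normal login, 1 day when "Remember Me" is ticked (illustrative values).
 */
add_filter( 'auth_cookie_expiration', function ( $seconds, $user_id, $remember ) {
    return $remember ? DAY_IN_SECONDS : 2 * HOUR_IN_SECONDS;
}, 10, 3 );
```

After deploying it, confirm the effect the way a pentester would check it: the page source should no longer contain a generator meta tag or `?ver=` on core assets, the Theme Editor entry should be gone from the admin menu, and a failed login should return the same message regardless of whether the username exists.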

Security Policy

  • Choose a host that offers security
  • Implement HTTPS and similar security standards
  • Implement Access Management with restricted administrator usage
  • Use tools such as Wordfence, WPScan, or iThemes to limit logins, block malicious IPs, and install firewalls.
  • Review the security and authenticity of themes and plugins before installation
  • Utilize third-party security for applications
  • Implement a secure password system with a password manager to reduce the risk of loss or theft

You are responsible for protecting your WordPress environment. If your site is hacked and you lose customer data or the site itself, WordPress is not responsible. Regular pentesting ensures you stay on top of issues so you keep your site and your customers safe. A pentest reviews settings, configurations, application vulnerabilities, and exploits, and recommends fixes so you can harden security and keep your site safe.

If you’re ready to pentest your WordPress site, Cyver can help. We offer basic CMS pentesting at a flat rate, using our credit system. We’ve been pentesting WordPress for over 15 years and we know how to find and assess vulnerabilities at every level. Our simple, transparent pricing and timelines mean you can easily plan your pentest into your budget. And our cloud platform means we deliver findings to you in real time, in a ticket-based format, so you can immediately work on remediation.

Want to know more? Click here to learn how Pentest-as-a-Service works. Or sign up now to request your first pentest.

Originally published at https://www.cyver.io on September 30, 2020.

Cyver is a cybersecurity firm delivering pentest-as-a-service in the cloud.