WordPress Penetration Testing

WordPress powers a large share of the websites on the Internet, so it is no surprise that both seasoned attackers and "script-kiddies" like to target WordPress sites. Whether you are a webmaster or a security professional tasked with assessing the security posture of a WordPress website, it helps to know the common security pitfalls attackers take advantage of, and to use the right penetration testing tools.

In this article, I'll cover a number of common security holes, malpractices and pieces of useful information that an attacker may be able to abuse in many WordPress installations. I'll also highlight a number of tools you should use to help automate a WordPress penetration test.

Common WordPress security issues & malpractices

Outdated versions of WordPress code

Running old versions of WordPress core containing security vulnerabilities is arguably one of the most common security holes relating to WordPress. While newer versions of WordPress make it easy to upgrade to the latest version, it’s not uncommon for older WordPress sites to be lagging behind.

Running an old version of WordPress on the Internet is a ticking time bomb. Many old versions of WordPress core contain publicly known security vulnerabilities, and once an exploit for one is public it is typically used en masse by automated scanners against every site that still advertises the affected version.

When auditing a WordPress website for security vulnerabilities, this is typically one of the very first things you'd want to check. Fortunately for attackers, by default WordPress adds an HTML meta tag to the <head> of every page containing the version of WordPress being used.

<meta name="generator" content="WordPress 4.8.11" />

Knowing that a WordPress installation is running an old version gives an attacker the opportunity to take advantage of a known vulnerability. Use the CVE security vulnerability database to search for known security issues in that version of WordPress core. Bear in mind that the generator tag is only a hint: site owners can strip it (for example with remove_action('wp_head', 'wp_generator') in a theme or plugin) or alter it, so its absence does not mean the site is up to date, and a version it does advertise should be corroborated with other fingerprints before you rely on it.
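As an added example (not code from the original article), the following Python script automates the check described above: it parses the generator meta tag out of a page's HTML, extracts the WordPress version, and compares it against a release you supply. The HTML documents are constructed inline so the script runs offline; LATEST_KNOWN_VERSION is an assumed value for illustration and should be replaced with the current WordPress release when you use it. The script also handles the case where the tag has been removed, so that a missing tag is reported as "unknown" rather than as "up to date".

```python
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple

# Assumption for illustration only: replace with the current WordPress release.
LATEST_KNOWN_VERSION = "6.5"

# Constructed sample pages (not captured from any real site).
SAMPLE_HTML_OUTDATED = """<html><head><title>Blog</title>
<meta name="generator" content="WooCommerce 3.9.0" />
<meta name="generator" content="WordPress 4.8.11" />
</head><body>hi</body></html>"""

SAMPLE_HTML_HARDENED = """<html><head><title>Blog</title>
<link rel="stylesheet" href="/wp-content/themes/x/style.css" />
</head><body>hi</body></html>"""


class _GeneratorTagParser(HTMLParser):
    """Collects the content attribute of every <meta name="generator"> tag."""

    def __init__(self) -> None:
        super().__init__()
        self.generators: List[str] = []

    def handle_starttag(self, tag: str, attrs) -> None:
        if tag.lower() != "meta":
            return
        attr_map = {k.lower(): (v or "") for k, v in attrs}
        if attr_map.get("name", "").lower() == "generator":
            self.generators.append(attr_map.get("content", ""))

    # <meta ... /> is self-closing; HTMLParser reports it here instead.
    def handle_startendtag(self, tag: str, attrs) -> None:
        self.handle_starttag(tag, attrs)


def extract_wordpress_version(html: str) -> Optional[str]:
    """Return the WordPress version advertised in a generator tag, or None.

    Several generator tags may be present (plugins add their own), so every
    one is inspected and only a 'WordPress <version>' value is accepted.
    """
    parser = _GeneratorTagParser()
    parser.feed(html)
    parser.close()
    for content in parser.generators:
        match = re.match(r"\s*WordPress\s+(\d+(?:\.\d+)*)", content, re.IGNORECASE)
        if match:
            return match.group(1)
    return None


def version_tuple(version: str) -> Tuple[int, ...]:
    """'4.8.11' -> (4, 8, 11), so versions compare numerically, not as text."""
    return tuple(int(part) for part in version.split("."))


def is_outdated(found: str, latest: str) -> bool:
    """True when the advertised version is strictly older than `latest`."""
    return version_tuple(found) < version_tuple(latest)


def audit_version(html: str, latest: str = LATEST_KNOWN_VERSION) -> dict:
    """Summarise the version check for one page of HTML.

    status is one of:
      'unknown'  - no WordPress generator tag (stripped, or not WordPress)
      'outdated' - advertised version older than `latest`
      'current'  - advertised version equal to or newer than `latest`
    A stripped tag is deliberately not treated as 'current'.
    """
    found = extract_wordpress_version(html)
    if found is None:
        return {"version": None, "status": "unknown"}
    status = "outdated" if is_outdated(found, latest) else "current"
    return {"version": found, "status": status}


if __name__ == "__main__":
    for label, page in (("outdated site", SAMPLE_HTML_OUTDATED),
                        ("hardened site", SAMPLE_HTML_HARDENED)):
        print(label, audit_version(page))
```

When run against a live target, fetch the HTML of the front page with your HTTP client of choice and pass it to audit_version; an "outdated" result is the cue to search the CVE database for issues affecting that exact version, while "unknown" means you need another fingerprint before drawing any conclusion.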
