
WordPress Security checklist for Developers and Testers

This post was most recently updated on July 29th, 2024

Security scenarios to be checked for a WordPress site
1. Issue/Scenario – Access to the WordPress admin area
Description – Every WordPress site has a management area through which the site admin manages the content and all sections of the site. The admin user has full access and authority to add, edit and delete site content. By default the admin panel URL of any WordPress site follows a common format, e.g. www.XYZ.com/wp-admin. This URL is well known, unprotected and easy to guess. Leaving /wp-admin/ at the end of your domain name is not proper practice; instead the developer should implement a custom and unique URL.
Solution –
a. IP address – Block all IPs from accessing the admin area except the few selected IPs that belong to users with admin rights.
How to implement-
Step 1- Define the IP addresses to which access is to be provided.
Step 2- From FTP (FileZilla) download the .htaccess file from the root directory and edit it, putting the IP address in the “Allow from” section. To add more IP addresses, add a new line with “Allow from” and the next IP address.
Add code –

# Apache 2.2 syntax. These directives apply to the directory that holds this
# .htaccess and everything below it, so keep them scoped to the admin area;
# placed unscoped at the site root they would block the whole site.
# On Apache 2.4 the equivalent is: Require ip xx.xx.xx.xx
Order Deny,Allow
Deny from all
Allow from xx.xx.xx.xx
Step 3- Save, commit on SVN and upload the file to FTP again
b. Unique URL – Customize the admin panel URL from /wp-admin to some unique directory path. To customize the admin URL, plugins are available, or the developer can use hooks. Here, for example, the plugin WPS Hide Login:
Step 1- Log in to the admin panel and navigate to the Plugins section
Step 2- Install the plugin named “WPS Hide Login”
Step 3- Go to Settings > General and scroll down to the WPS Hide Login section
Step 4- Edit the admin URL from /wp-admin

2. Issue/Scenario – WordPress database prefix
Description – The WordPress database contains all the data of your site. When a user installs WordPress, the table prefix is set by default to “wp_”. Attackers usually target databases with this default prefix by injecting automated code or inserting scripts, because the table names are known in advance.
Solution – Change the database prefix from wp_ to some unique prefix
How to implement-
Step 1- Take a backup of the existing database before making any changes
Step 2 – Open the wp-config.php file located in your WordPress root directory. Change the “$table_prefix” line from wp_ to another prefix, e.g. wp_testPrefix856
Step 3 – Rename all database tables to the new prefix using SQL queries
Step 4 – Change the prefix of the options table entries as well
Step 5 – Change the prefix of the usermeta table entries
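Steps 3 to 5 name what has to change but not the statements. The following is an added example, not code from the original post, that carries the three steps out from the command line against a single-site install. It renames every table that starts with the old prefix and then fixes the two places where the prefix is stored as data rather than as a table name: the options row "<prefix>user_roles" and per-user usermeta keys such as "<prefix>capabilities" and "<prefix>user_level". The connection constants are placeholders, and the new prefix is the post's example value with a trailing underscore added so table names stay readable.

```php
<?php
/**
 * Added example (not from the original post): perform steps 3-5 of the prefix
 * change. Run against a fresh backup first (step 1), then set $table_prefix in
 * wp-config.php to NEW_PREFIX (step 2). Connection values are placeholders.
 * Single-site only: a multisite install also has per-blog options tables
 * (wp_2_options, ...) whose user_roles row needs the same treatment.
 */
declare(strict_types=1);

const DB_HOST_PLACEHOLDER = 'localhost';
const DB_NAME_PLACEHOLDER = 'wordpress';
const DB_USER_PLACEHOLDER = 'wp_user';
const DB_PASS_PLACEHOLDER = 'change-me';
const OLD_PREFIX = 'wp_';
const NEW_PREFIX = 'wp_testPrefix856_';   // the post's example value plus a trailing underscore

/** Reject anything that is not a plain identifier before it reaches a query. */
function assert_identifier(string $name): void
{
    if (!preg_match('/^[A-Za-z0-9_]+$/', $name)) {
        throw new InvalidArgumentException("only letters, digits and _ allowed: $name");
    }
}

/** Prefix as a LIKE pattern: "_" is a wildcard in LIKE, so escape it to match literally. */
function like_prefix(string $prefix): string
{
    return str_replace('_', '\\_', $prefix) . '%';
}

/** Build the SQL for steps 3-5 from the list of existing table names. */
function prefix_change_statements(array $tables, string $old, string $new): array
{
    assert_identifier($old);
    assert_identifier($new);
    $sql = [];
    foreach ($tables as $table) {
        assert_identifier($table);
        if (strncmp($table, $old, strlen($old)) !== 0) {
            throw new InvalidArgumentException("table does not carry the old prefix: $table");
        }
        // Step 3: wp_posts -> wp_testPrefix856_posts, and so on for every table.
        $sql[] = sprintf('RENAME TABLE `%s` TO `%s`', $table, $new . substr($table, strlen($old)));
    }
    // Step 4: the serialized role definitions live in options under "<prefix>user_roles".
    // Only that row is touched: other option names that happen to start with "wp_"
    // (e.g. wp_page_for_privacy_policy) do not depend on the table prefix.
    $sql[] = sprintf("UPDATE `%soptions` SET option_name = '%suser_roles' WHERE option_name = '%suser_roles'",
        $new, $new, $old);
    // Step 5: core stores <prefix>capabilities, <prefix>user_level and <prefix>user-settings*
    // per user; swap the leading old prefix for the new one on every such key.
    $sql[] = sprintf("UPDATE `%susermeta` SET meta_key = CONCAT('%s', SUBSTRING(meta_key, %d)) WHERE meta_key LIKE '%s'",
        $new, $new, strlen($old) + 1, like_prefix($old));
    return $sql;
}

/** List the tables carrying the old prefix, run the statements in order, return what ran. */
function change_table_prefix(mysqli $db, string $old, string $new): array
{
    assert_identifier($old);
    $tables = [];
    $result = $db->query("SHOW TABLES LIKE '" . like_prefix($old) . "'");
    while ($row = $result->fetch_row()) {
        $tables[] = $row[0];
    }
    $statements = prefix_change_statements($tables, $old, $new);
    foreach ($statements as $statement) {
        $db->query($statement);   // MYSQLI_REPORT_STRICT below turns any failure into an exception
    }
    return $statements;
}

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli(DB_HOST_PLACEHOLDER, DB_USER_PLACEHOLDER, DB_PASS_PLACEHOLDER, DB_NAME_PLACEHOLDER);
$db->set_charset('utf8mb4');
foreach (change_table_prefix($db, OLD_PREFIX, NEW_PREFIX) as $statement) {
    echo $statement, PHP_EOL;
}
```

The renames run before the two UPDATEs, so the UPDATEs already address the tables by their new names. RENAME TABLE commits implicitly in MySQL, which is why the backup in step 1 is the only rollback path.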

3. Issue/Scenario – Site scanning
Description – Site scanning is a security scan of an application to find its loopholes and weak points. Many security scanners are available on the market to scan for malware and vulnerabilities, e.g. Sucuri, Detectify, ZAP.
How to implement –
We are considering the ZAP tool as an example
Step 1- Download the ZAP installer (https://www.zaproxy.org/)
Step 2- Run the installer on your system and launch the tool on your local machine
Step 3- In the tool, enter the URL on which the scan is to be conducted
Step 4- Once the test is completed, export the test report or analyse it online

4. Issue/Scenario – Disable directory browsing
Description – Sometimes web servers enable directory browsing. That gives the public a listing of all files and folders inside the web server's root directory, so attackers can see which media, themes and plugins the site uses.
How to implement-
Step 1- Define the IP address to which access is to be provided.
Step 2- From FTP (FileZilla) download the .htaccess file from the root directory and edit it
Step 3 – Add one line to the .htaccess file, “Options -Indexes”, and save the file
Step 4 – Upload the file to the server again using FTP

5. Issue/Scenario – File-specific access
Description – Restrict access to files in the wp-content folder (themes, plugins and specific media files) while still allowing selected file types such as JPG, PDF, DOCX, CSS and JS.
How to implement-
Step 1- Define the IP address to which access is to be provided.
Step 2- From FTP (FileZilla) download the .htaccess file from the root directory and edit it
Step 3- Create a new .htaccess file with the code mentioned below –

# Deny everything by default, then re-allow only the file types listed in the
# description. Extend the extension list as your site needs.
Order deny,allow
Deny from all
<FilesMatch "\.(jpe?g|pdf|docx|css|js)$">
Allow from all
</FilesMatch>
Step 4- Save the file and place it in the wp-content folder

6. Issue/Scenario – Access to wp-includes
Description – The wp-includes folder holds the files the WordPress core needs to run, including its default theme and plugin support code. It is better not to allow direct access to this folder at all; restrict it for everyone, which means not even the admin.
How to implement-
Step 1- Define the IP address to which access is to be provided.
Step 2- From FTP (FileZilla) download the .htaccess file from the root directory and edit it
Step 3- Add the below mentioned code in the .htaccess file

# Forbid (403) direct requests for PHP files under wp-includes. The [S=3] rule
# skips the next three rules for any request outside wp-includes.
RewriteEngine On
RewriteBase /
RewriteRule ^wp-admin/includes/ - [F,L]
RewriteRule !^wp-includes/ - [S=3]
RewriteRule ^wp-includes/[^/]+\.php$ - [F,L]
RewriteRule ^wp-includes/js/tinymce/langs/.+\.php - [F,L]
RewriteRule ^wp-includes/theme-compat/ - [F,L]

7. Issue/Scenario – Access to wp-config.php
Description- The WordPress wp-config.php file contains very sensitive information about the WordPress installation: the WordPress security keys and the database connection details. Protecting it is a must-have security point
How to implement-
Step 1- Define the IP address to which access is to be provided.
Step 2- From FTP (FileZilla) download the .htaccess file from the root directory and edit it
Step 3- Add the below mentioned code in the .htaccess file

# protect wp-config.php
<Files wp-config.php>
order allow,deny
deny from all
</Files>

8. Issue/Scenario – Password authentication
Description – Password handling should be implemented so that all of the security validations below are met
How to implement –
1. The password set by the user should be a combination of uppercase, lowercase, alphanumeric values and special characters. The password should be shown in masked form on screen.
2. A periodic, automated password reset (expiry) can be implemented
3. On reset, the password can be validated so that recently used passwords are not allowed.
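Points 1 and 3 can be enforced server-side with two core hooks, so the rule holds even when the browser-side check is bypassed. The following must-use plugin is an added example and not code from the original post. The hook names and the wp_* functions are WordPress core; the usermeta key, the history depth and the minimum length are choices made here. WordPress already stores passwords only as hashes (wp_hash_password), so the history is kept as hashes too and checked with wp_check_password.

```php
<?php
/**
 * Plugin Name: Password policy (added example)
 *
 * Added example, not from the original post: enforces the complexity rule (point 1)
 * and the no-reuse rule (point 3) on the password-reset form and the profile-edit
 * form. Hook names and wp_* functions are WordPress core; the usermeta key, history
 * depth and minimum length are choices made here. Place in wp-content/mu-plugins/.
 */

const PW_HISTORY_META  = '_pw_history';   // hypothetical usermeta key holding previous hashes
const PW_HISTORY_DEPTH = 5;
const PW_MIN_LENGTH    = 12;

/** Describe what a candidate password lacks, or return null when it meets the policy. */
function pw_policy_violation(string $password): ?string
{
    $checks = [
        'at least ' . PW_MIN_LENGTH . ' characters' => strlen($password) >= PW_MIN_LENGTH,
        'an uppercase letter'                        => preg_match('/[A-Z]/', $password) === 1,
        'a lowercase letter'                         => preg_match('/[a-z]/', $password) === 1,
        'a digit'                                    => preg_match('/[0-9]/', $password) === 1,
        'a special character'                        => preg_match('/[^A-Za-z0-9]/', $password) === 1,
    ];
    $missing = array_keys(array_filter($checks, fn(bool $ok) => !$ok));
    return $missing ? 'Password must contain ' . implode(', ', $missing) . '.' : null;
}

/** True if $password matches the user's current hash or any remembered previous hash. */
function pw_was_used_before(int $user_id, string $password): bool
{
    $user   = get_userdata($user_id);
    $hashes = (array) get_user_meta($user_id, PW_HISTORY_META, true);
    if ($user) {
        $hashes[] = $user->user_pass;
    }
    foreach ($hashes as $hash) {
        // wp_check_password() understands every hash format core has written.
        if (is_string($hash) && $hash !== '' && wp_check_password($password, $hash)) {
            return true;
        }
    }
    return false;
}

/** Shared validation: adding to $errors makes core abort the save and show the message. */
function pw_validate(WP_Error $errors, ?int $user_id, string $password): void
{
    if ($password === '') {
        return;  // core already rejects empty passwords
    }
    $violation = pw_policy_violation($password);
    if ($violation !== null) {
        $errors->add('pw_policy', '<strong>Error:</strong> ' . esc_html($violation));
    }
    if ($user_id !== null && pw_was_used_before($user_id, $password)) {
        $errors->add('pw_reuse', '<strong>Error:</strong> That password was used recently; choose a different one.');
    }
}

/** Keep the most recent PW_HISTORY_DEPTH hashes for a user. */
function pw_remember(int $user_id, string $old_hash): void
{
    $history = (array) get_user_meta($user_id, PW_HISTORY_META, true);
    array_unshift($history, $old_hash);
    update_user_meta($user_id, PW_HISTORY_META, array_slice($history, 0, PW_HISTORY_DEPTH));
}

// Lost-password flow: core passes ($errors, $user); the candidate is in $_POST['pass1'].
add_action('validate_password_reset', function (WP_Error $errors, $user) {
    if ($user instanceof WP_User && isset($_POST['pass1'])) {
        pw_validate($errors, $user->ID, (string) wp_unslash($_POST['pass1']));
    }
}, 10, 2);

// Profile edit / new user: core passes ($errors, $update, $user) with the candidate in $user->user_pass.
add_action('user_profile_update_errors', function (WP_Error $errors, $update, $user) {
    if (!empty($user->user_pass)) {
        pw_validate($errors, $update ? (int) $user->ID : null, (string) $user->user_pass);
    }
}, 10, 3);

// reset_password() fires this before storing the new hash, so $user->user_pass is still the old one.
add_action('password_reset', function (WP_User $user) {
    pw_remember($user->ID, $user->user_pass);
}, 10, 1);

// Profile edits: $old is the pre-save record; remember its hash only if the password changed.
add_action('profile_update', function (int $user_id, WP_User $old) {
    $current = get_userdata($user_id);
    if ($current && $current->user_pass !== $old->user_pass) {
        pw_remember($user_id, $old->user_pass);
    }
}, 10, 2);
```

Each reuse check costs one password-hash verification per remembered hash, which is why the history depth is kept small.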

9. Issue/Scenario – SSL Authentication
Description – Force SSL. SSL is the protocol used to transfer data between the website and the user's browser in encrypted form. While testing, check whether the page still works over an HTTP URL even after HTTPS has been implemented
How to implement-
* Force WordPress SSL for Login and Dashboard (Admin Area) – Add this line to wp-config.php

define('FORCE_SSL_ADMIN', true);
* Forcing SSL for a specific WordPress page or post
Find the WordPress page ID and add the code below to the theme's functions.php file after replacing the page ID

function force_ssl()
{
    // Specify the ID of the page to be viewed over an SSL connection
    $secure_page_id = 123; // PLACEHOLDER: replace with the real page ID

    if (is_page($secure_page_id) && !is_ssl())
    {
        header('HTTP/1.1 301 Moved Permanently');
        header('Location: https://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
        exit();
    }
    // All other pages must not be https (as designed in the original; serving the
    // whole site over HTTPS is the usual choice today)
    else if (!is_page($secure_page_id) && is_ssl())
    {
        header('Location: http://' . $_SERVER['SERVER_NAME'] . $_SERVER['REQUEST_URI']);
        exit();
    }
}
add_action('template_redirect', 'force_ssl');
10. Issue/Scenario – Session timeout
Description – Set up the configuration to log the user out automatically if the user is inactive for a specific period of time.
How to implement-
Plugins are available to set up session timeout functionality
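The post leaves this to plugins. As an added example (not the post's code), the same behaviour in a small must-use plugin: the last request time is stored per user, a request arriving after the idle limit ends the session and sends the user to the login form, and the absolute cookie lifetime is capped as well. Hooks and wp_* functions are WordPress core; the usermeta key and the two time limits are choices made here.

```php
<?php
/**
 * Plugin Name: Inactivity logout (added example)
 *
 * Added example, not from the original post: logs a user out after a period
 * without requests, and caps the auth cookie lifetime. Hooks and wp_* functions
 * are WordPress core; the usermeta key and timeouts are choices made here.
 */

const IDLE_TIMEOUT_SECONDS = 15 * MINUTE_IN_SECONDS;   // hypothetical idle limit
const IDLE_META_KEY        = '_last_activity';          // hypothetical usermeta key

/** Whether a session whose last request was at $last has idled past $limit at $now. */
function idle_session_expired(int $last, int $now, int $limit = IDLE_TIMEOUT_SECONDS): bool
{
    return $last > 0 && ($now - $last) > $limit;
}

add_action('init', function () {
    if (!is_user_logged_in() || wp_doing_cron()) {
        return;
    }
    $user_id = get_current_user_id();
    $now     = time();
    $last    = (int) get_user_meta($user_id, IDLE_META_KEY, true);

    if (idle_session_expired($last, $now)) {
        wp_logout();   // clears the auth cookies and destroys the session token
        // Non-HTML requests (AJAX, REST) receive this redirect too; the client then re-authenticates.
        wp_safe_redirect(add_query_arg('reason', 'timeout', wp_login_url()));
        exit;
    }
    update_user_meta($user_id, IDLE_META_KEY, $now);   // any authenticated request counts as activity
});

// Cap the absolute cookie lifetime as well: core defaults are 2 days, or 14 with "Remember Me".
add_filter('auth_cookie_expiration', function (int $length, int $user_id, bool $remember) {
    return $remember ? DAY_IN_SECONDS : 8 * HOUR_IN_SECONDS;
}, 10, 3);
```

The idle check runs on every authenticated request, so it also covers sessions kept alive only by background AJAX calls; the cookie cap is the backstop for a browser that is simply left open.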

11. Issue/Scenario – Keep the admin panel URL out of Google search results
Description – Developers can configure the site so that the Google search engine does not index the admin panel while crawling the website
How to implement-
Create a robots.txt file in the site root with the content mentioned below –

User-agent: *
Disallow: /wp-content/
Disallow: /wp-includes/
Disallow: /wp-admin/
12. Issue/Scenario – File upload functionality
Description – Validate the file upload functionality on the UI side. The user should be able to upload only approved file types, and should not be able to upload .exe files. Also make sure the maximum file size is pre-defined
How to implement-
Settings to allow and restrict file formats are available in plugins
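Whatever the UI enforces, the same limits should hold on the server, because the upload request can be sent without the UI. The following must-use plugin is an added example, not code from the post or from any plugin it names: it replaces the media library's allowed-type list with a short allow-list (so .exe and anything else unlisted is refused) and rejects files over a size ceiling before WordPress stores them. The filters are WordPress core; the allow-list and the 5 MiB ceiling are choices made here.

```php
<?php
/**
 * Plugin Name: Upload restrictions (added example)
 *
 * Added example, not from the original post: limits media uploads to an
 * allow-list of file types and a maximum size, server-side. The filters are
 * WordPress core; the allow-list and size are choices made here.
 */

const UPLOAD_MAX_BYTES = 5 * 1024 * 1024;   // hypothetical 5 MiB ceiling (php.ini upload_max_filesize still applies)

/** Extension => MIME type pairs this site accepts, in the shape upload_mimes expects. */
function allowed_upload_mimes(): array
{
    return [
        'jpg|jpeg|jpe' => 'image/jpeg',
        'png'          => 'image/png',
        'gif'          => 'image/gif',
        'pdf'          => 'application/pdf',
        'docx'         => 'application/vnd.openxmlformats-officedocument.wordprocessingml.document',
    ];
}

// Replace core's list entirely: anything not listed is rejected by
// wp_check_filetype_and_ext() before the file is stored.
add_filter('upload_mimes', fn(array $mimes) => allowed_upload_mimes());

/** Return an error message for an oversized or disallowed file, or null to accept it. */
function upload_prefilter_error(array $file): ?string
{
    if (($file['size'] ?? 0) > UPLOAD_MAX_BYTES) {
        return sprintf('File exceeds the %d MB limit.', UPLOAD_MAX_BYTES / (1024 * 1024));
    }
    $ext = strtolower(pathinfo($file['name'] ?? '', PATHINFO_EXTENSION));
    foreach (array_keys(allowed_upload_mimes()) as $group) {
        if (in_array($ext, explode('|', $group), true)) {
            return null;
        }
    }
    return 'This file type is not permitted.';
}

// Runs before WordPress moves the file; setting $file['error'] aborts the upload with that message.
add_filter('wp_handle_upload_prefilter', function (array $file) {
    $error = upload_prefilter_error($file);
    if ($error !== null) {
        $file['error'] = $error;
    }
    return $file;
});
```

The extension check in the prefilter is only a fast first rejection; the authoritative type decision is the upload_mimes list, which core checks against the file's actual content as well as its name.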

13. Issue/Scenario – Avoid clickjacking
Description – Attackers can load your page inside an invisible frame on their own site so that users' clicks or keystrokes land on your page without their knowledge
How to implement-
Step 1- Go to the active theme's files
Step 2- Select the functions.php file and edit it
Step 3- Add the below mentioned code at the end of the file

function block_frames() {
    // Tell browsers to refuse to render this page inside a frame on another origin
    header( 'X-Frame-Options: SAMEORIGIN' );
}
add_action( 'send_headers', 'block_frames', 10 );
14. Issue/Scenario – Limited login attempts
Description – After multiple unsuccessful login attempts, the user account should be blocked under a defined condition
How to implement –
The security plugin used by the developer has a setting to add a login attempt limit whenever a user makes multiple unsuccessful login attempts
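The mechanism behind such a plugin setting fits in a few hooks. The following must-use plugin is an added example, not code from the post or from any plugin: failed logins are counted per client address in a transient, and once the limit is reached the authenticate filter returns an error instead of a user until the window expires. The hooks are WordPress core; the limit, the lock window and the transient naming are choices made here.

```php
<?php
/**
 * Plugin Name: Login attempt limit (added example)
 *
 * Added example, not from the original post: counts failed logins per client
 * address in a transient and refuses further attempts once the limit is hit.
 * Hooks are WordPress core; the limit, lock window and transient naming are
 * choices made here.
 */

const LOGIN_MAX_FAILURES = 5;
const LOGIN_LOCK_SECONDS = 15 * MINUTE_IN_SECONDS;

/** Transient name for the caller's address. Behind a proxy REMOTE_ADDR is the proxy; adjust there. */
function login_limit_key(): string
{
    return 'login_fail_' . md5($_SERVER['REMOTE_ADDR'] ?? 'unknown');
}

/** Number of failures recorded in the current window. */
function login_failure_count(): int
{
    return (int) get_transient(login_limit_key());
}

/** Whether the caller has reached the limit. */
function login_locked(): bool
{
    return login_failure_count() >= LOGIN_MAX_FAILURES;
}

// Each failed attempt bumps the counter; the transient's TTL is the lock window.
// Attempts made while locked also count, so the window slides until the caller stops.
add_action('wp_login_failed', function () {
    set_transient(login_limit_key(), login_failure_count() + 1, LOGIN_LOCK_SECONDS);
});

// Priority 100: after core's username/email/cookie checks (20-30) and spam check (99),
// so a locked caller is refused even when the password is right.
add_filter('authenticate', function ($user, $username) {
    if ((string) $username !== '' && login_locked()) {
        return new WP_Error('too_many_attempts', sprintf(
            '<strong>Error:</strong> Too many failed logins; try again in %d minutes.',
            LOGIN_LOCK_SECONDS / MINUTE_IN_SECONDS
        ));
    }
    return $user;
}, 100, 2);

// A successful login clears the counter.
add_action('wp_login', fn() => delete_transient(login_limit_key()));
```

Keying on the client address means users behind a shared NAT share one counter; per-username counters catch the case where attempts arrive from many addresses, and a real deployment keeps both.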

15. Issue/Scenario – Two-factor authentication
Description- In this case, the user provides login details for two different components. The website owner decides what those two are. It can be a regular password followed by a secret question, a secret code, a set of characters or, more popular, the Google Authenticator app, which provides a one-time code on your phone. This way, only the person with the respective phone can log in to your site.
How to implement –
By using security plugins such as WP Firewall, Two Factor or Two Factor SMS, developers can easily add two-factor authentication to the WordPress site

16. Issue/Scenario – Email ID as user ID
Description – Using an email ID is more secure than a username, as usernames are easier to predict. Also, any email ID used for login has already been verified as belonging to a valid user at registration time.
How to implement –
In the forms, configure the setting so that the user ID is the user's email ID.

17. Issue/Scenario – Periodic check of the audit log
Description – When running a multi-author website, it is not always possible to watch every activity happening on the website, such as changing themes or widgets, even though these operations are limited to admin permissions. With an audit log, threats can be detected in time and beforehand.
How to implement-
Plugins like “WP Security Audit Log” are available to track the audit logs of a WordPress site

18. Issue/Scenario – Update and remove unnecessary elements
Description – A WordPress site includes many important elements which need to be updated, or removed, in a periodic check: the WordPress theme, the WordPress plugins and WordPress itself
How to implement –
1. Regularly check the versions of WordPress, the theme used and the plugins used, and update them after an impact analysis
2. Remove unwanted themes and plugins from the admin site
3. Hide the version of WordPress, the theme used and the plugins wherever possible
4. No nulled or cracked version of a theme or plugin should be used
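Point 3 asks for versions to be hidden without saying where they appear. As an added example (not the post's code), this must-use plugin removes the WordPress version from the generator meta tag and the feed generator element, and strips the ver= query string that exposes core, theme and plugin versions on every enqueued stylesheet and script URL. All hooks used are WordPress core.

```php
<?php
/**
 * Plugin Name: Hide versions (added example)
 *
 * Added example, not from the original post: removes the WordPress version from
 * the generator tag and feeds, and strips the ?ver= parameter that exposes core,
 * theme and plugin versions on asset URLs. All hooks are WordPress core.
 */

// <meta name="generator" content="WordPress x.y"> in the page head.
remove_action('wp_head', 'wp_generator');
// <generator> element in RSS/Atom feeds.
add_filter('the_generator', '__return_empty_string');

/** Drop the ver= parameter from an enqueued asset URL; other parameters are kept. */
function strip_asset_version(string $src): string
{
    return remove_query_arg('ver', $src);
}
add_filter('style_loader_src', 'strip_asset_version');
add_filter('script_loader_src', 'strip_asset_version');
```

Removing ver= also removes the cache-busting that core relies on when assets change after an update, so pair it with a deploy step that clears caches. The version also appears in readme.html in the web root; deleting that file on deploy is part of the same point.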

19. Issue/Scenario – Direct hit to the URLs
Description – URLs of pages that need login authentication must not be accessible by hitting them directly. On a direct hit of such a URL the page should redirect to the login page.
How to implement-
To achieve this, developers should update the code so that no user can access such a URL directly if not logged in
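One way to implement the redirect in a theme or must-use plugin, as an added example and not the post's code: pages that require login are flagged with a post meta value, and a template_redirect callback sends anonymous requests for them to the login form with a redirect_to back to the page. Hooks and functions are WordPress core; the meta key is a choice made here.

```php
<?php
/**
 * Plugin Name: Login-required pages (added example)
 *
 * Added example, not from the original post: sends anonymous visitors who request
 * a protected page to the login form, and back to the page after login. Hooks and
 * functions are WordPress core; the post meta marker is a choice made here.
 */

const REQUIRES_LOGIN_META = '_requires_login';   // hypothetical post meta: set to "1" on protected pages

/** Whether the current main query is for content that needs an authenticated user. */
function request_requires_login(): bool
{
    if (!is_singular()) {
        return false;
    }
    return get_post_meta(get_queried_object_id(), REQUIRES_LOGIN_META, true) === '1';
}

add_action('template_redirect', function () {
    if (request_requires_login() && !is_user_logged_in()) {
        // 302 to wp-login.php with redirect_to= pointing back here; nocache so the
        // redirect is never served from a cache to a different visitor.
        nocache_headers();
        wp_safe_redirect(wp_login_url(get_permalink(get_queried_object_id())));
        exit;
    }
    // Logged-in users without the needed capability still see the content; add a
    // current_user_can() check here if the page requires a particular role.
});
```

template_redirect guards only the themed front end: a published page stays readable through the REST API and feeds unless those are restricted too, or the page is given Private visibility, which core enforces everywhere.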

20. Issue/Scenario – Comments section on blog/post pages should be secure
Description – Implement approve-comment functionality before comments are displayed on the site, as comments may contain external or suspicious links. Comments can also contain inappropriate language, which needs to be checked before publishing on the site.
How to implement –
The admin can update the settings so that comments on blog pages require approval.

21. Issue/Scenario – Error pages to be handled
Description – When a user encounters any error page, a customized error page should be rendered
How to implement-
Error pages can be handled via the .htaccess file
Add the below mentioned code in the .htaccess file

# With a full URL Apache answers with a 302 redirect to the error page, so the
# client no longer sees the original 401/403/500 status; use a site-relative
# path such as /error-403 if the status code must be preserved.
ErrorDocument 401 http://yourwebsite.com/error-401
ErrorDocument 403 http://yourwebsite.com/error-403
ErrorDocument 500 http://yourwebsite.com/error-500
22. Issue/Scenario – Maintenance page
Description- While the site is under maintenance, the user should be redirected to the customized maintenance page from any URL of the site
How to implement-
Step 1- Create a separate “Down for maintenance” HTML file
Step 2- Upload it to the base WordPress installation directory
Step 3 – Add the below mentioned code in the .htaccess file

# 123.123.123.123 is a placeholder for the maintainer's own IP address, which
# keeps seeing the live site; everyone else gets a temporary (302) redirect.
RewriteEngine on
RewriteCond %{REQUEST_URI} !/maintenance.html$
RewriteCond %{REMOTE_ADDR} !^123\.123\.123\.123
RewriteRule $ /maintenance.html [R=302,L]
23. Issue/Scenario – Restrict hotlinking
Description- Hotlinking means embedding an image by linking directly to the copy hosted on another site instead of hosting the file yourself; the rules below stop other sites doing this with your images.
How to implement-
Add the below mentioned code in the .htaccess file and update the link mentioned in the last line

# Image requests whose Referer is neither empty nor one of your own domains are
# redirected to a replacement image. Host that image where this rule does not
# match it, otherwise the redirect loops.
RewriteEngine on
RewriteCond %{HTTP_REFERER} !^$
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourwebsite.com [NC]
RewriteCond %{HTTP_REFERER} !^http(s)?://(www\.)?yourotherwebsite.com [NC]
RewriteRule \.(jpg|jpeg|png|gif)$ http://abc.testimage.jpg [NC,R,L]
24. Issue/Scenario – Restrict access to .htaccess
Description – The WordPress .htaccess file contains all the important security-related settings, so it is all the more important to restrict public access to this file
How to implement-
Add code –

<Files .htaccess>
order allow,deny
deny from all
satisfy all
</Files>

25. Issue/Scenario – CAPTCHA on all forms
Description – CAPTCHAs are designed to protect the site from hackers or spammers: they keep automated clients away from sensitive information, block spam and automated attacks, and can restrict access to a website.
How to implement –
Several plugins are available to add a CAPTCHA to the forms on your website, e.g. Google Captcha; you just need to install and configure the plugin.

26. Issue/Scenario – Take backups of database and files
Description – Taking backups of your database and files periodically is the best and standard practice. Periodic backups will certainly help you in unfortunate events like a hacked website or malware injection.
How to implement –
WordPress plugins are available to take backups, like BackupBuddy or VaultPress by Jetpack. Some hosting platforms also provide a backup feature.
