Secure WordPress (Null Bachaav)
AI Generated Summary
AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This Null Bachaav community workshop walks through WordPress internals, setup procedures, and comprehensive security hardening, covering attack vectors at the core, plugin, and theme levels along with practical defense strategies using .htaccess and child themes.
Key Topics Covered
WordPress Internals:
- Execution flow: index.php defines WP_USE_THEMES and includes wp-blog-header.php
- wp-blog-header loads wp-config.php (database and constants) and wp-settings.php (plugins, pluggable functions)
- Request lifecycle: path declaration, query parsing, HTTP headers, template redirections
- Theme rendering: header, loop, widget/sidebar, footer
- Key files: wp-config.php, wp-settings.php, .htaccess, /wp-admin/, /wp-content/ (plugins, themes), /wp-includes/
Setup Methods:
- Shared hosting: Upload via FTP and run install.php, or use hosting control panel
- VPS/Dedicated: Upload via SSH/FTP, or sync via SVN for version control
Core-Level Attack Vectors:
- Full path disclosures through error messages
- Enumeration attacks: username (?author=1 redirects to /author/username), attachment (?attachment=1), plugin/theme discovery via predictable URLs (wp-content/plugins/, readme.txt)
- Account brute force enabled by different error messages for invalid username vs. invalid password
- Version disclosure at multiple locations
- XMLRPC-based SSRF attacks and DDoS potential
Additional Attack Vectors:
- Plugin/theme vulnerabilities from old or poorly coded files
- Vulnerable code in core
- Permission and access misconfigurations
- SWF and TimThumb-related attacks
- Clickjacking, comment spam, dangerous HTTP methods (PUT)
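The two lists above name request patterns a defender can spot in web server logs. The following is an added example, not code from the workshop: a small PHP command-line script that parses Apache combined-format access lines and counts, per client address, the author and attachment enumeration probes, XML-RPC POSTs, plugin/theme readme.txt probes and dangerous HTTP methods described here. The log lines are constructed for illustration, and the reporting threshold (two hits from one address) is an arbitrary assumption.

```php
<?php
// Added example (not from the Null Bachaav workshop): flag WordPress
// enumeration and abuse patterns in Apache combined-format access logs.
// The log sample below is constructed; the addresses are documentation ranges.

const SAMPLE_LOG = <<<'LOG'
203.0.113.5 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "curl/8.0"
203.0.113.5 - - [10/Mar/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "curl/8.0"
198.51.100.9 - - [10/Mar/2024:10:01:00 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
198.51.100.9 - - [10/Mar/2024:10:01:01 +0000] "POST /xmlrpc.php HTTP/1.1" 200 370 "-" "python-requests/2.31"
192.0.2.7 - - [10/Mar/2024:10:02:00 +0000] "GET /wp-content/plugins/akismet/readme.txt HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.0.2.7 - - [10/Mar/2024:10:02:01 +0000] "GET /about/ HTTP/1.1" 200 5400 "-" "Mozilla/5.0"
192.0.2.8 - - [10/Mar/2024:10:03:00 +0000] "PUT /uploads/x.php HTTP/1.1" 405 0 "-" "Mozilla/5.0"
LOG;

// Extract client IP, timestamp, method, request target and status code.
function parse_line(string $line): ?array {
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return ['ip' => $m[1], 'time' => $m[2], 'method' => $m[3], 'path' => $m[4], 'status' => (int) $m[5]];
}

// Map one request to one of the attack-vector categories from the summary, or null.
function classify(array $r): ?string {
    $path  = parse_url($r['path'], PHP_URL_PATH) ?? '';
    $query = parse_url($r['path'], PHP_URL_QUERY) ?? '';
    parse_str($query, $q);

    if (in_array($r['method'], ['PUT', 'DELETE', 'TRACE'], true)) {
        return 'dangerous_method';
    }
    if (isset($q['author']) && ctype_digit((string) $q['author'])) {
        return 'author_enum';
    }
    if (isset($q['attachment'])) {
        return 'attachment_enum';
    }
    if ($r['method'] === 'POST' && $path === '/xmlrpc.php') {
        return 'xmlrpc_post';
    }
    if (preg_match('#^/wp-content/(plugins|themes)/[^/]+/readme\.txt$#', $path)) {
        return 'plugin_theme_probe';
    }
    return null;
}

// Count categories per source address; report repeated probes and any
// dangerous method at all (a single PUT is already worth a look).
function findings(string $log, int $threshold = 2): array {
    $counts = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        $kind = classify($r);
        if ($kind === null) {
            continue;
        }
        $counts[$r['ip']][$kind] = ($counts[$r['ip']][$kind] ?? 0) + 1;
    }
    $out = [];
    foreach ($counts as $ip => $kinds) {
        foreach ($kinds as $kind => $n) {
            if ($n >= $threshold || $kind === 'dangerous_method') {
                $out[] = sprintf('%s: %d x %s', $ip, $n, $kind);
            }
        }
    }
    return $out;
}

foreach (findings(SAMPLE_LOG) as $f) {
    echo $f, PHP_EOL;
}
```

Run with `php scan.php`; on the constructed sample it reports the sequential ?author= sweep from 203.0.113.5, the repeated xmlrpc.php POSTs from 198.51.100.9 and the single PUT from 192.0.2.8, while the lone readme.txt request stays below the threshold. On a real site, feed the script the access log of the virtual host and tune the threshold to the traffic volume.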
Defense Strategies:
Key Principle: Never modify WordPress core files directly (upgrades overwrite them)
Using .htaccess:
- Redirections via RewriteCond/RewriteRule
- Custom directives: DirectoryIndex, ServerSignature Off, Header unset ETag
- Access restrictions on sensitive directories and files
Child Theme Approach (Recommended):
- Create a child theme folder that inherits from parent theme
- style.css with a Template: header naming the parent theme and an @import of the parent stylesheet
- functions.php for function overrides using remove_action/add_action
- Survives parent theme updates, unlike direct modifications to the parent theme's files
Mitigations:
- Set display_errors = Off in php.ini to prevent full path disclosure
- Implement clickjacking protection headers
- Address XMLRPC issues
- Disable dangerous HTTP methods
- Use automated scanners for continuous monitoring
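The child theme approach and the mitigations list above fit together in one file. The following functions.php is an added example, not code from the workshop or from WordPress itself; it assumes a hypothetical child theme whose style.css header carries `Template: parent-theme` (the parent's directory name is an assumption). It implements the theme-level mitigations with WordPress hooks that exist in core: version disclosure, XML-RPC, the ?author= username enumeration redirect, uniform login errors and clickjacking headers. It goes a little beyond the page's @import suggestion by enqueuing the parent stylesheet, which is what WordPress now recommends. The server-level items in the summary (ServerSignature Off, disabling PUT, display_errors in php.ini) belong in .htaccess and php.ini and are not reproduced here.

```php
<?php
/**
 * functions.php of a hypothetical child theme (assumed directory: parent-theme-child).
 * Added example, not code from the Null Bachaav workshop or from WordPress core.
 * Assumes the child's style.css header contains "Template: parent-theme".
 */

// 1. Child theme CSS: enqueue the parent stylesheet, then the child's own,
//    instead of @import in style.css (same effect, one fewer serial fetch).
add_action( 'wp_enqueue_scripts', function () {
    wp_enqueue_style( 'parent-style', get_template_directory_uri() . '/style.css' );
    wp_enqueue_style( 'child-style', get_stylesheet_uri(), array( 'parent-style' ) );
} );

// 2. Version disclosure: drop the <meta name="generator"> tag from the <head>
//    and the generator string from feeds. (Version strings in enqueued asset
//    URLs and readme.html are separate leaks; see the summary's other items.)
remove_action( 'wp_head', 'wp_generator' );
add_filter( 'the_generator', '__return_empty_string' );

// 3. XML-RPC: disable it when no remote publishing client needs it, and stop
//    advertising the pingback endpoint in the X-Pingback response header.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'wp_headers', function ( $headers ) {
    unset( $headers['X-Pingback'] );
    return $headers;
} );

// 4. Username enumeration: redirect_canonical() turns ?author=N into
//    /author/<login>/ on template_redirect at priority 10, so intercept the
//    raw ?author= query before it runs. (The REST API users endpoint is a
//    separate path and is not covered by this hook.)
add_action( 'template_redirect', function () {
    if ( isset( $_GET['author'] ) && ! is_admin() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 1 );

// 5. Brute force assistance: one message whether the username or the
//    password was wrong, so wp-login.php no longer confirms valid usernames.
add_filter( 'login_errors', function () {
    return 'Invalid login credentials.';
} );

// 6. Clickjacking: send X-Frame-Options: SAMEORIGIN on front-end responses
//    (core already does this for wp-admin) plus the CSP equivalent.
add_action( 'send_headers', 'send_frame_options_header' );
add_action( 'send_headers', function () {
    if ( ! headers_sent() ) {
        header( "Content-Security-Policy: frame-ancestors 'self'" );
    }
} );
```

Activate the child theme in Appearance > Themes and verify with a browser's network panel or curl that the front page no longer carries a generator meta tag or X-Pingback header, that a POST to xmlrpc.php is refused, that `/?author=1` lands on the home page rather than an author archive, and that responses include X-Frame-Options. Because everything lives in the child theme, the hardening survives parent theme updates, which is the point of the approach the workshop recommends.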
Actionable Takeaways
- WordPress security starts with understanding the execution flow and file structure
- Never modify core or parent theme files directly; use .htaccess and child themes
- Username enumeration through ?author=1 is a commonly overlooked information leak
- XMLRPC presents significant attack surface for SSRF and DDoS
- Plugin and theme enumeration is trivial due to predictable URL patterns