AI Generated Content Disclaimer
Note: This summary is AI-generated and may contain inaccuracies, errors, or omissions. If you spot any issues, please contact the site owner for corrections. Errors or omissions are unintended.
This Null Bachaav community workshop walks through WordPress internals, setup procedures, and comprehensive security hardening, covering attack vectors at the core, plugin, and theme levels along with practical defense strategies using .htaccess and child themes.
Key Topics Covered
WordPress Internals:
Execution flow: index.php defines WP_USE_THEMES and includes wp-blog-header.php
wp-blog-header loads wp-config.php (database and constants) and wp-settings.php (plugins, pluggable functions)
Request lifecycle: path declaration, query parsing, HTTP headers, template redirections
Theme rendering: header, loop, widget/sidebar, footer
Key files: wp-config.php, wp-settings.php, .htaccess, /wp-admin/, /wp-content/ (plugins, themes), /wp-includes/
Setup Methods:
Shared hosting: Upload via FTP and run install.php, or use hosting control panel
VPS/Dedicated: Upload via SSH/FTP, or sync via SVN for version control
Core-Level Attack Vectors:
Full path disclosures through error messages
Enumeration attacks: username (?author=1 redirects to /author/username), attachment (?attachment=1), plugin/theme discovery via predictable URLs (wp-content/plugins/, readme.txt)
Account brute force enabled by different error messages for invalid username vs. invalid password
Version disclosure at multiple locations
XMLRPC-based SSRF attacks and DDoS potential
Additional Attack Vectors:
Plugin/theme vulnerabilities from old or poorly coded files
Vulnerable code in core
Permission and access misconfigurations
SWF and TimThumb-related attacks
Clickjacking, comment spam, dangerous HTTP methods (PUT)
Defense Strategies:
Key Principle: Never modify WordPress core files directly (upgrades overwrite them)
Using .htaccess:
Redirections via RewriteCond/RewriteRule
Custom directives: DirectoryIndex, ServerSignature Off, Header unset ETag
Access restrictions on sensitive directories and files
Child Theme Approach (Recommended):
Create a child theme folder that inherits from parent theme
style.css whose header carries a Template: line naming the parent theme, plus an @import of the parent stylesheet
functions.php for function overrides using remove_action/add_action
Survives theme updates unlike direct theme modifications
Mitigations:
Set display_errors = Off in php.ini to prevent full path disclosure
Implement clickjacking protection headers
Address XMLRPC issues
Disable dangerous HTTP methods
Use automated scanners for continuous monitoring
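As an added example (not from the workshop or its slides), the .htaccess fragment below combines the directives listed under "Using .htaccess" and "Mitigations" into one hardening block. It assumes Apache 2.4 with mod_rewrite and mod_headers enabled and AllowOverride permitting these sections; blocking xmlrpc.php outright is an assumption that only holds if nothing on the site (Jetpack, the mobile app, pingbacks) needs it.

```apacheconf
# Added hardening example for a WordPress document root (assumes Apache 2.4,
# mod_rewrite and mod_headers loaded, AllowOverride FileInfo/Options/Limit).

# Hide the server version banner on error pages and serve index.php first
ServerSignature Off
DirectoryIndex index.php
Options -Indexes

<IfModule mod_headers.c>
    # Clickjacking protection: only same-origin pages may frame the site
    Header always set X-Frame-Options "SAMEORIGIN"
    # Drop ETags, which can leak inode/size details across servers
    Header unset ETag
</IfModule>
FileETag None

# Deny direct access to config, .htaccess, version-leaking readmes and XML-RPC
# (xmlrpc.php is an assumption: remove it if a plugin or client relies on it)
<FilesMatch "^(wp-config\.php|\.htaccess|readme\.html|readme\.txt|license\.txt|xmlrpc\.php)$">
    Require all denied
</FilesMatch>

<IfModule mod_rewrite.c>
    RewriteEngine On

    # Refuse dangerous HTTP methods with 403; GET/POST/HEAD remain allowed
    RewriteCond %{REQUEST_METHOD} ^(PUT|DELETE|TRACE|TRACK|OPTIONS)$ [NC]
    RewriteRule .* - [F,L]

    # Stop ?author=N username enumeration on the public site
    # (wp-admin is excluded so the dashboard's author filters keep working)
    RewriteCond %{REQUEST_URI} !^/wp-admin [NC]
    RewriteCond %{QUERY_STRING} (^|&)author=\d+ [NC]
    RewriteRule ^ - [F,L]
</IfModule>
```

Verify on a staging copy first: a request such as GET /?author=1 and any PUT or TRACE request should now return 403, and a curl -I against the home page should show X-Frame-Options but no ETag header.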
Actionable Takeaways
WordPress security starts with understanding the execution flow and file structure
Never modify core or parent theme files directly; use .htaccess and child themes
Username enumeration through ?author=1 is a commonly overlooked information leak
XMLRPC presents significant attack surface for SSRF and DDoS
Plugin and theme enumeration is trivial due to predictable URL patterns