Looking for WordPress vulnerabilities with WPScan
Conclusion
After reading this article, I trust any WordPress website owners will immediately confirm that they have Jetpack Protect (or an alternative) installed and activated on their websites.
It's not an exaggeration to say that the sands are continually shifting in this area. If it hasn't already occurred to you, attackers may use the same tools that you use to defend your websites to cause damage.
If you are anything like me, you will find WPScan's findings fascinating. Hopefully, you will pay closer attention to security alerts when they are announced in the future and log into the WordPress dashboard more frequently to check for timely advisories from clever automated security plugins like Jetpack Protect.
Infos
- WordPress: https://wordpress.com
- PHP: https://www.php.net
- "How Attackers Slip Inside WordPress" by Chris Binnie, Linux Magazine, issue 275, October 2023, pp. 34-39
- WPScan: https://wpscan.com/wordpress-security-scanner
- Jetpack Protect: https://jetpack.com/protect
- Jetpack pricing: https://cloud.jetpack.com/pricing
- Ubuntu installation instructions: https://ubuntu.com/tutorials/install-and-configure-wordpress#1-overview
- Debian "bullseye" instructions: https://cloudinfrastructureservices.co.uk/install-wordpress-on-debian-10-11/
- Downloading WordPress: https://wordpress.org/latest.zip
- Installing with a Ruby gem: https://github.com/wpscanteam/wpscan/wiki/WPScan-User-Documentation
- Let's Encrypt: https://letsencrypt.org
- TimThumb: https://blog.sucuri.net/2019/08/timthumb-attacks-the-scale-of-legacy-malware-infections.html
- API Details: https://wpscan.com/api
- CVE Numbering Authority: https://www.cve.org/ProgramOrganization/CNAs
- Swagger: https://wpscan.com/docs/api/v3/
- "A Complete Guide on xmlrpc.php in WordPress" by Rachel McCollin, June 30, 2023: https://kinsta.com/blog/xmlrpc-php
« Previous 1 2 3
Buy this article as PDF
(incl. VAT)