VULNERABILITY FIXATION
Tool used for scan: WPScan
Each finding below lists the vulnerability WPScan reported, the fixation applied, and the plugin used for the fixation where one was used.
Vulnerability: Full path disclosure. Many WordPress sites reveal the internal (full) filesystem path where the PHP files are installed whenever a PHP error message is displayed to the visitor. An attacker can use that path to facilitate further attacks such as path traversal.
Fixation: stop PHP from displaying errors to the browser (keep logging them server-side with log_errors so they are not lost).
– In php.ini, add the line: display_errors = Off
– In an .htaccess file, add the line: php_flag display_errors off (this only takes effect when PHP runs as an Apache module; under PHP-FPM the directive is not recognised and the setting must go in php.ini or the pool configuration).
Plugin used for fixation: BulletProof Security
Vulnerability: File editing enabled. The theme and plugin editors in the WordPress dashboard let any administrator session write PHP files to the server, so a stolen or brute-forced admin account turns directly into code execution. It is recommended to disable file editing within the dashboard, which needs one change in wp-config.php.
Fixation: in wp-config.php, above the line that requires wp-settings.php, add:
define('DISALLOW_FILE_EDIT', true);
Plugin used for fixation: none (configuration change only)
Vulnerability: readme.html present. Whenever WordPress is installed or updated, a file called readme.html is placed in the document root. It discloses the installed WordPress version, which helps an attacker pick exploits that match that version. It is good practice not to keep readme.html in the document root.
Fixation: delete readme.html from the document root, and repeat this after each core update, since updates put the file back.
Plugin used for fixation: none (configuration change only)
Vulnerability: Directory browsing enabled. If directory listing is turned on, the web server answers a request for a directory that has no index file with an HTML page listing its contents. Anyone on the web can then visit a directory on the site (wp-content/uploads/ is the usual target), see what files exist there and download them.
Fixation: disable directory browsing by adding the following to the .htaccess file:
# Disable Directory Browsing
Options All -Indexes
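The four fixes above are easy to lose again (a core update restores readme.html, a redeploy can overwrite .htaccess), so here is a small audit that re-checks them. This is an added example written for this page, not part of the original report or of any WordPress plugin; the file locations it reads (php.ini, .htaccess, wp-config.php and readme.html in the document root), the finding labels it returns, and the BEFORE_FIX/AFTER_FIX fixtures are its own constructed assumptions.

```python
"""Offline audit of the WPScan fixes above (added example, not from the original report)."""
import os
import re
import sys
from typing import Dict, List, Optional, Set

# Files inspected, relative to the WordPress document root (assumed locations).
AUDIT_FILES = ("php.ini", ".htaccess", "wp-config.php", "readme.html")


def load_site(root: str) -> Dict[str, Optional[str]]:
    """Read the audited files from a real install; None marks a file that is absent."""
    files: Dict[str, Optional[str]] = {}
    for name in AUDIT_FILES:
        path = os.path.join(root, name)
        if os.path.isfile(path):
            with open(path, encoding="utf-8", errors="replace") as fh:
                files[name] = fh.read()
        else:
            files[name] = None
    return files


def _ini_value(ini: Optional[str], key: str) -> Optional[str]:
    """Last uncommented `key = value` in a php.ini body (later lines win), or None."""
    if ini is None:
        return None
    found = None
    for raw in ini.splitlines():
        line = raw.split(";", 1)[0].strip()          # ';' starts a php.ini comment
        m = re.match(r"([\w.]+)\s*=\s*(.*)$", line)
        if m and m.group(1).lower() == key.lower():
            found = m.group(2).strip().strip("\"'")
    return found


def _active_lines(body: Optional[str], comment: str) -> List[str]:
    """Non-empty lines of a config file, minus those starting with the comment marker."""
    if body is None:
        return []
    lines = (ln.strip() for ln in body.splitlines())
    return [ln for ln in lines if ln and not ln.startswith(comment)]


def audit(files: Dict[str, Optional[str]]) -> Set[str]:
    """Return the set of findings from the report that are still present."""
    findings: Set[str] = set()
    htaccess = _active_lines(files.get(".htaccess"), "#")

    # 1. Full path disclosure: display_errors must be off either in php.ini or through
    #    an .htaccess php_flag/php_value line. PHP's built-in default is "1" (on), so a
    #    missing setting counts as enabled; an empty value ("display_errors =") is off.
    ini_val = _ini_value(files.get("php.ini"), "display_errors")
    ini_off = (ini_val if ini_val is not None else "1").lower() in ("off", "0", "false", "")
    ht_off = any(re.match(r"php_(flag|value)\s+display_errors\s+(off|0)\b", ln, re.I)
                 for ln in htaccess)
    if not (ini_off or ht_off):
        findings.add("full_path_disclosure")

    # 2. File editing: DISALLOW_FILE_EDIT must be defined as true in wp-config.php
    #    on a line that is not commented out with // or #.
    config = _active_lines(files.get("wp-config.php"), "//")
    edit_disabled = any(
        re.search(r"define\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*true\s*\)", ln, re.I)
        for ln in config if not ln.startswith("#"))
    if not edit_disabled:
        findings.add("file_editing_enabled")

    # 3. readme.html in the document root discloses the WordPress version.
    if files.get("readme.html") is not None:
        findings.add("readme_html_present")

    # 4. Directory browsing: an Options line that removes Indexes must be present.
    if not any(re.match(r"Options\b.*-Indexes\b", ln, re.I) for ln in htaccess):
        findings.add("directory_browsing_enabled")

    return findings


# Constructed fixtures: the state WPScan reported, and the state after applying the fixes.
BEFORE_FIX: Dict[str, Optional[str]] = {
    "php.ini": "; development defaults\ndisplay_errors = On\nlog_errors = Off\n",
    ".htaccess": "# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n",
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wordpress');\n"
                     "// define('DISALLOW_FILE_EDIT', true);\n"
                     "require_once ABSPATH . 'wp-settings.php';\n",
    "readme.html": "<!DOCTYPE html><title>WordPress ReadMe</title>\n",
}
AFTER_FIX: Dict[str, Optional[str]] = {
    "php.ini": "display_errors = Off\nlog_errors = On\nerror_log = /var/log/php_errors.log\n",
    ".htaccess": "php_flag display_errors off\n# Disable Directory Browsing\n"
                 "Options All -Indexes\n# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n",
    "wp-config.php": "<?php\ndefine('DB_NAME', 'wordpress');\n"
                     "define('DISALLOW_FILE_EDIT', true);\n"
                     "require_once ABSPATH . 'wp-settings.php';\n",
    "readme.html": None,  # file deleted
}

if __name__ == "__main__":
    # Audit a real document root if one is given, otherwise the constructed fixtures.
    targets = {sys.argv[1]: load_site(sys.argv[1])} if len(sys.argv) > 1 else {
        "before fix": BEFORE_FIX, "after fix": AFTER_FIX}
    for label, site in targets.items():
        print(f"{label}: {sorted(audit(site)) or 'no findings'}")
```

Run it with the document root as the only argument to audit a real install, or with no argument to see the two fixtures. The php.ini value and the .htaccess php_flag override are checked separately because either one silences error display; a commented-out define() in wp-config.php is deliberately not counted, since that is the most common way the file-editing fix is "applied" without taking effect.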
Vulnerability: WordPress user enumeration, leading to a password brute-force attack. Valid usernames harvested by enumeration (for example through the author archive URLs WordPress exposes) reduce a login brute force to guessing passwords only.
Fixation: put HTTP Basic authentication in front of the WordPress administration area, so the dashboard cannot be reached without a second credential that WordPress never sees. Activate the directives below in an .htaccess file in the wp-admin directory and point AuthUserFile at an .htpasswd file kept outside the web root. The .htpasswd file stores username and password-hash pairs which the web server uses to authenticate users; create it with the htpasswd command-line tool (for example htpasswd -c /srv/auth/.htpasswd admin) rather than an online password file generator, which would hand the password to a third party. In the .htaccess file:
# Stop WordPress username enumeration vulnerability
AuthType Basic
AuthName "WordPress Authenticated area."
AuthUserFile /srv/auth/.htpasswd
Require valid-user
Two caveats a practitioner should know: wp-login.php lives in the document root, not in wp-admin, so the login form itself is only protected if the same directives are also applied to that file (for example inside a <Files wp-login.php> block in the root .htaccess); and if the theme calls wp-admin/admin-ajax.php for anonymous visitors, that file has to be exempted from the authentication or the front end breaks. Basic auth also does not stop enumeration through author archives or the REST API by itself; that is what the plugin below addresses.
Plugin used for fixation: Wordfence / Stop User Enumeration
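Blocking is one half of the fix; the other is noticing the enumeration and the brute force in the access log, both before and after the change. The following detector is an added example, not code from the original report, from Wordfence or from the Stop User Enumeration plugin; it assumes Apache combined log format, and the IP addresses, timestamps and thresholds in it are constructed for the demonstration.

```python
"""Detect user enumeration and login brute force in Apache access logs (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Combined log format: ip ident user [time] "method path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")

Record = Tuple[str, datetime, str, str, int]


def parse_line(line: str) -> Optional[Record]:
    """Split one access-log line into (ip, time, method, path, status); None if malformed."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["method"], m["path"], int(m["status"])


def detect(lines: Iterable[str], window: int = 60, login_threshold: int = 10,
           author_threshold: int = 3) -> Dict[str, List[str]]:
    """Per source IP, alerts for ?author= scanning, REST user listing and login floods."""
    author_ids: Dict[str, set] = defaultdict(set)
    rest_hits: Dict[str, int] = defaultdict(int)
    login_posts: Dict[str, List[datetime]] = defaultdict(list)

    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _status = rec
        bare_path = path.split("?")[0]
        m = AUTHOR_RE.search(path)
        if m:                                   # /?author=N redirects to /author/<login>/
            author_ids[ip].add(int(m.group(1)))
        if bare_path.startswith("/wp-json/wp/v2/users"):
            rest_hits[ip] += 1                  # REST endpoint that lists user logins
        if method == "POST" and bare_path.endswith("/wp-login.php"):
            login_posts[ip].append(ts)

    alerts: Dict[str, List[str]] = defaultdict(list)
    for ip, ids in author_ids.items():
        if len(ids) >= author_threshold:
            alerts[ip].append(f"author enumeration: {len(ids)} distinct ?author= ids")
    for ip, n in rest_hits.items():
        alerts[ip].append(f"REST user listing requested {n} time(s)")
    for ip, stamps in login_posts.items():
        stamps.sort()
        start, peak = 0, 0
        for end, t in enumerate(stamps):        # sliding window over sorted timestamps
            while t - stamps[start] > timedelta(seconds=window):
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= login_threshold:
            alerts[ip].append(f"login brute force: {peak} POST /wp-login.php within {window}s")
    return dict(alerts)


def build_sample_log() -> List[str]:
    """Constructed log lines: one attacker (203.0.113.7) and one legitimate editor."""
    t0 = datetime(2024, 5, 1, 13, 55, 0, tzinfo=timezone.utc)

    def line(ip: str, offset: int, method: str, path: str, status: int) -> str:
        ts = (t0 + timedelta(seconds=offset)).strftime("%d/%b/%Y:%H:%M:%S %z")
        return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'

    attacker, editor = "203.0.113.7", "198.51.100.2"
    # ?author=1 and 2 exist (302 to the author archive), 3 and 4 do not (404).
    log = [line(attacker, i, "GET", f"/?author={i + 1}", 302 if i < 2 else 404) for i in range(4)]
    log.append(line(attacker, 5, "GET", "/wp-json/wp/v2/users", 200))
    log += [line(attacker, 10 + 2 * i, "POST", "/wp-login.php", 200) for i in range(12)]
    log += [line(editor, 3, "GET", "/", 200),
            line(editor, 8, "POST", "/wp-login.php", 302),
            line(editor, 9, "GET", "/wp-admin/", 200),
            "garbage line that does not parse"]
    return log


if __name__ == "__main__":
    for ip, found in detect(build_sample_log()).items():
        print(ip, *found, sep="\n  ")
```

The login rule counts POSTs inside a sliding window rather than a flat total, so an editor who mistypes a password a few times over a day does not trip it while a scripted attack does. Feed it a real log with detect(open("/var/log/apache2/access.log")).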
Vulnerability: bbPress plugin vulnerability (input path disclosure and SQL injection).
If user input is not properly validated and escaped before it is used in a query, an attacker can replace the expected input with SQL fragments that are sent directly to the database, reading or changing data the plugin never meant to expose.
Fixation: keep bbPress updated to a release in which the issue is fixed (see the next finding), and in plugin code pass user input to the database only through $wpdb->prepare() placeholders, never by concatenating it into the SQL string.
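The same failure mode shown in working code: this is an added example for this page, not bbPress or WordPress code, and it uses Python's sqlite3 on a constructed wp_users table to stand in for $wpdb against MySQL. The account names, hashes and payloads are made up; the point is the difference between splicing input into the SQL text and binding it as a parameter, which is what $wpdb->prepare() does.

```python
"""SQL injection versus a prepared statement, on a constructed wp_users table
(added example; WordPress itself queries MySQL through $wpdb)."""
import sqlite3
from typing import List


def demo_db() -> sqlite3.Connection:
    """In-memory wp_users with three accounts and fake password hashes (constructed data)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)")
    conn.executemany("INSERT INTO wp_users (user_login, user_pass) VALUES (?, ?)",
                     [("admin", "$P$B_fake_hash_1"), ("editor", "$P$B_fake_hash_2"),
                      ("alice", "$P$B_fake_hash_3")])
    return conn


def find_login_vulnerable(conn: sqlite3.Connection, user_login: str) -> List[str]:
    """Equivalent of $wpdb->get_col("SELECT user_login ... WHERE user_login = '$login'"):
    the input becomes part of the SQL text, so a quote inside it rewrites the query."""
    sql = f"SELECT user_login FROM wp_users WHERE user_login = '{user_login}'"
    return [row[0] for row in conn.execute(sql)]


def find_login_safe(conn: sqlite3.Connection, user_login: str) -> List[str]:
    """Equivalent of $wpdb->prepare("... WHERE user_login = %s", $login): the value is
    bound as a parameter and is never parsed as SQL, whatever characters it contains."""
    sql = "SELECT user_login FROM wp_users WHERE user_login = ?"
    return [row[0] for row in conn.execute(sql, (user_login,))]


# Constructed attacker inputs: the first turns the WHERE clause into a tautology, the
# second appends a UNION that pulls every password hash out through the login column.
TAUTOLOGY = "x' OR '1'='1"
UNION_DUMP = "x' UNION SELECT user_pass FROM wp_users -- "

if __name__ == "__main__":
    db = demo_db()
    for payload in (TAUTOLOGY, UNION_DUMP):
        print("vulnerable:", find_login_vulnerable(db, payload))
        print("prepared:  ", find_login_safe(db, payload))
```

Against the vulnerable function the tautology returns every account and the UNION payload returns the hash column; the prepared version returns nothing for either, because the whole payload is compared literally against user_login.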
Vulnerability: Plugins not updated. Known vulnerabilities in outdated plugins are one of the main ways WordPress sites get compromised, because working exploits for old versions are public.
Fixation: turn on automatic updates for plugins (the auto_update_theme filter does the same for themes) with the filter below. This is PHP that must run after WordPress has loaded, so it belongs in a must-use plugin (a file in wp-content/mu-plugins/) or the theme's functions.php, not in wp-config.php, where add_filter() is not yet defined:
add_filter( 'auto_update_plugin', '__return_true' );
Plugin used for fixation: none (configuration change only)
Vulnerability: Disclosed version number.
Fixation: remove readme.html from the document root as described above. Note that WordPress also prints the version in the generator meta tag on every page and in the ?ver= query string of its own scripts and styles, so removing the file alone does not fully hide it.