WordPress-based Websites
How to Secure Your WordPress Website
Shehu Awwal
Damilare D. Fagbemi
This book is completely free. If you would like to publish some or all parts of this book, you should give credit to Hack Null or the authors, Shehu Awwal and Damilare D. Fagbemi.
Acknowledgements
First, I must thank Almighty God who has bestowed knowledge upon me.
I thank my Parents who have allowed me to pursue my passion, and have given
me advice. They have always guided me.
I thank my brothers and sisters.
I thank Olusegun Ibrahim Bankole-Hameed who is a childhood friend of my Dad
and part of our family, who has always been a source of encouragement.
Thanks to Jibril Ashiru, Ali Fakandu, Aliu Salis, Danlami, Mudassir Abdool, Comseer, Sani, Ismail, Adegboyega Mahmud and other people I couldn't mention here.
I thank my friends both online and offline.
And lastly, I thank my fellow hackers and penetration testers.
- Shehu Awwal
Credits
I must express my deep respect for every ethical hacker and information security
professional, as I know too well the depth of patience and sacrifice that the field
of Information Security requires.
Shehu Awwal
Contents
Acknowledgements (p. 2)
Credits (p. 3)
About The Authors (p. 4)
Chapter 1: Initial Discussions about WordPress Security (p. 6)
Chapter 2: How Hackers Gather Information about Target Systems (p. 8)
Chapter 3: Removing the WordPress Meta Tag and Read Me Information (p. 10)
Chapter 4: Prevent Access to the wp-contents And wp-includes Directories (p. 12)
Chapter 5: Hiding the wp-contents and wp-includes Directories from Search Engines (p. 13)
Chapter 6: Preventing Clickjacking in WordPress (p. 14)
Chapter 7: Utilizing the Internet Security Services of Cloudflare CDN (p. 16)
Chapter 8: Penetration Testing with the D-TECT Scanner by Shawar Khan (p. 17)
the same name, had its official website defaced by a group of hackers. It's rather interesting that a tool recognized for scanning websites against different types of attacks had its own official website compromised.
Chapter 5: Hiding the wp-contents and wp-includes Directories from Search Engines
In Chapter 2, we looked at how hackers gather information from websites by interacting directly with the target. Even after such access has been prevented, it is often possible to glean similar information from search engines. Once you have stopped anyone from reading http://www.site.com/wp-contents and http://www.site.com/wp-includes directly on your website, the other way to reach that information is through a search engine's index. So the next step is to prevent search engines from crawling wp-includes, wp-contents (the directory WordPress itself names wp-content, as in the rules below) and other sensitive directories.
To prevent search engines from reading this information, follow these steps:
Step 1: Log in to your cPanel / FTP.
Step 2: Click on File Manager and select your website.
Step 3: Scroll down until you see robots.txt. Add the lines below to it and save the file.
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /feed/
Disallow: */feed/
That's all there is to it.
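As an added example (not code from the handbook), the script below parses a robots.txt with Python's standard library and reports which sensitive WordPress paths a rule-following crawler could still fetch, so you can confirm the rules above took effect; www.site.com and the sample file are constructed placeholders. Keep in mind that robots.txt only asks crawlers to stay away: blocking direct requests is the job of the server-side restrictions from Chapter 4.

```python
"""Check that a WordPress robots.txt carries the Disallow rules from Chapter 5.

Added example, not from the handbook. The parsing is done offline with
urllib.robotparser, so no request is made to any site.
"""
import urllib.robotparser

# Sample robots.txt constructed for this example: the Chapter 5 rules with
# /feed/ deliberately left out, so one check fails and shows up in the report.
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
"""

# Representative paths (constructed) that the rules are meant to keep out of
# search indexes; plugin and theme names are placeholders.
SENSITIVE_PATHS = [
    "/wp-admin/",
    "/wp-includes/js/jquery/jquery.js",
    "/wp-content/plugins/some-plugin/readme.txt",
    "/wp-content/themes/some-theme/style.css",
    "/feed/",
]


def crawlable_paths(robots_txt, paths, site="http://www.site.com"):
    """Return the subset of `paths` that a crawler honouring robots.txt
    (matched under User-agent: *) would still be allowed to fetch."""
    parser = urllib.robotparser.RobotFileParser()
    parser.parse(robots_txt.splitlines())
    return [p for p in paths if parser.can_fetch("*", site + p)]


def robots_txt_is_complete(robots_txt, paths=SENSITIVE_PATHS):
    """True when every sensitive path is disallowed for all crawlers."""
    return not crawlable_paths(robots_txt, paths)


if __name__ == "__main__":
    still_open = crawlable_paths(SAMPLE_ROBOTS_TXT, SENSITIVE_PATHS)
    for path in still_open:
        print("still crawlable:", path)
    print("robots.txt complete" if not still_open else "Disallow rules missing")
```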
width="1247"
</body>
</html>
Step 2: Don't forget to replace www.site.com with the URL of the WordPress site you want to test.
Step 3: Save the file as Clickjack.html, and don't forget to choose "All files" as the file type when saving.
Step 4: Open it in your browser. If the site renders inside the iframe, it can be framed by another page, which is what clickjacking relies on.
Thanks for reading this handbook; we hope you have found it useful. There may be updates as we keep exploring how to strengthen WordPress security.
Note: If you require professional assistance with implementing some of the guidelines we have provided, please reach out to awwalshehu@gmail.com OR shehu@hacknull.com for penetration testing consulting.