
How to Secure Your WordPress Website
A Security Guide for WordPress-based Websites

Shehu Awwal
Damilare D. Fagbemi

Copyright 2016 Hack Null

This book is completely free. If you would like to republish some or all of it,
you should credit Hack Null or the authors, Shehu Awwal and Damilare D. Fagbemi.

Acknowledgements
First, I must thank Almighty God, who has bestowed knowledge upon me.
I thank my parents, who have allowed me to pursue my passion and have given
me advice. They have always guided me.
I thank my brothers and sisters.
I thank Olusegun Ibrahim Bankole-Hameed, a childhood friend of my Dad
and part of our family, who has always been a source of encouragement.
Thanks to Jibril Ashiru, Ali Fakandu, Aliu Salis, Danlami, Mudassir Abdool,
Comseer, Sani, Ismail, Adegboyega Mahmud and other people I couldn't mention
here.
I thank my friends, both online and offline.
And lastly, I thank my fellow hackers and penetration testers.
- Shehu Awwal

I thank the global community of non-harmful Internet users, the almost
anonymous givers and takers of mostly free information. I also thank the security
community to which I belong and of which I am proud.
- Damilare D. Fagbemi

Credits
I must express my deep respect for every ethical hacker and information security
professional, as I know too well the depth of patience and sacrifice that the field
of Information Security requires.

Shehu Awwal

About The Authors

Shehu Awwal is a Nigerian ethical hacker. He owns a tech blog that focuses on
security and tech news, with how-tos, at http://techmedia.com.ng. He also
provides web application, mobile application and network penetration testing
at Hack Null (http://www.hacknull.com). He is a bug bounty hunter and has found
vulnerabilities in several top websites. He is passionate about everything
security, whether mobile, web or network. He is currently studying computer
science at Usmanu Danfodiyo University, Sokoto, Nigeria.

Damilare D. Fagbemi is a Software Security Architect at Intel Corporation, where
he has the pleasure of working with talented software teams to drive and
improve product security. He is also a chapter leader at the Open Web
Application Security Project (OWASP) in Nigeria, and a former co-founder of
http://verdeinfotech.com. He enjoys writing and blogs at http://edgeofus.com.
When he is not stuck in a computer, he can be found exploring nature and trying
to stay active without a fitness tracker.

Don Caprio is a tech blogger at geek.ng, a gadget collector, an amateur
iPhoneographer and a front-end web designer. You can connect on Twitter
@doncaprio

Contents
Acknowledgements
Credits
About The Authors
Chapter 1: Initial Discussions about WordPress Security
Chapter 2: How Hackers Gather Information about Target Systems
Chapter 3: Removing the WordPress Meta Tag and Read Me Information
Chapter 4: Prevent Access to the wp-content and wp-includes Directories
Chapter 5: Hiding the wp-content and wp-includes Directories from Search Engines
Chapter 6: Preventing Clickjacking in WordPress
Chapter 7: Utilizing the Internet Security Services of Cloudflare CDN
Chapter 8: Penetration Testing with the D-TECT Scanner by Shawar Khan

Chapter 1: Initial Discussions about WordPress Security
In this chapter, we start by describing the current state of web application
security. But first, what is WordPress? WordPress is a web-based Content
Management System (CMS) that supports the creation and modification of web
content through a simple interface that abstracts away many low-level web
development details.
Through research and consulting, we have come across countless websites
running older, vulnerable versions of Content Management Systems like
WordPress, Joomla and Drupal. Working exploits for such CMS vulnerabilities are
often freely available on the web, so an outdated installation can be compromised
by anyone able to paste a URL into a scanner.
WordPress, like many other web applications, has a long history of security
flaws in its core, and an even longer one in third-party plugins and themes. Over
time, the number of flaws shipped in the core has dropped, partly thanks to the
bug bounty hunters and penetration testers who report them before attackers
find them. In some cases 0-day vulnerabilities (flaws for which no fix exists yet)
are discovered, and WordPress pushes out a hot fix. Until that fix is installed,
your version number tells an attacker exactly which exploit to use. If WordPress
users hide that kind of information, it becomes more difficult for attackers to
fingerprint the target website. Hiding it is not a substitute for patching, though:
keeping the core, plugins and themes up to date is what actually removes the
vulnerability; hiding the version only costs the attacker some extra reconnaissance.
From experience and existing research, it is fairly easy to predict what could go
wrong with a web application if certain preventive security measures are not in
place. To keep yourself up to date, you can check http://techmedia.com.ng for the
latest security news. At any given moment it is likely that some hacker or
researcher has found a new and critical vulnerability that affects the version of
WordPress you are using. That is information security: no system is completely
safe. However, with the right steps taken, a meaningful degree of security can be
built into any application, including WordPress websites. Otherwise, it would be
quite frustrating to have your website vandalized and your customer data stolen
with little effort by even the most inexperienced attackers, who only have to fire
up one of the numerous free vulnerability scanners on the web. It is also worth
mentioning that once a website goes live, it is typically probed by automated
scanners within hours.
On the web, everything and everyone is fair game. Well-defended computers and
networks are routinely infiltrated by cybercriminals. As this chapter was being
written, attackers who had compromised Bangladesh Bank's access to the SWIFT
interbank financial messaging network used fraudulent transfer orders to steal
about US$81 million. Acunetix, the maker of the popular web application
vulnerability scanner of the same name, had its official website defaced by a
group of hackers. It is rather ironic that the website of a tool recognized for
finding website flaws was itself compromised.

Chapter 2: How Hackers Gather Information about Target Systems
Our aim in writing this handbook is to make it accessible and friendly to anyone,
regardless of their background or depth of knowledge in application security. We
must also point out that we focus on security for WordPress websites, not on
networks or broader systems.
Before attackers start any type of attack on a WordPress site, they usually gather
information that makes it easier to get in. In hacking, and in information security
in general, this is called reconnaissance: the act of, or the means by which,
attackers obtain information about the target system.
For example, thieves who want to steal from a house need to gather as much
information as they can to carry out the crime successfully. They would have to
locate the address of the house, and check whether there are security guards or
guard dogs, as such factors increase the risk of failure. But even if the house is
protected by a security guard and a dog, there are still alternatives. They could
opt for Saturday, when the security guards are away for the weekend and the dog
is by itself. By throwing a bone to the dog, they could gain access to the house.
As in that analogy, so in hacking. There are two kinds of information gathering:
Active Information Gathering and Passive Information Gathering. We will be brief
in describing both, as they are broad information security topics worthy of a
dedicated handbook.
Active Information Gathering
Earlier in this chapter, we considered thieves who want to steal from a house and
their need to know the address of their destination.
The same applies to hacking. Active Information Gathering means engaging
with the target system directly, for instance obtaining the WordPress-related
details of a website by sending requests to that website. One way to do this is to
read the WordPress <meta name="generator"> tag in the page source to learn
which version of WordPress is running, to request well-known files such as
readme.html, and to check which directories can be listed; we consider each of
these in the following chapters.
Because every such request is recorded in the web server's access log and can
trigger a web application firewall or an Intrusion Detection System (IDS),
attackers usually keep active probing to a minimum and combine it with passive
techniques.

Passive Information Gathering

Earlier, we discussed the thief looking for an alternative way into the house when
nobody is around but the dog. Once again, the same applies to hacking. In Passive
Information Gathering, we do not engage directly with the target system; instead
we use search engines like Google (for example, site: queries that list what has
been indexed under a domain), social media platforms, DNS and WHOIS records,
and other websites to gather information about the target. The target never sees
these requests, so nothing is logged on its side.

Chapter 3: Removing the WordPress Meta Tag and Read Me Information
Having understood the general principles and approaches adopted by attackers
for information gathering, let us turn to the WordPress specifics. By default,
WordPress prints a generator tag in the <head> of every page,
<meta name="generator" content="WordPress x.y.z" />, and puts the same version
string in the <generator> element of its RSS and Atom feeds. That information is
very valuable to attackers, because it lets them match your site against a list of
known vulnerabilities for that exact version, so hiding it is a priority.
Since this book is also targeted at people who do not have much experience using
WordPress, the outlined steps should be very easy to carry out.
Follow these steps to remove the meta tag:
Step 1: Log in to your WordPress dashboard.
Step 2: Click on Appearance > Editor.
Step 3: Find functions.php in the list of theme files and add the following code to it.
// Return an empty string in place of the version. The filter runs for the HTML
// head and for every feed type, so the feeds' <generator> is emptied as well.
function techmedia_remove_version() {
return '';
}
add_filter('the_generator', 'techmedia_remove_version');
// Also drop the RSS/Atom <link> tags from the head so the feed URLs are not
// advertised on every page.
remove_action( 'wp_head', 'feed_links', 2 );
remove_action( 'wp_head', 'feed_links_extra', 3 );

Save the file. Two caveats apply. First, a theme update overwrites functions.php,
so put the code in a child theme or in a small site-specific plugin if you want it
to survive updates. Second, this filter only touches the generator tag: WordPress
still appends ?ver=x.y.z to the URLs of the core scripts and stylesheets it loads
from wp-includes, and that value is the same version number. The
script_loader_src and style_loader_src filters can be used to strip that
parameter, and readme.html (next section) reveals the version as well, so treat
version hiding as a set of steps rather than a single switch.
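The following script is an added example, not code from the book or from WordPress. It plays the attacker's side of the active information gathering described in Chapter 2: it reads a page the way a fingerprinting tool would and reports every place the version shows up. The two sample pages are constructed here, with www.site.com as the placeholder host; the first imitates a default install and the second the same page after the the_generator filter above has been applied. Running it shows that the filter removes the <meta> tag but the ?ver= parameter on wp-embed.min.js still gives the version away.

```python
import re
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample pages (not captured from a real site). SAMPLE_BEFORE imitates
# what a default WordPress install emits; SAMPLE_AFTER is the same page once the
# the_generator filter from Chapter 3 is active. Only the <meta> tag differs.
SAMPLE_BEFORE = """<!DOCTYPE html><html><head>
<meta name="generator" content="WordPress 4.5.3" />
<link rel="stylesheet" href="https://www.site.com/wp-content/plugins/some-plugin/style.css?ver=1.2.0" />
<script src="https://www.site.com/wp-includes/js/wp-embed.min.js?ver=4.5.3"></script>
</head><body></body></html>"""

SAMPLE_AFTER = SAMPLE_BEFORE.replace('<meta name="generator" content="WordPress 4.5.3" />\n', "")


class _VersionLeaks(HTMLParser):
    """Collects every place a WordPress page discloses a version number."""

    def __init__(self):
        super().__init__()
        self.generator = None       # content of <meta name="generator">, if present
        self.asset_versions = {}    # asset path -> value of its ?ver= query parameter

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)             # HTMLParser lower-cases tag and attribute names
        if tag == "meta" and (a.get("name") or "").lower() == "generator":
            self.generator = a.get("content")
        url = a.get("src") if tag == "script" else a.get("href") if tag == "link" else None
        if url:
            parsed = urlparse(url)
            for ver in parse_qs(parsed.query).get("ver", []):
                self.asset_versions[parsed.path] = ver


def fingerprint_wordpress(page):
    """Return what an attacker can infer about the WordPress version from one page."""
    p = _VersionLeaks()
    p.feed(page)
    version = None
    if p.generator:
        m = re.search(r"WordPress\s+([\d.]+)", p.generator)
        version = m.group(1) if m else None
    # Core scripts and styles registered without an explicit version are tagged with
    # the WordPress version itself, so ?ver= on anything under /wp-includes/ is a
    # second copy of the number the meta tag was hiding. Plugin assets carry the
    # plugin's own version, which fingerprints the plugin rather than the core.
    core = sorted({v for path, v in p.asset_versions.items() if "/wp-includes/" in path})
    plugins = {path: v for path, v in p.asset_versions.items() if "/wp-content/plugins/" in path}
    if version is None and len(core) == 1:
        version = core[0]
    return {
        "generator": p.generator,
        "core_asset_versions": core,
        "plugin_asset_versions": plugins,
        "version_guess": version,
    }


if __name__ == "__main__":
    for label, html in (("default install", SAMPLE_BEFORE), ("after the_generator filter", SAMPLE_AFTER)):
        print(label, fingerprint_wordpress(html))
```

To use it against your own site, fetch the front page over HTTP and pass the body to fingerprint_wordpress(); if version_guess is still filled in after you applied the filter, the ?ver= parameter is the remaining leak.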

Another thing we need to do is remove the readme.html file

Our research shows that very few WordPress administrators delete readme.html.
Stop for a minute and have a look at your own WordPress site (for example
http://www.site.com/readme.html).
You will notice that the page states your WordPress version as well as the web
server and database versions it requires. We should remove this file to make it
harder for an attacker to figure out which version of WordPress you are running.

Follow these steps to remove readme.html:

Step 1: Log in to your cPanel or connect over FTP.
Step 2: Go to File Manager and choose the directory in which your WordPress
website is installed.
Step 3: In that directory, locate readme.html and delete it.
Note that every WordPress core update ships a fresh copy of readme.html, so the
file comes back after each update. Either delete it again after updating, or deny
access to it with a rule in your web server configuration so that it is blocked
regardless of whether the file exists.


Chapter 4: Prevent Access to the wp-content and wp-includes Directories
Although we consider the use of the public URL to list the contents of the
wp-content and wp-includes folders to be low risk, we still recommend that such
enumeration is prevented. A directory listing tells an attacker exactly which
plugins, themes and uploaded files exist, and when they were last changed, which
is a shortcut to picking a working exploit. It is good practice to block listing
of all website directories.
But how do you know if your wp-content and wp-includes directories can be
listed? Check your WordPress site (for example http://www.site.com/wp-content/
or http://www.site.com/wp-includes/). Without protection, you will see a list of
the files and subdirectories. WordPress ships an empty index.php in wp-content,
wp-content/plugins and wp-content/themes, which suppresses the listing there,
but wp-includes and wp-content/uploads have no such file, so those two are the
usual leak on servers where directory indexing is enabled.

To Prevent wp-content And wp-includes From Being Listed

Step 1: Log in to your cPanel or connect over FTP.
Step 2: Click on File Manager. Before clicking Go, tick Show Hidden Files
(dotfiles) so that .htaccess is visible. If you cannot see that option, ask your
hosting provider how to show hidden files.
Step 3: Open the .htaccess file in your WordPress root directory and add the
following line to it:
Options -Indexes
Step 4: Save it, then browse to http://www.site.com/wp-content/ or
http://www.site.com/wp-includes/. You should now get a 403 Forbidden error
instead of a file list. That is what we want. If instead every page on the site
returns a 500 Internal Server Error, your host does not allow Options in
.htaccess; remove the line and ask them to disable directory indexes for you.
This applies to Apache and to servers that honour .htaccess. On nginx the file
is ignored; directory listing is controlled by the autoindex directive, which is
off unless someone has turned it on.


Chapter 5: Hiding the wp-content and wp-includes Directories from Search Engines
In Chapter 2, we looked at how attackers gather information from websites by
interacting directly with the target. After such access is blocked, similar
information can often still be gleaned from search engines, which may have
indexed file names under http://www.site.com/wp-content/ and
http://www.site.com/wp-includes/ before you locked those directories down. Now
we need to ask search engines not to crawl wp-includes, wp-content and other
directories.

To keep search engines from indexing this information, follow these steps:
Step 1: Log in to your cPanel or connect over FTP.
Step 2: Click on File Manager and select your website's root directory.
Step 3: Locate robots.txt (create it if it does not exist), add the lines below
and save.
User-agent: *
Disallow: /wp-admin/
Disallow: /wp-includes/
Disallow: /wp-content/plugins/
Disallow: /wp-content/themes/
Disallow: /feed/
Disallow: */feed/
Keep three things in mind. robots.txt is a request, not a control: well-behaved
crawlers obey it, attackers' tools ignore it, and because the file is public it
hands anyone a list of the paths you consider sensitive, so it complements but
never replaces the directory protection from Chapter 4. Google needs to fetch
your theme's CSS and JavaScript to render pages, and blocking /wp-includes/ can
prevent that and hurt how your site is indexed, so check the result in Google
Search Console. Finally, the */feed/ entry relies on a wildcard that Google and
Bing understand but the original robots.txt convention does not, so not every
crawler will honour it.
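This script is an added example, not from the book, that covers the checks of Chapters 4 and 5 together from the visitor's side: it requests each directory a scanner would try and reports which ones return an auto-generated listing, then reads robots.txt and returns the Disallow entries, which any attacker gets for free. The HTTP responses are constructed inline so the script runs offline; the host www.site.com is the book's placeholder, and make_fetch() stands in for a real HTTP GET.

```python
import re
from urllib.parse import urljoin

# Directories whose auto-generated index would reveal plugin, theme and upload names.
# WordPress ships an empty index.php in the first three; wp-includes and uploads
# have none, so they are the ones that usually leak.
DIRECTORIES = (
    "/wp-content/",
    "/wp-content/plugins/",
    "/wp-content/themes/",
    "/wp-includes/",
    "/wp-content/uploads/",
)

# Both Apache mod_autoindex and nginx autoindex title their listings "Index of /path".
_LISTING_TITLE = re.compile(r"<title>\s*Index of\s+/", re.IGNORECASE)


def listing_exposed(status, body):
    """True when a response is an auto-generated directory index rather than a page."""
    return status == 200 and bool(_LISTING_TITLE.search(body))


def robots_disallowed_paths(body):
    """Paths robots.txt asks crawlers to skip. Nothing enforces them; to an attacker
    the file is simply a map of what the owner considers sensitive."""
    paths = []
    for raw in body.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        key, _, value = line.partition(":")
        if key.strip().lower() == "disallow" and value.strip():
            paths.append(value.strip())
    return paths


def audit_exposure(base_url, fetch):
    """fetch(url) -> (status_code, body). Report what an unauthenticated visitor learns."""
    exposed = [d for d in DIRECTORIES if listing_exposed(*fetch(urljoin(base_url, d)))]
    status, body = fetch(urljoin(base_url, "/robots.txt"))
    return {
        "listings": exposed,
        "robots_disallow": robots_disallowed_paths(body) if status == 200 else [],
    }


# Constructed responses standing in for live HTTP traffic. Against a real site,
# replace make_fetch(...) with a function that performs a GET and returns
# (response.status_code, response.text).
ROBOTS = "User-agent: *\nDisallow: /wp-admin/\nDisallow: /wp-includes/\nDisallow: /wp-content/plugins/\n"
NOT_FOUND = (404, "<html><head><title>Page not found</title></head></html>")
SILENCE = (200, "")  # wp-content/index.php executes and returns an empty page
FORBIDDEN = (403, "<html><head><title>403 Forbidden</title></head></html>")

BEFORE_HARDENING = {
    "https://www.site.com/wp-content/": SILENCE,
    "https://www.site.com/wp-content/plugins/": SILENCE,
    "https://www.site.com/wp-content/themes/": SILENCE,
    "https://www.site.com/wp-includes/": (200, "<html><head><title>Index of /wp-includes</title></head>"
                                             "<body><a href='version.php'>version.php</a></body></html>"),
    "https://www.site.com/wp-content/uploads/": (200, "<html><head><title>Index of /wp-content/uploads"
                                                      "</title></head><body></body></html>"),
    "https://www.site.com/robots.txt": (200, ROBOTS),
}
# After "Options -Indexes", Apache answers 403 for directories that lack an index file.
AFTER_HARDENING = {
    **BEFORE_HARDENING,
    "https://www.site.com/wp-includes/": FORBIDDEN,
    "https://www.site.com/wp-content/uploads/": FORBIDDEN,
}


def make_fetch(responses):
    return lambda url: responses.get(url, NOT_FOUND)


if __name__ == "__main__":
    print("before:", audit_exposure("https://www.site.com", make_fetch(BEFORE_HARDENING)))
    print("after: ", audit_exposure("https://www.site.com", make_fetch(AFTER_HARDENING)))
```

Note that the robots_disallow list is identical before and after hardening: the .htaccess change closes the listings, while robots.txt keeps advertising the same paths to anyone who asks for it.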


Chapter 6: Preventing Clickjacking in WordPress
Clickjacking is generally rated a low-risk vulnerability, but its impact grows
quickly when the attacker is good at social engineering. As we know, a large
share of websites run WordPress, and by default their public pages can be loaded
inside another site's frame, which is the precondition for clickjacking. But
first, let us explain what clickjacking means.
Clickjacking, also called UI redressing, is an attack in which the attacker loads
your website inside an <iframe> on a page they control, makes that frame
invisible or covers it with decoy content, and lines it up so that the victim's
clicks land on real buttons of your site. Because the victim is already logged in
to your site, the browser sends their session cookie with the framed request, so
the click performs a genuine action in their account.
For instance, assume we run an eCommerce website where users look for new
goods and discounts. An attacker builds a page that frames our site, adds a little
CSS and JavaScript to position a transparent frame over the decoy, and sends the
link to victims. The victim sees a button such as "Click here for new offers",
but the click actually lands on "Place order" or "Change shipping address"
inside the hidden frame.
WordPress sends the X-Frame-Options: SAMEORIGIN header for the dashboard
and the login page, so those cannot be framed by other sites, but it sends no
such header for the public front end. By default, then, your posts, pages and
any forms on them can be framed.

How to Test For Clickjacking in WordPress

Step 1: Open Notepad (or any text editor) and add the following code to it:
<html>
<head><title>Web Page Is Vulnerable To ClickJacking Attack</title></head>
<body>
<iframe src="http://www.site.com" width="1247" height="800"></iframe>
</body>
</html>
Step 2: Replace www.site.com with the URL of the WordPress site you want to
test.
Step 3: Save the file as Clickjack.html, and remember to choose All Files as the
file type so that Notepad does not append .txt.
Step 4: Open the file in your browser. If the site renders inside the frame, it is
frameable and therefore vulnerable to clickjacking. If the frame stays blank and
the browser console reports that the page was blocked by X-Frame-Options or
Content-Security-Policy, the site is protected.


How to Fix Clickjacking in WordPress

Since we have shown you how to test for it, how can we fix it? It is easy to
do.
Step 1: Download and install this plugin:
https://wordpress.org/plugins/insert-headers-and-footers/
Step 2: From your WordPress dashboard, go to Settings > Insert Headers and
Footers. In the Header section, add the following code and save:
<script type="text/javascript">
// Frame busting: if this page is not the top-level window, replace the top
// window with it.
if (window.top !== window.self) { window.top.location.href = window.self.location.href; }
</script>
Step 3: Re-run the test from the previous section; the page should now break
out of the frame.
This script is better than nothing, but frame busting in JavaScript is known to
be bypassable: the framing page can load your site with
<iframe sandbox="allow-forms allow-scripts">, which denies the frame permission
to navigate the top window, and older tricks based on onbeforeunload handlers
achieve the same effect. The reliable fix is an HTTP response header that the
browser enforces before any script runs: X-Frame-Options: SAMEORIGIN (or DENY),
and for current browsers the frame-ancestors 'self' directive of the
Content-Security-Policy header. Set it in your web server configuration, through
a security plugin that adds response headers, or by calling PHP's header()
function on the send_headers action from functions.php; WordPress core already
does this for wp-admin and wp-login.php with its send_frame_options_header()
function. Keep the script as a fallback, but verify, with the test above or with
a tool that reads response headers, that the header is actually present.
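As an added example (not from the book or from any WordPress code), the function below evaluates a set of response headers the way a browser does before deciding whether a page may be framed, which is the check a scanner performs and the check you should run after adding the header. It handles both X-Frame-Options and the CSP frame-ancestors directive, giving CSP precedence as browsers do. The header sets and the hosts www.site.com, attacker.example and partner.example are constructed for the example; the first two header sets imitate what a default WordPress install sends for a front-end page and for wp-login.php.

```python
import fnmatch
from urllib.parse import urlparse


def _csp_allows(sources, framing_origin, page_origin):
    """Match one would-be framing origin against a CSP frame-ancestors source list."""
    o = urlparse(framing_origin)
    for src in sources:
        s = src.strip().lower()
        if s == "'none'":
            return False
        if s == "*":
            return True
        if s == "'self'":
            if framing_origin.lower() == page_origin.lower():
                return True
            continue
        if s.endswith(":") and "/" not in s:       # scheme-source such as https:
            if o.scheme == s[:-1]:
                return True
            continue
        # host-source: [scheme://]host[:port]; a leading "*." matches any subdomain
        scheme, sep, hostport = s.partition("://")
        if not sep:
            hostport = s
        elif scheme != o.scheme:
            continue
        if fnmatch.fnmatch(o.netloc.lower(), hostport.split("/")[0]):
            return True
    return False          # an empty source list behaves like 'none'


def frameable_by(headers, framing_origin, page_origin):
    """Would a browser let framing_origin embed a page served with these headers?
    headers: dict of response headers, names in any case. A CSP frame-ancestors
    directive takes precedence over X-Frame-Options when both are present."""
    h = {k.lower(): v for k, v in headers.items()}
    for directive in h.get("content-security-policy", "").split(";"):
        name, _, value = directive.strip().partition(" ")
        if name.lower() == "frame-ancestors":
            return _csp_allows(value.split(), framing_origin, page_origin)
    xfo = h.get("x-frame-options", "").strip().lower()
    if xfo == "deny":
        return False
    if xfo == "sameorigin":
        return framing_origin.lower() == page_origin.lower()
    # ALLOW-FROM is obsolete and ignored by current browsers; any other or missing
    # value leaves the page frameable from anywhere.
    return True


SITE = "https://www.site.com"
ATTACKER = "https://attacker.example"

# Constructed header sets. FRONT_PAGE and WP_LOGIN imitate a default WordPress
# install; HARDENED is what the site sends once the fix from this chapter is in place.
FRONT_PAGE = {"Content-Type": "text/html; charset=UTF-8"}
WP_LOGIN = {"Content-Type": "text/html", "X-Frame-Options": "SAMEORIGIN"}
HARDENED = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "frame-ancestors 'self' https://*.partner.example",
}

if __name__ == "__main__":
    for label, hdrs in (("front page", FRONT_PAGE), ("wp-login.php", WP_LOGIN), ("hardened", HARDENED)):
        print(label, "frameable by attacker:", frameable_by(hdrs, ATTACKER, SITE))
```

In practice you would fill the headers dict from a real response (any HTTP client exposes them) and test with the origins that matter: an arbitrary attacker origin, your own origin, and any partner site that legitimately embeds you.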


Chapter 7: Utilizing the Internet Security Services of Cloudflare CDN
Content Delivery Networks (CDNs) serve web content to end users with high
availability and high performance. Cloudflare goes a step further: because it
sits in front of your server as a reverse proxy, it can filter traffic before it
reaches you, with a web application firewall, DDoS mitigation and challenges for
suspicious bots, and it caches static content at its edge so pages load faster
and abusive crawlers consume less of your server's capacity. Such features are
not only useful for WordPress websites, and are worth exploring for any web
application. Cloudflare offers premium and free plans.
It is easy to set up: go to http://www.cloudflare.com and register, or log in if
you already have a Cloudflare account, and add your website. You will be asked to
switch your domain to Cloudflare's nameservers. That is worth doing, because
visitors and attackers then see Cloudflare's IP addresses rather than your hosting
provider's. Bear in mind that the origin address can still leak through
historical DNS records, the headers of mail sent from the server, or subdomains
that are not proxied, and an attacker who learns it can bypass Cloudflare
entirely by connecting to your server directly; so configure your server's
firewall to accept web traffic only from Cloudflare's published IP ranges.
Cloudflare also provides free SSL, allowing you to offer encrypted connections to
your visitors. Choose the "Full (strict)" mode with a valid certificate on your
own server: the "Flexible" mode encrypts only the leg between the browser and
Cloudflare and leaves the traffic between Cloudflare and your server in the clear.
We have used Cloudflare extensively, but must also mention that other CDNs
provide similar security services, such as Incapsula, CDNify and Myra Cloud.


Chapter 8: Penetration Testing with the D-TECT Scanner by Shawar Khan
D-TECT is a web application penetration testing tool designed to simplify
WordPress website testing by combining several checks in one script. In addition
to detecting general website flaws such as cross-site scripting (XSS), SQL
injection and clickjacking, it includes WordPress-specific checks such as user
name enumeration, backup file grabbing and a generic WordPress vulnerability
scan. Running it against your own site after applying the previous chapters shows
which of the information leaks are actually gone.
There are other web security testing tools, such as Burp Suite and OWASP ZAP,
which are intercepting proxies with their own active scanners and are very adept
at finding website vulnerabilities. D-TECT should be combined with such tools for
robust validation.
You can download D-TECT from GitHub:
https://github.com/shawarkhanethicalhacker/D-TECT
More details on web application penetration testing are available in the OWASP
Testing Guide:
https://www.owasp.org/index.php/OWASP_Testing_Guide_v4_Table_of_Contents


Thanks for reading this handbook; we hope you have found it useful. There may
be an update as we keep exploring how to strengthen WordPress security.
Note: If you require professional assistance implementing any of the guidelines
we have provided, please reach out to awwalshehu@gmail.com or
shehu@hacknull.com for penetration testing consulting.

