Suddenly the entire world is talking about hacking “again”, there is a awesome new serie (mr. robot) and I recently stand corrected on hacker “gear” in sense 8 also a great serie, that is on netflix. The names where pretty fancy tho, rage master, water witch, switch hooks, CANDYGRAM are not something we regular hear about, but they do exist ! Also the story about the hacking team, is pretty crazy. (good summery about hacking team) Anyway my brain was looking in to security again.
Is my WordPress installation save ? Did I use some dangerously outdated plugin ? Is my template safe ? Is something giving away data ? Security is not easy and very time consuming. So I was happy to find that, there is a great tool for these kind of tests, called wpscan (WPScan is a black box WordPress vulnerability scanner). Running it is as easy as -after installation- :
ruby wpscan.rb --url http://my_blog.ext
What is even more fun, you can start a brute force on accounts of the blog! I was surprised to learn that WordPress doesn’t per default include a limitation at the amount of login attempts can be made and as such you have to rely on plugins, as otherwise, this leaves the door open to brute force attacks.
I was checking what kind of security measurements are in WordPress, allot of plugins pop-up when searching for it, however adding more code to a project generally decreases the security and doesn’t make it faster generally. The exception seems to be Wordfence, stating that they make your website up to 50 times faster, and more secure since they limit the amount of logins over time. While that does seem to be to good to be true, the data seems to be there, so Wordfence it is!